We are slowly moving from an 100% on-prem AD Windows client/server infrastructure to as much cloud management as we can do and still maintain servers on-prem. We've already started building new laptops to be fully managed by Intune (replacing our AD managed laptops a few at a time with no intention to use hybrid on-prem/cloud managed devices). We are going to start building new Server 2025 servers to replace our current fleet of Server 2016 servers, and while they will remain on-prem and AD joined, I want to make sure we can leverage Azure to do things like monitoring, alerting, updating, and change logging. I am still researching options, but it seems like Azure Arc might be the way to go. One question I have is whether my server build process needs to change at all to accommodate any sort of cloud-management. Today's process is as follows:

1. Download the latest Windows Server ISO from my M365 Admin portal and upload to my ISO datastore in VMware (I do not modify the ISO)
2. In vSphere, I create a new server VM using the ISO I just uploaded, power it on and let the installer boot and take me through the install process.
3. Once OS is installed, I configure the server (change name, change local admin password, static IP, set time zone, add product key, and check for/install all available updates).
4. Once OS is updated, I join the on-prem domain (Active Directory)
5. Install 3rd-party agents/sensors (Qualys, CrowdStrike, Duo, LAPS, SolarWInds SEM, VMware Tools) and ensure server is seen by those services.
6. Install software (as required for that server's purpose). Examples include SQL-Server, IIS, Exchange Server, Business Software, etc.

If my servers will have Azure Arc installed, should I install it before I join the server to the domain? or does it matter when Azure Arc gets installed/configured? And should I upgrade my domain to a certain forest/domain level before bringing Azure Arc into the picture? Thank you for any assistance.

I’m working on securing an internal web app hosted on an Azure VM, accessed over a point-to-site VPN. The goal is to secure it with HTTPS, but I don’t want to expose the private IP in public DNS (if i want to create a cert using certbot) or make any changes to the client devices (like adding a self-signed certificate to their trusted store).

Here’s the setup:

Domain: Managed through GoDaddy

Challenge: Obtaining an SSL certificate from a trusted CA without exposing private IPs publicly and without having to configure client devices.

Has anyone found a way to achieve this setup? Any tips on handling SSL certificates for internal Azure apps or using Azure Private DNS Zones in this context would be appreciated!

I have a pair of vms with sql server installed that are part of an always on availability group (AOAG). Patching today consists of me manually logging into the server and failing one node over to the other so that it can be patched. Once the patching is complete, I fail it back to the original and patch the secondary. Has anybody found a more automated way of doing this? I can't afford for there to be much of an hour outage, so I'm scared to just let the cluster handle it when the primary goes down. I'd love to script running of the patching on the secondary, then flipping the primary and patching the other. I'm definitely open to any options though. Thanks for your help

Hello

I'm a trainer in Azure and I want to try run a powershell script using automation runbook in azure but unfortunately It didn't work can somebody help?

Define the Group ID (can be found from Azure portal)

$groupId = "YOUR_GROUP_ID_HERE"

List of user UPNs (User Principal Names) you want to add to the group

$userUPNs = @( "user1@yourdomain.com", "user2@yourdomain.com", "user3@yourdomain.com" )

Iterate over each user and add them to the group foreach ($userUPN in $userUPNs) {

Get the user object by their UPN (email)

$user = Get-AzureADUser -ObjectId $userUPN if ($user) {

Add the user to the group

Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $user.ObjectId Write-Host "Added $userUPN to the group successfully." } else { Write-Host "User $userUPN not found." } }

Hey everyone,

My company is planning to set up an internal ChatGPT powered by AzureAI, using Azure OpenAI Studio and Retrieval-Augmented Generation (RAG) through Azure AI Search. We’re trying to figure out the best approach for the frontend.

Does it make sense to develop a custom frontend from scratch, or are there open-source projects suitable for enterprise use that we could build on?

Additionally, has anyone tried Microsoft’s demo repo? Is it production-ready? Here’s the link for reference: Microsoft’s Azure OpenAI + Search demo repo.

Any ideas, suggestions, or experiences would be much appreciated!

Inside each vnet, there are 3x subnets (frontend, backend, data), each is 256 IP addresses (so only 256 free in the VNET).

Was this a mistake / was the VNET cidr range to small?

I know you can add a new IP range in a VNET, but that sounds like a complexity that could have been avoided.

If I need a subnet delegation (create a dedicated subnet for f.ex. an Azure App Service Plan), how big should I have it (since I only have 256 free IP addresses in the VNET)? I guess as small as possible? /28 (Total IPs: 16) which is the minimum?

I’m aware it’s an award and somebody at MS/another MVP has to vouch for you (like Al Pacino as Lefty in Donnie Brasco).

I’m also aware that most MVPs have all the major Azure certs (working on it).

I’m dreaming to become an independent consultant one day so a MVP would help.
I’m guessing active in the community on social (reddit, twitter/x, youtube, msdn forums, etc.)?

Hello!

I'd like some advice on how to easily deploy an app to an App Service with VNET integration. With VNET integration, outbound internet access needed during deployment is restricted, causing deployments to fail. If I'm deploying from VSCode or Azure DevOps, would temporarily disabling VNET integration be the best approach?

Thanks.

Like the title, I've read that AKS only charges me if there are nodes running, it's zero cost to just have the control plane running. But I'm still learning k8s so I'm not sure if I understand it right.

So the question is, I can create an AKS service, after every session I have to tear down all pods to avoid incurring cost when I don't use it right?

Thank you

Just cleared my az-204. Now I need to plan then next certificate. Should I go for az-104 or power apps certification?

Prepared for 2 months, 2-3 hours at least on weekdays, 7-8 hours on weekends.

Prepared with exampro and measure up. Total 52 questions.

2 Case studies including 15 questions Fourth coffee and VanArsdel

Microsoft learn was very slow and of no use.

I would like to thank you all here for providing support and guidance.

Has anyone set up a syslog forwarder on a Linux based VM scale set?

I am trying to forward logs into Ubiquiti_CL from ubiwuiti unifi. I followed the documentation for Custom Logs via AMA for ubiquiti and I have the logs being successfully forwarded and written to a log file on the forwarder but I cant get them into Sentinel.

I was having issues with getting the Azure Monitor Agent for Linux on installed on the scaleset but l eventually did via the azure CLI. I am getting a heartbeat from the name of the scale set itself but not from the Linux instance within the scaleset where the logs are being written.

When I created the DCR I chose the scale set which includes the instance. Ive checked over the documentation multiple times but it still isn't working.

Im at a loss of what to do. Anyone have any luck with the AMA forwarder to a custom log table from a VM scaleset?

I have a service that logs in to a particular app from a certain IP and I want to block access unless it comes from that IP and accesses that app. I added the User to the policy, set Network to Include All Networks and Locations and added the one IP to Exclude, then for app I included All Resources and Excluded the one app, then chose Block and chose Require all the selected controls. But it seems that it's allowing based on Network or App and doesn't require both. Am I looking at this the wrong way? Thanks.

Hi everyone,

I'm pretty new to Azure and I'm hoping you can help me make the most of my learning opportunity. My company recently gave me a Microsoft Visual Studio Enterprise subscription with £150 in monthly Azure credits.

To give you some context, I've only dabbled in Azure for a short time (like 15 minutes lol). My IT experience is mainly in 2nd-line IT support (6 months) and currently 2 months in basic network troubleshooting (physical layer 1 kit checks, nothing technical at all). I'm currently working towards my CCNA certification (booked for February).

I'm eager to leverage these Azure credits to enhance my skills and explore potential career paths. I'm open to suggestions on courses, tutorials, or hands-on projects that can help me solidify my understanding of Azure - have read around and it seems like the AZ-104 might be the best starting point, but unsure.

Any advice or guidance from experienced Azure professionals would be greatly appreciated. Thanks in advance!

Hi fellow engineers, how to get the jobs data of all workspaces and make a pattern out of it using a dashboard maybe a dashboard from databricks itself. Any help would be greatly appreciated.

I would like to move our Entra AD Connect (as its called now...lol) to another server. I found the steps on how to do it but my question about moving it but modifying the json config file.

Under the onpremisesDirectoryPolicy section of the json file is "containerInclusions" and it lists our DC but includes all the old containers from 4 years ago when they used to run SBS at this company I am at which was migrated then to Azure AD in Hybrid mode. Can I remove these entries or change them to include the inclusions I want now? even though I know I can select them the Entra AD Connect.

Thanks,

Hello all,

Just looking for some advice on the Entra Connector setup.

I recently discovered that the MSP brought in to deploy a primary and staging connector did not setup the staging server connector (before my time).

Current setup is as follows:

• dc1-connector-01 (Connector installed but never configured)
• dc2-connector-01 (Primary / Healthy connector) version [2.2.1.0]

(https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-version-history#2210).

I read through the documentation on recommended upgrades, and I believe I need to perform the following on dc1-connector-01:

• Remove the current connector software (was never configured).

• Add TLS 1.2 ciphers to server (as Entra Connect now must use TLS 1.2)

• Export current connector configuration from primary server dc2-connector-01.

• Run the newest connector (2.4.21.0) setup on dc1-connector-01, import the configuration exported previously.

• Enable staging mode and start the sync process.

• Verify configuration

After I've done this and confirmed everything is okay, I will make dc2-connector-01 the staging server.

Once that is done, I plan to just implement TLS 1.2 ciphers, and upgrade the connector on the other.

The goal after being, we have two connector servers both running the same version and config, in a Primary/Staging setup.

Just a couple of questions.

• Can version 2.2.1.0 and 2.4.21.0 exist together, with the TLS enforcement changes? I believe so from this but it is a little vague.

• Any gotcha's or anything I am missing here?

Have not done this before, so going purely of MS documentation.

Many thanks in advance.

Hi all trying to learn to use the function apps in azure as i see us having some future needs for it, i wanted to start basic so all im trying to do is have it listen to a container in azure blob storage for when a file is uploaded then move it to another folder (ideally i also want it to check if its been zipped and extract it but keeping things simpler to start). I got close previously function was visible and listener worked but it copied the name of the path instead of the file at the end. since then ive completely broke it and when i upload the app the function doesnt actually appear in azure (although the files are there). Heres what i have right now any help is appreciated

import os

import azure.functions as func

import logging

from azure.storage.blob import BlobServiceClient

# Get the connection string from environment variables

CONNECTION_STRING = os.getenv("STORAGE_CONNECTION_STRING")

# Initialize BlobServiceClient

blob_service_client = BlobServiceClient.from_connection_string(CONNECTION_STRING)

# Create FunctionApp instance

app = func.FunctionApp()

# Blob trigger function to move files to 'temp' folder

@app.function_name(name="move_files_to_temp")

@app.blob_trigger(arg_name="myblob", path="containername/Production/{name}", connection="STORAGE_CONNECTION_STRING")

def move_to_temp(myblob: func.InputStream, name: str):

logging.info(f"Triggered by blob: containername/Production/{name}")

try:

# Read the blob content

blob_data = myblob.read()

logging.info(f"Successfully read the blob: containername/Production/{name}")

# Define the destination path in the 'temp' folder

temp_path = f"temp/{name}"

container_name = "containername"

blob_client = blob_service_client.get_blob_client(container=container_name, blob=temp_path)

# Upload the file to the 'temp' folder

blob_client.upload_blob(blob_data, overwrite=True)

logging.info(f"Moved file {name} to temp/{name}")

except Exception as e:

logging.error(f"Error moving file {name} to temp folder: {e}")

This week's update is up.

https://youtu.be/QcPRAhg8dOg

• Cross-sub ALB - Front and backend resources can now be in different subscriptions from the ALB resource
• ALB admin state - Admins can now set nodes to UP and DOWN to override probe health state
• ALB health status - Detailed health information can now be reported on
• AVNM UDR management - Routing policies can be centrally created then deployed to vnets via AVNM
• ER GW migration - Easy ER GW SKU migration by allowing two gateways to co-exist in the same subnet
• Elastic SAN enhancements - New SLA, CRC protection, AVS GA and in preview autoscale
• Azure File Sync MI support - Removes need to use shared keys by using managed identity instead
• Convert to Prem SSD v2 - Easy conversion from standard hdd/ssd and prem ssd v1 to prem ssd v2
• Event Hub 100% Kafka compat - For streams and transactions
• Event Hub portal data explorer - Great portal experience to help with testing/debug
• SQL Hyperscale perf improvements - 150 MB second logging, 128 TiB max size and continuous priming
• Azure SQL DB vector support - VECTOR data type and related functions
• VS SQL projects - Collabroate and deploy SQL resources via Visual Studio and VS Code
• Cosmos DB MongoDB ARM API - Create and manage via ARM templates
• Cosmos DB LangChain integration - Easy LangChain integration for JavaScript apps
• Cosmos DB Data Explorer enhancements - Better error help
• PostgreSQL Flex v17 support
• Azure CDN Edgio retire
• Zero Trust workshop available - Great workshop to help implement zero trust in your organization

Hello everyone,

For many months I'v been digging arround how to convert some specific users from our on premise domain to cloud only in ou hybrid environnment.

The only found solution was to desynchronize the account object and restore the corresponding azure one form the azure bin.

We have SSPR setup, and so far, during our tests, the restored cloud converted users were able to reset themselves their password right after the conversion.

As you can see in the screenshot, the last attempts fails to the error "OnPremisesUserNotFound"

It seems like even though the account is cloud only, it tries now to writeback the password to the on prem.

I tried to remove the on premise immutableid, but I got a new error "system error". And as far as I know, there is no way to remove every on premise attribute from a converted cloud user account.

This is very concerning cause I know this method is not supported by MS so no hope to get somme support from them.

The ability to use the SSPR for theses converted user account is necessary as the conversion causes password reset, and there are thousands accounts to migrate...

Any help is welcomed.

https://preview.redd.it/gh0p8i2n1wzd1.jpg?width=858&format=pjpg&auto=webp&s=81c8a6474632aaf54a99e3838a617cb9817abfd9

Good morning everybody.

I used to create a basic SKU vpn gateway from azure portal and use it to connect to my VNET to access the DB.

Azure removed the Basic SKU from azure portal VPN Gateway creation sometime in the last year, so I tried following this:

https://learn.microsoft.com/en-us/azure/vpn-gateway/create-gateway-basic-sku-powershell

And I'm able to create the VPN Gateway but then P2S clinet I configure and download doesn't work.

Am I missing something here or I'm just making mistakes?

I have about 33 Subscriptions over 5 or 6 tenants. I have currently deployed Lighthouse, but it is currently a blanket Contributor Access to these Subs with a Group. All deployed with the same ARM JSON.

I would like to be able to specify other Groups with different levels of access to each Subscription. Would I be correct to assume that I would need to have an individual JSON per Subscription?

Is it possible maybe to have a JSON per Tenant, and define the Subscriptions within? Is there even any point to attempting this?

Sometimes we have to setup multiple Azure Enterprise applications (SAML,OpenID configs) for different environments, and usually they are identical except for one or two customizations.

Is there a way to duplicate or clone an enterprise application so that I can have the base app and then make the customizations as needed to each?

Vaulted backups for Azure Blob Storage are now in General Availability according to this article.

https://azureaggregator.wordpress.com/2024/08/02/general-availability-vaulted-backups-for-azure-blob-storage/

Creating a daily backup policy for all blob containers in a given storage account

https://preview.redd.it/zfw8nub2gozd1.png?width=1022&format=png&auto=webp&s=be8c2012bc08c36d68010c9c917e1f7f49f298c6

Are the restore points incremental or full copy?

https://preview.redd.it/w6hi75fggozd1.png?width=1040&format=png&auto=webp&s=159065efef88e86e6cbcf30c9528f135346089e7

How much does it cost to save for 35 days? 35 times the size of the containers, or only once if nothing is added/removed?

Hi, encountered a weird issue and can't seem to find the problem.

Deployed an automation account + source control via bicep. Everything works fine if I do a manual sync, but when committing new changes to main branch, the autosync is not even triggering.

Has anyone experienced this before ?

Thanks

Hi im a student here using an azure student acc and its my first time using it and im not really informed on the credit is spent in virtual machine. Is the credit spent per hour or per month or per usage

I have 17 years of experience in Infrastructure, server installation, storage, virtualization and I want to transition to Azure Admin. In addition to the Azure Fundamentals course, what would you recommend? I have the opportunity to learn in small environments through my circle. What courses, books, would you recommend?

Hi all, We are trying to rotate the AzureADKerberosServer server key but we get the following error:

PS H:\> Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -RotateServerKey

Set-AzureADKerberosServer : Could not load file or assembly 'System.Memory, Version=4.0.1.2, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependenc

ies. The system cannot find the file specified.

At line:1 char:1

+ Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : NotSpecified: (:) [Set-AzureADKerberosServer], FileNotFoundException

+ FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.AzureAD.Kdc.Management.SetAzureADKerberosServer

Did any of you had this problem before? We rotate the key every 30 days and this is the first time we get this error. We also created a Microsoft case for this. Very much appreciated.

Hi, I am just polling to find some professionals who are into architecting solutions and have done TOGAF certifications.

Can you please share your TOGAF journey and how did it helped you with working Azure as architecting solutions. Being an Az-305 I realized that I was good at cloud engineer role but I need to orient my self little bit of architecting. I wanna be like the Sr. architects who talks lengths about the solutions rather than talking nittty gritty.

I can translate the low level architectures and low level design & create IaC for those, but I still feel lack of depth I need to talk how overall (& in-deep) an architecture works.

So please advise.