Conduct your own lab, download: Contoso Travel Policies

Repository: https://github.com/MariuszFerdyn/hands-on-lab-azure-functions-flex-openai

Step by step:

# Clone the repository
git clone https://github.com/MariuszFerdyn/hands-on-lab-azure-functions-flex-openai

# Login to Azure :
az login

# Display your account details
az account show

# Select your Azure subscription
az account set –subscription <subscription-id>

# Go to the project directory
cd <cloned-project-path>

# Authenticate using azd
azd auth login

# Create resources using the IaC defined in the infra directory
azd provision

# .azure/ignite.env

# Deploy Functions to Azure
azd env set AZURE_LOCATION eastus2 -e ignite2024mf –no-prompt
azd env refresh -e ignite2024mf

azd deploy

# Post wav file to ST via function

# Update AudioTranscriptionOrchestration01.cs

azd deploy processor

# Update AudioTranscriptionOrchestration02.cs

azd deploy processor

# Post wav file to ST via function

Tools:

• https://dotnet.microsoft.com/en-us/download/dotnet/
• https://code.visualstudio.com/
• https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli#install-or-update
• winget install microsoft.azd
• https://git-scm.com/downloads
• https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4#installing-the-msi-package
• REST Client – Visual Studio Marketplace

Introduction Copilot for SharePoint – especially Copilot for Documents in SharePoint Library.

Successor of Zero Trust Model descibed https://rzetelnekursy.pl/zero-trust-model-audit-for-free has a new version https://aka.ms/ztworkshop.

It includes:

1. Assesment
2. Workshops
3. Implementation RoadMap

All VM in Backup:

# Import necessary modules
# Import-Module Az
# Connect-AzAccount

# Get all Recovery Services Vaults
$recoveryVaults = Get-AzRecoveryServicesVault

# Initialize an array to hold backup items
$backupItems = @()

# Enumerate all Recovery Services Vaults
foreach ($vault in $recoveryVaults) {
# Set the context to the current vault
Set-AzRecoveryServicesVaultContext -Vault $vault

# Get all backup containers in the current vault
$containers = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM

# Enumerate all backup containers
foreach ($container in $containers) {
# Get all backup items in the current container for the specified workload type
$items = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM

# Add the backup items to the array, renaming the existing ContainerName property
$backupItems += $items | Select-Object @{Name=”VaultName”;Expression={$vault.Name}}, @{Name=”ResourceGroupName”;Expression={$vault.ResourceGroupName}}, @{Name=”BackupContainerName”;Expression={$container.Name}}, *
}
}

# Display the backup items in Out-GridView
$backupItems | Out-GridView
$backupItems | Export-CSV VMSpecSources.csv

All SQL Databases in Backup (included deleted sources databases):

# Import necessary modules
# Import-Module Az
# Connect-AzAccount
# Login to Azure account

# Get all Recovery Services Vaults
$recoveryVaults = Get-AzRecoveryServicesVault

# Initialize an array to hold backup items
$backupItems = @()

# Enumerate all Recovery Services Vaults
foreach ($vault in $recoveryVaults) {
# Set the context to the current vault
#Set-AzRecoveryServicesVaultContext -Vault $vault

# Get all backup containers in the current vault for MSSQL
$containers = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $vault.ID
#echo “——— containers ——–”
#echo $containers
#echo “—————————–”
# Enumerate all backup containers
foreach ($container in $containers) {
# Get all backup items in the current container for MSSQL
Set-AzRecoveryServicesVaultContext -Vault $vault
#Get-AzRecoveryServicesBackupProtectableItem -ItemType “SQLDataBase”
$items = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType MSSQL -VaultId $vault.ID
Write-Host “——— items ——–”
Write-Host “vault :” -NoNewline; Write-Host $vault.Name
Write-Host “Container:” -NoNewline; Write-Host $container.Name
Write-Host “Items: :” -NoNewline; Write-Host $items.FriendlyName
Write-Host “—————————–”

# Add the backup items to the array, renaming the existing ContainerName property
$backupItems += $items | Select-Object `
@{Name=”VaultName”; Expression={$vault.Name}}, `
@{Name=”ResourceGroupName”; Expression={$vault.ResourceGroupName}}, `
@{Name=”BackupContainerName”; Expression={$container.Name}},FriendlyName,ServerName,ParentName,ParentType,LastBackupErrorDetail,ProtectedItemDataSourceId,ProtectedItemHealthStatus,ProtectionStatus,PolicyId,ProtectionState,LastBackupStatus,LastBackupTime,ProtectionPolicyName,ExtendedInfo,DateOfPurge,DeleteState,Name,Id,LatestRecoveryPoint,SourceResourceId,WorkloadType,ContainerName,ContainerType,BackupManagementType

}
}

# Display the backup items in Out-GridView
$backupItems | Out-GridView

# Export the backup items to a CSV file
$backupItems | Export-CSV -Path “MSSQLBackupItemsAll.csv” -NoTypeInformation

All SQL Databases in Backup (databases that still exist):

# Import necessary modules
# Import-Module Az
# Connect-AzAccount
# Login to Azure account

# Get all Recovery Services Vaults
$recoveryVaults = Get-AzRecoveryServicesVault

# Initialize an array to hold backup items
$backupItems = @()

# Enumerate all Recovery Services Vaults
foreach ($vault in $recoveryVaults) {
# Set the context to the current vault
#Set-AzRecoveryServicesVaultContext -Vault $vault

# Get all backup containers in the current vault for MSSQL
$containers = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $vault.ID
#echo “——— containers ——–”
#echo $containers
#echo “—————————–”
# Enumerate all backup containers
foreach ($container in $containers) {
# Get all backup items in the current container for MSSQL
$items = Get-AzRecoveryServicesBackupProtectableItem -Container $container -WorkloadType MSSQL -ItemType “SQLDataBase” -VaultId $vault.ID
echo “——— items ——–”
echo “vault :”+$vault.Name
echo “Container:”+$container.Name
echo “Items: :”+$items.FriendlyName
echo “—————————–”

# Add the backup items to the array, renaming the existing ContainerName property
$backupItems += $items | Select-Object @{Name=”VaultName”;Expression={$vault.Name}}, @{Name=”ResourceGroupName”;Expression={$vault.ResourceGroupName}}, @{Name=”BackupContainerName”;Expression={$container.Name}}, `
FriendlyName, ProtectionState, ProtectableItemType, ParentName, ParentUniqueName, ServerName, `
IsAutoProtectable, IsAutoProtected, AutoProtectionPolicy, Subinquireditemcount, Subprotectableitemcount, `
Prebackupvalidation, NodesList, Name, Id, WorkloadType, ContainerName, ContainerType, BackupManagementType
}
}

# Display the backup items in Out-GridView
$backupItems | Out-GridView

# Export the backup items to a CSV file
$backupItems | Export-CSV -Path “MSSQLBackupItemsExisting.csv” -NoTypeInformation

If we query for AppID from Log Analytics,  like:

MicrosoftGraphActivityLogs

| summarize NumberOfRequests=count() by AppId

| order by NumberOfRequests desc

we usually need to combine it with the Application name.

So we need to export all Enterprise Applications and App Registrations to csv from:

• https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null
• https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps

Do not forget about Managed Identities, you can do it by this query:

resources

| where type =~ ‘Microsoft.ManagedIdentity/userAssignedIdentities’

| project name, principalId = properties.principalId, clientId = properties.clientId

Make from all of them file AppIDList.csv like:

We need to upload this file to a storage account so that it is publicly accessible.

And finally, we can make a query that combines AppID with the corresponding name, so we can execute:

let ApplicationInformation = externaldata (ApplicationName: string, AppId: string, Reference: string ) [h”https://xxxx.blob.core.windows.net/xxx-allapplicationslist/xxx.csv”] with (ignoreFirstRecord=true, format=”csv”);

MicrosoftGraphActivityLogs

| summarize NumberOfRequests=count() by AppId

| lookup kind=leftouter ApplicationInformation on $left.AppId == $right.AppId

| order by NumberOfRequests desc

| project AppId, ApplicationName, NumberOfRequests

So finally we got AppID and the Application Name.

Sample Event Driven application – that uses Storage Account as a input than trigger Azure Function, uses Computer Vision and store information in CosmosDB. All with help of Event Grid.

Full source code: https://github.com/MariuszFerdyn/Build-and-deploy-serverless-apps-with-Azure-Functions-and-Azure-AI

Complete solution for using Azure Form Recognizer / Document Intelligence Studio.

Source code used in this Lab:

https://github.com/MariuszFerdyn/AzureAI-Document-Intelligence-Studio—Form-Recognizer

One of the common feature request for Azure Devops is to have a custom messages in emails. It could be great feature, but currently we have some options – so let’s see them one by one.

The code:

produces the following report (we see the message), and email (we see the message):

The code:

produces the following report (we see the message), and email (we do not see the message):

The code:

produces the following report (we see the message), and email (we see the message):

Learn how you can build your own copilots with Microsoft Copilot Studio. In this workshop you’ll learn how Copilots can be created for use across the business. You’ll also see how you can create custom plug ins that can integrate with custom solutions. We’ll then show you how you can use Generative AI for even more intelligent responses.

The source code used in example:

https://github.com/MariuszFerdyn/Build-your-own-Copilots-with-Microsoft-Copilot-Studio

Remediation script:

# Define the new user’s username and password
$newUsername = “mfmfmf”
$newPassword = ConvertTo-SecureString “xxxx” -AsPlainText -Force

# Create the new local user
New-LocalUser -Name $newUsername -Password $newPassword -FullName “New User” -Description “This is a new user account.”

# Optionally, add the user to a group (e.g., Administrators)
Add-LocalGroupMember -Group “Administrators” -Member $newUsername

# Output a success message
Write-Output “User $newUsername has been created successfully.”

On machine where you see trust relationship is broken, log in using last credentials, but without network. In this way it should be possible. We are saving them to avoid storing AD credentials in Intune.

• Save locally the variables with permissions to reset password using this script:

$adminUsername=”xxxx\adjoinuser”
$adminPassword=”xxx”
#$cred = New-Object PSCredential $adminUsername, ($adminPassword | ConvertTo-SecureString -AsPlainText -Force)
New-Item -ItemType Directory c:\aaaa
Get-Variable admin* | Export-Clixml c:\aaaa\vars.xml
#Import-Clixml c:\aaaa\vars.xml | %{ Set-Variable $_.Name $_.Value }

• Create Intune script:
  
  • Detection script:

  • exit 1

  • Remediation script:

  • Import-Clixml c:\aaaa\vars.xml | %{ Set-Variable $_.Name $_.Value }
    #$adminUsername
    #$adminPassword
    $cred = New-Object PSCredential $adminUsername, ($adminPassword | ConvertTo-SecureString -AsPlainText -Force)
    Test-ComputerSecureChannel -Repair -Credential $cred

• Assigned to created group with machine name and/or with affected username
• After executing the script via Intune trust relationship should be fixed

You can also do this in this way, all in Intune Script but password will be stored in Intune, but without any access to affected machine

• Remediation script:

$adminUsername=”xxxx\adjoinuser”
$adminPassword=”xxx”
$cred = New-Object PSCredential $adminUsername, ($adminPassword | ConvertTo-SecureString -AsPlainText -Force)
Test-ComputerSecureChannel -Repair -Credential $cred

As you probably notice there is no GUI to export the Variables Groups, but there is a very nice API that can be called directly from your browser. So simply call

https://dev.azure.com/{organization}/{project}/_apis/distributedtask/variablegroups?api-version=5.0-preview.1

like:

https://dev.azure.com/xxx/AppGeatewyBicep/_apis/distributedtask/variablegroups?api-version=5.0-preview.1

It display all the Variables Groups in Azure DevOps like:

To display one Variable Group and Export it use this:

https://dev.azure.com/{organization}/{project}/_apis/distributedtask/variablegroups/{groupId}?api-version=5.0-preview.1

like

https://dev.azure.com/xxx/AppGeatewyBicep/_apis/distributedtask/variablegroups/4?api-version=5.0-preview.1

More info here.

VNet Flow Logs is a successor of NSG Flow Logs that works not in NSG context, but inside VNETs whats give us a better view. If you put consolidated logs to the Log Analytics Workspace there are some advantages also:

NSG Flow logs goes to AzureNetworkAnalytics_CL table that can not be exported, so can not be a part of Event Hub solution.

VNet Flow logs goes to NTANetAnalytics table, and this table can be exported to Event Hub solution.

We’re building a music recommendation service where users will be able to search and select from a set of songs, and the system will recommend similar songs to them. Below is a depiction of the architecture:

The application is composed of four different components:

• A Azure Container Apps (ACA) Jupyter Environment which teaches about and produces embeddings for our library of 11,000 songs.
• A Qdrant ACA Add-On Vector DB which stores embeddings (think of them as fingerprints) and produces our recommendations based on them.
• A ACA API app which brokers the data between the frontend UI and the vector database.
• A ACA Frontend app which provides the user-facing UI to interact with the recommendation service.

The overall intention of this application is for the user to learn about vector databases. Hence the process of deploying this application is broken up into two parts.

In part one we play the role of a data scientist or ML engineer. We will familiarize ourselves with the process of generating embeddings for our song data. This part completes when we’ve stored our embeddings in our vector database.

In part two we play the role of an application engineer and turn the stored embeddings data into a recommendation service by adding a API and frontend.

Step by Step Deployment:

az login

az provider register -n Microsoft.OperationalInsights –wait &&
az provider register -n Microsoft.ServiceLinker –wait &&
az provider register -n Microsoft.App –wait

export LOCATION=westus2
export RG=music-rec-service
export ACA_ENV=music-env
export NOTEBOOK_IMAGE=mafamafa/aca-music-recommendation-notebook
export BACKEND_IMAGE=mafamafa/aca-music-recommendation-backend
export FRONTEND_IMAGE=mafamafa/aca-music-recommendation-frontend

# create the resource group
az group create -l $LOCATION –name $RG

az containerapp env create –name $ACA_ENV –resource-group $RG –location $LOCATION –enable-workload-profiles

## Create the vector db add-on
az containerapp add-on qdrant create –environment $ACA_ENV –resource-group $RG –name qdrant

# add a workload profile for the large Jupyter image
az containerapp env workload-profile add –name $ACA_ENV –resource-group $RG –workload-profile-type D8 –workload-profile-name bigProfile –min-nodes 1 –max-nodes 1

az containerapp create –name music-jupyter –resource-group $RG –environment $ACA_ENV –image $NOTEBOOK_IMAGE –cpu 4 –memory 16.0Gi –workload-profile-name bigProfile –min-replicas 1 –max-replicas 1 –target-port 8888 –ingress external –bind qdrant

az containerapp logs show -g $RG -n music-jupyter | grep token

####Open in Portal music-jupyter url and put Token

####Start.ipnyb

####Import.ipnyb

# launch the backend application
az containerapp create –name music-backend –resource-group $RG –environment $ACA_ENV –image $BACKEND_IMAGE –cpu 4 –memory 8.0Gi –workload-profile-name bigProfile –min-replicas 1 –max-replicas 1 –target-port 8000 –ingress external –bind qdrant

####http://<YOUR_ACA_ASSIGNED_DOMAIN>/songs

az containerapp create –name music-frontend –resource-group $RG –environment $ACA_ENV –image $FRONTEND_IMAGE –cpu 2 –memory 4.0Gi –min-replicas 1 –max-replicas 1 –ingress external –target-port 8080 –env-vars UI_BACKEND=https://music-backend.<YOUR_UNIQUE_ID>.westus2.azurecontainerapps.io

 

GPU:

# create the environment first
az containerapp env create –name $ACA_ENV –resource-group $RG –location $LOCATION –enable-workload-profiles –enable-dedicated-gpu

az containerapp create –name music-jupyter –resource-group $RG –environment $ACA_ENV –image mafamafa/aca-music-recommendation-notebook:gpu –cpu 24 –memory 48.0Gi –workload-profile-name gpu –min-replicas 1 –max-replicas 1 –target-port 8888 –ingress external –bind qdrant

Complete Microsoft Build 2024 Book of News is here.

According to the document: Here is a list of features not connected with Copilot or AI:

• Khan Academy and Microsoft Announce Partnership
• Speech Analytics, Video Dubbing in Preview in Azure AI Speech
• Introducing Real-Time Intelligence in Microsoft Fabric
• New Capabilities and Updates in Microsoft Fabric
• New Capabilities in Azure Cosmos DB
• Snowflake Apache Iceberg Shortcuts in Fabric
• Azure Compute Fleet Now in Preview
• Azure Migrate and Azure Container Storage Updates
• New Azure Virtual Machine Series
• Azure App Service Boosts Performance and Security for Web App Creation
• Azure Container Apps Launches Dynamic Sessions
• Azure Functions Launches Flex Consumption Plan, Extensions
• Azure Kubernetes Service Automatic Makes Kubernetes Adoption Easy
• New Azure Event Grid Capabilities Support IoT Solutions, Event Sources
• New Enhancements and Integrations in Azure Load Testing
• Spring Batch Support for Azure Spring Apps Enterprise in Preview
• Updates to Azure Logic Apps
• Visual Studio Code for Education Now Generally Available
• Microsoft Edge for Business Boosts Defenses Against Data Leaks, Vulnerabilities
• Real-Time Video Translation in Microsoft Edge Coming Soon
• Fluid Framework 2.0 Now in Preview
• New Enhancements for Custom App Experiences Connected to Microsoft Teams

According to the document: Here is a list of AI and Copilot features:

• Azure Patterns and Practices for Private Chatbots
• Custom Generative Mode
• Azure AI Search Features Search Relevance Updates and New Integrations
• Azure AI Studio Lets Developers Responsibly Build and Deploy Custom Copilots
• Azure OpenAI Service Features Key AI Advancements
• Khan Academy and Microsoft Announce Partnership
• Microsoft Adds Multimodal Phi-3 Model Phi-3-Vision
• Safeguard Copilots with New Azure AI Content Safety Capabilities
• Speech Analytics, Video Dubbing in Preview in Azure AI Speech
• Introducing Real-Time Intelligence in Microsoft Fabric
• New AI Capabilities in Azure Database for PostgreSQL
• New Capabilities and Updates in Microsoft Fabric
• New Capabilities in Azure Cosmos DB
• Microsoft for Startups Founders Hub Gains AI Capabilities
• New AI Features for Microsoft Learn Now Available
• Azure API Center and Generative AI Capabilities in Azure API Management Now Available
• Azure App Service Boosts Performance and Security for Web App Creation
• Azure Container Apps Launches Dynamic Sessions
• Azure Functions Launches Flex Consumption Plan, Extensions
• Azure Kubernetes Service Automatic Makes Kubernetes Adoption Easy
• Azure Service Bus Updates Now in Preview
• Azure Static Web Apps Features Dedicated Pricing Plan
• Dev Box Adds Ready-to-Code, Enterprise Management Features
• Expanding Extensibility Model to Pulumi in Azure Deployment Environments
• Introducing GitHub Copilot Extensions, Featuring GitHub Copilot for Azure
• New Azure Event Grid Capabilities Support IoT Solutions, Event Sources
• New Enhancements and Integrations in Azure Load Testing
• Spring Batch Support for Azure Spring Apps Enterprise in Preview
• Updates to Azure Logic Apps
• Visual Studio 17.10 Now Integrates GitHub Copilot
• Visual Studio Code for Education Now Generally Available
• Microsoft Copilot Capabilities in Azure
• Microsoft Copilot in Azure Preview Open to All Customers
• Copilot Studio Powering Next Wave of Copilot Experiences
• Power Automate Updates Feature AI and Process Automation
• AI Extensibility for Mesh in Preview
• Fluid Framework 2.0 Now in Preview
• New AI-Powered Features and Enhanced Data Protection in Microsoft Teams Premium
• New Enhancements for Custom App Experiences Connected to Microsoft Teams
• New Features in Microsoft Teams and Loop Help Teams Collaborate More Effectively
• Microsoft Edge for Business Boosts Defenses Against Data Leaks, Vulnerabilities
• Real-Time Video Translation in Microsoft Edge Coming Soon
• Azure Patterns and Practices for Private Chatbots
• Azure AI Search Features Search Relevance Updates and New Integrations
• Azure AI Studio Lets Developers Responsibly Build and Deploy Custom Copilots
• Khan Academy and Microsoft Announce Partnership
• Azure AI Content Safety Capabilities
• Speech Analytics, Video Dubbing in Preview in Azure AI Speech
• New AI Capabilities in Azure Database for PostgreSQL
• New Azure Virtual Machine Series Optimized for AI and Cloud-Native Workloads
• Microsoft for Startups Founders Hub Gains AI Capabilities
• New AI Features for Microsoft Learn Now Available
• Azure API Center and Generative AI Capabilities in Azure API Management Now Available
• Visual Studio 17.10 Now Integrates GitHub Copilot
• Real-Time Video Translation in Microsoft Edge Coming Soon
• AI Extensibility for Mesh in Preview
• New AI-Powered Features and Enhanced Data Protection in Microsoft Teams Premium

Both list were generated by Copilot… So the Copilot/AI everywhere!

Mark Russinovich was founder of SysInternals company with these tools like PsExec, Sysmon and other commercial tools that companies bought and used debugging Windows. In 2000 year almost every enterprise used it. Nowadays’ Microsoft Azure CTO (Chief Technology Officer).

Today’s Mark Russinovich’s top of mind projects are:

• KEDA (https://keda.sh/) – event based auto-scaler for Kubernetes, e.g. allows run Azure Functions in Azure Kubernetes Cluster.
• Dapr (https://dapr.io/) – the integrated API with the underlying resources. For instance, when you’re using the Dapr publish subscribe API, you can change the message broker by swapping out a yaml component file to switch from RabbitMQ, to Kafka (or any other supported broker), without changing your application code.
• Copa (https://project-copacetic.github.io/copacetic/website/) – Patching Container Images. open-source image vulnerability patching tool. Copa is designed for the security of the container images.
• Radius (https://github.com/radius-project/radius) – supports deploying applications across private cloud, Microsoft Azure, and Amazon Web Services.

Windows Server 2025 What’s New in Active Directory and not only:

• RTM in April 2024 (Microsoft Build Conference?)
• Domain/Forest level 2025
• 32K instead 8K page size (speed)
• NUMA Support
• Replication Priority
• Kerberos AES-SHA2
• Deprecating NTLM
• IAKerb (Local KDC)
• DC Locator Improvements
• LDAP improvements e.g. confidential attributes
• SMB auth limiter
• SMB Signing required
• SMB over QUIC
• SMB alternate ports
• SMB mandate encryption

See all of them on YouTube (Lets use Copilot to do recap):

• http://aka.ms/ADTT32kPagesDemo
• http://aka.ms/ADTTNumaDemo
• http://aka.ms/ADTTDCLocatorDemo
• http://aka.ms/ADTTDmsaDemo
• http://aka.ms/ADTTLsalookupDemo
• http://aka.ms/ADTTDCLocPerfDemo
• http://aka.ms/ADTTLdapPerfDemo
• https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704
• https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509

Windows Server 2025 – try it now:

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver

It was a total surprise for me… without any warning… just info from: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide

July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0

• Other fixes and improvements
  • From this version, enforcementLevel are in passive mode by default giving admins more control over where they want ‘RTP on’ within their estate
  • This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010

July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0

Available in Defender for Endpoint version 101.10.72 or higher. Default is changed from real_time to passive for Endpoint version 101.23062.0001 or higher.

• Passive (passive): Runs the antivirus engine in passive mode. In this:
  • Real-time protection is turned off: Threats are not remediated by Microsoft Defender Antivirus.
  • On-demand scanning is turned on: Still use the scan capabilities on the endpoint.
  • Automatic threat remediation is turned off: No files will be moved and security admin is expected to take required action.
  • Security intelligence updates are turned on: Alerts will be available on security admins tenant.

Interesting fix and improvement… it means that eventually the attacker will be not blocked… So if you deploy MDE after July please check your settings. The good question is how… Microsoft is talking about Ansible, Puppet, and Chef for managing the defender.

The other option can be Azure RunCommand (via Azure Devops / Azure Automation / Auzre Function):

$vm=”$(VM)”
write-host $vm
Invoke-AzVmRunCommand -ResourceGroupName “$(ResourceGroupName)” -VMName $vm -CommandId “RunPowerShellScript” -ScriptPath “$(System.DefaultWorkingDirectory)\_project\scripts\xxx.ps1”

Or the future is manage at scale by using Azure Policy Guest Configuration.

https://cloudbrothers.info/en/azure-persistence-azure-policy-guest-configuration/

Unfortunately, I was not able to find ready to use Policy. So we need to write our own (How to install the machine configuration authoring module – Azure Automanage | Microsoft Learn), what can be not so easy, but stay tuned…

Create Google Organization:

GCP Account must be a part of the organization – not a “No Organization”, you can create a new one, but it must be an owner internet domain.

You can follow:

https://workspace.google.com/gcpidentity/signup?sku=identitybasic

If you have an organization you can move the existing account to it: https://cloud.google.com/identity/docs/set-up-cloud-identity-admin#migrate-projects-and-billing-accounts-and-set-permissions

1. Add billing administrator account principal from organization.
2. Add owner account principle from the organization
3. You must accept emails.

Activate Terraform API:

Just visit in GCP and activate Cloud Resource Manager API:

https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com

Install Terraform:

curl https://apt.releases.hashicorp.com/gpg | gpg –dearmor > hashicorp.gpg

sudo install -o root -g root -m 644 hashicorp.gpg /etc/apt/trusted.gpg.d/

sudo apt-add-repository “deb [arch=$(dpkg –print-architecture)] https:// apt.releases.hashicorp.com $(lsb_release -cs) main”

sudo apt install terraform

terraform –version

Prapare GCP to Send data to the Azure Sentinel:

mkdir pubsub

cd pubsub/

wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf

export GOOGLE_PROJECT=angelic-hold-403608

gcloud auth application-default login

gcloud config set project angelic-hold-403608

export GOOGLE_APPLICATION_CREDENTIALS=/root/cred.json

where cred.json – are json of credentials downloaded from service account: https://console.cloud.google.com/iam-admin/serviceaccounts

terraform init

terraform apply

In case of error:

Error: Error creating WorkloadIdentityPoolProvider: googleapi: Error 404: Requested entity was not found.

Just retry the terraform apply it is because google API is activated during first time of use.

Create App registration in Azure:

Log in to Azure and Browse to Identity > Applications > App registrations then select New registration.

Only redirect should be composed as:

https://auth.cloud.google/signin-callback/locations/global/workforcePools/50ea0418683d400787fbc13c8f6b5d0b/providers/sentinel-identity-provider

The 50… value is from Terraform Output.

Create the pub-sub resources:

cd ..

mkdir pubsub2

cd pubsub2

wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPAuditLogsSetup/GCPAuditLogsSetup.tf

terraform init

terraform apply

or for entire GCP organization

terraform apply -var=”organization-id={organizationId}”

Create Sentinel Connector:

Visit https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel

Open Sentinel you want to send the logs

Open Content Hub

Select Data connectors

Install the following:

Make sure that data connectors subpage displays “GCP Pub/Sub Audit Logs data connector ingested from Sentinel’s connector”:

Configure the connector

Open Data Connector click refres select GCP Pub/Sub Audit Logs and Open Connector Page.

Click add new connector and provide details from terraform outputs.

e.g.:

After configuration it should be like:

Test de connection

After 1 hour open log analytics and issue KQL query:

GCPAuditLogs

You should see some logs from your GCP projects, like:

More info:

https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform

https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#azure

https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started

If you want to build your solution you should follow this manual for creating Codeless GCP Connectors: https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector

The source code for the connector: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs

The solution is based on a Managed App – so be familiar with: https://rzetelnekursy.pl/azure-managed-application/

Sample Output from Terraform (it should look like):

Plan: 7 to add, 0 to change, 0 to destroy.

Changes to Outputs:

+ An_output_message = “Please copy the following values to Sentinel”

+ GCP_project_id = “angelic-hold-403608”

+ GCP_project_number = “310859431933”

+ Identity_federation_pool_id = “50ea0418683d400787fbc13c8f6b5d0b”

+ Identity_federation_provider_id = “sentinel-identity-provider”

+ Service_account_email = “sentinel-service-account@angelic-hold-403608.iam.gserviceaccount.com”

Do you want to perform these actions?

Terraform will perform the actions described above.

Only ‘yes’ will be accepted to approve.

Azure Reservations helps you save money with 1- or 3-year plans for many products. The pledge allows you to get a discount on the resources you use. Reservations can significantly reduce resource costs by up to 72% compared to pay-as-you-go pricing. Reservations provide a billing discount and do not impact the runtime state of your resources. The booking discount will be automatically applied to the matching inventory once the booking is purchased.

You can pay for your reservation in advance or in monthly installments. The total booking cost for prepaid and monthly installments is the same, and there are no additional charges for choosing monthly payments.

In short, we say that we need a given resource, e.g. a virtual machine, for 3 years and we undertake to maintain it for 3 years, or rather we undertake to pay for 3 years for which we receive a discount.

At this point, there are different strategies for selecting a reservation, the two most important ones are:

• First, run something in production, keep it in production for e.g. a month, and if you are sure about the size, buy reservations. If you change the size of the resource, you are removed from the reservation and pay normally.
• Always buy 10% plus 1 fewer reservations than you need, so if you have to turn something off you won’t lose anything.
• Remember that server-less and turning off (not production) outside working hours gives more profit than reservations.

What will happen if we choose the wrong reservation? Or do we no longer need a reservation? It depends on your cloud provider…. If you pay millions for subscriptions, there will be no problem with any provider. But if your bill is up to EUR 20,000, this may be a problem.

In this case, Microsoft Azure rose to the challenge (monthly bill of up to EUR 2,000 for subscriptions) and after reporting our intention to resign, we received the following e-mail:

Which unfortunately didn’t work out with another well-known cloud service provider. As the case is ongoing, I will not say which one…

Oficjalna dokumentacja mówi
Rezerwacje platformy Azure pomagają zaoszczędzić pieniądze dzięki rocznym lub 3-letnim planom dla wielu produktów. Zobowiązanie umożliwia uzyskanie rabatu dotyczącego używanych zasobów. Rezerwacje mogą znacznie obniżyć koszty zasobów, nawet o 72% w porównaniu do cen przy płatności zgodnie z rzeczywistym użyciem. Rezerwacje umożliwiają skorzystanie z rabatu na rozliczenia i nie mają wpływu na stan środowiska uruchomieniowego Twoich zasobów. Rabat na rezerwację zostanie automatycznie zastosowany do pasujących zasobów po zakupie rezerwacji.

Za rezerwację można zapłacić z góry lub w miesięcznych ratach. Łączny koszt rezerwacji w przypadku płatności z góry i miesięcznych rat jest taki sam, a wybór płatności miesięcznych nie pociąga za sobą dodatkowych opłat.

Mówiąc, krótko mówimy, że potrzebujemy dany zasób np. maszynę wirtualną na 3 lata i zobowiązujemy się ja utrzymać przez 3 lata a raczej zobowiązujemy się płacić przez 3 lata za co otrzymujemy rabat.

W tym momencie różne są strategie dobrania rezerwacji, dwie najważniejsze:

•  Najpierw uruchom coś produkcyjnie utrzymuj np. miesiąc produkcyjnie i jak jesteś pewien co do wielkości kup rezerwacje. Jeżeli zmienisz wielkość zasobu wypadasz z rezerwacji i płacisz normalnie.
• Zawsze kup o 10% plus jeden mniej rezerwacji niż potrzebujesz, wówczas jak będziesz musiał coś wyłączyć nie będziesz stratny.
• Pamiętaj, że server-less i wyłączanie (nie produkcji) poza godzinami pracy daje większy zysk niż rezerwacje.

Co się stanie jeżeli jednak dobierzemy złą rezerwacje? Albo już więcej nie potrzebujemy rezerwacji? To już zależy od Twojego dostawcy chmury…. Jeżeli płacisz miliony za subskrypcje – z każdym z dostawców nie będzie problemu. Ale jeżeli twój rachunek jest do 20k Euro – to już może być problem.

W tym przypadku – Microsoft Azure stanął na wysokości zadania (miesięczny rachunek do 2000 euro za subskrypcje) i po zgłoszeniu chęci rezygnacji dostaliśmy takiego maila:

Co niestety nie udało się z innym znany dostawcą usług chmurowych. Jako, że sprawa w toku nie podam jakim….

Official documentation says

In this lab, you will get a hands-on experience and learn how you can get started building plug-ins for Microsoft 365 Copilot.

Exercise 1 – Download Source Code and Install and set up Teams Toolkit for Visual Studio Code
Exercise 2 – Run sample app
Exercise 3 – Run the app in Microsoft Copilot for Microsoft 365

Follow the source-code.

In this lab, you earn how to automate testing for cloud-native applications using our sample app Contoso Traders.

You can see, how to protect and classify your sensitive data in Microsoft 365.
Exercise 1 – UI tests with Playwright – Great tool
Exercise 2 – Azure Load Testing
Exercise 3 – Azure Chaos Studio

Follow the source-code.

In this lab, you see steps how to incorporate Kubernetes, Dapr, KEDA, Bicep, using Github Copilot to sample app.

You can see, how to protect and classify your sensitive data in Microsoft 365.
Exercise 1 – Explore GitHub Codespaces
Exercise 2 – Run PetSpotR in a GitHub Codespace
Exercise 3 – Use GitHub Copilot to add Dapr to the frontend
Exercise 4 – Use Bicep to model your infrastructure as code

Follow the source-code.

In this lab, you see steps on the right and executions. No comments, so must get knowledge from external sources, e.g. step by step on GitHub.

You can see, how to protect and classify your sensitive data in Microsoft 365.
Exercise 1 – Manage Compliance Roles
Exercise 2 – Manage Sensitive Information Types
Exercise 3 – Manage Sensitivity Labels
Exercise 4 – Manage DLP Policies
Exercise 5 – Configure Insider Risk Management

Follow: https://github.com/MicrosoftLearning/SC-400T00A-Microsoft-Information-Protection-Administrator/tree/master/Instructions/Demos/Ignite%202023

Azure Active Directory B2C can be a great solution as a Identity Provider. Here is a quick PowerShell Script that export all users from Azure Active Directory B2C.

#https://github.com/cljung/AzureAD-B2C-scripts
$ApplicationID = “xxx”
$TenatDomainName = “xxx”
$AccessSecret = “xxx”

 

$Body = @{
Grant_Type = “client_credentials”
Scope = “https://graph.microsoft.com/.default”
client_Id = $ApplicationID
Client_Secret = $AccessSecret
}

$ConnectGraph = Invoke-RestMethod -Uri “https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token” -Method POST -Body $Body

$token = $ConnectGraph.access_token

$GrapUrl = ‘https://graph.microsoft.com/v1.0/users/?$select=id,displayName,mail,otherMails,EmailAddresses’
$GrapUrl = ‘https://graph.microsoft.com/v1.0/applications/fea0ec14f6364d3790b1c72b82bd0a00/extensionProperties’
$GrapUrl = ‘https://graph.microsoft.com/v1.0/applications’

Write-Host ‘———————————————————————————————————————————————–‘
Write-Host ‘—————————————————– B2C App Id ——————————————————————————‘
Write-Host ‘———————————————————————————————————————————————–‘
Write-Host ‘ — AppName — ‘
(Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Uri $GrapUrl -Method Get).value.displayName+” — appID — “+(Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Uri $GrapUrl -Method Get).value.appId+” — Id — “+(Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Uri $GrapUrl -Method Get).value.Id
Write-Host ‘———————————————————————————————————————————————–‘
Write-Host ‘—————————— The Custom fields taken from b2c-extensions-app Id (last outputs) not appId ————————————‘
Write-Host ‘———————————————————————————————————————————————–‘
$GrapUrl = ‘https://graph.microsoft.com/v1.0/applications/2834a576-f992-44ab-b5f5-31703ba491f1/extensionProperties’
(Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Uri $GrapUrl -Method Get).value
Write-Host ‘———————————————————————————————————————————————–‘
Write-Host ‘————————————————– All Users —————————————————————————‘
Write-Host ‘———————————————————————————————————————————————–‘
$GrapUrl = ‘https://graph.microsoft.com/v1.0/users/?$select=identities,displayName,mail,otherMails,id,userType,creationType,accountEnabled,createdDateTime,creationType,lastPasswordChangeDateTime,mailNickname,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,displayName,extension_a0a23b3b4e404f2ba6e711d151e13811_Level1PlayerWeight,extension_a0a23b3b4e404f2ba6e711d151e13811_Level1PlayerHeight,extension_a0a23b3b4e404f2ba6e711d151e13811_Level1PlayerSchool’
(Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Uri $GrapUrl -Method Get).value|Format-List

The better view can be in GitHub.

You can also create an Excel with Microsoft Graph queries to display them as here.

Next step is PowerBI report with all users.

Some Microsoft docs.

https://jwt.ms page can be very helpfully in debugging.

When you create a new Ubuntu VM instance and you try to connect via web browser you can see:

SSH authentication has failed

In logs you can see:

google_guest_agent[734]: Creating user admin.
google_guest_agent[734]: ERROR non_windows_accounts.go:144 Error creating user: useradd: group admin exists – if you want to add this user to that group, use -g..

The solution is just add Automation script with the following:

#! /bin/bash
useradd -m -G sudo mf
echo ‘mf:Pa##w0rd’ | chpasswd
sed -i “/^[^#]*PasswordAuthentication[[:space:]]no/c\PasswordAuthentication yes” /etc/ssh/sshd_config
service sshd restart

Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

Sets the force tunneling from Azure to on-premise. But just after sometime you lost connection at all. The solution can be just restart the virtual network gateway double, even if you see traffic selectors mismatch.

More info: https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-tunneling

After you configure your first ADFS application like here:

You can Do it as a multi tenant application using this scenario:

Step by step described here:

https://blog.matrixpost.net/creating-an-ad-fs-federation-trust-between-two-organizations/