Azure AD Identity Protection Overview Part 1 Today I want to talk about Azure AD Identity Protection. In the first part of this blog I’m going to give an overview of what Azure AD Identity Protection does and cover 2 of the 3 policies it provides. I’ll cover the 3rd in a follow-up post. Azure AD Identity Protection calculates a risk score for suspicious actions by your users. This could be when they sign in, or when they carry out actions that seem abnormal when compared with their usual behaviour.
In part one of this series on Private Link I talked about the Private Endpoint and how it allows you to consume PaaS services via a private IP (read more here). Private Link has a second component, Private Link Service, which can be used to expose services deployed on your VNET to others, who consume them through their own Private Endpoint. One of the key things that I covered in the previous post is that Private Endpoints work across subscriptions and Azure AD tenants, and will eventually work across regions.
Microsoft recently announced Azure Private Link as a preview, available initially across 6 regions in the US (East/South Central/North Central/West Central/West and West US 2). I’m going to drill into what Private Link is and why you might want to use it. What is it? First off, what is Private Link? Well, there are actually 2 different elements that make up Private Link: Private Endpoint and Private Link Service. I’m going to touch on Private Endpoint in this post and will then follow up with a post on Private Link Service, as the Private Endpoint is a substantial topic on its own.
So around a year ago I gave my first impressions on Azure Firewall, which had just been released as a preview. An update is long overdue on my part on how this service has evolved over the last year. Like everything in the cloud, the pace of change is rapid. When I first wrote about Azure Firewall I concluded it was a welcome addition but lacked some key features; well, this is no longer the case.
Background For a long time, sharing custom OS images between Azure subscriptions has been a painful, time-consuming process. Thankfully Microsoft have addressed that with the introduction of Shared Image Gallery (SIG). However, the SIG is only as useful as the tools that can consume it, and with SIG still in preview, some tools are not yet able to leverage it. The Microsoft team that manages the Jenkins Azure VM Agents plugin, though, have been quick to update the plugin to support the SIG.
Towards the end of 2018 Microsoft announced that Azure MFA (the cloud offering) would support both hard tokens and up to 5 devices per user. Some enterprises still like hard tokens; these can be especially useful for break-glass account types, where you can store the token in a secure physical location. Supporting multiple tokens can help ensure the account doesn’t get locked out if a token gets damaged, though it does put an emphasis on keeping every issued token secure, since each one is a valid second factor.
Azure Application Insights is an Application Performance Management (APM) service that you can use to identify runtime exceptions, performance issues and alert on application health. You can integrate it with DevOps to provide a mechanism to rapidly identify issues that can be experienced with rapid and frequent deployment of code. It has a ton of functionality, and I can’t do it justice in this blog post, so go read more about it here!
Update… This article is out of date and no longer accurate; feel free to read it, but then please see this post for updates on Azure Firewall one year on… Microsoft has released the first native Azure Firewall service to public preview. I’ve taken some time to spin one up and play with it and thought I’d share my initial thoughts. So what is Azure Firewall? Firstly, it is sold as a service, so you don’t have to spin up any infrastructure to host it, you don’t need to patch it, and HA and scalability are baked into the service.
Want to know the size of your Azure VM but don’t have access to Azure? Well, if you have access to the VM itself (RDP/SSH or a remote script) then the Azure Instance Metadata Service (IMDS) is the solution: it is a link-local HTTP endpoint that can be queried from a running VM about itself. This is very useful if you don’t have access to Azure via the Portal, CLI or PowerShell. Off the top of my head I can think of a few scenarios where this could be very useful:
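As an added example (not code from the original post), the following Python script shows the query the post describes: a GET to the IMDS link-local address with the mandatory `Metadata: true` header, made with proxies bypassed (IMDS is not reachable through a proxy), and a small summariser that pulls the VM size and a few related fields out of the response. The `SAMPLE_RESPONSE` JSON is constructed to look like the documented `compute` section so the parsing can be run anywhere; the live call only succeeds from inside an Azure VM.

```python
"""Query the Azure Instance Metadata Service (IMDS) from inside a VM.

Added example, not from the original post. Endpoint, header and api-version
are the documented IMDS ones; SAMPLE_RESPONSE is constructed test data.
"""
import json
import urllib.request

# IMDS is only reachable on this link-local address from the VM itself.
IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"


def fetch_instance_metadata(url: str = IMDS_URL, timeout: float = 2.0) -> dict:
    """Call IMDS and return the decoded JSON document.

    Two details matter for security and reliability:
    - The 'Metadata: true' header is required; IMDS rejects requests without
      it, which also defeats naive SSRF relays that cannot set headers.
    - Proxies must be bypassed. urllib honours HTTP_PROXY by default, so an
      empty ProxyHandler is installed to force a direct connection.
    Raises urllib.error.URLError when run outside an Azure VM.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with opener.open(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize(metadata: dict) -> dict:
    """Extract the fields an operator without portal access usually wants.

    Missing keys map to None rather than raising, so the function is safe on
    partial or older-api-version responses.
    """
    compute = metadata.get("compute", {})
    return {
        "vmSize": compute.get("vmSize"),
        "location": compute.get("location"),
        "resourceGroup": compute.get("resourceGroupName"),
        "subscriptionId": compute.get("subscriptionId"),
        "osType": compute.get("osType"),
        "name": compute.get("name"),
    }


# Constructed sample shaped like the 'compute' section of an IMDS response.
# Values are placeholders, not taken from any real VM.
SAMPLE_RESPONSE = json.dumps({
    "compute": {
        "location": "westeurope",
        "name": "example-vm01",
        "osType": "Linux",
        "resourceGroupName": "rg-example",
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "vmSize": "Standard_D2s_v3",
    },
    "network": {"interface": []},
})


if __name__ == "__main__":
    try:
        data = fetch_instance_metadata()
    except Exception as exc:  # not on an Azure VM, or IMDS blocked
        print(f"IMDS not reachable ({exc}); showing constructed sample instead")
        data = json.loads(SAMPLE_RESPONSE)
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

Run it on the VM as any local user; no Azure credentials are needed, which is exactly the point of the post and also why anything that can make HTTP requests from the VM (a web app with an SSRF bug, for instance) can read the same data.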
Fun with Azure Functions and DriveAlreadyExists. I’ve recently been working with Azure Functions to automate tasks; serverless compute is great for this, just write the code and let Microsoft worry about the infrastructure it’s running on! No need to worry about patching, scalability or high availability, that’s all taken care of for you. In this particular instance I was using PowerShell as the language of choice and using it to connect to Azure AD.