/u/MohnJaddenPowers

Can you automate emailing price sheets & usage reports from the EA portal?

We’ve got 16 Azure subscriptions under an EA. Every month, our billing people need to get the price sheet and usage report for the previous month so they can do internal chargeback stuff.

They have some new users, and we’re trying to avoid giving people read-only admin access to EA. Without that, they can’t log in and get those reports. The reports and formats they come in don’t have a counterpart in Cost Management, so that’s out.

Is there some way for us to set up an automated email or other means for them to get the price sheet and reporting? I’ve worked with our Azure DSE and they mentioned there wasn’t really a way to have these emailed directly. I found EA Portal API documentation but these are non-technical users and we’re not allowed to save keys to local machines, so I can’t just have them install Postman and double-click a shortcut to run it. Plus I can’t quite find out how I could just run the GET commands for a previous calendar month.

Is there some way to accomplish getting these people the sheets without them logging into the portal?

submitted by /u/MohnJaddenPowers
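On the "previous calendar month" part of the question: the month boundaries are easy to compute without any date arithmetic special cases, and once the process runs in an Automation runbook or Function under a managed identity, nobody needs a key on a workstation; a Logic App can then mail the resulting files. The following Python is an added example, not code from the post or from Microsoft. It assumes the Consumption REST endpoints, api-version and usageStart/usageEnd filter shape shown here match the current Azure reference (verify that before relying on it), and the billing account id is a placeholder.

```python
from datetime import date, timedelta
from typing import Tuple
from urllib.parse import quote


def previous_month_range(today: date) -> Tuple[date, date]:
    """First and last day of the calendar month before `today`.

    Stepping back one day from the first of the current month lands on the
    last day of the previous month, so January rolling back to December of
    the prior year needs no special case.
    """
    last_day_prev = today.replace(day=1) - timedelta(days=1)
    return last_day_prev.replace(day=1), last_day_prev


def usage_details_url(billing_account_id: str, start: date, end: date) -> str:
    """Usage details for one EA billing account over [start, end].

    Assumption: endpoint, api-version and the usageStart/usageEnd $filter
    follow the Azure Consumption REST reference; confirm before relying on it.
    """
    base = (
        "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/"
        f"{billing_account_id}/providers/Microsoft.Consumption/usageDetails"
    )
    flt = (
        f"properties/usageStart ge '{start.isoformat()}' "
        f"and properties/usageEnd le '{end.isoformat()}'"
    )
    return f"{base}?api-version=2019-10-01&$filter={quote(flt)}"


def price_sheet_url(billing_account_id: str) -> str:
    """Price sheet for the same billing account (same assumption as above)."""
    return (
        "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/"
        f"{billing_account_id}/providers/Microsoft.Consumption/pricesheets/default"
        "?api-version=2019-10-01"
    )


if __name__ == "__main__":
    # Placeholder id: the real enrollment/billing account id comes from the portal.
    start, end = previous_month_range(date.today())
    print(usage_details_url("<billing-account-id>", start, end))
    print(price_sheet_url("<billing-account-id>"))
```

The runbook would call these two URLs with a token from the managed identity, write the responses to CSV, and hand them to the mail step; the identity only needs billing reader rights, so no user gets EA portal access.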

Can a Policy definition audit whether a subscription is in a Management Group?

Another infosec ask: all Azure subscriptions need to be within a Management Group that fits their geography (US or Non-US) and use case (dev, non-prod, prod). All our MGs are within other MGs, so as long as something is at the Global MG, it’s fine.

Can we audit this with Policy? I figure we can just have an Audit effect for anything that exists at the default root Management Group, but it’d be great if we can have policy check and say “yes, this subscription is within the MG tree that has Global at the top, you’re good”.

submitted by /u/MohnJaddenPowers

Can a subnet (not an entire vnet) be added as an exception to a Policy assignment?

I’ve got an Azure Policy that defines and enforces specific NSGs for all vnet subnets. We have four subnets in four different vnets that need to be exempted from the policy. The Exceptions part of the policy assignment only lets me drill down to a vnet for an exception, not the subnets.

Is there a way to accomplish this or do we have to set up exceptions for the entire vnet?

submitted by /u/MohnJaddenPowers

Is there some kind of VM/Batch compute capacity issue for standard_h16 VMs in East US?

Over the weekend, we had around 250ish VMs fail to power on when they were triggered by automation. We got an error for each one that allocation had failed due to insufficient capacity in the region. One of our major Batch pools also failed to resize due to the same error.

These started on Friday and have recurred again as recently as 1 PMish Eastern time today. All the VMs and Batch accounts/pools in question are in East US and all are standard_h16 SKU.

Is something up in East US? Service Health doesn’t show any issues.

submitted by /u/MohnJaddenPowers

int type in ARM template doesn’t recognize the minValue and maxValue properties despite them being there

I’ve got a template that deploys a new resource group via New-AzSubscriptionDeployment. It’s worked before, as far as I can recall. However, when I run it, I get an error that the template validation failed, expected Integer, actual String.

I only have one integer value, everything else is strings. That value is calling out the minValue and maxValue fields that it must be of an integer type. They’re in a type:int.

Anyone know what my issue is here?

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "businessUnit": {
      "type": "string",
      "metadata": { "description": "Acronym of the business unit" }
    },
    "departmentNameOrAcronym": {
      "type": "string",
      "metadata": { "description": "Name of team or department" }
    },
    "functionOrUseCase": {
      "type": "string",
      "metadata": { "description": "Function or use case" }
    },
    "prodNonProd": {
      "type": "string",
      "allowedValues": [ "P", "NP" ],
      "metadata": { "description": "P or NP" }
    },
    "increment": {
      "type": "int",
      "minValue": "01",
      "maxValue": "99",
      "defaultValue": 1,
      "metadata": { "description": "Incremented number - 01, 02, etc." }
    },
    "resourceGroupLocation": {
      "type": "string",
      "allowedValues": [ "eastus", "westus", "southcentralus" ],
      "metadata": { "description": "Location for the Resource Group - eastus, westus, or southcentral" }
    },
    "principalId": {
      "type": "string",
      "metadata": { "description": "Azure AD Security Group to receive access" }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": { "description": "RBAC roleDefinition GUID to apply to the resourceGroup - default is b24988ac-6180-42a0-ab88-20f7382dd24c, which grants Contributor." }
    },
    "technicalContact": {
      "type": "string",
      "metadata": { "description": "List of comma-separated user names to be technical contacts. Do not use spaces. Terminate the list with a comma." }
    },
    "costCenter": {
      "type": "string",
      "metadata": { "description": "Cost center code" }
    }
  },
  "variables": {
    "resourceGroupName": "[concat(parameters('businessUnit'),'-',parameters('departmentNameOrAcronym'),'-',parameters('functionOrUseCase'),'-',parameters('prodNonProd'),'-',parameters('increment'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[variables('resourceGroupName')]",
      "location": "[parameters('resourceGroupLocation')]",
      "tags": {
        "RSM": "[parameters('technicalcontact')]",
        "BusinessUnit": "[parameters('businessUnit')]",
        "costCenter": "[parameters('CostCenter')]"
      },
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"
      }
    }
  ]
}

submitted by /u/MohnJaddenPowers
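The validation message is literal: in an ARM parameter declaration, minValue and maxValue must be JSON integers, and the template above declares them as the strings "01" and "99". A small lint pass before New-AzSubscriptionDeployment catches this class of mismatch (minValue/maxValue not integers, defaultValue or allowedValues that disagree with the declared type) without a round trip to the deployment service. This Python is an added example, not code from the post; the template text embedded below is a trimmed copy of the post's parameters section, constructed as inline input.

```python
import json
from typing import List

# Trimmed copy of the parameters section from the post (constructed inline input).
TEMPLATE_TEXT = r'''{
  "parameters": {
    "prodNonProd": { "type": "string", "allowedValues": ["P", "NP"] },
    "increment": { "type": "int", "minValue": "01", "maxValue": "99", "defaultValue": 1 },
    "roleDefinitionId": { "type": "string", "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c" }
  }
}'''


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; ARM treats true/false as bool, not int.
    return isinstance(value, int) and not isinstance(value, bool)


def _is_expression(value) -> bool:
    # "[...]" values are template expressions and cannot be type-checked statically.
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


TYPE_CHECKS = {
    "int": _is_int,
    "string": lambda v: isinstance(v, str),
    "securestring": lambda v: isinstance(v, str),
    "bool": lambda v: isinstance(v, bool),
    "array": lambda v: isinstance(v, list),
    "object": lambda v: isinstance(v, dict),
    "secureobject": lambda v: isinstance(v, dict),
}


def lint_parameters(template: dict) -> List[str]:
    """Report parameter declarations whose literal fields disagree with `type`."""
    findings: List[str] = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        check = TYPE_CHECKS.get(ptype)
        if check is None:
            findings.append(f"{name}: unknown parameter type {spec.get('type')!r}")
            continue
        for key in ("minValue", "maxValue"):
            if key not in spec:
                continue
            if ptype != "int":
                findings.append(f"{name}: {key} is only valid on int parameters")
            elif not _is_int(spec[key]):
                findings.append(
                    f"{name}: {key} must be an integer, got {spec[key]!r} "
                    f"({type(spec[key]).__name__})"
                )
        default = spec.get("defaultValue")
        if "defaultValue" in spec and not _is_expression(default) and not check(default):
            findings.append(f"{name}: defaultValue {default!r} is not {ptype}")
        for allowed in spec.get("allowedValues", []):
            if not check(allowed):
                findings.append(f"{name}: allowedValue {allowed!r} is not {ptype}")
    return findings


def lint_template_text(text: str) -> List[str]:
    """Parse a template (or parameters fragment) and lint it."""
    return lint_parameters(json.loads(text))


if __name__ == "__main__":
    for finding in lint_template_text(TEMPLATE_TEXT):
        print(finding)
```

Run against the post's template it reports exactly the two offending fields on increment; change them to 1 and 99 (integers, no quotes) and the report is empty.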

Is there a job like an Azure sysadmin/troubleshooter?

I started Azure as a hybrid sysadmin/ops engineer in my last job and am presently an Azure engineer for a big financial company. I’ve noticed in the current role that I really like doing the troubleshooting, futzing, poking around parts of Azure more than sitting around and writing scripts or templates. I can understand other people’s scripts/templates without issues, but I just can’t get into writing code.

I was wondering if there was such a role as an Azure sysadmin – maybe there’s deployments involved, but trying to figure out what happened with X or Y in Azure rather than writing code all day. Does anyone do this? Have you done such a transition from engineering to sysadmin/troubleshooter?

submitted by /u/MohnJaddenPowers

Azure AD Smart Lockout: have you ever set the threshold below AD lockout threshold? Any issues thereafter?

Our infosec department has put forth a new requirement: Azure AD Smart Lockout needs to trigger after fewer lockout attempts than regular AD. The way we have it in regular AD, three bad logins locks your account. Infosec says that if someone is trying to log in with Azure AD, two bad Azure AD logins should lock the account for purposes of AD.

We have conditional access policies in place, so any login from outside the company IP space won’t even let you through – the login attempt just hangs.

I’m a bit concerned that this new policy might cause issues – if someone changes their PW and it doesn’t sync to an AD DC that Azure AD then calls for the login, it might lock them out.

Has anyone had to contend with this? Am I being paranoid or is infosec overreaching?

submitted by /u/MohnJaddenPowers

Can we list all resource provider actions used by an Azure Powershell cmdlet?

I need to add permissions to a custom role in order to allow that role to run Start-AzStorageBlobCopy. I’m going through the resource provider operations for Microsoft.storage, but I can’t quite find the action to perform the copy.

Is there a way to list all the resource provider actions that an Azure Powershell cmdlet will use? That way I can get the actions I need to add them to the role.

submitted by /u/MohnJaddenPowers

Is there a way to identify disk snapshots created by a role?

Let’s say we have a role called VM Snapshot Creator. Users with that role assignment create VM snapshots in all of our subscriptions. We want to identify any snapshots that anyone with this role created that are present in a management group and its constituent subscriptions.

Is there some way to do this via Powershell? We eventually want to set up a script that deletes snapshots older than X days, but we have other snapshots that should stay intact and as such we can’t just delete all snapshots regardless of who created them.

submitted by /u/MohnJaddenPowers
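Azure does not stamp a snapshot with the role its creator held, so the join has to be done from what is recorded: role assignments tell you which principals hold "VM Snapshot Creator", the Activity Log records each Microsoft.Compute/snapshots/write with the caller's object id, and the snapshot inventory carries the creation time. The Python below is an added example (not code from the post) that does that join over constructed sample records; the record shapes are flattened stand-ins for what Get-AzRoleAssignment, the AzureActivity table and Get-AzSnapshot return, and the object ids and resource ids are made up. Two caveats worth keeping in mind: the Activity Log retains 90 days, so stream it to Log Analytics if the retention window for X days is longer; and a role assignment reflects who holds the role now, not at creation time, so a creator tag applied at creation is the more durable design.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set

OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
SNAPSHOT_WRITE = "Microsoft.Compute/snapshots/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SNAP = f"{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/snapshots"

# Constructed sample data (flattened shapes, made-up ids).
ROLE_ASSIGNMENTS = [
    {"principalId": "oid-alice", "roleDefinitionName": "VM Snapshot Creator",
     "scope": "/providers/Microsoft.Management/managementGroups/Global"},
    {"principalId": "oid-bob", "roleDefinitionName": "Contributor", "scope": SUB},
]
ACTIVITY_EVENTS = [
    {"operationName": SNAPSHOT_WRITE, "status": "Succeeded",
     "claims": {OID_CLAIM: "oid-alice"}, "resourceId": f"{SNAP}/vm1-snap-jan"},
    {"operationName": SNAPSHOT_WRITE, "status": "Succeeded",
     "claims": {OID_CLAIM: "oid-alice"}, "resourceId": f"{SNAP}/vm1-snap-mar"},
    {"operationName": SNAPSHOT_WRITE, "status": "Succeeded",
     "claims": {OID_CLAIM: "oid-bob"}, "resourceId": f"{SNAP}/vm2-keep"},
    # A failed write never produced a snapshot and must not be counted.
    {"operationName": SNAPSHOT_WRITE, "status": "Failed",
     "claims": {OID_CLAIM: "oid-alice"}, "resourceId": f"{SNAP}/vm3-never-created"},
]
SNAPSHOTS = [
    {"id": f"{SNAP}/vm1-snap-jan", "timeCreated": datetime(2021, 1, 3, tzinfo=timezone.utc)},
    {"id": f"{SNAP}/vm1-snap-mar", "timeCreated": datetime(2021, 3, 10, tzinfo=timezone.utc)},
    {"id": f"{SNAP}/vm2-keep", "timeCreated": datetime(2021, 1, 10, tzinfo=timezone.utc)},
]


def principals_with_role(assignments: Iterable[dict], role_name: str) -> Set[str]:
    """Object ids of every principal assigned the named role (any scope)."""
    return {a["principalId"] for a in assignments if a["roleDefinitionName"] == role_name}


def snapshots_created_by(events: Iterable[dict], principals: Set[str]) -> Set[str]:
    """Resource ids (lower-cased) of succeeded snapshot writes by those principals."""
    return {
        e["resourceId"].lower()
        for e in events
        if e["operationName"] == SNAPSHOT_WRITE
        and e.get("status") == "Succeeded"
        and e.get("claims", {}).get(OID_CLAIM) in principals
    }


def expired_role_snapshots(snapshots: Iterable[dict], created_by_role: Set[str],
                           max_age_days: int, now: datetime) -> List[str]:
    """Snapshots the role created that are older than max_age_days; others are left alone."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(
        s["id"] for s in snapshots
        if s["id"].lower() in created_by_role and s["timeCreated"] < cutoff
    )


if __name__ == "__main__":
    role_principals = principals_with_role(ROLE_ASSIGNMENTS, "VM Snapshot Creator")
    created = snapshots_created_by(ACTIVITY_EVENTS, role_principals)
    now = datetime(2021, 3, 15, tzinfo=timezone.utc)
    for snapshot_id in expired_role_snapshots(SNAPSHOTS, created, 30, now):
        print("candidate for deletion:", snapshot_id)
```

Resource ids are compared case-insensitively because the Activity Log and the inventory do not always agree on casing, and the deletion list is only ever the intersection of "created by the role" and "older than the cutoff", so snapshots from anyone else are never touched.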

Do any built-in roles contain snapshot permissions?

I’m looking at a solution to allow some users in another team access to create snapshots of VMs and disks in Azure. Company policy is to not use custom roles. However, I can’t seem to find a built-in role that allows the microsoft.compute/snapshots resource provider in the list of built-in roles.

Anyone aware of a built-in role that would grant that permission or is a custom role the only option?

submitted by /u/MohnJaddenPowers

How do you show lists of all noncompliant resources in a subscription?

I’m coming up against a situation I never really resolved from some time ago – getting a report of Azure Policy compliance. Our infosec team wants to see a list of all noncompliant resources, the policy assignment they’re out of compliance with, their location, etc.

I put together a Powershell script, but after letting it run to completion it’s missing data – noncompliant resources are showing up in the portal, but not on the report.

I can’t be the only person who’s done this – does anyone have any experience with trying to get policy compliance reports in Azure? What did you do to accomplish it?

submitted by /u/MohnJaddenPowers
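A report that is missing resources the portal shows is the classic symptom of reading only the first page of results: the Policy Insights policyStates responses are capped per page and carry an @odata.nextLink while more remain, so a script that does not follow the continuation link stops silently. The Python below is an added example, not code from the post, that contrasts the incomplete pattern with one that pages to the end and then builds the columns infosec asked for; the two "pages" are constructed inline to imitate the response shape, and the subscription and resource names are made up.

```python
from typing import Callable, Dict, List

# Constructed pages imitating a Policy Insights policyStates/latest response:
# a "value" array plus "@odata.nextLink" while more results remain.
FIRST_URL = "https://example.invalid/policyStates/latest?page=1"
SECOND_URL = "https://example.invalid/policyStates/latest?page=2"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PAGES: Dict[str, dict] = {
    FIRST_URL: {
        "value": [
            {"resourceId": f"{SUB}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1",
             "policyAssignmentName": "require-https", "resourceLocation": "eastus",
             "complianceState": "NonCompliant"},
            {"resourceId": f"{SUB}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st2",
             "policyAssignmentName": "require-https", "resourceLocation": "eastus",
             "complianceState": "Compliant"},
        ],
        "@odata.nextLink": SECOND_URL,
    },
    SECOND_URL: {
        "value": [
            {"resourceId": f"{SUB}/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg1",
             "policyAssignmentName": "nsg-flow-logs", "resourceLocation": "westus",
             "complianceState": "NonCompliant"},
        ],
    },
}


def fetch_page(url: str) -> dict:
    """Stand-in for an authenticated GET; swap in requests plus a bearer token."""
    return PAGES[url]


def collect_policy_states(fetch: Callable[[str], dict], url: str) -> List[dict]:
    """Follow @odata.nextLink until the service stops returning one."""
    states: List[dict] = []
    seen = set()
    while url:
        if url in seen:  # defensive: a looping continuation link would never end
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch(url)
        states.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return states


def first_page_only(fetch: Callable[[str], dict], url: str) -> List[dict]:
    """The incomplete pattern: one request, continuation link ignored."""
    return list(fetch(url).get("value", []))


def noncompliance_report(states: List[dict]) -> List[dict]:
    """Rows an auditor asks for: resource, assignment, location."""
    rows = [
        {
            "resourceId": s["resourceId"],
            "assignment": s.get("policyAssignmentName", ""),
            "location": s.get("resourceLocation", ""),
        }
        for s in states
        if s.get("complianceState") == "NonCompliant"
    ]
    rows.sort(key=lambda r: (r["assignment"], r["resourceId"]))
    return rows


if __name__ == "__main__":
    full = noncompliance_report(collect_policy_states(fetch_page, FIRST_URL))
    partial = noncompliance_report(first_page_only(fetch_page, FIRST_URL))
    print(f"all pages: {len(full)} noncompliant, first page only: {len(partial)}")
    for row in full:
        print(row)
```

The same check applies to a PowerShell script: if it issues one query and never asks for the next batch, compare its row count against the portal's count for one assignment and the gap shows up immediately.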

What permissions/IP ranges and ports/etc. are required to get Cost Mgmt exports to a Storage Account that can’t be fully open?

I’m essentially running into the same issue at https://www.reddit.com/r/AZURE/comments/k9pbk7/how_to_export_billing_data_with_the_selected/ – we need to create an export of Cost Management data. Company policy requires us to use only selected networks with storage accounts. Even after selecting all vnets/subnets and firewall IP ranges that we can use, I still get an error trying to create the export that the exports service is not authorized to access the specified storage account. We do have the option to allow trusted Azure services to bypass the firewall checked off.

Is there no way to get this functioning without allowing all network access from the Storage Account?

submitted by /u/MohnJaddenPowers

Compliance percentage pie chart for a specific set of assignments?

I’m looking at the Compliance dashboard. It has a pie chart that shows overall resource compliance for any and all policies. If I search for a policy term, it shows the results, but the pie chart still shows overall resource compliance for everything.

Is there a way to just get a graphic overview of percentage so we can screenshot it for auditors/senior staff? It’d be nice to search for NSG Flow Log policies and say “that’s 80% compliant,” then search for Storage Account HTTPS and say “that’s 100% compliant” without having to click through several assignments.

I know we could put them together as an initiative, but for now we need to keep them separate.

submitted by /u/MohnJaddenPowers

Is there a way to get a visual hierarchy of Management Groups and their Subscriptions?

We’re doing some reports in prep for a future audit. One of them involves showing that a policy applies to all subscriptions. We’ve deployed the policy at a Management Group level, so it applies to the subscriptions, but we’d like to have this displayed visually since we have MGs within MGs, which in turn have their subscriptions.

Other than manually putting an image together, is there a way to get a visual view that shows MG hierarchy and subscriptions in that hierarchy?

submitted by /u/MohnJaddenPowers
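Both this post and the earlier one about auditing whether a subscription sits under the Global management group come down to the same data: the parent chain of every management group and subscription. With that list in hand you can render the tree for the audit pack and, in the same pass, list any subscription whose ancestry never passes through Global. The Python below is an added example, not code from the posts; the entity list is constructed to imitate the shape of a management-group entities listing (name, displayName, type, parent), and in practice it would be filled from Get-AzManagementGroup -Expand -Recurse or the management groups REST API. All group and subscription names are made up.

```python
from typing import Dict, List, Optional

MG_TYPE = "Microsoft.Management/managementGroups"
SUB_TYPE = "/subscriptions"

# Constructed hierarchy (made-up names) in the shape of an entities listing.
ENTITIES = [
    {"name": "tenant-root", "displayName": "Tenant Root Group", "type": MG_TYPE, "parent": None},
    {"name": "Global", "displayName": "Global", "type": MG_TYPE, "parent": "tenant-root"},
    {"name": "US", "displayName": "US", "type": MG_TYPE, "parent": "Global"},
    {"name": "NonUS", "displayName": "Non-US", "type": MG_TYPE, "parent": "Global"},
    {"name": "US-Prod", "displayName": "US Prod", "type": MG_TYPE, "parent": "US"},
    {"name": "US-Dev", "displayName": "US Dev", "type": MG_TYPE, "parent": "US"},
    {"name": "sub-prod-1", "displayName": "Payments Prod", "type": SUB_TYPE, "parent": "US-Prod"},
    {"name": "sub-dev-1", "displayName": "Payments Dev", "type": SUB_TYPE, "parent": "US-Dev"},
    {"name": "sub-eu-1", "displayName": "EU Reporting", "type": SUB_TYPE, "parent": "NonUS"},
    # Parked directly under the tenant root: outside the Global tree.
    {"name": "sub-sandbox", "displayName": "Sandbox", "type": SUB_TYPE, "parent": "tenant-root"},
]


def index_by_name(entities: List[dict]) -> Dict[str, dict]:
    return {e["name"]: e for e in entities}


def ancestors(index: Dict[str, dict], name: str) -> List[str]:
    """Parent chain from the entity up to the root (nearest parent first)."""
    chain: List[str] = []
    parent = index[name]["parent"]
    while parent is not None:
        if parent in chain:
            raise ValueError(f"cycle at {parent}")
        chain.append(parent)
        parent = index[parent]["parent"]
    return chain


def subscriptions_outside(entities: List[dict], required_mg: str = "Global") -> List[str]:
    """Subscriptions whose ancestry does not pass through required_mg."""
    index = index_by_name(entities)
    return sorted(
        e["name"] for e in entities
        if e["type"] == SUB_TYPE and required_mg not in ancestors(index, e["name"])
    )


def render_tree(entities: List[dict]) -> List[str]:
    """Indented text tree; groups listed before subscriptions at each level."""
    children: Dict[Optional[str], List[dict]] = {}
    for e in entities:
        children.setdefault(e["parent"], []).append(e)
    lines: List[str] = []

    def walk(parent: Optional[str], depth: int) -> None:
        ordered = sorted(children.get(parent, []), key=lambda x: (x["type"] != MG_TYPE, x["name"]))
        for e in ordered:
            kind = "MG" if e["type"] == MG_TYPE else "SUB"
            lines.append("  " * depth + f"{e['displayName']} [{kind} {e['name']}]")
            walk(e["name"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(ENTITIES)))
    print("subscriptions not under Global:", subscriptions_outside(ENTITIES))
```

Because a policy assigned at Global reaches exactly the subscriptions that appear beneath it in this tree, the rendered output doubles as the evidence that the assignment covers every subscription, and the "outside" list is the exception report for the placement requirement.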

If you have an Azure certification, would you get one for AWS if your company was multi-cloud leaning AWS?

I work for a very big financial services company. I started in 2019 as an Azure engineer. Our Azure footprint is maybe 10% of our cloud presence, the remainder AWS. Since I started, it seems like we haven’t gotten much new from the business to put into Azure. I’ve found out that the VP in charge of cloud stuff is of the opinion that we shouldn’t have anything in Azure when it could be done in AWS.

I was thinking that I should maybe get the AWS sysops cert to bolster my marketability within the company. Despite all its faults, it’s a good place to have a nice long career with very good pay and decent 401k/financial benefits. I don’t think Azure is going to get shuttered – that 10% is a very critical and visible 10% – but I’d also like to make sure that if they end up looking at any excess Azure people, I at least don’t get first on the chopping block.

I got the AWS Cloud Practitioner cert back in 2018, so I’m not foreign to AWS. I have the Azure Administrator Associate cert from then as well.

On the other hand, I’m way more familiar with Azure and getting slowly better at ARM. Should I focus further on Azure, automation thereof, etc., or should I diversify? I’m told that Azure is growing its share as a cloud platform but I don’t want to jump jobs – I’ve had a lot of 1-year stints that weren’t temp placements. If not for the benefits and the salary, I’d like to stick around here for the bankers’ hours and no on-call.

submitted by /u/MohnJaddenPowers

Metrics question: anyone find a way to get the current quantity of space consumed on a file share, rather than average?

I’ve got a user who wants to set up a metric alert for disk quantity consumed on a file share in a few storage accounts. The File Capacity metric only shows the option to aggregate as an average, not the immediate total. Has anyone encountered this sort of need and found a way to get the total capacity consumed, preferably with 1 minute or shorter granularity? It’s for an HPC application using Batch, so they want to be able to have a quick reaction for scaling.

submitted by /u/MohnJaddenPowers