Azure Managed Disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed Disks are designed for high availability and durability, and they provide a simple and scalable way to manage your storage.
If you don't know anything about Azue Managed Disks, grab a cup of coffee( it will take you a while), you can read the official documentation to learn more about them.
There are several reasons to restrict managed disks from being imported or exported:
Security: By restricting managed disks from being imported or exported, you can reduce the risk of unauthorized access to your data.
Compliance: By restricting managed disks from being imported or exported, you can help ensure that your organization complies with data protection regulations.
## Create a managed disk with public network access disabled
az disk create --resource-group myResourceGroup --name myDisk --size-gb 128 --location eastus --sku Standard_LRS --no-wait --public-network-access disabled
If you want to restrict managed disks from being imported or exported, you can use Azure Policy to enforce this restriction. Azure Policy is a service in Azure that you can use to create, assign, and manage policies that enforce rules and effects over your resources. By using Azure Policy, you can ensure that your resources comply with your organization's standards and service-level agreements.
To restrict managed disks from being imported or exported using Azure Policy, you can use or create a policy definition that specifies the conditions under which managed disks can be imported or exported. You can then assign this policy definition to a scope, such as a management group, subscription, or resource group, to enforce the restriction across your resources.
In this post, I showed you how to restrict managed disks from being imported or exported in Azure. By restricting managed disks from being imported or exported, you can reduce the risk of unauthorized access to your data and help ensure that your organization complies with data protection regulations.
Curiosly, restrict managed disks from being imported or exported, it's not a compliance check in the Microsoft cloud security benchmark but it's a good practice to follow.
In this post, I will show you how to use Microsoft Entra ID Privileged Identity Management (PIM) to manage and monitor access to privileged roles in your organization.
Microsoft Entra ID Privileged Identity Management (PIM) is a service that helps you manage, control, and monitor access within your organization. It provides just-in-time privileged access to Azure AD and Azure resources, along with access reviews and monitoring capabilities.
There are several reasons to use Microsoft Entra ID PIM:
Security: Microsoft Entra ID PIM helps you reduce the risk of unauthorized access to privileged roles.
Compliance: Microsoft Entra ID PIM helps you meet compliance requirements by providing access reviews and monitoring capabilities.
Efficiency: Microsoft Entra ID PIM provides just-in-time access to privileged roles, reducing the risk of unauthorized access.
Monitoring: Microsoft Entra ID PIM provides monitoring and alerts that help you detect and respond to suspicious activities.
Traceability: Microsoft Entra ID PIM provides an audit trail of all access requests and approvals, helping you track who has access to privileged roles.
Maybe you can't use Microsoft Entra ID PIM to log all changess that the users do in the system, but you can use Actor Change for that.
We can manage three types of "things" in Microsoft Entra ID PIM:
Microsoft Entra roles. Microsoft Entra roles are also referred to as directory roles. They include built-in and custom roles to manage Microsoft Entra ID and other Microsoft 365 online services.
PIM for Groups. To set up just-in-time access to the member and owner role of a Microsoft Entra security group. PIM for Groups provides an alternative way to set up PIM for Microsoft Entra roles and Azure roles. It also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Microsoft Entra ID Protection.
Azure roles. Azure's role-based access control roles that grant access to management groups, subscriptions, resource groups, and resources.
If you want to use groups, you need create eligible groups, for now the maximum number of eligible groups is 500.
In the Microsoft Entra ID portal, you can manage Microsoft Entra ID roles by selecting the "Roles" tab. Here you can see all the roles that are available to you, as well as the roles that you have activated.
You can made the following actions:
Assign: Create assignments for Microsoft Entra ID roles, update existing assignments to ensure that users have just-in-time access to privileged roles.
Activate: Activate your eligible assignments to get just-in-time access to privileged roles.
Approve: List, approve, or deny activation requests for Microsoft Entra ID roles.
Audit: View and export a history of all assignments and activations done in PIM so you can identify attacks and stay compliant.
Ok, let's see how to assign a role to a group.
In the "Roles" tab, click on the role that you want to assign.
In Role settings, edit the settings for the role, modify Activation, Assignment, and Notification settings and then click "Update. These are the default settings:
Activation
Setting
State
Activation maximum duration (hours)
8 hour(s)
On activation, require
None
Require justification on activation
Yes
Require ticket information on activation
No
Require approval to activate
No
Approvers
None
Assignment
Setting
State
Allow permanent eligible assignment
Yes
Expire eligible assignments after
-
Allow permanent active assignment
Yes
Expire active assignments after
-
Require Azure Multi-Factor Authentication on active assignment
No
Require justification on active assignment
Yes
Send notifications when members are assigned as eligible to this role:
Type
Default recipients
Additional recipients
Critical emails only
Role assignment alert
Admin
None
False
Notification to the assigned user (assignee)
Assignee
None
False
Request to approve a role assignment renewal/extension
Approver
None
False
Send notifications when members are assigned as active to this role:
Type
Default recipients
Additional recipients
Critical emails only
Role assignment alert
Admin
None
False
Notification to the assigned user (assignee)
Assignee
None
False
Request to approve a role assignment renewal/extension
Approver
None
False
Send notifications when eligible members activate this role:
Type
Default recipients
Additional recipients
Critical emails only
Role activation alert
Admin
None
False
Notification to activated user (requestor)
Requestor
None
False
Request to approve an activation
Approver
None
False
In the "Assignments" tab, click on "Add assignments". In Membership, select the scope type: Application, Device, Directory, Group, Service Principal or User (It's dependes of each role) and select the identity related that you want to assign the role to. We are going to select Directory and a eligible group, and then click "Next".
Info
App registrations are supported in PIM for Microsoft Entra ID roles but only in active assignments.
In the "Settings" tab, you can set the Assigment type: Eligible or I need to do something to activate and Active or I don't need to do nothing to activate my role. You can configure too if you want that the duration of the assignment is permanent or if you want to expire the assignment after a certain period of time. Once you're done, click "Assign".
You can set the activation settings, assignment settings, and notification settings for the assignment. Once you're done, click "Assign".
In the Microsoft Entra ID portal, you can manage PIM for Groups by selecting the "Groups" tab.
First you need to discover the groups that you want to manage. In the "Groups" tab, click on "Discover groups". In the "Discover groups" pane, you can search for groups by name. Once you've found the group you want to manage, click on "Add to PIM".
Info
You must be an owner of the group or have Microsoft Entra role that allows to discover and manage group in PIM.
Now, in the "Groups" tab, you can see all the groups that you have discovered.
In the "Groups" tab, click on the group that you want to manage. You can made the following actions under manage:
Assign: Create assignments for the member and owner role of the group, update existing assignments to ensure that users have just-in-time access to privileged roles.
Activate: Activate your eligible assignments to get just-in-time access to privileged roles.
Approve: List, approve, or deny activation requests for the member and owner role of the group.
Audit: View and export a history of all assignments and activations done in PIM so you can identify attacks and stay compliant.
Ok, let's see how to assign a role to a group.
In the "Groups" tab, click on the group that you want to assign a role to.
In Role settings, edit the settings for the role, modify Activation, Assignment, and Notification settings for members or users, these settings are the same that we saw in the Microsoft Entra ID roles section.
In the "Assignments" tab, click on "Add assignments". In Select role, select the scope type: Member or Owner and in Select members select the identity related that you want to assign the role to or groupm, if you select a group, you doesn't need a eligible group, and then click "Next".
In the "Settings" tab, you can set the Assigment type: Eligible or I need to do something to activate and Active or I don't need to do nothing to activate my role. You can configure too if you want that the duration of the assignment is permanent or if you want to expire the assignment after a certain period of time. Once you're done, click "Assign".
Info
App registrations are supported in PIM for Groups but only in active assignments. I think that this is very useful for IaC for example because you can assign a role to a service principal and you can activate the role when you need it.
In the Microsoft Entra ID portal, you can manage Azure roles by selecting the "Azure resources" tab. Here you can see all the Azure roles that are available to you by scope, as well as the roles that you have activated.
First you need to select the Azure resource that you want to manage: Management groups, Subscriptions, Resource groups or Resources and follow Manage Resource.
Once here, same as the other sections, you can made the following actions for this scope:
Assign: Create assignments for the member and owner role of the group, update existing assignments to ensure that users have just-in-time access to privileged roles.
Activate: Activate your eligible assignments to get just-in-time access to privileged roles.
Approve: List, approve, or deny activation requests for the member and owner role of the group.
Audit: View and export a history of all assignments and activations done in PIM so you can identify attacks and stay compliant.
Ok, let's see how to assign a role to a identity in a scope.
Info
We already have a scope selected
In the "Assignments" tab, click on "Add assignments". In Select role, select the role that you want to assign and in Select members select the identity related that you want to assign the role to or group, if you select a group, you doesn't need a eligible group, and then click "Next".
In the "Settings" tab, you can set the Assigment type: Eligible or I need to do something to activate and Active or I don't need to do nothing to activate my role. You can configure too if you want that the duration of the assignment is permanent or if you want to expire the assignment after a certain period of time. Once you're done, click "Assign".
Info
App registrations are supported in PIM for Azure roles but only in active assignments. I think that this is very useful for IaC for example because you can assign a role to a service principal and you can activate the role when you need it.
Don't forget review settings for the role, modify Activation, Assignment, and Notification settings for members or users, these settings are the same that we saw in the Microsoft Entra ID roles section.
Microsoft Entra ID Privileged Identity Management (PIM) is a powerful service that helps you manage and monitor access to privileged roles in your organization. By using Microsoft Entra ID PIM, you can reduce the risk of unauthorized access, meet compliance requirements, and improve the efficiency of your organization. I hope this post has helped you understand how to use Microsoft Entra ID PIM and how it can benefit your organization.
If you want to play with Microsoft Enter ID PIM, you can use a test on a new tenant or the current one if you haven't used it before.
The virtual network (VNet) data gateway helps you to connect from Microsoft Cloud services to your Azure data services within a VNet without the need of an on-premises data gateway. The VNet data gateway securely communicates with the data source, executes queries, and transmits results back to the service.
A VNet data gateway acts as a bridge that allows for the secure flow of data between the Power Platform and external data sources that reside within a virtual network. This includes services such as SQL databases, file storage solutions, and other cloud-based resources. The gateway ensures that data can be transferred securely and reliably, without exposing the network to potential threats or breaches.
graph LR
User([User]) -->|Semantic Models| SM[Semantic Models]
User -->|"Dataflows (Gen2)"| DF["Dataflows (Gen2)"]
User -->|Paginated Reports| PR[Paginated Reports]
SM --> PPVS[Power Platform VNET Service]
DF --> PPVS
PR --> PPVS
PPVS --> MCVG[Managed Container<br>for VNet Gateway]
MCVG -->|Interfaces with| SQLDB[(SQL Databases)]
MCVG -->|Interfaces with| FS[(File Storage)]
MCVG -->|Interfaces with| CS[(Cloud Services)]
MCVG -.->|Secured by| SEC{{Security Features}}
subgraph VNET_123
SQLDB
FS
CS
SEC
end
classDef filled fill:#f96,stroke:#333,stroke-width:2px;
classDef user fill:#bbf,stroke:#f66,stroke-width:2px,stroke-dasharray: 5, 5;
class User user
class SM,DF,PR,PPVS,MCVG,SQLDB,FS,CS,SEC filled
The process begins with a user leveraging Power Platform services like Semantic Models, Dataflows (Gen2), and Paginated Reports. These services are designed to handle various data-related tasks, from analysis to visualization. They connect to the Power Platform VNET Service, which is the heart of the operation, orchestrating the flow of data through the managed container for the VNet gateway.
This managed container is a secure environment specifically designed for the VNet gateway’s operations. It’s isolated from the public internet, ensuring that the data remains protected within the confines of the virtual network. Within this secure environment, the VNet gateway interfaces with the necessary external resources, such as SQL databases and cloud storage, all while maintaining strict security protocols symbolized by the padlock icon in our diagram.
If you need to connect to services on others VNets, you can use VNet peering to connect the VNets, and maybe access to on-premises resources using ExpressRoute or other VPN solutions.
By utilizing a VNet data gateway, organizations can enjoy several benefits:
Enhanced Security: The gateway provides a secure path for data, safeguarding sensitive information and complying with organizational security policies.
Network Isolation: The managed container and the virtual network setup ensure that the data does not traverse public internet spaces, reducing exposure to vulnerabilities.
Seamless Integration: The gateway facilitates smooth integration between Power Platform services and external data sources, enabling efficient data processing and analysis.
Before you can create a VNet data gateway, you need to register the Microsoft.PowerPlatform resource provider. This can be done using the Azure portal or the Azure CLI.
az provider register --namespace Microsoft.PowerPlatform
Create a VNet in your Azure subscription and a subnet where the VNet data gateway will be deployed. Next, you need to delegate subnet to service Microsoft.PowerPlatform/vnetaccesslinks.
Note
This subnet can't be shared with other services.
Five IP addresses are reserved in the subnet for basic functionality. You need to reserve additional IP addresses for the VNet data gateway, add more IPs for future gateways.
You need a role with the Microsoft.Network/virtualNetworks/subnets/join/action permission
This can be done using the Azure portal or the Azure CLI.
# Create a VNet and address prefix 10.0.0.0/24
az network vnet create --name MyVNet --resource-group MyResourceGroup --location eastus --address-prefixes 10.0.0.0/24
# Create a Netwrok Security Group
az network nsg create --name MyNsg --resource-group MyResourceGroup --location eastus
# Create a subnet with delegation to Microsoft.PowerPlatform/vnetaccesslinks and associate the NSG
az network vnet subnet create --name MySubnet --vnet-name MyVNet --resource-group MyResourceGroup --address-prefixes 10.0.0.1/27 --network-security-group MyNsg --delegations Microsoft.PowerPlatform/vnetaccesslinks
A Microsoft Power Platform User with with Microsoft.Network/virtualNetworks/subnets/join/action permission on the VNet is required. Network Contributor role is not necessary.
In the top navigation bar, select the settings gear icon on the right.
From the drop down, select the Manage connections and gateways page, in Resources and extensions.
Select Create a virtual network data gateway..
Select the license capacity, subscription, resource group, VNet and the Subnet. Only subnets that are delegated to Microsoft Power Platform are displayed in the drop-down list. VNET data gateways require a Power BI Premium capacity license (A4 SKU or higher or any P SKU) or Fabric license to be used (any SKU).
By default, we provide a unique name for this data gateway, but you could optionally update it.
Select Save. This VNet data gateway is now displayed in your Virtual network data gateways tab. A VNet data gateway is a managed gateway that could be used for controlling access to this resource for Power platform users.
The VNet data gateway is a powerful tool that enables secure data transfer between the Power Platform and external data sources residing within a virtual network. By leveraging this gateway, organizations can ensure that their data remains protected and compliant with security standards, all while facilitating seamless integration and analysis of data. If you are looking to enhance the security and reliability of your data connections, consider implementing a VNet data gateway in your environment.
In the cloud era, optimizing cloud spend has become a critical aspect of financial management. FinOps, a set of financial operations practices, empowers organizations to get the most out of their Azure investment. This blog post dives into the core principles of FinOps, explores the benefits it offers, and outlines practical strategies for implementing FinOps in your Azure environment.
Traditional IT expenditure followed a capital expenditure (capex) model, where businesses purchased hardware and software upfront. Cloud computing introduces a paradigm shift with the operational expenditure (opex) model. Here, businesses pay for resources as they consume them, leading to variable and unpredictable costs.
FinOps tackles this challenge by providing a framework for managing cloud finances. It encompasses three key pillars:
People: Establish a FinOps team or designate individuals responsible for overseeing cloud costs. This team should possess a blend of cloud technical expertise, financial acumen, and business process knowledge.
Process: Define processes for budgeting, forecasting, and monitoring cloud expenses. This involves setting spending limits, creating chargeback models for different departments, and regularly reviewing cost reports.
Tools: Leverage Azure Cost Management, a suite of tools that provides granular insights into your Azure spending. It enables cost allocation by resource, service, department, or any other relevant dimension.
It's essential to adopt a FinOps mindset that encourages collaboration between finance, IT, and business teams to drive cost efficiency and value realization in the cloud.
It's important to note that FinOps is not just about cost-cutting; it's about optimizing cloud spending to align with business objectives and maximize ROI.
Azure Cost Management empowers you to analyze your Azure spending patterns and identify cost-saving opportunities. Here's a glimpse into its key functionalities:
Cost Views: Generate comprehensive reports that categorize your Azure spending by various attributes like resource group, service, or department.
Cost Alerts: Set up proactive alerts to notify you when your spending exceeds predefined thresholds.
Reservations: Purchase reserved instances of frequently used Azure resources for significant upfront discounts.
Recommendations: Azure Cost Management analyzes your usage patterns and recommends potential cost-saving measures, such as rightsizing resources or leveraging spot instances.
Tags are metadata labels that you can attach to your Azure resources to categorize and track them effectively. They play a pivotal role in FinOps by enabling you to:
Associate costs with specific departments, projects, or applications.
Identify unused or underutilized resources for potential cost savings.
Simplify cost allocation and chargeback processes.
Azure Policy helps enforce tagging standards and governance rules across your Azure environment. You can define policies that mandate specific tags for all resources, ensuring consistent cost allocation and data accuracy.
Implementing FinOps doesn't necessitate a complex overhaul. Here's a recommended approach:
Establish a FinOps Team: Assemble a cross-functional team comprising representatives from finance, IT, and business departments.
Set Clear Goals and Objectives: Define your FinOps goals, whether it's reducing costs by a specific percentage or improving budget forecasting accuracy.
Leverage Azure Cost Management: Start by exploring Azure Cost Management to understand your current spending patterns.
Implement Basic Tagging Standards: Enforce basic tagging policies to categorize your Azure resources for cost allocation purposes.
Continuously Monitor and Refine: Regularly review your cloud cost reports and identify areas for further optimization.
By following these steps and embracing a FinOps culture, you can effectively manage your Azure expenses and derive maximum value from your cloud investment.
To streamline your FinOps practices in Azure, consider leveraging the following tools:
graph LR
A[Financial Operations Practices] --> B{Cloud Spend Optimization}
B --> C{Cost Visibility}
B --> D{Cost Optimization}
B --> E{Governance}
C --> F{Azure Cost Management}
D --> G{Azure Advisor}
E --> H{Azure Policy}
F --> I{Cost Views}
F --> J{Cost Alerts}
G --> K{Cost Recommendations}
H --> L{Tag Enforcement}
This toolchain combines Azure Cost Management, Azure Advisor, and Azure Policy to provide a comprehensive suite of capabilities for managing your Azure spending effectively.
Highly recommended, you can check FinOps toolkit, it's a set of tools and best practices to help you implement FinOps in your organization, it includes tools for cost allocation, budgeting, and forecasting, as well as best practices for FinOps implementation.
FinOps is an essential practice for organizations leveraging Azure. It empowers you to make informed decisions about your cloud finances, optimize spending, and achieve your business goals. As an Azure Solutions Architect, I recommend that you establish a FinOps practice within your organization to unlock the full potential of Azure and achieve financial efficiency in the cloud.
This blog post provides a foundational understanding of FinOps in Azure.
By embracing FinOps, you can transform your cloud cost management practices and drive business success in the cloud era.