Running A Stand At A Local Secondary School Careers Fair

So a few weeks ago now, actually nearly a month ago to be honest, I attended a local secondary schools careers fair and ran a stall.

The Weald School is a secondary school in Billingshurst, West Sussex in the UK. The school is attended by around 2000+ students.

The event was attended by hundreds if not thousands of students from the school and there were around 50 exhibitors that ranged from universities, local businesses, independent individuals and enterprise businesses.

So How Did I Get Involved…?

I volunteer for a fantastic charity in the UK called, Founders 4 Schools (F4S), who specialise in putting students and young adults in touch with local businesses and industry experts. They do this to try to assist with helping these young adults bridge the gap from the end of their compulsory education into the next step in their careers.

Through this charity, schools and other local education services can post their events and request the attendance of a list of applicable attendees based upon the industries and skills they require.

This time I was lucky enough to be asked to attend, to which I gladly accepted. Once I had accepted the schools careers officer got in touch and we ironed out the finer details.

Why Did I Choose To Get Involved…?

Those of you how know me well, will know that I havenʼt been to university and am also heavily dyslexic. So whilst I can do exams and coursework etc…, writing certainly isnʼt my strength as it looks like a spider with ink on their legs has attacked my paper.

But with this hindrance and never having gone to university I have still got my dream job and do what I love on a daily basis.

Therefore I feel itʼs my responsibility to help other young adults who are in the same position as I was, at the end of their compulsory education years in the UK (GCSEs or A-Levels).

How Did The Event Go…?

Really, really well! There were so many young adults in attendance, a lot with their parents or guardians, who were really willing to open up about what their future aspirations are and their career plans.

It was also great to meet other people who volunteer their time like I do to inspire and help guide these young adults.

I had several really interesting discussions with some local businesses, university staff and other enterprises.

Key Takeaways From The Young Adults I Spoke With

  • Thereʼs still a big misconception around all the roles that are available in the
    IT industry

    • HR, Marketing, Sales etc…
    • Itʼs not an industry just full of technical people (aka geeks and nerds)
  • Some really donʼt know what they want to do as a career still which shocks me a little
    • How do you think we can help with this?
  • A lot still feel like university is the only way to go for them if they donʼt know what to do
    • I really wonder why as I feel you should study something you love if anything otherwise you wonʼt be fully committed
    • Also the amount of debt that you can rack up for something you potentially will never use again in your career seems silly to me

Speaking & Being Interviewed At Microsoft Future Decoded 2019

On Tuesday and Wednesday this week (2nd & 3rd of October) I attended Microsoft Future Decoded at the ExCel in London, UK.

For those of you who haven’t heard of Future Decoded or haven’t attended one before, I’ll give you a brief overview of the event below:

Microsoft Future Decoded is a 2 day event that is hosted in the ExCel in London, UK. The event is focused around enlightening business and technical decision makers about what the future looks like for themselves, their businesses and potential customers they work with or for. The event is not as technically focused like other events Microsoft host like Ignite/Ignite The Tour. This years focus areas where around AI, ML and Tech For Good.

Generally the event is a great chance to network with others in the industry, vendors and partners; let alone attending sessions and absorbing all of the latest a greatest announcements!

Why Was I There…?

This year I was attending both as an attendee, to see some of the keynotes and the breakout sessions, and also to assist with “stand duty” (as it’s often referred too) for the company I work for; CDW UK

I also had the privilege of presenting a talk this year in one of the expo breakout theatres for fellow attendees.

My Talk

As mentioned above, I was also presenting a talk this year at the event. I was actually asked by my company if I’d like to talk a few weeks ago at this event and I jumped at the chance.

This year Microsoft wanted the talks to be focused around the key points of this years event, AI, ML & Tech For Good. However these areas are not something I felt I could create a talk on in the time I had, so I took a different approach.

My talk title this years was “IaaS & PaaS – The Perfect Partnership”.

My approach for the talk was to explain why Azure is still the best place to run those IaaS & PaaS workloads, due to all of the AI & ML that Microsoft invest in and use to deliver the various services under these areas. I covered things like:

  • Project Tardigrade
  • Live Migration in Azure Compute
  • Azure SQL Offerings
  • Much more…

I was set to talk on the second day of the event, Wednesday, at 15:15 until 15:40 in one of the expo theatres. As it was near the end of the second day, I wasn’t expecting a lot of attendees. But to my pleasant surprise, there was only standing room available as one of my colleagues and friends, Anthony, tweeted about:

The 25 minutes flew by and all of the notes I spent hours refining and putting with my PowerPoint, I never even read! Amazing how the brain engages when you are in the moment!

I thoroughly enjoyed seeing so many people wanting to hear what I had to say about Azure. Also it was great to see so many people getting involved and coming to ask questions after the talk; this is something I highly recommend to all talk attendees, us presenters honestly don’t mind and generally are really happy to help answer/clarify any questions you may have. So next time you attend a talk, go say hi or ask a question to the presenter/s, networking is key in this industry!

Below are some more photos of me presenting:

My presentation can be download here, if you are interested.

Channel Partner Insight Interview

Near the end of Day 1, Nima Green, a reporter for Channel Partner Insight asked if id be happy to be interviewed and provide my insight into the event so far and also the Microsoft Partner world based on recent announcements etc…

I will just provide the link to the video below instead of detailing the interview. So click here to see what I had to say.


WVD Management Tool – Cross Tenant Access Fix

With the announcement of WVD (Windows Virtual Desktop) moving into GA today I thought I’d spin my lab back up again and try and get the WVD Management Web App Tool working.

My last attempt a few weekends ago was unsuccessful and I didn’t have any time to carry on troubleshooting so I deleted the Resource Group and forgot about it the long To-Do list for another day.

So this evening as the working day was nearing it’s end, I headed back into the Azure portal and attempted to deploy the WVD Management Tool.

My WVD Setup – Azure AD, Subscriptions & Resources

Issue #1 – Azure Automation Job Failing

This was a pretty simple one in the end. The Azure AD user’s password I was giving in the ARM template parameters had expired.

This user needs to be an Azure AD Global Administrator and have the RBAC permissions on the Subscription you want to deploy the WVD Management Tool too.

Issue #2 – My Subscription & Azure AD Tenant Aren’t Linked

Now most people will have a single Azure AD Tenant and all their users synced to this and also all of their Azure Subscriptions linked to the same tenant.

However I do not, for a number of reasons, mainly for giving me the opportunity to test a lot of the more complicated deployments.

See the above diagram in this post for my setup explained; hopefully!

So when the WVD Management Web App Tool deploys I have to put it in my subscriptions linked to the ‘’ Azure AD Tenant.

However all of my WVD authentication is sourced from my ‘’ Azure AD Tenant as I use Azure AD Connect to sync my users & groups from the ‘LAB-DC-01’ Active Directory Domain Controller.

Once I figured out Issue #1 and the WVD Management Tool was successfully deployed I tried to login to it with my WVD Tenant Admin User (in the ‘’ tenant) and got the below error:

As you can, sort of, see it is saying that the Application with the ID of XXXXXXXX cannot be found in the directory ‘’ (you’ll have to trust me on this one).

Now this isn’t really an issue caused by an error in the ARM template provided by Microsoft, its actually done exactly as I’ve told it too. The issue is my setup!

However this setup is likely to be fairly common, especially in a partner world or a provider doing a DaaS (Desktop-as-a-Service) offering.

The Fix

Luckily this is quite an easy one.

  1. Login to the Azure Active Directory Management Portal as a user with the Global Administrator role into the Azure AD Tenant where your Subscriptions and therefore WVD Management Tool is deployed –
  2. Select the ‘Azure Active Directory’ blade > then ‘App Registrations’ > then search for the Application ID referenced in the error or search for ‘wvd’.
  3. Select the App Registration > then select ‘Authentication’ > then scroll to the bottom of the show blade on the right until you get to the ‘Supported account types’ section. Change the radio button select to the option called: ‘Accounts in any organizational directory (Any Azure AD directory – Multitenant)’
  4. Click Save

And that is all you need to do to fix the login. This now allows other Azure AD tenants to sign into the WVD Management Tool that you created. Which is exactly what I need for my setup!

Hope this helps some of you out there!


Partner Admin Link (PAL) PowerShell Script

** Update 21/09/2019 –  PowerShell Script V2 Released **

Just a quick post today to share a new tool I have created for all Microsoft Partners out there who are helping customers design, build, manage and operate Azure.

Partner Admin Link (PAL) Overview

Partner Admin Link (PAL) is a method for partners to associate themselves to customers Azure environments, to enable them to associate themselves to that customer Azure Consumed Revenue (ACR – not Azure Container Registry this time).

A blurb from Microsoft on PAL is below:

What is Partner Admin Link?
Partner Admin Link (PAL) is designed for managed service providers (MSPs). Assuming the MSP has access to resources in the customer subscription then they can link their those accounts to their MPN ID. From that point onwards the telemetry for those resources (and only those resources) will be linked to the partner. “

Methods To Setup Partner Admin Link (PAL)

There are 3 ways to configure PAL on a customers Azure environments.

  • Via The Azure Portal
  • PowerShell
  • AZ CLI

All of which are documented nicely over in the Microsoft Docs.

My Handy PowerShell Script

I created this script for use at the company I work for, as we need to ensure this is done every time for every user when logging into a new customers Azure environment for the first time.

However, I couldn’t not share it with the community as this will likely help a lot of you out there. Also it was really nice to get some more hands on time with VS Code, Windows Terminal and PowerShell again; it’s been a couple of weeks due to mainly being in meetings etc… and no hands-on time.

Anyway, the script is available via my GitHub account in my ‘PublicScripts‘ repository.

The get access directly to the script in the repository on my GitHub account, click here.

As always please create issues or submit pull requests for any issues with the script  or anything you’d like changed. I will review them as they come in.

Finally, there are no guarantees for the functionality of this script. I have tested it several times in different Azure environments and it has worked perfectly. But please use at your own risk.

Things To Look Out For With Partner Admin Link (PAL)

Here are some quick tips, tricks and pointers about PAL that I have discovered and learnt. (I will update the Microsoft Docs pages as well if these aren’t posted over there too)

  1. You don’t need to do this on CSP Azure Environments as the ACR is already tracked automatically for you.
  2. PAL is linked on a per user, per tenant basis.
    1. With this in mind it is advised to make sure all of your employees with access to customer subscriptions should setup and configure PAL on each customer they have access to.
  3. You can have any RBAC role assigned to setup and configure PAL on a user account in a customers Azure Environment, even as low as ‘Reader’.
    1. This is because even having ‘Reader’ rights shows the customer has placed trust in you as a partner to assist them.

Azure Resource Locks – The What & Why

Today I want to give you all an overview of Azure Resource Locks. Firstly about what they are and can do, then secondly how you can use them and some best practices around them. And finally a few things to watch out for so you don’t get caught out when using them; believe me it’s easily done!

What are Azure Resource Locks?

Resource Locking within Azure provides a method to lock subscriptions, resource groups or individual resources to protect them from accidental deletion and changes; even for administrators (depending on their RBAC role).

Resource Locks come in 2 levels; CanNotDelete (displayed as ‘Delete’ in the portal) or ReadOnly (displayed as ‘Read-only’ in the portal).

As the names suggest, CanNotDelete means the resources with the lock applied can be read and modified, but they cannot be deleted. The ReadOnly lock means that the resources with the lock applied can only be read but not modified or deleted.

Both types of lock can actually cause some resources to stop functioning as you’d expect so be aware. More on this later!

Resource locks can also only be created by users assigned the ‘Owner’ or ‘User Access Administrator’ RBAC roles. More specifically any users with roles that grant the following RBAC permissions: ‘Microsoft.Authorization/*’ or ‘Microsoft.Authorization/locks/*’. So you don’t need to worry about anyone with write permissions on Resource Groups or VMs etc… creating locks on everything and potentially breaking other services without knowing about it etc…

How should I use Azure Resource Locks?

Now you may think that once deployed putting ReadOnly locks on everything is probably the best thing to go and do. And in some select scenarios I may even agree with you, however this is not best practice; so only do this if you absolutely have too!

Resource Locks can be applied at the following Azure governance scoping levels:

  • Subscription
  • Resource Group
  • Resource

In my opinion, applying locks at the Subscription level is way to high in the governance hierarchy structure and makes using Azure clunky; as everything you deploy within that subscription will inherit the lock from the subscription level.

Taking it to the other end of the governance hierarchy at placing locks at the Resource level can again be very tedious and difficult to manage and keep on top of. However in some cases it can actually be very useful.

Think of a scenario where you have applied a CanNotDelete lock at the resource group level but on the VPN gateway you have deployed within the resource group you want to restrict anyone from changing anything about its configuration. Applying a ReadOnly lock on the VPN gateway resource as well will mean that the rest of the resource group’s resources can be modified as they need to be but the VPN gateway is completely locked and cannot be modified at all without the lock being removed first. Removing the lock itself requires specific permissions, as explained in the above section, so this become a very handy way of locking things down further.

It should also be stated that if 2 locks, 1 in CanNotDelete mode & 1 in ReadOnly mode, the most restrictive lock (ReadOnly) takes precedence.

So the only scope we haven’t mentioned yet is the Resource Group level. This is where I suggest the majority of your locks are applied. However this does rely on you having split resources in some fashion between multiple resource groups. Whether that’s by application, business unit or service; as long as they are split and not all in a single resource group this approach will work nicely!

Applying locks at the Resource Group level is also the advised best practice from Microsoft under the Enterprise Scaffold framework (no part of the Cloud Adoption Framework). And as explained in the above scenario its give you the best flexibility for control without the locks becoming a restricting factor in using Azure on a daily basis.

When governance controls become a blocker for using and consuming Azure you’ll find people will try as many ways as possible to avoid following the controls you have put in place. So my advice is to use them as guard rails and not super secure enforcement rules to stop this from happening.

How do I create and apply Azure Resource Locks?

This is actually quite easy and I find doing it via the Azure Portal is the best way as you can check what resources will be impacted very easily & quickly due to the visual nature of the portal. However locks can be applied via PowerShell, AZ CLI, ARM Templates & Terraform etc…

In the below example I will place a ReadOnly lock on my test resource group which contains a single storage account.

  1. Log into the portal and select the Resource Group you wish to apply a lock to
  2. Select the ‘Locks’ blade from the navigation bar on the right
  3. Click ‘Add’
  4. Fill out the details as required and select the ‘Lock Type’ then click ‘OK’
  5. The lock will now be applied – Note the ‘Scope’ is shown in the lock overview blade as well as ‘Notes’. Make sure you use notes as it helps the next person when they come across your locks.
  6. That is it. You can follow the same instructions and a Subscription or Resource level and the steps are the same.

If we now lock at the Storage Account in this resource group we will see it has inherited the lock.

If I now try to amend the storage account you will see that even though I’m an owner on the Subscription the lock still applies to me and I must manually remove it in order to amend the storage account or delete it.

Things to watch out for with Azure Resource Locks

As mentioned at the beginning of this blog post, using resource locks can actually break some functionality with resources.

The ones I know of to date are as follows:

  1.  Listing Storage Account Access Keys This happens whether using the Portal, PowerShell, AZ CLI etc… as they all utilise the Azure Resource Manager (ARM).
  2. Azure Backup of VM’s Managed Disks(Thanks to Adin Ernie for the screenshot of this as I didn’t have one to hand at time of writing.)
    This occurs because the ‘RestorePointCollection’ object is treated as a separate Resource object by ARM. So you cannot place any locks on Resource Groups that contain these objects. The resource group name will look like this: AzureBackupRG_ukwest_1 However the region name will change depending on where you are deploying resources and backing up etc….


Hopefully this article has given you an in depth overview of Azure Resource Locks and how they can be and should be used.

Further reading can be found on the Microsoft Docs pages as always.

© 2019 Jack Tracey

Theme by Anders NorénUp ↑