Page 2 of 3

Tag All Resources Based On Resource Type In Resource Group

Recently I’ve been working closely with a few of our Azure Consultants in our delivery team around defining best practices and how we can speed up/automate as much of our deployment standards on a clients Azure environment.

At the moment we are focusing a lot on governance standards, these encompass features like:

  • Azure Policy
  • Resource Tags
  • Management Groups
  • etc…

Resource Tags are an essential part of any Azure environment. My take on them is the more there are the better! (As long as keys are consistent across resources of course)

The Problem…

We do a lot of retro-tagging on resources in our clients Azure environments to assist in bringing them inline with our standards. And also to enable their Azure subscriptions to slot into our management tools, which we use tags heavily for to control certain things etc…

One problem we face quite regularly is that some resources have started to of been tagged, whilst others haven’t. Normally we find the tags that have made their way onto resources is actually down to a deployment template from a marketplace resource. like Jenkins Server, rather than being manually created and set by an IT admin.

This normally means that scripting tag creation/setting on resources with most of the existing PowerShell scripts we have and are also available over the internet are unusable. This is because these scripts generally just replace the tags, if any are in place already; not ideal at all!

The Solution…

So with the above problem becoming ever more a time consuming block for our teams internally, I decided to get my head down in VS Code and write a new PowerShell script that will overcome this issue!

I’m glad to say that after about 3/4 hours of work and constant testing with different environment scenarios, I accomplished it!

The script is available on my ‘PublicScrips’ GitHub repository here!

Please feel free to download, use, edit, alter and report any issues with the script either below in the comments or via GitHub directly and I will do my best in my spare time to resolve any issues reported.

Obviously as with any script you find on the internet, please test it on a subset of resources before letting it loose on your entire environment. Whilst I have tested this script over 50+ times and on different environments to ensure if handled all possible scenarios, I cannot guarantee that to anyone that it is 100% error free (although I don’t think its bad, even if I do say so myself 😀 ).

Summary

Enjoy the script! And please do let me know of any issues you find.

Also let me know of any future feature requests or other common scripting issues you face that you may like me to tackle in the future, in the comments below or via Twitter!

Azure Subscription Migrations

** UPDATE – 15/07/2019 – Version 5 of the Azure Resource Migration Support Tool released – Click on link below to get a copy of it or here. **

Recently I have had an abundance of requests from our sales teams & account managers regarding Azure Subscription migrations. Whether it be from PAYG (Pay-As-You-Go) to CSP, EA to CSP, CSP to PAYG or just PAYG to PAYG.

Whatever the source and destination subscription model is, the answer I give is the same!

Every migration for each customer is going to be different 99% of the time and in the majority of cases is not as simple as the click of the migrate button from within the portal and away you go. Perhaps one day it will be; I’ll be a very happy man that day for sure!

So in this post I will share with you how I approach these requests and a tool I have developed to help speed the assessment process up significantly.

Please note this article will focus on subscription level migrations, however the tool accommodates for Resource Group level migrations as well!

Before you even think about migrating…

There are a few key points of information that you need to gather/understand when starting with one of these requests.

  1. Why does the customer want to migrate subscriptions?
  2. What subscription model are the source and destination subscriptions using; or going to use?
    1. PAYG
    2. CSP
    3. EA
    4. Other… (MSDN, BizSpark etc…)
  3. An export of all resources from all of the source subscriptions.
  4. Timescales for migration completion.

All of these questions are important to have an answer for before beginning your approach to the migration.

Questions 1 and 4 are more to help understand the “why” from the customer and to set expectations early on timescales. Because we all know sometimes timescale expectations can be unrealistic and it’s important for us to reset them accordingly if so.

Questions 2 and 3 will help define some technical paths you will need to follow and various limitations that each combination may have.

Subscription Migration Support Matrix

I feel know is a good time to lay out all of the combinations for subscription migrations and what initial approach should be taken.

Apologies for the length of this table but there are a lot of possible different combinations!

Source
Subscription
Model
Destination
Subscription
Model
Migration
Supported
Migration
Approach
Notes
PAYGEAYesJust a back-end Azure billing change.
No downtime
PAYGCSPYesResources must be migrated between subscriptions.
Possible downtime & limitations.
Check services are available in CSP.
No classic (ASM) resource supported in CSP.
PAYGMSDN/BizSparkYesResources must be migrated between subscriptions.
Possible downtime & limitations.
PAYGPAYGYesResources must be migrated between subscriptions.
Possible downtime & limitations.
EAPAYGYesResources must be migrated between subscriptions.
Possible downtime & limitations.
EACSPYesResources must be migrated between subscriptions.
Possible downtime & limitations.
Check services are available in CSP.
No classic (ASM) resource supported in CSP.
EAMSDN/BizSparkYesResources must be migrated between subscriptions.
Possible downtime & limitations.
EAEAYes/No/Not NormalIf different Azure AD Tenant same as EA to PAYG.
If same Azure AD Tenant, why are you migrating as you can just change subscription owner instead.
N.B. this not a migration I have ever come across to date.
MSDN/BizSparkEAYesJust a back-end Azure billing change.
No downtime
MSDN/BizSparkPAYGYesResources must be migrated between subscriptions.
Possible downtime & limitations.
MSDN/BizSparkCSPYesResources must be migrated between subscriptions.
Possible downtime & limitations.
MSDN/BizSparkMSDN/BizSparkYesResources must be migrated between subscriptions.
Possible downtime & limitations.
CSPMSDN/BizSparkYes/Not NormalResources must be migrated between subscriptions.
Possible downtime & limitations.
CSPEAYes/No/Not NormalBelieve this would have to be treated as if it were PAYG to PAYG as CSP subscription has some back-end billing differences. Therefore doubtful that EA subscription import/billing change process will not work.
Resources must be migrated between subscriptions.
Possible downtime & limitations.
CSPPAYGYesResources must be migrated between subscriptions.
Possible downtime & limitations.
CSPCSPYesBack end billing change but must be requested in certain way and currently no automated way to do this.
See: https://docs.microsoft.com/en-us/azure/cloud-solution-provider/customer-management/switch-subscription-to-different-csp-partner

Assessing Resource Migrations Between Subscriptions

As you have seen in the table above, the majority of migrations require you to migrate the actual Azure resources between subscriptions. As mentioned before and in the table rows, this sometime incurs downtime and also there are various limitations per Azure resource type (VM’s, NSG’s, App Services etc…).

Now there used to be a handy little tool that someone created for CSP migration assessments called the “Azure CSP Assessment”. This was an Azure hosted web app located here: https://azurecspassessment.azurewebsites.net/ but as you can see the site is now longer up and running 🙁

However using the tool was always a risk as the list of resources that support subscription migration and the various limitations changes at quite a pace; as does everything in the Azure world, right!

So it used to mean that I get an export of the customers source Azure subscription resources and resource types using the below PowerShell command:

Get-AzResource | Export-Csv PATHTOFILE.csv

Then using the exported CSV file I would use Excel and the following below pages on Azure Docs to go through each resource type and check its compatibility and limitations:

  1. https://docs.microsoft.com/en-gb/azure/azure-resource-manager/move-support-resources
  2. https://docs.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources
  3. https://docs.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-available-services – Only when migrating to CSP

To say this was long winded and painful is an understatement certainly!

Azure Resource Migration Support Tool

So that’s why I have created a handy Excel Workbook that does all the work in comparing against the information in links 1 and 2 above with a simple copy and paste of specific columns from the exported CSV.

I also thought it would be a shame not to share this tool so here it is available for any of you reading this to use for free!

Azure Resource Migration Support Tool V2

Azure Resource Migration Support Tool V4

Azure Resource Migration Support Tool V5

All instructions on how to use the tool are on the “Intro Page” sheet within the workbook/spreadsheet.

I will be periodically checking the Azure Docs pages and updating any changes to resources that are now supported for migration to this tool and i will update this page with the latest version of the tool.

What do I do once I’ve used the tool to assess my resources…

Well firstly, please comment below or get in touch with me via Twitter, LinkedIn or e-mail me with any feedback or features you would like in newer releases of the tool.

Once you’ve done that and used the tool to assess your resources in your source subscription, it is highly likely you have a good idea about how you need to proceed.

I strongly suggest running this as a project within your company as it is not as simple as clicking a migrate button. I’ve even called it a “Virtual Data Centre Move” as it really can have the same potential devastating unplanned outages if you don’t treat it with the correct attention and detailed planning.

Personally I suggest building a project plan, if you have a Project Manager to help you, even better. Detail every task you are going to need to do before, during and after the migration, some examples below:

  • Create destination subscription
  • Attach destination subscription to existing (same as source subscription) Azure AD tenant – THIS IS MANDATORY AT THIS TIME, BOTH SUBSCRIPTIONS MUST BE IN THE SAME AZURE AD TENANT
  • Change Public IP SKUs for Resources: X, Y & Z
  • etc…

Once you have your plan built, start raising RFC/Changes (if required) to get this work completed. Some of this work may even require re-provisioning resources to get them on the correct SKUs etc… so it would also be prudent to get any other internal teams involved to assist with testing etc… if you aren’t able to do this yourself during your changes.

Nobody likes the dreaded out of hours phone call when something you couldn’t test doesn’t work after a change.

Once you’ve made all of the prerequisite changes, its now time to probably download the latest version of the tool, export all your resource into a CSV again and check for any additional changes that you may need to make as things may of changed from the Azure side.

If nothing has then that’s great news as you haven’t got to go back through the whole process again. You should now make sure that all Resource Providers in use in the source subscription are registered in the destination subscription.

To check the Resource Providers in use in the either subscription use the following PowerShell command (please note you’ll need to change subscriptions within your PowerShell session using the first 2 commands in the below block):

##Find Subscription ID##
Get-AzSubscription

##Change Subscription Within PowerShell Session##
Select-AzSubscription -SubscriptionId 'PASTE ID HERE'

##Check Resource Providers For Selected Subscription##
Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState

You should get the below output for the Resource Provider command. (I’m using CloudShell, check it out if you aren’t already):

Compare both subscription outputs against each other, using Export-Csv may be your friend here. And then register any providers in the destination subscription that are registered in the source subscription but not in the destination.

To register Resource Providers use the below command (again please note you’ll need to make sure you’ve changed your sessions selection to the correct subscription again using the above commands):

##Register Resource Provider##
Register-AzResourceProvider -ProviderNamespace 'PROVIDER NAMESPACE PLEASE CHANGE'

You should get the below output when registering a provider:

Once you have registered all the required providers run one last comparison check and then you can proceed to actually pushing that ‘Move to another subscription’ button on your resources/resource groups as per your plan.

Summary

As you can see by the length of this article the process is not always straight forward and can be quite a long process from start to finish.

Please let me know your feedback for the tool via any method that I mentioned above.

And more importantly I hope this article helps you plan your migration to be successful.

Passing The Azure 70-535 Exam

A few weeks ago I sat and passed the Architecting Microsoft Azure Solutions (70-535) exam at a test centre near me; yes I still prefer going to a test centre rather than doing an online proctored exam.

This exam was probably one of the toughest I have taken and certainly one of the hardest in terms of studying and preparing for. The breadth of topics, features and services to cover are vast!

So in this post I thought I would share my experience from studying to taking the exam. Even though this exam retires on the 31st December 2018, the techniques and material will still be valid for the new AZ-300/301/302 exams and certification path.

Please note you can only take the AZ-302 if you have passed this exam (70-535)!

Preparation – What To Study

As with every exam I take it is important to understand what the exam will actually test you on; learning material that you wont be tested on maybe fun and enjoyable, but it won’t help you pass the exam.

To do this I used the exam overview page here.

Using this web page I review the “Skills measured” section with great detail looking for various pieces of vital information.

Firstly the section explaining the areas and the split of them in the exam:

I note down on a OneNote page each service/feature/topic mentioned so I ensure I revise each of them.

I also lookout for exam updates, these are normally just in normal text (not highlighted or in red) and normally look something like the below:

These are very important to find if they exist for your chosen exam; they normally do for older exams! They provide an update on the “Skills measured” section/topic splits alongside new features/services to study etc… and also ones to now ignore as they have been retired/replaced.

Preparation – Revision Tools & Resources

For this particular exam I used several tools to help me study all of the required material.

Firstly I purchased Scott Duffy’s course on Udemy for the exam; link here.

I also purchased the Microsoft Official Exam Ref guide book for the exam.

And finally I use the Microsoft Azure Docs as these are now community driven and therefore usually very accurate and up-to-date. Alongside Microsoft Channel 9 videos.

Preparation – Method

As for my revision approach I do the following, however everybody learns differently so this may not work for you.

Firstly I watch all of the videos for a particular feature/service from either Scott Duffy’s Udemy Course or Microsoft Channel 9. And whilst watching I jot down rough notes in OneNote.

Once I’ve watched the videos I then further detail and refine my notes by using the relevant pages on Microsoft Azure Docs.

And then either in the evening before going to sleep or early in the morning as I eat breakfast I read the same section in the Exam Ref guide book.

This means I will of read the information 3 times, so hopefully some of it has stuck in my brain by now!

One important thing to note is that I never revise for more than 20 minutes straight. After 20 minutes has elapsed I find the quality of information being taken in by my brain is not as good and only leads to me re-revising.

After I have done this for all of the topics/features/services I need to revise I then review my notes for a specific area each day (mainly the ones I don’t use on a daily basis)

The Exam

The exam is the same style as most Microsoft exams I have taken in the past, multiple choice with different style questions like drag and drop and scenario based etc…

One thing I cannot stress enough is to book the exam at least a month before you wish to take the exam, this will force you to revise daily.

The questions I had in my exam were exactly as expected based on the exam overview page, however it was more up-to-date on features and services than I expected.

For example some of the networking questions mentioned Azure VWAN and ExpressRotue Direct, luckily I check the Azure blog at least daily for new features of note for my daily job role.

As the exam will retire I won’t mention much more about the exam in this post. Apart from it really was quite tough and revision of all topics mentioned is definitely recommended.

Summary

Hopefully my preparation steps and advice will help a lot of you pass any exam you are about to take as these skills are universal across pretty much any exam and vendor.

If you do have any specific questions around what to look out for for Azure Architecture exams then feel free to comment below or reach out to me on Twitter.

Until next time… Like, Comment & Share!

Azure & The Importance Of Azure AD

Recently the amount of conversations I have had with customers and colleagues regarding Azure AD and how it links to subscriptions etc… has been astounding.

The most common misconception I see/hear is that because it has the “AD” in its title that it is believed to be a completely separate product unrelated to the fundamental required components to get started in Azure successfully.

Also I get the question from a lot of customers who are already using Azure of “Why do we have to use separate accounts to login to Azure? 

As soon as I hear the above, I instantly smile inside, because I know they haven’t understood Azure AD and its importance at the setup stage of any Azure, Office 365, Dynamics subscription creation.

So what is the importance of Azure AD, I hear you ask?

I’ll start off by showing the below diagram as this may help initiate that lightbulb moment for some of you.

The above diagram shows a typical setup that I have configured many times in the past. At the top we have an existing on-premise Active Directory Forest & Domain (acmecoporation.local) with all existing user, groups & computer objects in an OU structure.

In the middle we have the Azure AD Tenant with the *.onmicrosoft.com domain name of acmecorporation.onmicrosoft.com. 

Some important things of note about the Azure AD tenant:

  • The *.onmicrosoft.com domain name must be globally unique
    • This means checking the availability of the desired domain name is vital before beginning the creation, here is a link to a great tool to do just that
      (Believe me when I say I have seen a surprising amount of *.onmicrosoft.com domain names already been taken for some of my customers)
    • In some circumstances Microsoft themselves can help in tracking down a desired *.onmicrosoft.com domain name and asking the existing tenant owners if they are willing to give it to you
      • However, in most cases the existing tenant owners will not want to give this up as it will involve a large migration from one tenant to another
  • The *.onmicrosoft.com domain name cannot be changed once created
  • The Azure AD tenant should be treated as a single forest & domain configuration when translating to an on-premises AD deployment.
  • Azure AD doesn’t have any trusts between Azure AD tenants like you can do with an on-premises AD deployment
    • There is a feature called Azure AD B2B which is very similar. (A blog post for the future in its own right, watch this space)

The notes above are not a definitive list however they are the most common things I come across on a daily basis.

Users, Groups & Computers can be synchronised from on-premises Active Directory domains via the use of Azure AD Connect (formerly known as DirSync).

Azure AD Connect is an awesome tool that not only synchronises objects from on-premises to your Azure AD tenant, but it also can configure authentication methods (Password Hash Sync, Pass-Through Authentication, ADFS to name a few), all from a GUI based application.

It can also synchronise objects from several other on-premises AD topologies, however Microsofts has an article for this which is very well constructed so I will link to that here.

And finally at the bottom of the diagram are the various subscriptions that are linked to the Azure AD tenant.

Subscriptions can only be linked to one Azure AD tenant, so those subscriptions will only be able to use the users, groups & computer objects that are in the Azure AD tenant.

So I appreciate there is a lot to take in there but this just reiterates my point that it is some important to get it right at the beginning of your cloud journey.

So how do I make the right choice when setting up an Azure Subscription?

Again this is not as easy of a task that a lot of people believe it is. So again to help ensure you get this right I have created a workflow that will help guide you to the correct choice.

Summary

Again I apologise for the information overload in this article however, by taking the time to read through this article (probably several times) it should help you make the right decision around what to do.

Also it should help you avoid the nasty situation of having to migrate to a new subscription which is linked to the correct Azure AD tenant. Believe me these migrations are never fun!

As always comment, like & share!

New PowerShell Module “Az”

This week the Azure Software Engineering Team announced a new PowerShell module for Azure called “Az”.

This module is also cross-platform supported which means all commands etc… are supported across all platforms/OS’s that support PowerShell; Windows, Linux, Mac OS X & Azure Cloud Shell.

I have installed this on both my Windows and Mac OS Mojave machines and all seems to be working well and I haven’t found any issues as of yet, which is always nice.

The only small niggle comes when trying to install the module on a Mac if you are not running PowerShell as an admin you get the below error:

To get around this see my other blog post about how to create a desktop shortcut to launch PowerShell as admin on a mac. Click here to view that post!

However once you’ve followed the post linked above the install process on a mac is pretty painless.

  1. Launch your new PowerShellAdmin executable from the desktop
  2. Enter your user account password to launch as sudo
  3. Enter the command:
    Install-Module Az

  4. Accept the PSGallery as an untrusted repository to install from by entering “Y” or “A” at the prompt and hit return (as shown below)
  5. Let the module download and install

It’s as easy as that!

And the same commands can be followed on a Windows machine with PowerShell running as an administrator.

Compatibility With The AzureRM Module

Now for those of you, like myself, who have an abundance of PowerShell scripts using the AzureRM module to do various tasks in Azure; I have some further good news for you all.

The team at Microsoft have also thought about this scenario and have provided a couple of commands to assist with this transition period to a new module.

The first command is:

Enable-AzureRmAlias [-Module <string>] [-Scope Process | CurrentUser | LocalMachine]

This enables you to use your legacy AzureRM module references with the new Az module.

Note if you don’t specify a specific module then all modules will have the alias enabled. Also you can set the scope for the aliases as you require, I would probably suggest “LocalMachine” for most admins out there until you have re-written your scripts.

The second command is:

Disable-AzureRmAlias [-Module <string[]>] [-Scope Process | CurrentUser | LocalMachine]

This command just disables the aliases that you may have previously enabled; to use once you have adjusted all of your scripts in my opinion.

The same rules around specifying modules and scoping as above.

Summary

Get out there and install the new module! I can only imagine that the new module will be the only one supported in a few months, so getting ahead of the curve is always a good idea!

Microsoft also mention that the Az module will replace the AzureRM one later this year!

Let me know in the comments if you find any commands that don’t work, I haven’t found any yet!

And heres to being able to use the same cmdlets across all platforms with this new module!

© 2019 Jack Tracey

Theme by Anders NorénUp ↑