Azure Security Architect – https://azuresecurityarchitect.com/ – For all your cloud security needs – Tue, 25 Mar 2025 17:04:19 +0000

Azure Monitor Baseline Alerts for AVDs
https://azuresecurityarchitect.com/avd-azure-vdi/azure-monitor-baseline-alerts-for-avds/
Tue, 25 Mar 2025 17:04:19 +0000

Azure Monitor Baseline Alerts for AVDs – great for capturing common baseline events for AVD instances.

The post Azure Monitor Baseline Alerts for AVDs appeared first on Azure Security Architect.
AVD Latency Issues Troubleshooting
https://azuresecurityarchitect.com/avd-azure-vdi/avd-latency-issues-troubleshooting/
Fri, 14 Mar 2025 15:04:12 +0000

Azure Level

Enable Azure Insights to capture round-trip time (RTT) for the AVD spin-up as well as RTT for the networking path.

VM Level

At the NIC level, enable VM Accelerated Networking if the VM type (and OS) supports it.

Firewall Level

Ensure that deep packet inspection/filtering is not causing the latency.

Ensure that the outbound route to the internet is not causing the latency (if it goes via a PA FW, for example).

The post AVD Latency Issues Troubleshooting appeared first on Azure Security Architect.
InTune Migration PreExisting Identities
https://azuresecurityarchitect.com/intune/intune-migration-preexisting-identities/
Wed, 12 Mar 2025 15:42:49 +0000

For Intune (device) migrations to be successful, two things need to be in place:

  1. The identities (for those devices) need to exist already.
  2. The licensing for the devices needs to be in place.

The post InTune Migration PreExisting Identities appeared first on Azure Security Architect.
Storage Accounts and Blob Storage
https://azuresecurityarchitect.com/storage-security/storage-accounts-and-blob-storage/
Mon, 30 Dec 2024 17:16:49 +0000

Step 1 – Creating a NEW STORAGE ACCOUNT

Types – Storage accounts are of three types: V2 (most general purpose), V1 (hardly used anymore) and Blob Storage (can only store blobs – no table storage etc.).

Replication

  1. LRS (Locally redundant – always triple redundant within a single datacenter)
  2. Geo-Redundant (GRS)
  3. Read-Access Geo-Redundant (RA-GRS)

Tiers – HOT or COOL (Archive can only be set LATER)

Additional Security Options

  – Bind to a VNET
  – Secure transfer only

Step 2 – Adding a BLOB

Once the storage account is ready, add a new CONTAINER (BLOB).

Access type – Private (useful for BACKUPS being stored to BLOBS); Anonymous read for BLOBS only is the second option.

The post Storage Accounts and Blob Storage appeared first on Azure Security Architect.
Azure Policy Recommended Policies
https://azuresecurityarchitect.com/azure-security-ecosystem/azure-policy-recommended-policies/
Sun, 29 Dec 2024 16:32:53 +0000

These are the top recommended policies for most customers.

  1. Enforce resource tagging
  2. Limit allowed locations
  3. Prohibit deployment of specific resource types (e.g. public IP addresses)
  4. Require secure transfer for storage accounts
  5. Block public access to storage accounts
  6. Block anonymous access to storage accounts
  7. Configure Cosmos DB accounts to disable public network access
  8. Configure Azure SQL accounts to disable public network access

The post Azure Policy Recommended Policies appeared first on Azure Security Architect.
Device Restrictions using Conditional Access Policies in Azure Entra ID
https://azuresecurityarchitect.com/entra-id/device-restrictions-using-conditional-access-policies-in-azure-entra-id/
Wed, 27 Nov 2024 18:13:19 +0000

Now, there’s a policy that allows you to restrict which devices get into your Azure subscriptions. The compliant devices policy requires you to list the CIDR ranges/devices that are permitted. You can also make exceptions for specific devices if you need to.

The exact error:

The portal encountered an issue while attempting to retrieve access tokens. We suggest attempting to sign in again, or alternatively, continuing without access tokens, although this may result in a suboptimal user experience. Additional details: invalid_grant: AADSTS530004: AcceptCompliantDevice setting isn’t configured for this organization. The admin needs to configure this setting to allow external users access to protected resources. Trace ID: af449c59-5668-4e01-9c12-6148328d6500 Correlation ID: e0318484-7e18-4c0f-b7a9-a678a9bc8cfd Timestamp: 2024-11-27 17:58:53Z.

The post Device Restrictions using Conditional Access Policies in Azure Entra ID appeared first on Azure Security Architect.
Letting in vendors to your Entra Tenant
https://azuresecurityarchitect.com/entra-id/letting-in-vendors-to-your-entra-tenant/
Sat, 23 Nov 2024 00:26:33 +0000

Use Case

Let a set of vendor engineers into your Azure subscription (typically with GLOBAL READER permissions).

Steps in Entra and in Azure

  1. Set up SSO using the vendor’s email ID as the UUID.
  2. Grant them GUEST user licenses in your Entra tenant.
  3. Put all these VENDOR GUESTS into a single AAD user group.
  4. Now use RBAC to grant this user group Azure resource permissions.

The post Letting in vendors to your Entra Tenant appeared first on Azure Security Architect.
P2 licenses – Use Case – SSO Authentication and MFA – no mailbox
https://azuresecurityarchitect.com/entra-id/licensing/p2-licenses-use-case-sso-authentication-and-mfa-no-mailbox/
Fri, 22 Nov 2024 20:36:46 +0000

Use Case – SSO Authentication and MFA – no mailbox

P2 licenses – Cloud Only Authentication (not federated)

The post P2 licenses – Use Case – SSO Authentication and MFA – no mailbox appeared first on Azure Security Architect.
Devices versus Apps – Managed by Intune
https://azuresecurityarchitect.com/intune/devices-versus-apps-managed-by-intune/
Fri, 22 Nov 2024 20:36:05 +0000

Intune

Can be used to manage both devices and the applications on those devices.

One can configure Intune for JUST application management (and have some other tool do the device management).

The post Devices versus Apps – Managed by Intune appeared first on Azure Security Architect.
Migration of Azure site-to-site VPN tunnel from one region to another
https://azuresecurityarchitect.com/expressroute/migration-of-azure-site-to-site-vpn-tunnel-from-one-region-to-another/
Mon, 18 Nov 2024 14:14:32 +0000

Option 1 – create a new VPN in the new region

  1. Create a new VPN gateway in the desired region.
  2. Configure the new gateway with the same connection settings as the old one.
  3. Update your on-premises VPN device to point to the new Azure gateway, effectively switching the tunnel to the new region while maintaining connectivity.

Most of this can be done through the Azure portal by modifying the VPN gateway’s location and connection details, ensuring your on-premises device is updated accordingly.

Option 2 – actually move the resources over (not preferred)

The entire VNet (containing the gateway subnet) needs to be migrated.

Done using the Resource Manager migration.

The post Migration of Azure site-to-site VPN tunnel from one region to another appeared first on Azure Security Architect.