Year: 2017

Azure Disk Encryption and Azure Backup

If you are looking to use Azure Disk Encryption and Azure Backup you need to follow a couple of additional steps to the standard encryption procedure.

The official documentation can be found below:

How it works

There are two types of encryption keys to consider.

  • BEK – BitLocker Encryption Key
  • KEK – Key Encryption Key

The encryption service uses Key Vault to manage the secrets. To do this, we need an application in Azure AD that has permissions (set by a Key Vault Access Policy) to operate inside the Key Vault.

This application is needed whether you are just using a BEK or also setting up a KEK for Azure Backup support.

For KEK a Key must be imported or created in the Key Vault. You reference this key when running the commands.

Finally, the Backup Management Service needs permissions to access the Key Vault and the keys.

Image 1: Example of Secrets inside of Key Vault


Please note: You will need a Key Vault before you can complete this procedure. The Key Vault must be in the same region as the VM that will be encrypted.

1. Set up an Azure AD Application

In Azure Active Directory, select App registrations and create a new app registration. Enter a Name, select Web app / API and assign a sign-on URL (you will not use this so a default entry is adequate).

Image 2: App Registration in Azure Active Directory

Make a note of the Application ID, then create an application Key and take note of it. Please note that the Key is only shown once, on the page immediately after it is saved. After that it will be hidden.

2. Configure the permissions in the Key Vault for the new Azure AD Application

In the Key Vault set up an Access Policy for the new application.

Image 3: Setting up permissions in the Key Vault (an Access Policy)

Key permissions need to be set to Wrap Key and Secret permissions to Set.

Image 4: Setting the Key Vault Access Policy for the Azure AD Application

3. Create a Key in Key Vault

This will be the key used to wrap the BEK, also known as the KEK.

Image 5: Creating the KEK

4. Set permissions for the Backup Management Service

Select Access Policies and from the template select Azure Backup. The principal will be Backup Management Service.

Image 6: Creating the Access Policy for the Backup Management Service

5. Check the Advanced access policies to enable access to Azure Disk Encryption for volume encryption.

Image 7: Setting the Advanced Access policies for Disk Encryption
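Before running the encryption commands it is worth confirming that steps 2 to 5 are actually in place. The script below is added here and is not part of the original post; it assumes the AzureRM modules, an existing Login-AzureRmAccount session, and the Application ID from step 1. The parameter names are my own.

```powershell
# Added check: verify the Key Vault prerequisites from steps 2-5 (not part of the original post).
# Assumes AzureRM modules and an existing Login-AzureRmAccount session; parameter names are my own.
param(
    [Parameter(Mandatory)][string]$VaultName,
    [Parameter(Mandatory)][string]$VaultResourceGroup,
    [Parameter(Mandatory)][string]$AadApplicationId,   # Application ID noted in step 1
    [Parameter(Mandatory)][string]$VMName,
    [Parameter(Mandatory)][string]$VMResourceGroup,
    [Parameter(Mandatory)][string]$KeyName              # KEK created in step 3
)

$problems = @()
$vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
$vm    = Get-AzureRmVM -ResourceGroupName $VMResourceGroup -Name $VMName

# The Key Vault must be in the same region as the VM that will be encrypted
if ($vault.Location -ne $vm.Location) {
    $problems += "Key Vault is in $($vault.Location) but the VM is in $($vm.Location)"
}

# Step 5: the advanced access policy for Azure Disk Encryption
if (-not $vault.EnabledForDiskEncryption) {
    $problems += "EnabledForDiskEncryption is not set on the vault (step 5)"
}

# Step 2: the AAD application's access policy must grant Wrap Key on keys and Set on secrets
$app = Get-AzureRmADServicePrincipal -ServicePrincipalName $AadApplicationId
$appPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $app.Id }
if (-not $appPolicy) {
    $problems += "No access policy for application $AadApplicationId (step 2)"
} else {
    if ($appPolicy.PermissionsToKeys -notcontains 'wrapKey') { $problems += "Application lacks Wrap Key on keys (step 2)" }
    if ($appPolicy.PermissionsToSecrets -notcontains 'set')  { $problems += "Application lacks Set on secrets (step 2)" }
}

# Step 3: the KEK exists in the vault
$kek = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $kek) { $problems += "Key '$KeyName' not found in vault $VaultName (step 3)" }

# Step 4: the Backup Management Service has an access policy (its permissions come from the Azure Backup template)
$backupSp = Get-AzureRmADServicePrincipal -SearchString "Backup Management Service" | Select-Object -First 1
if (-not $backupSp -or -not ($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $backupSp.Id })) {
    $problems += "No access policy for the Backup Management Service (step 4)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Key Vault $VaultName is ready for Azure Disk Encryption with Azure Backup" }
```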

PowerShell commands for an existing VM

$subscriptionName = "SUBSCRIPTION NAME"
$RGName           = "RESOURCE GROUP NAME"   # resource group that holds the VM and the Key Vault
$VMName           = "VM NAME"
$VaultName        = "KEY VAULT NAME"
$keyName          = "KEY NAME"              # the KEK created in step 3
$AADClientID      = "APPLICATION ID"        # Application ID from step 1
$AADClientSecret  = "APPLICATION KEY"       # application Key from step 1

# Sign in and select the subscription that holds the VM and the Key Vault
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $subscriptionName

# Resolve the KEK and the Key Vault details the extension needs
$keyEncryptionKeyUri = Get-AzureKeyVaultKey -VaultName $VaultName -KeyName $keyName
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# Enable the encryption extension; the BEK is stored in the vault and wrapped with the KEK
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName `
    -AadClientID $AADClientID -AadClientSecret $AADClientSecret `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUri.Id -KeyEncryptionKeyVaultId $KeyVaultResourceId

Disclaimer:  Please note although I work for Microsoft the information provided here does not represent an official Microsoft position and is provided as is.

Adding a Public IP to an Existing Azure ARM VM

If you are not running a jump host in your environment, I find from time to time that I need to add a Public IP to a NIC and connect to my virtual machine.

PowerShell is by far the easiest way to complete this task. The small script below outlines how to do this.

# New-AzureRmPublicIpAddress creates the new IP - run this first.
New-AzureRmPublicIpAddress -Name testip -ResourceGroupName wpbackup -AllocationMethod Static -Location "Southeast Asia"

# Set the variables by getting the objects you need (replace the NIC placeholders)
$nic = Get-AzureRmNetworkInterface -ResourceGroupName "NameOfResourceGroup" -Name "NameOfNIC"
$pip = Get-AzureRmPublicIPAddress -ResourceGroupName wpbackup -Name testip

# Attach the public IP to the NIC's primary IP configuration, then write the NIC back
$nic.IpConfigurations[0].PublicIpAddress = $pip
Set-AzureRmNetworkInterface -NetworkInterface $nic
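A public IP on a NIC exposes the VM directly, so it should be detached again once the session is over. The functions below are added here and are not part of the original post; they wrap the attach step above and its reverse, assume the AzureRM modules and an existing login, and the function names are my own.

```powershell
# Added example (not from the original post): attach a public IP to a NIC for a session and remove it afterwards.
# Assumes the AzureRM modules and an existing login; function names are my own.

function Add-TemporaryPublicIp {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NicName,
        [Parameter(Mandatory)][string]$PublicIpName,
        [Parameter(Mandatory)][string]$Location
    )
    # Create the public IP (static so the address survives NIC updates) and attach it to the primary IP configuration
    $pip = New-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName -AllocationMethod Static -Location $Location
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    $nic.IpConfigurations[0].PublicIpAddress = $pip
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
    # Return the address so it can be used for the connection
    (Get-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName).IpAddress
}

function Remove-TemporaryPublicIp {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NicName,
        [Parameter(Mandatory)][string]$PublicIpName
    )
    # Detach first: a public IP that is still referenced by a NIC cannot be deleted
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    $nic.IpConfigurations[0].PublicIpAddress = $null
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
    Remove-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName -Force
}

# Usage with the values from the post
$ip = Add-TemporaryPublicIp -ResourceGroupName wpbackup -NicName "NameOfNIC" -PublicIpName testip -Location "Southeast Asia"
# ... connect to $ip, then:
Remove-TemporaryPublicIp -ResourceGroupName wpbackup -NicName "NameOfNIC" -PublicIpName testip
```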


Audit number of VHDs per Storage Account | Azure

Time for some code.  I was recently asked by a customer to help them audit the number of active VHDs in a storage account.

As ever, with a little digging around and some slight adjustment, I was able to provide what they were after.

The original came from the very accomplished John Savill and was posted at Windows IT Pro.

$FindStorage = Get-AzureRmStorageAccount
$out = @()
foreach ($Storage in $FindStorage) {
    $Name = $Storage.StorageAccountName
    $ResourceGroupName = $Storage.ResourceGroupName
    $Location = $Storage.Location

    # All .vhd blobs in the 'vhds' container of this storage account
    $AllBlobs = Get-AzureRmStorageAccount -Name $Name -ResourceGroupName $ResourceGroupName |
        Get-AzureStorageContainer | Where-Object { $_.Name -eq 'vhds' } |
        Get-AzureStorageBlob | Where-Object { $_.Name.EndsWith('.vhd') }

    # A VHD attached to a VM holds an infinite lease; count only those
    $VHDsinAct = 0
    foreach ($Blob in $AllBlobs) {
        if ($Blob.ICloudBlob.Properties.LeaseState -eq 'Leased' -and $Blob.ICloudBlob.Properties.LeaseDuration -eq 'Infinite') {
            $VHDsinAct++
        }
    }

    $props = @{
        StorageAccount = $Name
        VHDs           = $VHDsinAct
        ResourceGroup  = $ResourceGroupName
        Location       = $Location
    }
    #Write-Output "Total of $VHDsinAct VHDs in $Name"
    $out += New-Object PSObject -Property $props
}

$out | Format-Table -AutoSize -Wrap StorageAccount, VHDs, ResourceGroup, Location
$out | Out-GridView -PassThru


Successfully Working from Home

I’ve learnt quite a bit about working from home in the last ten years and thought it was about time I shared one of the secrets to my success.

It will take longer to get used to than you will first admit. 

Working from home has some obvious benefits; no travel time, no interruptions, working all day in your pyjamas. It’s a breeze, right? When I look back I can honestly say it took me over a year to get into the correct rhythm.  I had started a new job, I had a new baby (our first), I was sent a laptop, filing cabinet (don’t know why I got that), chair, printer, tech. toys and I was away.  I knocked off what I thought was a day’s work by morning tea and was a very happy man. But how do you get by with no interaction with anyone at work? Monday is great but by Wednesday, outside of the odd phone call and customer conversation, who do you have the work chat with? What happens if you get frustrated at work and the next person you see is your new child or sleep-deprived partner?  You suddenly need to slip out of work mode and into home mode, then back again.  You think Superman makes a fast change in a phone box; it’s nothing compared to the mental gymnastics of the accomplished home worker.

As you get used to the transition you’ll be telling everyone how great life is, but sometimes you’ll be doing this to convince yourself more than anyone else. But working from home can be very rewarding and productive. It took me a while to work this out as I am not someone that has had much interest in physiology, but you need to train your brain.

What did I do? I decided I had to identify in my mind where and when I was at work.  I picked a space and made sure everything was the same each time I started.  I created a routine of work, emails, calls and customer visits that I stuck to. I even cleaned and tidied the space every week and set it up for Monday. I mentally told myself that when I leave this spot I am no longer at work, I am at home. I moved a chair by the door and said to myself, work goes there when I leave this room. Over about twelve months I began to surprise myself with how quickly I was able to mentally switch roles.  I could stride through the house, be dad, walk into my work space, sit down and get straight back into it. It was at this point that working from home truly became great and productive.

Without knowing it I was taking my brain through a series of mental exercises.  My brain was getting a workout and learning how to flip modes very quickly.

I have switched companies now and at Microsoft I have the flexibility to work at the office or at home. I can spend weeks in the office environment or at customer sites and then a period at home, and the mental flexibility is still there. All I have to do is remember to get dressed when I go into the office.

This is a skill I’m sure anyone can learn.  I’d be interested in what makes working from home a success for you. I always say we all learn by sharing and if you have found another way don’t be shy, let the world know.

Audit Azure ARM Networks

Consultants love to audit environments and there is no better use of a script than for this purpose.

This script lists out the virtual networks and subnets in a subscription.

Remember there is always a better way to do things and if you have a better way don’t forget to share.

$FindNetworks = Find-AzureRmResource | Where-Object { $_.ResourceType -like "Microsoft.Network/VirtualNetworks" }

$out = @()

foreach ($Network in $FindNetworks) {
    # Full VNet object, which carries the address space and subnet configuration
    $VNetDetail = Get-AzureRmVirtualNetwork -Name $Network.Name -ResourceGroupName $Network.ResourceGroupName

    $props = @{
        VNetName      = $Network.Name
        ResourceGroup = $Network.ResourceGroupName
        Location      = $Network.Location
        # Join the arrays so the table shows the prefixes and subnet names rather than object type names
        AddressSpace  = $VNetDetail.AddressSpace.AddressPrefixes -join ', '
        Subnets       = ($VNetDetail.Subnets | ForEach-Object { "$($_.Name) ($($_.AddressPrefix))" }) -join ', '
    }

    $out += New-Object PSObject -Property $props
}

$out | Format-Table -AutoSize -Wrap VNetName, AddressSpace, Subnets, ResourceGroup, Location
$out | Out-GridView -PassThru


Hybrid Use Benefit from Image | Azure

Please see the post Hybrid Use Benefit HUB | Azure for details on the Microsoft HUB process.

I have been using a slight edit of the process described, so I thought I would place the code I have been using below.

Please note that HUB images are now available in Azure, so a generalised image is no longer required.

# Log in to Azure and select the right subscription
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Subscription Name"

# Upload the HUB image VHD
$RGName = "Resource Group Name"
$urlOfUploadedImageVhd = ""   # destination blob URL for the uploaded VHD
Add-AzureRmVhd -ResourceGroupName $RGName -Destination $urlOfUploadedImageVhd -LocalFilePath "C:\Source\imagename.vhd"

# Create VM using the image
$Cred = Get-Credential        # don't forget: the password needs to be complex
$vmName = "Name of VM"
$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name "Storage Account Name"
$OSDiskName = "$vmName-C-01"
$nicname = "Nic01-$vmName-Prod"
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd"            # name & path of the new VHD
$URIofuploadedImage = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "image-container/image.vhd"    # location of the template VHD
$Location = "Azure location"

$Vnet = Get-AzureRmVirtualNetwork -Name "Virtual Network Name" -ResourceGroupName $RGName
$SubnetProduction = Get-AzureRmVirtualNetworkSubnetConfig -Name "Sub-1" -VirtualNetwork $Vnet
$Nic = New-AzureRmNetworkInterface -ResourceGroupName $RGName -Name $nicname -Subnet $SubnetProduction -Location $Location

# Define VM configuration
$VMConfig = New-AzureRmVMConfig -VMName $vmName -VMSize "Standard_DS2" |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $Cred -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzureRmVMOSDisk -Name $OSDiskName -VhdUri $OSDiskUri -CreateOption FromImage -SourceImageUri $URIofuploadedImage -Windows |
    Add-AzureRmVMNetworkInterface -Id $Nic.Id -Primary

# Create the VM with the HUB license type
New-AzureRmVM -ResourceGroupName $RGName -Location $Location -LicenseType "Windows_Server" -VM $VMConfig

# Check the license type of the new VM
Get-AzureRmVM -ResourceGroupName $RGName -Name $vmName | Format-Table -AutoSize Name, LicenseType, Location, ProvisioningState
