Wednesday, March 2, 2022

VMware vExpert 2022

I am very honored to be named a VMware vExpert again... and yeah, it was announced on Feb 17, 2022; however, at that time I somehow missed that email ;)

I would like to congratulate all those who made the vExpert 2022 list.

The VMware vExpert directory is available here: https://vexpert.vmware.com/directory

And my vExpert profile can be found here.

Thank you, VMware... :)


Sunday, March 28, 2021

AWS Single Sign-on and Azure AD Application Certificate rotation

In this quick post I would discuss the process and steps involved in rotating the expiring Azure AD application certificate configured for AWS SSO login.

This is applicable where your AWS account's SSO is configured with Azure Active Directory (SAML federation through an IAM identity provider) and the SAML signing certificate of the associated enterprise application is about to expire or has already expired. It is the certificate, not the application's client secret, that has to be rotated: AWS validates the signature on every SAML assertion against the certificate embedded in the identity provider's metadata, so once Azure AD signs with a new key, AWS must be given the new metadata or every federated login fails. If you use the AWS SSO service itself (now IAM Identity Center), its identity-source certificate lives in that service's own settings; the steps below cover the IAM identity provider case.

Before you start, make sure you have the appropriate AWS IAM and Azure AD permissions, or involve the teams that have the required access to create an application certificate (in Azure AD) and replace the identity provider metadata in AWS.

First, log in to AWS and take a backup of the metadata currently in use:

  1. Log in to AWS => Go to IAM => From the Dashboard or the IAM menu, click Identity providers
  2. Click the Azure AD provider => In the Metadata document section, download the current metadata file for backup purposes
Now log in to Azure:

  1. Go to Azure Active Directory => Select Enterprise applications from the left menu
  2. In the Enterprise applications section, select the AWS application used for SSO
  3. On the AWS application screen, go to Single sign-on => SAML Signing Certificate and click Edit
  4. On the SAML Signing Certificate page, create a new certificate, save it and mark it as Active, then close the window
  5. Still on the SAML Signing Certificate page, verify the expiry date of the new certificate and download the Federation Metadata XML
  6. Go to the AWS IAM Identity providers section, as in the steps above
  7. In the Metadata document section, this time click Replace metadata; in the pop-up window type replace and click Replace. If you didn't download the current metadata file earlier, do that first, so that you can revert in case of any issue
  8. Browse to the Federation Metadata XML file downloaded after the Azure AD application certificate rotation, select it and click Open
  9. It takes a few seconds and you are done.
  10. Test your AWS Single Sign-on URL; you can also run the test from the Azure application's SAML-based single sign-on page.
Note: If you use an Azure AD (federated) account to replace the AWS identity provider metadata, make sure you are logged in to AWS before marking the newly created Azure application certificate active. Once the new certificate is active, Azure AD signs assertions with a key AWS does not yet trust, and federated logins fail until the metadata is replaced. Also, don't refresh the AWS console page until you have replaced the metadata.
To avoid this dependency altogether, make the change with a non-federated break-glass identity such as an IAM user with MFA; the root account works too, but keep its use to a minimum ;)
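The console procedure above, as an added PowerShell example that is not part of the original post: it pulls the signing certificate out of the downloaded Federation Metadata XML, refuses an expired or unchanged certificate, backs up the metadata the IAM identity provider currently holds, and replaces it with the AWS CLI. The file path, the provider name "AzureAD" and the use of an IAM user credential (rather than a federated login) are assumptions.

```powershell
# Added example (not from the original post): rotate the Azure AD SAML signing
# certificate on an IAM identity provider. Assumes AWS CLI v2 is installed and a
# non-federated credential (e.g. an IAM user with MFA) is the active AWS profile.
# The default path and provider name below are assumptions; adjust for your setup.
param(
    [string]$NewMetadataPath = '.\FederationMetadata.xml',   # assumed download location
    [string]$ProviderName    = 'AzureAD',                     # assumed IAM identity provider name
    [string]$BackupPath      = ".\aws-saml-metadata-backup-$(Get-Date -Format yyyyMMdd-HHmmss).xml"
)

function Get-SamlSigningCert {
    # Returns the X509 certificates listed under IDPSSODescriptor/KeyDescriptor of a SAML metadata document.
    param([xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $nodes = $Metadata.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor//ds:X509Certificate', $ns)
    foreach ($n in $nodes) {
        $der = [Convert]::FromBase64String(($n.InnerText -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

# 1. Inspect the new certificate in the Azure AD Federation Metadata XML
$fullPath = (Resolve-Path -Path $NewMetadataPath).Path
[xml]$newMd = Get-Content -Raw -Path $fullPath
$newCerts = @(Get-SamlSigningCert $newMd | Sort-Object Thumbprint -Unique)
if ($newCerts.Count -eq 0) { throw "No signing certificate found in $fullPath" }
foreach ($c in $newCerts) {
    "New cert  thumbprint=$($c.Thumbprint) subject=$($c.Subject) notAfter=$($c.NotAfter.ToString('u'))"
    if ($c.NotAfter -lt (Get-Date)) {
        throw "Certificate $($c.Thumbprint) is already expired; activate the new certificate in Azure AD and download the metadata again"
    }
}

# 2. Locate the IAM SAML provider and back up the metadata AWS currently trusts
$providers = ((aws iam list-saml-providers --output json) -join "`n" | ConvertFrom-Json).SAMLProviderList
$provider  = $providers | Where-Object { $_.Arn -like "*:saml-provider/$ProviderName" }
if (-not $provider) { throw "No IAM SAML provider named '$ProviderName' (found: $($providers.Arn -join ', '))" }
$currentDoc = (aws iam get-saml-provider --saml-provider-arn $provider.Arn --query SAMLMetadataDocument --output text) -join "`n"
if ($LASTEXITCODE -ne 0) { throw 'aws iam get-saml-provider failed' }
Set-Content -Path $BackupPath -Value $currentDoc -Encoding UTF8
"Backed up current metadata to $BackupPath"
$oldCerts = @(Get-SamlSigningCert ([xml]$currentDoc))
foreach ($c in $oldCerts) { "Old cert  thumbprint=$($c.Thumbprint) notAfter=$($c.NotAfter.ToString('u'))" }

# 3. Refuse a no-op (same certificate) and replace the metadata
$newFp = ($newCerts.Thumbprint | Sort-Object) -join ','
$oldFp = ($oldCerts.Thumbprint | Sort-Object) -join ','
if ($newFp -eq $oldFp) {
    throw 'The new metadata carries the same signing certificate AWS already has; was the new certificate active in Azure AD when you downloaded it?'
}
aws iam update-saml-provider --saml-provider-arn $provider.Arn --saml-metadata-document "file://$fullPath"
if ($LASTEXITCODE -ne 0) {
    throw "Update failed; restore with: aws iam update-saml-provider --saml-provider-arn $($provider.Arn) --saml-metadata-document file://$BackupPath"
}
"Replaced metadata on $($provider.Arn); test the SSO URL before removing the old certificate in Azure AD."
```

Run it from a session that is authenticated with the break-glass credential, not through the federation you are about to change; the backup file it writes is exactly what you feed back to update-saml-provider if the test login fails.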


That's it, thanks :)



Friday, February 12, 2021

VMware vExpert 2021 Announced

I am very honored to be named a VMware vExpert again; this is my 7th. Congratulations to all those who made the vExpert 2021 list.

The VMware vExpert directory is available here: https://vexpert.vmware.com/directory

And my vExpert profile can be found here.

Thank you, VMware... :)


Wednesday, January 27, 2021

How to add your custom domain name in Azure Active Directory

In this post I would discuss the use of a custom domain name in Azure AD and how to add one.

Before going into that, let's first talk about what an Azure tenant is. It's a dedicated and trusted instance of Azure AD that's automatically created when you or your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.

Now, what is Azure AD? It is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access:
  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Every new Azure AD tenant comes with an initial domain name of the form <domain-name>.onmicrosoft.com. You can't change or delete this initial domain name, but you can add a custom domain that reflects your organization's name. Adding custom domain names lets you create user names that are familiar to your users, such as abc@vCloudClass.com, where vCloudClass.com is a custom domain.

Please note that only a Global Administrator (or, in newer tenants, a Domain Name Administrator) can manage domains in Azure AD.

The Global Administrator role is automatically assigned to whoever created the Azure AD tenant. Global Administrators can perform all administrative functions in Azure AD and in any service that federates to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global Administrators, but only Global Administrators can assign administrator roles (including other Global Administrators) to users.

Now I assume that you have already registered a domain name with a domain registrar such as GoDaddy, and that you are logged in to your Azure account as a Global Administrator.

The process of adding a custom domain consists of these three tasks:

1. Add your custom domain name to Azure AD
Log in to the Azure Portal with an account that has the Global Administrator role => Azure Active Directory => Custom domain names => Add custom domain => enter the domain => once the unverified domain is added, click it and note down the TXT record (name, value and TTL) Azure AD shows you.

2. Add your DNS information to the domain registrar
Go back to your domain registrar and create a new TXT record for your domain using the DNS information you noted. Set the time to live (TTL) to 3600 seconds (60 minutes), then save the record.
Note: You can register as many domain names as you want; however, each domain gets its own TXT record from Azure AD.

3. Verify your custom domain name
Back on the Custom domain names page, select the domain and click Verify. Azure AD looks up the TXT record and, if it matches, marks the domain as verified.
Note: DNS records must propagate before Azure AD can verify the domain. This process can take an hour or more.

After you've verified your custom domain name, you can make it your primary domain.
The primary domain is the default domain name suggested when you create a new user. Setting a primary domain name streamlines the process of creating new users in your Azure AD tenant.

You can make your domain primary by completing the following steps:
  1. Sign in to the Azure Portal with an account that's a Global Administrator for the organization.
  2. Select Azure Active Directory => Custom domain names => select the domain that you want to be the primary domain => select the Make primary command and confirm.
You can change the primary domain name for your organization to any verified custom domain that isn't federated. Changing the primary domain for your organization won't change the user name of any existing users.
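The same three tasks plus the make-primary step, driven through Microsoft Graph from PowerShell, as an added example that is not part of the original post. It checks public DNS for the TXT record before asking Azure AD to verify, so you are not told "record not found" for a record that simply hasn't propagated yet. It assumes the Microsoft.Graph.Authentication module, the Resolve-DnsName cmdlet (DnsClient module, Windows), and the post's example domain vcloudclass.com; all three are assumptions.

```powershell
# Added example (not from the original post): add, verify and make primary a custom
# domain via Microsoft Graph. Assumes Microsoft.Graph.Authentication is installed and
# Resolve-DnsName is available (Windows). The domain name is an assumption.
$Domain = 'vcloudclass.com'
$graph  = 'https://graph.microsoft.com/v1.0'

# Sign in as Global Administrator / Domain Name Administrator; Domain.ReadWrite.All covers all steps below
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

function Get-OrAddDomain {
    # Task 1: returns the domain object, adding it (unverified) if the tenant does not have it yet.
    param([string]$Name)
    try   { return Invoke-MgGraphRequest -Method GET  -Uri "$graph/domains/$Name" }
    catch { return Invoke-MgGraphRequest -Method POST -Uri "$graph/domains" -Body @{ id = $Name } }
}

function Get-VerificationTxt {
    # Task 2 input: the TXT record Azure AD expects at the registrar (this is what the portal shows you).
    param([string]$Name)
    $recs = (Invoke-MgGraphRequest -Method GET -Uri "$graph/domains/$Name/verificationDnsRecords").value
    return $recs | Where-Object { $_.recordType -eq 'Txt' } | Select-Object -First 1
}

function Test-TxtPublished {
    # Queries DNS directly (bypassing the local cache) and checks that the expected value is present.
    param([string]$Name, [string]$Expected)
    $answers = Resolve-DnsName -Name $Name -Type TXT -DnsOnly -ErrorAction SilentlyContinue
    return [bool]($answers | ForEach-Object { $_.Strings } | Where-Object { $_ -eq $Expected })
}

$dom = Get-OrAddDomain -Name $Domain
if (-not $dom.isVerified) {
    $txt = Get-VerificationTxt -Name $Domain
    "Create at your registrar: TXT  name=$($txt.label)  value=$($txt.text)  ttl=$($txt.ttl)"
    if (-not (Test-TxtPublished -Name $Domain -Expected $txt.text)) {
        "TXT record not visible in public DNS yet; wait for propagation (can take an hour or more) and re-run."
        return
    }
    # Task 3: ask Azure AD to verify; this still fails if Microsoft's resolvers do not see the record yet
    $dom = Invoke-MgGraphRequest -Method POST -Uri "$graph/domains/$Domain/verify"
}
"Domain $Domain verified: $($dom.isVerified)"

# Make the verified, non-federated domain primary; existing user names are left unchanged
if ($dom.isVerified -and $dom.authenticationType -eq 'Managed' -and -not $dom.isDefault) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/domains/$Domain" -Body @{ isDefault = $true } | Out-Null
    "Domain $Domain is now the primary (default) domain."
}
```

The script is safe to re-run: an already-added domain is fetched rather than re-created, an already-verified domain skips straight to the primary check, and a federated domain is never made primary.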



Saturday, January 23, 2021

How to Re-deploy an Azure VM from Portal/PowerShell or Azure CLI

In some circumstances, as part of troubleshooting a connectivity-related issue or an agent/extension status issue, you may suspect the underlying host on which the VM is running; that is when the VM redeploy option is used. A VM redeploy is simply the process of moving your VM to a different physical host.

When you redeploy a VM, Azure shuts down the VM, moves it to a new host within the Azure infrastructure, and then powers it back on, retaining all your configuration options and associated resources.

If you come from a VMware background this might surprise you, as there you can simply vMotion a running VM from one ESXi host to another; here, redeploy, with the shutdown it involves, is the only option.

The Azure redeploy operation does not change any settings or configuration of the affected VM. However, you lose the data on the temporary disk, and a dynamically allocated IP address may change. To avoid the IP change, set the private IP allocation to Static in the NIC's IP configuration before you redeploy.

You can redeploy a VM directly from the VM blade in the Azure portal, or with PowerShell or the Azure CLI.

Azure Portal:
  1. Go to the affected VM
  2. On the VM blade, look for the Redeploy option under Support & Troubleshooting
  3. Redeploy the VM using that option

PowerShell: Use the following to redeploy a VM.
# First connect to your Azure account
Connect-AzAccount

# Get the list of subscriptions available in your Azure account
Get-AzSubscription

# Set the desired subscription as the current context
Select-AzSubscription -Subscription "Subscription name"

# Read the required values so that this script is reusable
$rgName = Read-Host "Enter the resource group name where this VM resides"
$vmName = Read-Host "Enter the VM name"

# Redeploy the VM (note the hyphen on -ResourceGroupName and the -Redeploy switch)
Set-AzVM -Name $vmName -ResourceGroupName $rgName -Redeploy

Azure CLI: First connect to your account and set the respective subscription as default.
# First connect to your Azure account
az login
# List the subscriptions in your Azure account
az account list --output table
# Set your subscription as default for this session
az account set --subscription "Name of your subscription"
# Redeploy the VM (the flags are --name/-n and --resource-group/-g)
az vm redeploy --name "name of the VM" --resource-group "resource group name"
During the redeploy operation the status of the VM changes to Updating as the VM prepares to redeploy, and then to Starting as the VM boots up on a new Azure host.
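The redeploy procedure above with the IP caveat handled, as an added PowerShell example that is not part of the original post: it pins every Dynamic private IP configuration on the VM's NICs to Static (keeping the address already assigned), redeploys, waits for the VM to report running on its new host, and then confirms the addresses did not change. It assumes the Az.Compute and Az.Network modules and an existing Connect-AzAccount / Select-AzSubscription session; the resource group and VM names are assumptions.

```powershell
# Added example (not from the original post): pin private IPs, redeploy, verify.
# Assumes Az.Compute/Az.Network are installed and you are already signed in with
# Connect-AzAccount and have selected the subscription. Names are assumptions.
$rgName = 'rg-demo'
$vmName = 'vm-demo'

function Get-VmNics {
    # Resolves the VM's NIC references into full NIC objects.
    param([string]$ResourceGroupName, [string]$Name)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    foreach ($ref in $vm.NetworkProfile.NetworkInterfaces) {
        Get-AzNetworkInterface -ResourceId $ref.Id
    }
}

function Get-PrivateIpMap {
    # Returns a "nic/ipconfig" -> private address map for comparison before and after the move.
    param($Nics)
    $map = @{}
    foreach ($nic in $Nics) {
        foreach ($cfg in $nic.IpConfigurations) { $map["$($nic.Name)/$($cfg.Name)"] = $cfg.PrivateIpAddress }
    }
    return $map
}

function Get-VmPowerState {
    # Reads the PowerState/* status code of the VM instance view, e.g. "running".
    param([string]$ResourceGroupName, [string]$Name)
    $st = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Status).Statuses |
          Where-Object { $_.Code -like 'PowerState/*' }
    return ($st.Code -replace '^PowerState/', '')
}

# 1. Flip Dynamic private IP configurations to Static so the current address survives the redeploy
$nics = @(Get-VmNics -ResourceGroupName $rgName -Name $vmName)
foreach ($nic in $nics) {
    $changed = $false
    foreach ($cfg in $nic.IpConfigurations) {
        if ($cfg.PrivateIpAllocationMethod -eq 'Dynamic') {
            $cfg.PrivateIpAllocationMethod = 'Static'   # PrivateIpAddress keeps its current value
            $changed = $true
        }
    }
    if ($changed) { $nic | Set-AzNetworkInterface | Out-Null; "Pinned private IP(s) on NIC $($nic.Name)" }
}
$before = Get-PrivateIpMap -Nics (Get-VmNics -ResourceGroupName $rgName -Name $vmName)
$before.GetEnumerator() | Sort-Object Key | ForEach-Object { "before  $($_.Key) = $($_.Value)" }

# 2. Redeploy: Azure stops the VM, places it on another host and starts it again (temp disk contents are lost)
Set-AzVM -ResourceGroupName $rgName -Name $vmName -Redeploy | Out-Null

# 3. Wait until the VM reports running on its new host
do {
    Start-Sleep -Seconds 15
    $state = Get-VmPowerState -ResourceGroupName $rgName -Name $vmName
    "power state: $state"
} until ($state -eq 'running')

# 4. Verify the private addresses are unchanged after the move
$after = Get-PrivateIpMap -Nics (Get-VmNics -ResourceGroupName $rgName -Name $vmName)
foreach ($key in $before.Keys) {
    if ($after[$key] -ne $before[$key]) { Write-Warning "$key changed: $($before[$key]) -> $($after[$key])" }
}
"Redeploy of $vmName complete; private IP check done."
```

Public IP addresses are intentionally left alone here: report their allocation method with Get-AzPublicIpAddress and decide separately whether a Static public IP (and its cost) is warranted for the workload.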


That's it...Thanks :)