Sunday, May 10, 2020

Custom Domain for Azure Active Directory


What is Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps employees sign in and access resources in:

  • External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Custom Domain for Users

Every user in Azure Active Directory has a username, and that username must include a domain name. Using our own domain name is more memorable and better for branding than using the generic domain name Azure creates. To use it, our domain name must be registered in Azure AD. If we don't own a domain name to register, we can keep using the generic domain name Azure AD creates.

Azure creates an initial domain such as nootus.onmicrosoft.com (nootus is the name of your directory). To add a custom domain, the domain name has to be verified in Azure: we must prove that we own it. An administrator can add more than one custom domain to an Azure Active Directory.

Adding Custom Domain

We can associate a domain name we own with Azure AD so that our users are identified by our organization's domain. Here are the steps to register a domain name in Azure AD.

·         Go to Azure Active Directory and choose Custom domain names

·         Click Add custom domain, enter the domain name you own, and click Add domain

·         This opens the verification page, which shows the DNS record to create at our domain registrar

·         Copy the record details to set up at our domain registrar

·         Now head over to the domain registrar. In my case my domain is registered with GoDaddy

·         Create the TXT record in the registrar's DNS management, as shown above

·         Once the TXT record is created at our registrar, let's return to Azure and click Verify

·         Azure AD verifies ownership of the domain name and adds it to the directory

·         We can make this domain our primary domain name

·         Now we can see our custom domain name in the Azure AD domain names list


With these steps, we can add our own domain name to Azure Active Directory. After adding the custom domain, we can add users in this domain to the directory. Please see my other blog on adding users to Active Directory.

Sunday, March 29, 2020

Creating Azure Active Directory



Identity and Access Management as a service (IDaaS)

Azure Active Directory is an Identity and Access Management as a Service (IDaaS) solution that extends your on-premises directories into the cloud. It provides single sign-on to Azure, Office 365 and thousands of cloud (SaaS) apps, as well as access to web apps you run on-premises.
Built for ease of use, Azure Active Directory enables enterprise mobility and collaboration and delivers advanced identity protection through multi-factor authentication (MFA), security reports, audits, alerts and adaptive conditional access policies based on device health, user location and risk level.

Creating Azure Active Directory

Here are the step-by-step screenshots on creating Azure Active Directory:
1.       First go to Create a resource and search for Active Directory

2.       Choose the Azure Active Directory resource

3.       Click the Create button on the next page

4.       Provide the necessary details

5.       The directory is created

Deleting Azure Active Directory

1.       Go to the Azure Active Directory pane

2.       Choose the Delete directory option

3.       Verify that all the deletion checks pass. If any fail, go to the corresponding required action.

4.       Grant the permissions needed to delete the directory

5.       Finally, click Delete to delete the directory




Thursday, March 12, 2020

AZ-304: Microsoft Azure Architect Design Objective Domain


The objective domain is the set of skills, knowledge and abilities that are measured by the certification program.

Below is the objective domain for AZ-304:
  1. Design Monitoring (10-15%)
  2. Design Identity and Security (25-30%)
  3. Design Data Storage (15-20%)
  4. Design Business Continuity (10-15%)
  5. Design Infrastructure (25-30%)

Here are the exam skills measured and the candidate profile from the Microsoft certification site:

Audience Profile

Candidates for this exam are Azure Solution Architects who advise stakeholders and translate business requirements into secure, scalable, and reliable solutions.
Candidates should have advanced experience and knowledge of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platform, budgeting, and governance. This role requires managing how decisions in each area affect an overall solution.
Candidates must have expert-level skills in Azure administration and have experience with Azure development processes and DevOps processes.

Skills Measured

1.      Design Monitoring (10-15%)

1.1.   Design for cost optimization
·         recommend a solution for cost management and cost reporting
·         recommend solutions to minimize costs
1.2.   Design a solution for logging and monitoring
·         determine levels and storage locations for logs
·         plan for integration with monitoring tools including Azure Monitor and Azure Sentinel
·         recommend appropriate monitoring tool(s) for a solution
·         choose a mechanism for event routing and escalation
·         recommend a logging solution for compliance requirements
·         NOT: resource-specific monitoring. This objective should ONLY cover the all-up holistic monitoring strategy

2.      Design Identity and Security (25-30%)

2.1.   Design authentication
·         recommend a solution for single sign-on
·         recommend a solution for authentication
·         recommend a solution for Conditional Access, including multi-factor authentication
·         recommend a solution for network access authentication
·         recommend a solution for a hybrid identity including Azure AD Connect and Azure AD Connect Health
·         recommend a solution for user self-service
·         recommend and implement a solution for B2B integration
·         NOT: federation with ADFS
2.2.   Design authorization
·         choose an authorization approach
·         recommend a hierarchical structure that includes management groups, subscriptions and resource groups
·         recommend an access management solution including RBAC policies, access reviews, role assignments, physical access, Privileged Identity Management (PIM), Azure AD Identity Protection, Just In Time (JIT) access
2.3.   Design governance
·         recommend a strategy for tagging
·         recommend a solution for using Azure Policy
·         recommend a solution for using Azure Blueprint
2.4.   Design security for applications
·         recommend a solution that includes KeyVault
o    what can be stored in KeyVault
o    KeyVault operations
o    KeyVault regions
·         recommend a solution that includes Azure AD Managed Identities
·         recommend a solution for integrating applications into Azure AD

3.      Design Data Storage (15-20%)

3.1.   Design a solution for databases
·         select an appropriate data platform based on requirements
·         recommend database service tier sizing
·         recommend a solution for database scalability
·         recommend a solution for encrypting data at rest, data in transmission, and data in use
·         NOT: data caching
·         NOT: MariaDB, PostgreSQL, MySQL
3.2.   Design data integration
·         recommend a data flow to meet business requirements
·         recommend a solution for data integration, including Azure Data Factory, Azure Databricks, Azure Data Lake, Azure Synapse Analytics
3.3.   Select an appropriate storage account
·         choose between storage tiers
·         recommend a storage access solution
·         recommend storage management tools

4.      Design Business Continuity (10-15%)

4.1.   Design a solution for backup and recovery
·         recommend a recovery solution for Azure hybrid and on-premises workloads that meets recovery objectives (RTO, RLO, RPO)
·         design an Azure Site Recovery solution
o    recommend a site recovery replication policy
o    recommend a solution for site recovery capacity
o    recommend a solution for site failover and failback (planned/unplanned)
o    recommend a solution for the site recovery network
·         recommend a solution for recovery in different regions
·         recommend a solution for Azure Backup management
·         design a solution for data archiving and retention
o    recommend storage types and methodology for data archiving
o    identify business compliance requirements for data archiving
o    identify requirements for data archiving
o    identify SLA(s) for data archiving
o    recommend a data retention policy
4.2.   Design for high availability
·         recommend a solution for application and workload redundancy, including compute, database, and storage
·         recommend a solution for autoscaling
·         identify resources that require high availability
·         identify storage types for high availability
·         recommend a solution for georedundancy of workload

5.      Design Infrastructure (25-30%)

5.1.   Design a compute solution
·         recommend a solution for compute provisioning
·         determine appropriate compute technologies, including virtual machines, App Services, Service Fabric, Azure Functions, Windows Virtual Desktop, and containers
·         recommend a solution for containers
o    AKS versus ACI and the configuration of each one
·         recommend a solution for automating compute management
·         NOT: monitoring, backups, recovery, availability, security, storage; VMware
5.2.   Design a network solution
·         recommend a solution for network addressing and name resolution
·         recommend a solution for network provisioning
·         recommend a solution for network security
o    private endpoints
o    firewalls
o    gateways
o    etc.
·         recommend a solution for network connectivity to the Internet, on-premises networks, and other Azure virtual networks
·         recommend a solution for automating network management
·         recommend a solution for load balancing and traffic routing
5.3.   Design an application architecture
·         recommend a microservices architecture including Event Grid, Event Hubs, Service Bus, Storage Queues, Logic Apps, Azure Functions, and webhooks
·         recommend an orchestration solution for deployment of applications including ARM templates, Logic Apps, or Azure Functions
o    select an automation method
o    choose which resources or lifecycle steps will be automated
o    design integration with other sources such as an ITSM solution
o    recommend a solution for monitoring automation
·         recommend a solution for API integration
o    design an API gateway strategy
o    determine policies for internal and external consumption of APIs
o    recommend a hosting structure for API management
o    recommend when and how to use API Keys
5.4.   Design migrations
·         assess and interpret on-premises servers, data, and applications for migration
·         recommend a solution for migrating applications and VMs
·         recommend a solution for migration of databases
o    determine migration scope, including redundant, related, trivial, and outdated data


Thursday, September 27, 2018

ASP.NET Core and Angular Ignore TimeZone – Part 1 of 2


Date and time handling is always hard, especially when it spans time zones. Once your application goes global, time zone related issues become inevitable. This gets harder with single-page application technology, because now the date has to stay in sync between the JavaScript running in the browser and the server.

Have you faced an issue where you lose a day, or gain a day, compared with what the user entered in your Angular application? Chances are that your server is in one time zone and your user is in a different one. The user enters a date or picks it with a calendar control (for example, an expiration date). Because of the time zone difference, the date may change by the time it reaches the server. For example, a user in India picks 27-09-2018 at 9:00 AM; the server in California receives this as 26-09-2018 at 8:30 PM. If you only keep the date part, your date will be one day less (the 26th instead of the 27th) because of this time zone conversion.

Below are the two solutions for this problem:
  1. Ignore time zone globally when sending data between browser and server
  2. A more elegant solution is to ignore time zone only for specific date controls or properties

In this blog, I will cover the first solution and in my next blog I will go over the second solution.

Ignore time zone globally
In most applications we only need the date, not the time of day. In these applications, ignoring the time zone is the best approach. As you know, Angular and ASP.NET by default convert a date from one time zone to another, and this is true even if you are only sending a date.

The best fix for this problem is to drop the time zone while exchanging data between ASP.NET and Angular. Unfortunately, there is no out-of-the-box option to do this, but the solution is very easy. When data is exchanged between ASP.NET and Angular it is serialized to JSON, and we can tap into that serialization and force the date conversion to ignore the time zone.

ASP.NET Core by default uses Json.NET to serialize the data. In Json serialization configuration, we can specify the date serialization to remove time zone. For this, we need to pass the Date format as shown below:

// In Startup.ConfigureServices (ASP.NET Core 2.x, where MVC serializes with Json.NET)
// requires: using Newtonsoft.Json;
services.AddMvc()
    .AddJsonOptions(options =>
    {
        // Serialize DateTime values as local wall-clock time
        options.SerializerSettings.DateTimeZoneHandling = DateTimeZoneHandling.Local;
        options.SerializerSettings.DateFormatHandling = DateFormatHandling.IsoDateFormat;
        // No 'Z' or offset in the output, so the browser cannot shift the value
        options.SerializerSettings.DateFormatString = "yyyy-MM-ddTHH:mm:ss";
    });
In Angular we also need to override the JSON serialization. Angular internally uses JSON.stringify to serialize the object, which under the hood calls Date.prototype.toISOString (through toJSON). We can override toISOString to produce the same format we used in ASP.NET.


  // Override the method JSON.stringify uses for Date values so the browser
  // sends local wall-clock time without the trailing "Z" (UTC) designator
  Date.prototype.toISOString = function() {
      return this.getFullYear() + "-" + (this.getMonth() + 1).toString().padStart(2, "0") // getMonth() is 0-based
          + "-" + this.getDate().toString().padStart(2, "0") + "T"
          + this.getHours().toString().padStart(2, "0") + ":"
          + this.getMinutes().toString().padStart(2, "0") + ":"
          + this.getSeconds().toString().padStart(2, "0");
  };
By using date formats without a time zone on both the ASP.NET and Angular sides, the time zone is ignored and the application no longer loses a day when sending data back and forth.
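As an added example (not code from the original post), the same zone-free exchange in plain JavaScript: a replacer-based alternative to patching Date.prototype, the reverse parse, and a check for the "lost day" case from the post. The function names and the sample date are constructed for this example.

```javascript
// Added example, not code from the original post: a replacer-based alternative
// to patching Date.prototype, plus the reverse parse and a check for the
// "lost day" case. Constructed sample input: the post's 27 Sep 2018 09:00.

// Format a Date with the local clock and no zone designator, matching the
// DateFormatString "yyyy-MM-ddTHH:mm:ss" configured on the ASP.NET Core side.
function toLocalIsoString(d) {
  const pad = (n) => String(n).padStart(2, "0");
  return d.getFullYear() + "-" + pad(d.getMonth() + 1) + "-" + pad(d.getDate()) +
    "T" + pad(d.getHours()) + ":" + pad(d.getMinutes()) + ":" + pad(d.getSeconds());
}

// Parse the zone-free string back into a local Date. Reading the fields
// explicitly avoids depending on how `new Date(string)` treats a missing offset.
function fromLocalIsoString(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})$/.exec(s);
  if (!m) throw new Error("expected yyyy-MM-ddTHH:mm:ss, got " + s);
  const [y, mo, d, h, mi, se] = m.slice(1).map(Number);
  return new Date(y, mo - 1, d, h, mi, se); // month is 0-based here
}

// Serialize like Angular's HttpClient (JSON.stringify) but format Date values
// with the local formatter. Inside the replacer, `value` is already the UTC
// string produced by Date.prototype.toJSON, so read the original from this[key].
function stringifyLocal(obj) {
  return JSON.stringify(obj, function (key, value) {
    const raw = this[key];
    return raw instanceof Date ? toLocalIsoString(raw) : value;
  });
}

// True when the default UTC serialization would carry a different calendar day
// than the one the user picked (the India -> California case in the post).
function losesDayOverWire(d) {
  return d.toISOString().slice(0, 10) !== toLocalIsoString(d).slice(0, 10);
}

// Constructed sample: the post's example, 27 Sep 2018 09:00 local time.
const picked = new Date(2018, 8, 27, 9, 0, 0);
console.log(JSON.stringify({ expires: picked }));  // UTC instant; the day depends on the zone
console.log(stringifyLocal({ expires: picked }));   // {"expires":"2018-09-27T09:00:00"}
console.log("would lose the day by default:", losesDayOverWire(picked));
```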