MS Cloud Foundation

Architecture Foundation


Company / Organization: becke.ch 

Scope: 0.0 {language={en}; document-type={ott}; organization={becke.ch}; interest={business}; domain={architecture}; level={foundation}; technology={ms-cloud,azure,office-365,dynamics-365}}

Version: 1.3.0

File-name: becke-ch--ms-cloud--s0-v1--foundation.odt

Author: ms-cloud--s0-v1@becke.ch  

Copyright © 2019 becke.ch – All rights reserved

 

Document Version History

Version | Date | Author | Description
1.0.0 | 05.2017 | Raoul Becke | Initial version
1.1.0 | 10.08.2017 | Raoul Becke | Additional chapters: “Login PowerShell“, “Login & Select Subscription”, Data Factory. Extended the list of IMPORTANT CHANGES that need to be considered to guarantee a smooth deployment
1.2.0 | 04.09.2018 | Raoul Becke | Changes according to requirements, see table below, version 1.2.0
1.3.0 | 24.08.2019 | Raoul Becke | Changes according to requirements, see table below, version 1.3.0

 

 

Work-Product Version History

Version | Date | Author | Requirements | Components Changed
1.0.0 | 05.2017 | Raoul Becke | MS Cloud Overview | Document
1.1.0 | 10.08.2017 | Raoul Becke | Add documentation on: Deployment, PowerShell, Data Factory | Document
1.2.0 | 04.09.2018 | Raoul Becke | Update copyright year; Basics chapter: added information on CaaS; new chapter "Command Line Interface: Azure CLI"; new appendix chapters "My Visual Studio: Developer License (MSDN): Activate Azure Benefit on Alternate Account", "Azure Data Factory – V2: ETL: Extract, Transform & Load: SSIS", "Azure Container Instance (ACI)" and "Azure Cloud Services" | Document
1.3.0 | 24.08.2019 | Raoul Becke | Moved entire appendix into a separate document, see [38]; entirely reworked chapter "XaaS: IaaS, CaaS, PaaS, SaaS"; updated information on CaaS; updated information on VPN or ExpressRoute, SaaS>PaaS>CaaS>IaaS, DevOps; updated information on Power BI; added information on management group and hierarchy; updated information on subscription handling, pros and cons | Document


Table of Contents

1. Introduction

2. Basics

2.1. XaaS: IaaS, CaaS, PaaS, SaaS

2.2. Migration

2.3. Microsoft Cloud Offerings & Hierarchy

2.3.1. Microsoft Cloud Offerings: Microsoft SaaS Services, Microsoft Azure PaaS & CaaS & IaaS

2.3.1.1. Microsoft SaaS Services

2.3.1.2. Microsoft Azure SaaS, PaaS, CaaS & IaaS

2.3.1.3. Notes

2.3.2. Microsoft Cloud Hierarchy: Organization, Subscription, License, User Account

2.3.2.1. Azure

2.3.2.1.1. Best Practice

2.3.2.1.2. Naming Convention

2.3.2.2. Notes

2.3.3. Processes

2.3.3.1. Sign-up

3. Security

3.1. Identity Management & Authentication

3.1.1. Login PowerShell

3.2. Access Management & Authorization

3.2.1. Group Management

3.2.1.1. Create Group

3.2.2. Database

3.2.2.1. Azure Active Directory Admin

3.2.3. Notes

4. Operations

4.1. Scripting: Azure & PowerShell

4.2. Command Line Interface: Azure CLI

4.3. Configuration & Deployment

4.3.1. Azure

4.3.1.1. Deployment Models

4.3.1.2. Deploy resources with Resource Manager templates and Azure PowerShell

4.3.1.2.1. Login & Select Subscription

4.3.1.2.2. Automation Scripts & Deployment History

4.3.1.3. Resource Manager and PowerShell

4.3.1.4. Policies

4.3.2. Deployment

4.4. Logging, Monitoring, Alerting

5. Integration

5.1. ETL – Extract Transform Load

6. Landscape

7. References and glossary

7.1. References

7.2. Glossary (terms, abbreviations, acronyms)

A. Appendix

A.1. My Visual Studio: Developer License (MSDN): Activate Azure Benefit on Alternate Account

A.1.1. Error: Oops: It appears that you have already used your MSDN benefit for a Microsoft Azure Subscription

Illustration Index

Illustration 1: Microsoft SaaS Services

Illustration 2: Microsoft Azure PaaS

Illustration 3: Microsoft Azure IaaS

Illustration 4: Integration of MS Cloud Offerings with Azure AD

Illustration 5: MS Cloud Hierarchy (ERD)

Illustration 6: MS Cloud Hierarchy (Directed Relations)

Illustration 7: Azure Scaffold

Illustration 8: Functional Pattern

Illustration 9: Business Unit Pattern

Illustration 10: Geographic Pattern

Illustration 11: Functional, Geographic, Business Unit Pattern (for organizations that have no enterprise agreement)

Illustration 12: Contoso Corporation: Subscriptions, Licenses and User Accounts

Illustration 13: Contoso Corporation: Azure Enterprise Hierarchy

Illustration 14: Azure Resource-Group Deployment History

Illustration 15: Azure Resource-Group Deployment – Automation Script

Illustration 16: Azure Resource-Group Deployment – Automation Script - Error

Index of Tables

Table 1: XaaS: IaaS, CaaS, PaaS, SaaS

Table 2: References

Table 3: Glossary

 

1. Introduction

This document gives an overview of the MS cloud offerings with a focus on MS Azure. It is a summary of many different Microsoft Cloud articles spread over the Internet.

 

2. Basics

2.1. XaaS: IaaS, CaaS, PaaS, SaaS

In the MS Cloud most XaaS services, where X stands for Infrastructure, Container, Platform or Software, are available in datacenters all over the globe (see [2]). The user can build an application on top of these services and run it in the datacenter(s) closest to the end users, or in the datacenter(s) that fulfil the legal requirements (e.g. data residency) of the corresponding country.

 

Table 1 shows, per service model, which layers of the stack are managed by the customer (C) and which by the provider (P). The boundary moves upwards from On-Premises to PaaS; the layers above the boundary are the ones the customer still has to secure and patch.

Layer | On-Premises | IaaS | CaaS | PaaS
Application | C | C | C | C
Data | C | C | C | C
Run-Time | C | C | C | P
Middleware | C | C | C | P
O/S | C | C | P | P
Virtualization | C | P | P | P
Server (HW&SW) | C | P | P | P
Storage (HW&SW) | C | P | P | P
Network (HW&SW) | C | P | P | P

Table 1: XaaS: IaaS, CaaS, PaaS, SaaS

 

2.2. Migration

Some aspects and drivers that should be considered when moving to the cloud are:

 

2.3. Microsoft Cloud Offerings & Hierarchy

Microsoft Cloud Offerings – see [6]: Microsoft provides a hierarchy of organizations, subscriptions, licenses, and user accounts for consistent use of identities and billing across its cloud offerings.

Enterprise Agreement – see [7]: The Microsoft Enterprise Agreement offers the best value to organizations with 500* or more users or devices that want a manageable volume licensing program that gives them the flexibility to buy cloud services and software licenses under one agreement.

2.3.1. Microsoft Cloud Offerings: Microsoft SaaS Services, Microsoft Azure PaaS & CaaS & IaaS

Microsoft provides the following cloud offerings:

Microsoft SaaS Services

 

Microsoft Azure PaaS

 

Microsoft Azure IaaS

 

Microsoft Azure CaaS

MS Azure offers two kinds of container solutions: managed and non-managed. Managed container solutions, e.g. AKS (Azure Kubernetes Service) or ACI (Azure Container Instances), are PaaS: Microsoft manages the container platform software and its patches, the user only performs some configuration and can focus on building and deploying the application image. Non-managed container solutions, e.g. ACS (Azure Container Service, deprecated in 2018), are IaaS and the user has to manage the infrastructure, the container software and the patches. If the additional flexibility (and overhead) of non-managed containers is not required, managed container solutions should be preferred. A big advantage of containers is that the image is self-contained and the application is therefore easily portable between hosts and cloud providers (IaaS VM images are portable too, but are usually tied to a hypervisor image format). The flip side is that the image also contains its own O/S packages, run-time and middleware: whatever is inside the image is patched by the user and not by Microsoft, even on a managed service.

 

2.3.1.1. Microsoft SaaS Services

Looking at the XaaS definition given initially and at the customization and development capabilities some Microsoft SaaS services offer (for example Microsoft Dynamics 365), they rather qualify as (enterprise) PaaS services than as SaaS; but as already mentioned, the classification is not always crystal clear.

Microsoft Office 365 (see [8]): There are three different MS Office offerings: “Office Home & Business”, “Office 365 Business” and “Office 365 Business Premium”. They differ in pricing and in the number of applications and services they include. In total Office 365 offers the following (end-user) applications and (shared) services:

 

Microsoft Dynamics 365 (see [11]): Dynamics 365 offers different licenses with different functionalities:

For detailed feature and license information see [17] (Dynamics CRM Online Licensing and Pricing guide). And to make sure that all aspects are covered it is recommended to consult with your Microsoft Dynamics Certified Partner or your Microsoft account team!

 

Microsoft Power BI (see https://docs.microsoft.com/en-us/power-bi/guided-learning): Power BI is a reporting service that provides data import (offline data integration) as well as a wide range of connectors for different data sources, as the basis for data modeling and dashboard visualizations. Access to the data within a report can be restricted using RLS (Row Level Security): DAX (Data Analysis Expressions) filter rules per table, grouped into roles, which are assigned to single Azure Active Directory (AAD) users, AAD security groups or distribution lists. Access to workspaces and published reports can be restricted to AAD users, AAD security groups, Office 365 groups and distribution lists. Note that RLS only filters report viewers; users who have edit rights on the dataset (workspace admins, members and contributors) are not filtered by it, so workspace membership has to be kept as small as the RLS rules assume.

 

Azure DevOps (formerly known as Visual Studio Team Services) (see …): Azure DevOps is Microsoft’s cloud offering for CI (Continuous Integration) and CD (Continuous Delivery). Azure DevOps builds on Git, a distributed version control system, and integrates with different artifact repositories: ....

2.3.1.2. Microsoft Azure SaaS, PaaS, CaaS & IaaS

Microsoft Azure (see [9]): Microsoft Azure provides a continuously growing list of products – see [10]. Unfortunately there is no official mapping of Azure services to the XaaS classification, but as a rule of thumb, based on chapter 2.1: if you have to take care of the O/S, or if the Azure service is directly related to (or sits directly on top of) storage and network, it is IaaS; if you build your application or service from scratch and deploy it to a run-time of the cloud provider, the corresponding Azure service classifies as PaaS; and if you start with a running, production-ready application or service, with or without the possibility to customize it, the offering is SaaS. Everything that is (Docker) container related is CaaS, but as already mentioned above (Microsoft Azure CaaS) the managed container services (ACI, AKS, etc.) classify as PaaS, whereas non-managed containers classify as IaaS. From a security point of view the classification also tells you where your patching responsibility ends: in IaaS you patch the O/S, in CaaS you patch what is inside the image, in PaaS and SaaS Microsoft patches the run-time.

SaaS:

PaaS:

CaaS:

IaaS:

2.3.1.3. Notes

Microsoft Office 365: Some further important aspects to consider:

Microsoft Dynamics 365: Some further important aspects to consider:

 

2.3.2. Microsoft Cloud Hierarchy: Organization, Subscription, License, User Account

Microsoft Cloud Hierarchy - see [6]: The Microsoft cloud offerings can be mapped into the following hierarchy of organizations, subscriptions, licenses, and user accounts

 

 

Illustration 4: Integration of MS Cloud Offerings with Azure AD

 

The logical class diagram below gives a high-level overview of the MS Cloud Hierarchy including all relevant objects and relations. It also includes objects and relations from the chapters further below.

 

Illustration 5: MS Cloud Hierarchy (ERD)

 

The same diagram again, but instead of showing the association ends in crow's foot notation it shows the direction of the relations:


Illustration 6: MS Cloud Hierarchy (Directed Relations)

 

2.3.2.1. Azure

Azure has some additional hierarchy elements that do not exist in the other MS Cloud Offerings.

Enterprise Agreement (see [7]) / Enterprise Portal (see [21]): An Enterprise Agreement (EA) is a Microsoft volume licensing agreement that provides for licensing of software and services through a single agreement. It contractually binds a company for a 36-month term and requires it to “true-up” its licenses each year. The EA is designed for companies with 250+ seats (changed to 500+ in July 2016, see [7]) that want to standardize on Microsoft products, have the rights to the most current version of the software, and only want to account for additional seats once a year.
Via the Enterprise Agreement Microsoft also gives customers access to the Azure Enterprise Portal, a resource for customers managing multiple accounts or subscriptions. The following hierarchy elements (enrollment, department, account, subscription) can be managed in the enterprise portal:

Management Group (GA mid 2018): Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and governance conditions, i.e. policies and RBAC (Role Based Access Control) role assignments, can be applied to these management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give enterprise-grade management at large scale regardless of the type of subscriptions the user has. Because an assignment on the root management group reaches every subscription of the tenant, the right to write assignments there has to be restricted as strictly as the Global Administrator role itself.

Azure Resource Manager (see [21]): Azure Resource Manager is the deployment and management service for Azure. Azure Resource Manager enables you to work with the resources (virtual machine, storage account, virtual network, web app, etc.) in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a template for deployment and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.
See [https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-model]: Azure originally provided only the classic deployment model. In this model, each resource existed independently; there was no way to group related resources together. Instead, you had to manually track which resources made up your solution or application, and remember to manage them in a coordinated approach. In 2014, Azure introduced Resource Manager, which added the concept of a resource group. A resource group is a container for resources that share a common lifecycle. To simplify the deployment and management of resources, Microsoft recommends that you use Resource Manager for all new resources. If possible, Microsoft recommends that you redeploy existing resources through Resource Manager. Only Azure Cloud Services (classic) does not support the Resource Manager deployment model; I therefore recommend not to use it but Azure App Services instead, otherwise the complexity of deployment and management increases significantly when mixing two deployment models. Microsoft's recommendations for working with Resource Manager are:

    a. Define and deploy your infrastructure through the declarative syntax in Resource Manager templates, rather than through imperative commands.

    b. Define all deployment and configuration steps in the template. You should have no manual steps for setting up your solution.

    c. Run imperative commands to manage your resources, such as to start or stop an app or machine.

    d. Arrange resources with the same lifecycle in a resource group. Use tags for all other organizing of resources.

2.3.2.1.1. Best Practice

Azure enterprise scaffold - prescriptive subscription governance (see [23]): The following image describes the components of the scaffold. The foundation relies on a solid plan for departments, accounts, and subscriptions. The pillars consist of Resource Manager policies and strong naming standards. The rest of the scaffold comes from core Azure capabilities and features that enable a secure and manageable environment:

 

Illustration 7: Azure Scaffold

 

Azure Enrollment Patterns: Based on the hierarchy diagrams shown in the previous chapter, Microsoft suggests three common patterns for Azure Enrollments

The functional pattern

The business unit pattern

The geographic pattern

 

Illustration 8: Functional Pattern

Illustration 9: Business Unit Pattern

Illustration 10: Geographic Pattern

 

 

But two important hierarchy levels are missing in these three patterns: the management group (GA mid 2018) above the subscription and the resource group (introduced with the Resource Manager deployment model in 2014) below it. These additional layers especially support organizations that have no Enterprise Agreement and therefore no possibility to group their subscriptions on enterprise, department and account level. The resource group is predestined to group the resources that belong to one application or solution; see the pros and cons below.

Management Group & Resource Group “Pattern”: Applying management groups and resource groups to a functional, geographic or business unit pattern (for organizations that have no enterprise agreement) the result could look as follows:

 

 

 

Illustration 11: Functional, Geographic, Business Unit Pattern (for organizations that have no enterprise agreement)

 

Pros and Cons of having applications respective solutions grouped on resource group level (and not on subscription level):

Recommendation: Resource Group per Application: Based on the arguments listed above the recommendation is to use one resource group per application and to use separate subscriptions only where a separation on billing level has to be enforced, where subscription limits have to be overcome and/or where different Azure AD tenants (and therefore a different identity and access management) are required for different applications (groups). The resource group is then also the natural RBAC boundary for an application team: assign the team's roles on its resource group, not on the subscription, and let organization-wide policies and platform-team roles come down from the management group.
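The following is an added example (it is not part of the original document and not Microsoft code) that models the inheritance described under "Management Group" and in the recommendation above: role and policy assignments made on a management group, subscription or resource group apply to every scope below it. The scope identifier format mirrors the one Azure uses; the management groups (corp, platform), the subscription (sub-prod), the resource groups (app1, app2), the principals and the policy names are all constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/sub-prod"  # constructed subscription name (Azure uses a GUID)

# Azure does not encode the management group in a subscription's resource ID, so the
# parent of every scope is modelled explicitly here (None = root of this model).
PARENT: Dict[str, Optional[str]] = {
    MG + "corp": None,
    MG + "platform": MG + "corp",
    SUB: MG + "platform",
    SUB + "/resourceGroups/app1": SUB,
    SUB + "/resourceGroups/app2": SUB,
}

# Constructed role assignments as (scope, principal, role) and policy assignments
# as (scope, policy name); in Azure these live in Azure RBAC and Azure Policy.
ROLE_ASSIGNMENTS: List[Tuple[str, str, str]] = [
    (MG + "corp", "sec-ops", "Reader"),                          # audit view over everything
    (MG + "platform", "cloud-platform-team", "Contributor"),     # platform team runs all subs below
    (SUB + "/resourceGroups/app1", "app1-devs", "Contributor"),  # app team: its own RG only
]
POLICY_ASSIGNMENTS: List[Tuple[str, str]] = [
    (MG + "corp", "deny-public-ip"),
    (SUB, "require-tag-costcenter"),
]


def scope_chain(scope: str) -> List[str]:
    """The scope itself followed by all its ancestors, nearest first."""
    chain: List[str] = []
    current: Optional[str] = scope
    while current is not None:
        if current not in PARENT:
            raise KeyError(f"unknown scope {current!r}")
        chain.append(current)
        current = PARENT[current]
    return chain


def effective_roles(scope: str, principal: str) -> Set[str]:
    """Roles a principal holds at `scope`: the union of assignments along the scope chain."""
    chain = set(scope_chain(scope))
    return {role for s, p, role in ROLE_ASSIGNMENTS if p == principal and s in chain}


def effective_policies(scope: str) -> Set[str]:
    """Policies in force at `scope`; a policy assigned above cannot be switched off below."""
    chain = set(scope_chain(scope))
    return {policy for s, policy in POLICY_ASSIGNMENTS if s in chain}


def principals_with_role(scope: str, role: str) -> Set[str]:
    """Everyone who ends up holding `role` at `scope`, including inherited assignments."""
    chain = set(scope_chain(scope))
    return {p for s, p, r in ROLE_ASSIGNMENTS if r == role and s in chain}


if __name__ == "__main__":
    app1 = SUB + "/resourceGroups/app1"
    print(sorted(effective_roles(app1, "app1-devs")))         # ['Contributor']
    print(sorted(effective_roles(SUB, "app1-devs")))          # [] (no rights at subscription level)
    print(sorted(effective_policies(app1)))                   # ['deny-public-ip', 'require-tag-costcenter']
    print(sorted(principals_with_role(app1, "Contributor")))  # ['app1-devs', 'cloud-platform-team']
```

The last query is the one worth running regularly in a real tenant (for example with `az role assignment list --scope ... --include-inherited`): the people who can change an application's resource group are not only those assigned on the resource group, but everyone with a write role anywhere up the chain.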

Azure Best Practices Example: Contoso Corporation: Subscriptions, Licenses and User Accounts: See [28]:

Illustration 12: Contoso Corporation: Subscriptions, Licenses and User Accounts

Illustration 13: Contoso Corporation: Azure Enterprise Hierarchy


2.3.2.1.2. Naming Convention

Before defining a naming-convention the following should be considered:

Element/Application/Solution characteristics and definition – see ...:

Element/Application/Solution: Structure (Interface), Behavior: Every element (application, solution, artifact, module, component, work-product, etc.) is declared and defined through its structure and behavior. The structure consists of an external and an internal part. The external part is called the interface and is exposed externally for interaction whereas the internal part can only be accessed internally.

Element: Composition: Atomic Element: Elements are normally composed of other elements and the way they are composed determines their structure and behavior. Some elements are contained in respective internal part of the composition and accordingly deployed together with the composed element while other elements are located outside respective external to the composition, can be shared between different instances, copies and potentially different compositions and are not necessarily deployed together with the composition. Furthermore some elements are exclusively dedicated for this composition while others can be reused in other compositions. Elements that are exclusively dedicated for this composition have the same life-cycle as the composed element whereas elements reused in other compositions have an own life-cycle driven by the compositions where they are used. The composition ends once we reach the atomic element level. Through composition new elements are created.

Scope and Version convention – see …:

While versioning is a well-known and established concept, it only covers the time dimension of the validity of an element/application/solution/work-product and is often not enough to differentiate similar, coexisting elements that have the same purpose and were therefore given the same name (identifier). Further dimensions, called scopes, are therefore required to describe the boundaries and validity of an element. These scopes enable the differentiation and comprehensive realization of concepts like multi-client capability (Mandantenfähigkeit), language support, etc.
Element boundaries are based on the elements they consist of (composition) and on the scope of the (group of) people creating and modifying the element. Structure and behavior determine whether other elements (composition) and/or people can use it or not. To differentiate elements with the same name, i.e. the same point of origin and purpose (also known as element branches), two identifiers (IDs) are used: the Version ID and the Scope ID. The version ID differentiates changes done by the same (group of) people over time, whereas the scope ID differentiates changes done by different (groups of) people (at the same time).

Element: Scope: The structure and behavior of an element have a certain scope they cover, i.e. boundaries they are restricted to, and this scope correlates to the “scope” of the group of people (their mindset and capabilities) specifying, designing and implementing the element. The people specifying the requirements say WHAT they want and the people designing and implementing the element decide HOW it is done. This (build-time) scope information should be assigned to the element to differentiate it from other elements that have the same name, i.e. the same point of origin and purpose, but were specified, designed and implemented by a different group of people. This scope information is then used at build time and at run time to determine whether it matches the scope of the related elements (composition) or of the user, and to act accordingly. In addition, the people specifying, designing and implementing the element, together with their function (business analyst, requirements engineer, architect, developer, etc.) and the time stamp of the last modification, could be assigned to the element as well. The time stamp of the last modification is required to retrieve the scope of the people at the time they specified, designed and implemented the element. This function-holder information cannot replace the scope information because the scope of the function holders is normally larger and only a part of it is realized in the element during specification, design and implementation.

Based on the azure best practices naming-conventions in [29] I’ve done some modifications and extensions that can be found below.

Domain Name: Most resources have a (dynamic) IP address and a corresponding DNS entry through which they can be reached. Therefore all names should follow the DNS naming convention – see https://tools.ietf.org/html/rfc1034: a label consists of letters, digits and hyphens, must not start or end with a hyphen and is at most 63 characters long; names are case-insensitive, so lower-case should be used consistently. Some Azure resource types are stricter than DNS (e.g. storage account names allow only 3 to 24 lower-case letters and digits), so the convention below needs a per-resource-type derivation for those.

Hyphen “-” and double hyphen “--”: Besides the dot “.”, which has a special meaning, the only character that can be used to separate words is the hyphen “-”. In order to be able to copy an artifact/resource to a different location and/or naming system without conflicts (collisions), the company/organization name plus all (relevant) parts of the FQN should be prepended or appended to the artifact name. This adds redundancy (duplication) to the final FQN but enables the element to be copied to other directories and/or naming systems without naming collisions. To be able to prepend or append the FQN nodes, the path delimiters are replaced by a double word delimiter, i.e. the double hyphen “--”. Consequently a single name component must never contain “--” itself, otherwise the name can no longer be split back into its components unambiguously.

Multi Entity Capability / scope: Based on the multi-entity capability (scope) description in [39]: “the structure and behavior of an element have a certain scope they cover, i.e. boundaries they are restricted to, and this scope correlates to the ‘scope’ of the group of people (their mindset) specifying, designing and implementing the element. This scope information should be assigned to the element to differentiate it from other ‘identical’ elements, i.e. elements serving the same purpose but that were specified, designed and implemented by a different group of people. This scope information is then used during run-time to determine whether it matches the scope of the user and to be able to act accordingly.” Therefore this scope information should be part of the element name, to differentiate it from other “identical” elements, i.e. elements with the same name that serve the same purpose but were specified, designed and implemented by a different group of people.

Versioning: During build-time (modification cycle) the structure, behavior and/or scope of an element (artifact) change. Therefore an element should have a version assigned to differentiate it from other coexisting elements that have the same point of origin and serve the same purpose but, due to changes, have a different structure, behavior and/or scope.

Composition: Normally an application is composed of several artifacts (elements).

The resulting resource name looks as follows: organizationName“--”applicationName“--s”majorScopeId“-v”majorVersionNumber[“--”useCase], e.g. becke-ch--ms-cloud--s0-v1--foundation (the file name of this document follows the same pattern).
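The following is an added example (not part of the original document) that implements the naming convention above: it builds a name from organization, application, scope, version and use case, checks it against the DNS label rules of RFC 1034/1035, splits a name back into its components, and derives the stricter storage account form. The DNS and storage account rules are facts; turning the dot in the organization name into a hyphen (becke.ch to becke-ch, as this document does itself) and rejecting components that contain “--” are design choices of this example.

```python
import re
from typing import Optional

# RFC 1034/1035 rules for one DNS label: letters, digits and hyphens only, no leading
# or trailing hyphen, at most 63 characters. Names are case-insensitive, so
# everything is lower-cased before it is checked.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_dns_label(label: str) -> bool:
    """True if `label` is a syntactically valid single DNS label."""
    return LABEL_RE.match(label) is not None


def _part(value: str, what: str) -> str:
    """Normalise one name component so that '--' stays the unique delimiter.

    Dots become single hyphens (the document writes becke.ch as becke-ch). A
    component that contains '--' or starts/ends with '-' would make the final
    name ambiguous to split again, so it is rejected.
    """
    v = value.strip().lower().replace(".", "-")
    if (not v or "--" in v or v[0] == "-" or v[-1] == "-"
            or re.fullmatch(r"[a-z0-9-]+", v) is None):
        raise ValueError(f"{what} {value!r}: only letters, digits and single hyphens are allowed")
    return v


def build_name(organization: str, application: str, scope: int, version: int,
               use_case: Optional[str] = None) -> str:
    """organizationName--applicationName--s<majorScopeId>-v<majorVersion>[--useCase]"""
    if int(scope) < 0 or int(version) < 0:
        raise ValueError("scope id and version must be non-negative integers")
    parts = [_part(organization, "organization"), _part(application, "application"),
             f"s{int(scope)}-v{int(version)}"]
    if use_case is not None:
        parts.append(_part(use_case, "use case"))
    name = "--".join(parts)
    if not is_dns_label(name):  # catches names longer than 63 characters
        raise ValueError(f"{name!r} (length {len(name)}) is not a valid DNS label")
    return name


def parse_name(name: str) -> dict:
    """Split a name built by build_name back into its components."""
    parts = name.lower().split("--")
    if len(parts) not in (3, 4):
        raise ValueError(f"{name!r} does not consist of 3 or 4 '--' separated parts")
    m = re.fullmatch(r"s(\d+)-v(\d+)", parts[2])
    if m is None:
        raise ValueError(f"{name!r}: third part must look like s<scope>-v<version>")
    return {
        "organization": parts[0],
        "application": parts[1],
        "scope": int(m.group(1)),
        "version": int(m.group(2)),
        "use_case": parts[3] if len(parts) == 4 else None,
    }


def storage_account_name(name: str) -> str:
    """Derive the name for a resource type that is stricter than DNS.

    Azure storage account names allow only 3 to 24 lower-case letters and digits.
    Dropping the hyphens keeps the components readable but loses the '--'
    delimiter, and a long name simply does not fit; the caller gets an error
    rather than a silently truncated (and collision-prone) name.
    """
    compact = name.lower().replace("-", "")
    if not 3 <= len(compact) <= 24 or not compact.isalnum():
        raise ValueError(f"{compact!r} does not fit the storage account rules (3-24 [a-z0-9])")
    return compact


if __name__ == "__main__":
    n = build_name("becke.ch", "ms-cloud", 0, 1, "foundation")
    print(n)                                                  # becke-ch--ms-cloud--s0-v1--foundation
    print(parse_name(n))
    print(storage_account_name(build_name("becke.ch", "ms-cloud", 0, 1)))  # beckechmsclouds0v1
```

Because the scope and version are embedded in the name, two deployments of the same application for different scopes or versions can coexist in one resource group (or DNS zone) without a collision, which is exactly what the convention is meant to guarantee.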

 

https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions

Based on the best practices in the previous chapter I suggest to include

 

2.3.2.2. Notes

Microsoft Cloud Administration & Portals: The different hierarchy elements for the different cloud offerings are administered using different web portals:

PaaS: Custom Domain Names: Limited: Only a few Azure PaaS components support custom domain names (as of Q2 2018: Azure Cloud Services, Azure Web Apps, Azure Blob Storage); note that in Azure the abbreviation CDN stands for Content Delivery Network, not for custom domain name. A custom domain also makes the TLS certificate for that domain your responsibility (provisioning and renewal), unless the service offers managed certificates.

2.3.3. Processes

2.3.3.1. Sign-up

 

Sign up for Azure as an organization: https://docs.microsoft.com/en-us/azure/active-directory/sign-up-organization

https://account.windowsazure.com/organization

 

 

3. Security

Microsoft Cloud Security: See [Microsoft Cloud Security for Enterprise Architects: https://go.microsoft.com/fwlink/p/?linkid=842070]: The security of the Microsoft cloud services is a partnership between the customer (C) and Microsoft (MS). The responsibility areas below are listed together with who owns them per service model, in the order SaaS / PaaS / IaaS / On-Premise; where the source gives no owner for an area, no values are listed.

Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization.

  • Develop cloud security policies: Document security policies, Balance security and usability, Document protocols and processes, Embrace “Shadow IT”.

  • Manage continuous threats: Establish operational capabilities (monitor, investigate & initiate), Build external context (threat intelligence feeds, Information Sharing and Analysis Centers (ISACs)), Validate your security posture (authorized red team, see white paper: Microsoft Enterprise Cloud Red Teaming: http://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf and/or penetration testing)

  • Manage continuous innovation: Define a monthly cadence, Prevent configuration drift with periodic reviews (stay in compliance with your policies and protocols)

  • Contain risk by assuming breach: Identifying your most critical assets, Enhancing isolation between security zones (increase rigor of exception management, apply threat modeling techniques to all authorized exceptions), Focus containment within a security zone (preserving integrity of the administrative model rather than on network isolation)

Responsibility (SaaS / PaaS / IaaS / On-Premise): C / C / C / C

Administrative control: Defend against the loss of control of your cloud services and on-premises systems.

  • Least privilege admin model: Limit the number of administrators or members of privileged groups, Delegate less privileges to accounts, Provide privileges on demand, Have existing administrators perform tasks, Provide processes for emergency access

  • Harden security dependencies: Security dependencies for cloud services commonly include identity systems

  • Use strong authentication: Use credentials secured by hardware, Multi-Factor Authentication (MFA), and conditional access for all identities with administrative privileges

  • Use dedicated admin accounts and workstations: Use dedicated accounts for privileged administrative roles, Use dedicated, hardened workstations for administration, Do not use high privilege accounts on devices where email and web browsing take place

  • Enforce stringent security standards: Rigorously measure and enforce stringent security standards on administrative accounts and systems

  • Monitor admin accounts: And configure alerts. See: What is conditional access in Azure Active Directory? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

  • Educate and empower admins

Data: Identify and protect your most important information assets: Establish information protection priorities, Protect High Value Assets (HVAs), Find and protect sensitive assets, Set organizational minimum standards

User identity and device security: Strengthen protection of accounts and devices:

  • Use Strong Authentication: Use credentials secured by hardware or Multi-Factor Authentication (MFA) for all identities.

  • Manage trusted and compliant devices: Apply configuration standards and rapidly install security updates. See Identity and device access configurations: https://docs.microsoft.com/en-gb/microsoft-365/enterprise/microsoft-365-policies-configurations

  • Educate, empower, and enlist users: Educate users on likely threats and their role in protecting business data, Increase adversary cost to compromise user accounts, Explore gamification

  • Monitor for account and credential abuse: detect anomalous activity of an account.

Responsibility (SaaS / PaaS / IaaS / On-Premise): C / C / C / C

Application security: Ensure application code is resilient to attacks:

  • Secure applications that you acquire: Review the security development processes and operational practices of vendors, follow security configuration guidance and recommendations provided by the vendor, apply all vendor security updates, discontinue your use of software before it reaches end of support status

  • Follow the Security Development Lifecycle (SDL)

Network: Ensure connectivity, isolation, and visibility into anomalous behavior:

Responsibility (SaaS / PaaS / IaaS / On-Premise): MS / C / C / C

Microsoft Security Certifications:

Microsoft Cloud Security for Enterprise Architects: https://go.microsoft.com/fwlink/p/?linkid=842070

What is an Azure AD directory? https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx

What is Azure Active Directory? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

Microsoft Cloud Identity for Enterprise Architects: https://technet.microsoft.com/library/dn919927.aspx#identity

https://go.microsoft.com/fwlink/p/?LinkId=524586

3.1. Identity Management & Authentication

Microsoft Cloud Identity & Azure Active Directory: See [Microsoft Cloud Identity for Enterprise Architects: https://technet.microsoft.com/library/dn919927.aspx#identity]: Integrating your identities with the Microsoft cloud provides access to a broad range of services and applications. Azure Active Directory (Azure AD) integration provides:

(*) - these features are only available in AAD Basic and Premium edition – furthermore only available in these editions: “Group-based access management and provisioning”, “Self-service password reset for cloud users”, “Company branding (logon pages, Access Panel customization)”, “Enterprise SLA of 99.9%”

(**) - these features are only available in AAD Premium edition – furthermore only available in this edition: “Self-service group and app management, self-service application additions, dynamic groups”, “Self-service password reset, change, unlock with on-premises write-back”, “MIM CAL + MIM Server”, “Automatic password rollover for group accounts”

User Account (see [14]): Microsoft Account (formerly Microsoft Live ID) versus Work / School Account: There are two types of accounts: a Microsoft account (formerly known as Microsoft Live ID), i.e. a consumer identity, and a work or school account, which is an account stored in Azure AD. Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD authenticate organizational users, and by creating a federation relationship in which Azure AD trusts the Microsoft account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate “guest” Microsoft accounts as well as “native” Azure AD accounts. But basically users can be added

Authentication: Azure Active Directory (AAD) versus Proprietary: All MS SaaS solutions support AAD-based authentication. Regarding PaaS we have to differentiate between Management Access and Data Access – see .… All Management Access is authenticated against AAD, whereas Data Access is often authenticated by a proprietary mechanism of the corresponding component itself (for example database logins), which means such credentials are managed and audited outside AAD.

Using Work or School Accounts Frequently Asked Questions (FAQ): https://msdn.microsoft.com/en-us/subscriptions/dn531048.aspx

Merge office365 and live accounts that use the same email address: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/5214614-merge-office365-and-live-accounts-that-use-the-sam

Work account vs Microsoft account: how to use them properly? OneNote: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_account/work-account-vs-microsoft-account-how-to-use-them/4508c511-6a6b-4d1d-bad2-1aab994d4a39

Add new users or users with Microsoft accounts to Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-create-users

Add users from other directories or partner companies in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-create-users-external

 

Compare B2B collaboration and B2C in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-compare-b2c

 

Making Office 365 Work with an External SAML Identity Provider: http://www.viewds.com/blog/making-office-365-work-with-an-external-saml-identity-provider.html

Use a SAML 2.0 identity provider to implement single sign-on: https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx

SP-Initiated SSO—POST-POST: https://documentation.pingidentity.com/pingfederate/pf80/index.shtml#gettingStartedGuide/task/spInitiatedSsoPost.html

 

Authorize access to web applications using OAuth 2.0 and Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

What is application access and single sign-on with Azure Active Directory? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis

Customizing claims issued in the SAML token for pre-integrated apps in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

Authentication Scenarios for Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios

Azure AD token reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

 

Microsoft Graph or the Azure AD Graph: https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph

Azure AD Graph API reference: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog#

 

3.1.1. Login PowerShell

Perform the following steps to login with PowerShell:

  1. Precondition: PowerShell is installed, see chapter 4.1.

  2. Sign in to the Azure portal: Login-AzureRmAccount

    a. Click “N” and do not allow to start data collection:

    b. Login: ms-cloud--s0-v1@beckech.onmicrosoft.com

    c. Password: E...

PS C:\Users\raoul-becke--s0-v1> Login-AzureRmAccount

WARNING: Microsoft Azure PowerShell collects data about how users use PowerShell cmdlets and some problems they encounter.  Microsoft uses this information to improve our PowerShell cmdlets.  Participation is voluntary and when you choose to participate your device automatically sends information to Microsoft about how you use Azure PowerShell.

If you choose to participate, you can stop at any time by using Azure PowerShell as follows:

1. Use the Disable-AzureDataCollection cmdlet to turn the feature Off. The cmdlet can be found in the AzureRM.Profile

module

To disable data collection: PS > Disable-AzureDataCollection

If you choose to not participate, you can enable at any time by using Azure PowerShell as follows:

1. Use the Enable-AzureDataCollection cmdlet to turn the feature On. The cmdlet can be found in the AzureRM.Profile

module

To enable data collection: PS > Enable-AzureDataCollection

Select Y to enable data collection [Y/N]:

WARNING: You choose not to participate in Microsoft Azure PowerShell data collection.

WARNING: The setting profile has been saved to the following path 'C:\Users\raoul-becke—s0-v1\AppData\Roaming\Windows Azure Powershell\AzureDataCollectionProfile.json'.

 

 

Environment           : AzureCloud

Account               : ms-cloud--s0-v1@beckech.onmicrosoft.com

TenantId              : af081cc6-...

SubscriptionId        : 35dc9a55...

SubscriptionName      : Pay-As-You-Go

CurrentStorageAccount :

 

  3. Do a quick check that everything is OK: View all the subscriptions for this account: Get-AzureRmSubscription

PS C:\Users\raoul-becke--s0-v1> Get-AzureRmSubscription

Name     : Pay-As-You-Go

Id       : 35dc9a55-...

TenantId : af081cc6-...

State    : Enabled

 

 

3.2. Access Management & Authorization

Subscription & Access Control (see [15]): Access control in Azure starts from a billing perspective:

Directory Users & Roles: As with subscription administrators, the Azure AD administrative roles can be either Microsoft accounts or work or school accounts. Azure AD administrative roles are also used by other services such as Office 365 and Microsoft Intune. Azure subscription admins can manage resources in Azure and can view the Active Directory extension in the Azure classic portal (because the Azure classic portal is an Azure resource). Directory admins can manage properties in the directory. Azure AD has a different set of administrative roles to manage the directory and identity-related features – see [19] (important roles are underlined or bold, deprecated or reserved roles are strike-through): “Billing Administrator”, “Compliance Administrator”, “Conditional Access Administrator”, “CRM Service Administrator”, “Device Administrators”, “Directory Readers”, “Directory Synchronization Accounts”, “Directory Writers”, “Exchange Service Administrator”, “Global Administrator / Company Administrator”, “Guest Inviter”, “Intune Service Administrator”, “Mailbox Administrator”, “Partner Tier 1 Support”, “Partner Tier 2 Support”, “Password Administrator / Helpdesk Administrator”, “Power BI Service Administrator”, “Privileged Role Administrator”, “Security Administrator”, “Security Reader”, “Service Support Administrator”, “SharePoint Service Administrator”, “Skype for Business / Lync Service Administrator”, “User Account Administrator”  .

 

Get started with Role-Based Access Control in the Azure portal: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

Built-in roles for Azure Role-Based Access Control: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

Create custom roles for Azure Role-Based Access Control: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

 

Add or change Azure administrator roles that manage the subscription or services: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

Transfer ownership of an Azure subscription to another account: https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer

About Office 365 admin roles: https://support.office.com/en-us/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d

Assign admin roles in Office 365: https://support.office.com/en-us/article/Assign-admin-roles-in-Office-365-EAC4D046-1AFD-4F1A-85FC-8219C79E1504?ui=en-US&rs=en-US&ad=US
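The following script is an added example and is not taken from this document or from Microsoft: it shows the least-privilege side of Role-Based Access Control described above, namely deriving a narrow custom role from a built-in one, assigning it to the DB admin security group at resource-group scope only, and listing the assignments for review. It assumes the AzureRM module is installed (chapter 4.1), that you are logged in and have selected a subscription (chapter 3.1.1); the resource group name and the custom role name are assumptions.

```powershell
# Added example, not part of the original document: a least-privilege custom role,
# assigned to the DB admin security group at resource-group scope, then audited.
# Assumptions: AzureRM is installed (chapter 4.1), you are logged in (chapter 3.1.1) and
# the subscription is selected; resource group and role name below are placeholders.
$resourceGroupName = "becke-ch--app--s0-v1"       # assumed resource group (see chapter 4.3.1.2.2)
$groupDisplayName  = "db-admin-group--s0-v1"      # security group from chapter 3.2.1.1
$subscriptionId    = (Get-AzureRmContext).Subscription.Id

# 1. Start from a built-in role and cut it down to the operations actually needed.
#    Id = $null makes New-AzureRmRoleDefinition create a new definition instead of updating one.
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
$role.Id          = $null
$role.Name        = "Virtual Machine Operator (s0-v1)"   # assumed custom role name
$role.Description = "Can monitor, start and restart virtual machines, nothing else."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
# Limit where the role may be assigned at all: this one resource group, not the subscription.
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName")
$customRole = New-AzureRmRoleDefinition -Role $role

# 2. Assign the role to the group rather than to individual users.
$group = Get-AzureRmADGroup -SearchString $groupDisplayName |
    Where-Object { $_.DisplayName -eq $groupDisplayName } | Select-Object -First 1
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $customRole.Name `
    -ResourceGroupName $resourceGroupName | Out-Null

# 3. Review who holds which role at this scope (worth running regularly, not only once).
Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The AssignableScopes entry is the part most often forgotten: it decides where the custom role can be assigned at all, so keeping it at the resource group prevents the role from later being handed out subscription-wide by mistake.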

 

3.2.1. Group Management

Groups in the MS Cloud: see [https://support.office.com/en-us/article/Compare-groups-758759ad-63ee-4ea9-90a3-39f941897b7d ]:

3.2.1.1. Create Group

We create a new security group (NOT office 365 group) containing the DB Administrators:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-manage-groups

One of the features of Azure Active Directory (Azure AD) user management is the ability to create groups of users. You use a group to perform management tasks such as assigning licenses or permissions to a number of users at once. You can also use groups to assign access permission to

Membership Type: “Assigned”

Dynamic memberships for groups require an Azure AD Premium license to be assigned to

Enable Office features? NO

https://mastersinmicrosoft.com/2017/02/group-based-licensing-now-in-preview-in-azure-ad/

Make sure you don’t select the “Enable Office features” when creating the group. In that case it’s not a security group and you won’t be able to select this group when setting the licenses.

 

http://www.techmikael.com/2017/02/all-you-never-wanted-to-know-about.html

The Azure AD Admin UI allows you to create the following:

 

And add the DB AD Admin User to this group.

 

3.2.3. Database

This chapter is related to the steps described in the chapter database in appendix document [38].

 

3.2.3.1. Azure Active Directory Admin

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins

Azure Active Directory admin: One Azure Active Directory account, either an individual or security group account, can also be configured as an administrator. It is optional to configure an Azure AD administrator, but an Azure AD administrator must be configured if you want to use Azure AD accounts to connect to SQL Database. For more information about configuring Azure Active Directory access, see Connecting to SQL Database or SQL Data Warehouse By Using Azure Active Directory Authentication (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication ) and SSMS support for Azure AD MFA with SQL Database and SQL Data Warehouse (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ssms-mfa-authentication ).

Precondition is that a corresponding group has already been created see chapter 3.2.1.1

  1. Open database server: becke-ch--app--s0-v1

  2. Select “Active Directory Admin”
     Azure Active Directory authentication allows you to centrally manage identity and access to your Azure SQL Database V12.
     https://go.microsoft.com/fwlink/?LinkID=616886

  3. Click “Set Admin”

  4. Select “db-admin-group--s0-v1”

  5. Click “Save”
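As an added example (not code from this document or from Microsoft), the following script performs the two procedures above from PowerShell: it creates the DB administrator security group of chapter 3.2.1.1 as a plain security group (no Office 365 features), adds the DB admin user, and then sets that group as Azure Active Directory admin of the SQL server of chapter 3.2.3.1. It assumes the AzureAD PowerShell module is installed (Install-Module AzureAD) in addition to AzureRM; the resource group of the SQL server and the user principal name are placeholders.

```powershell
# Added example, not part of the original document. Assumes the AzureAD module (for the
# group) and AzureRM.Sql (for the server admin) are installed and you are logged in to both.
$groupDisplayName = "db-admin-group--s0-v1"                   # group from chapter 3.2.1.1
$sqlServerName    = "becke-ch--app--s0-v1"                    # server from chapter 3.2.3.1
$resourceGroup    = "<resource-group-of-the-sql-server>"      # placeholder
$dbAdminUserUpn   = "<db-admin-user>@beckech.onmicrosoft.com" # placeholder

Connect-AzureAD | Out-Null   # interactive sign-in with the same work account as Login-AzureRmAccount

# MailEnabled=$false + SecurityEnabled=$true is a plain security group, i.e. the
# "Enable Office features? NO" choice: only such groups can be used for licensing and RBAC.
$group = Get-AzureADGroup -SearchString $groupDisplayName |
    Where-Object { $_.DisplayName -eq $groupDisplayName } | Select-Object -First 1
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupDisplayName -Description "Azure SQL DB administrators" `
        -MailEnabled $false -SecurityEnabled $true -MailNickName "db-admin-group--s0-v1"
}

# Add the DB admin user; skip the call if the membership already exists (the cmdlet errors otherwise).
$user    = Get-AzureADUser -ObjectId $dbAdminUserUpn
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if (-not ($members | Where-Object { $_.ObjectId -eq $user.ObjectId })) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# Make the group, not a single person, the Azure AD admin of the SQL server, so that
# admin access follows group membership and no shared SQL login is needed.
Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroup `
    -ServerName $sqlServerName -DisplayName $group.DisplayName -ObjectId $group.ObjectId | Out-Null

# Verify the assignment.
Get-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroup -ServerName $sqlServerName
```

Passing -ObjectId alongside -DisplayName avoids ambiguity when several directory objects share a display name; the verification call at the end should print the group's display name and object id.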

 

 

 

3.2.4. Notes

Microsoft Account (Microsoft Live ID) versus Work / School Account:

 

4. Operations

 

4.1. Scripting: Azure & PowerShell

 

https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.0.0

Recommended Precondition: Windows Management Framework 5.1: e.g. for Windows 7 64-bit select “Win7AndW2K8R2-KB3191566-x64.zip”, extract it and run “Win7-KB3191566-x86.msu”, enter the admin password for the installation, click yes, accept the license agreement and reboot when the installation has finished.

Alternatively install: PackageManagement PowerShell Modules Preview - March 2016: for 64-bit select “PackageManagement_x64.msi”; you then get the error message “Package Management requires Microsoft .NET Framework 4.5 or new, and Windows PowerShell 3.0 or 4.0 ...”, and therefore I suggest upgrading to WMF 5.1!

 

 
  1. Start: Windows PowerShell.

Windows PowerShell

Copyright (C) 2016 Microsoft Corporation. All rights reserved.

 

  2. Check that PowerShellGet is available and has the correct version (should be the case when you followed the preconditions listed above):

PS C:\Users\raoul-becke--s0-v1> Get-Module PowerShellGet -list | Select-Object Name,Version,Path

Name          Version Path

----          ------- ----

PowerShellGet 1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1

 

  3. Install Azure PowerShell

PS C:\Users\raoul-becke--s0-v1> Install-Module AzureRM

Install-Module : Zur Installation von Modulen in "C:\Program Files\WindowsPowerShell\Modules" sind Administratorrechte

erforderlich. Melden Sie sich unter einem Konto mit Administratorrechten beim Computer an, wiederholen Sie den

Vorgang, oder installieren Sie "C:\Users\raoul-becke--s0-v1\Documents\WindowsPowerShell\Modules", indem Sie Ihrem

Befehl "-Scope CurrentUser" hinzufügen. Sie können auch versuchen, die Windows PowerShell-Sitzung mit erhöhten Rechten

(Als Administrator) auszuführen.

At line:1 char:1

+ Install-Module AzureRM

+ ~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidArgument: (:) [Install-Module], ArgumentException

+ FullyQualifiedErrorId : InstallModuleNeedsCurrentUserScopeParameterForNonAdminUser,Install-Module

 

  4. Right-click on the “Windows PowerShell” program, run it as administrator and install the Azure PowerShell module:

    a. Click “Y” to install the “NuGet-Provider”

    b. Click “Y” to trust the repository that PowerShellGet reports as untrusted (PSGallery)

PS C:\Windows\system32> Install-Module AzureRM

Der NuGet-Anbieter ist erforderlich, um den Vorgang fortzusetzen.

PowerShellGet erfordert die NuGet-Anbieterversion 2.8.5.201 oder höher für die Interaktion mit NuGet-basierten Repositorys. Der NuGet-Anbieter muss in "C:\Program Files\PackageManagement\ProviderAssemblies" oder

"C:\Users\admin--s0-v1\AppData\Local\PackageManagement\ProviderAssemblies" verfügbar sein. Sie können den

NuGet-Anbieter auch durch Ausführen von 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force' installieren. Möchten Sie den NuGet-Anbieter jetzt durch PowerShellGet installieren und importieren lassen?

[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

Nicht vertrauenswürdiges Repository

Sie installieren die Module aus einem nicht vertrauenswürdigen Repository. Wenn Sie diesem Repository vertrauen, ändern  Sie dessen InstallationPolicy-Wert, indem Sie das Set-PSRepository-Cmdlet ausführen. Möchten Sie die Module von 'PSGallery' wirklich installieren?

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

WARNING: Source Location 'https://www.powershellgallery.com/api/v2/package/Azure.Storage/3.2.1' is not valid.

PackageManagement\Install-Package : Package 'Azure.Storage' failed to download.

At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21

+ ...          $null = PackageManagement\Install-Package @PSBoundParameters

+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : ResourceUnavailable: (C:\Users\admin-...e.Storage.nupkg:String) [Install-Package], Excep

   tion

    + FullyQualifiedErrorId : PackageFailedInstallOrDownload,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPac

   kage

 

  5. If an error occurs during installation, then this is (in my case) probably due to network connection issues (or maybe firewall issues).

ATTENTION: Be prepared that, through a lot of dependent packages around 600 MB (unzipped) are going to be installed (in C:\Program Files\WindowsPowerShell\Modules) and therefore make sure you’ve a stable network connection and enough disk space!

 

  6. (As regular user) Load the AzureRM module

PS C:\Users\raoul-becke--s0-v1> Import-Module AzureRM

Import-Module : File C:\Program Files\WindowsPowerShell\Modules\AzureRM\4.2.1\AzureRM.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at

http://go.microsoft.com/fwlink/?LinkID=135170.

At line:1 char:1

+ Import-Module AzureRM

+ ~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException

    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand

 

  7. (As regular user) Set the execution policy as described here: https://stackoverflow.com/questions/4037939/powershell-says-execution-of-scripts-is-disabled-on-this-system

    a. Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

    b. Click “Y” (you can undo this change later by calling “Set-ExecutionPolicy Restricted”)

PS C:\Users\raoul-becke--s0-v1> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Execution Policy Change

The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose

you to the security risks described in the about_Execution_Policies help topic at

http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
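Steps 4 and 7 above accept a repository that PowerShellGet flags as untrusted and then relax the execution policy so the downloaded module scripts may run. The following function is an added example (not from this document or from Microsoft) of the check a practitioner would want in between: it lists the repository trust setting and verifies that the installed AzureRM module manifests and script modules carry a valid Authenticode signature, which is exactly what RemoteSigned relies on for downloaded files. It assumes AzureRM was installed as in step 4; the module name pattern is a parameter.

```powershell
# Added example, not part of the original document: verify what Install-Module pulled in
# from the PSGallery before trusting it. Assumes the AzureRM modules are installed.
function Test-ModuleSignature {
    param([string]$ModuleName = "AzureRM*")   # wildcard covers the AzureRM.* sub-modules too
    $modules = Get-Module -Name $ModuleName -ListAvailable
    if (-not $modules) { throw "No module matching '$ModuleName' is installed." }
    foreach ($m in $modules) {
        # The manifest (.psd1) and the script module (.psm1) are what Import-Module executes.
        $files = Get-ChildItem -Path $m.ModuleBase -Include *.psd1, *.psm1 -Recurse
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Module  = $m.Name
                Version = $m.Version
                File    = $f.Name
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
            }
        }
    }
}

# Where did the modules come from, and is that source marked trusted?
Get-PSRepository | Select-Object Name, InstallationPolicy, SourceLocation

# Only files that are NOT validly signed are listed; an empty table is the expected result.
Test-ModuleSignature | Where-Object { $_.Status -ne "Valid" } | Format-Table -AutoSize

# Effective policy per scope, to confirm step 7 changed only the CurrentUser scope.
Get-ExecutionPolicy -List
```

A HashMismatch status means a signed file was modified after signing and should not be imported; NotSigned files would not load under RemoteSigned if they carry a download marker, so they deserve a look before the policy is relaxed any further.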

 

4.2. Command Line Interface: Azure CLI

https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest

The Azure CLI 2.0 is Microsoft's cross-platform command line experience for managing Azure resources.

Azure CLI 2.0 is optimized for managing and administering Azure resources from the command line, and for building automation scripts that work against the Azure Resource Manager.

Use the Cloud Shell to run the CLI in your browser, or install it on macOS, Linux, or Windows.

  1. Download the MSI Installer: https://aka.ms/installazurecliwindows

  2. Double-click on the installer file: “azure-cli-2.0.33.msi” (21 MB)

  3. Click on the button “Execute” to confirm the installation

  4. Accept the License Agreement and click “Install”.

  5. Log in as administrator to continue with the installation.

 

Log in with Azure CLI 2.0: The recommended approach is to use service principals, which are permissions-restricted accounts. None of your private credential information is stored locally. Instead, an authentication token is generated by Azure and stored. After logging in, your login token is valid until it goes for 14 days without being used. At that point, you need to re-authenticate.

  1. Run the login command: az login --tenant af081cc6-...

C:\Users\raoul-becke--s0-v1>az login --tenant af081cc6-…

To sign in, use a web browser to open the page https://microsoft.com/devicelogin

 and enter the code CXH... to authenticate.

  2. Use a web browser to open the page https://microsoft.com/devicelogin and enter the code CXH... to authenticate

  3. Log in with your account credentials in the browser: enter e-mail and password, and finally close the browser:

  4. The resulting command prompt should then look similar to the following (sensitive information removed with ...):

C:\Users\raoul-becke--s0-v1>az login --tenant af081cc6-...

To sign in, use a web browser to open the page https://microsoft.com/devicelogin

 and enter the code CXH... to authenticate.

[

  {

    "cloudName": "AzureCloud",

    "id": "35dc9a55-...",

    "isDefault": true,

    "name": "Pay-As-You-Go",

    "state": "Enabled",

    "tenantId": "af081cc6-...",

    "user": {

      "name": "ms-cloud--s0-v1@beckech.onmicrosoft.com",

      "type": "user"

    }

  },

  {

    "cloudName": "AzureCloud",

    "id": "b15f2881-...",

    "isDefault": false,

    "name": "MSDN Platforms",

    "state": "Enabled",

    "tenantId": "af081cc6-...",

    "user": {

      "name": "ms-cloud--s0-v1@beckech.onmicrosoft.com",

      "type": "user"

    }

  }

]

  5. (Optional) The issue with multiple subscriptions is that most CLI commands run against the default subscription, which might not be the appropriate one. Therefore, in case of errors or before executing the CLI commands, set the default subscription: az account set --subscription <subscription-name-or-subscription-id>

C:\Users\raoul-becke--s0-v1>az account set --subscription "MSDN Platforms"

C:\Users\raoul-becke--s0-v1>az account list --output table

Name            CloudName    SubscriptionId                        State    IsDefault

--------------  -----------  ------------------------------------  -------  -----------

Pay-As-You-Go   AzureCloud   35dc9a55-b0fe-439b-9487-4c648c901613  Enabled  False

MSDN Platforms  AzureCloud   b15f2881-d58b-419f-920c-e86c21caa5d5  Enabled  True

 

  6. And last but not least, at the end of the CLI journey log out again using the username provided during log-in:
     az logout --username ms-cloud--s0-v1@beckech.onmicrosoft.com

 

4.3. Configuration & Deployment

The configuration and deployment is different for each MS Cloud Offering.

4.3.1. Azure

4.3.1.1. Deployment Models

Azure Deployment Models (see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-model): The Resource Manager and classic deployment models represent two different ways of deploying and managing your Azure solutions. You work with them through two different API sets, and the deployed resources can contain important differences. The two models are not completely compatible with each other.

Classic Deployment Model: Azure originally provided only the classic deployment model. In this model, each resource existed independently; there was no way to group related resources together. Instead, you had to manually track which resources made up your solution or application, and remember to manage them in a coordinated approach. To deploy a solution, you had to either create each resource individually through the classic portal or create a script that deployed all the resources in the correct order. To delete a solution, you had to delete each resource individually. You could not easily apply and update access control policies for related resources. Finally, you could not apply tags to resources to label them with terms that help you monitor your resources and manage billing. The remainder of this chapter focuses only on the Resource Manager Deployment Model because of the benefits listed below; the Classic Deployment Model is therefore struck through, i.e. all resources should be created with the “new” Resource Manager Deployment Model.

Resource Manager Deployment Model: In 2014, Azure introduced Resource Manager. For an overview and description of the different elements in Azure Resource Manager see chapter 2.3.2.1. Resource Manager offers the following benefits:

Application/Solution == Resource Group: Based on the decision in chapter 2.3.2.1.2 the resource-group is the boundary of a solution respective application and therefore if we want to deploy an entire application then we basically need to deploy the corresponding resource-group.

Resource Manager: Support: To discover whether a service supports Resource Manager, see Resource providers and types https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services . If the service you wish to use does not support Resource Manager, you must continue using classic deployment. If you create a resource through classic deployment now, the resource is automatically created within a default resource group for that service, even though you did not specify that resource group at deployment. However, just existing within a resource group does not mean that the resource has been converted to the Resource Manager model.

PowerShell: Created with the Resource Manager version of the Azure PowerShell cmdlets. These commands have the format Verb-AzureRmNoun.

New-AzureRmResourceGroupDeployment

4.3.1.2. Deploy resources with Resource Manager templates and Azure PowerShell

Automate deploying resources with Azure Resource Manager templates in a single, coordinated operation. Define resources and configurable input parameters and deploy with script or code.

Deploy resources with Resource Manager templates and Azure PowerShell – see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy : The Resource Manager template you deploy can either be a local file on your machine, or an external file that is located in a repository like GitHub.

Incremental and complete deployments: When deploying your resources, you specify that the deployment is either an incremental update or a complete update. The primary difference between these two modes is how Resource Manager handles existing resources in the resource group that are not in the template:

For both modes, Resource Manager attempts to provision all resources specified in the template. If the resource already exists in the resource group and its settings are unchanged, the operation results in no change. If you change the settings for a resource, the resource is provisioned with those new settings. If you attempt to update the location or type of an existing resource, the deployment fails with an error. Instead, deploy a new resource with the location or type that you need.

By default, Resource Manager uses the incremental mode.

To use complete mode, use the Mode parameter:

New-AzureRmResourceGroupDeployment -Mode Complete -Name ExampleDeployment `
  -ResourceGroupName ExampleResourceGroup -TemplateFile c:\MyTemplates\storage.json

 

4.3.1.2.1. Login & Select Subscription

Before Deployment with PowerShell can start perform the following steps:

  1. Precondition: PowerShell is installed, see chapter 4.1.

  2. Sign in to the Azure portal: Login-AzureRmAccount, see chapter 3.1.1.

  3. (Optional, only required if there is more than one subscription) Select the subscription that you want to work with: Get-AzureRmSubscription -SubscriptionName <SUBSCRIPTION NAME> | Set-AzureRmContext

PS C:\Users\raoul-becke--s0-v1> Get-AzureRmSubscription -SubscriptionName Pay-As-You-Go | Set-AzureRmContext

Environment           : AzureCloud

Account               : ms-cloud--s0-v1@beckech.onmicrosoft.com

TenantId              : af081cc6-...

SubscriptionId        : 35dc9a55-...

SubscriptionName      : Pay-As-You-Go

CurrentStorageAccount :
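The following script is an added example (not code from this document or from Microsoft) that puts the steps of this sub-chapter and of chapter 4.3.1.2 together: login (interactively as in chapter 3.1.1, or unattended with a service principal, the PowerShell counterpart of the service-principal login recommended for the Azure CLI in chapter 4.2), selection of the subscription, validation of the template, and an incremental deployment. The tenant id, template path, resource group, location and the service-principal environment variables are assumptions.

```powershell
# Added example, not part of the original document. Assumes AzureRM is installed
# (chapter 4.1); tenant, template, resource group, location and the AZURE_SP_* variables are placeholders.
$subscriptionName = "Pay-As-You-Go"                  # subscription name from this document
$resourceGroup    = "becke-ch--app--s0-v1"           # assumed resource group (see chapter 4.3.1.2.2)
$location         = "westeurope"                     # placeholder
$templateFile     = "C:\MyTemplates\storage.json"    # template path from chapter 4.3.1.2
$tenantId         = "<tenant-id>"                    # placeholder (the document shows af081cc6-...)

if ($env:AZURE_SP_APPID -and $env:AZURE_SP_SECRET) {
    # Unattended run: a permissions-restricted service principal, secret taken from the
    # environment so that no personal credential ends up in the script or on disk.
    $secret = ConvertTo-SecureString $env:AZURE_SP_SECRET -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($env:AZURE_SP_APPID, $secret)
    Login-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId | Out-Null
} else {
    # Interactive run: same as step 2 of chapter 3.1.1.
    Login-AzureRmAccount -TenantId $tenantId | Out-Null
}

# Step 3: only needed with more than one subscription; all later cmdlets use this context.
Get-AzureRmSubscription -SubscriptionName $subscriptionName | Set-AzureRmContext | Out-Null

# The resource group is the boundary of the application (chapter 4.3.1.1); create it if missing.
if (-not (Get-AzureRmResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# Validate first: Test-AzureRmResourceGroupDeployment returns the validation errors, and
# no output means the template and its parameters are accepted by Resource Manager.
$problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroup -TemplateFile $templateFile
if ($problems) { $problems | Format-List; throw "Template validation failed, nothing was deployed." }

# Incremental (the default) leaves resources that are not in the template untouched;
# -Mode Complete would delete them, so that mode is only ever chosen deliberately.
$deployment = New-AzureRmResourceGroupDeployment -Name ("deploy-" + (Get-Date -Format "yyyyMMdd-HHmmss")) `
    -ResourceGroupName $resourceGroup -TemplateFile $templateFile -Mode Incremental

$deployment | Select-Object DeploymentName, ProvisioningState, Timestamp, Mode
```

Giving every deployment a timestamped name keeps the deployment history of chapter 4.3.1.2.2 readable, and the ProvisioningState in the last line is what a pipeline should check before it reports success.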

 

 

4.3.1.2.2. Automation Scripts & Deployment History

Application/Solution/Resource-Group: Deployment History – see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template: In the azure-portal [31] navigate to the corresponding resource group and click on “Deployments”:

 

Illustration 14: Azure Resource-Group Deployment History

 

Application/Solution/Resource-Group: Export Template – see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template: If you have manually changed your resources or added resources in multiple deployments, retrieving a template from the deployment history does not reflect the current state of the resource group. In the azure-portal [31] navigate to the corresponding resource group, click on “Automation script”:

 

Illustration 15: Azure Resource-Group Deployment – Automation Script

 

ATTENTION: You cannot export a template for a resource group that has more than 200 resources.

ERROR: 2 resource types cannot be exported yet and are not included in the template.

ANALYZE: Click on “See error details.”

 

Illustration 16: Azure Resource-Group Deployment – Automation Script - Error

 

Export template operation completed with errors. Some resources were not exported. Please see details for more information. (Code: ExportTemplateCompletedWithErrors)

 

SOLUTION/WORKAROUND: There currently exists no solution to this problem i.e. these resources need to be handled outside the automation script individually:

Once these errors are fixed, or the deployment scripts for those resources have been constructed manually, continue with:

  1. Click on “Download”: this downloads all the scripts and templates required to construct this Resource-Group/Application in one zip file “ExportedTemplate-becke-ch--app--s0-v1.zip” containing:

    a. template.json: This is the main file that contains all the resources that need to be constructed:

 

4.3.1.3. Resource Manager and PowerShell

Manage resources with Azure PowerShell and Resource Manager: https://docs.microsoft.com/en-us/azure/azure-resource-manager/powershell-azure-resource-manager

 

 

 

4.3.1.4. Policies

Resource policy overview:

Resource policy (see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-policy): Resource policies enable you to establish conventions for resources in your organization. Policies are inherited by all child resources. Policy focuses on resource properties during deployment.

Policies are evaluated when creating and updating resources (PUT and PATCH operations).

Policies can, for example, also be used to enforce naming conventions. Note that the following definition, although its displayName says “Naming Convention”, actually restricts the deployment location: it denies any resource whose location is not in the allowedLocations parameter (declared in the parameters section, which a definition must contain for every parameter it references):

{
    "displayName": "Naming Convention",
    "description": "This policy enforces the naming convention",
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "Locations in which resources may be deployed"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
}
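As an added example (not from this document or from Microsoft), the following script defines a policy that really enforces a naming convention, in contrast to the JSON above, whose rule restricts the deployment location, and assigns it at resource-group scope with the AzureRM Resource Manager cmdlets. The scope, the name prefix and the suffix are assumptions derived from the names used in this document.

```powershell
# Added example, not part of the original document: a naming-convention policy, defined
# and assigned with AzureRM. Scope, prefix and suffix are assumptions for this document.
$resourceGroup = "becke-ch--app--s0-v1"   # assumed scope (see chapter 4.3.1.2.2)
$prefix        = "becke-ch--"             # naming prefix assumed from the names used in this document
$suffix        = "--s0-v1"                # scope/version suffix assumed from the names used in this document

# Rule: deny the PUT/PATCH when the name lacks the prefix OR the suffix. Each like/notLike
# value carries a single wildcard, so prefix and suffix are checked as two conditions.
$rule = @{
    if = @{
        anyOf = @(
            @{ field = "name"; notLike = "$prefix*" },
            @{ field = "name"; notLike = "*$suffix" }
        )
    }
    then = @{ effect = "deny" }
} | ConvertTo-Json -Depth 10

$definition = New-AzureRmPolicyDefinition -Name "naming-convention--s0-v1" `
    -DisplayName "Naming Convention" `
    -Description "Resource names must start with '$prefix' and end with '$suffix'." `
    -Policy $rule

# Assign at resource-group scope; child resources inherit the assignment.
$scope = (Get-AzureRmResourceGroup -Name $resourceGroup).ResourceId
New-AzureRmPolicyAssignment -Name "naming-convention--s0-v1" -PolicyDefinition $definition -Scope $scope | Out-Null

# Review what is assigned at this scope.
Get-AzureRmPolicyAssignment -Scope $scope |
    Select-Object Name, @{ Name = 'PolicyDefinitionId'; Expression = { $_.Properties.policyDefinitionId } }
```

Because the effect is deny, a deployment of a non-conforming resource fails at validation time with a policy violation rather than leaving a stray resource behind; existing resources that already violate the rule are not touched, only reported.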

 

4.3.2. Deployment

 

In general

 

4.4. Logging, Monitoring, Alerting

 

 

5. Integration

5.1. ETL – Extract Transform Load

Azure Data Factory (ADF): The tool of choice when doing E(T)L in Azure is the Azure Data Factory, which comes along as a PaaS solution. There exist a lot of other tools that offer ETL functionality, like for example Oracle Data Integrator (ODI), Jaspersoft ETL or Apache Kafka, but none of them are integrated out of the box in Azure; instead they need to be installed and maintained as an IaaS (or potentially CaaS) solution. For further information see [34]. The reason why “(T)” is bracketed is that in its first version “ADF V1” was just offering Extract and Load capabilities in the form of copy jobs, and the Transformation had to be done outside the tool, mostly in stored procedures in the source and/or destination. Since June 2018 “ADF V2” is fully integrated with SQL Server Integration Services (SSIS) and therefore offers full ETL capabilities. For further information see [35]. The simple copying functionality of V1 is still available in V2 and should be preferred for simple transfers of data instead of using the rather heavyweight SSIS functionality.

Criteria: Good articles regarding criteria on how to select an ETL tool can be found in [36]. Listed here are some main criteria from these articles:

Hands-on information regarding ADF v2 see the corresponding chapter in appendix document [38].

6. Landscape

 

 

7. References and glossary

7.1. References

Reference / Remarks / Location

[1] IaaS: Infrastructure as a Service.
    https://azure.microsoft.com/en-us/overview/what-is-iaas/

[2] Global Data-centers (DC).
    https://www.microsoft.com/en-us/cloud-platform/global-datacenters

[3] PaaS: Platform as a Service.
    https://azure.microsoft.com/en-us/overview/what-is-paas/

[4] Storage Account deployed in Virtual Network (feature request).
    https://feedback.azure.com/forums/217313-networking/suggestions/6785079-blob-from-azure-virtual-network

[5] SaaS: Software as a Service.
    https://azure.microsoft.com/en-us/overview/what-is-saas/

[6] Microsoft Cloud Offerings.
    https://technet.microsoft.com/en-us/library/mt765146.aspx
    https://technet.microsoft.com/library/dn919927.aspx

[7] Enterprise Agreement.
    https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx
    https://wazcommunity.files.wordpress.com/2017/01/azuredirecteacustomeronboardingguide_en.pdf

[8] Microsoft Office 365.
    https://products.office.com/business

[9] Microsoft Azure.
    https://azure.microsoft.com

[10] Microsoft Azure Product Overview.
    http://azureplatform.azurewebsites.net/en-us/

[11] Microsoft Dynamics 365.
    https://www.microsoft.com/en-us/dynamics365/home

[12] Microsoft Dynamics Custom Entity.
    https://msdn.microsoft.com/en-us/library/gg309396.aspx

[13] Microsoft Intune.
    https://www.microsoft.com/en-us/cloud-platform/microsoft-intune

[14] User Account: Microsoft Account (Microsoft Live ID) versus Work / School Account. See also “Merge office365 and live accounts that use the same email address” and “Work account vs Microsoft account: how to use them properly?”.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-how-subscriptions-associated-directory

[15] Subscription & Access Control.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-understanding-resource-access

[16] Bandwidth Pricing.
    https://azure.microsoft.com/en-us/pricing/details/bandwidth/

[17] Dynamics CRM Online Licensing and Pricing Guide.
    http://download.microsoft.com/download/1/B/6/1B632F92-F67A-4FB1-92F9-23E0169ABA79/Microsoft%20Dynamics%20CRM%20Online%20Licensing%20and%20Pricing%20Guide%20Spring%202016.pdf

[18] Azure Classic Portal.
    https://manage.windowsazure.com/

[19] Active Directory Admin Roles.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

[20] Azure Accounts Center.
    https://account.windowsazure.com/subscriptions

[21] Azure Resource Manager.
    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

[22] Dynamics 365 Billing FAQ.
    https://www.microsoft.com/en-US/dynamics/crm-customer-center/billing-faqs-for-dynamics-365-online.aspx

[23] Azure Enterprise Scaffold.
    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance

[24] Azure Virtual Network Pricing.
    https://azure.microsoft.com/pricing/details/virtual-network

[25] Azure Move Resources.
    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources

[26] Azure Bill.
    https://docs.microsoft.com/en-us/azure/billing/billing-understand-your-bill

[27] Azure Service Limits & Quotas.
    https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits

[28] Azure Best Practice Example: Contoso Corporation.
    https://technet.microsoft.com/en-us/library/mt775345.aspx

[29] Azure Naming Convention.
    https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions

[30] Data Retention Period.
    https://www.microsoft.com/en-us/trustcenter/Privacy/You-own-your-data#leave

[31] Azure Portal.
    http://portal.azure.com

[32] CaaS: Container Instance versus Container Service.
    http://www.itprotoday.com/microsoft-azure/azure-container-instances-and-azure-container-service
    https://docs.microsoft.com/en-us/azure/container-instances/container-instances-orchestrator-relationship
    https://searchitoperations.techtarget.com/tip/Azure-Container-Instances-provide-an-opt-out-option-for-cluster-ops

[33] CaaS: Docker: no RDP support.
    https://success.docker.com/article/does-docker-for-windows-server-2016-support-gui-based-applications
    https://stackoverflow.com/questions/35652644/access-windows-2016-server-container-docker-container-via-gui

[34] Integration: ETL: ADF versus SSIS and other ETL tools compared.
    https://www.jamesserra.com/archive/2017/03/azure-data-factory-and-ssis-compared/ (this article is based on “ADF V1” and is therefore not fully accurate, because SSIS has been integrated in “ADF V2” since June 2018)
    https://www.predictiveanalyticstoday.com/top-free-extract-transform-load-etl-software/

[35] Azure Data Factory new capabilities are now generally available.
    https://azure.microsoft.com/en-us/blog/azure-data-factory-new-capabilities-are-now-generally-available/

[36] ETL: Selection Criteria.
    http://www.dataintegration.ninja/how-to-select-an-etl-tool/
    https://www.etltool.com/categories-and-criteria-examined/

[37] PaaS: Domain Name Basics.
    “Conceptual overview of custom domain names in Azure Active Directory”
    “Configure a custom domain name”

[38] MS Cloud foundation: Architecture Foundation: Appendix.
    HTML, HTML A4, PDF

[39] Describes the scope and version convention that should be applied.
    http://www.becke.ch/convention/scopeandversion/ch_becke_convention_scope_and_version_s1_v0_9.pdf

Table 2: References

7.2. Glossary (terms, abbreviations, acronyms)

Terms / Abbreviations / Acronyms: Description

DC: Data-center, see [2]

Table 3: Glossary


A. Appendix

Due to its large size and the effort of keeping the content up to date, the entire appendix containing hands-on instructions for the different Azure services has been moved into the separate document “becke-ch--ms-cloud--s1-v1”, see [38]. Only the sub-chapter “A.1 My Visual Studio: Developer License (MSDN): Activate Azure Benefit on Alternate Account” was kept (for backward compatibility) because it is frequently referenced.

A.1. My Visual Studio: Developer License (MSDN): Activate Azure Benefit on Alternate Account

Chrome (or Firefox): Always use the Chrome (or Firefox) browser, e.g. to avoid the “strange” SSO behavior of IE.

Email: Wait for the confirmation e-mail of your MSDN Platform Subscription:


My Visual Studio: Developer License (MSDN): https://my.visualstudio.com/subscriptions

Log in with your business account.

Go to “Subscriptions” and click on “Add alternate account”:


Go to “Benefits” and copy the hyperlink behind “Activate”: https://account.windowsazure.com/signup?offer=MS-AZ... (DO NOT CLICK ON THE HYPERLINK!)


Close all browsers.

Log in with your private account: https://my.visualstudio.com/

Enter the hyperlink you copied previously in the browser: https://account.windowsazure.com/signup?offer=MS-AZ...


Select “I agree to the subscription agreement, offer details, and privacy statement” and click on “Purchase”.

DONE: you can now click on “Or get started with your Azure subscription”: https://portal.azure.com/


SUCCESS:

A.1.1. Error: Oops: It appears that you have already used your MSDN benefit for a Microsoft Azure Subscription

If you get the error “Oops: It appears that you have already used your MSDN benefit for a Microsoft Azure Subscription”:


Solution: Go to the person responsible for your MSDN subscription and have your MSDN subscription deleted and assigned anew. You will then receive the e-mail again and can proceed as described in the previous chapter.


Footnote 1: Like Azure App Service, Cloud Services technology is designed to support applications that are scalable, reliable, and inexpensive to operate. In the same way that App Service is hosted on virtual machines (VMs), so too is Azure Cloud Services. However, you have more control over the VMs. You can install your own software on VMs that use Azure Cloud Services, and you can access them remotely.

Footnote 2: For example, in flight-critical systems the same requirements are designed and implemented by two (or more) different companies; both implementations run in parallel, and if their output values differ, the system shuts down and the pilot has to take over manual control.