Category: Host pool

List all Linux VM extensions in one query using Azure Resource Graph


azure

The kusto query below will give you a list of all Linux VMs and the extensions they have…
It was handy when the OMI vulnerability was out.

You will get the following info:

VM Name
Operating System
Extensions
Add additional columns to get more info.

Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
    JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType),
    VMSize = tostring(properties.hardwareProfile.vmSize)
| join kind=leftouter(
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    | extend
        VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionName = name
) on $left.JoinID == $right.VMId
| where OSType == 'Linux'
| summarize Extensions = make_list(ExtensionName) by OSName, OSType
| order by tolower(OSName) asc
The result looks something like this:
LinuxKusto
Happy resource mining!

References
https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

List all UDR User Defined Routes in one query using Azure Resource Graph


azure

The kusto query below will give you a list of all manually added routes/UDRs in all of your Route Tables(RT) in all subnets in all subscriptions. (Where you have access).
This is a great way to keep track of your UDRs…lest they get out of hand…

You will get the following info from each UDR:

Subcription Name
Resource Group Name
Subnet Name
RT Name
UDR Name
Target Prefix
Next Hop Type
Next Hop IP Address
Provisioning State
Has BGP Override

In my current Azure network, the total UDR count is around 413, in 39 different RTs. Its not easy to keep track and t-shoot the network, not easy at all.

Use different sort or where clauses to filter and sort on what you are currently looking for, if you for example filter on
| where addressPrefix == ‘0.0.0.0/0’
you will see only the routes for ‘unrouted’ traffic.
| where nextHopType == ‘VirtualAppliance’
will list all routes to your(?) Virtual appliance Firewall, and so on.
(You can add the where clauses at the end below the last line)

resources
| where type =~ "Microsoft.Network/routeTables"
| mv-expand rules = properties.routes
| join kind=leftouter (resourcecontainers 
| where type=='microsoft.resources/subscriptions' 
| project SubcriptionName=name, subscriptionId) on subscriptionId
| extend subnet_name = split((split(tostring(properties.subnets), '/'))[10], '"')[0]
| extend addressPrefix = tostring(rules.properties.addressPrefix)
| extend nextHopType = tostring(rules.properties.nextHopType)
| extend nextHopIpAddress = tostring(rules.properties.nextHopIpAddress)
| extend hasBgpOverride = tostring(rules.properties.hasBgpOverride)
| extend provisioningState = tostring(rules.properties.provisioningState)
| extend udrname = rules.name
| extend rtname = name
| project SubcriptionName, resourceGroup, subnet_name, rtname, udrname, addressPrefix, nextHopType, nextHopIpAddress, provisioningState, hasBgpOverride
| sort by SubcriptionName, resourceGroup asc, rtname asc, addressPrefix asc
The result looks something like this:
UDRKusto
Happy resource mining!

References
https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Error: Policies attempted to append some fields which already exist in the request with different values


azure

In our current environment, this is starting to show up more and more.
We have a number of policies in Azure, among them are ‘resources-tag-enforcement’, the one that adds a number of required Tags on resources on our production Resource Groups. Because we have them and they are required on all resources on the groups, things fail.
It is changes that start to fail, unrelated to the Tag policy really…
Example 1: We tried to change pricing tier on an App Service plan – Fail
Example 2: We deleted a rule in Azure Firewall – Fail
Example 3: We resized a VM – Fail

All due to one thing, the Resource Manager seems to think in the backend, that these changes are really not just changes, but we are adding new resources to the resource groups, triggering the policy, and that fails to append the Tags since the Tags are already there…
Same scenario with a ‘Allowed location’ policy, if a resource was once created outside of the allowed scope, changes are not allowed since the RM seems to think that you are really adding new resources, not just making adjustments.

The error you will see from the Tag policy is this:

Failed to resize virtual machine ‘XXX-NNNN’ to size ‘Standard DXXX’. Error: Policies attempted to append some fields which already exist in the request with different values. Fields: ‘tags[nnn1],tags[nnn2]’. Policy identifiers:'[{“policyAssignment”:{“name”:”Assignment – resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyAssignments/Assignment – resources-tag-enforcement”},”policyDefinition”:{“name”:”resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyDefinitions/resources-tag-enforcement”}}]’. Please contact the subscription administrator to update the policies.
 
Resolution:
Temporarily Disable the assignment of the policy. Look up the Resource Group, go to policys, assignments, then the correct policy and open it.
A bit down, you have to switch to disable it.
WindowsUpdate2
Set it to Disabled and Review+Save, then Save.
Done.
Remember to enable it again after you are done.
 
 
Good luck!
 
References


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Error: Policies attempted to append some fields which already exist in the request with different values


azure

In our current environment, this is starting to show up more and more.
We have a number of policies in Azure, among them are ‘resources-tag-enforcement’, the one that adds a number of required Tags on resources on our production Resource Groups. Because we have them and they are required on all resources on the groups, things fail.
It is changes that start to fail, unrelated to the Tag policy really…
Example 1: We tried to change pricing tier on an App Service plan – Fail
Example 2: We deleted a rule in Azure Firewall – Fail
Example 3: We resized a VM – Fail

All due to one thing, the Resource Manager seems to think in the backend, that these changes are really not just changes, but we are adding new resources to the resource groups, triggering the policy, and that fails to append the Tags since the Tags are already there…
Same scenario with a ‘Allowed location’ policy, if a resource was once created outside of the allowed scope, changes are not allowed since the RM seems to think that you are really adding new resources, not just making adjustments.

The error you will see from the Tag policy is this:

Failed to resize virtual machine ‘XXX-NNNN’ to size ‘Standard DXXX’. Error: Policies attempted to append some fields which already exist in the request with different values. Fields: ‘tags[nnn1],tags[nnn2]’. Policy identifiers:'[{“policyAssignment”:{“name”:”Assignment – resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyAssignments/Assignment – resources-tag-enforcement”},”policyDefinition”:{“name”:”resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyDefinitions/resources-tag-enforcement”}}]’. Please contact the subscription administrator to update the policies.
 
Resolution:
Temporarily Disable the assignment of the policy. Look up the Resource Group, go to policys, assignments, then the correct policy and open it.
A bit down, you have to switch to disable it.
WindowsUpdate2
Set it to Disabled and Review+Save, then Save.
Done.
Remember to enable it again after you are done.
 
 
Good luck!
 
References


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

One Bastion to access them all (All peered vNets)


azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month, $1500/Bastion/Year. (10 vNets = $15.000)
This have now changed. Now, $1500/customer/year is enough (Well worth it!). (10 vNets = $1.500)

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

 
References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

 


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts


azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to  do the following:

  • Delete all accounts except the default administrator (Disable default on 2016)
  • Rename the default to a different name
  • Set a new ‘impossible’ password that nobody knows (45chrs)
  • Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
  $UserName = ($Admin.Name).ToString().split("\")[1]
  Disable-LocalUser $UserName
  If ($UserName -ne $DefaultAdmin) {
    Remove-LocalUser $UserName
    Write-Host "Removed Admin: $UserName"
  }
  else {
    $Random = ConvertTo-SecureString ((1..45 | ForEach-Object   {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
    Set-LocalUser -Name $DefaultAdmin -Password $Random
    Write-Host "Default Admin password reset to 45 chrs long random string"
    if ($DefaultAdmin -ne $NewAdminName){
      Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
      Write-Host "Renamed default Admin: $UserName to $NewAdminName"
    }
  }
}
Write-host "Done - Server secured :-)"
 
– – – – – – – – – – – – – – – – – – – –
Pre Windows Server 2016:
 
# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")
foreach ($LocalUser in $LocalAdmins){
  $UserName = $LocalUser.Name
  $UserSID = $LocalUser.SID
  $userDomain = $LocalUser.Domain
  if ($LocalUser.Domain -eq $Env:Computername)
  {
    If ($userSID -like "S-1-5-21-*-500"){
      Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
      If ($UserName -ne $NewAdminName){
        $LocalUser.Rename($NewAdminName)
      }
      $Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
      [adsi]$User = "WinNT://./$NewAdminName,user"
      $User.SetPassword($Random)
      $User.SetInfo()
    }
    else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
    [ADSI]$server = "WinNT://$Env:computername"
    $server.delete("user",$UserName)
  }
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}
 
Happy PowerShell scripting!
 

References
Not this one


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to Add ACL, permission or Role assignment on all objects in all subscriptions


azure

The following script is made for those of you who has many subscriptions, or many objects, and you want to do something with them…
In my case, I needed to add the DBA’s AAD Group as Reader to all the disks of the SQL Server VM’s. Migrated servers, 6 disks each…you do not want to do that manually in the portal…

Run it a PowerShell tool of choice, prompt from script, ISE, VS Code or in CloudShell.
! However, there is a verified bug in a Az module used by New-AzRoleAssignment, tested and verified to work in CloudShell with Az module az.resources 2.5.1

  • Get-AzDisk can be replaced with Get-AzXXX to get any type of object you need.
  • New-AzRoleAssignment can be replaced with just about anything you want to do to the objects.
# Adds a Role assignment(ACL/RBAC) on all disks in all subscriptions based on strings in disks names
# In this example, the AAD Group ‘AAD-Group’ is added as Reader on all disks in all subscriptions, where the disks name contains the keywords: VM1, VM2 or SQL1
 
$Group = Get-AzADGroup -SearchString “AAD-Group”
$MySubs = Get-AzSubscription
Foreach ($Sub in $MySubs){
    Write-host $Sub.name
    Select-AzSubscription $sub.Name
    $Disks = Get-AzDisk | Where-Object { $_.Name -match ‘VM1’ -or $_.Name -match ‘VM2’ -or $_.Name -match ‘SQL1’}

    ForEach ($Disk in $Disks){
        Write-Host $Disk.name
        # Reader, Contributor, Owner, etc.
        New-AzRoleAssignment  -ObjectId $Group.Id -RoleDefinitionName ‘Reader’ -ResourceName $Disk.Name -ResourceGroupName $Disk.ResourceGroupName -ResourceType $Disk.Type
    }
}
 
– – – – – – – – – – – – – – – – – – – –
 
# Adds a Role assignment(ACL/RBAC) on all recovery vaults in all subscriptions
# In this example, the AAD Group ‘AAD-Group’ is added as Reader on all Recovery vaults in all subscriptions.
$Group = Get-AzADGroup -SearchString “AAD-Group”
$MySUbs = Get-AzSubscription # Get-AzSubscription
#Write-Output $MySubs
Foreach ($Sub in $MySubs){
    Write-host $Sub.name
    Select-AzSubscription $sub.Name
    $Vaults = Get-AzRecoveryServicesVault

    ForEach ($Vault in $Vaults){
        Write-Host $Vault.name
        # Reader, Contributor, Owner, etc.
        New-AzRoleAssignment  -ObjectId $Group.Id -RoleDefinitionName ‘Reader’ -ResourceName $Vault.Name -ResourceGroupName $Vault.ResourceGroupName -ResourceType $Vault.Type
    }
}
 
Happy PowerShell scripting!
 

References
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Install the PowerShell Az module (even if AzureRM is installed)


azure

If you are having trouble getting from the ‘old’ AzureRM PowerShell commends to the ‘new’ Az…
The following script solves it for you, run it and you will end up having the ‘new’ Az module installed (New-AzVM etc.) and if you had a conflicting AzureRM installed, that is resolved for you, by itself!

Run it a PowerShell tool of choice, prompt from script, ISE or VS Code. But run the tool as Administrator, the operation requires elevated mode.

# This script needs to be run in an elevated PowerShell, prompt, ISE or VSCode
# Written by Thomas Odell Balkeståhl - www.candelit.se

Write-Host "Starting AZ Module installer" -ForegroundColor Green

if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
Write-host "Running in elevated mode - Ok'" -ForegroundColor Green
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-InstalledModule -ErrorAction Ignore -WarningAction Ignore -Name 'azureRM'))

{

Write-Warning -Message ('AzureRM module is installed. Having both the AzureRM and ' +

'Az modules installed at the same time is not supported.')

Write-host "Would you like to uninstall the AzureRM module now? (Default is Yes)" -ForegroundColor Yellow

$Readhost = Read-Host " ( y / n ) "

Switch ($ReadHost)

{

Y {Write-host "Yes, Uninstalling AzureRM"; $UninstallSetting=$true}

N {Write-Host "No, Skip uninstall..."; $UninstallSetting=$false}

Default {Write-Host "Default, Uninstalling AzureRM"; $UninstallSetting=$true}

}

If ($UninstallSetting){

Uninstall-Module AzureRM -Force

Write-Host "AzureRM module uninstalled"

Write-Host "Next, Installing Az Module"

try {

Install-Module -Name Az -AllowClobber -SkipPublisherCheck

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module installed!" -ForegroundColor Green

}

catch {

Write-Host "Something went wrong, try running the command 'Install-Module -Name Az -AllowClobber' manually to see what went wrong" -ForegroundColor Yellow

}

}




}

else {

if (!(Get-InstalledModule -Name Az -AllVersions -ErrorAction Ignore)){

Write-Host "Az Module missing, Installing"

try {

Install-Module -Name Az -AllowClobber -SkipPublisherCheck

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module installed!" -ForegroundColor Green

}

catch {

Write-Host "Something went wrong, try running the command 'Install-Module -Name Az -AllowClobber' manually to see what went wrong" -ForegroundColor Yellow

}

}

else {

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module is installed" -ForegroundColor Green

}

}
}
else{
Write-host "You have to run the script in elevated mode - 'run as admin'" -ForegroundColor Yellow
}
Happy PowerShell scripting!

References
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

List all NSG security rules in one query using Azure Resource Graph


azure

The kusto query below will give you a list of all manually added security rules on all of your NSGs in all of your subnets. (Where you have access).
This is a great way to keep track of your vNets and subnets, what is allowed where…

You will get the following info from each NSG security rule:

Subcription Name
Resource Group Name
Subnet Name
NSG Name
Direction
Priority
Destination IP Prefix
Destination Port
Source IP Prefix
Source Port
Description
(Optional: SubscriptionId, extended.properties)

In my current Azure network, the count is around 200, in 75 different NSGs. Its not easy to keep track and find the ‘holes’ if you cannot get a good overview.

Use different sort or where clauses to filter and sort on what you are currently looking for, if you for example filter on
| where destport == ‘*’
you will see only the rules allowing traffic to any port.
| where destprefix == ‘*’
will list all rules allowing traffic to any ip address on the subnet, and so on.

Resources
| where type =~ "microsoft.network/networksecuritygroups"
| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubcriptionName=name, subscriptionId) on subscriptionId
| where resourceGroup == 'production' or resourceGroup == 'testing'
// Only if you don't want to see all, add more resourceGroups as needed: or resourceGroup == 'xxx'
| mv-expand rules=properties.securityRules
| extend direction = tostring(rules.properties.direction)
| extend priority = toint(rules.properties.priority)
| extend description = rules.properties.description
| extend destprefix = rules.properties.destinationAddressPrefix
| extend destport = rules.properties.destinationPortRange
| extend sourceprefix = rules.properties.sourceAddressPrefix
| extend sourceport = rules.properties.sourcePortRange
| extend subnet_name = split((split(tostring(properties.subnets), '/'))[10], '"')[0]
//| where destprefix == '*'
| project SubcriptionName, resourceGroup, subnet_name, name, direction, priority, destprefix, destport, sourceprefix, sourceport, description //, subscriptionId, rules.properties
| sort by SubcriptionName, resourceGroup asc, name, direction asc, priority asc
Happy resource mining!

References
https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn