Error: Policies attempted to append some fields which already exist in the request with different values


azure

In our current environment, this is starting to show up more and more.
We have a number of policies in Azure, among them are ‘resources-tag-enforcement’, the one that adds a number of required Tags on resources on our production Resource Groups. Because we have them and they are required on all resources on the groups, things fail.
It is changes that start to fail, unrelated to the Tag policy really…
Example 1: We tried to change pricing tier on an App Service plan – Fail
Example 2: We deleted a rule in Azure Firewall – Fail
Example 3: We resized a VM – Fail

All due to one thing, the Resource Manager seems to think in the backend, that these changes are really not just changes, but we are adding new resources to the resource groups, triggering the policy, and that fails to append the Tags since the Tags are already there…
Same scenario with a ‘Allowed location’ policy, if a resource was once created outside of the allowed scope, changes are not allowed since the RM seems to think that you are really adding new resources, not just making adjustments.

The error you will see from the Tag policy is this:

Failed to resize virtual machine ‘XXX-NNNN’ to size ‘Standard DXXX’. Error: Policies attempted to append some fields which already exist in the request with different values. Fields: ‘tags[nnn1],tags[nnn2]’. Policy identifiers:'[{“policyAssignment”:{“name”:”Assignment – resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyAssignments/Assignment – resources-tag-enforcement”},”policyDefinition”:{“name”:”resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyDefinitions/resources-tag-enforcement”}}]’. Please contact the subscription administrator to update the policies.
 
Resolution:
Temporarily Disable the assignment of the policy. Look up the Resource Group, go to policys, assignments, then the correct policy and open it.
A bit down, you have to switch to disable it.
WindowsUpdate2
Set it to Disabled and Review+Save, then Save.
Done.
Remember to enable it again after you are done.
 
 
Good luck!
 
References


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

One Bastion to access them all


azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month ($1500/Bastion/Year)
This have now changed. Now, $1500/customer/year is enough (Well worth it!).

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

 
References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

 


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts


azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to  do the following:

  • Delete all accounts except the default administrator (Disable default on 2016)
  • Rename the default to a different name
  • Set a new ‘impossible’ password that nobody knows (45chrs)
  • Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin"
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
$UserName = ($Admin.Name).ToString().split("\")[1]
Disable-LocalUser $UserName
If ($UserName -ne $DefaultAdmin) {
Remove-LocalUser $UserName
Write-Host "Removed Admin: $UserName"
}
else {
$Random = ConvertTo-SecureString ((1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
Set-LocalUser -Name $DefaultAdmin -Password $Random
Write-Host "Default Admin password reset to 45 chrs long random string"
if ($DefaultAdmin -ne $NewAdminName){
Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
Write-Host "Renamed default Admin: $UserName to $NewAdminName"
}
}
}
Write-host "Done - Server secured :-)"
 
– – – – – – – – – – – – – – – – – – – –
Pre Windows Server 2016:
 
# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin"
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")

foreach ($LocalUser in $LocalAdmins){
$UserName = $LocalUser.Name
$UserSID = $LocalUser.SID
$userDomain = $LocalUser.Domain
if ($LocalUser.Domain -eq $Env:Computername)
{

If ($userSID -like "S-1-5-21-*-500"){
Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
If ($UserName -ne $NewAdminName){
$LocalUser.Rename($NewAdminName)
}

$Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
[adsi]$User = "WinNT://./$NewAdminName,user"
$User.SetPassword($Random)
$User.SetInfo()
}
else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
[ADSI]$server = "WinNT://$Env:computername"
$server.delete("user",$UserName)
}
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}
 
Happy PowerShell scripting!
 

References
Not this one


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Office 365 News – First release for select users


 Office365logo

First release can now be offered to a select group of users!

(Including a funny mistake by a Microsoft developer)

ImageLife made even simpler for the admins

First release has until now been something that you do not want to enable in a production tenant for the organization, because the impact can be to big with untested changes and additions made regularly.
The common option for the administrator thirsting for knowledge has been to create an evaluation tenant and enable First Release there.
Cumbersome and difficult…is what that was!
A drawback has also been that you could not test anything with the real users, real data or real life scenarios.

No more so, now, the option to enable First Release for only selected users are available.

This is how you do it:

1. Log into your tenants Admin portal: https://portal.office.com/admin/default.aspx
2. Go to Service Settings, Updates.
3. Under First Release, check Select People, you will get a popup asking if you are sure, click Yes.
4. Locate the users you want to set as first release users.
5. Select the users in the box below and click on save (It does not have to be administrators).
5.5 Bulk update (You can also create a list of UPN’s and sumbit it as a bulk update.)
6. Done!
7. Undo

In Pictures:

1. Log into your tenants Admin portal: https://portal.office.com/admin/default.aspx

FirstRelease1

2. Go to Service Settings, Updates.

FirstRelease2

3. Under First Release, check Select People, you will get a popup asking if you are sure, click Yes.
(Entire organization is the old choice, this affects everyone in the tenant)

FirstRelease3x

Like I said, select Yes in the popup dialog.

FirstRelease4
4. In the dialog to your right, search for the user/users you want to set as First Release users.

FirstRelease35x

a. Start typing aname to search for the user…

FirstRelease5

b. Located users are moved to the userslist.

FirstRelease6

c. Select all users in the list.

FirstRelease7

5. Select the users in the box below and click on save (It does not have to be administrators).
(You can also create a list of UPN’s and sumbit it as a bulk update.)

FirstRelease8

You do not get any conformation that it is changed, but it is.

5.5 Bulk update

For a bulk update, do this:

a. Create a list of the users UPN’s, User Principle Names (i.e. Emailaddresses) and save it as a textfile (.txt)
The file can named anything and can be saved anywhere you like.

FirstReleaseBulk3

b. In the Admin portal, Service Settings, Updates, Click on Bulk add people

FirstReleaseBulk0x

c. Browse to your userlist

FirstReleaseBulk1

d. Select the file and click Open

FirstReleaseBulk4

Note the path…(someone at Microsoft made a mistake…\fakepath\ ??). The path shown does not matter, it will work, trust me!

FirstReleaseBulk5x

e. Now click on Next to finish

FirstReleaseBulk6

f. As you can see, the result is shown in the resultlist, success and fail are listed. You can also get a view of a very simple logfile.
Click on finish when you are ready.

FirstReleaseBulk7

Bulk import Done!
6. All Done!

7. Undo

To reset the tenant and go back to noone having first release, do this:

In the Admin portal, Service Settings, Updates, Click on Standard

undo2

Agree to the popup

Undo

And you’re back to normal!

I’

Credits

Niklas Danell, Microsoft Sweden
Erik Fryksén, Xperta AB

References

Microsoft Support on the First Release options

  Office365logo _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 News – Office 365 Limited Admin Roles are here


 Office365logo

Finally! Office 365 Limited Admin Roles are here!

(2015-05-22: In my tenant, this option has now gone away…)

SharePoint administrator
Exchange Administrator
Lync Administrator
User/AD Administrator
Helpdesk Administrator
Support Administrator

This has been one of the major missing features in Office 365, one that many has asked for, it has been on the roadmap and ‘In Development’ and ‘Rolling Out’ for a very long time as well. Now it is HERE! In a ‘First Release’ tenant. (Coming to all tenants in due time) To use the limited roles, do this:

1. Go to the Office 365 Admin Portal https://portal.office.com/admin/default.aspx

2. Select Users -> Active Users

1

3. Locate a user using search

15

4. On the Righthand side, Click on Edit User Roles

2

5. Next, select Limited Admin Role and then check the roles you want the user to have, one or many.

Meg Ryan gets to be a SharePoint Admin only

3

6. Enter an alternate email, same as you do/did for a Global Administrator account

It cannot be a email address that residen within the tenant

7. Save and you are done!

References and Credits

Myself, I get all the credit this time! 🙂 

  Office365logo _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn