Azure Security – MFA, Conditional Access and AAD Identity Protection

Scenario
You have been asked to create a proof of concept of features that enhance Azure Active Directory (Azure AD) authentication. Specifically, you want to evaluate:
– Azure AD multi-factor authentication
– Azure AD conditional access
– Azure AD Identity Protection
NOTE: For all the resources in this lab, we are using East US region.

Exercise 1: Deploy an Azure VM by using an Azure Resource Manager template
Task 1: Deploy an Azure VM by using an Azure Resource Manager template

1. Sign in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type custom template and select Deploy a custom template under the list of Services.
NOTE: You can also select Template Deployment (deploy using custom templates) from the Marketplace list.

3. On the Custom deployment blade, click the Build your own template in the editor option.

4. On the Edit template blade, click Load file, locate the \Allfiles\Labs\04\az-500-04_azuredeploy.json file and click Open.
NOTE: Review the content of the template and note that it deploys an Azure VM hosting Windows Server 2019 Datacenter.

5. On the Edit template blade, click Save.

6. Back on the Custom deployment blade, click Edit parameters.

7. On the Edit parameters blade, click Load file, locate the \Allfiles\Labs\04\az-500-04_azuredeploy.parameters.json file and click Open.
NOTE: Review the content of the parameters file noting the adminUsername and adminPassword values.

8. On the Edit parameters blade, click Save.

9. On the Custom deployment blade, ensure that the following settings are configured (leave any others with their default values):

Setting              | Value
Subscription         | the name of the Azure subscription you will be using in this lab
Resource group       | click Create new and type the name AZ500LAB04
Location             | (US) East US
Vm Size              | Standard_D2s_v3
Vm Name              | az500-04-vm1
Admin Username       | Student
Admin Password       | Pa55w.rd1234
Virtual Network Name | az500-04-vnet1

NOTE: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

10. Click Review + create, and then click Create.
NOTE: Do not wait for the deployment to complete but proceed to the next exercise. You will use the virtual machine included in this deployment in the last exercise of this lab.
RESULT: You have initiated a template deployment of an Azure VM az500-04-vm1 that you will use in the last exercise of this lab.
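The same deployment from a Cloud Shell PowerShell session, as an added example that is not part of the lab. It assumes the two files from \Allfiles\Labs\04 have been uploaded to Cloud Shell, that the Az.Resources module is loaded (it is in Cloud Shell), and that the template's password parameter is named adminPassword, as the parameters file reviewed in step 7 indicates. It validates the template before deploying and prompts for the password instead of reading it from the parameters file.

```powershell
# Added example (not the lab's own code): scripted equivalent of Exercise 1.
$ErrorActionPreference = 'Stop'
$rgName   = 'AZ500LAB04'
$location = 'eastus'
$template = './az-500-04_azuredeploy.json'              # assumed upload location in Cloud Shell
$params   = './az-500-04_azuredeploy.parameters.json'   # assumed upload location in Cloud Shell

if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}

# Step 4 asks you to review the template: list the resource types and parameter names it declares
$t = Get-Content $template -Raw | ConvertFrom-Json
"Resource types: " + (($t.resources | ForEach-Object { $_.type }) -join ', ')
"Parameters:     " + ($t.parameters.PSObject.Properties.Name -join ', ')

# Prompt for the admin password so it is not stored in the script or the shell history.
# A value given on the command line overrides the one in the parameters file.
$adminPassword = Read-Host -Prompt 'Admin password for az500-04-vm1' -AsSecureString

# Validate first; Test-AzResourceGroupDeployment returns nothing when template and parameters are valid
$issues = Test-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $template `
              -TemplateParameterFile $params -adminPassword $adminPassword
if ($issues) {
    $issues | ForEach-Object { "VALIDATION: $($_.Message)" }
    return
}

# -AsJob returns immediately, matching the lab note to proceed without waiting for the deployment
New-AzResourceGroupDeployment -Name 'az500-04-vm1-deploy' -ResourceGroupName $rgName `
    -TemplateFile $template -TemplateParameterFile $params -adminPassword $adminPassword -AsJob

# Check progress later with:
#   Get-AzResourceGroupDeployment -ResourceGroupName $rgName | Select-Object DeploymentName, ProvisioningState
```

Validating separately from deploying is the habit worth keeping: a failed validation costs nothing, while a half-applied deployment leaves resources in the group that you then have to clean up.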

Exercise 2: Implement Azure MFA
Task 1: Create a new Azure AD tenant
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.

2. On the blade displaying Overview of your current Azure AD tenant, click + Create a tenant.

3. On the Basics tab of the Create a tenant blade, ensure that the option Azure Active Directory is selected and click Next: Configuration >.

4. On the Configuration tab of the Create a tenant blade, specify the following settings:

Setting             | Value
Organization name   | AdatumLab500-04
Initial domain name | a unique name consisting of a combination of letters and digits
Country or region   | United States

NOTE: Record the initial domain name. You will need it later in this lab.

5. Click Review + Create and then click Create.
NOTE: Wait for the new tenant to be created. Use the Notification icon to monitor the deployment status.

Task 2: Activate Azure AD Premium P2 trial
1. In the Azure portal, in the toolbar, click the Directory + subscription icon, located to the right of the Cloud Shell icon.

2. In the Directory + subscription blade, click the newly created tenant, AdatumLab500-04.
NOTE: You may need to refresh the browser window if the AdatumLab500-04 entry does not appear in the Directory + subscription filter list.

3. On the AdatumLab500-04 blade, in the Manage section, click Licenses.

4. On the Licenses | Overview blade, in the Manage section, click All products and then click + Try / Buy.

5. On the Activate blade, in the Azure AD Premium P2 section, click Free Trial and then click Activate.

Task 3: Create Azure AD users and groups.
1. Navigate back to the AdatumLab500-04 Azure Active Directory blade and, in the Manage section, click Users.

2. On the Users | All users blade, click + New User.

3. On the New user blade, ensure that the Create user option is selected, and specify the following settings (leave all others with their default values) and click Create:

Setting        | Value
User name      | aaduser1
Name           | aaduser1
Password       | ensure that the option Auto-generate password is selected and click Show Password
Groups         | 0 groups selected
Roles          | click User, then click Global administrator, and click Select
Usage Location | United States

NOTE:
– Record the full user name. You can copy its value by clicking the Copy to clipboard button on the right hand side of the drop-down list displaying the domain name.
– Record the user’s password. You will need this later in this lab.

4. Back on the Users | All users blade, click + New User.

5. On the New user blade, ensure that the Create user option is selected, and specify the following settings (leave all others with their default values):

Setting        | Value
User name      | aaduser2
Name           | aaduser2
Password       | ensure that the option Auto-generate password is selected and click Show Password
Groups         | 0 groups selected
Roles          | User
Usage Location | United States

NOTE: Record the full user name and the password.

6. Back on the Users | All users blade, click + New User.

7. Click New User, complete the new user configuration settings, and then click Create.

Setting        | Value
User name      | aaduser3
Name           | aaduser3
Password       | ensure that the option Auto-generate password is selected and click Show Password
Groups         | 0 groups selected
Roles          | User
Usage Location | United States

NOTE: Record the full user name and the password.

8. On the New user blade, click Create.
NOTE: At this point, you should have three new users listed on the Users page.

Task 4: Assign Azure AD Premium P2 licenses to Azure AD users
1. On the Users | All users blade, click the entry representing your user account.

2. On the blade displaying the properties of your user account, click Edit.

3. In the Settings section, in the Usage location drop down list, select the United States entry and click Save.

4. Navigate back to the AdatumLab500-04 Azure Active Directory blade and, in the Manage section, click Licenses.

5. On the Licenses | Overview blade, click All products, select the Azure Active Directory Premium P2 checkbox, and click + Assign.

6. On the Assign licenses blade, click Users.

7. On the Users blade, select aaduser1, aaduser2, aaduser3, and your user account, and click Select.

8. Back on the Assign licenses blade, click Assignment options, ensure that all options are enabled, and click OK.

9. Back on the Assign licenses blade, click Assign.

10. Sign out from the Azure portal and sign back in using the same account. This step is necessary in order for the license assignment to take effect.
NOTE: At this point, you assigned Azure Active Directory Premium P2 licenses to all user accounts you will be using in this lab. Be sure to sign out and then sign back in.
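Tasks 3 and 4 done with Microsoft Graph PowerShell, as an added example rather than the lab's own steps. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed, that the signed-in account is a Global Administrator of the AdatumLab500-04 tenant, that the P2 trial from Task 2 is already active, and that you substitute your tenant's initial domain for the placeholder. It generates a random initial password per user instead of the portal's auto-generated one, and looks the Global Administrator role and the P2 SKU up by name rather than hard-coding their identifiers.

```powershell
# Added example (not the lab's own code): create the lab users, grant aaduser1 Global Administrator,
# and assign Azure AD Premium P2 to all three.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All','RoleManagement.ReadWrite.Directory'

$tenantDomain = '<your_tenant_name>.onmicrosoft.com'   # placeholder: the initial domain name recorded in Task 1

function New-RandomPassword {
    # 20 characters from an alphabet without look-alike characters; the user must change it at first sign-in anyway
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%&*'
    -join (1..20 | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
}

$users = foreach ($name in 'aaduser1','aaduser2','aaduser3') {
    $pw = New-RandomPassword
    $u  = New-MgUser -DisplayName $name -MailNickname $name -UserPrincipalName "$name@$tenantDomain" `
            -AccountEnabled -UsageLocation 'US' `
            -PasswordProfile @{ Password = $pw; ForceChangePasswordNextSignIn = $true }
    [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Id = $u.Id; InitialPassword = $pw }
}
# Record the initial passwords now, as the lab's NOTE says; Graph never returns them again
$users | Format-Table -AutoSize

# Task 3 step 3: aaduser1 receives the Global Administrator role (tenant-wide scope '/')
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $gaRole.Id -PrincipalId $users[0].Id `
    -DirectoryScopeId '/' | Out-Null

# Task 4: Azure AD Premium P2 appears as the AAD_PREMIUM_P2 SKU once the trial is active
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'AAD_PREMIUM_P2'
if (-not $sku) { throw 'AAD_PREMIUM_P2 is not among the subscribed SKUs; activate the trial (Task 2) first' }
foreach ($u in $users) {
    # UsageLocation was set at creation; license assignment fails for users without one
    Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
}

# Verify: each lab user should now list the P2 SKU
foreach ($u in $users) {
    "{0,-45} {1}" -f $u.UserPrincipalName, ((Get-MgUserLicenseDetail -UserId $u.Id).SkuPartNumber -join ',')
}
```

The role assignment is the one line to review before running: it grants the highest tenant role to a test account, which the lab needs for aaduser1 but which you would not want to copy into a production script without a scope and an expiry.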

Task 5: Configure Azure MFA settings.
1. In the Azure portal, navigate back to the AdatumLab500-04 Azure Active Directory tenant blade.
NOTE: Make sure you are using the AdatumLab500-04 Azure AD tenant.

2. On the AdatumLab500-04 Azure Active Directory tenant blade, in the Manage section, click Security.

3. On the Security | Getting started blade, in the Manage section, click MFA.

4. On the Multi-Factor Authentication | Getting started blade, click the Additional cloud-based MFA settings link.
NOTE: This will open a new browser tab, displaying multi-factor authentication page.

5. On the multi-factor authentication page, click the service settings tab. Review the verification options. Note that Text message to phone, Notification through mobile app, and Verification code from mobile app or hardware token are enabled. Click Save and then click close.

6. Switch to the users tab, click aaduser1 entry, click the Enable link, and, when prompted, click enable multi-factor auth.

7. Notice the Multi-Factor Auth status column for aaduser1 is now Enabled.

8. Click aaduser1 and notice that, at this point, you also have the Enforce option.
NOTE: Changing the user status from Enabled to Enforced impacts only legacy Azure AD integrated apps which do not support Azure MFA and, once the status changes to Enforced, require the use of app passwords.

9. With the aaduser1 entry selected, click Manage user settings and review the available options:
– Require selected users to provide contact methods again.
– Delete all existing app passwords generated by the selected users.
– Restore multi-factor authentication on all remembered devices.

10. Click Cancel and switch back to the browser tab displaying the Multi-Factor Authentication | Getting started blade in the Azure portal.

11. In the Settings section, click Fraud alert.

12. On the Multi-Factor Authentication | Fraud alert blade, configure the following settings:

Setting                                      | Value
Allow users to submit fraud alerts           | On
Automatically block users who report fraud   | On
Code to report fraud during initial greeting | 0

13. Click Save.
NOTE: At this point, you have enabled MFA for aaduser1 and setup fraud alert settings.

14. Navigate back to the AdatumLab500-04 Azure Active Directory tenant blade, in the Manage section, click Properties, next click the Manage Security defaults link at the bottom of the blade, and on the Enable Security Defaults blade, click No. Select My Organization is using Conditional Access as the reason and then click Save.
NOTE: Ensure that you are signed-in to the AdatumLab500-04 Azure AD tenant. You can use the Directory + subscription filter to switch between Azure AD tenants. Ensure you are signed in as a user with the Global Administrator role in the Azure AD tenant.

Task 6: Validate MFA configuration
1. Open an InPrivate browser window.

2. Navigate to the Azure portal and sign in using the aaduser1 user account.
NOTE: To sign in you will need to provide a fully qualified name of the aaduser1 user account, including the Azure AD tenant DNS domain name, which you recorded earlier in this lab. This user name is in the format aaduser1@<your_tenant_name>.onmicrosoft.com, where <your_tenant_name> is the placeholder representing your unique Azure AD tenant name.

3. When prompted, in the More information required dialog box, click Next.
NOTE: The browser session will be redirected to the Additional security verification page.

4. On the Keep your account secure page, select the I want to set up a different method link, in the Which method would you like to use? drop-down list, select Phone, and select Confirm.

5. On the Keep your account secure page, select your country or region, type your mobile phone number in the Enter phone number area, ensure that the Text me a code option is selected, and click Next.

6. On the Keep your account secure page, type the code you received in the text message on your mobile phone, and click Next.

7. On the Keep your account secure page, ensure that the verification was successful and click Next.

8. On the Keep your account secure page, click Done.

9. When prompted, change your password. Make sure to record the new password.

10. Verify that you successfully signed in to the Azure portal.

11. Sign out as aaduser1 and close the InPrivate browser window.
RESULT: You have created a new AD tenant, configured AD users, configured MFA, and tested the MFA experience for a user.

Exercise 3: Implement Azure AD Conditional Access Policies
Task 1: Configure a conditional access policy.

1. In the Azure portal, navigate back to the AdatumLab500-04 Azure Active Directory tenant blade.

2. On the AdatumLab500-04 blade, in the Manage section, click Security.

3. On the Security | Getting started blade, in the Protect section, click Conditional Access.

4. On the Conditional Access | Policies blade, click + New policy.

5. On the New blade, configure the following settings:
– In the Name text box, type AZ500Policy1
– Click Users and groups, select the Users and Groups checkbox, on the Select blade, click aaduser2, and click Select.
– Click Cloud apps or actions, click Select apps, on the Select blade, click Microsoft Azure Management, and click Select.
NOTE: Review the warning that this policy impacts access to the Azure Portal.
– Click Conditions, click Sign-in risk, on the Sign-in risk blade, review the risk levels but do not make any changes and close the Sign-in risk blade.
– Click Device platforms, review the device platforms that can be included, and click Done.
– Click Locations and review the location options without making any changes.
– Click Grant in the Access controls section, on the Grant blade, select the Require multi-factor authentication checkbox and click Select
– Set the Enable policy to On.

6. On the New blade, click Create.
NOTE: At this point, you have a conditional access policy that requires MFA to sign in to the Azure portal.

Task 2: Test the conditional access policy.
1. On the Identity Protection | Overview blade, in the Protect section, click User risk policy.

2. Configure the User risk remediation policy with the following settings:
– Click Users; on the Include tab of the Users blade, ensure that the All users option is selected.
– On the Users blade, switch to the Exclude tab, click Select excluded users, select your user account, and then click Select.
– Click User risk; on the User risk blade, select Low and above, and then click Done.
– Click Access; on the Access blade, ensure that the Allow access option and the Require password change checkbox are selected and click Done.
– Set Enforce policy to On and click Save.

Task 3: Configure sign-in risk policy
1. On the Identity Protection | User risk policy blade, in the Protect section, click Sign-in risk policy.

2. Configure the Sign-in risk remediation policy with the following settings:
– Click Users; on the Include tab of the Users blade, ensure that the All users option is selected.
– Click Sign-in risk; on the Sign-in risk blade, select Medium and above, click Select, and then click Done.
– Click Access; on the Access blade, ensure that the Allow access option and the Require multi-factor authentication checkbox are selected and click Done.
– Set Enforce Policy to On and click Save.
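The conditional access policy from Task 1 and the two risk policies from Tasks 2 and 3, expressed as Conditional Access policy objects through Microsoft Graph PowerShell. This is an added example, not the lab's code. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, that the signed-in account holds the Conditional Access Administrator or Global Administrator role in the AdatumLab500-04 tenant, and that you substitute your tenant domain and your own account's UPN for the placeholders. It deliberately departs from the lab in two places: the policies are created in report-only mode rather than On, and your own account is excluded from both risk policies (the lab excludes it only from the user risk policy), so that a mis-scoped policy cannot lock the administrator out.

```powershell
# Added example (not the lab's own code): AZ500Policy1 plus the sign-in risk and user risk policies via Graph.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All'

$tenantDomain = '<your_tenant_name>.onmicrosoft.com'      # placeholder: initial domain recorded in Exercise 2
$aaduser2     = Get-MgUser -UserId "aaduser2@$tenantDomain"
$breakGlass   = Get-MgUser -UserId "<your_account>@$tenantDomain"   # placeholder: your own admin account

# 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known application id behind the "Microsoft Azure Management"
# cloud app selected in Task 1 step 5; it covers the Azure portal and Azure Resource Manager.
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

# Report-only first: sign-in logs show what each policy *would* do without enforcing it. Flip to 'enabled'
# (the lab's "On") after confirming the right users are matched.
$state = 'enabledForReportingButNotEnforced'

$policies = @(
    @{  # Task 1: aaduser2 needs MFA for Azure management
        displayName   = 'AZ500Policy1'
        state         = $state
        conditions    = @{
            users        = @{ includeUsers = @($aaduser2.Id) }
            applications = @{ includeApplications = @($azureManagementAppId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Task 3: sign-in risk medium and above -> require MFA
        displayName   = 'AZ500 sign-in risk medium+ requires MFA'
        state         = $state
        conditions    = @{
            users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('medium','high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Task 2: user risk low and above -> require password change (Graph requires AND with mfa)
        displayName   = 'AZ500 user risk low+ requires password change'
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @('All') }
            userRiskLevels = @('low','medium','high')
        }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa','passwordChange') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0,-48} state={1} id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Confirm what is now in the tenant
Get-MgIdentityConditionalAccessPolicy -Filter "startswith(displayName,'AZ500')" |
    Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

When you later switch a policy to enabled, do it one policy at a time and keep the break-glass exclusion; the excluded account is what gets you back in if a risk policy ever fires on every administrator at once.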

Task 4: Simulate risk events against the Azure AD Identity Protection policies
1. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the az500-04-vm1 Azure VM.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.

3. On the Virtual machines blade, click the az500-04-vm1 entry.

4. On the az500-04-vm1 blade, click Connect and, in the drop down menu, click RDP.

5. Click Download RDP File and use it to connect to the az500-04-vm1 Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting   | Value
User name | Student
Password  | Pa55w.rd1234

NOTE:
– Wait for the Remote Desktop session and Server Manager to load.
– The following steps are performed in the Remote Desktop session to the az500-04-vm1 Azure VM.

6. In Server Manager, click Local Server and then click IE Enhanced Security Configuration.

7. In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click OK.

8. Start Internet Explorer, click the cog wheel icon in the toolbar, in the drop-down menu, click Safety and then click InPrivate Browsing.

9. In the InPrivate Internet Explorer window, navigate to the Tor Browser Project at https://www.torproject.org/projects/torbrowser.html.en.

10. Download and install the Windows version of the Tor Browser with the default settings.

11. Once the installation completes, start the Tor Browser, use the Connect option on the initial page, and browse to the Application Access Panel at https://myapps.microsoft.com.

12. When prompted, attempt to sign in with the aaduser3 account.
NOTE: You will be presented with the message Your sign-in was blocked. This is expected, since this account is not configured with multi-factor authentication, which is required due to the increased sign-in risk associated with the use of the Tor Browser.

13. Use the Sign out and sign in with a different account option to sign in as aaduser1 account you created and configured for multi-factor authentication earlier in this lab.
NOTE: This time, you will be presented with the Suspicious activity detected message. Again, this is expected, since this account is configured with multi-factor authentication. Considering the increased sign-in risk associated with the use of the Tor Browser, you will have to use multi-factor authentication.

14. Use the Verify option and specify whether you want to verify your identity via text or a call.

15. Complete the verification and ensure that you successfully signed in to the Application Access Panel.

16. Close your RDP session.
NOTE: At this point, you attempted two different sign ins. Next, you will review the Azure Identity Protection reports.

Task 5: Review the Azure AD Identity Protection reports
1. Back in the Azure portal, use the Directory + subscription filter to switch to the AdatumLab500-04 Azure Active Directory tenant.

2. On the AdatumLab500-04 blade, in the Manage section, click Security.

3. On the Security | Getting started blade, in the Reports section, click Risky users.

4. Review the report and identify any entries referencing the aaduser3 user account.

5. On the Security | Getting started blade, in the Reports section, click Risky sign-ins.

6. Review the report and identify any entries corresponding to the sign-in with the aaduser3 user account.

7. Under Reports click Risk detections.

8. Review the report and identify any entries representing the sign-in from an anonymous IP address generated by the Tor Browser.
NOTE: It may take 10-15 minutes for risks to show up in reports.
RESULT: You have enabled Azure AD Identity Protection, configured user risk policy and sign-in risk policy, as well as validated Azure AD Identity Protection configuration by simulating risk events.
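The three reports reviewed in Task 5, pulled through Microsoft Graph PowerShell so they can be filtered and checked against the two test sign-ins. This is an added example, not the lab's code. It assumes the Microsoft.Graph.Identity.SignIns module is installed, a signed-in account with at least the Security Reader role in the AdatumLab500-04 tenant, and that you substitute your tenant's initial domain for the placeholder. The Tor sign-ins from Task 4 surface as anonymizedIPAddress risk detections.

```powershell
# Added example (not the lab's own code): query Identity Protection reports for the simulated risk events.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All','IdentityRiskyUser.Read.All'

$tenantDomain = '<your_tenant_name>.onmicrosoft.com'   # placeholder: initial domain recorded in Exercise 2
# Only look at the last two hours, i.e. the window in which Task 4 was performed
$since = (Get-Date).ToUniversalTime().AddHours(-2).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Risky users (Task 5 steps 3-4): who is currently flagged, at what level, and whether it was remediated
"--- Risky users ---"
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Format-Table -AutoSize

# Risk detections (Task 5 steps 7-8): the Tor sign-ins appear as anonymizedIPAddress detections
"--- Anonymous IP detections since $since ---"
$detections = Get-MgRiskDetection -All `
    -Filter "detectedDateTime ge $since and riskEventType eq 'anonymizedIPAddress'"
$detections |
    Select-Object DetectedDateTime, UserPrincipalName, RiskLevel, RiskState, IPAddress, Source |
    Sort-Object DetectedDateTime -Descending | Format-Table -AutoSize

# Cross-check against the lab: both aaduser3 (blocked) and aaduser1 (MFA challenged) were signed in over Tor
"--- Expected lab accounts ---"
foreach ($name in 'aaduser1','aaduser3') {
    $hits = @($detections | Where-Object UserPrincipalName -eq "$name@$tenantDomain")
    if ($hits.Count -gt 0) { "$name`: $($hits.Count) anonymizedIPAddress detection(s), latest risk state $($hits[0].RiskState)" }
    else                   { "$name`: nothing yet (reports can lag 10-15 minutes; re-run later)" }
}
```

Once the detections are confirmed to be the lab's own simulation, the matching risky-user entries can be dismissed (Invoke-MgDismissRiskyUser) so they do not keep the user risk policy forcing password changes on the test accounts; leaving a known-benign detection open is how test noise turns into alert fatigue.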

Clean up resources
We need to remove identity protection resources that you no longer use.
Use the following steps to disable the identity protection policies in the AdatumLab500-04 Azure AD tenant.
1. In the Azure portal, navigate back to the AdatumLab500-04 Azure Active Directory tenant blade.

2. On the AdatumLab500-04 blade, in the Manage section, click Security.

3. On the Security | Getting started blade, in the Protect section, click Identity Protection.

4. On the Identity Protection | Overview blade, click User risk policy.

5. On the Identity Protection | User risk policy blade, set Enforce policy to Off and then click Save.

6. On the Identity Protection | User risk policy blade, click Sign-in risk policy.

7. On the Identity Protection | Sign-in risk policy blade, set Enforce policy to Off and then click Save.

Use the following steps to stop the Azure VM you provisioned earlier in the lab.
1. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the az500-04-vm1 Azure VM.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.

3. On the Virtual machines blade, click the az500-04-vm1 entry.

4. On the az500-04-vm1 blade, click Stop and, when prompted to confirm, click OK.


Do not remove any resources provisioned in this lab, since the PIM lab has a dependency on them.


Azure Security – Resource Manager Locks

Scenario
You have been asked to create a proof of concept showing how resource locks can be used to prevent
accidental deletion or changes. Specifically, you need to:
– Create a ReadOnly lock
– Create a Delete lock

Exercise 1: Resource Manager Locks
Task 1: Create a resource group with a storage account.

1. Sign in to the Azure portal https://portal.azure.com/.

2. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.

3. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the PowerShell session within the Cloud Shell pane, run the following to create a resource group (verify with your instructor regarding the value of the location parameter):

New-AzResourceGroup -Name AZ500LAB03 -Location 'EastUS'

5. In the PowerShell session within the Cloud Shell pane, run the following to create a storage account in the newly created resource group:

# Get-Random supplies a numeric name, which satisfies the 3-24 lowercase letters/digits rule for storage account names
New-AzStorageAccount -ResourceGroupName AZ500LAB03 -Name (Get-Random -Maximum 999999999999999) -Location EastUS -SkuName Standard_LRS -Kind StorageV2
Note: Wait until the storage account is created. This might take a couple of minutes.

6. Close the Cloud Shell pane.

Task 2: Add a ReadOnly lock on the storage account.
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

2. On the Resource groups blade, select the AZ500LAB03 resource group entry.

3. On the AZ500LAB03 resource group blade, in the list of resources, select the new storage account.

4. In the Settings section, click the “Locks” icon.

5. Click + Add and specify the following settings:

Setting   | Value
Lock name | ReadOnly Lock
Lock type | Read-only

6. Click OK.
Note: The storage account is now protected from accidental deletion and modification.

Task 3: Test the ReadOnly lock
1. In the Settings section of the storage account blade, click Configuration.

2. Set the Secure transfer required option to Disabled and then click Save.

3. You should be able to spot a notification stating Failed to update storage account.

4. Click the Notifications icon in the toolbar at the top of the Azure portal and review the notification, which will resemble the following text:
“Failed to update storage account ‘xxxxxxxx’. Error: The scope ‘xxxxxxxx’ cannot perform write operation because following scope(s) are locked: ‘/subscriptions/xxxxx-xxx-xxxx-xxxx-xxxxxxxx/resourceGroups/AZ500LAB03/providers/Microsoft.Storage/storageAccounts/xxxxxxx’. Please remove the lock and try again”

5. Return to the Configuration blade of the storage account and click Discard.

6. On the storage account blade, select Overview and, on the Overview blade, click Delete.

7. On the Delete storage account blade, type in the name of the storage account to confirm that you intend to proceed and then click Delete.

8. Review the newly generated notification, which will resemble the following text:
“Failed to delete storage account ‘xxxxxxx’. Error: The scope ‘xxxxxxx’ cannot perform delete operation because following scope(s) are locked: ‘/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxxxx/resourceGroups/AZ500LAB03/providers/Microsoft.Storage/storageAccounts/xxxxxxx’. Please remove the lock and try again.”

Note: You have now verified that a ReadOnly lock will stop accidental deletion and modification of a resource.

Task 4: Remove the ReadOnly lock and create a Delete lock.
1. In the Azure portal, navigate back to the blade displaying properties of the newly created storage account.

2. In the Settings section , select Locks.

3. On the Locks blade, click on the Delete icon on the far right of the ReadOnly Lock entry.

4. Click + Add and specify the following settings:

Setting   | Value
Lock name | Delete Lock
Lock type | Delete

5. Click OK.

Task 5: Test the Delete lock.
1. In the Settings section of the storage account blade, click Configuration.

2. Set the Secure transfer required option to Disabled and then click Save.
Note: This time, the change should be successful.

3. On the storage account blade, select Overview and, on the Overview blade, click Delete.

4. On the Delete storage account blade, type in the name of the storage account to confirm that you intend to proceed and then click Delete.

5. Review the notification that resembles the following text:
“‘xxxxxx’ can’t be deleted because this resource or its parent has a delete lock. Locks must be removed before this resource can be deleted”
Note:
– You have now verified that a Delete lock will allow configuration changes but stop accidental deletion.
– By using Resource Locks you can implement an extra line of defense against accidental or malicious changes and/or deletion of the most important resources. Resource locks can be removed by any user with the Owner role, but doing so requires a conscious effort. Locks supplement Role Based Access Control.
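Tasks 2 through 5 as one Cloud Shell script, added here as an example rather than taken from the lab: it applies the ReadOnly lock, tries the same write and delete the portal steps try, swaps to a Delete lock, and repeats the tests. It assumes the AZ500LAB03 resource group and the storage account from Task 1 exist and that the Az.Resources and Az.Storage modules are loaded (they are in Cloud Shell). The delete test is a real Remove-AzStorageAccount call guarded only by the lock, which is exactly what the exercise verifies; $ErrorActionPreference is set to Stop so the script halts rather than reaching that call if a lock fails to apply.

```powershell
# Added example (not the lab's own code): apply and test both lock types on the lab storage account.
$ErrorActionPreference = 'Stop'
$rg   = 'AZ500LAB03'
$sa   = (Get-AzStorageAccount -ResourceGroupName $rg | Select-Object -First 1).StorageAccountName
$type = 'Microsoft.Storage/storageAccounts'

function Test-Write {
    # Same change as Task 3 step 2: Secure transfer required -> Disabled. Reverted if it succeeds,
    # so the account is never left accepting plain HTTP.
    try {
        Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -EnableHttpsTrafficOnly $false | Out-Null
        Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -EnableHttpsTrafficOnly $true  | Out-Null
        'write:  ALLOWED'
    } catch { 'write:  BLOCKED - ' + $_.Exception.Message.Split("`n")[0] }
}
function Test-Delete {
    # Same action as Task 3 step 7: only the lock stands between this call and the account being removed
    try {
        Remove-AzStorageAccount -ResourceGroupName $rg -Name $sa -Force
        'delete: ALLOWED (account removed)'
    } catch { 'delete: BLOCKED - ' + $_.Exception.Message.Split("`n")[0] }
}

# Tasks 2-3: a ReadOnly lock blocks both modification and deletion
New-AzResourceLock -LockName 'ReadOnly Lock' -LockLevel ReadOnly -ResourceGroupName $rg `
    -ResourceName $sa -ResourceType $type -LockNotes 'Lab: block changes and deletion' -Force | Out-Null
'--- ReadOnly lock ---'; Test-Write; Test-Delete

# Task 4: replace it with a Delete (CanNotDelete) lock
Remove-AzResourceLock -LockName 'ReadOnly Lock' -ResourceGroupName $rg -ResourceName $sa -ResourceType $type -Force | Out-Null
New-AzResourceLock -LockName 'Delete Lock' -LockLevel CanNotDelete -ResourceGroupName $rg `
    -ResourceName $sa -ResourceType $type -LockNotes 'Lab: block deletion only' -Force | Out-Null

# Task 5: configuration changes go through, deletion is still refused
'--- Delete lock ---'; Test-Write; Test-Delete

# Inventory of locks in the group: worth running periodically, since an Owner can remove a lock silently
Get-AzResourceLock -ResourceGroupName $rg |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceName, @{ n = 'Notes'; e = { $_.Properties.notes } } |
    Format-Table -AutoSize
```

The expected output is two BLOCKED lines under the ReadOnly lock and an ALLOWED write followed by a BLOCKED delete under the Delete lock, matching the notifications quoted in Tasks 3 and 5. The final inventory is the check to keep: a lock only protects while it exists, and its removal is an Owner-level action that does not announce itself.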

Results: In this exercise, you learned to use Resource Manager locks to protect resources from modification and accidental deletion.

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click Reconnect.

2. In the PowerShell session within the Cloud Shell pane, run the following to remove the delete lock:

# Find the storage account in the lab resource group (Task 1 gave it a random numeric name)
$storageAccountName = (Get-AzStorageAccount -ResourceGroupName AZ500LAB03).StorageAccountName

# Look up the lock created in Task 4 by the resource it protects, then remove it so the resource group can be deleted
$lockName = (Get-AzResourceLock -ResourceGroupName AZ500LAB03 -ResourceName $storageAccountName -ResourceType Microsoft.Storage/storageAccounts).Name

Remove-AzResourceLock -LockName $lockName -ResourceName $storageAccountName -ResourceGroupName AZ500LAB03 -ResourceType Microsoft.Storage/storageAccounts -Force

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group:

Remove-AzResourceGroup -Name "AZ500LAB03" -Force -AsJob

4. Close the Cloud Shell pane.

Create AKS and ACR in minutes

1. Go to Azure CLI.

2. Create a working directory.

3. Change to the directory that you created and list the files in the current working directory.

4. Clone the repository from GitHub.

5. List the files to check whether they already exist in the working directory, then navigate to the GitHub working directory.

6. Check the files in this working directory and open the file named aks-arc.sh in the editor.

7. Enter your GROUPNAME, LOCATION, AKSNAME, ACRNAME and SUBID.

8. Get the version of AKS and set the region to “EASTUS”.

9. Click on Save and Close Editor.

10. Run the following command to create AKS and ACR.

Results:

Credit to Jay Gordon (Github)
Video: Youtube

Azure Security – Azure Policy

Scenario
You have been asked to create a proof of concept showing how Azure policy can be used. Specifically you need to:

  • Create an Allowed Locations policy that ensures resources are only created in a specific region
  • Test to ensure resources are only created in the Allowed location

Exercise 1: Implement Azure policy
Task 1: Create a resource group for the lab.

1. Sign in to the Azure portal https://portal.azure.com/.
Note: Sign in to the Azure portal using an account that has the Owner or Contributor role in the Azure subscription you are using for this lab.

2. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.

3. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the PowerShell session within the Cloud Shell pane, run the following to create a resource group (verify with your instructor regarding the value of the location parameter):

New-AzResourceGroup -Name AZ500LAB02 -Location 'East US'

5. In the PowerShell session within the Cloud Shell pane, run the following to list resource groups to verify that the new resource group was created:

Get-AzResourceGroup | Format-Table

6. Close the Cloud Shell.

Task 2: Create an Allowed Locations policy assignment.
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Policy and press the Enter key.

2. On the Policy blade, in the Authoring section, select Definitions.

3. Take a minute to browse the built-in definitions. Use the Category drop-down to filter the list of policies.

4. In the Search text box, type Allowed locations.
Note: The Allowed locations policy allows you to restrict location of resources, not resource groups. To restrict locations of resource groups, you can use the Allowed locations for resource groups policy.

5. Click the Allowed locations policy definition to display its details.
Note: This policy definition takes an array of locations as parameters. A policy rule is an ‘if-then’ statement. The ‘if’ clause checks if the resource location is included in the parameter list, and if not, the ‘then’ clause denies the resource creation or, for existing resources, marks them as non-compliant.

6. On the Allowed locations blade, click Assign.

7. On the Basics tab of the Allowed locations blade, click the Ellipsis (…) button next to the Scope text box and, on the Scope blade, specify the following settings:

Setting        | Value
Subscription   | the name of your Azure subscription
Resource group | AZ500LAB02

8. Click Select.

9. On the Allowed locations blade, on the Basics tab, specify the following settings (leave others with their default values):

Setting            | Value
Assignment name    | Allow UK South for AZ500LAB02
Description        | Allow resources to be created in UK South Only for AZ500LAB02
Policy enforcement | Enabled

10. Click Next.

11. On the Parameters tab of the Allowed locations blade, in the Allowed locations drop-down list, select UK South as the only allowed location.
Note: You can select more than one location. If the policy required a different set of parameters, this tab would provide those selections.

12. Click Review + create, followed by Create to create the policy assignment.
Note:
– You will see a notification that the assignment was successful, and that the assignment might take around 30 minutes to complete.
– The reason the Azure policy assignment might take up to 30 minutes to take effect is that it has to replicate globally. Typically this takes only a few minutes. If the next task fails, simply wait a few minutes and attempt its steps again.

Task 3: Test the Allowed Locations policy assignment
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual networks and press the Enter key.

2. On the Virtual Networks blade, click + New.
Note: First, you will try to create a virtual network in East US. Since this is not an allowed location, the request should be blocked.

3. On the Basics tab of the Create virtual network blade, specify the following settings (leave others with their default values):

Setting        | Value
Resource group | AZ500LAB02
Name           | myVnet
Region         | (US) East US

4. Click Review + create.

5. On the Review + create tab of the Create virtual network blade note the Validation failed message.
Note: If the Validation Failed warning does not appear, click Previous and wait a few more minutes.

6. Click the error message to open the Errors blade. You will see the detailed error message stating that the deployment of the resource myVnet was disallowed by policy.

7. Close the Errors blade, on the Create virtual network blade, click the Basics tab, and, in the Region drop-down list, select (Europe) UK South.

8. Click Review + create, verify that validation passed, click Create, and verify that the virtual network was created successfully.
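Tasks 2 and 3 from the Cloud Shell, as an added example that is not the lab's own code: it assigns the built-in Allowed locations definition to AZ500LAB02 with uksouth as the only allowed location, then attempts the same two virtual network deployments the portal steps make and reads back the compliance state. It assumes the AZ500LAB02 resource group exists and that the Az.Resources, Az.Network and Az.PolicyInsights modules are loaded (they are in Cloud Shell). The definition is fetched by its GUID, e56962a6-4747-49cd-b67b-bf8b01975c4c, which is the built-in "Allowed locations" definition; compare it with the definition ID shown on the blade in Task 2 step 5 before relying on it.

```powershell
# Added example (not the lab's own code): assign and test the Allowed locations policy from PowerShell.
$ErrorActionPreference = 'Stop'
$rg = Get-AzResourceGroup -Name 'AZ500LAB02'

# Built-in "Allowed locations" definition (confirm the GUID on the definition blade from Task 2 step 5)
$def = Get-AzPolicyDefinition -Name 'e56962a6-4747-49cd-b67b-bf8b01975c4c'

$assignment = New-AzPolicyAssignment -Name 'allow-uksouth-az500lab02' `
    -DisplayName 'Allow UK South for AZ500LAB02' `
    -Description 'Allow resources to be created in UK South Only for AZ500LAB02' `
    -Scope $rg.ResourceId -PolicyDefinition $def `
    -PolicyParameterObject @{ listOfAllowedLocations = @('uksouth') }
"Assigned '$($assignment.Name)' at scope $($rg.ResourceId)"

function Test-VnetCreate([string] $Location) {
    # Tries to create the lab's myVnet in the given region, as Task 3 does through the portal
    try {
        $v = New-AzVirtualNetwork -Name 'myVnet' -ResourceGroupName $rg.ResourceGroupName `
                 -Location $Location -AddressPrefix '10.0.0.0/24' -Force
        '{0,-8} ALLOWED  {1}' -f $Location, $v.Id
    } catch {
        # A deny effect comes back as the RequestDisallowedByPolicy error code
        $reason = if ($_.Exception.Message -match 'RequestDisallowedByPolicy') { 'DENIED by policy' }
                  else { 'FAILED: ' + $_.Exception.Message.Split("`n")[0] }
        '{0,-8} {1}' -f $Location, $reason
    }
}

# Expected: eastus DENIED, uksouth ALLOWED. If eastus is still allowed, the assignment has not
# replicated yet (the lab notes allow up to 30 minutes); wait and run the two lines again.
Test-VnetCreate -Location 'eastus'
Test-VnetCreate -Location 'uksouth'

# Compliance evaluation runs on a schedule; trigger one now so the state reflects the test above
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName $assignment.Name |
    Select-Object ResourceId, ComplianceState, Timestamp | Format-Table -AutoSize
```

Two details matter in practice: the assignment scope is the resource group's full resource ID, not its name, which is what keeps the policy from accidentally applying subscription-wide; and the deny is recognised by its error code rather than by message text, since the wording of the message changes between portal, CLI and API.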

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click Reconnect.

2. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB02" -Force -AsJob

3. Close the Cloud Shell pane.

Postman Report with Azure DevOps

The previous post showed how to generate the report on a local machine. This article shows how to run Postman collections in an Azure DevOps pipeline.

1. Install Node.js.
2. Run the following command for installation by using Bash on your local machine.
3. In the package.json, add the following code.

4. In the Azure pipeline yml file add the following code.

5. Click on Run button in Azure DevOps.

6. You will get the result of coverage in Azure DevOps.

Tool:

Kubernetes YAML Generator

Azure Security – Role-Based Access Control

Scenario
You have been asked to create a proof of concept showing how Azure users and groups are created, and how role-based access control is used to assign roles to groups. Specifically, you need to:
– Create a Senior Admins group containing the user account of Joseph Price as its member.
– Create a Junior Admins group containing the user account of Isabel Garcia as its member.
– Create a Service Desk group containing the user account of Dylan Williams as its member.
– Assign the Virtual Machine Contributor role to the Service Desk group.
NOTE: For all the resources in this lab, we are using East US region.

Exercise 1: Create the Senior Admins group with the user account Joseph Price as its member
Task 1: Use the Azure portal to create a user account for Joseph Price
1. Sign-in to the Azure portal https://portal.azure.com/.


2. In the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.


3. On the Overview blade of the Azure Active Directory tenant, in the Manage section, select Users, and then select + New user.


4. On the New User blade, ensure that the Create user option is selected, and specify the following settings:

Setting    Value
User name  Joseph
Name       Joseph Price

5. Click the copy icon next to the User name to copy the full user name.

6. Ensure that Auto-generate password is selected, and select the Show password checkbox to reveal the automatically generated password. You will need to provide this password, along with the user name, to Joseph.

7. Click Create.

8. Refresh the Users | All users blade to verify the new user was created in your Azure AD tenant.

Task 2: Use the Azure portal to create a Senior Admins group and add the user account of Joseph Price to the group.
1. In the Azure portal, navigate back to the blade displaying your Azure Active Directory tenant.

2. In the Manage section, click Groups, and then select + New group.

3. On the New Group blade, specify the following settings (leave others with their default values):

Setting          Value
Group type       Security
Group name       Senior Admins
Membership type  Assigned

4. Click the No owners selected link, on the Add owners blade, select Joseph Price, and click Select.

5. Click the No members selected link, on the Add members blade, select Joseph Price, and click Select.

6. Back on the New Group blade, click Create.

Exercise 2: Create a Junior Admins group containing the user account of Isabel Garcia as its member.
Task 1: Use PowerShell to create a user account for Isabel Garcia.

In this task, you will create a user account for Isabel Garcia by using PowerShell.
1. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to create a password profile object:

$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

4. In the PowerShell session within the Cloud Shell pane, run the following to set the value of the password within the profile object:

$passwordProfile.Password = 'Pa55w.rd1234'

5. In the PowerShell session within the Cloud Shell pane, run the following to connect to Azure Active Directory:

Connect-AzureAD

6. In the PowerShell session within the Cloud Shell pane, run the following to identify the name of your Azure AD tenant:

$domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name

7. In the PowerShell session within the Cloud Shell pane, run the following to create a user account for Isabel Garcia:

New-AzureADUser -DisplayName 'Isabel Garcia' -PasswordProfile $passwordProfile -UserPrincipalName "Isabel@$domainName" -AccountEnabled $true -MailNickName 'Isabel'

8. In the PowerShell session within the Cloud Shell pane, run the following to list Azure AD users (the accounts of Joseph and Isabel should appear in the list):

Get-AzureADUser

Task 2: Use PowerShell to create the Junior Admins group and add the user account of Isabel Garcia to the group.
In this task, you will create the Junior Admins group and add the user account of Isabel Garcia to the group.

1. In the same PowerShell session within the Cloud Shell pane, run the following to create a new security group named Junior Admins:

New-AzureADGroup -DisplayName 'Junior Admins' -MailEnabled $false -SecurityEnabled $true -MailNickName JuniorAdmins

2. In the PowerShell session within the Cloud Shell pane, run the following to list the Azure AD groups (the list should include the Senior Admins, and Junior Admins groups):

Get-AzureADGroup

3. In the PowerShell session within the Cloud Shell pane, run the following to obtain a reference to the user account of Isabel Garcia:

$user = Get-AzureADUser -Filter "MailNickName eq 'Isabel'"

4. In the PowerShell session within the Cloud Shell pane, run the following to add the user account of Isabel to the Junior Admins group:

Add-AzADGroupMember -MemberUserPrincipalName $user.userPrincipalName -TargetGroupDisplayName "Junior Admins" 

5. In the PowerShell session within the Cloud Shell pane, run the following to verify that the Junior Admins group contains the user account of Isabel:

Get-AzADGroupMember -GroupDisplayName "Junior Admins"

Result: You used PowerShell to create a user and a group account, and added the user account to the group account.
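The lab scripts above set the same fixed password ('Pa55w.rd1234') for every account they create, and that value ends up in the Cloud Shell transcript. The variant below is an added example, not part of the lab: it keeps the lab's New-AzureADUser call but fills the password profile from a cryptographic random number generator and forces a change at first sign-in, so the value in the script is only ever a one-time bootstrap secret. It assumes the AzureAD module is loaded and Connect-AzureAD has been run; the helper New-RandomPassword is defined here and is not a module cmdlet.

```powershell
# Added example (not part of the lab): same user creation as the lab, with a
# generated one-time password instead of a hard-coded one.
# Assumes the AzureAD module is loaded and Connect-AzureAD has been run.
function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet: 256 % 64 == 0, so 'byte % 64' below is unbiased.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!$'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # Azure AD requires 3 of 4 character classes; insist on upper, lower and digit.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    return $pw
}

# Tenant domain, exactly as the lab derives it.
$domainName = ((Get-AzureADTenantDetail).VerifiedDomains)[0].Name

$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = New-RandomPassword
# The user must replace the bootstrap password at first sign-in.
$passwordProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName 'Isabel Garcia' -PasswordProfile $passwordProfile `
    -UserPrincipalName "Isabel@$domainName" -AccountEnabled $true -MailNickName 'Isabel'

# Deliver the one-time password out of band; do not echo it or save it in a script.
$user | Select-Object ObjectId, UserPrincipalName, AccountEnabled
```

The do/until loop regenerates the value in the rare case that a draw happens to miss a character class, which keeps the call from failing Azure AD's complexity check.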

Exercise 3: Create a Service Desk group containing the user account of Dylan Williams as its member.
Task 1: Use Azure CLI to create a user account for Dylan Williams

1. In the drop-down menu in the upper-left corner of the Cloud Shell pane, select Bash, and, when prompted, click Confirm.

2. In the Bash session within the Cloud Shell pane, run the following to identify the name of your Azure AD tenant:

DOMAINNAME=$(az ad signed-in-user show --query 'userPrincipalName' | cut -d '@' -f 2 | sed 's/\"//')

3. In the Bash session within the Cloud Shell pane, run the following to create a user, Dylan Williams, in your own domain:

az ad user create --display-name "Dylan Williams" --password "Pa55w.rd1234" --user-principal-name Dylan@$DOMAINNAME

4. In the Bash session within the Cloud Shell pane, run the following to list Azure AD user accounts (the list should include the user accounts of Joseph, Isabel, and Dylan):

az ad user list --output table

Task 2: Use Azure CLI to create the Service Desk group and add the user account of Dylan to the group
1. In the same Bash session within the Cloud Shell pane, run the following to create a new security group named Service Desk.

az ad group create --display-name "Service Desk" --mail-nickname "ServiceDesk"

2. In the Bash session within the Cloud Shell pane, run the following to list the Azure AD groups (the list should include Service Desk, Senior Admins, and Junior Admins groups):

az ad group list -o table

3. In the Bash session within the Cloud Shell pane, run the following to obtain a reference to the user account of Dylan Williams:

USER=$(az ad user list --filter "displayname eq 'Dylan Williams'")

4. In the Bash session within the Cloud Shell pane, run the following to obtain the objectId property of the user account of Dylan Williams:

OBJECTID=$(echo $USER | jq '.[].objectId' | tr -d '"')

5. In the Bash session within the Cloud Shell pane, run the following to add the user account of Dylan to the Service Desk group:

az ad group member add --group "Service Desk" --member-id $OBJECTID

6. In the Bash session within the Cloud Shell pane, run the following to list members of the Service Desk group and verify that it includes the user account of Dylan:

az ad group member list --group "Service Desk"

7. Close the Cloud Shell pane.

Exercise 4: Assign the Virtual Machine Contributor role to the Service Desk group
Task 1: Create a resource group

1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

2. On the Resource groups blade, click + Add and specify the following settings:

Setting              Value
Subscription name    the name of your Azure subscription
Resource group name  AZ500Lab01
Location             East US

3. Click Review + create and then Create.
Note: Wait for the resource group to deploy. Use the Notification icon (top right) to track progress of the deployment status.

4. Back on the Resource groups blade, refresh the page and verify your new resource group appears in the list of resource groups.

Task 2: Assign the Service Desk group Virtual Machine Contributor permissions
1. On the Resource groups blade, click the AZ500LAB01 resource group entry.

2. On the AZ500Lab01 blade, click Access control (IAM).

3. On the AZ500Lab01 | Access control (IAM) blade, click + Add and then, in the drop-down menu, click Add role assignment.

4. On the Add role assignment blade, specify the following settings:

Setting           Value
Role              Virtual Machine Contributor
Assign access to  User, group, or service principal
Select            Service Desk

5. Choose Save to create the role assignment.

6. From the Access control (IAM) blade, select Role assignments.

7. On the AZ500Lab01 | Access control (IAM) blade, on the Check access tab, in the Search by name or email address text box, type Dylan Williams.

8. In the list of search results, select the user account of Dylan Williams and, on the Dylan Williams assignments – AZ500Lab01 blade, view the newly created assignment.

9. Close the Dylan Williams assignments – AZ500Lab01 blade.

10. Repeat the last two steps to check access for Joseph Price.
Result: You have assigned and checked RBAC permissions.
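The portal's Check access tab (steps 7 to 10) answers "what can this user do here, including through groups?". The script below is an added example, not part of the lab, that asks the same question from PowerShell and adds the least-privilege check a reviewer would want: the resource group should carry one direct assignment to the group, Dylan should hold Virtual Machine Contributor only through that group and only at the resource group scope, and Joseph should hold nothing there. It assumes Az.Resources is loaded, Connect-AzAccount has been run as a user account, and the user principal names follow the lab's Name@domain pattern; reading group membership through -ExpandPrincipalGroups needs directory read permission.

```powershell
# Added example (not part of the lab): PowerShell equivalent of "Check access"
# plus a least-privilege review. Assumes Az.Resources, Connect-AzAccount (user
# sign-in) and the lab objects AZ500LAB01, Service Desk, Dylan and Joseph.
$resourceGroup = 'AZ500LAB01'
$expectedRole  = 'Virtual Machine Contributor'
$rgScope       = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
# Tenant domain taken from the signed-in UPN (same idea as the lab's Bash step).
$tenantDomain  = ((Get-AzContext).Account.Id -split '@')[1]
$dylan  = "Dylan@$tenantDomain"    # assumed UPNs, per the lab's naming
$joseph = "Joseph@$tenantDomain"

function Get-EffectiveRgRoles {
    param([string]$SignInName)
    # -ExpandPrincipalGroups includes roles held through group membership.
    # Keep assignments whose scope is the resource group or an ancestor of it.
    Get-AzRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups |
        Where-Object { $rgScope -like "$($_.Scope)*" } |
        Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName
}

# 1. Direct assignments on the resource group itself: expect the group, not users.
Write-Host "Direct assignments on $resourceGroup"
Get-AzRoleAssignment -Scope $rgScope |
    Where-Object { $_.Scope -eq $rgScope } |
    Format-Table DisplayName, ObjectType, RoleDefinitionName

# 2. Effective roles per user.
$dylanRoles  = Get-EffectiveRgRoles -SignInName $dylan
$josephRoles = Get-EffectiveRgRoles -SignInName $joseph

if ($dylanRoles.RoleDefinitionName -contains $expectedRole) {
    Write-Host "OK: $dylan has $expectedRole on $resourceGroup"
} else {
    Write-Warning "$dylan does not have $expectedRole on $resourceGroup"
}

# 3. Least-privilege review: any broader role, or any assignment inherited from
#    a scope above the resource group, deserves a second look.
$dylanRoles |
    Where-Object { $_.RoleDefinitionName -ne $expectedRole -or $_.Scope -ne $rgScope } |
    ForEach-Object { Write-Warning "Review: $($_.RoleDefinitionName) at $($_.Scope)" }

if (-not $josephRoles) { Write-Host "OK: $joseph has no role on $resourceGroup" }
else { Write-Warning "$joseph has access:"; $josephRoles | Format-Table }
```

The Azure CLI equivalent of the per-user lookup is `az role assignment list --assignee <upn> --include-groups --resource-group AZ500LAB01 -o table`, which matches the Bash flow used in Exercise 3.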

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal.

2. In the drop-down menu in the upper-left corner of the Cloud Shell pane, select PowerShell, and, when prompted, click Confirm.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB01" -Force -AsJob

4. Close the Cloud Shell pane.

Generate Report with newman

Step 1: Export Postman Collection
1. Go to Collections and click the three-dots (...) menu next to the collection.

2. From the menu, select Export.

3. Click on Export button and save the json file in same repository.

Step 2: Generate the Report for newman
Run the following commands by using Bash.
1. Installation

2. Generate HTML Report

You will see a newman folder that contains the HTML report.

CodeQL Analysis on GitHub

1. On GitHub, navigate to the main page of the repository.

2. Under your repository name, click Security.

3. To the right of “Code scanning”, click Set up code scanning.

4. Under “Get started with code scanning”, click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow.

5. To customize how code scanning scans your code, edit the workflow.

6. Use the Start commit drop-down, and type a commit message.

7. Choose whether you’d like to commit directly to the default branch, or create a new branch and start a pull request and click Commit new file.

Viewing the logging output from code scanning
After enabling code scanning for your repository, you can watch the output of the actions as they run.

1. Under your repository name, click Actions.

You’ll see a list that includes an entry for running the code scanning workflow.

2. Click the entry for the code scanning workflow.

3. Click the job name on the left. For example, Analyze(python).

4. Review the logging output from the actions in this workflow as they run.

5. View the GitHub Code scanning alerts dashboard.

Reference: docs.github.com

Testing with Mocha, Junit Reporter and code coverage with nyc

1. Install mocha from the terminal in Visual Studio Code:
    npm install --global mocha
2. Install mocha-junit-reporter from the terminal in Visual Studio Code:
    npm install mocha-junit-reporter --save-dev
3. Install nyc from the terminal in Visual Studio Code:
    npm install nyc --save-dev
4. Add both test scripts to the package.json file.

5. Now run the command:
npm run coverage

6. You will see the output for the code coverage as below.