All posts by Gregor Reimling

I am pleased to support the MS Ignite as an ATE (Ask The Experts)

Short note, I am pleased to announce that I support some Microsoft Ignite sessions as an ATE (Ask the Experts). Which this means? I support the Product Team in the Live sessions with answer additional questions. There are many possibilities to get in touch with the Microsoft Product owner of each service, so view the Session scheduler and join relevant sessions to ask the Product owner about services, features, possibilities and more.

I will support the following sessions:

Ask the Expert: disk storage, core compute and networking on Tuesday

Septemper 22 | 9:15 PM – 9:45 PM CEST

Ask the Expert: Be prepared for what´s next: kick start your cloud journey with Azure Migrate Program

September 23 | 10:45 PM – 11:15 PM CEST

My upcoming Community engagements in 2nd half of 2020

These times are challenging and I hope everyone is safe and healthy. Normally we have a lot of in person community conference, but actually we move a lot of this community meetings to online meetings. The good thing is we have more time for our family and need lees time for driving and so on.

In the 2nd half of 2020 I have the honor to speak at the following events:

Azure Bonn Meetup

Our Azure Bonn Meetup is also running as an virtual event and we have planned some exiting topics:

Are you interested in holding a session at our Azure Bonn Meetup – that sounds great. Please use the Microsoft form to let us know about you and your session and we look forward to welcoming you. Session language can be German or English 🙂

Virtual Cloud Identity Summit 2020

And finally the virtual Cloud Identity Summit 2020. This is our first event and we will focus only on Cloud Identity topics. This idea came up from Thomas Naunheim and we are really happy to realize this conference. The first speakers with great topics are announced and there coming more. Did you interested in how to secure your Cloud Identitys – this conference is a must see.

Howto setup and monitor Break Glass Accounts in your Tenant

09/07/2024 – Update 2

Microsoft enforce since 1st of July 2024 the need for Multifactor Authentication if a account access the Azure Portal. This also affects Break Glass accounts when the will use to access the Azure Portal. To reflect this new requirements classic Breakglass Accounts which only have a password enabled for login will won`t work after the rollout.

Microsoft recommend to use FIDO2 or certificate based authentication for these accounts. I`ve updated the article to enable FIDO2 for Breakglass accounts.

19/01/2022 – Update 1

I´ve updated the article because the actual sign-in query only logs all login attempts of the break glass account (successfully, unsuccessfully, etc.) . I added the different IDs so that you can setup the alert mail based on a indivudal filter. Thank you goes out to Eric Soldierer for this note. I also updated some changed services that had left their preview status.


In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:

  • the MFA service is down
  • we create a Conditinal Access that with a wrong rule set and lost sign-in access
  • we do not regulary update our control list and the admin account goes lost

For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:

  • only use a generic account
  • create a complex password with more than 16 characters
  • use a seperate FIDO2 key for every breakglass account
  • up to 256 characters possible – the limit of 16 character is removed
  • for compliance reason divide the password into two parts
  • save each part in a different location
  • create a security group that contains the break glass accounts
  • create two break glass accounts with no standard username like breakglass@ or emergency
  • use the Tenant name for the account
  • do not use a custom domain name
  • in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)

Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login. The use of a generic name can be a risk and the usage of this account most be transparenet for every tenant admin. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.

Continue reading Howto setup and monitor Break Glass Accounts in your Tenant

Move Azure VMs between Azure Global Regions

In the last couple of days I get a lot of question how to move Azure VMs between regions. So I decided to write a blog post about this question. First of all it is really important to understand which topics this article covers and which not.

To understand the article right, keep the follow settings in mind:

  • This article will cover how to move Azure VMs between global regions with ASR
  • Global regions mean all the standard available regions
  • This article doesn´t cover the movement between Azure Global and Azure Germany, Azure Governance or China
  • For moving Azure VMs from Azure Germany to Azure Global there there is planned to write an additional article
  • For a general movement of Azure resources (SQL databases, Web Apps and more) a futher post will follow

This article focuses on how to move Azure VMs between Azure global regions using Azure Site Recovery (ASR). Another article will focus on how to move other Azure resources between regions.

General

To move Azure VMs between different global regions with ASR there are some requirements needed:

  • Azure subscriptions are allowed to create Azure VMs in the target regions
  • User rights to create the Azure ressources (Azure VMs, VNETs, NICs, etc.)
  • Install latest updates on Windows/Linux OS
  • Check that the VM has Internet access without Proxy or Firewall between VM and Internet
  • When there is a firewall or proxy in place, check the needed requirements
  • Configure the VNET and Subnet in the target destination before move the VM to a different region

The process to move Azure VMs between different Global regions is straight forward. But don´t forget, all related management tasks to the VM, like Backup, Log analytics Workspace, Start Stop Runbooks will be lost after the migration.

Continue reading Move Azure VMs between Azure Global Regions

New Azure Exams Az-303 and Az-304 are available (replacement for Az-300/301)

In one of the last blog article on the old Microsoft Community Learning site was announced the new Azure exams Az-303 and Az-304 as beta. Why the last blog article, because they move the blog and all related content to a new page at TechCommunity.

Continue reading New Azure Exams Az-303 and Az-304 are available (replacement for Az-300/301)

Microsoft MVP for Azure 2020-2021

Yesterday was beginning of the new fiscal year for Microsoft and the renewal day for all MVPs from the last year. I´m very happy to announce that I received my 2nd MVP award in the category Microsoft Azure 🙂

I feel so honored to have received my 2nd award and now I am really sure that the first time was no mistake. It is a honor to work for the community, to discuss and learn from and with the community. I hope to share additional good things and hints in the next year for Microsoft Azure. Please feel free to reach for questions or ideas to some Azure topics. Hope to see you soon in person.

I would like to thank my wife Jessica for her great support, my best buddies Eric, Marcel and Thomas for their constant support. And finally, thanks the community and Microsoft for this great award.

Passed Azure Administrator Associate Exam Az-104

I reveived a cool mail some days ago with an information, that I had passed successful the new Azure Administrator Exam Az-104 and get the renewal of the Microsoft Certified: Azure Administrator Associate.

Two years ago Microsoft released the first new Rolebased exams with the Az-100/Az-101. I´ve passed both exams, but the exams are only valid for two years after passing. With the new Az-104 I got a renewal of the title for the next two years.

The Az-104 certification is a further development of the Az-103, as it will be discontinued at the end of July. To see the necessary skills and the differences to the Az-103, please have a look at the document “Az-104 Skills measured“.

Preparation and study guides

In preparation, all I can say is practice, practice, practice. Create different Azure Services, manage and administer them and interact with them. This helps a lot to understand the individual service and the different functions.

There are a lot of good study guides out there:

If you have any questions, please do not hesitate to contact me. Good luck and happy study.

Links

CONFIGURE AZURE FILES ON-PREMISES ACTIVE DIRECTORY (AD DS) AUTHENTICATION FOR FILESERVER OR WVD

Update 2

Please note: This article is replaced by All you need to know about Azure Files SMB authentication via Active Directory Domain Services.

Update 1

Azure Files on-premises Active Directory Domain Services authentication is since 11/06/20 GA. The article is upgraded and integrated the latest features and improvements.

Update 2

12/06/20 Azure Files Hybrid PowerShell Module upgrate to v. 0.2.0

In the past I had a lot of talks about Azure File Sync, a lightwight solutions to sync servers from different locations and branches via Azure Files. One often questions was, it is possible to use Azure Files directly with integrated on-premises Active Directory (AD DS) authentication – the great answer since a few days is Yes, this is possible.

Now you can use Azure Files with on-premises Active Directory authentication as a fully replacement for Fileservers. No need for Azure Active Directory Domain Services (Azure AD DS) or different settings on Azure Files. This gives great new ways to use Azure Files as an replacement for Windows based fileservers or for using as an profile store for Windows Virtual Desktop and come closer to a cloud native solution.

In this article I will explain how Azure files AD DS authentication works, how to configure it, some basic steps and more. Please feel free to use the comment section or Twitter to get in touch with me and give me feedback or ask questions.

Continue reading CONFIGURE AZURE FILES ON-PREMISES ACTIVE DIRECTORY (AD DS) AUTHENTICATION FOR FILESERVER OR WVD

Connect and Secure Azure PaaS services to Virtual Networks with Private Link

Azure allows to use IaaS and PaaS solution together over the same network. But all Azure PaaS services using a public interface for connection. When configure the PaaS firewall to allow traffic only from internal VNETs the public interface still exists. With Azure Private Link there is a new service to disable the public interface and add a private endpoint to secure connect to PaaS from your own VNET.

When configuring the internal service Firewall to block all traffic from outside the VNET, the Firewall make a mapping from internal VNET traffic to the Public IP and block all other IP- Adress ranges – and here comes the new Azure Service Private Link into play. This blog post will cover how Private Link works and how to configure this service for your environment including own DNS solution to get a complete private based Azure VNET.

Continue reading Connect and Secure Azure PaaS services to Virtual Networks with Private Link

Speaking at the ESPC AzureWeek about Azure Policy with Azure Security Center

This is a challenging time for everyone and I hope you are well. Many community conferences cancelled or moved to an online event. The online events give the oppurtunity to learn and discuss in an different way. The European Sharepoint Conference (ESPC) Team has announced the Azure Week between 25.05. – 29.05.20 as a webinar week.

The Azure Week has an great lineup with very useful sessions. Thomas Maurer open the week with a session about Modern Azure Cloud operations for IT Ops and I have the pleasure to close the week with a session about Azure Policy with Azure Security Center.

In this session we will dive into the many aspects of Azure Policy and Azure Security Center and see how they work together.

Continue reading Speaking at the ESPC AzureWeek about Azure Policy with Azure Security Center