In this blog, I will explain how to create a virtual network (VNET) using the Microsoft Azure portal. A virtual network is the basic building block for your private network in Azure. It enables Azure resources, like VMs (Virtual Machines), to safely communicate with each other and with the internet.
1- Type "virtual networks" in the search bar, or select Virtual networks from the Azure portal menu.
2- On the Virtual networks page of the default directory, click Create virtual network.
3- In the Create virtual network wizard, select your subscription. Next to Resource group, click Create new to create a new resource group.
4- Type a resource group name (rg-vnet) and then click OK.
5- Under Instance details, enter the name of your virtual network (vnet01). Then select the location to use as the basis for your virtual network; choose one close to you for better performance. Select Next: IP Addresses >.
6- Provide an IPv4 address space. I am selecting 10.1.0.0/8, but feel free to use a different address space. Click + Add subnet.
7- In the Add subnet wizard, enter a subnet name (vnet-subnet) and type 10.1.0.0/24 as the subnet address range. To create a service endpoint policy that allows traffic to a service, select the service under Services.
8- Click Next : Security >.
9- Choose your DDoS protection and Firewall settings and then click Next : Tags >.
10- Optionally add tags for the virtual network and click Next : Review + Create >.
11- Once the virtual network validation has passed, select Create.
12- The virtual network deployment succeeds.
13- Your deployment is complete; select Go to resource.
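The same virtual network and subnet, built with the Az PowerShell module instead of the portal. This is an added example, not part of the original post: it assumes the Az module is installed and Connect-AzAccount has already been run, and the region and the /16 address space are my choices (the subnet must sit inside whatever address space you pick).

```powershell
# Added example (not from the original post): the VNET and subnet from the steps above,
# created with the Az PowerShell module.
# Assumptions: Az module installed, Connect-AzAccount already run; region and CIDRs are mine.
$rgName   = 'rg-vnet'
$location = 'eastus'            # pick a region close to you, as in step 5
$vnetName = 'vnet01'
$vnetCidr = '10.1.0.0/16'       # my choice; the subnet below must fall inside it
$subName  = 'vnet-subnet'
$subCidr  = '10.1.0.0/24'

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Build the subnet configuration first; the VNET is created with the subnet attached.
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subName -AddressPrefix $subCidr

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName `
    -Location $location -AddressPrefix $vnetCidr -Subnet $subnet

# Verify the result: the address space and the subnet we asked for.
$vnet.AddressSpace.AddressPrefixes
$vnet.Subnets | Select-Object Name, AddressPrefix
```

Scripting the network this way makes the address plan reviewable in source control, which is harder to do with a sequence of portal clicks.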
Attach extra disk to Azure VM
In this blog, we will show you how to create a managed disk and attach it to a Windows Azure VM through the Azure portal.
Create a Managed Disk
Log in to the Microsoft Azure Portal using your subscription.
1- Click the Azure portal menu and, from the services list, click Virtual machines.
2- From the Virtual machines list of the default directory, click the VM.
3- Click Disks under Settings.
Attach Extra Disk to Azure
4- Now click + Add data disk and, under Name, select Create disk.
5- In the Create managed disk wizard, type the name of the new disk (Extra) and select the resource group. By default a 1 TB Premium SSD is selected; if you would like to change the disk size, click Change size under Size.
6- Select the disk size you want and then click OK.
7- I am going to keep the default size, 1 TB Premium SSD, and click Create.
8- The disk is created successfully.
9- Under Host caching choose Read/Write and, to attach the data disk, click Save.
10- After a few seconds the managed disk is attached to the VM.
11- Select the Virtual machines tab.
12- Select your virtual machine.
13- Select Connect and then choose RDP.
14- Click Download RDP file.
15- Enter your credentials and then click OK.
16- Once you are logged in to the VM, in Server Manager click File and Storage Services.
17- Select Disks, select your 1 TB Unknown disk and, under Volumes, start the New Volume wizard to create a volume.
18- In the New Volume wizard, click Next.
19- Select the server and disk, then click Next.
20- The selected disk will be brought online; click OK.
21- Choose a volume size as per your requirement and then click Next.
22- Assign a drive letter and then click Next.
23- Enter a volume label and then click Next.
24- Verify the settings and then click Create.
25- Click Close.
26- The new disk is now online.
27- Open This PC; you can see the newly attached managed disk as the F: drive.
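The two halves of the procedure above (creating and attaching the disk in Azure, then initialising it inside Windows) as PowerShell. This is an added example, not the post's own code: the first part runs from an admin workstation with the Az module and an existing Connect-AzAccount session, the second part runs in an elevated PowerShell inside the RDP session. Resource group, VM name and LUN are my assumptions.

```powershell
# Added example (not from the original post): create a managed data disk, attach it to an
# existing Windows VM, then initialise it from inside the guest.
# Assumptions: Az module + Connect-AzAccount done; names are mine; LUN 0 is free on the VM.
$rgName   = 'RG-VM'
$vmName   = 'vm01'
$diskName = 'Extra'
$sizeGB   = 1024                  # 1 TB, the default size the post keeps

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName

# Empty Premium SSD in the same region as the VM (steps 4-8).
$diskConfig = New-AzDiskConfig -Location $vm.Location -CreateOption Empty `
    -DiskSizeGB $sizeGB -SkuName Premium_LRS
$disk = New-AzDisk -ResourceGroupName $rgName -DiskName $diskName -Disk $diskConfig

# Attach with Read/Write host caching (step 9) and push the change to the VM.
$vm = Add-AzVMDataDisk -VM $vm -Name $diskName -CreateOption Attach `
    -ManagedDiskId $disk.Id -Lun 0 -Caching ReadWrite
Update-AzVM -ResourceGroupName $rgName -VM $vm

# --- Inside the guest (elevated PowerShell in the RDP session), steps 16-27 ---
# Bring the new RAW disk online, initialise it with GPT, and create one NTFS volume as F:.
# Filtering on PartitionStyle RAW makes sure an existing, formatted disk is never touched.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false
```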
Capture a managed image in Azure
In this article I will show you how to capture a virtual machine (VM) and create a new VM from that image with a managed disk.
A managed image resource can be created from a generalized virtual machine (VM) that is stored as either a managed disk or an unmanaged disk in a storage account. The captured image can be used to create multiple VMs.
1- Log in to the Azure portal and then select Virtual machines.
2- Select the VM you want to capture an image of.
3- In the VM's details pane, click Capture.
4- Type a name for your new managed image and select an existing resource group. Choose whether to delete this VM automatically after the image is created, or leave it to delete later. Type the virtual machine name and then click Create.
5- The notification shows that the image was created successfully.
6- Click Virtual machines.
7- Select the virtual machine and then click Delete.
8- Under Confirm delete, click Yes and then click the Delete button.
Generalize the Windows VM using Sysprep. Running Sysprep removes all your personal account and security information, and then prepares the machine to be used as an image.
Please make sure the server roles running on the machine are supported by Sysprep.
Important Note:
After you run Sysprep on a virtual machine, that VM is considered generalized and cannot be restarted. Generalizing a Windows virtual machine is not reversible.
To generalize the Windows virtual machine, follow the steps below:
1- Sign in to your Windows VM.
2- Open the Run dialog by pressing Windows key+R. Type the directory %windir%\system32\sysprep and then click OK.
3- Double-click sysprep.exe to run the tool.
4- In the System Preparation Tool dialog box, choose Enter System Out-of-Box Experience (OOBE) under System Cleanup Action and then select the Generalize checkbox. Under Shutdown Options, select Shutdown and then select OK.
5- Sysprep shows its progress ("Processing generalize phase Sysprep plugins").
When Sysprep completes, it shuts down the virtual machine. Please do not restart the VM.
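The Sysprep generalization and the image capture above, scripted. This is an added example and not the post's own code: the Sysprep command line is the equivalent of the dialog choices (OOBE, Generalize, Shutdown) and runs inside the guest; the rest runs from an admin workstation with the Az module and an existing Connect-AzAccount session. Resource group, VM and image names are my assumptions.

```powershell
# Added example (not from the original post): generalize the guest with Sysprep, then
# capture a managed image from the stopped VM with the Az module.
# Assumptions: Az module + Connect-AzAccount; resource group, VM and image names are mine.

# --- Inside the guest (elevated PowerShell): equivalent of steps 1-5 above.
# /oobe /generalize /shutdown match the options chosen in the Sysprep dialog.
# Not reversible: once this runs, the VM must not be started again.
#   & "$env:windir\system32\sysprep\sysprep.exe" /oobe /generalize /shutdown

# --- From your admin workstation, once the VM has shut itself down:
$rgName    = 'RG-VM'
$vmName    = 'vm01'
$imageName = 'img-win2019-base'

# Deallocate the VM and mark it as generalized in Azure. Azure does not detect that
# Sysprep ran; the capture is refused unless the VM carries the generalized flag.
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force
Set-AzVM  -ResourceGroupName $rgName -Name $vmName -Generalized

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$imageConfig = New-AzImageConfig -Location $vm.Location -SourceVirtualMachineId $vm.Id
$image = New-AzImage -ResourceGroupName $rgName -ImageName $imageName -Image $imageConfig

# Confirm the image exists before touching the source VM.
Get-AzImage -ResourceGroupName $rgName -ImageName $imageName |
    Select-Object Name, Location, @{n='OsState';e={$_.StorageProfile.OsDisk.OsState}}

# The generalized source VM cannot be used again (steps 6-8 delete it in the portal).
# Remove-AzVM -ResourceGroupName $rgName -Name $vmName -Force
```

The OsState check at the end should report Generalized; if the image shows Specialized, the Set-AzVM -Generalized step was skipped and VMs created from it will not boot through OOBE.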
Create Virtual Machine in Azure
In this guide I am going to deploy a new virtual machine (VM) through the Microsoft Azure portal. The portal provides a browser-based user interface to create VMs and their associated resources. These steps will show you how to use the Azure portal to deploy a virtual machine (VM) in Microsoft Azure that runs Microsoft Windows Server 2019.
1- On the Azure menu bar select Virtual machines, or type virtual machines in the search box. On the Virtual machines page, select + Add or Create virtual machine.
2- On the Basics tab of Create a virtual machine, under Project details, select your subscription and then choose to create a new resource group.
3- Type a resource group name (RG-VM) and then click OK.
4- Under Instance details, type a virtual machine name, select East US as the Region, and then select Windows Server 2019 Datacenter as the Image. A VM size is selected by default; if you want to change it, click Select size.
5- Select a VM size as per your requirement and then click OK.
6- Under Administrator account, type a username of your choice and a password. Under Inbound port rules, select Allow selected ports and then choose the ports under Select inbound ports. I am going to choose only RDP (3389) because I am testing in my home lab. Select Next : Disks >.
7- Leave the default disk settings or, if you need an additional disk, click Create and attach a new disk.
8- In the Create a new disk wizard, 1 TB Premium is selected by default; if you want to change it, click Change size.
9- Select a disk size as per your requirement.
10- Click Next : Networking >.
11- Review the VM network settings and click Next : Management >.
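The same Windows Server 2019 deployment with the Az module. This is an added example, not the post's own code. It keeps the post's choice of RDP as the only inbound port, but instead of the portal's "allow from any source" rule it creates the NSG itself with a rule limited to one admin address. The resource group, names, VM size and the admin IP (a documentation placeholder) are my assumptions; the Az module and a Connect-AzAccount session are required.

```powershell
# Added example (not from the original post): deploy a Windows Server 2019 VM with the Az
# module, matching the portal steps above. Only RDP is allowed inbound, and only from one
# admin address, rather than from the whole internet.
# Assumptions: Az module + Connect-AzAccount; resource group, names, size and IP are mine.
$rgName   = 'RG-VM'
$location = 'eastus'
$vmName   = 'vm01'
$adminIp  = '203.0.113.10'        # placeholder (TEST-NET-3); replace with your public IP
$cred     = Get-Credential -Message 'Local administrator for the VM'

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# NSG with a single inbound rule: TCP 3389 from $adminIp only. Everything else inbound
# is denied by the default rules.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-admin' -Direction Inbound `
    -Priority 1000 -Access Allow -Protocol Tcp -SourceAddressPrefix $adminIp `
    -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -Name "$vmName-nsg" -ResourceGroupName $rgName `
    -Location $location -SecurityRules $rdpRule

# New-AzVM (simplified parameter set) creates the VNET, subnet and public IP for us and
# reuses the NSG above because we pass its name; no -OpenPorts, so no extra rules are added.
New-AzVM -ResourceGroupName $rgName -Name $vmName -Location $location `
    -Image 'Win2019Datacenter' -Size 'Standard_B2s' -Credential $cred `
    -VirtualNetworkName "$vmName-vnet" -SubnetName 'default' `
    -SecurityGroupName $nsg.Name -PublicIpAddressName "$vmName-pip"

# Verify: the only inbound Allow rule is scoped to the admin address.
(Get-AzNetworkSecurityGroup -Name $nsg.Name -ResourceGroupName $rgName).SecurityRules |
    Select-Object Name, Direction, Access, SourceAddressPrefix, DestinationPortRange
```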
Adding an organization fails with 401: Unauthorized and Connect to PowerShell Access Denied errors in Office 365 tenants with Security Defaults enabled
Security Defaults require MFA (Multi-Factor Authentication) for all users, including administrators and Azure management; require Azure MFA registration; and block legacy authentication.
Conditional Access: Require MFA for all users. Create a Conditional Access policy.
The steps below will help you create a Conditional Access policy that requires all users to perform multi-factor authentication.
1- Sign in to Microsoft Azure as a security administrator, global administrator or Conditional Access administrator. Select Azure Active Directory.
2- Select Security under the Manage tab.
3- Under the Protect tab, select Conditional Access.
4- Click + New policy.
5- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Under Assignments, select Users and groups.
6- Select the Include tab and then select All users.
7- Select the Exclude tab and then select Users and groups.
8- Select your organization's emergency access or break-glass accounts and then choose the Select button.
9- Select Cloud apps or actions, select Include and select All cloud apps.
10- Select the Exclude tab, select Excluded cloud apps, choose any applications that do not require multi-factor authentication, and click the Create button.
11- Choose the Conditions tab, select Client apps (Preview), and set Configure to Yes. Under Select the client apps this policy will apply to, leave all defaults selected and then select Done.
12- Under Access controls, select Grant, choose Grant access, select the Require multi-factor authentication checkbox and click Select.
13- Confirm your settings and set Enable policy to On. Select Save to create and enable your policy.
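The policy from the steps above as a Microsoft Graph PowerShell call, so that the include/exclude structure is visible in one place. This is an added example and not part of the original post; it assumes the Microsoft.Graph module, and the break-glass object id is a placeholder. One deliberate difference from the portal steps: it creates the policy in report-only state first, so you can check the sign-in logs for what it would block before switching it to enabled.

```powershell
# Added example (not from the original post): the "require MFA for all users" Conditional
# Access policy from the steps above, created with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the break-glass account id is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of your emergency access account

$policy = @{
    displayName = 'CA001: Require MFA for all users'
    # Report-only first (my choice); set to 'enabled' once the sign-in log review is clean.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')                      # step 6
            excludeUsers = @($breakGlassId)              # step 8: never lock out break-glass
        }
        applications   = @{ includeApplications = @('All') }   # step 9
        clientAppTypes = @('all')                        # step 11: all client app types
    }
    grantControls = @{                                   # step 12
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Sanity check: the exclusion list must contain the break-glass account, otherwise an
# MFA outage would lock every administrator out of the tenant.
if ($created.Conditions.Users.ExcludeUsers -notcontains $breakGlassId) {
    throw 'Break-glass account is not excluded from the MFA policy'
}
```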
Add Office 365 Organization using modern authentication
After successfully configuring modern authentication, I am now going to add the organization to Veeam Backup for Office 365.
How to add an Office 365 organization that uses modern authentication to the Veeam Backup for Microsoft Office 365 scope
Now I am ready to add our tenant to Veeam Backup for Microsoft Office 365.
1- Open the Veeam Backup for Office 365 console, select Organizations and then Add Org.
2- Select the organization's deployment type, select the services you want to protect and then click Next.
3- Select the region of your tenant and the authentication method to use. Of course we are going for modern authentication now (there is an option to allow legacy authentication protocols); then click Next.
4- In the Exchange Online credentials step, provide all the information we collected: the application ID, the application secret, our username and the app password, then click Next.
5- After the connection and organization parameters have been verified, click Close. The tenant is added to your Veeam console successfully.
6- Now you can see that the organization was added successfully.
With the release of version 4 of Veeam Backup for Office 365, we are now able to use so-called modern authentication. This means using service accounts enabled for MFA (multi-factor authentication).
We need an Azure Active Directory custom application and a service account that has MFA (Multi-Factor Authentication) enabled. The custom application registered in Azure Active Directory will allow Veeam Backup for Office 365 to access the Microsoft Graph API. With this access, we can pick up the data from the Microsoft Office 365 organization tenant.
In this strategy, the service account will be used to connect to the EWS and PowerShell services.
Preparation
In this instance, we want to use modern authentication with Veeam Backup for Office 365.
The following steps are needed to use modern authentication:
Register a custom application in Azure Active Directory
Collect your Application ID and Secret
Create a new client secret
Create a new service account in Azure Active Directory
Enable Multi-Factor Authentication (MFA) on this service account
Assign roles to the service account
Grant the service account the required roles and permissions
Get an app password for the MFA-enabled service account
Add the tenant to Veeam with the service account
Register a custom application in Azure Active Directory
1- Open the Azure Active Directory admin center and, under the Manage tab, select App registrations.
2- On the App registrations tab, click + New registration.
3- Enter a name for the new custom application, select the supported account type and then click Register.
4- After creating the new custom application, we need to grant it some permissions. For that, go to your newly created application and then select the + API permissions button.
5- Now we need to add Microsoft Graph permissions to our custom application. In the Request API permissions wizard, select Microsoft Graph.
6- Select Application permissions.
7- Expand Directory and select Directory.Read.All. Expand Group and select Group.Read.All from the list of available permissions, and then click Add permissions. These two permissions (Directory.Read.All and Group.Read.All) are needed to access the organization tenant.
8- This type of permission requires administrator consent. To grant it, click Grant admin consent for (tenant name).
9- Click Yes to confirm granting the permissions.
10- Admin consent for the requested permissions is granted successfully. Click the + Add a permission button.
11- Scroll down and then select SharePoint.
12- Select Application permissions, expand Sites, select Sites.FullControl.All and then click Add permissions.
13- Click Grant admin consent for (tenant name).
14- Click Yes to confirm granting the permissions.
15- The permissions are configured successfully. Click the + Add a permission button.
16- Scroll down and then select Exchange.
17- Choose Application permissions.
18- Click Grant admin consent for (tenant name).
19- Click Yes to confirm granting the permissions.
20- We have successfully registered a custom application in Azure Active Directory and set the required permissions.
How to get your Application secret
Create a new client secret
1- To create a new client secret for our newly created custom application, under Manage select Certificates & secrets and then click the + New client secret button under Client secrets.
2- In the Add a client secret wizard, specify a description and an expiration date, and then click Add.
We have successfully created the application secret. The secret can be reviewed in the main settings area of your custom application under Certificates & secrets.
Collect Application Secret
3- To collect the application secret, go to Certificates & secrets within your custom application, copy the Value and then save it in Notepad.
Collect Application ID
4- Next you need to collect the application ID. Go back to the main page of the app registration, copy the Application (client) ID and then save it in Notepad.
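The app registration, the Graph and SharePoint application permissions named in the steps above, admin consent and the client secret, done with the Microsoft Graph PowerShell SDK. This is an added example and not the post's own code. It assumes the Microsoft.Graph module and a Global Administrator session; the application name and secret lifetime are mine. The Exchange Online permission is left out because the post does not say which one it selected, and the app role ids are looked up by name so no permission GUIDs have to be typed in. Note that the secret text is returned only once, at creation.

```powershell
# Added example (not from the original post): register the custom application, request the
# Graph and SharePoint application permissions named above, grant admin consent, and create
# a client secret, all with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module; app name and secret lifetime are mine.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

# Well-known resource app ids (the same in every tenant).
$graphAppId      = '00000003-0000-0000-c000-000000000000'
$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

# Resolve app role ids by permission name from each resource's service principal.
function Get-AppRoleIds {
    param([string]$ResourceAppId, [string[]]$Roles)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    foreach ($r in $Roles) {
        $role = $sp.AppRoles | Where-Object { $_.Value -eq $r -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "App role $r not found on $ResourceAppId" }
        [pscustomobject]@{ ResourceAppId = $ResourceAppId; SpId = $sp.Id; RoleId = $role.Id; Role = $r }
    }
}

$wanted = @(Get-AppRoleIds $graphAppId      @('Directory.Read.All', 'Group.Read.All')) +
          @(Get-AppRoleIds $sharePointAppId @('Sites.FullControl.All'))

# requiredResourceAccess is what the portal lists under "API permissions"; type 'Role'
# means an Application permission (as opposed to 'Scope' for Delegated).
$required = $wanted | Group-Object ResourceAppId | ForEach-Object {
    @{
        resourceAppId  = $_.Name
        resourceAccess = @($_.Group | ForEach-Object { @{ id = $_.RoleId; type = 'Role' } })
    }
}

$app   = New-MgApplication -DisplayName 'veeam-vbo-app' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess $required
$appSp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent (steps 8 and 13): one app role assignment per permission for our service principal.
foreach ($w in $wanted) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
        -PrincipalId $appSp.Id -ResourceId $w.SpId -AppRoleId $w.RoleId | Out-Null
}

# Client secret ("Create a new client secret"): SecretText is only available in this response.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    displayName = 'veeam-vbo'
    endDateTime = (Get-Date).AddMonths(6)
}

"Application (client) ID: $($app.AppId)"
# $secret.SecretText goes straight into the Veeam credential store or a secrets vault;
# it cannot be read back from the portal afterwards.
```

Keeping the secret in a vault rather than a Notepad file also makes the rotation at endDateTime a routine job instead of a scramble.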
How to create a new service account in Azure Active Directory
1- Now we need to create the service user that will connect from Veeam Backup for Office 365 to your tenant. In the Office 365 admin center, click + New user to create a user without a product license.
2- The user we are going to create will be our service user for MFA (Multi-Factor Authentication). Type a name and an initial password and then click Create.
How to configure an MFA-enabled service account
After successfully creating the service user, we can proceed with activating MFA for it. Go back to the All users overview within your Azure Active Directory admin center.
3- Select your newly created service user. Select ... at the top right of the ribbon, and then select Multi-Factor Authentication.
4- Select your service user on the left side and then click Enable (MFA) on the right side under Quick steps.
5- Click the Enable multi-factor auth button.
6- The account is successfully enabled for MFA. Click Close.
7- Now you can review your user, which is now enabled for MFA.
Assign roles to the service account
The user needs the correct permissions and roles to back up Exchange Online and SharePoint Online. We have the choice to do this via the Exchange Admin Center.
For Exchange Online: the Global Administrator or Exchange Administrator role. Additionally, you need the ApplicationImpersonation role.
For SharePoint Online: the Global Administrator or SharePoint Administrator role.
I have done this for testing purposes and for this blog post. I would not recommend assigning Global Administrator in a production environment; use the Exchange Administrator and SharePoint Administrator roles instead.
1- Select the user account (veeam_vbo).
2- Click Assigned roles under Manage and then click + Add assignments.
3- Select the role in the Directory role wizard on the left-hand side and then click Add.
4- The roles are assigned successfully.
SharePoint Admin Center
1- Log in to the SharePoint Admin Center, select Access control, and then Apps that don't use modern authentication.
2- Verify that Allow access is selected.
How to grant a service account the required roles and permissions
1- Add the ApplicationImpersonation role via the Exchange Admin Center. Select the Permissions tab on the left-hand side. Under Admin roles, click the + button to add a new role group.
2- Type a role group name and description. Leave the Write scope at Default and then click the + button.
3- Under Roles, add the ApplicationImpersonation, Mail Recipients, Mail Search, View-Only Configuration and View-Only Recipients roles from the list, and then click OK.
4- Add a member, meaning our service account, to this new role group. For that, click the + button under Members.
5- Select your newly created service user, click Add and then click OK.
6- Click Save.
7- The user has been granted the ApplicationImpersonation role.
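The same role group created with Exchange Online PowerShell, plus a check that the service account really ended up with ApplicationImpersonation. This is an added example, not the post's own code; it assumes the ExchangeOnlineManagement module, and the service account UPN and the group name are placeholders of mine (only veeam_vbo comes from the post). The five role names are the Exchange names of the roles chosen in step 3.

```powershell
# Added example (not from the original post): the role group from the steps above, created
# with Exchange Online PowerShell, and a verification of the resulting assignments.
# Assumptions: ExchangeOnlineManagement module; UPN and group name are placeholders.
Connect-ExchangeOnline

$svcAccount = 'veeam_vbo@contoso.onmicrosoft.com'   # placeholder UPN for the service account
$groupName  = 'Veeam Backup Service'

# The roles chosen in step 3, by their Exchange names. Write scope stays Default.
$roles = 'ApplicationImpersonation', 'Mail Recipients', 'Mail Search',
         'View-Only Configuration', 'View-Only Recipients'

# A dedicated role group keeps the service account off Global Administrator, which the
# post itself advises against for production.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles -Members $svcAccount `
        -Description 'Least-privilege roles for Veeam Backup for Office 365' | Out-Null
}

# Verify (step 7): membership and the effective role assignments of the group.
Get-RoleGroupMember -Identity $groupName | Select-Object Name, RecipientType
$assigned = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assigned | Select-Object Role, RoleAssigneeName, CustomRecipientWriteScope

if ($assigned.Role -notcontains 'ApplicationImpersonation') {
    throw "ApplicationImpersonation is not assigned to $groupName"
}
```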
To get an app password for an MFA-enabled service account
1- The last thing we need to do before adding our tenant to Veeam Backup for Microsoft Office 365 is to collect the app password. Log in with the new user account and go through the additional security verification setup for this new account.
2- Now we need to select whether we would like to receive text messages or have Microsoft call us for phone verification. I am going to select the Authentication phone option (country code and phone number), select Send me a code by text message and then click Next.
3- Type the verification code and then click Verify.
4- This app password is needed in the tenant configuration in Veeam Backup for Office 365. Copy it to Notepad or save it for later use. Click Done.
5- After logging in to the user's Office 365 account, click the My account icon and then click My account.
6- You will be redirected to https://portal.office.com/account. Under My account, select the Security & privacy tab to create and manage your passwords. Click Create and manage app passwords.
7- Under Additional security verification (app passwords), click Create.
8- Enter a name and then click Next.
9- Copy your password, save it in Notepad and then click Close.
10- If you have an existing service account, you will need to sign in with that user. In the upper right-hand corner, select Settings and then your Office 365 app settings.
I have created a new user, so I don't want to do that here.
Add Azure Blob Storage
In this guide, I will add a new Microsoft Azure Blob storage repository to the Veeam Backup for Microsoft Office 365 backup infrastructure.
1- Open Veeam Backup for Microsoft Office 365, select the Backup Infrastructure tab and then select Backup Repositories.
6- Specify the location for the backup repository and click Next.
7- In the Specify if you want to extend your backup repository to object storage step, choose Offload backup data to object storage and select the Azure Blob repository (you just created it).
8- Choose Encrypt data uploaded to object storage and click Add next to Password.
9- Enter a password and then click OK.
10- Click Next.
11- Specify the retention policy settings. I am going to keep the default settings; click Advanced.
12- In the Advanced Settings wizard you can change the retention policy schedule as you want; click OK.
13- Click Finish.
14- Now you can see that the backup repository was added successfully.
Add Object Storage Repository
In this article, I will explain how to add an object storage repository in Veeam Backup for Office 365. An object storage repository is used to store Microsoft Office 365 and on-premises Microsoft organization backups using one of the following clouds:
S3 Compatible object storage
Amazon S3 object storage
Microsoft Azure Blob storage
IBM Cloud Object Storage
Add Object Storage Repository
1- Open the Veeam shortcut to log in to the Veeam Backup for Microsoft Office 365 server. Click Connect on the Veeam Backup for Microsoft Office 365 console.
2- In the Veeam Backup for Microsoft Office 365 home console, select Backup Infrastructure.
6- Under Object storage type, select Microsoft Azure Blob Storage and then click Next.
7- Under Microsoft Azure storage account, click Add next to Specify account credentials to connect to Microsoft Blob storage.
8- Now paste the Azure storage account name as Account and key1 as Shared key (we copied them when we created the Azure storage account) and click OK.
9- In Add object storage repository, Microsoft Azure storage account, select Azure Global (Standard) under Region and then click Next.
10- Under Microsoft Azure Blob container, select an Azure Blob container (we created it previously when creating the Azure storage account and its settings) and click Browse under Folder.
11- In the Select folder dialog, click New Folder. Type a name for the new folder and then click OK.
12- Under Microsoft Azure Blob container, click Advanced.
13- In Advanced Settings, if you would like to control storage spend, select Limit object storage consumption and enter the storage size, then click OK.
14- In the Add object storage repository Microsoft Azure Blob container wizard, click Finish.
15- Now you can see that the object storage repository was created successfully in Veeam.
Create Storage Account Azure
In this guide I will create an Azure storage account. A Microsoft Azure storage account contains all of our Azure Storage data objects: blobs, files, tables, queues and disks. Microsoft Azure storage accounts offer a unique namespace for storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in an Azure storage account is durable and highly available, secure, and massively scalable.
Create Storage Account Azure
1- Log in to the Azure portal and then click + Create a resource.
2- On the New wizard, type storage account and then select Storage account - blob, file, table, queue.
3- On the Storage account page, click Create.
4- On the Create storage account page, select your Azure subscription and, under Resource group, click Create new.
5- Enter a name for the resource group and then click OK.
6- Storage account name: type a name for the storage account. Location: select your location. Performance: select Standard. Account kind: select StorageV2 (general purpose v2). Replication: select Locally-redundant storage (LRS). Access tier (default): select Cool. Then click Next: Networking >.
7- On the Networking page, select Public endpoint (all networks) and then click Next: Advanced >.
8- On the Advanced page, configure as follows. Secure transfer required: select Enabled. Large file shares: select Disabled. Blob soft delete: select Disabled. Hierarchical namespace: select Disabled. Then click Next: Tags >.
10- On the Review + create page, make sure validation passed and then click Create.
11- It will take a few minutes to create the new storage account; click Go to resource when the storage account is ready.
12- On the created storage account page, select Access keys.
13- Under Settings, Access keys, copy the Storage account name and the key of key1; we need this key for the Veeam storage repository settings later.
14- On the created storage account page, select Containers under Blob service.
15- On the Containers page, click + Container.
16- On the New container page, type a name for the new container, choose Private (no anonymous access) as the public access level and then click Create.
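The storage account and private container above, created with the Az module using the same settings the post picks (StorageV2, Standard LRS, Cool tier, secure transfer required, private container), with key1 read into a variable for the Veeam repository instead of Notepad. This is an added example and not the post's own code; it assumes the Az module and a Connect-AzAccount session, and the resource group, region, account name and container name are mine (storage account names must be globally unique). The minimum TLS version line is my addition and not one of the post's settings.

```powershell
# Added example (not from the original post): storage account and private container from the
# steps above, created with the Az module and checked afterwards.
# Assumptions: Az module + Connect-AzAccount; names and region are mine.
$rgName      = 'rg-storage'
$location    = 'eastus'
$accountName = 'stveeamvbo' + (Get-Random -Maximum 99999)   # 3-24 lowercase letters/digits, globally unique
$container   = 'veeam-backups'

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Step 6 and 8 settings: StorageV2, Standard LRS, Cool tier, secure transfer (HTTPS) required.
# MinimumTlsVersion is my addition, not one of the post's settings.
$sa = New-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 -AccessTier Cool `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2

# Step 16: private container, no anonymous access.
New-AzStorageContainer -Name $container -Context $sa.Context -Permission Off | Out-Null

# Step 13: key1 for the Veeam repository. Keep it in the Veeam credential store or a vault;
# New-AzStorageAccountKey -KeyName key1 rotates it when needed.
$key1 = (Get-AzStorageAccountKey -ResourceGroupName $rgName -Name $accountName)[0].Value

# Verify what was actually created.
$sa | Select-Object StorageAccountName, Kind, AccessTier, EnableHttpsTrafficOnly, MinimumTlsVersion
$access = (Get-AzStorageContainer -Name $container -Context $sa.Context).PublicAccess
if ($access -and $access -ne 'Off') { throw "Container $container allows anonymous access: $access" }
```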