azure
42 Topics

Introducing Virtual Machine restore points – a simpler way to protect Azure workloads
Virtual Machine restore points are now generally available. Customers and Azure partners who are looking to build business continuity and disaster recovery solutions can use VM restore points to capture app-consistent and crash-consistent backups natively on the Azure platform. These can then be used to restore disks and VMs during scenarios such as data loss, data corruption or disaster recovery.
18K Views, 5 likes, 0 Comments

How to Save 70% on File Data Costs
In the final entry in our series on lowering file storage costs, DarrenKomprise shares how Komprise can help lower on-premises and Azure-based file storage costs. Komprise and Azure offer you a means to optimize unstructured data costs now and in the future!
14K Views, 1 like, 1 Comment

Enable Secure access to Azure Storage Account across multiple subscriptions
Public read access to Azure containers and blob storage is an easy and convenient way to share data; however, it also poses a security risk. For better security, public access to the entire storage account can be disallowed regardless of the public access setting of any individual container within the storage account. Disallowing public access to storage prevents a user from enabling public access for a container in the respective storage account.

Ensuring secure access to storage accounts across subscriptions can be tedious as we grow. Here is a solution that can help you disallow public access to storage accounts at scale. You can extract the list of all storage accounts from the Azure subscription(s) and use the same .csv file as an input in the solution below to disallow access to storage account containers at scale across all your subscriptions.

Pre-Requisite:
- Az Modules must be installed
- The service principal created in Step 1 must have Contributor-level access to the subscriptions

Steps to follow:

Step 1: Create a service principal

Please refer to:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-5.7.0

After creating the service principal, retrieve the values below:
- Tenant Id
- Client Secret
- Client Id

Step 2: Create a PowerShell function which will be used to generate the authorization token

```powershell
function Get-apiHeader {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $TENANTID,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $ClientId,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $PasswordClient,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $resource
    )
    # Request a token with the OAuth 2.0 client credentials grant
    $tokenresult = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{
        "grant_type"    = "client_credentials"
        "resource"      = "https://$resource/"
        "client_id"     = "$ClientId"
        "client_secret" = "$PasswordClient"
    }
    $token = $tokenresult.access_token
    # Headers reused for every Azure Resource Manager call below
    $Header = @{
        'Authorization' = "Bearer $token"
        'Host'          = "$resource"
        'Content-Type'  = 'application/json'
    }
    return $Header
}
```

Step 3: Invoke the API to retrieve the authorization token using the function created in the step above

Note: Replace $TenantId, $ClientId and $ClientSecret with the values captured in Step 1.

```powershell
$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"
```

Step 4: Extract the list of storage accounts across accessible subscriptions

```powershell
$subscriptionList = Get-AzSubscription
$subscriptionIdList = $subscriptionList.Id
# Collect resource IDs from every subscription instead of keeping only the last one
$TableData = @()
foreach ($subscriptionId in $subscriptionIdList)
{
    $resourceURL = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Storage/storageAccounts?api-version=2021-01-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $TableData += $resourcedetails.value.id
}
```

Step 5: Enable secure access to the storage accounts

```powershell
foreach ($Data in $TableData)
{
    # Read the current settings of the storage account
    $resourceid = $Data
    $resourceURL = "https://management.azure.com$($resourceid)?api-version=2021-02-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $resourcelocation = $resourcedetails.location
    $permissions = $resourcedetails.properties.allowBlobPublicAccess
    if ($permissions -eq $false)
    {
        Write-Output "Public access to Storage Account: $($resourcedetails.name) is already disabled"
    }
    Else
    {
        Write-Output "Changing ACL for Storage Account: $($resourcedetails.name)"
        # allowBlobPublicAccess is a JSON boolean; the closing "@ must start at column 0
        $body = @"
{
    "location": "$($resourcelocation)",
    "properties": {
        "allowBlobPublicAccess": false
    }
}
"@
        Invoke-RestMethod -Uri $resourceURL -Method Put -Headers $AzureApiheaders -Body $body
    }
}
```

Overall Script:

```powershell
function Get-apiHeader {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $TENANTID,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $ClientId,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $PasswordClient,
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $resource
    )
    # Request a token with the OAuth 2.0 client credentials grant
    $tokenresult = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{
        "grant_type"    = "client_credentials"
        "resource"      = "https://$resource/"
        "client_id"     = "$ClientId"
        "client_secret" = "$PasswordClient"
    }
    $token = $tokenresult.access_token
    # Headers reused for every Azure Resource Manager call below
    $Header = @{
        'Authorization' = "Bearer $token"
        'Host'          = "$resource"
        'Content-Type'  = 'application/json'
    }
    return $Header
}

$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"

$subscriptionList = Get-AzSubscription
$subscriptionIdList = $subscriptionList.Id
foreach ($subscriptionId in $subscriptionIdList)
{
    # List the storage accounts of the current subscription
    $resourceURL = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Storage/storageAccounts?api-version=2021-01-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $TableData = $resourcedetails.value.id
    foreach ($Data in $TableData)
    {
        # Read the current settings of the storage account
        $resourceid = $Data
        $resourceURL = "https://management.azure.com$($resourceid)?api-version=2021-02-01"
        $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
        $resourcelocation = $resourcedetails.location
        $permissions = $resourcedetails.properties.allowBlobPublicAccess
        if ($permissions -eq $false)
        {
            Write-Output "Public access to Storage Account: $($resourcedetails.name) is already disabled"
        }
        Else
        {
            Write-Output "Changing ACL for Storage Account: $($resourcedetails.name)"
            # allowBlobPublicAccess is a JSON boolean; the closing "@ must start at column 0
            $body = @"
{
    "location": "$($resourcelocation)",
    "properties": {
        "allowBlobPublicAccess": false
    }
}
"@
            Invoke-RestMethod -Uri $resourceURL -Method Put -Headers $AzureApiheaders -Body $body
        }
    }
}
```

References:
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=powershell

14K Views, 3 likes, 2 Comments
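An audit pass to run before and after the change, added here as an example and not part of the original post: it builds the per-account report the post describes exporting to .csv, follows `nextLink` so accounts beyond the first page of the list response are included, and applies the same `-eq $false` logic as Step 5. The function names, the output path and the sample accounts are assumptions; `$AzureApiheaders` is the header from Step 3.

```powershell
# Added example (hypothetical function names): audit allowBlobPublicAccess across subscriptions.
function ConvertTo-PublicAccessRow {
    param($Account, [string]$SubscriptionId)
    $setting = $Account.properties.allowBlobPublicAccess
    [pscustomobject]@{
        SubscriptionId        = $SubscriptionId
        Name                  = $Account.name
        ResourceId            = $Account.id
        AllowBlobPublicAccess = $setting
        # Same test as the post's script: only an explicit $false counts as disabled,
        # so an account whose response omits the property is flagged too.
        NeedsChange           = ($setting -ne $false)
    }
}

function Get-PublicAccessReport {
    param(
        [Parameter(Mandatory=$true)] [hashtable] $Headers,
        [Parameter(Mandatory=$true)] [string[]]  $SubscriptionId
    )
    foreach ($sub in $SubscriptionId) {
        $url = "https://management.azure.com/subscriptions/$sub/providers/Microsoft.Storage/storageAccounts?api-version=2021-01-01"
        while ($url) {
            $page = Invoke-RestMethod -Uri $url -Headers $Headers -Method Get
            foreach ($account in $page.value) {
                ConvertTo-PublicAccessRow -Account $account -SubscriptionId $sub
            }
            # Follow nextLink so accounts beyond the first page of results are included
            $url = $page.nextLink
        }
    }
}

# Constructed sample list response (not real accounts) to exercise the classification offline
$sampleSub = '00000000-0000-0000-0000-000000000000'
$sample = @'
{"value":[
 {"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demoa","name":"demoa","properties":{"allowBlobPublicAccess":false}},
 {"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demob","name":"demob","properties":{"allowBlobPublicAccess":true}},
 {"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/democ","name":"democ","properties":{}}
]}
'@ | ConvertFrom-Json
$sample.value | ForEach-Object { ConvertTo-PublicAccessRow -Account $_ -SubscriptionId $sampleSub } |
    Format-Table Name, AllowBlobPublicAccess, NeedsChange

# Against Azure, with the header from Step 3:
# Get-PublicAccessReport -Headers $AzureApiheaders -SubscriptionId (Get-AzSubscription).Id |
#     Export-Csv -Path .\storage-public-access.csv -NoTypeInformation
```

Running the report again after Step 5 and filtering on `NeedsChange` shows any account where the update did not take effect.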
Azure Storage Mover can now migrate your SMB shares to Azure file shares.
Storage Mover is a fully managed migration service that enables you to migrate on-premises files and folders to Azure Storage while minimizing downtime for your workload. Together with just-in-time permission setting and Azure Key Vault, your migration is secure from source to target. Besides the existing generally available capability to migrate from an on-premises NFS share to an Azure blob container, Storage Mover will support many additional source and target combinations in the near future.
14K Views, 1 like, 0 Comments