governance
125 Topics

Purview AMA March 12 - Ask Questions Below!
The next Purview AMA covering Data Security, Compliance, and Governance takes place on 12 March at 8am Pacific. Register HERE!

Your subject matter experts are:
Maxime Bombardier - Purview Data Security and Horizontals
Sandeep Shah - Purview Data Governance
Peter Oguntoye - Purview Compliance

And, if you'd like to get started now, feel free to post your questions as comments below. They may be answered live, or if we don't get to them, they will be answered in-text below (you may also note what you'd prefer!)

Thank you for being a part of the Purview community, we can't do exciting events like this without you! Don't forget to register ✏️

49 Views, 0 likes, 0 Comments

Microsoft Purview Best Practices
Microsoft Purview is a solution that helps organizations manage data and compliance. It also uses AI to classify data, monitor compliance, and identify risks. Key features include data discovery, classification, governance, retention, compliance management, encryption, and access controls. Purview ensures data security, prevents insider threats, and helps implement data loss prevention policies to meet compliance requirements.

Hello everyone - This is just a short introduction, I am Dogan Colak. I have been working as an M365 Consultant for about 5 years, holding certifications such as MCT, SC-100, SC-200, SC-300, and MS-102, with a focus on Security & Compliance. This year, I am excited to share what I have learned with the Microsoft Technology Community. In the coming days, I will be publishing videos and articles based on the training agenda I have created. I will also share these articles on LinkedIn, so feel free to follow me there. I am always open to feedback and suggestions. See you soon!

366 Views, 2 likes, 1 Comment

Log Analytics Agent-based Azure Management Services: Shut down starting 28 February 2025
Overview

The legacy Log Analytics (LA) agent, which has played a critical role in transferring data logs for software and applications to Azure, was deprecated on August 31, 2024. Subsequently, all Azure services and solutions relying on the Log Analytics agent for data collection are also being phased out. This transition ensures a seamless shift to more robust replacement products, enhancing continuity, security, and performance for customers' IT estates.

Two of the Azure Automation solutions provided management of machines using the LA agent, namely Azure Automation Update Management for streamlined software update deployment and Azure Change Tracking & Inventory for tracking changes and inventory for in-guest environments. These agent-based services were also deprecated on 31st August 2024. Over the last 6 months, these solutions were maintained, giving customers time to move their management processes to the replacement products.

In order to ensure a security posture of the customer environments, these LA agent-based solutions will be completely shut down starting 28th February 2025. You may find that your existing patching jobs fail and that the changes data in the Log Analytics workspace becomes stale after this date. The following captures further details on the impact to operations for the machines that continue to be on these solutions and provides additional guidance.

What will change after 28th February 2025?

a) You will not be able to access both Azure Automation Update Management & Azure Change Tracking & Inventory enabled with the LA agent from the Azure Portal.
b) For Azure Automation Update Management, no new periodic assessments or patching data corresponding to configured machines will be populated.
c) For Change Tracking & Inventory with LA agent, no new changes or inventory logs will be captured.

Note: Historical data for the last 30 days will continue to be available in LA workspace and can be directly queried from the LA tables.

LA workspace table | Purpose
ConfigurationData | To obtain inventory logs for auditing and compliance needs
ConfigurationChange | To obtain logs corresponding to the changes made in customer environment
Update | To query periodic assessments and patched updates data for pending updates view

What next?

If you have any machines configured with a legacy version of the above-mentioned services, please use one of the following available methods to migrate to the replacement products:

Product Service: Azure Change Tracking & Inventory with LA agent
Product Migration Guidance:
a) Migrate to Azure Monitoring Agent (AMA) version of Change Tracking & Inventory:
   - Using Azure Portal
   - Using PowerShell
b) If you have enabled File Integrity monitoring (FIM) with LA agent & are managing it via the Change Tracking & Inventory experience, here are the available options to migrate to:
   - Move to Change Tracking & Inventory with AMA for enhanced insights for data types including Files, Registry Keys, Software, Windows Services, Linux Daemons, File content changes.
   - Move to FIM with MDE (part of Defender for Servers Plan 2)

Product Service: Azure Automation Update Management
Product Migration Guidance:
Migrate to Azure Update Manager (Does not rely on AMA):
   - Using Azure Portal
   - Using Runbook scripts

Additionally, you can refer to these instructions to disable LA agent from your environment. Please feel free to reach out to us on aumpm@microsoft.com for any queries or feedback.

End-to-end TLS with AKS, Azure Front Door, Azure Private Link Service, and NGINX Ingress Controller
This article shows how Azure Front Door Premium can be set to use a Private Link Service to expose an AKS-hosted workload via NGINX Ingress Controller configured to use a private IP address on the internal load balancer.

16K Views, 4 likes, 4 Comments

Azure Landing Zones - Policy Refresh Q2 FY25
As before, we release updates to Azure Landing Zones policies (and the portal accelerator) on a quarterly basis to reduce the burden of managing change frequently. The policy updates part of this release process are consumed by all the reference implementations (Portal, Terraform, Bicep) but the portal changes are only applicable to the portal accelerator. An important note is that the ALZ portal accelerator and all Azure Policy provided by Azure Landing Zones are maintained in the same GitHub repository, which is why policy and portal accelerator changes are grouped together.

This release has been slightly delayed due to the festive season and new security patches deployed by resource providers that have impacted Azure Landing Zones deployments. These are the highlights of this release:

Policy

With the announcement and preview release of policy versioning back in May 2024, we've been tracking the potential impact on Azure Landing Zones. To this end, as part of this release we've implemented support for policy versioning in all ALZ initiatives and initiative/policy assignments referring to a built-in policy/initiative. This means that all the ALZ initiatives and assignments are now pinned to the current validated major version of the built-in policy (defined as `1.*.*`, or whatever the current major version is). A policy's major version is incremented whenever there is a breaking change to the definition/function of the policy. Pinning to the current major version of the policy gives us control in determining the version that we've validated, tested and confirmed to work with ALZ. As new major versions are published we'll review the changes we need to make, test and validate the new version and then publish as part of our regular policy release cadence (quarterly). This change also required us to update the Policy(Set) API version to the latest version which supports policy versioning.

We've also included a number of fixes and updates requested by the community. A community request for better tag auditing based on an array of required tags has resulted in two new custom policies:
- Audit-Tags-Mandatory-Rg
- Audit-Tags-Mandatory

Policy updates are available today in the portal accelerator, and will be included in the Terraform and Bicep accelerators in the coming weeks.

Portal Accelerator

With this release we've added support for deploying Azure Virtual Network Manager (AVNM) for Hub & Spoke and NVA network topologies. You will now have the option to deploy it as part of the network configuration:

Today, we only support the Security Admin rules feature of AVNM, which we deploy to manage the Intermediate Root management group scope, include Network Groups for all scopes under the Intermediate Root management group and deploy policies to automatically add virtual networks under those scopes to the relevant Network Group. To illustrate the Network Groups, this is an example of a multi-region (Sweden Central and UK South) deployment's Network Groups:

As part of the deployment, we've included a Security Admin rule collection that blocks high-risk ports from the internet (Protect High-Risk Ports) that we apply to the "all virtual networks" network group.

We've had feedback that for the Workload Specific Compliance section some of the controls are very restrictive out of the box and the ask was to include an "Audit Only" option for each of the guard rails. We've updated the portal accelerator and enabled this by changing the initiative enforcement mode to "DoNotEnforce" if the "Audit Only" option is selected. Once audit compliance has been remediated, you can then choose to update the assignment to enable enforcement to activate the guardrails.

Under the hood we've also made significant quality of life changes:
- We now register all required resource providers with all included subscriptions in the ALZ deployment, which helps avoid issues for new tenants (greenfield environments).
- We've also changed how we wait for management groups to be registered which has significantly improved the reliability and consistency of ALZ deployments using the portal accelerator.

Important Links

Quick link to the portal accelerator:
And as always, to get all the details, please review: ALZ What's New

Now Open Source: nxtools, managing Linux IaC just got simpler using Automanage machine configuration
We are "nxcited" to announce the release of nxtools, an opensource collection of class-based DSC resources for commonly used Linux / Unix modules and built-in Machine Configuration packages for customers. Azure Automanage Machine Configuration (previously known as Azure Policy Guest Configuration) enables configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.

Exciting News: AMBA Portal Accelerator is now Generally Available!
We are thrilled to announce that the Azure Monitor Baseline Alerts-Azure Landing Zones (AMBA-ALZ) Portal Accelerator has officially reached General Availability (GA). This achievement is a big step forward in our goal to make onboarding and simplify monitoring your Azure environment regardless of whether or not you are fully aligned to Azure Landing Zones.

[Screenshot of Azure Landing Zone portal Accelerator]

What is the AMBA Portal Accelerator?

As we introduced AMBA into the ALZ portal experience (not to be confused with this accelerator!) and with the increased flexibility AMBA-ALZ provided for the preferred action notification types, this introduced a need to provide a post ALZ-AMBA Portal to accommodate those notification types that required an existing resource (Azure Function, Event Hub, and Logic App) and in the case of deploying ALZ possibly for the first time these resources may not be present.

The AMBA-ALZ Portal Accelerator is designed to simplify the process of setting up baseline alerts, helping you boost your observability maturity in your Azure environment with minimal effort or expertise. You can set up alerts faster and with more confidence. You'll get timely notifications about critical metrics and log anomalies that might signal potential issues with your Azure workloads.

What Scenarios Does The Accelerator Help Address?

There are a few scenarios as to where the Accelerator can help meet you where you are in your journey:
- You are an existing Azure customer and looking to mature your observability posture (and at the same time with low effort move one step closer to being aligned to Azure Landing Zones)
- You have an existing Azure Landing Zones implementation prior to AMBA being released and are looking to update your environment to include AMBA-ALZ
- You may be new to Azure and deploying Azure Landing Zones (the recommended way to onboard to Azure) and wanting to use Azure Function, Event Hub, and Logic App Notification Types

Getting Started

To begin using the AMBA-ALZ Portal Accelerator, navigate to https://aka.ms/amba/alz/portal or click the "Deploy to Azure" button on the documentation page. Detailed deployment instructions and further guidance are available to help you get started quickly and efficiently.

If you have any further feedback please use the following links:
💬 - Feedback GitHub Issues: https://aka.ms/amba/issues
💬 - Feedback survey: https://aka.ms/ambaSurvey

"Program/Portfolio Management" features?
Hi, I noticed the following feature 'ticked' in Planner 3 and Planner 5 plans:

Plan, execute, and control multiple related projects or initiatives within the projects to achieve strategic goals or business objectives.

Can the features please be described in detail? The only program/portfolio management feature I see here is that we can attach a plan to a Group but I do not see anywhere in Groups where I can list out all related plans. I would expect at the least to be able to compare multiple project plans. Please advise as we are assessing whether to roll out this product for the organisation.

335 Views, 4 likes, 5 Comments