guest configuration

Now Open Source: nxtools, managing Linux IaC just got simpler using Automanage machine configuration
We are "nxcited" to announce the release of nxtools, an open-source collection of class-based DSC resources for commonly used Linux / Unix modules and built-in Machine Configuration packages for customers. Azure Automanage Machine Configuration (previously known as Azure Policy Guest Configuration) enables configuration as code, allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and for hybrid Azure Arc-enabled servers.

Azure Change Tracking & Inventory: Simplified onboarding to manage in-guest changes on Azure Arc VMs
Explore the new Azure-native, few-clicks onboarding experience for Change Tracking & Inventory on Azure Arc servers, which streamlines in-guest change management operations while strengthening your adaptive cloud strategy.

Everything New in Azure Governance @ Ignite 2024
You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Ignite, November 19-22, 2024. Azure Governance is an ecosystem of neatly integrated services that provide the ability to ensure speed and control across your cloud environment. From enforcing rules in your cloud environment to querying the state of your resources at scale, Azure Governance services keep your resources secure and compliant with corporate standards. The Azure Governance team is excited to share the following new features across our product portfolio. For each feature you will find an accompanying announcement with scenario details, documentation and blog posts to follow along!

Azure Change Analysis

Change Actor – Generally Available

We are excited to announce the General Availability of Change Actor in Azure, a feature that enhances Change Analysis by identifying who made changes to your resources and how. With this update, you can audit changes across all tenants and subscriptions, seeing who initiated changes and with which identity. Changes are available in under five minutes and are queryable for fourteen days, allowing for timely auditing and troubleshooting. Additionally, you can craft charts and pin results to Azure dashboards based on specific change queries through Azure Resource Graph, providing a comprehensive view of changes across your environment.

[Figure: Change Actor experience in Azure Portal]

Overview of change analysis: https://learn.microsoft.com/azure/governance/resource-graph/changes/get-resource-changes?tabs=azure-cli
Change analysis portal experience: https://learn.microsoft.com/azure/governance/resource-graph/changes/view-resource-changes
Change actor blog announcement: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/announcing-the-general-availability-of-change-actor/4171801

Azure Policy

Policy Versioning support for Built-in Definitions – Public Preview

With Versioning, you can now gradually ingest built-in definition changes with zero gap in enforcement! All Azure Policy built-in definitions will now follow a standardized version pattern: at assignment time, simply specify the version number of the built-in definition to enforce on your environment. Have a previous definition version already assigned? Leverage the assignment-level selectors and overrides properties to gradually update the assignment to the latest version of the built-in definition. Additionally, versioning awareness is displayed in compliance logs on a per-resource basis, enhancing your ability to govern and evolve your cloud governance policies with greater agility.

Tech Community Blog: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/public-preview-announcement-azure-policy-built-in-versioning/4186105
MS Learn Documentation: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-basics#version-preview

Query component-level policy compliance in Azure Resource Graph

Effortlessly query policy compliance down to the component level across your AKS, Key Vault, and Managed HSM resources in Azure Resource Graph! With component-level granularity of AKS Policy compliance, you can verify whether your pods are using approved base images, audit the labelling of your namespaces, or ensure your Managed HSM instances have the required security settings configured, all through ARG. Through a unified experience with Azure Policy and Azure Resource Graph, you can gain deeper insights into the compliance state of each AKS component with precision, ensuring your resources are always in line with your organization's standards.

[Figure: AKS Policy component-level compliance in ARG]

CEL-based support for AKS Policy (preview)

Introducing CEL and VAP support in AKS Policy! Common Expression Language (CEL) is a Kubernetes-native expression language that can be used to declare the validation rules of a policy. The Validating Admission Policy (VAP) feature provides in-tree policy evaluation, reduces admission request latency, and improves reliability and availability. The supported validation actions include Deny, Warn, and Audit. Custom policy authoring for CEL/VAP is allowed, and existing users won't need to convert their Rego to CEL, as both will be supported and used to enforce policies. You'll be able to view violation messages at request time and audit results in the portal just like with Rego.

MS Learn documentation: https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#171

Support for Expansion in AKS Policy

Introducing expansion, a shift-left feature that lets you know up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc.) will produce admissible pods. Expansion shouldn't change the behavior of your policies; rather, it just shifts Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. To enable expansion for a given policy definition, set .policyRule.then.details.source to All and, if needed, use a mutation with source Generated to mutate the what-if pods for evaluation purposes.

MS Learn documentation: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#170

Expanded list of Policy for AKS Built-In Definitions – Generally Available

Azure Policy has expanded the list of mutation built-in definitions for Azure Kubernetes Service (AKS). These new definitions allow you to automatically remediate the configuration of your AKS pods and containers at scale across your cluster. With this update, you can manage and enforce configuration changes more efficiently, ensuring consistency and compliance within your AKS environment. With mutation policies, you can:

- Enforce resource limits: automatically set resource limits on pods and containers to prevent any single workload from consuming too many resources.
- Inject sidecars: mutate pod specifications to include sidecar containers for logging, monitoring, or security purposes, without requiring changes to the original pod definitions.
- Set environment variables: specify the environment variables set in containers, which can be used for configuration or to pass secrets securely.

MS Learn documentation: https://learn.microsoft.com/azure/aks/policy-reference

Azure Machine Configuration

Support for User Assigned Identity Based Access for Configuration Packages – Generally Available

User Assigned Identity support for configuration package access in Azure Machine Configuration is now Generally Available, reinforcing our commitment to security and simplicity in at-scale server management for all Azure customers. This feature enhances your server configuration management lifecycle by providing a secure and straightforward alternative to the use of Shared Access Signature (SAS) tokens for anonymous access. With User Assigned Identities, you can now privately access configuration packages stored in Azure Storage blobs, ensuring that your server management operations are both secure and efficient.

Tech Community Blog: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities
MS Learn Documentation: https://learn.microsoft.com/azure/governance/machine-configuration/how-to/create-policy-definition

SSH Posture Control through Machine Configuration – Generally Available

Additional built-in capabilities to enhance your Linux management scenarios are now generally available through Azure Policy and Machine Configuration! Through new built-in policies, you can manage your SSH configuration settings declaratively at scale. SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons help you document compliance for auditors with confidence and evidence. They also enable you to take action when non-compliance is observed.

MS Learn documentation: https://learn.microsoft.com/azure/osconfig/overview-ssh-posture-control-mc

Azure Resource Graph

ARG Power BI connector – Generally Available

We are pleased to announce General Availability of the Azure Resource Graph Power BI connector! Now you can run queries against your Azure resources and visualize the results directly in Power BI. With seamless integration, you can connect Azure Resource Graph with Power BI Desktop or the Power BI service to analyze your Azure resources, and the connector has an optional setting to return all records if your query results exceed 1,000 records. This feature provides deeper insights and more control over your Azure resources, enhancing your ability to manage and govern your cloud infrastructure.

Learn documentation: https://learn.microsoft.com/azure/governance/resource-graph/power-bi-connector-quickstart?tabs=power-bi-desktop

Azure Resource Graph Copilot – Public Preview

With the release of the Azure Resource Graph (ARG) skill within Copilot, customers can access the ARG query skill through the Azure Portal or GitHub Copilot. Questions about resource governance like "how many Linux VMs do I own" will be sent to the ARG skill. With this release, customers can easily turn natural language questions into ARG queries. ARG Copilot helps users create queries to quickly surface insights about resources and simplify operational investigations.

[Figure: ARG Copilot in Azure Portal]
[Figure: ARG Copilot in GitHub Copilot]

MS Learn documentation: https://learn.microsoft.com/azure/copilot/get-information-resource-graph

ARG GET/LIST API – Private preview

Now available for private preview is the Azure Resource Graph GET/LIST API, a highly scalable, fast, and performant alternative to the existing control plane GET and LIST API calls within the Azure ecosystem. This API allows you to mitigate issues related to throttling, such as performance degradation and failed requests, offering a 10X higher read throttling quota to callers and ensuring faster and more efficient read operations for your critical cloud-native workloads. Contact argpms@microsoft.com to join the private preview program!

Azure Resource Manager

All New Azure Resource Manager Throttling Experience

We are thrilled to announce the modernization of Azure Resource Manager throttling. This upgrade introduces a revamped throttling experience for Azure subscriptions, bringing increased limits and a token bucket algorithm for managing API requests! Throttling limits have increased by roughly 30 times for writes, 2.4 times for deletes, and 7.5 times for reads.
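With a token bucket, a burst that empties the bucket is answered with HTTP 429 and a Retry-After header telling the caller when enough tokens will have refilled. The wrapper below is an added example, not code from the announcement or from any Microsoft SDK: it retries an Azure Resource Manager call only when throttled, sleeps for the server-stated Retry-After (with a capped exponential fallback when the header is absent), and gives up after a bounded number of attempts. Invoke-ArmWithRetry and the fake responder are names chosen for this example, and the 429/200 responses it feeds in are constructed so the script runs offline.

```powershell
# Added example (not from the original announcement): a client-side retry wrapper for
# Azure Resource Manager calls that honours HTTP 429 and the Retry-After header returned
# by the throttling layer. Invoke-ArmWithRetry and $fakeArm are this example's own names.

function Invoke-ArmWithRetry {
    [CmdletBinding()]
    param(
        # Script block that performs one request and returns an object exposing
        # StatusCode and Headers (e.g. the result of Invoke-WebRequest -SkipHttpErrorCheck).
        [Parameter(Mandatory)] [scriptblock] $Request,
        [int] $MaxAttempts = 5,
        [int] $MaxBackoffSeconds = 60
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $response = & $Request
        if ([int]$response.StatusCode -ne 429) {
            # Anything other than "throttled" is returned to the caller as-is; other
            # HTTP errors are not retried here because they are not capacity problems.
            return $response
        }
        # Retry-After says when the bucket will have refilled enough for this call.
        # Fall back to capped exponential backoff if the header is missing or unparsable.
        $delay = 0
        $headerValue = "$($response.Headers['Retry-After'])"
        if (-not [int]::TryParse($headerValue, [ref]$delay) -or $delay -le 0) {
            $delay = [int][math]::Min([math]::Pow(2, $attempt), $MaxBackoffSeconds)
        }
        Write-Verbose "Throttled (attempt $attempt of $MaxAttempts); waiting $delay s before retrying"
        Start-Sleep -Seconds $delay
    }
    throw "Request still throttled after $MaxAttempts attempts"
}

# Constructed responder standing in for ARM: the first two calls are throttled with a
# one-second Retry-After, the third succeeds. No network access is needed to run this.
$script:callCount = 0
$fakeArm = {
    $script:callCount++
    if ($script:callCount -le 2) {
        return [pscustomobject]@{ StatusCode = 429; Headers = @{ 'Retry-After' = '1' } }
    }
    return [pscustomobject]@{ StatusCode = 200; Headers = @{}; Content = '{"value":[]}' }
}

$result = Invoke-ArmWithRetry -Request $fakeArm -Verbose
"Succeeded with HTTP $($result.StatusCode) after $script:callCount calls"
```

Against the real service, pass a request block such as `{ Invoke-WebRequest -Uri $uri -Headers @{ Authorization = "Bearer $token" } -SkipHttpErrorCheck }` (PowerShell 7) so that a 429 comes back as a response object rather than an exception. Honouring Retry-After instead of retrying in a tight loop matters more under a token bucket than under fixed windows: every rejected call still costs capacity, so a client that hammers the endpoint delays its own recovery.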
Tech Community Blog: https://azure.microsoft.com/updates?id=azure-resource-manager-throttling
Learn documentation: https://learn.microsoft.com/azure/azure-resource-manager/management/request-limits-and-throttling

Azure Resource Notification

ContainerServiceEventResources System Topic for AKS – Public Preview

We are excited to announce the public preview of the Azure Resource Notification ContainerServiceEventResources system topic, which empowers customers with proactive notifications for critical AKS cluster maintenance events, covering statuses such as scheduled, started, and completed. By enhancing planning capabilities, this feature reduces operational disruptions and minimizes costs, allowing you to manage maintenance with greater confidence and efficiency.

MS Learn documentation: https://learn.microsoft.com/azure/event-grid/event-schema-containerservice-resources

Stay Updated

Keep in touch with Azure Governance products, announcements, and key scenarios. Bookmark the Azure Governance Tech Community Blog, then follow us @AzureGovernance on X (previously known as Twitter). Share product feedback and ideas with us here: Azure Governance · Community. For questions, you can reach us at:
Azure Policy: policypm@microsoft.com
Azure Resource Graph: argpms@microsoft.com

Azure Update Manager to support CIS hardened images among other images
What's coming in the first week of August: Azure Update Manager will add support for 35 CIS hardened images. This is the first time that an Update Management product in Azure is supporting CIS hardened images. Apart from CIS hardened images, Azure Update Manager will also add support for 59 other images to unblock Automation Update Management migrations to Azure Update Manager.

What's coming in September: after this release, support will be added for another batch of 30 images. Please refer to the article below to check the details of which images will be supported.

The 35 CIS images below will be supported by Azure Update Manager by the first week of August. Please note that the Publisher for all these images is center-for-internet-security-inc.

Offer | Plan(s)
cis-windows-server | cis-windows-server2016-l1-gen1, cis-windows-server2019-l1-gen1, cis-windows-server2019-l1-gen2, cis-windows-server2019-l2-gen1, cis-windows-server2022-l1-gen2, cis-windows-server2022-l2-gen2, cis-windows-server2022-l1-gen1
cis-windows-server-2022-l1 | cis-windows-server-2022-l1, cis-windows-server-2022-l1-gen2
cis-windows-server-2022-l2 | cis-windows-server-2022-l2, cis-windows-server-2022-l2-gen2
cis-windows-server-2019-v1-0-0-l1 | cis-ws2019-l1
cis-windows-server-2019-v1-0-0-l2 | cis-ws2019-l2
cis-windows-server-2016-v1-0-0-l1 | cis--l1
cis-windows-server-2016-v1-0-0-l2 | cis-ws2016-l2
cis-windows-server-2012-r2-v2-2-1-l2 | cis-ws2012-r2-l2
cis-rhel9-l1 | cis-rhel9-l1, cis-rhel9-l1-gen2
cis-rhel-8-l1 |
cis-rhel-8-l2 | cis-rhel8-l2
cis-rhel-7-l2 | cis-rhel7-l2
cis-rhel | cis-redhat7-l1-gen1, cis-redhat8-l1-gen1, cis-redhat8-l2-gen1, cis-redhat9-l1-gen1, cis-redhat9-l1-gen2
cis-ubuntu-linux-2204-l1 | cis-ubuntu-linux-2204-l1, cis-ubuntu-linux-2204-l1-gen2
cis-ubuntu-linux-2004-l1 | cis-ubuntu2004-l1
cis-ubuntu-linux-1804-l1 | cis-ubuntu1804-l1
cis-ubuntu | cis-ubuntu1804-l1, cis-ubuntulinux2004-l1-gen1, cis-ubuntulinux2204-l1-gen1, cis-ubuntulinux2204-l1-gen2
cis-oracle-linux-8-l1 | cis-oracle8-l1

Apart from CIS hardened images, below are the other 59 images which will be supported by Azure Update Manager by the first week of August:

Publisher | Offer | Plan(s)
almalinux | almalinux-x86_64 | 8_7-gen2
belindaczsro1588885355210 | belvmsrv01 | belvmsrv003
cloudera | cloudera-centos-os | 7_5
cloud-infrastructure-services | rds-farm-2019 | rds-farm-2019
cloud-infrastructure-services | ad-dc-2019 | ad-dc-2019
cloud-infrastructure-services | sftp-2016 | sftp-2016
cloud-infrastructure-services | ad-dc-2016 | ad-dc-2016
cloud-infrastructure-services | hpc2019-windows-server-2019 | hpc2019-windows-server-2019
cloud-infrastructure-services | dns-ubuntu-2004 | dns-ubuntu-2004
cloud-infrastructure-services | servercore-2019 | servercore-2019
cloud-infrastructure-services | ad-dc-2022 | ad-dc-2022
cloud-infrastructure-services | squid-ubuntu-2004 | squid-ubuntu-2004
cognosys | sql-server-2016-sp2-std-win2016-debug-utilities | sql-server-2016-sp2-std-win2016-debug-utilities
esri | arcgis-enterprise | byol-108, byol-109, byol-111, byol-1081, byol-1091
esri | arcgis-enterprise-106 | byol-1061
esri | arcgis-enterprise-107 | byol-1071
esri | pro-byol | pro-byol-29
filemagellc | filemage-gateway-vm-win | filemage-gateway-vm-win-001, filemage-gateway-vm-win-002
github | github-enterprise | github-enterprise
matillion | matillion | matillion-etl-for-snowflake
microsoft-ads | windows-data-science-vm | windows2016, windows2016byol
microsoft-dsvm | ubuntu-1804 | 1804-gen2
netapp | netapp-oncommand-cloud-manager | occm-byol
nginxinc | nginx-plus-ent-v1 | nginx-plus-ent-centos7
ntegralinc1586961136942 | ntg_oracle_8_7 | ntg_oracle_8_7
procomputers | almalinux-8-7 | almalinux-8-7
procomputers | rhel-8-2 | rhel-8-2
RedHat | rhel | 8_9
redhat | rhel-byos | rhel-lvm79, rhel-lvm79-gen2, rhel-lvm8, rhel-lvm82-gen2, rhel-lvm83, rhel-lvm84, rhel-lvm84-gen2, rhel-lvm85-gen2, rhel-lvm86, rhel-lvm86-gen2, rhel-lvm87-gen2, rhel-raw76
redhat | rhel | 8.1
redhat | rhel-sap | 7.4
redhat | rhel-sap | 7.7
redhat | rhel | 89-gen2
southrivertech1586314123192 | tn-ent-payg | Tnentpayg
southrivertech1586314123192 | tn-sftp-payg | Tnsftppayg
suse | sles-sap-15-sp2-byos | gen2
suse | sles-15-sp5 | gen2
talend | talend_re_image | tlnd_re
thorntechnologiesllc | sftpgateway | Sftpgateway
veeam | office365backup | veeamoffice365backup
veeam | veeam-backup-replication | veeam-backup-replication-v11
zscaler | zscaler-private-access | zpa-con-azure

The images below will be supported in September:

Publisher | Offer | Plan(s)
aod | win2019azpolicy | win2019azpolicy
belindaczsro1588885355210 | belvmsrv03 | belvmsrv001
center-for-internet-security-inc | cis-rhel-7-v2-2-0-l1 | cis-rhel7-l1
center-for-internet-security-inc | cis-rhel-7-stig | cis-rhel-7-stig
center-for-internet-security-inc | cis-win-2016-stig | cis-win-2016-stig
center-for-internet-security-inc | cis-windows-server-2012-r2-v2-2-1-l1 | cis-ws2012-r2-l1
cloudrichness | rockey_linux_image | rockylinux86
Credativ | Debian | 8
microsoftdynamicsnav | dynamicsnav | 2017
microsoftwindowsserver | windowsserver-hub | 2012-r2-datacenter-hub, 2016-datacenter-hub
MicrosoftWindowsServer | WindowsServer-HUB | 2016-Datacenter-HUB
ntegralinc1586961136942 | ntg_cbl_mariner_2 | ntg_cbl_mariner_2_gen2
openvpn | openvpnas | access_server_byol
rapid7 | nexpose-scan-engine | nexpose-scan-engine
rapid7 | rapid7-vm-console | rapid7-vm-console
suse | sles | 12-sp3
suse | sles-15-sp1-basic | gen1
suse | sles-15-sp2-basic | gen1
suse | sles-15-sp3-basic | gen1, gen2
suse | sles-15-sp4-basic | gen2
suse | sles-sap | 12-sp3, 15, gen2-15
suse | sles-sap-byos | 15
suse | SLES-SAP-BYOS | 15
suse | sles-sap-15-sp1-byos | gen1
Tenable | tenablecorenessus | tenablecorenessusbyol

Generally available: Automation Update Management to Azure Update Manager migration tool
Azure Automation Update Management will be deprecated on 31st August 2024, as the Log Analytics agent it uses, also known as the Microsoft Monitoring Agent (MMA), will be retired. Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager before 31st August 2024. Follow the guidance to move your machines and schedules from Automation Update Management to Azure Update Manager.

Methods to move from Automation Update Management to Azure Update Manager:

First method: using the automated migration tool (GA)
This provides a minimal-click, automated way to move resources. The tool migrates machines and schedules at an automation account level. You can click "Migrate Now" from the deprecation banner in the portal and then select an automation account. The tool will list all resources in the selected automation account that need to be moved, and you can view the details of those resources. After that, it is a 3-step process, as also shown in the screenshot below. Learn more.

Step 1: Prerequisites
- Onboard non-Azure machines onto Azure Arc: Arc connectivity is a prerequisite for Azure Update Manager, so you need to onboard all non-Azure machines onto Azure Arc.
- Create a user managed identity: download and run a PowerShell script locally on the machine to create a user managed identity with the permissions necessary to carry out the migration process.

Step 2: "Migrate Now" button
It imports the MigrateToAzureUpdateManager runbook into your automation account, and then you can run the script. It moves all machines and schedules from Automation Update Management to Azure Update Manager.

Step 3: "Run clean up script" button
It imports the clean-up script DeboardFromAutomationUpdateManagement into your automation account, and you can run it to deboard resources from Automation Update Management.
Second method: using automated migration scripts
You can move resources using automated migration scripts. This allows you to move the resources in an automation account to Azure Update Manager in an automated fashion instead of migrating each resource manually. It is a script version of the portal experience explained above. Learn more.

Third method: using manual migration guidance
If you have built automation or customizations on top of your Automation Update Management solution, then the portal migration tool or migration scripts might not make sense for you, and you would need to move resources manually from Automation Update Management to Azure Update Manager. Learn more.

What's new: GA in Mooncake and Fairfax regions
Azure Update Manager and the experience to migrate from Automation Update Management to Azure Update Manager are Generally Available in the Mooncake and Fairfax regions.

FAQs

What will happen after 31st August 2024 if you do nothing?
Automation Update Management will no longer be supported by Microsoft, and the service will work for an undetermined time before it is shut down. This means that customers won't be able to create any support cases on Automation Update Management after 31st August 2024. We strongly recommend that you move to Azure Update Manager before 31st August 2024. Any new onboarding to Automation Update Management will be blocked. The following actions will be prevented after retirement on 31st August 2024:
- Creating a new schedule in Automation Update Management
- Adding a new machine to an existing schedule
- Enabling Automation Update Management on a new machine
- Enabling Automation Update Management on a new Log Analytics workspace

Note: This list is not exhaustive, and we will prevent any action considered as adding to the old solution in any way. For more FAQs on retirement and the move to Azure Update Manager, refer to Retirement FAQs.

Rehosting On-Premises Process Automation when migrating to Azure
Many enterprises seek to migrate on-premises IT infrastructure to the cloud for cost optimization, scalability, and enhanced reliability. A key aspect of modernization is transitioning automated processes from on-premises environments, where tasks are automated using scripts (PowerShell or Python) and tools like Windows Task Scheduler or System Center Service Management Automation (SMA). This blog showcases successful transitions of customer automated processes to the cloud with Azure Automation, emphasizing script re-use and modernization through smart integrations with complementary Azure products. Using runbooks in PowerShell or Python, the platform supports PowerShell versions 5.1 and 7.2. To learn more, click here.

Additionally, Azure Automation provides seamless certificate authentication with managed identity, eliminating the need to manage certificates and credentials while rehosting. Azure Automation safeguards keys and passwords by wrapping the encryption key with the customer-managed key associated with your key vault. Integration with Azure Monitor, coupled with Automation's native job logs, equips customers with advanced monitoring and error/failure management. The Azure Automation platform efficiently manages long-running scripts in the cloud or on-premises, with resource limit options, through the Hybrid Runbook Worker. The Hybrid Runbook Worker also lets you automate workloads outside Azure while still using Azure Automation runbooks.

Rehosting on-premises operations with minimal effort covers the scenarios listed below. Additional effort goes into modernizing scripts for cloud-native management of secrets, certificates, logging, and monitoring.

- State configuration management: monitor state changes in the infrastructure and generate insights/alerts for subsequent actions.
- Build, deploy and manage resources: deploy virtual machines across a hybrid environment using runbooks.
This is not entirely serverless and requires relatively more manual effort in rehosting.
- Periodic maintenance: execute tasks that need to be performed at set intervals, like purging stale data or reindexing a SQL database.
- Checking for orphaned computers and users in Active Directory.
- Windows Update notifications.
- Respond to alerts: orchestrate a response when cost-based (e.g. VM cost consumption), system-based, service-based, and/or resource utilization alerts are generated.

Specifically, here are some of the scenarios for managing the state configuration of the M365 suite where our customer rehosted an on-premises PowerShell script to the cloud with Azure Automation.

Scenarios for State Configuration Management of the M365 Suite
- User permission & access control management
- Mailbox alerts configuration
- Configuring SharePoint sites availability
- Synchronizing Office 365 with internal applications

Example: Rehosting user permission & access control management in M365 mailboxes

Here is how one of the customers rehosted a heavy monolithic PowerShell script to Azure. The objective of the job was to identify: list of shared mailboxes --> list of permissions existing for these mailboxes --> users & groups mapped to the mailboxes --> list of permissions granted (& modified over time) to these users/groups --> final output with a view of Mailbox Id, Groups, Users, Permissions provided, Permissions modified (with timestamps).

1. Shared mailboxes credentials

# Modules are loaded once at the top of the runbook. The post does not show the connection
# step; in Azure Automation, Connect-ExchangeOnline and Connect-PnPOnline use the account's
# managed identity rather than a stored credential.
Import-Module ExchangeOnlineManagement
Import-Module PnP.PowerShell

# Output shape used by every step below (definition added here; the post uses the type
# without showing its declaration).
class SharedMailboxPermission {
    [string]   $MailboxDisplayName
    [string[]] $MailboxEmailAddresses
    [string]   $MailboxId
    [string]   $MailboxUserPrincipalName
    [string[]] $Permission
    [string]   $PermissionExchangeObject
}

###########################################
# Get Shared Mailboxes
###########################################
$forSharedMailboxes = @{
    Properties           = "GrantSendOnBehalfTo"
    RecipientTypeDetails = "SharedMailbox"
    ResultSize           = "Unlimited"
}
$sharedMailboxes = Get-EXOMailbox @forSharedMailboxes

2. Obtain shared mailbox permissions

###########################################
# Get Shared Mailbox Permissions
###########################################
# One loop collects every kind of grant per mailbox; its body starts here with Send As and
# continues in step 4 with Full Access and Send On Behalf Of.
$sharedMailboxesPermissions = foreach ($sharedMailbox in $sharedMailboxes) {
    # ---------------------------------------------------------------
    # Get Send As Permissions
    # ---------------------------------------------------------------
    try {
        $forTheSharedMailbox = @{
            Identity   = $sharedMailbox.Identity
            ResultSize = "Unlimited"
        }
        $recipientPermissions = @(Get-EXORecipientPermission @forTheSharedMailbox)
        # Drop the mailbox's own SELF entry and orphaned SIDs left behind by deleted principals.
        $recipientPermissions = $recipientPermissions.Where({ $_.Trustee -ne "NT AUTHORITY\SELF" })
        $recipientPermissions = $recipientPermissions.Where({ $_.Trustee -notlike "S-1-5-21*" })
        if ($recipientPermissions) {
            foreach ($recipientPermission in $recipientPermissions) {
                [SharedMailboxPermission]@{
                    MailboxDisplayName       = $sharedMailbox.DisplayName
                    MailboxEmailAddresses    = $sharedMailbox.EmailAddresses
                    MailboxId                = $sharedMailbox.Id
                    MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName
                    Permission               = $recipientPermission.AccessRights
                    PermissionExchangeObject = $recipientPermission.Trustee
                }
            }
        }
    }
    catch {
        Write-Warning "Failed getting Send As permissions for $($sharedMailbox.Identity): $_"
        continue
    }
    # (loop body continues in step 4)

3. Users & groups mapped to the mailboxes

###########################################
# Get Entra and Exchange User Objects
###########################################
# $forTheSharedMailboxGovernanceSite is a PnP connection (Connect-PnPOnline -ReturnConnection)
# and the two *RelativeUrl variables name lists on the governance SharePoint site; both are
# set earlier in the customer's script and are not shown in the post. This step does not
# depend on the loop above.
$forEntraAndExchangeUserObjects = @{
    Connection = $forTheSharedMailboxGovernanceSite
    Identity   = $entraAndExchangeUserObjectListRelativeUrl
}
$userObjectsList = Get-PnPList @forEntraAndExchangeUserObjects
$fromTheEntraAndExchangeUserObjectsList = @{
    Connection = $forTheSharedMailboxGovernanceSite
    List       = $userObjectsList
    PageSize   = 5000
}
$userObjectsListItems = (Get-PnPListItem @fromTheEntraAndExchangeUserObjectsList).FieldValues

###########################################
# Get Entra and Exchange Group Objects
###########################################
$forEntraAndExchangeGroupObjects = @{
    Connection = $forTheSharedMailboxGovernanceSite
    Identity   = $entraAndExchangeGroupObjectListRelativeUrl
}
$groupObjectsList = Get-PnPList @forEntraAndExchangeGroupObjects
$fromTheEntraAndExchangeGroupObjectsList = @{
    Connection = $forTheSharedMailboxGovernanceSite
    List       = $groupObjectsList
    PageSize   = 5000
}
$groupObjectsListItems = (Get-PnPListItem @fromTheEntraAndExchangeGroupObjectsList).FieldValues

4. List of permissions granted (& modified over time) to these users/groups

    # (continues the foreach body opened in step 2)
    # ---------------------------------------------------------------
    # Get Full Access Permissions
    # ---------------------------------------------------------------
    try {
        $forTheSharedMailbox = @{
            Identity   = $sharedMailbox.Identity
            ResultSize = "Unlimited"
        }
        $mailboxPermissions = @(Get-EXOMailboxPermission @forTheSharedMailbox)
        $mailboxPermissions = $mailboxPermissions.Where({ $_.User -ne "NT AUTHORITY\SELF" })
        $mailboxPermissions = $mailboxPermissions.Where({ $_.User -notlike "S-1-5-21*" })
        if ($mailboxPermissions) {
            foreach ($mailboxPermission in $mailboxPermissions) {
                [SharedMailboxPermission]@{
                    MailboxDisplayName       = $sharedMailbox.DisplayName
                    MailboxEmailAddresses    = $sharedMailbox.EmailAddresses
                    MailboxId                = $sharedMailbox.Id
                    MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName
                    Permission               = $mailboxPermission.AccessRights
                    PermissionExchangeObject = $mailboxPermission.User
                }
            }
        }
    }
    catch {
        Write-Warning "Failed getting Full Access permissions for $($sharedMailbox.Identity): $_"
        continue
    }

    # ---------------------------------------------------------------
    # Get Send On Behalf Of Permissions
    # ---------------------------------------------------------------
    # GrantSendOnBehalfTo was requested explicitly in step 1; it is not a default EXO property.
    $grantSendOnBehalfToPermissions = @($sharedMailbox.GrantSendOnBehalfTo)
    $grantSendOnBehalfToPermissions = $grantSendOnBehalfToPermissions.Where({ $_ -notlike "S-1-5-21*" })
    if ($grantSendOnBehalfToPermissions) {
        foreach ($grantSendOnBehalfToPermission in $grantSendOnBehalfToPermissions) {
            [SharedMailboxPermission]@{
                MailboxDisplayName       = $sharedMailbox.DisplayName
                MailboxEmailAddresses    = $sharedMailbox.EmailAddresses
                MailboxId                = $sharedMailbox.Id
                MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName
                Permission               = "SendOnBehalfOf"
                PermissionExchangeObject = $grantSendOnBehalfToPermission
            }
        }
    }
}   # end foreach ($sharedMailbox in $sharedMailboxes)

As the customer modernized from on-premises to Azure via Azure Automation, the following list captures the aspects that
have to be updated. The changes were mostly an improvement in the experience offered by Azure Automation, leveraging smart integrations with other Azure capabilities and relying little, if at all, on custom scripts.

- Setting up logging & monitoring methods: in the on-premises setup, customers authored custom scripts for logging, which are no longer needed with Azure Automation. Customers use the in-portal Azure Monitor integration to forward logs to Azure Monitor, query logs, and set up alerts for insights.
- Handling certificate authentication: managed identity based authentication provides an improved way to store secrets and passwords without making regular updates to credentials in code. Azure Automation supports both a PS script and a built-in portal experience to configure managed identity.
- Storing passwords and security keys: Key Vault integration with Azure Automation helped the customers transition this on-premises experience seamlessly. The sample PS script below is recommended to enable Key Vault integration.

# Install the SecretManagement module and its Az.KeyVault extension (one-time setup).
Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery -Force
Install-Module -Name Az.KeyVault -Repository PSGallery -Force
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Az.KeyVault

# Inside a runbook, sign in with the Automation account's managed identity so that no
# credential has to be stored in the script.
Connect-AzAccount -Identity | Out-Null

# Register the Key Vault as a SecretManagement vault; $vaultName and $subID are set earlier.
$VaultParameters = @{
    AZKVaultName   = $vaultName
    SubscriptionId = $subID
}
Register-SecretVault -Module Az.KeyVault -Name AzKV -VaultParameters $VaultParameters

# Secrets are then read at run time instead of being embedded in code
# ('ExampleSecretName' is a placeholder for the secret's name in the vault).
$secretValue = Get-Secret -Name 'ExampleSecretName' -Vault AzKV -AsPlainText

If you are currently utilizing Azure Automation for rehosting such lightweight, environment-agnostic operations from on-premises to the cloud, or want to know more details, please reach out to us at askazureautomation@microsoft.com.

Now Open Source: Simplify authoring custom machine configuration policy using the Powershell module!
Teaser: Following the open sourcing of nxtools, we are excited to expand our suite of open-source features by making the GitHub repository of the Guest Configuration PowerShell Module publicly available!
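Returning to the "Rehosting On-Premises Process Automation when migrating to Azure" post earlier on this page: its job ends with a view of "Permissions modified (with timestamps)", which the collection steps shown there do not produce on their own. Getting from a per-run inventory to a change record means comparing this run's records against the previous run's snapshot. The function below is an added example, not the customer's code or anything from Azure Automation: it keys each grant by mailbox, trustee and right, reports grants that appeared or disappeared since the last snapshot, and stamps each change with the observation time. Compare-SharedMailboxPermissionSnapshot is a name chosen for this example; the record shape follows the SharedMailboxPermission objects of that post, and the two snapshots are constructed so the script runs offline.

```powershell
# Added example (not from the original post): turn two permission snapshots into a list of
# granted/revoked changes with timestamps. Compare-SharedMailboxPermissionSnapshot and the
# sample data are this example's own; input records carry the same property names as the
# SharedMailboxPermission objects in the rehosting post.

function Compare-SharedMailboxPermissionSnapshot {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Previous,  # last run's records
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current,   # this run's records
        [datetime] $ObservedAt = (Get-Date).ToUniversalTime()
    )
    # A grant is identified by mailbox + trustee + right. Permission may be an array of
    # rights (e.g. FullAccess, ReadPermission); "$()" joins it into one stable key.
    $keyOf = { param($p) "$($p.MailboxId)|$($p.PermissionExchangeObject)|$($p.Permission)" }

    $previousByKey = @{}
    foreach ($p in $Previous) { $previousByKey[(& $keyOf $p)] = $p }
    $currentByKey = @{}
    foreach ($c in $Current)  { $currentByKey[(& $keyOf $c)] = $c }

    $changes = [System.Collections.Generic.List[object]]::new()
    $emit = {
        param($record, $kind)
        $changes.Add([pscustomobject]@{
            MailboxId  = $record.MailboxId
            Mailbox    = $record.MailboxUserPrincipalName
            Trustee    = $record.PermissionExchangeObject
            Permission = "$($record.Permission)"
            Change     = $kind
            ObservedAt = $ObservedAt
        })
    }
    # Present now but not before: a new grant. Present before but not now: a revocation.
    foreach ($key in $currentByKey.Keys) {
        if (-not $previousByKey.ContainsKey($key)) { & $emit $currentByKey[$key] 'Granted' }
    }
    foreach ($key in $previousByKey.Keys) {
        if (-not $currentByKey.ContainsKey($key)) { & $emit $previousByKey[$key] 'Revoked' }
    }
    return $changes.ToArray()
}

# Constructed snapshots. Previous run: alice held SendAs and FullAccess on the finance mailbox.
$previous = @(
    [pscustomobject]@{ MailboxId = 'mb-001'; MailboxUserPrincipalName = 'finance@contoso.example'; PermissionExchangeObject = 'alice@contoso.example'; Permission = 'SendAs' }
    [pscustomobject]@{ MailboxId = 'mb-001'; MailboxUserPrincipalName = 'finance@contoso.example'; PermissionExchangeObject = 'alice@contoso.example'; Permission = 'FullAccess' }
)
# Current run: alice lost FullAccess and bob gained SendOnBehalfOf.
$current = @(
    [pscustomobject]@{ MailboxId = 'mb-001'; MailboxUserPrincipalName = 'finance@contoso.example'; PermissionExchangeObject = 'alice@contoso.example'; Permission = 'SendAs' }
    [pscustomobject]@{ MailboxId = 'mb-001'; MailboxUserPrincipalName = 'finance@contoso.example'; PermissionExchangeObject = 'bob@contoso.example';   Permission = 'SendOnBehalfOf' }
)

$changes = Compare-SharedMailboxPermissionSnapshot -Previous $previous -Current $current
# Expected: one Granted row (bob, SendOnBehalfOf) and one Revoked row (alice, FullAccess).
$changes | Sort-Object Change, Trustee | Format-Table Mailbox, Trustee, Permission, Change, ObservedAt
```

In the runbook, `$Current` would be the `$sharedMailboxesPermissions` collected by the post's loop and `$Previous` the snapshot persisted by the last job (for instance in the governance SharePoint lists the post reads with Get-PnPListItem, or in a storage account); after the comparison, the current snapshot is written back as the next run's baseline. Emitting the change rows with Write-Output lets Azure Automation's job logs and the Azure Monitor integration carry them, so an alert can fire on any `Granted` row for a mailbox that should not gain trustees, which is the audit signal the original monolithic script was built to produce.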