Using AzureAD Conditional Access to block a Native App

Last week I was asked to research a scenario where the customer wants to block the use of a native app and only wants to allow the browser experience from compliant devices. My first answer was that this was difficult to implement. But after looking into AzureAD Conditional Access, it was relatively easy to configure. In this series of blogposts I’m using Microsoft Teams as an example. I’m focusing on these scenarios: the first scenario is blocking the Microsoft Teams native app and only allowing browser access to Microsoft Teams, and the second scenario is only allowing the Microsoft Teams app and blocking browser access.

Prevent an Azure AD MFA User Lockout

Within Azure Multi-Factor Authentication, a user can configure multiple options for the second-factor authentication. Besides those options, the user can also configure multiple phone numbers within Azure Multi-Factor Authentication which can be used for the second-factor authentication. But in practice most users will only configure one phone number. When the user then loses their phone or access to their number, the user cannot use Azure MFA anymore. The user cannot change the phone number because a second-factor authentication is needed to access this information. So, this means that the user is locked out of Azure MFA and the only solution in this scenario is to call the Helpdesk and change the phone number. But there is a solution which prevents a user MFA lockout. This can be achieved by simply configuring a phone number in the user's account in your Active Directory or Azure Active Directory.

Using Azure MFA cloud based protection with the RD Gateway

Last week Microsoft released Azure MFA cloud-based protection for your on-premises servers/devices. In this blogpost Microsoft announced this functionality and showed how this can be used with a VPN device. Before yesterday you had to install the Azure MFA Server to provide MFA to RDS sessions through the RD Gateway. Since the MFA Server and the cloud-based MFA were different systems with different settings for users, this was not the most ideal situation. But with this new functionality we can use the cloud-based MFA for the RD Gateway role. If you’re looking for a detailed description of how to set up the RD Gateway with the on-premises MFA servers, please check this blogpost.

Creating a Storage Spaces Direct Performance Dashboard

In this blogpost I want to show you how you can easily create a PowerBI dashboard based on Storage Spaces Direct performance metrics. PowerBI is great at visualizing data and reports are easy to create. Before you can execute the steps in this blogpost you will need to create a PowerBI account on https://www.powerbi.com. I’ve tested the blogpost below with a PowerBI Pro account, but based on this page it should also work with a PowerBI free account. As for Storage Spaces Direct, this blogpost is based on Windows Server 2016. I’ve not tested this on earlier versions and I expect that this only works on 2016 and later. I’ve created this blogpost to monitor my S2D environment hosting the Remote Desktop Services User Profile Disks, so expect that this dashboard focuses on delivering an overview for that purpose.

Sizing the RDS 2016 Connection Broker DB to Azure SQL Database

With Remote Desktop Services 2016 we can use Azure SQL Database for hosting the RD Connection Broker (RDCB) database. Back in the RDS 2012 days we had to build either a SQL Mirroring or a SQL Always On solution to provide High Availability to the RD Connection Broker database. Both SQL HA solutions were expensive, especially on Azure. As a best practice, SQL needed to have premium storage for hosting the data and log files. Now with RDS 2016 we can use Azure SQL Database for the RD Connection Broker database, but how about sizing the Azure SQL Database service? In Azure SQL Database you cannot simply choose the number of CPU cores and the amount of memory which you want to use. On the Azure SQL Database platform the performance is measured in Database Transaction Units (DTUs). In this blogpost I want to explain how you can collect some performance metrics from your existing SQL Server and size your Azure SQL database.

Deploy your HA RDS environment through an Azure ARM template

Last week I finally published my first Azure ARM template for deploying an RDS environment. This template was based on an Azure AD Domain Services environment and depends on the Azure AD Application Proxy for publishing the RD Web and RD Gateway roles. The good news for this deployment was that no DMZ was necessary. The bad news was that the UDP channel of the RD Gateway cannot be used. Today I will publish a template which is based on an existing Azure Active Directory (not specifically Azure AD Domain Services) and on publishing the RD Web and RD Gateway roles in the DMZ for publishing the environment. This template basically re-uses 75% of the template and scripts of the Cloud Only Deployment.

How to Deploy your ‘Cloud-Only’ RDS environment – Part 5

After my visit to the MVP Summit and speaking at ExpertsLive, I finally have some time to produce some blogposts which were sitting on the backlog of my blog. I’m starting with the last part in the series ‘how to deploy your cloud-only RDS environment’. Parts 1 through 4 describe the environment and give the instructions for creating the same environment in your own subscription. In this last blogpost I’m describing how to deploy the RDS environment with an Azure ARM template. In parts 3 and 4 I already explained the scripts used by the template to deploy a Storage Spaces Direct cluster and the Remote Desktop Services environment. With an Azure ARM template we can deploy all the needed resources on Azure and also execute the scripts on these servers.

How to Deploy your ‘Cloud-Only’ RDS environment – Part 4

This week I made some really nice progress in achieving my end goal: ‘an automated Cloud Only Remote Desktop Services deployment’. This series consists of multiple blogposts; each blogpost covers a section which describes in detail how to configure the technology used. In the first blogpost of the series I described that this series is based on a CloudOnly deployment of RDS 2016 with as many PaaS services as possible and using Azure ARM templates for deploying the resources. The good news is that with all the progress made this week I have a working deployment which creates all the resources and configures Storage Spaces Direct as a highly available storage solution and a highly available Remote Desktop Services environment.

How to Deploy your ‘Cloud-Only’ RDS environment – Part 3

In this series of blogposts I’m showing you how you can deploy your ‘Cloud-Only’ RDS environment. This environment consists of as many PaaS services as possible and all components are hosted on Microsoft Azure. In the first blogpost I explained how to create and prepare Azure AD Domain Services together with the corresponding Virtual Networks. In the second post I described the deployment of all Remote Desktop Services resources and roles through an Azure ARM template and explained how the initial configuration can be done from this template. In this blogpost I want to focus on providing highly available storage for hosting the User Profile Disks. Since the GA of Windows Server 2016 we can use Storage Spaces Direct for this. So this blogpost describes the deployment and configuration of a Storage Spaces Direct cluster from an Azure ARM template.

My Personal ‘EMS / RDS’ Ignite Recap

Unfortunately, this year it was not possible for me to attend the Ignite conference, so the news reached me through the social media platforms. One week later I want to summarize some important announcements and news presented at Ignite. Of course the most important announcement was the General Availability of Windows Server 2016 and System Center 2016. Windows Server can be downloaded as an evaluation from this location and will become available on MSDN later this month. But what about the other announcements about Remote Desktop Services presented in several sessions at Ignite?