Azure EA Portal – Account Owner must be Unique

Just want to fill in a gap in our public documentation.  The Account Owner ID (displayed as email address) must be unique across the Azure environment (i.e. unique across the entire public cloud or the entire Azure Government cloud).

This is because subscriptions created by the Account Owner inherit settings like enrollment ID, AD tenant, etc. from the Account Owner.  If the Account Owner sits in two enrollments, the subscription won’t know which to inherit from.

Explained: Azure Enrollments, Tenants, and Subscriptions

When my customers get started with Azure, one of the first things that trips them up is the terminology.  This is a quick primer of the terms you’ll encounter as you begin your journey.

Azure Enrollment

The Azure enrollment is an Azure usage agreement, often tied to a Microsoft Enterprise Agreement.  One enrollment = one bill.  Under the enrollment you create Azure accounts, subscriptions, and ultimately resources (VMs, storage, DBs).

https://docs.azure.cn/en-us/articles/azure-global-purchasing-guidance/go-global-playbook-purchase-process-of-enterprise-azure

Azure Tenant

A tenant is an instance of Azure Active Directory (AAD).  A tenant is similar to a Windows AD domain.  Within the AAD you can have users, groups, etc.  Each instance of Azure, O365, Dynamics, etc. requires a tenant.  These tenants can be shared, or you can use a unique instance for each one.

*each subscription can use a separate tenant*

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

Azure Subscription

An Azure subscription is the unit where all resources (VMs, DBs, etc.) reside.  This is the highest level in an enrollment that can incur charges.  A subscription is equivalent to an AWS account.


see also https://docs.microsoft.com/en-us/office365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings

Choosing the right Azure Environment – Should I use the Public or the Government Cloud?

One of the first things I discuss with new government customers is where they want to deploy – Azure Commercial (aka the public cloud) or Azure Government.  Many organizations feel that they should “obviously” be in the government cloud because they are either part of the state, local, or federal government or work closely with those groups.

The fact is Azure Government exists to meet a specific set of guidelines that government agencies often (but not always) must follow (FedRAMP, DISA IL4, ITAR, etc.).  Each organization needs to understand which attestations/certifications/regulations matter to them and choose the LEAST RESTRICTIVE cloud environment that meets those stipulations.

The truth is most “government” organizations in the United States use Azure [commercial] either exclusively or for at least some of their cloud space.

When making your decision:

  1. Take time to see which environments meet your needs.  Many people are surprised at how robust the Azure [commercial] compliance space is.  https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
  2. Take our 1.5hr FREE online class that goes into greater detail on what Azure Government is and is not.  https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/
  3. Take a look at the list of services you need versus those available at https://azure.microsoft.com/en-us/global-infrastructure/services/
  4. Take a look at the table below for the quick and dirty overview of both environments.
| Comparison Point | Microsoft Azure Commercial (MAC) | Microsoft Azure Government (MAG) |
| --- | --- | --- |
| Operational staff | Microsoft screening | Screened US citizens |
| Physical security | Biometrics, isolation, fencing, etc. | Same as MAC |
| Scope of offering | All Azure features | Features limited by certification |
| Portal (ARM) | https://portal.azure.com | https://portal.azure.us |
| Pricing concerns | Base pricing, minus EA/commitment discount (if any) | Base pricing, plus MAG premium, minus EA/commitment discount (if any) |
| Availability | Anyone, on demand | Requires approval from Microsoft |
| Identity (Azure AD) | Integrates Office 365 & 3rd party SaaS | Isolated, no integration |
| Coverage | World Wide | CONUS only (traffic will not leave the US) |

Bitlocker and Domain Controller Logical Disks

Recently I had a customer hit an issue that was hard to resolve…..until we stopped looking at the data and reconsidered our design.

What We Had

  1. Virtual DC (Hyper-V guest running in Azure, but the location and virtualization doesn’t matter!)
  2. C$ OS, E$ Sysvol/NTDS
  3. Bitlocker enabled for all drives

What Happened

The customer installed a relatively small and innocent piece of software, rebooted, and then we entered the BSOD loop — hard to see since it was on a guest in Azure.  After working through the night on the Azure aspect and out of ideas, we asked an AD guru to take a look.  Within minutes he had figured it out!

So what was going on?

  1. When the VM boots up, it tries to unlock the OS drive first. This OS disk key is stored in AD (accessible on another DC) or in a 3rd party tool, like CloudLink
  2. Once the OS is unlocked, Bitlocker frantically tries to unlock any data drives…..
  3. Meanwhile AD services are starting up (among the first services), but they can’t get to the AD database (it’s sitting on that still-locked E$…..)
  4. AD determines it can’t get to its database, crashes, throws the BSOD (with a nice pause so you can frantically try to write down the error message), and then reboots the server.
  5. The cycle repeats….

Basically our DC is so secure, even we can’t use it!  Luckily a DC is easily rebuilt and we all know better than to only have a single DC in the domain, right?

Lesson Learned

If you want to Bitlocker your DCs, put all those critical DC bits on the C$!
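A pre-flight check for the layout described above, written as an added example (not code from the original post): it reads the NTDS database, NTDS log and SYSVOL paths a DC uses at service start from the standard NTDS and Netlogon registry keys, flags any that sit off the OS volume, and reports that volume's BitLocker state where the BitLocker module is available.

```powershell
# Added example: verify that the paths AD DS needs at boot live on the OS volume.
# Registry value names are the standard NTDS/Netlogon ones; run elevated on the DC.
function Test-DcPathsOnSystemDrive {
    [CmdletBinding()]
    param()

    $ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Paths AD DS must reach before the data volumes are auto-unlocked
    $paths = [ordered]@{
        'NTDS database' = (Get-ItemProperty -Path $ntds -Name 'DSA Database file').'DSA Database file'
        'NTDS logs'     = (Get-ItemProperty -Path $ntds -Name 'Database log files path').'Database log files path'
        'SYSVOL'        = (Get-ItemProperty -Path $netlogon -Name 'SysVol').SysVol
    }

    $systemDrive = $env:SystemDrive   # e.g. C:
    $results = foreach ($entry in $paths.GetEnumerator()) {
        $drive    = ([System.IO.Path]::GetPathRoot($entry.Value)).TrimEnd('\')
        $onSystem = ($drive -ieq $systemDrive)

        # Only data volumes matter here: the OS volume is unlocked before services start
        $blStatus = $null
        if (-not $onSystem -and (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
            $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
            if ($bl) { $blStatus = "$($bl.VolumeStatus); AutoUnlock=$($bl.AutoUnlockEnabled)" }
        }

        [pscustomobject]@{
            Item          = $entry.Key
            Path          = $entry.Value
            Drive         = $drive
            OnSystemDrive = $onSystem
            BitLocker     = $blStatus
        }
    }

    $offSystem = @($results | Where-Object { -not $_.OnSystemDrive })
    if ($offSystem.Count -gt 0) {
        Write-Warning ("{0} critical AD DS path(s) are outside {1}; BitLocker on those volumes can leave AD DS without its database at boot." -f $offSystem.Count, $systemDrive)
    }
    $results
}

Test-DcPathsOnSystemDrive | Format-Table -AutoSize
```

Run it before enabling BitLocker on a DC's data drives, or on an existing DC to confirm the layout matches the lesson above.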

A big thanks to John Bay, our AD guru!


*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2016/01/bitlocker-and-domain-controller-logical-disks/

Moving Azure Images from the Commercial to the Azure Government Cloud (MAG)

*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2016/04/moving-azure-provider-images-from-the-commercial-to-azure-government-cloud-mag/

Sometimes we see customers move Microsoft-provided images from the Azure commercial cloud to the Azure Government (MAG) cloud.  While this is technically supported, there are several things to consider.  Microsoft-provided images contain configuration settings that are specific to the cloud environment.  When you move the VM (by moving the VHD), you risk having the wrong settings for your new cloud location.

Below is a list of settings that need to be changed.  This is NOT comprehensive and will be updated as needed.  Keep in mind the various endpoints that differ between the clouds as well (https://azure.microsoft.com/en-us/documentation/articles/azure-government-developer-guide/).

| Setting | Commercial Value | MAG Value |
| --- | --- | --- |
| KMS | kms.core.windows.net:1688 | kms.core.usgovcloudapi.net:1688 |
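A check for the KMS setting in the table, written as an added example (not code from the original post): it reads the KMS host and port Windows has configured under the SoftwareProtectionPlatform registry key, compares them with the two endpoints above, and uses slmgr.vbs to repoint a migrated VM at the MAG endpoint. The $KmsEndpoints values come from the table; everything else is assumed.

```powershell
# Added example: detect a commercial KMS endpoint on a VM moved to MAG and correct it.
$KmsEndpoints = @{
    Commercial = 'kms.core.windows.net:1688'        # value from the table above
    MAG        = 'kms.core.usgovcloudapi.net:1688'  # value from the table above
}

function Get-ConfiguredKms {
    # Explicit KMS host set with slmgr /skms lands in these two values
    $spp = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $p = Get-ItemProperty -Path $spp -ErrorAction SilentlyContinue
    if ($p -and $p.KeyManagementServiceName) {
        $port = if ($p.KeyManagementServicePort) { $p.KeyManagementServicePort } else { '1688' }
        return "$($p.KeyManagementServiceName):$port"
    }
    return $null   # no explicit KMS host; Windows falls back to DNS discovery
}

function Set-MagKms {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-ConfiguredKms
    switch ($current) {
        $KmsEndpoints.MAG        { Write-Host "KMS already points at MAG ($current)"; return }
        $KmsEndpoints.Commercial { Write-Warning "Commercial KMS endpoint found ($current); VM will not activate in MAG" }
        default                  { Write-Host "Current KMS setting: $(if ($current) { $current } else { '<none>' })" }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set KMS host to $($KmsEndpoints.MAG)")) {
        $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
        cscript.exe //nologo $slmgr /skms $KmsEndpoints.MAG   # set the KMS host:port
        cscript.exe //nologo $slmgr /ato                      # attempt activation against it
    }
}

Set-MagKms -WhatIf   # drop -WhatIf to apply
```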

OMS – Azure Activity Logs Solution – Access to the Subscription was Lost

Error

Seen in the Azure Activity Logs solution view.

Detail: Access to the subscription was lost. Ensure that the XXX subscription is in the XXX Azure Active Directory tenant. If the subscription is transferred to another tenant, there is no impact to the services, but information for the tenant could take up to an hour to propagate.
SourceSystem: OpsManager
SoureComputerID: all zeros
OperationStatus = Failed
OperationCategroy = Azure Activity Log Collection
Solution: AzureActivity


Possible Causes

  1. OMS is attempting to reach a subscription that has been deleted or is expired
  2. The AAD tenant associated with the subscription has changed


Solution

Method 1:

Disconnect the “problem” subscription from the Azure Activity Logs via the Azure ARM Portal.

  1. Open the ARM Portal
  2. Go to Log Analytics -> [your workspace] -> Azure Activity Logs (under Workspace Data Sources)
  3. From the listing of subscriptions, select the one you wish to disconnect
  4. In the new blade, click “Disconnect” from the blade header

Method 2:

Remove the OMS Azure Activity Logs solution (also known as Activity Log Analytics) either via the OMS portal or the Azure ARM Portal.  Then re-add the solution to your workspace.

Notes:

  • do NOT delete Log Analytics from the ARM portal.  This is NOT a solution and will delete your OMS workspace
  • Removing the Azure Activity Logs solution will NOT delete existing data.  Once you re-add the solution all events will reappear

*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2017/03/oms-azure-activity-log-error-access-to-the-subscription-was-lost/

Using OMS to Alert on Azure Service Outages

If you are unable to alert from the Azure Portal, or simply wish to have all your alerting from one source, consider leveraging OMS (Operations Management Suite).  With the free tier option (7 days of data retained) there is no additional cost!

Azure Service events are logged automatically in the Azure Portal –> Monitoring –> Activity Log (only incidents believed to impact your subscription(s) will be listed).  This article will show you how to use OMS to review and alert on these events.



Setup OMS (if you do not already have an OMS workspace)

1. Create a new workspace – https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-get-started#2-create-a-workspace

  • select the free pricing tier unless you have further plans for OMS


Configure OMS to Pull the Azure Activity Logs

1. Add the Activity Logs Analytics solution – https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-get-started#3-add-solutions-and-solution-offerings (only steps 1-4 are required)


Setup Alerting

1. Open the OMS portal (URL varies based on your cloud)

2. Click on Log Search

3. In the query window, enter: Type=AzureActivity Category=ServiceHealth

    • This looks for events in the Azure Activity Logs of category Service Health.  This is how Azure Service outages are categorized in the Azure Activity Logs
    • It is OK if no results are returned.  That just means there were no Azure Service Incidents that impacted your subscription in the selected time range.


4. Click Alert in the top left

5. Configure the alerting options (see https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-creating#create-an-alert-rule for more details)


*The alert runs every 15 min (alert frequency) and looks for events matching the query that were raised in the past 15 min (time window).  If more than 0 are found (number of results), an email is sent to all recipients listed.  These emails do NOT need to be associated with an Azure logon, etc.  Any publicly routable email address will work.

Your recipients will now receive an email for Azure Service incidents.  It will look something like this:


*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2017/03/using-oms-to-alert-on-azure-service-outages/

The OMS Agent for Azure Government – A Cheat Sheet

Below are the quick and dirty details you need to connect your Windows servers to OMS hosted in Microsoft Azure Government (MAG).  Any server with internet access can report to an OMS workspace (including but not limited to servers located on-premises, in the Azure Commercial cloud, hosted by other cloud providers, etc.).

Initial Install

  1. Azure Extension –  Note: Azure VMs only, and the VM must be in the same subscription as the OMS Workspace.  In portal.azure.us go to Log Analytics –> Your Workspace –> Workspace Data Sources –> Virtual Machines –> Connect the desired VM (click on the VM, then click Connect in the new blade).  The extension installs the full OMS agent on your VM.  For details see https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-vm-extension
  2. OMS Agent (MSI) – the MSI can be installed interactively or via command line.  Download the agent from the OMS Portal (settings –> connected sources –> Windows Servers).  For full details, see https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#download-the-agent-setup-file-from-oms
    1. If installing the agent interactively, be sure you specify the cloud as Azure Government
    2. If installing the agent via the command line, you’ll need to use the OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=1 parameter to point to Azure Government.   For example:
      1. run: extract MMASetup-AMD64.exe
      2. then run: setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=1 OPINSIGHTS_WORKSPACE_ID=yourid OPINSIGHTS_WORKSPACE_KEY=yourkey AcceptEndUserLicenseAgreement=1

Adding an OMS Workspace to an Existing Installation

To update an existing OMS or SCOM agent to point to a new/additional OMS workspace you can either manually configure the new workspace via the GUI or leverage PowerShell.

1.  Interactively via the GUI, see https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-an-agent-manually-or-add-additional-workspaces

2.  Programmatically via PowerShell.  Note: the 1 at the end of the AddCloudWorkspace cmdlet indicates the workspace is in Azure Government.

# Placeholders: replace with your Azure Government workspace ID and primary key
$workspaceId  = "yourworkspaceID"
$workspaceKey = "yourkey"

# The MMA agent configuration COM object
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
# Third argument is the cloud type; 1 = Azure Government
$mma.AddCloudWorkspace($workspaceId, $workspaceKey, 1)
$mma.ReloadConfiguration()
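An idempotent version of the snippet above, written as an added example (not code from the original post): it checks whether the agent already reports to the workspace before adding it, then reads the agent's connection status for that workspace back from the same COM object. The function name and parameters are assumed; the cloud type value 1 for Azure Government is the one used in the post.

```powershell
# Added example: add a MAG workspace to an existing MMA agent only if missing, then verify.
function Add-MagWorkspace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,   # placeholder: your workspace ID
        [Parameter(Mandatory)][string]$WorkspaceKey   # placeholder: your workspace key
    )
    $AzureGovernmentCloudType = 1   # same value as the post's AddCloudWorkspace call

    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

    # Skip the add (and the config reload) if this workspace is already configured
    $existing = @($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })
    if ($existing.Count -gt 0) {
        Write-Verbose "Workspace $WorkspaceId already configured on this agent"
    } else {
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey, $AzureGovernmentCloudType)
        $mma.ReloadConfiguration()
        Start-Sleep -Seconds 15   # give the service a moment to attempt the connection
    }

    # Report the agent's view of the workspace; ConnectionStatusText is human-readable
    $ws = $mma.GetCloudWorkspace($WorkspaceId)
    [pscustomobject]@{
        WorkspaceId      = $ws.workspaceId
        AgentId          = $ws.AgentId
        ConnectionStatus = $ws.ConnectionStatus
        StatusText       = $ws.ConnectionStatusText
    }
}

Add-MagWorkspace -WorkspaceId 'yourworkspaceID' -WorkspaceKey 'yourkey' -Verbose
```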

*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2017/05/the-oms-agent-for-azure-government-a-cheat-sheet/


Working with Azure ARM VMs, Images, and Unmanaged Disk (Storage Accounts)

A lot of the pre-managed disk documentation has become hard to find.  Below is a cheat-sheet on where to find the documents you need to work with Azure ARM VMs, images, and storage accounts.

Create an Azure VM from custom image (VHD) – https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sa-upload-generalized

Create an Azure VM from existing VHD – https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sa-create-vm-specialized

Create an Azure VM Image (and VM) from existing Azure VM – https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sa-copy-generalized

*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2017/07/working-with-vms-images-and-unmanaged-disk-storage-accounts/

The Importance of a Growth Mindset in a Technology First World

This week I attended an internal Microsoft conference. The little group I spend my week with was fairly diverse – largely American but with Finnish, Israeli, and Indian participants; male and female; some from large cities other from small towns. This group broke the cardinal rule of polite conversation and discussed religion, politics, and diversity at length…..without antagonism! How did we manage this? We give credit to the growth mindset fostered at Microsoft and essential to survival in a cloud-first world.

Growth Mindset

For those of you not familiar with the concept of a growth mindset, psychologist Carol Dweck describes it as follows:

In a fixed mindset students believe their basic abilities, their intelligence, their talents, are just fixed traits. They have a certain amount and that’s that, and then their goal becomes to look smart all the time and never look dumb. In a growth mindset students understand that their talents and abilities can be developed through effort, good teaching and persistence. They don’t necessarily think everyone’s the same or anyone can be Einstein, but they believe everyone can get smarter if they work at it.

As babies we are born with a growth mindset. We are constantly trying new things, right or wrong, eager to learn and improve. The result is important (i.e. learning to walk and talk) but so is the journey – think of parents applauding every attempt to stand, crawl, and walk for months in addition to the final accomplishment of walking. Over the years though, we are retrained by society to focus on results or accomplishments. Kids won’t raise their hand in class because having the wrong answer is worse than no answer. Kids don’t try out for sports because they are worried they won’t make the team. Without correction, these kids become adults with a fixed mindset – more focused on how they are perceived than actually being intelligent. Often these individuals come to believe they have all the required answers and are unwilling to accept additional information that challenges their views.

My Personal Journey

For me, three key items helped me transition to a growth mindset. This was a very natural journey for me, but also difficult. So much of my self-worth and identity was wrapped up in “being right” and I had to sacrifice my ego to grow.

1. Having conclusive evidence that I wasn’t the smartest. When one friend scored a 1600 on the SAT and another’s science fair project on chaos theory placed at state (in 7th grade!), I had to accept there is often more than one “smart person” in a room. If your ego prevents you from learning from others you can’t have a growth mindset; you must decouple your ego from your “smart person” status.

2. Dating a person who challenged me. When I began dating my now-husband, my ego took a huge hit. He kept beating me at games, trivia, and even remembering key data points. I was used to being “always right” and was forced to realize that maybe I didn’t know as much as I thought.

3. Talking with children. Kids are endlessly curious and it’s infectious. When my son was a preschooler he asked me, “what is the difference between a seed and a nut?” After a brief pause I replied, “I don’t know. Let’s look that up.” Children are a constant reminder that adults still have so much to learn about our world and how things work. Just because we are out of school does not mean we are done learning.

How does this impact you?

All of us live in a technology-driven society that constantly changes. And it’s not just the technology that changes, it’s anything that technology touches…which is EVERYTHING. Doctors, mechanics, parents, teachers all take continuing education. Having a fixed mindset will at best hold you back and at worst lead to poor decisions that could have deadly consequences. Having a growth mindset allows you to take advantage of the latest discoveries, innovations, and all the benefits they offer.

A growth mindset is key to succeeding in information technology. Standards from five years ago are fading, those from ten years ago are archaic, and those from 15+ years ago are almost completely gone. We must build on the past as we reach toward the future. We must be willing to try new technologies and IT strategies. Do new paradigms and technologies scare you? If so, take time to evaluate why. One of the common reasons is fear — fear of change, fear of uncertainty, fear of becoming obsolete. With a growth mindset, these concerns are opportunities to grow, not possibilities to fear.

Summary

My advice? Keep trying new things and keep learning!

  • Learn a new skill (for work or fun)
  • Read
  • Travel or watch programming that exposes you to different cultures and ways of life
  • Listen and learn from those around you
  • Surround yourself with smart people
  • Go outside your comfort zone

Only by learning and taking risks will you stay afloat. By learning continually, you can thrive.

previously posted on https://blogs.msdn.microsoft.com/nicole_welch/2018/02/the-importance-of-a-growth-mindset-in-a-technology-first-world/