You need reliable backup and restore of for your data, within hours – not weeks or months. Microsoft 365 Backup is your in-place solution for lightning-fast restorability, ensuring business continuity. We appreciate the value our partner ecosystem brings to extend our core offering.

On this episode, guest host, Brad Gussin (Principal PM Manager on the SharePoint team) and me provide an overview of the core Microsoft offering. You’ll then hear Brad (Microsoft) interview our valued partner, Brad Kirby (Senior Director of Product Management at Commvault) about their integration of Commvault Cloud with our Microsoft 365 Backup storage platform – extending data recoverability and searchability.

OK, this episode is all backed up and ready to restore your backup and recovery knowledge base.

The Intrazone, episode 112:

Subscribe to The Intrazone podcast + show links and more below.

Data sheet screenshot: Commvault® Cloud: Backup and Recovery for Microsoft 365®.

Microsoft 365 Backup screenshot from one of the steps on the Microsoft 365 admin center: Choose a recommended restore point from ‘Select a faster restore point’ which offers a faster restore compared to standard restore points.

Links to important on-demand recordings and articles mentioned in this episode:  

Hosts, guests, and related links and information

Brad Kirby (Commvault) | LinkedIn | @Commvault [guest]
Brad Gussin | LinkedIn [guest co-host]
SharePoint | Facebook | @SharePoint | SharePoint community blog | Feedback
Mark Kashman |@mkashman [co-host]

Related videos, common admin articles and sites

“Microsoft Announces General Availability of Microsoft 365 Backup and Microsoft 365 Backup Storage” by Zach Rosenfield [July 31, 2024]
Learn more about Commvault’s Microsoft 365 Backup solution
Learn more about Microsoft 365 Backup (adoption.microsoft.com)
Watch “The Ins and Outs of Microsoft 365 Backup & Archive“
Microsoft Docs – The home for Microsoft documentation for end users, developers, and IT professionals.
Microsoft Tech Community Home
Stay on top of Office 365 changes
Listen to other Microsoft podcasts

Upcoming Events

TechCon365 – DC | Washington DC | Aug. 12-16, 2024
CollabDays Hamburg | August 31, 2024 – Hamburg, Germany
Microsoft Power Platform Conference | September 18-20 – Las Vegas, NV, USA
CollabDays Portugal Porto 2024 (previously CollabDays Lisbon)| Sept. 21 Venue: Instituto Superior de Engenharia do Porto
CollabDays New England | October 18-19, 2024 – Burlington, Massachusetts, USA
TechCon365 – Dallas | Nov. 11-15, 2024 | Dallas, TX, USA
Microsoft Ignite (+ more info) | Nov 18-22, 2024, “Save the date,” Chicago, IL 
ESPC | European SharePoint Conference | Dec 2-5, 2024 | Stockholm, Sweden

+ always review and share the CommunityDays.org website to find your next event.

Subscribe today!

Thanks for listening! If you like what you hear, we’d love for you to Subscribe, Rate and Review on iTunes or wherever you get your podcasts.

Be sure to visit our show page to hear all episodes, access the show notes, and get bonus content. And stay connected to the SharePoint community blog and where we’ll share more information per episode, guest insights, and take any questions or suggestions from our listeners and SharePoint users via email at TheIntrazone@microsoft.com.

Get The Intrazone anywhere and everywhere

Main show page

Apple Podcasts

Spotify

Pandora

TuneIn

Podchaser

iHeart

RSS feed

Listen to other Microsoft podcasts at aka.ms/microsoft/podcasts.

The Intrazone, a show about the Microsoft 365 intelligent intranet (aka.ms/TheIntrazone)

​Microsoft Tech Community – Latest Blogs –Read More 

Microsoft Azure Red Hat OpenShift (ARO) has taken a significant step forward in empowering organizations with greater control over their cluster security. The “bring your own” Network Security Group (NSG) feature offers a flexible approach to managing network security for ARO clusters. Let us explore this feature and see how it can benefit your organization.

What is an NSG?

Network Security Groups (NSGs) are crucial for maintaining robust security and efficient traffic management within cloud environments. They provide essential control over network traffic by defining rules that determine which IP addresses, ports, and protocols are allowed or denied, thereby safeguarding resources from unauthorized access and cyber threats. By segmenting security policies according to specific network segments or resources, NSGs enable tailored and precise protection, ensuring sensitive data and systems are shielded while allowing necessary traffic to flow seamlessly. Additionally, NSGs support compliance with regulatory standards by enforcing strict access controls and facilitating effective monitoring and auditing of network activity. Overall, NSGs play a vital role in securing cloud infrastructure, making network management more streamlined and responsive to evolving security needs.

Understanding the NSG Challenge

Traditionally, when creating an ARO cluster, the ARO Resource Provider (RP) would generate a dedicated resource group containing cluster-specific resources, including Network Security Groups (NSGs).

While this approach ensured a baseline level of security, organizations often sought more flexibility and control over their network security configurations. The new “bring your own” Network Security Group (NSG) feature addresses these needs by offering:

Enhanced Control: Customers can now configure NSGs to meet their specific security requirements.
Organizational Alignment: The ability to customize NSGs allows for better alignment between security, networking, and cluster operations teams.
Improved Compliance: Organizations can now more easily implement specific network rules to meet strict security policies and regulatory requirements.
Flexibility for Networking Teams: Network administrators can implement their own rules and adapt the NSGs to fit within broader network security strategies.
Customized Approach: The new feature accounts for the diverse security needs of different industries and organizational structures.

These enhancements provide customers with greater control over their network security in ARO environments. Organizations needed a way to maintain the benefits of a fully managed OpenShift service while still having the flexibility to implement their own security policies and network rules.

The “Bring Your Own NSG” Solution

In response to these customer demands, ARO now offers the ability to attach your own preconfigured NSG to the ARO cluster subnets. This NSG resides in your base or VNET resource group, giving you full control over its rules throughout the cluster’s lifecycle.

Key Benefits:

Customization: Tailor your network security rules to match your organization’s specific requirements.
Flexibility: Add or remove rules as needed, even after the cluster is created.
Compliance: Ensure your ARO clusters align with your company’s security policies and regulatory requirements.

Use Case: Financial Services Company

Let us consider a financial services company, FinSecure, that wants to deploy an ARO cluster for their trading platform. They have strict security policies that require:

Limiting API (Application Programming Interfaces) server access to specific IP ranges
Controlling inbound traffic to their OpenShift router
Implementing custom rules for their Kubernetes services

Implementation:

Create a VNET with master and worker subnets.
Create rule specific preconfigured NSGs and attach them to the subnets. See documentation for rule requirements for your preconfigured NSG.
Deploy the ARO cluster using the new feature:

Update the NSGs with FinSecure’s custom rules:

   – Allow inbound traffic to port 6443 only from FinSecure’s office IP range

   – Restrict access to ports 80 and 443 on the OpenShift router

   – Implement specific rules for their Kubernetes services

By leveraging this new feature, FinSecure can maintain a robust security posture while enjoying the benefits of Azure Red Hat OpenShift.

Considerations and Limitations

While this feature offers great flexibility, it is important to note a few key points:

– NSGs must be attached to both master and worker subnets before cluster creation.

– The feature can only be enabled during cluster creation, not for existing clusters.

– Manual updates to NSG rules are required when creating new Kubernetes LoadBalancer services or OpenShift routes.

– Certain rules must be added to ensure the service can run its operations. Please see the documentation for these rules.

Conclusion

The “bring your own NSG” feature for Azure Red Hat OpenShift clusters represents a significant step forward in cloud-native security customization. By offering greater control over network security, Microsoft and Red Hat are empowering organizations to confidently deploy and manage OpenShift clusters in Azure while adhering to their unique security requirements.

As you explore this capability, remember to carefully plan your NSG rules and keep them updated as your cluster evolves. With the right approach, you can create a secure, compliant, and flexible OpenShift environment in Azure that meets your organization’s specific needs.

Availability and Getting Started

ARO customers can start using this feature immediately when creating new clusters. To enable the feature, simply use the –enable-preconfigured-nsg flag when creating a new ARO cluster using the Azure CLI (command-line interfaces), as demonstrated in the use case above. This feature is available for all ARO clusters running OpenShift version 4.12 and onwards.

New customers can get started by following these steps:

Set up an Azure subscription if you do not already have one.
Install the Azure CLI and log in to your account.
Create a resource group, VNET, and subnets for your ARO cluster.
Create and configure your custom NSGs.
Use the az aro create command with the –enable-preconfigured-nsg flag to create your cluster.

For more detailed information and best practices, visit the official Azure Red Hat OpenShift documentation at https://docs.microsoft.com/en-us/azure/openshift/ and the Red Hat OpenShift documentation at https://docs.openshift.com/.

For technical support and troubleshooting, please refer to the Azure support channels or contact Red Hat support if you have an OpenShift subscription

Resources:

Bring your own Network Security Group to Azure Red Hat OpenShift – Azure Red Hat OpenShift | Microsoft Learn

Getting started with ARO:

Red Hat OpenShift Kubernetes

OpenShift vs Kubernetes: What’s the Difference?

eBook, Getting started with Azure Red Hat OpenShift

Azure Red Hat OpenShift Workshop

​Microsoft Tech Community – Latest Blogs –Read More 

this appears to be set but does not work

​this appears to be set but does not work   Read More

​

Overview: 

Azure Administrators often come across challenges while tracking multiple Azure role assignments and removals. At present Azure provides Activity Logs but they make less sense to non-techsavy stakeholders. For example it includes Role Id, Principal Id but doesn’t indicate Role names and Principal names which can make the report more readable. To ensure proper tracking and accountability, we need a comprehensive report that includes the following details:

Initiator and Timestamp
User/Group/Principal assigned/removed
Role assigned/removed
Scope of the Attempt   
          

Pre-Requisites:

Export subscription level Activity Logs to a Log Analytics Workspace. For this navigate to Subscription > Activity log > Export Activity Log > Add Diagnostic Setting 

Add Diagnostic Setting to export Administrative logs to a Log Analytic Workspace of your choice and hit the save button:
 

Navigate to the Workspace and Retrieve the Workspace ID from the overview section, we’ll require this in our script.

Solution:

We have created a solution that retrieves and refines information from the Log Analytic Workspace stored Activity Logs and creates a readable CSV report.

Sample Output:

PowerShell Script:

Please replace with appropriate workspace ID(line 32,33) and output CSV file path(line 57, 78). You can provide same values for both at multiple places. Based on the requirement and Log Analytics Retention the no. of days can also be edited(line 6,20)

#Login Azure Account
Add-AzAccount

#Log Analytics query for retrieving Role Assignment addition activities for the past 2 days
$addqr = ‘AzureActivity
| where TimeGenerated > ago(2d)
| where CategoryValue =~ “Administrative” and OperationNameValue =~ “Microsoft.Authorization/roleAssignments/write” and ActivityStatusValue =~ “Start”
| extend RoleDefinition = extractjson(“$.Properties.RoleDefinitionId”,tostring(Properties_d.requestbody),typeof(string))
| extend PrincipalId = extractjson(“$.Properties.PrincipalId”,tostring(Properties_d.requestbody),typeof(string))
| extend PrincipalType = extractjson(“$.Properties.PrincipalType”,tostring(Properties_d.requestbody),typeof(string))
| extend Scope = extractjson(“$.Properties.Scope”,tostring(Properties_d.requestbody),typeof(string))
| extend RoleId = split(RoleDefinition,”/”)
| extend InitiatedBy = Caller
| extend Operation = split(OperationNameValue,”/”)
| project TimeGenerated,InitiatedBy,Scope,PrincipalId,PrincipalType,RoleID=RoleId[4],Operation= Operation[2]’

#Log Analytics query for retrieving Role Assignment removal activities for the past 2 days
$rmqr = ‘AzureActivity
| where TimeGenerated > ago(2d)
| where CategoryValue =~ “Administrative” and OperationNameValue =~ “Microsoft.Authorization/roleAssignments/delete” and (ActivityStatusValue =~ “Success”)
| extend RoleDefinition = extractjson(“$.properties.roleDefinitionId”,tostring(Properties_d.responseBody),typeof(string))
| extend PrincipalId = extractjson(“$.properties.principalId”,tostring(Properties_d.responseBody),typeof(string))
| extend PrincipalType = extractjson(“$.properties.principalType”,tostring(Properties_d.responseBody),typeof(string))
| extend Scope = extractjson(“$.properties.scope”,tostring(Properties_d.responseBody),typeof(string))
| extend RoleId = split(RoleDefinition,”/”)
| extend InitiatedBy = Caller
| extend Operation = split(OperationNameValue,”/”)
| project TimeGenerated,InitiatedBy,Scope,PrincipalId,PrincipalType,RoleID=RoleId[6],Operation= Operation[2]’

#Please replace with appropriate workspace ID
$addqueryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId “<replace with Workspace ID>” -Query $addqr
$rmqueryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId “<replace with Workspace ID>” -Query $rmqr

#Isolating Log Analytics query results
$addqrs = $addqueryResults.Results
$rmqrs = $rmqueryResults.Results

#For each add query result find user/group name and role name to append into the CSV report
foreach ($qr in $addqrs)
{
$rd = Get-AzRoleDefinition -Id $qr.RoleID
if($qr.PrincipalType -eq ‘User’)
{
$prncpl = Get-AzADUser -ObjectId $qr.PrincipalId
}
elseif($qr.PrincipalType -eq ‘Group’){
$prncpl = Get-AzADGroup -ObjectId $qr.PrincipalId
}
else{
$prncpl = Get-AzADServicePrincipal -ObjectId $qr.PrincipalId
}
$qr | Add-Member -MemberType NoteProperty -Name ‘Role’ -Value $rd.Name
$qr | Add-Member -MemberType NoteProperty -Name ‘PrincipalName’ -Value $prncpl.DisplayName

#Replace with appropriate path
$qr | Export-Csv -Path “<Replace Path><FileName.csv>” -NoTypeInformation -Append
}

#For each remove query result find user/group name and role name to append into the CSV report
foreach ($qr in $rmqrs)
{
$rd = Get-AzRoleDefinition -Id $qr.RoleID
if($qr.PrincipalType -eq ‘User’)
{
$prncpl = Get-AzADUser -ObjectId $qr.PrincipalId
}
elseif($qr.PrincipalType -eq ‘Group’){
$prncpl = Get-AzADGroup -ObjectId $qr.PrincipalId
}
else{
$prncpl = Get-AzADServicePrincipal -ObjectId $qr.PrincipalId
}
$qr | Add-Member -MemberType NoteProperty -Name ‘Role’ -Value $rd.Name
$qr | Add-Member -MemberType NoteProperty -Name ‘PrincipalName’ -Value $prncpl.DisplayName

#Replace with appropriate path
$qr | Export-Csv -Path “<Replace Path><FileName.csv>” -NoTypeInformation -Append
}

# End of Script

Hope this helps!

​Microsoft Tech Community – Latest Blogs –Read More