Tag Archives: microsoft
How can I, a 41-year-old single mother with next to no income, start a non-profit in my community?
I'm looking to start a non-profit but I don't even know where to begin, but my concept is golden, I believe. I live in the Tulsa, Oklahoma area and see so many people I would love to help but don't know where to start or if it's even probable. Any suggestions?
The specific release date for the Recall feature being available on W11?
I'm curious about the specific release date of Recall, more to give myself a deadline on a specific endeavor.
How to fix QuickBooks direct deposit Error 40001 on Windows 10/11?
I’m encountering “QuickBooks direct deposit Error 40001” when trying to process payroll. The error message states there’s an issue with my bank account details. How can I resolve this problem to ensure smooth payroll processing?
Upgrade to 2403 failed
[Failed]:Remove the certificate registration point site system role and all policies for company resource access features. These features are no longer supported as of March 2022. Company resource access includes email, certificate, VPN, Wi-Fi, and Windows Hello for Business profiles.
We don’t have this role installed.
All Workloads are moved to intune.
Can someone help?
How to troubleshoot "Activate direct deposit error message 40001" in QuickBooks Desktop after an update?
I am getting an ‘Activate direct deposit error message 40001’ in QuickBooks Desktop. Can you help me understand what this error means and provide some troubleshooting solutions to resolve it?
Why does my QuickBooks crash when opening payroll after a Windows update?
I am experiencing an issue where QuickBooks crashes whenever I try to open the payroll section. This problem started recently, and I need to process payroll urgently. Can anyone provide detailed troubleshooting steps to resolve this issue?
Edge slowdown issues on the public release Version 125.0.2535.51
We are facing very slow or no responses on our .NET Forms application.
Checked the same on the Chrome browser and everything runs fine.
The issue seems to have crept up after the Version 125.0.2535.51 update on the public release version of the Edge browser.
We checked the site with the developer tools and it seems the issue is related to JavaScript rendering; is there a way we can optimise our own application, and maybe the Edge product team can also check for this issue?
Revolutionizing Healthcare: The Impact of Cloud Computing and Artificial Intelligence
In recent years, the healthcare industry has undergone a significant transformation, largely driven by advancements in technology. Among these advancements, the convergence of Cloud Computing and Artificial Intelligence (AI) stands out as a game-changer, enabling more efficient, effective, and personalized care. This blog explores the unique and specific ways in which cloud computing and AI are revolutionizing healthcare, from diagnostics to patient care and beyond.
Cloud Computing in Healthcare
Cloud Computing refers to the delivery of computing resources over the internet, allowing healthcare providers to access and store data and run applications remotely. Key benefits of cloud computing in healthcare include:
Data Storage and Management: Healthcare generates vast amounts of data, including patient records, medical images, and research data. Cloud storage solutions offer scalable, secure, and cost-effective ways to manage this data.
Interoperability: Cloud platforms facilitate the integration of disparate healthcare systems, enabling seamless data sharing and collaboration among different healthcare providers and stakeholders.
Remote Access: With cloud-based systems, healthcare professionals can access patient information and other critical data from anywhere, improving the efficiency and flexibility of care delivery.
Artificial Intelligence in Healthcare
Artificial Intelligence involves the development of algorithms and systems that can perform tasks requiring human intelligence, such as learning, reasoning, and problem-solving. In healthcare, AI applications include:
Predictive Analytics: AI algorithms can analyze large datasets to identify patterns and predict outcomes, such as disease outbreaks or patient deterioration, enabling proactive interventions.
Diagnostic Tools: AI-powered diagnostic tools can interpret medical images and other diagnostic data with high accuracy, assisting doctors in identifying conditions such as cancer, cardiovascular diseases, and neurological disorders.
Personalized Medicine: AI can analyze genetic information and other patient data to tailor treatments to individual patients, improving the efficacy of therapies and reducing side effects.
The Synergy: Cloud Computing and AI in Healthcare
The integration of cloud computing and AI in healthcare is creating powerful solutions that enhance patient care and streamline operations. Here are some specific and unique examples of this synergy in action:
AI-Powered Telemedicine
Telemedicine has gained widespread adoption, especially during the COVID-19 pandemic. Cloud computing supports telemedicine platforms by providing the necessary infrastructure for video consultations, secure data storage, and real-time data sharing. When combined with AI, telemedicine becomes even more powerful:
Virtual Health Assistants: AI-driven chatbots and virtual assistants can conduct preliminary assessments, schedule appointments, and provide health information, improving patient engagement and reducing the burden on healthcare providers.
Remote Monitoring: AI algorithms can analyze data from wearable devices and remote monitoring systems to detect anomalies and alert healthcare providers to potential health issues, enabling timely interventions.
Enhanced Diagnostics with AI and Cloud
Radiology and Imaging: Cloud-based AI tools can process and analyze medical images (such as X-rays, CT scans, and MRIs) at scale. For example, Google’s DeepMind has developed AI algorithms that can detect eye diseases from retinal scans with high accuracy. These tools not only assist radiologists in diagnosing conditions but also expedite the diagnostic process.
Pathology: AI algorithms can analyze tissue samples to identify cancerous cells. Cloud platforms facilitate the sharing of these large image files and the deployment of AI models, making advanced diagnostic tools accessible to remote and underserved areas.
Streamlining Operations with AI and Cloud
Hospital Management: AI-driven analytics platforms, hosted on the cloud, can optimize hospital operations by predicting patient admissions, managing staff schedules, and optimizing resource allocation. This leads to improved efficiency and reduced operational costs.
Electronic Health Records (EHR): Cloud-based EHR systems integrated with AI can automatically update patient records, extract relevant information, and provide clinical decision support, enhancing the accuracy and efficiency of healthcare delivery.
Personalized Treatment Plans
Genomics and Precision Medicine: AI can analyze genomic data to identify genetic markers associated with diseases. Cloud platforms provide the computational power and storage needed to process these large datasets. This integration enables the development of personalized treatment plans based on an individual’s genetic makeup.
Chronic Disease Management: AI-powered applications can monitor patients with chronic diseases, analyze their health data, and provide personalized recommendations. For instance, cloud-based platforms can collect data from diabetic patients’ glucose monitors and use AI to suggest dietary and medication adjustments.
Addressing Challenges and Ethical Considerations
While the combination of cloud computing and AI offers immense potential, it also presents challenges:
Data Privacy and Security: Protecting sensitive patient data is paramount. Healthcare providers must ensure compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and implement robust security measures, including encryption and access controls.
Bias and Fairness: AI algorithms must be trained on diverse datasets to avoid biases that could lead to unequal treatment outcomes. Ongoing monitoring and validation of AI models are essential to ensure fairness.
Integration and Interoperability: Seamlessly integrating AI and cloud solutions with existing healthcare systems can be complex. Standardized protocols and collaborative efforts are needed to achieve interoperability.
Future Prospects
The future of healthcare lies in the continued integration of cloud computing and AI. Emerging trends and innovations include:
Edge Computing: Combining edge computing with cloud services will enable real-time data processing at the point of care, reducing latency and improving the responsiveness of AI applications in critical care settings.
Federated Learning: This approach allows AI models to be trained across multiple decentralized devices or servers holding local data samples, without exchanging them. This enhances data privacy and security, making it particularly relevant for healthcare.
Quantum Computing: Quantum computing has the potential to solve complex problems that are currently infeasible with classical computing. In healthcare, it could revolutionize drug discovery and the modeling of complex biological systems.
Conclusion
The convergence of Cloud Computing and Artificial Intelligence is revolutionizing healthcare, providing powerful tools and solutions that enhance patient care, streamline operations, and drive personalized medicine. As these technologies continue to evolve, they hold the promise of addressing some of the most pressing challenges in healthcare, leading to a future where medical care is more efficient, effective, and accessible to all. By embracing these innovations, healthcare providers can deliver better outcomes and improve the quality of life for patients worldwide.
Microsoft Tech Community – Latest Blogs –Read More
Extracting data from unstructured forms using Azure AI Document Intelligence.
In this blog we are going to take a scenario where our business is a business-to-business (B2B) product that helps other businesses extract data from unstructured forms such as PDFs, emails, websites and so on.
In this scenario we face manual extraction of the relevant information, which is time-consuming and error-prone.
Let's see how we can leverage Azure AI Document Intelligence to build a simple pipeline that ingests documents, processes them and gives us structured data.
What you need to get started.
Azure account with a subscription: to create one, use the Azure portal. If you want to know what an Azure subscription is, see the Azure subscription documentation.
Azure blob storage: A storage account to store documents which need to be extracted. Learn more about azure blob storage: Azure blob storage docs
What is Azure AI Document Intelligence?
Azure AI Document Intelligence is a cloud-based document processing system that uses AI (artificial intelligence) and OCR (optical character recognition) to quickly extract text and structure from documents.
With this service, you can efficiently turn documents into usable data, allowing you to focus on acting on information rather than spending time compiling it.
Illustration of data extraction.
The diagram shows Azure AI Document Intelligence taking in the unstructured documents, using Azure AI services (formerly Cognitive Services) and Azure OpenAI Service to extract the data, and returning the response to the server, which serves it to the client.
Choosing the appropriate model.
Available models include:
Prebuilt Models
Custom Models
Prebuilt models perform document processing without the need to train it. You can automatically extract relevant information from documents.
Custom models require training to extract distinct data from documents. This allows your system to learn and structure intelligently.
Learn more about these models: more about available models
What should you consider when choosing the model?
Model type – Either using prebuilt model or custom model.
Document type – Different models are optimized for specific document types i.e., invoices, forms, and receipts.
Accuracy – Evaluate the accuracy of the model if it meets the threshold.
Security and compliance – Protect sensitive information during extraction and ensure that the model complies with privacy regulations.
Tour to Document Intelligence Studio.
Note: Azure form recognizer is now called the Azure AI Document Intelligence.
Document Intelligence Studio is an online tool provided by Microsoft Azure that allows you to visually explore, understand, train models, and integrate features from the Document Intelligence service into your applications.
We shall use the prebuilt Read (OCR) model because it extracts text from large, text-heavy documents such as PDFs, scanned images and HTML documents.
The Read model can be used through Document Intelligence Studio, the REST API or the SDKs provided for several languages.
Step 1: Create Document intelligence resource
Use the following link to create a resource: Create Document Intelligence Resource, alternatively, you can use the search option, input “document intelligence” then search.
Choose Document Intelligence from the search results:
Click Create:
Step 2: Fill in the basic details:
Create a resource group with a name of your choice
Select a region near you
Give a unique name to your resource
Choose the pricing tier which suits your needs
Review and create
Leave the other options of networking on default. Then click create, after the deployment is complete, click on go to resource:
Step 3: Copy your API key and your resource endpoint.
From the side navigation, expand Resource Management and choose Keys and Endpoint. Treat the key as a secret: either of the two keys grants full access to the resource, so keep it out of source control and shared notebooks, store it in a secret store, and regenerate it from this page if it is ever exposed.
Step 4: Try different Models in Document Intelligence studio
I mentioned that we shall use the prebuilt Read OCR model.
Navigate to Document Intelligence Studio to start trying out the model. To use the Studio, sign in and paste the key and endpoint of your resource.
Now it is time to upload the files received in the B2B scenario so that we can extract data from them. I have stored an example PDF business letter in Azure Blob Storage. Here is a link to the file; copy it: https://storebusinessletters.blob.core.windows.net/businessletters/business%20letters.pdf
Click on Fetch from URL and paste the given link.
Configure options lets you customise what you need in the results, such as the range of pages to analyse. I have chosen to extract the first 5 pages.
After you are done, click on save and Run analysis of your document. You should get the result in the side panel where the data has been processed and available in a Json format.
We have achieved the goal of extracting data from unstructured documents: the result is JSON describing each page's lines and words, with a confidence score per word. The data obtained can then be used to make meaningful decisions.
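The same Read-model run as Steps 1 to 4 above, driven through the REST API with Azure PowerShell instead of the Studio UI. This is an added example and not code from the original post; it assumes the endpoint and key copied in Step 3 are exported as the environment variables DOCINTEL_ENDPOINT and DOCINTEL_KEY (names chosen here), uses the 2023-07-31 API version with the post's sample PDF and the same 1-5 page range, and writes the result to read-result.json (a file name chosen here).

```powershell
# Added example (not from the original post): run the prebuilt Read model over REST.
# The endpoint and key come from environment variables so the key is never committed to source.
$Endpoint = $env:DOCINTEL_ENDPOINT   # e.g. https://<your-resource>.cognitiveservices.azure.com
$ApiKey   = $env:DOCINTEL_KEY
if (-not $Endpoint -or -not $ApiKey) { throw 'Set DOCINTEL_ENDPOINT and DOCINTEL_KEY before running.' }

$DocumentUrl = 'https://storebusinessletters.blob.core.windows.net/businessletters/business%20letters.pdf'
$ApiVersion  = '2023-07-31'
$Pages       = '1-5'                 # same page range as the Studio run

# 1. Submit the document. Analysis is asynchronous: the service answers 202 Accepted
#    and puts the URL to poll in the Operation-Location response header.
$analyzeUri = '{0}/formrecognizer/documentModels/prebuilt-read:analyze?api-version={1}&pages={2}' -f $Endpoint.TrimEnd('/'), $ApiVersion, $Pages
$headers    = @{ 'Ocp-Apim-Subscription-Key' = $ApiKey }
$body       = @{ urlSource = $DocumentUrl } | ConvertTo-Json -Compress

$submit = Invoke-WebRequest -Method Post -Uri $analyzeUri -Headers $headers -ContentType 'application/json' -Body $body -UseBasicParsing
$operationUrl = [string]$submit.Headers['Operation-Location']

# 2. Poll until the operation leaves the in-progress states.
do {
    Start-Sleep -Seconds 2
    $result = Invoke-RestMethod -Method Get -Uri $operationUrl -Headers $headers
} while ($result.status -in 'notStarted', 'running')

if ($result.status -ne 'succeeded') {
    throw "Analysis failed: $($result.error | ConvertTo-Json -Depth 5)"
}

# 3. Walk the structured result. Read returns pages -> lines and words; every word carries a
#    confidence score, so anything below a threshold is flagged for human review rather
#    than fed silently into downstream decisions.
$ConfidenceThreshold = 0.8
foreach ($page in $result.analyzeResult.pages) {
    "--- Page $($page.pageNumber): $($page.lines.Count) lines ---"
    foreach ($line in $page.lines) { $line.content }

    $doubtful = @($page.words | Where-Object { $_.confidence -lt $ConfidenceThreshold })
    if ($doubtful.Count -gt 0) {
        "  $($doubtful.Count) word(s) below $ConfidenceThreshold confidence: $(($doubtful | Select-Object -First 10 -ExpandProperty content) -join ', ')"
    }
}

# 4. Keep the full JSON for the downstream pipeline.
$result.analyzeResult | ConvertTo-Json -Depth 20 | Set-Content -Path 'read-result.json'
```

The key-based header is the simplest way to call the service from a script; for anything beyond a test, the SDKs accept a Microsoft Entra ID credential (for example a managed identity) so that no long-lived key has to be distributed at all.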
Advantages of using Azure AI Document Intelligence.
Automated Data Extraction: the service automatically identifies the relevant text in unstructured documents, so no hand-written extraction logic is needed.
Scalability: Azure AI Document Intelligence is cloud-based and can handle large volumes of documents.
Accuracy and confidence scores: every extracted element carries a confidence score, so you can set a threshold below which results are routed to a person for review. With a well-trained custom model, inaccurate extraction is reduced further.
Language support: whether your documents are in English, Spanish, Chinese or one of many other languages, Azure AI Document Intelligence can handle them.
Read more
Introduction to Azure AI Document Intelligence
Document-intelligence SDKs
Document Intelligence models
Analyze document API response
Document Intelligence add-on capabilities
Code examples on SDKs
.NET Code Samples
Python Code Samples
Java Code Samples
JavaScript Code Samples
How to reset your password for QuickBooks Desktop after the new update?
I’m unable to reset my password for QuickBooks Desktop. I’ve followed the instructions, but I’m still having trouble accessing my account. What steps can I take to resolve this issue?
What to do when QuickBooks payroll taxes are not calculating correctly after the latest update
I’m having trouble with my QB payroll taxes not calculating correctly. How can I resolve this issue to ensure accurate payroll tax calculations?
Why does my QuickBooks stop hosting multi-user access after the latest update?
I’m experiencing an issue with QuickBooks where it keeps stopping hosting multi-user access. I’ve tried restarting the software and my computer, but the problem persists. How can I fix this and ensure that multi-user access works properly?
What to do when stuck on QuickBooks Error 40001 while activating Direct Deposit after an update?
I’m encountering QuickBooks Error 40001 while trying to activate Direct Deposit for my employees. This error prevents me from completing the setup process. Can you provide detailed troubleshooting steps to resolve this issue?
What to do when QuickBooks is unable to send invoices after the new update
After updating QuickBooks to the latest version, I am unable to send invoices. Every time I try, an error message appears. Has anyone else experienced this issue? How can I resolve it?
What to do when you cannot send an invoice in QuickBooks Desktop after the latest update
I’m having trouble sending invoices in QB Desktop after the latest update. It was working fine before, but now I keep getting an error message. I’ve tried restarting the program and my computer, but nothing seems to help. Has anyone else experienced this issue? Any suggestions on how to fix it?
What to do about the QuickBooks PDF component missing issue on Windows 10/11
I’m encountering an issue with QuickBooks on Windows 10/11 where the PDF component is missing. This prevents me from printing or saving invoices as PDFs. How can I resolve this problem?
Steps to fix "QuickBooks administrator permissions needed" after an update
How do I fix the issue of needing QuickBooks administrator permissions after updating QB? I’ve recently updated QuickBooks, and now it keeps asking for administrator permissions, preventing me from accessing certain features. What steps can I take to resolve this?
Exchange Search failure
While running Test-ExchangeSearch on Exchange Server 2019, we are getting the following error message: "Test-ExchangeSearch failed for database DB-XXX at 2024-05-23 07:09:28, SearchTimeInSeconds : 0 and Error : Mapi Error for mailbox database "DB-XXX": [Microsoft.Exchange.Data.Storage.IllegalCrossServerConnectionException]: Cannot open mailbox /o=XXXX/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=XXXXVM-SMBX02/cn=Microsoft System Attendant. Inner error [Microsoft.Mapi.MapiExceptionIllegalCrossServerConnection]: MapiExceptionIllegalCrossServerConnection: Monitoring mailbox [] with application ID [Client=Management] is not allowed to make cross-server calls from [XXXXVM-SMBX04.xxx.abc] to [XXXXVM-SMBX02.xxx.abc]." But when we run Test-ExchangeSearch on the server itself, it passes for the database hosted/mounted on that server but fails for databases mounted/hosted on other Exchange servers. We have 4 Exchange Server 2019 servers configured in a DAG and 24 databases.
Automating Azure Remediation for Policy Initiatives with Azure PowerShell
Introduction and Current Challenges:
Policy remediation is a critical aspect of Azure Policy, a service in Azure that you use to create, assign and manage policies. These policies enforce rules and effects over your resources so that they stay compliant with your corporate standards and service level agreements.
When working with a policy initiative, you may find that you cannot create remediation tasks for all policies inside an initiative assignment with a single click. Instead, you have to select and remediate each policy manually, which is time-consuming when the initiative contains many policies. In this blog post we address this challenge and provide an automated way to create remediation tasks for all policies of an initiative.
Prerequisites:
Before we dive into the solution, ensure you have the following:
An active Azure Subscription.
Azure PowerShell installed. If not, you can get it from here: How to install Azure PowerShell | Microsoft Learn
A clear understanding of Azure Policy and Policy Remediation: Remediate non-compliant resources – Azure Policy | Microsoft Learn
Automating Remediation Tasks for a Policy Initiative:
To automate the creation of remediation tasks for a policy initiative, we will use an Azure PowerShell script. The script loops through each policy in the initiative assignment and creates a remediation task for every deployIfNotExists or modify policy that has non-compliant resources; those are the two effects a remediation task can act on.
Here is the step-by-step breakdown of the script:
Declare your initiative assignment name as a variable.
$InitiativeAssignmentName = "<myInitiativeAssignment>"
The script then retrieves all non-compliant policy states within the initiative assignment whose effect can be remediated.
$RemediatablePolicies = Get-AzPolicyState | Where-Object { $_.PolicyAssignmentName -eq $InitiativeAssignmentName -and $_.ComplianceState -eq "NonCompliant" -and ($_.PolicyDefinitionAction -eq "deployIfNotExists" -or $_.PolicyDefinitionAction -eq "modify") } | Select-Object PolicyDefinitionReferenceId, PolicyAssignmentId -Unique
It then loops through each policy and creates an individual remediation task.
foreach ($policy in $RemediatablePolicies) {
    $remediationName = "rem." + $policy.PolicyDefinitionReferenceId
    Start-AzPolicyRemediation -Name $remediationName -PolicyAssignmentId $policy.PolicyAssignmentId -PolicyDefinitionReferenceId $policy.PolicyDefinitionReferenceId -ResourceDiscoveryMode ReEvaluateCompliance
}
Detailed Explanation:
1. The variable $InitiativeAssignmentName should be set to the name of your initiative assignment. Note that this is the assignment name, not its display name; assignments created in the portal usually get a generated name.
2. The $RemediatablePolicies line fetches policy states from Azure Policy Insights and keeps those that belong to the initiative assignment, have a ComplianceState of NonCompliant, and have a policy definition action of deployIfNotExists or modify (the only effects a remediation task can act on). It then selects the PolicyDefinitionReferenceId and PolicyAssignmentId of each record, and the -Unique flag removes duplicates so that one remediation task is created per policy rather than one per non-compliant resource.
3. The foreach loop then iterates over each of these policies. For each policy, a remediation task is given a unique name by concatenating "rem." with the policy's PolicyDefinitionReferenceId and started with the Start-AzPolicyRemediation cmdlet, passing that name, the policy's PolicyAssignmentId and PolicyDefinitionReferenceId, and a ResourceDiscoveryMode of ReEvaluateCompliance so that compliance is re-evaluated before the remediation runs.
Please find the complete script below:
Complete Script
# Declare your initiative assignment name as a variable
$InitiativeAssignmentName = "<your initiative assignment name>"
# Get all non-compliant policy states in the assignment whose effect a remediation task can act on (deployIfNotExists or modify)
$RemediatablePolicies = Get-AzPolicyState | Where-Object { $_.PolicyAssignmentName -eq $InitiativeAssignmentName -and $_.ComplianceState -eq "NonCompliant" -and ($_.PolicyDefinitionAction -eq "deployIfNotExists" -or $_.PolicyDefinitionAction -eq "modify") } | Select-Object PolicyDefinitionReferenceId, PolicyAssignmentId -Unique
# Loop through each policy and create an individual remediation task
foreach ($policy in $RemediatablePolicies) {
    $remediationName = "rem." + $policy.PolicyDefinitionReferenceId
    Start-AzPolicyRemediation -Name $remediationName -PolicyAssignmentId $policy.PolicyAssignmentId -PolicyDefinitionReferenceId $policy.PolicyDefinitionReferenceId -ResourceDiscoveryMode ReEvaluateCompliance
}
With this script, you can automate the process of creating remediation tasks for each policy in a policy initiative. You can customize this script as per your requirements, or use it as a starting point to build more complex automation workflows.
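A hardened variant of the script above, added here as an example and not part of the original post. It wraps the same logic in a function that asks Policy Insights only for the assignment's NonCompliant records (server-side filter), keeps the deployIfNotExists and modify effects, skips remediations whose name already exists so re-runs do not fail, supports -WhatIf, and can optionally wait for the tasks and report their deployment counts. The function name and parameter names are this example's own.

```powershell
# Added example, not the post's own script. Same idea (one remediation per remediable
# policy in an initiative assignment) with idempotency, -WhatIf support and optional waiting.
function Start-InitiativeRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InitiativeAssignmentName,
        [switch] $Wait
    )

    # Filter server-side for this assignment's non-compliant records only; the original
    # script pulled every policy state in scope and filtered client-side.
    $filter  = "PolicyAssignmentName eq '$InitiativeAssignmentName' and ComplianceState eq 'NonCompliant'"
    $targets = Get-AzPolicyState -Filter $filter |
        Where-Object { $_.PolicyDefinitionAction -in 'deployIfNotExists', 'modify' } |   # only effects a remediation task can act on
        Select-Object PolicyAssignmentId, PolicyDefinitionReferenceId -Unique

    if (-not $targets) {
        Write-Verbose "No remediable non-compliant policies found for '$InitiativeAssignmentName'."
        return
    }

    # Names of remediations already created for this assignment, so re-runs do not fail on duplicates.
    $assignmentId = @($targets)[0].PolicyAssignmentId
    $existing = @(Get-AzPolicyRemediation | Where-Object { $_.PolicyAssignmentId -eq $assignmentId } | ForEach-Object Name)

    $started = foreach ($t in $targets) {
        $name = 'rem.' + $t.PolicyDefinitionReferenceId
        if ($existing -contains $name) {
            Write-Verbose "Skipping $($name): a remediation with that name already exists."
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Start-AzPolicyRemediation')) {
            Start-AzPolicyRemediation -Name $name `
                -PolicyAssignmentId $t.PolicyAssignmentId `
                -PolicyDefinitionReferenceId $t.PolicyDefinitionReferenceId `
                -ResourceDiscoveryMode ReEvaluateCompliance
        }
    }

    if (-not $Wait -or -not $started) { return $started }

    # Poll until every task reaches a terminal state, then report per-task deployment counts.
    do {
        Start-Sleep -Seconds 30
        $status = @($started | ForEach-Object { Get-AzPolicyRemediation -Name $_.Name })
    } while ($status | Where-Object { $_.ProvisioningState -notin 'Succeeded', 'Failed', 'Canceled' })

    $status | Select-Object Name, ProvisioningState,
        @{ Name = 'Total';  Expression = { $_.DeploymentSummary.TotalDeployments } },
        @{ Name = 'Failed'; Expression = { $_.DeploymentSummary.FailedDeployments } }
}

# Preview what would be started, then run for real and wait for the results:
# Start-InitiativeRemediation -InitiativeAssignmentName '<myInitiativeAssignment>' -WhatIf
# Start-InitiativeRemediation -InitiativeAssignmentName '<myInitiativeAssignment>' -Wait -Verbose
```

Run the -WhatIf form first: it lists the remediation names that would be created without touching anything, which is the cheapest way to confirm the assignment name and the filter are right before the assignment's managed identity starts deploying resources.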
Summary and Conclusion
In this blog post, we’ve highlighted a common challenge when dealing with policy remediation tasks for policy initiatives and presented a solution using Azure PowerShell to automate this process. The provided script offers a way to loop through all non-compliant policies and start remediation tasks for each, significantly simplifying the process and saving valuable time.
As always, test this script in a controlled environment before using it in production. Two permission points matter: the account running the script needs the Microsoft.PolicyInsights/remediations/write permission (included in the Resource Policy Contributor role), and the remediation itself runs under the policy assignment's managed identity, which must hold the roles listed in each definition's roleDefinitionIds. For further details on the remediation cmdlets, refer to the Azure PowerShell documentation.
I hope this post has been helpful. Stay tuned for more tips and tricks for managing your Azure subscriptions more effectively.
Disclaimer
The sample scripts are not supported by any Microsoft standard support program or service. The sample scripts are provided AS IS without a warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Automatically enable system managed identity for App Service apps with Azure Policy
A common challenge when updating App Service apps with the standard App Service ARM template is the mandatory "serverFarmId" property. The policy engine cannot read arbitrary properties of the evaluated resource at deployment time, so a deployIfNotExists (DINE) policy cannot update an App Service property with the conventional App Service ARM template.
However, managed identity can be enabled with the Azure PowerShell command Set-AzWebApp -AssignIdentity $true, and that command can be executed from a Microsoft.Resources/deploymentScripts resource. This resource type runs scripts as part of the deployment section of the DINE policy, which lets the policy enable managed identity for App Service apps.
Now, let’s take a look at the policy definition which enables the system managed identity for Azure App Services, it’s necessary to understand its structure and functionality.
{
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                }
            ]
        },
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Web/sites/config",
                "name": "web",
                "existenceCondition": {
                    "anyOf": [
                        {
                            "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                            "exists": "true"
                        },
                        {
                            "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                            "exists": "true"
                        }
                    ]
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "webAppName": {
                                    "type": "string"
                                },
                                "resourceGroupName": {
                                    "type": "string"
                                },
                                "location": {
                                    "type": "string"
                                },
                                "userAssignedIdentities": {
                                    "type": "string"
                                }
                            },
                            "resources": [
                                {
                                    "type": "Microsoft.Resources/deploymentScripts",
                                    "apiVersion": "2020-10-01",
                                    "name": "[concat('policyUpdateSystemManagedIdentityFor-', parameters('webAppName'))]",
                                    "location": "[parameters('location')]",
                                    "kind": "AzurePowerShell",
                                    "identity": {
                                        "type": "UserAssigned",
                                        "userAssignedIdentities": {
                                            "[parameters('userAssignedIdentities')]": {}
                                        }
                                    },
                                    "properties": {
                                        "azPowerShellVersion": "11.4",
                                        "scriptContent": "param([string] $Name, [string] $ResourceGroupName); Set-AzWebApp -AssignIdentity $true -Name $Name -ResourceGroupName $ResourceGroupName",
                                        "arguments": "[concat('-Name', ' ', parameters('webAppName'), ' ', '-ResourceGroupName', ' ', parameters('resourceGroupName'))]",
                                        "timeout": "PT30M",
                                        "cleanupPreference": "OnSuccess",
                                        "retentionInterval": "P1D"
                                    }
                                }
                            ]
                        },
                        "parameters": {
                            "webAppName": {
                                "value": "[field('name')]"
                            },
                            "resourceGroupName": {
                                "value": "[resourceGroup().name]"
                            },
                            "location": {
                                "value": "[field('location')]"
                            },
                            "userAssignedIdentities": {
                                "value": "[parameters('userAssignedIdentities')]"
                            }
                        }
                    }
                }
            }
        }
    },
    "parameters": {
        "userAssignedIdentities": {
            "type": "String",
            "metadata": {
                "displayName": "userAssignedIdentities",
                "description": "User-assigned identity resource ID with appropriate permission for running the Azure PowerShell command"
            }
        }
    }
}
Let’s break down the key components of the policy:
In the “if” section, the policy is targeting resources of the type “Microsoft.Web/sites”, which refers to Azure App Services. Thus, the policy will only be applied to these resources.
In the "then" section, the "effect" is set to "deployIfNotExists", meaning the policy takes action only when the condition it checks is not already satisfied. The "details" section describes what that action is. The "type" and "name" fields name the related resource (the "web" config of the site) that must exist. The "existenceCondition" then checks, with "anyOf", whether the field "Microsoft.Web/sites/config/managedServiceIdentityId" or the field "Microsoft.Web/sites/config/xmanagedServiceIdentityId" already exists. If either field is present, a managed identity is already enabled for the App Service and the policy takes no action.
The "deployment" section provides the details of the action to be taken if the "existenceCondition" is not met. It includes an ARM template that deploys a "Microsoft.Resources/deploymentScripts" resource. This script will execute the Azure PowerShell command to enable the managed identity on the App Service.
Before we dive into more details, it’s worth noting that this solution can be implemented either from the command-line or from the Azure Portal. The steps below guide you through the command-line process. However, if you prefer using the GUI, you can refer to the following documents for creating managed identity and policy from Azure Portal:
Manage user-assigned managed identities – Managed identities for Azure resources | Microsoft Learn
Assign Azure roles using the Azure portal – Azure RBAC | Microsoft Learn
Tutorial: Build policies to enforce compliance – Azure Policy | Microsoft Learn
You can follow the steps below to implement this solution from the command-line.
Step 0: Create a User Managed Identity and Assign RBAC Role:
Deployment scripts require a security principal to run Azure CLI/PowerShell commands/scripts. Therefore, prior to implementing the policy, we need to prepare a user-assigned Managed Identity with the necessary permissions. This identity will be passed as a policy parameter for script execution. Please note, this identity should not be confused with the system-managed identity utilized for app service apps.
In this example, we will create a new user assigned managed identity and assign it the Contributor role to the scope where we intend to assign the policy.
Create User Managed Identity:
Open your Azure PowerShell and create a new user managed identity with the following command:
New-AzUserAssignedIdentity -ResourceGroupName <ResourceGroupName> -Name <IdentityName>
Ensure to replace <ResourceGroupName> and <IdentityName> with your resource group name and the desired name for the new identity.
Assign the Contributor Role:
Next, we will assign the Contributor role to this user managed identity. This role allows the identity to manage resources in Azure. Use the following command to assign the role:
New-AzRoleAssignment -ObjectId <PrincipalId> -RoleDefinitionName 'Contributor' -Scope "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>"
Replace <PrincipalId> with the principal id of the User Managed Identity you just created. Replace <SubscriptionId> and <ResourceGroupName> with your Azure subscription id and resource group name respectively.
Step 1: Create a JSON file:
Create a JSON file and paste the provided JSON policy object in it. You can name the file as per your convenience, let’s name it “policy.json”.
Step 2: Create a Policy Definition:
Now, create a policy definition using Azure PowerShell with the following command:
New-AzPolicyDefinition -Name 'SystemManagedIdentity' -DisplayName 'Deploy System Managed Identity for Azure App Services' -Description 'This policy deploys system managed identity to Azure App services' -Policy 'policy.json' -Mode Indexed
Step 3: Assign the Policy:
Once the policy is defined, we need to assign it to a scope. This scope could be a management group, subscription, resource group, or individual resources. Use the following command to assign the policy:
New-AzPolicyAssignment -Name 'SystemManagedIdentityAssignment' -Scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}' -PolicyDefinition (Get-AzPolicyDefinition -Name 'SystemManagedIdentity') -PolicyParameterObject @{ "userAssignedIdentities" = @{ "value" = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userAssignedManagedIdentityName}" } }
Ensure to replace {subscriptionId}, {resourceGroupName} and {userAssignedManagedIdentityName} with your subscription id, resource group name and user assigned managed identity name respectively.
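As an added, end-to-end version of Steps 0 to 3 (example code, not the post's own), the script below also covers two things the manual steps leave implicit: a deployIfNotExists assignment needs its own managed identity holding the role listed in roleDefinitionIds, and App Services that already exist are only fixed by a remediation task. The identity name, the use of the built-in 'Website Contributor' role for the script identity instead of Contributor, and the two possible output shapes of New-AzPolicyAssignment are assumptions.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.PolicyInsights, Az.Websites
# Added example (not from the original post). Assumes Connect-AzAccount has already been run
# and that policy.json (the definition above) is in the current directory.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $IdentityName = 'policy-deployscript-uami',   # hypothetical name
    [string] $Location     = 'eastus'
)
$ErrorActionPreference = 'Stop'
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

function Grant-RoleWithRetry([string] $PrincipalId, [string] $Role) {
    # A freshly created principal can take a minute to replicate; PrincipalNotFound is transient.
    for ($i = 0; $i -lt 6; $i++) {
        try { New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $Role -Scope $scope | Out-Null; return }
        catch { if ($_.Exception.Message -match 'already exists') { return }; Start-Sleep -Seconds 15 }
    }
    throw "Could not assign '$Role' to principal $PrincipalId"
}

# Step 0: the identity the deploymentScripts container runs Set-AzWebApp as.
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -ErrorAction SilentlyContinue
if (-not $uami) { $uami = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -Location $Location }
# The post grants Contributor; assumption: 'Website Contributor' (Microsoft.Web/sites/*) is enough for Set-AzWebApp.
Grant-RoleWithRetry -PrincipalId $uami.PrincipalId -Role 'Website Contributor'

# Steps 1-2: definition from policy.json.
$definition = New-AzPolicyDefinition -Name 'SystemManagedIdentity' `
    -DisplayName 'Deploy System Managed Identity for Azure App Services' -Policy '.\policy.json' -Mode Indexed

# Step 3: the assignment identity performs the deployment, so it must hold the Contributor role
# from roleDefinitionIds; the portal grants this automatically, PowerShell does not.
$assignment = New-AzPolicyAssignment -Name 'SystemManagedIdentityAssignment' -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ userAssignedIdentities = $uami.Id } -IdentityType SystemAssigned -Location $Location
$assignmentPrincipal = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId } else { $assignment.Identity.PrincipalId }
Grant-RoleWithRetry -PrincipalId $assignmentPrincipal -Role 'Contributor'

# deployIfNotExists only fires on create/update; existing apps need a compliance scan plus a remediation task.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/SystemManagedIdentityAssignment"
Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName
Start-AzPolicyRemediation -Name 'enable-system-identity' -ResourceGroupName $ResourceGroupName -PolicyAssignmentId $assignmentId | Out-Null

# Verify: list any app in the group that still has no system-assigned identity.
Get-AzWebApp -ResourceGroupName $ResourceGroupName |
    Where-Object { -not $_.Identity -or $_.Identity.Type -notmatch 'SystemAssigned' } |
    Select-Object Name, @{ n = 'IdentityType'; e = { $_.Identity.Type } }
```

The remediation task runs asynchronously; re-run the final Get-AzWebApp query after a few minutes to confirm the list is empty.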
Conclusion:
By following these steps, you can enable the system managed identity for Azure App services using a policy. This methodology provides a standardized and automated way to ensure that your Azure App services are always running with system managed identities. It not only helps to eliminate the manual process of enabling managed identities but also reduces the risk of misconfigurations. This, in turn, helps in securing your Azure environment and makes the management of identities simpler and more consistent.