Sunday, April 3, 2022

Azure - How to move resources between subscriptions under different tenants

To make a long story short: a direct move does not work, at least until now (2022-04). But, as so often, there is a good workaround.

ATTENTION! This is an unsupported workaround. So do not blame me if you lose something important. A backup (e.g. ARM templates, data etc.) is always a good idea! This comes without any warranty. These steps worked a couple of times for me, but that does not mean they will work for you. THIS IS AT YOUR OWN RISK!

First of all, you need to know that not all resources can be moved. Check here which resources you can move:
Move operation support by resource type - Azure Resource Manager | Microsoft Docs

You need to differentiate between moving a:

  • Resource to another resource group
  • Resource to another subscription
  • Resource to another region

Also keep in mind that some pieces cannot be moved at all. Whenever you have access assignments based on your Active Directory, you will lose them and you need to recreate them in the other tenant's Active Directory.

Also if you have some scripts or resource identifiers you may need to update them as well.

As a direct move is not possible, you can do it with an intermediate "Pay as you go" subscription.
This type of subscription can easily be moved between tenants. But you need to be a member of the tenant and need the right to add subscriptions (in my case I am global admin so I do not care, but you need to be at least Account Administrator).


And then simply move the subscription from one directory to another. All directories in which your account has sufficient access should be shown in the selection list.

Therefore go to your resource group and ensure you have selected all resources.

Then click on MOVE (dropdown) in the top toolbar -> select "Move to another subscription" there.

While you do this you are asked for the right subscription. For the transfer you use the Pay as you go one. In the second step you repeat it and select your final target subscription.

While you do this you need to move the resources into a resource group with a new name. I use the old name there and add a -payg at the end. In the target subscription I use another extension. But it is your choice what you use there. It just must be different from the one you use in the pay as you go subscription.

Actually you do the same thing twice (moving resources between subscriptions):
1. Moving resources from source tenant resource group to PAYG-subscription into an intermediate resource group.

2. Moving the PAYG-subscription to another tenant.

3. Ensuring you are owner of the PAYG-subscription in the target tenant.

4. Moving the resources from the PAYG-subscription to the target subscription in the target tenant.

And do that stuff immediately. Otherwise the PAYG subscription might be charged for you! So do not wait one or a few days in between! Especially if you have to pay with your own credit card!
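
A scripted version of the backup and of step 1, as an added example that is not part of the original post or of the article it credits. It assumes the Az PowerShell module and an account with rights on both subscriptions; all subscription IDs and the resource group name are placeholders.

```powershell
# Added example (not from the original post). Requires the Az PowerShell module.
# Every ID and name below is a placeholder; replace them before running.
$sourceSubId = '<source-subscription-id>'
$paygSubId   = '<payg-subscription-id>'
$sourceRg    = 'rg-demo'                 # hypothetical resource group name
$paygRg      = "$sourceRg-payg"          # naming convention used in the post
$backupDir   = Join-Path $PWD "move-backup-$sourceRg"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $sourceSubId | Out-Null
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Backup 1: ARM template of the whole resource group.
Export-AzResourceGroup -ResourceGroupName $sourceRg `
    -Path (Join-Path $backupDir 'template.json') -Force | Out-Null

# Backup 2: role assignments. They are bound to the source directory and
# have to be recreated by hand in the target tenant after the move.
Get-AzRoleAssignment -ResourceGroupName $sourceRg |
    Select-Object DisplayName, SignInName, ObjectId, ObjectType, RoleDefinitionName, Scope |
    ConvertTo-Json |
    Set-Content -Path (Join-Path $backupDir 'role-assignments.json')

# Backup 3: inventory of resource IDs, which change with the subscription,
# so scripts that reference them can be updated afterwards.
$resources = Get-AzResource -ResourceGroupName $sourceRg
$resources | Select-Object Name, ResourceType, Location, ResourceId |
    Export-Csv -Path (Join-Path $backupDir 'resources.csv') -NoTypeInformation

# Move only top-level resources (type "Provider/type"); child resources
# travel with their parent.
$topLevel = $resources | Where-Object { ($_.ResourceType -split '/').Count -eq 2 }

# Create the intermediate resource group in the PAYG subscription.
$location = (Get-AzResourceGroup -Name $sourceRg).Location
Set-AzContext -SubscriptionId $paygSubId | Out-Null
New-AzResourceGroup -Name $paygRg -Location $location -Force | Out-Null
Set-AzContext -SubscriptionId $sourceSubId | Out-Null

# Step 1 of the list above. Without -Force the cmdlet asks for confirmation.
Move-AzResource -DestinationSubscriptionId $paygSubId `
    -DestinationResourceGroupName $paygRg `
    -ResourceId $topLevel.ResourceId
```

The files in the backup folder are what you compare against after step 4, when the role assignments have to be rebuilt in the target directory.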

Are you in doubt because the target resource group is still empty (after a few seconds/minutes)? Be patient, it will take a while. Sometimes even hours. So do not get nervous.

This hint is not my own. I found an article from Damir Dobric (MVP). So credits go to him (including the great graphics above!): Azure: How to move resources between subscriptions under different tenants? - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)



Monday, March 21, 2022

Monday, January 17, 2022

Microsoft Build of OpenJDK

Microsoft is now offering a free and maintained OpenJDK package!

The Microsoft Build of OpenJDK is a no-cost distribution of OpenJDK that's open source and available for free for anyone to deploy anywhere.

It includes Long-Term Support (LTS) binaries for Java 11 and Java 17 on x64 server and desktop environments on macOS, Linux, and Windows, AArch64/ARM64 on Linux and Windows, and binaries for macOS on Apple Silicon (AArch64/M1). Additionally Java 16 is also provided (non-LTS).

The Microsoft Build of OpenJDK binaries are based on OpenJDK source code, following the same build scripts used by the Eclipse Adoptium project and tested against the Eclipse Adoptium Quality Assurance suite (including OpenJDK project tests).

You can learn more here:
https://docs.microsoft.com/en-us/java/openjdk/overview

You can download the OpenJDK packages here:
https://docs.microsoft.com/en-us/java/openjdk/download

With the Windows Package Manager (winget) in PowerShell:

Search for the OpenJDK version:

winget search Microsoft.OpenJDK

To install the corresponding version:

winget install Microsoft.OpenJDK.17


Wednesday, December 8, 2021

Windows Performance Analyzer (WPA) & Recorder (WPR)


Recently I got a mail from someone who is complaining about bad logon performance on RDS hosts. To diagnose something like this and many other performance related issues it's great to make use of the Microsoft Performance Toolkit which is part of the Windows ADK.




It contains 2 important tools:

Windows Performance Recorder (WPR),
which is used to record the performance in a binary ETW (Event Trace for Windows) file.

Windows Performance Analyzer (WPA),
which is used to examine the ETW file generated by the WPR.

These tools are extremely helpful to nail down the root cause for performance issues. Nevertheless they are not really designed for newbies and you need a solid understanding of the Windows architecture to deal with them.

Think of it as a combined super ProcMon & Process Explorer on steroids.




This Build Conference video explains the toolset with demos.



Here is a good tutorial to start with. 

Another cool side effect: WPA can open any ETL file. So if you do some other tracing with built-in tools that create ETL files, you can open them with WPA as well.

Also check out the rest of the comprehensive WPA/WPR resources on docs.microsoft.com

Actually the learning curve is very steep, especially if you try to catch up with a series of videos. There was a pretty good one in the old & retired Microsoft Virtual Academy with 8 hours of content (Chell Sterioff & Milad Aslaner). There is a paid copy available via: Windows Performance Jump Start (trainingvideocenter.com)

But a book might be better to dig deeper into this matter. Fortunately Michael Milirud and Alex Kirshenbaum wrote a new book about it. Actually, you already met Michael in the Build 2011 video above. ;-)

So check out their new book here:
Fundamentals of… by Alex Kirshenbaum et al. [PDF/iPad/Kindle] (leanpub.com)

Tuesday, November 30, 2021

Easy dealing with different identities in Edge Chromium

When it comes to dealing with different identities in the browser (Edge Chromium), it's sometimes hard to keep track of which one is used in which browser window. So here is my ultimate tip to simplify this.

Simply make use of color themes. It's pretty simple but very effective.

Due to the nature of different functions and also different demo environments I need to keep track of which credentials were used where. So the "good old times" of having 2 different browsers (using InPrivate mode there) to have 3 different identities are gone. And also 3 are not enough these days.

Here are my different ones:




How to make this work? - Simply select the color themes in the browser settings.


This is very simple, safe and effective. Just try it. I won't miss it now!

And yes, what you see in the first screenshot isn't a leak. Now it's official that Win365 Enterprise also gets AAD Only (now in private preview but officially announced).

Friday, August 27, 2021

Windows365 is there

Update from 09/14/2021 (at the end of the article)!

Yeah I know, from a timing perspective Windows365 has already been here since July 15th 2021. But I had not yet had time to write about it. I am glad to have been a tester for Windows 365 since October last year. This was the most confidential TAP program we were ever involved in. We were not even allowed to talk to German techy Microsofties about it. ;-)

So to make a long story short and demystify the "Windows got streamed to your device" marketing story: yes, it felt like something is "streamed" to your device. But in reality it's:

  1. A Microsoft managed virtual machine 
  2. Sitting on Azure
  3. Dedicated for you
  4. Running all the time
  5. Enabled for regular management with Microsoft Endpoint Manager
  6. Part of your own domain (hybrid domain joined, Azure AD only is on the roadmap)
  7. Paid on a single flat price (n $ per month)
  8. Accessed via RDP protocol on any device (Windows, iOS, macOS, Android, Browser, Linux)
  9. Very simple to setup and maintain!

And who is it for?

Actually it's not a default device you would give to everybody in the whole company. But it's a great complementary solution for specific use cases, and those could be:

  • Regulated scenarios like banking, healthcare, government (outside of Germany ;-))
  • Changing demands like mergers & acquisitions, temps, contractors or partners
  • Bring your own device scenarios (very popular e.g. in Switzerland)
  • New hires (day one) until you get your real device
  • Device shortages (while you wait until your new or replacement device is there)
  • Working scenarios like retail workers or call center.
  • Special LOB applications
  • Design & Development (even with hardware accelerated VMs for CAD)
  • Software testing
  • Pandemic situations

You may have heard of Azure Virtual Desktop. How is that related to Win365?



To learn more about it I gave 2 webcasts including demos:

GERMAN webcast held with my colleague Karsten Kleinschmidt in our own glueckkanja-gab AG webcast studio.
YOUTUBE - Windows 365 Cloud PC - German

ENGLISH webcast held with Ragnar Heil together from home office & vacation bus ;-)
YOUTUBE - Windows 365 Cloud PC - English



Pricing and plans are found here:
Windows 365 Plans and Pricing | Microsoft


Windows 365 Documentation found here:
Windows 365 Enterprise documentation | Microsoft Docs

And yes there is also a Business version available. Difference here:
  1. Azure AD only
  2. No network connection to on-premises
  3. No custom images
  4. Limited to max 300 users
So not really an option a larger enterprise would think of.

If you want to know what's new and currently available:
What's new in Windows 365 | Microsoft Docs

If you are interested in what's coming next then look here:
In development - Windows 365 | Microsoft Docs

In another post later I will talk about tips & tricks for deployment & troubleshooting. Stay tuned!

PS: Microsoft stopped the trial temporarily due to overwhelming success and a large amount of requests for it. You can still "try" with a paid subscription. If you are seriously interested then the probably 32 US$ per month aren't too much for a paid test machine.

(UPDATE 9/14/2021):
To get a first glimpse, here you get access to an interactive demo experience!
Interactive Demo (azureedge.net)

And if you want to see current feature requests, upvote them or add a new one:
Windows 365 feature requests - Microsoft Tech Community

Tuesday, May 4, 2021

MS deprecates TLS 1.0 and TLS 1.1 in AzureAD

Microsoft announced they will deprecate TLS 1.0 and TLS 1.1 as authentication mechanism in AzureAD. This was already done with Office 365 with less impact. This time the impact will be much bigger!

The reason for this is security, as there are serious vulnerabilities out there like Heartbleed, POODLE, BEAST and others. Other major vendors will also deprecate the usage of TLS 1.0 and TLS 1.1, as also specified in RFC 8996!

The MS cloud application catalog is already reporting more than 2.700 apps from the 17.000 apps not supporting TLS 1.0 or TLS 1.1. If Azure AD is used for authentication for one of the affected apps, it may fail after June 30th 2021!

Also old on-premises stuff will fail when used in combination with Azure Active Directory e.g. but not limited to: 

  • Use of outdated operating systems (Windows 7 / Windows 8 without "extension", servers older than Windows Server 2012 R2)
  • Use of outdated browsers (used for app compat reasons)
  • New AzureAD device registration on older OSes
  • Older versions of Azure AD Connect, PTA agents or AppProxy connectors
  • MFA extensions on ADFS servers with older OSes
  • NPS extensions for Azure MFA on older OSes
  • Azure AD integrated applications and PowerShell scripts based on older .NET Framework versions not configured for use of TLS 1.2
  • Software as a Service (SaaS) applications or other Line of Business applications hosted on platforms without TLS 1.2 support
  • Web proxies with SSL inspection which do not support TLS 1.2

This list may not be complete but should show the full impact of this!
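
For the on-premises items in this list, a read-only check of whether a Windows host and its .NET Framework 4.x applications (including Windows PowerShell scripts) are set up to use TLS 1.2. This is an added example, not part of the original post; the function name Get-Tls12Readiness is made up here, and the registry values are the standard SCHANNEL and .NET Framework settings for TLS 1.2.

```powershell
# Added example (not from the original post). Read-only: nothing is changed.
# Get-Tls12Readiness is a hypothetical helper name.
function Get-Tls12Readiness {
    $net32    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    # Value name and the data that allows TLS 1.2 for outgoing connections.
    $checks = @(
        @{ Path = $net64;    Name = 'SchUseStrongCrypto';       Want = 1 }
        @{ Path = $net64;    Name = 'SystemDefaultTlsVersions'; Want = 1 }
        @{ Path = $net32;    Name = 'SchUseStrongCrypto';       Want = 1 }
        @{ Path = $net32;    Name = 'SystemDefaultTlsVersions'; Want = 1 }
        @{ Path = $schannel; Name = 'Enabled';                  Want = 1 }
        @{ Path = $schannel; Name = 'DisabledByDefault';        Want = 0 }
    )

    foreach ($c in $checks) {
        $current = $null
        if (Test-Path -Path $c.Path) {
            $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            $current = $item.($c.Name)
        }
        # NotSet means the OS / framework default applies. On older systems
        # that default may not include TLS 1.2, so review those rows by hand.
        $status = if ($null -eq $current)       { 'NotSet' }
                  elseif ($current -eq $c.Want) { 'OK' }
                  else                          { 'Mismatch' }
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Current  = $current
            Expected = $c.Want
            Status   = $status
        }
    }
}

Get-Tls12Readiness | Format-Table -AutoSize

# What the current PowerShell session itself will offer for outgoing
# connections: 'SystemDefault' or a list that contains Tls12 is fine.
[Net.ServicePointManager]::SecurityProtocol
```

Rows with the status Mismatch are the ones to fix first; NotSet rows matter mainly on the older operating systems named in the list.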

Here you can find more information on how to solve this issue in certain scenarios:



You can do some testing on this also on: https://www.ssllabs.com/ssltest/
(Please keep in mind that more than one URL might be involved in an authentication process!)


If you have Microsoft's Cloud App Security, you can find all the affected software with this advanced filter!



And last but not least, you can find a report for all authentications on your tenant showing outdated authentications. How reliable this report is, judge for yourself in your environment. We still found some strange reports.

TLS deprecation report (every 2 days you see a new one. You only see the last 3 reports!)
https://servicetrust.microsoft.com/AdminPage/TlsDeprecationReport/Download