Disable access for everyone to the Azure Red Hat OpenShift portal

When you create an Azure Red Hat OpenShift (ARO) cluster you will notice that everyone with an AAD account has access to the portal and can create a project. If you want to disable this behaviour and only let certain users access ARO, you can do so by editing the ARO Enterprise Application in AAD.

Under properties change “User assignment required” to “Yes”. Then populate the “Users and groups” on the Enterprise Application with the users that should have access to the ARO portal.

/usr/bin/python: No module named azure

If you get the message “/usr/bin/python: No module named azure” when running the az command on a Linux VM where you have installed azure-cli, the problem could be that you are using an old version of Python.

Check what Python version is used with the command: python -V

If you are using an old Python version, install a newer one. Check the documentation for how to update the Python version on your system. At the time of writing I am using 3.2.8.
After the installation check the bin directory for Python using the command:
ls -l /usr/bin/python*

To switch to the new Python version, you need to remove the old link and create a new one. Use the following commands:
sudo rm /usr/bin/python
sudo ln -s /usr/bin/python3 /usr/bin/python

Check which version is used after creating the new link. Command:
python -V

Export TCP connections for a server to Excel

I work with many customers that need to know how a server connects to other systems before migrating the VM to Azure.

I have created a query in Azure Log Analytics together with Service Map that maps all the TCP connections so they can be exported to an Excel spreadsheet. The query is based on a query in the Service Map docs, so have a look there for more inspiration.

Copy and paste the following query into the Log Analytics query window of a workspace where Service Map is enabled. The query shows all servers in the Log Analytics workspace and their connections. If you only need the connections of one server, add the server name after “where Computer like” on the first line.

// the machines of interest
let machines = ServiceMapComputer_CL | where Computer like "" | distinct ResourceName_s;
// map of ip to monitored machine in the environment
let ips=materialize(ServiceMapComputer_CL
| summarize ips=makeset(todynamic(Ipv4Addresses_s)) by MonitoredMachine=ResourceName_s, MonitoredComputer=Computer
| mvexpand ips to typeof(string));
// all connections to/from the machines of interest
let out=materialize(VMConnection
| where Machine in (machines)
| summarize arg_max(TimeGenerated, *) by ConnectionId);
// connections to localhost augmented with RemoteMachine
let local=out
| where RemoteIp startswith "127."
| project ConnectionId, Direction, Machine, Computer, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=Machine;
// connections not to localhost augmented with RemoteMachine
let remote=materialize(out
| where RemoteIp !startswith "127."
| join kind=leftouter (ips) on $left.RemoteIp == $right.ips
| summarize by ConnectionId, Direction, Machine, Computer, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=MonitoredMachine, RemoteComputer=MonitoredComputer);
// the remote machines to/from which we have connections
let remoteMachines = remote | summarize by RemoteMachine;
// all augmented connections
(local)
| union (remote)
// Take all outbound records but only inbound records that come from either
// unmonitored machines or monitored machines not in the set for which we are computing dependencies.
| where Direction == 'outbound' or (Direction == 'inbound' and RemoteMachine !in (machines))
| summarize by ConnectionId, Direction, Machine, Computer, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine, RemoteComputer
// identify the remote port
| extend RemotePort=iff(Direction == 'outbound', DestinationPort, 0)
// construct the join key we'll use to find a matching port
| extend JoinKey=strcat_delim(':', RemoteMachine, RemoteIp, RemotePort, Protocol)
// find a matching port
| join kind=leftouter (VMBoundPort 
| where Machine in (remoteMachines) 
| summarize arg_max(TimeGenerated, *) by PortId 
| extend JoinKey=strcat_delim(':', Machine, Ip, Port, Protocol)) on JoinKey
// aggregate the remote information
| summarize Remote=makeset(iff(isempty(RemoteMachine), todynamic('{}'), pack('Machine', RemoteMachine, 'Process', Process1, 'ProcessName', ProcessName1))) by Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteComputer
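The Remote column of the query's export is a JSON array, which Excel cannot filter on directly. Here is an added Python example (not from the original post) that flattens a CSV export of the query into one row per remote process and then reduces it to the distinct flows a migrated VM needs allowed. The CSV sample is constructed, and mapping DestinationIp/SourceIp to the remote end is an assumption about VMConnection semantics.

```python
import csv
import io
import json

# Constructed sample of the query's result as Log Analytics exports it to CSV
# (not real data). Remote is the makeset() column serialised as JSON; the query
# emits "{}" there for a peer that Service Map does not monitor.
SAMPLE_CSV = """\
Computer,Direction,ProcessName,SourceIp,DestinationIp,DestinationPort,Protocol,RemoteComputer,Remote
web01,outbound,w3wp.exe,10.0.1.10,10.0.2.20,1433,tcp,sql01,"[{""Machine"":""m-sql01"",""Process"":""p-sql"",""ProcessName"":""sqlservr.exe""}]"
web01,outbound,powershell.exe,10.0.1.10,10.0.2.20,1433,tcp,sql01,"[{""Machine"":""m-sql01"",""Process"":""p-sql"",""ProcessName"":""sqlservr.exe""}]"
web01,outbound,svchost.exe,10.0.1.10,10.0.0.4,53,udp,,"[{}]"
web01,inbound,w3wp.exe,203.0.113.7,10.0.1.10,443,tcp,,"[{}]"
"""

def flatten_rows(csv_text):
    """One flat row per (connection group, remote process) so every value is a
    plain Excel cell instead of a JSON array in the Remote column."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        for peer in json.loads(rec["Remote"]) or [{}]:
            flat = {k: v for k, v in rec.items() if k != "Remote"}
            flat["RemoteMachine"] = peer.get("Machine", "")
            flat["RemoteProcessName"] = peer.get("ProcessName", "")
            flat["Monitored"] = bool(peer)
            # Assumed VMConnection semantics: the remote end is DestinationIp for
            # outbound connections and SourceIp for inbound ones.
            flat["PeerIp"] = rec["DestinationIp"] if rec["Direction"] == "outbound" else rec["SourceIp"]
            rows.append(flat)
    return rows

def dependency_rules(rows):
    """Deduplicated (Computer, Direction, Peer, Port, Protocol) tuples: the
    flows to allow in the NSG or firewall once the VM has moved to Azure."""
    rules = set()
    for r in rows:
        peer = r["RemoteComputer"] or r["PeerIp"]
        rules.add((r["Computer"], r["Direction"], peer, int(r["DestinationPort"]), r["Protocol"]))
    return sorted(rules)

if __name__ == "__main__":
    for rule in dependency_rules(flatten_rows(SAMPLE_CSV)):
        print(rule)
```

Feed flatten_rows the CSV you download from the Log Analytics results pane and write the returned rows with csv.DictWriter to get a sheet Excel can sort and filter.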

Azure Role to start and stop a VM

Here is an example of how to give a user start and stop access to a VM in Azure. The role also gives read access to the VM.

{
  "Name": "Virtual Machine Start and Stop",
  "IsCustom": true,
  "Description": "Can start and stop virtual machines.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}

Import the role in Azure

Open Azure Cloud Shell and select Bash. Type the command code start_stop_vm.json, paste the role JSON and save it.

In the shell, run the following command: az role definition create --role-definition start_stop_vm.json

Assign the role to the users who should only have permission to start and stop the VM.

For more inspiration, see these links:

Using parse in Azure Log Analytics to create fields in queries

This is an example of how to extract information from a string in Azure Log Analytics and create a field that can be used later in the query. In the example I show how to collect the SubjectUserName, SubjectDomainName, ObjectName and AccessMask from EventData in a SecurityEvent.

This is the query I created, using the parse operator to collect the SubjectUserName, SubjectDomainName, ObjectName and AccessMask.

SecurityEvent
| parse EventData with * '<Data Name="SubjectUserName">' SubjectUserName "</Data>" *
| parse EventData with * '<Data Name="SubjectDomainName">' SubjectDomainName "</Data>" *
| parse EventData with * '<Data Name="ObjectName">' ObjectName "</Data>" *
| parse EventData with * '<Data Name="AccessMask">' AccessMask "</Data>" *
| where EventID == "4656"
| where ObjectName like "."
| where ObjectName like @"F:\shares"
| where AccessMask == "0x10080"
| sort by TimeGenerated
| project TimeGenerated, UserName = SubjectUserName, DomainName = SubjectDomainName, File = ObjectName

Below is a sample EventData from SecurityEvent, and under the sample are the results from the query.

<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="SubjectUserSid">S-1-5-21-1225449125-278733945-481909518-72603</Data>
  <Data Name="SubjectUserName">duck</Data>
  <Data Name="SubjectDomainName">CORP</Data>
  <Data Name="SubjectLogonId">0x1dac58</Data>
  <Data Name="ObjectServer">Security</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">F:\shares\1234\Folder2\myfile.txt</Data>
  <Data Name="HandleId">0xeac</Data>
  <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="AccessList">%%1537 %%4423 </Data>
  <Data Name="AccessReason">%%1537: %%1801 D:(A;ID;FA;;;BA) %%4423: %%1801 D:(A;ID;FA;;;BA) </Data>
  <Data Name="AccessMask">0x10080</Data>
  <Data Name="PrivilegeList">-</Data>
  <Data Name="RestrictedSidCount">0</Data>
  <Data Name="ProcessId">0x4</Data>
  <Data Name="ProcessName"></Data>
  <Data Name="ResourceAttributes">-</Data>
</EventData>

Results from the query.
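As an added illustration that is not part of the original post, the same extraction and filters as the query above, written in Python and run over constructed events shaped like the sample EventData. It assumes the query's like filters behave as substring matches; the event() helper and the extra events are constructed for the example.

```python
def event(eid, ts, user, domain, obj, mask):
    """Build a SecurityEvent-like record whose EventData has the shape shown above."""
    data = (f'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">{domain}</Data>'
            f'<Data Name="ObjectType">File</Data>'
            f'<Data Name="ObjectName">{obj}</Data>'
            f'<Data Name="AccessMask">{mask}</Data></EventData>')
    return {"EventID": eid, "TimeGenerated": ts, "EventData": data}

# Constructed sample set: the event from the post plus four the filters must drop
# or reorder (earlier timestamp, wrong path, wrong mask, wrong event id).
EVENTS = [
    event(4656, "2020-05-01T08:02:00Z", "duck", "CORP", r"F:\shares\1234\Folder2\myfile.txt", "0x10080"),
    event(4656, "2020-05-01T07:30:00Z", "goose", "CORP", r"F:\shares\1234\report.xlsx", "0x10080"),
    event(4656, "2020-05-01T08:05:00Z", "duck", "CORP", r"C:\Windows\Temp\x.log", "0x10080"),
    event(4656, "2020-05-01T08:06:00Z", "duck", "CORP", r"F:\shares\1234\notes.txt", "0x2"),
    event(4663, "2020-05-01T08:07:00Z", "duck", "CORP", r"F:\shares\1234\notes.txt", "0x10080"),
]

def parse_field(event_data, name):
    """Mirror of `parse EventData with * '<Data Name="X">' X "</Data>" *`: the text
    between the first opening marker and the next </Data>; "" when not present."""
    marker = f'<Data Name="{name}">'
    start = event_data.find(marker)
    if start < 0:
        return ""
    start += len(marker)
    end = event_data.find("</Data>", start)
    return event_data[start:end] if end >= 0 else ""

def share_handle_requests(events, share_root=r"F:\shares", access_mask="0x10080"):
    """The post's query: 4656 handle requests under share_root with the given
    AccessMask, projected to the four columns and sorted by TimeGenerated."""
    out = []
    for ev in events:
        f = {n: parse_field(ev["EventData"], n)
             for n in ("SubjectUserName", "SubjectDomainName", "ObjectName", "AccessMask")}
        # Assumption: the query's `like` filters behave as substring matches.
        if ev["EventID"] != 4656 or "." not in f["ObjectName"] or share_root not in f["ObjectName"]:
            continue
        if f["AccessMask"] != access_mask:
            continue
        out.append({"TimeGenerated": ev["TimeGenerated"], "UserName": f["SubjectUserName"],
                    "DomainName": f["SubjectDomainName"], "File": f["ObjectName"]})
    return sorted(out, key=lambda r: r["TimeGenerated"])

if __name__ == "__main__":
    for row in share_handle_requests(EVENTS):
        print(row)
```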