Top 50 Azure Blogs

Reading Time: < 1 minute

I am pleased to announce that has been listed on the popular Feedspot website as one of the Top 50 Microsoft Azure Blogs, Websites and Influencers in 2020!

It’s news like this which drives us to work harder to document and share information with others. Thank you very much to all involved at Feedspot. Keep up the great work.

2020 has been a difficult year for all of us around the world, but this did not stop us from posting and sharing information. We managed to publish over 50 posts in the year 2020. We hope that the posts have been beneficial to you.

We also launched a new website to help support and grow the Azure community. Please check out the website at

If you have not already subscribed to our website, please subscribe and we’ll send you a weekly update of all the latest posts. We will never send you spam or forward your email address to third parties.

If you have any questions, please feel free to contact me via the Contact us page or via Twitter @ITSupportBlog or @AzureCrazy.

Thank you for your support this year and all the best for 2021.

Enable Self Service Password Reset in Azure

Reading Time: 5 minutes

Azure Active Directory (Azure AD) self service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user’s account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can’t sign in to their device or an application.

With Azure Active Directory (Azure AD) self service password reset (SSPR), users can update their password or unlock their account using a web browser. Please note that in a hybrid environment where Azure AD Connect is used to sync accounts from Active Directory to Azure AD, this scenario can cause passwords to differ between the two directories if password writeback is not enabled. Password writeback synchronises password changes made in Azure AD back to your on-premises Active Directory environment. Azure AD Connect provides a secure mechanism to send these password changes back to an existing on-premises directory from Azure AD.

The password reset feature includes a set of capabilities that allow users to manage any password from any device, at any time, from any location, while remaining in compliance with company security policies.

In this blog post, I will go through the process of enabling password writeback within Azure AD Connect, enabling self service password reset for a group of Azure AD users, and going through the authentication methods and registration options.

1. Login to your Azure AD Connect Server if you’re syncing your Active Directory accounts to Azure AD

2. Enable Password Writeback in Azure AD Connect and save settings

3. Let’s confirm Azure AD has picked up the change

4. Login to the Azure Portal

5. Click Azure Active Directory or locate via the search box

6. Click Password Reset located in the left menu

7. Click On-premises integration

8. Done, see screen shot below.

Notice the additional option to allow users to unlock accounts without resetting their password. This feature designates whether or not users who visit the password reset portal should be given the option to unlock their on-premises Active Directory accounts without resetting their password. By default, Azure AD will always unlock accounts when performing a password reset; this setting allows you to separate those two operations. If set to Yes, then users will be given the option to reset their password and unlock the account, or to unlock without resetting the password. If set to No, then users will only be able to perform a combined password reset and account unlock operation.

I have left the default settings.

9. Now, let’s enable self service password reset: click Azure Active Directory and click Password reset

10. The password reset feature is disabled by default

11. I will be clicking Selected and applying the policy to a security group named CloudBuildPR. Click Select

12. Click Save

13. While in the password reset section, you’ll notice Authentication methods in the left menu. Here you can set up the number of authentication methods, including prompting your users to set up security questions as additional authentication options. You can specify your own custom questions that will be visible to the user or select the built-in ones provided by Microsoft.

For the purpose of this demo, I will leave the default options enabled. Note that all features may not be available depending on your license type.

14. Moving down the menu, you’ll find Registration, including how often you require your users to re-confirm the authentication information they originally registered. By default it’s 180 days, and users are required to register when signing in.

15. The next option down is notifications. The default settings are shown below and are self explanatory.

16. Finally, it’s Customization. You could add a link to your online helpdesk portal or an email address to allow users to contact IT in the event they require further assistance. I have already covered on-premises integration earlier so won’t cover that one again.

17. Ok, so I’m all set. I have enabled password writeback within Azure AD Connect and enabled Password Reset. I have confirmed the configuration has been picked up within Azure AD.

18. That’s it. Visit to test

If you’re using a free trial account, you’ll receive the below message. At the time of writing this blog post, the password reset option does not function with trial accounts.

You can’t reset your own password because you haven’t registered for password reset.

You haven’t registered the necessary security information to perform password reset

Further Azure password reset FAQs can be found at the following Microsoft link: Azure Self Password Reset FAQ.
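Two checks that back up steps 3 and 18 above, as an added example that is not part of the original post: confirming on the Azure AD Connect server that password writeback really is on, and confirming from Azure AD that a given user has registered something beyond their password, which is what the quoted "haven’t registered" message is about. It assumes the ADSync module on the Connect server, the Microsoft Graph PowerShell SDK for the second part, and a placeholder UPN.

```powershell
# Added example, not from the original post.
# Part 1 runs on the Azure AD Connect server (ADSync module), part 2 anywhere
# the Microsoft Graph PowerShell SDK is installed. The UPN is a placeholder.

# --- Part 1: is password writeback enabled in Azure AD Connect? ---
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
if ($features.PasswordWriteBack) {
    Write-Host "Password writeback is enabled in Azure AD Connect."
} else {
    Write-Warning "Password writeback is NOT enabled; resets made in Azure AD will not flow back to on-premises AD."
}

# --- Part 2: has a user registered SSPR information? ---
# Permission needed to read another user's registered authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
$upn = "user@contoso.example"   # placeholder account to check

$methods = Get-MgUserAuthenticationMethod -UserId $upn
# Every account carries a password method; anything else counts as SSPR registration
# (phone, Authenticator app, email, security questions, ...).
$registered = @($methods | Where-Object {
    $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
})

if ($registered.Count -eq 0) {
    Write-Warning "$upn has not registered any SSPR methods; a reset attempt will fail with the message quoted above."
} else {
    "{0} registered method(s) for {1}:" -f $registered.Count, $upn
    $registered | ForEach-Object { "  " + $_.AdditionalProperties['@odata.type'] }
}
```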

Configure Conditional Access Policy in Azure

Reading Time: 4 minutes

In this blog post I will go through the process of configuring a conditional access policy within Azure AD.

Conditional Access policies are simply if and then statements, for example, if a user wants to access a resource, then they must complete an action. Example: A staff member wants to access the payroll application and is required to perform multi-factor authentication to access it.

Note: Using this feature requires an Azure AD Premium P1 license.

1. Login to the Azure Portal

2. Click Azure AD or locate via the search box

3. Click Security

4. Click Conditional Access

5. Click New Policy

6. For the purpose of this demo, I have selected:

– Selected Users and groups
– Selected the Sales group

7. Next, click Cloud apps or actions

8. Select what this policy applies to. For the purpose of this demo, I have clicked Select apps.

9. Select your apps. For the purpose of this demo, I have selected Office 365 only.

10. Next, click Conditions

Up to this point I have selected the Sales group and the application Office 365. I will now continue to apply conditions to the Sales group. Click Conditions.

11. Click Device Platforms

12. For the purpose of this demo, I want this policy to apply to Sales people using an iOS device, such as an iPhone.

13. Click Locations

14. Here you could configure a location. For example, you could prevent a conditional access policy from applying to your trusted locations but apply the policy everywhere else. Note the Exclude option below, where you could exclude locations from this policy.

15. Here you can control user access to target specific client applications not using modern authentication.

Note: When not configured, policies now apply to all client apps, including modern and legacy auth.

16. Click device state

17. Here you can control user access when the device the user is signing in from is not Hybrid Azure AD joined or marked as compliant.

18. Next, click grant

19. Here you can decide what you want this policy to do: block access, or grant access based on conditions. If you grant access, you can select what conditions the users have to meet when authenticating. You could also select several options and choose either Require all the selected controls or Require one of the selected controls.

20. Finally, you have the option to enable the policy by clicking On. Clicking Off means the policy will not apply. Clicking Report-only will only log events for you to analyse, without applying the policy to users.

21. Click Create

Note: if you receive the below message after clicking Create, you must disable security defaults before you can create your policy.

Security defaults must be disabled to enable conditional access policy.

Out of the box, Microsoft now provides secure default settings that Microsoft manages on behalf of organisations to keep customers safe until they are ready to manage their own identity security. Security defaults are now enabled by default when setting up a new tenant.

You can disable security defaults by:

1. Log on to the Azure portal at
2. Click Azure Active Directory, or search using the search box
3. Click Properties located in the left pane
4. Browse to the bottom of the page, and click the link Manage Security Defaults

22. And here is the policy

Notice the option What If below. This option allows you to test what a conditional access policy would do if applied to a user.
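The same policy built above, expressed as a Microsoft Graph conditional access object and created in report-only mode with the Microsoft Graph PowerShell SDK; this is an added example, not the original post’s own procedure. It assumes the SDK is installed, the caller holds Policy.ReadWrite.ConditionalAccess, security defaults are already disabled, and the group is called "Sales" as in the post.

```powershell
# Added example, not from the original post. Creates the Sales / Office 365 /
# iOS / MFA policy in report-only state via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Graph identifies groups by object id, not display name.
$sales = Get-MgGroup -Filter "displayName eq 'Sales'" | Select-Object -First 1
if (-not $sales) { throw "Group 'Sales' not found in this tenant" }

$policy = @{
    displayName = "Sales on iOS - require MFA for Office 365"
    # Report-only (step 20): sign-ins are evaluated and logged, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($sales.Id) }              # step 6
        # "Office365" is Graph's built-in identifier for the Office 365 app group (step 9).
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS") }                # step 12
        # Not configuring client apps in the portal means all client apps,
        # legacy authentication included (step 15 note).
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR" = require one of the selected controls, "AND" = require all (step 19).
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Leave the policy in report-only and review the sign-in log entries it produces before switching state to "enabled", which is the same check the What If tool offers interactively.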

How to assign licenses for Microsoft 365 using a security group

Reading Time: 3 minutes

In this blog post I will go through the process of automatically assigning users Microsoft 365 licenses based on group membership.

1. Login to the Microsoft 365 portal and launch the Azure AD Admin Center

2. Click Licenses located in the left pane

3. Click All products

4. Click on the license you want to link to a group

5. Click Assign

6. Select the security group and click select

7. Click Assignment options

8. Here is where you can decide which applications you want to assign to members of your security group.

9. Click OK and Assign

Licenses assigned

10. To check if the group has been assigned and the number of users assigned a license, click the license type

11. Click Licensed groups

12. And to check licensed users, click Licensed users from the left pane

You could also check licenses and apps assigned by visiting the Microsoft 365 admin center, expanding Users and clicking Active users.

Click the user name and click licenses and apps (You may need to wait for a moment while replication occurs)
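A scripted version of the checks in steps 10 to 12, as an added example that is not part of the original post: list the SKUs assigned to the group, then show for each member which licenses came from that group and whether the assignment succeeded. It assumes the Microsoft Graph PowerShell SDK and uses a placeholder group name.

```powershell
# Added example, not from the original post. Group name is a placeholder.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All", "Organization.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Licensed Users'" | Select-Object -First 1
if (-not $group) { throw "Group not found" }

# Map SKU GUIDs to readable part numbers (e.g. ENTERPRISEPACK) for the report.
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

# Licenses assigned to the group itself (what step 11 "Licensed groups" shows).
$g = Get-MgGroup -GroupId $group.Id -Property AssignedLicenses
$groupSkus = $g.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] }
"Group '{0}' assigns: {1}" -f $group.DisplayName, ($groupSkus -join ', ')

# Per-member view (what step 12 "Licensed users" shows), including the error
# field, which is where a failed inherited assignment (no seats left, conflicting
# service plans) surfaces instead of silently leaving the user unlicensed.
"{0,-40} {1,-20} {2,-16} {3}" -f 'User', 'SKU', 'State', 'Error'
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property UserPrincipalName, LicenseAssignmentStates
    foreach ($s in $u.LicenseAssignmentStates) {
        # Only report assignments inherited from this particular group.
        if ($s.AssignedByGroup -eq $group.Id) {
            "{0,-40} {1,-20} {2,-16} {3}" -f $u.UserPrincipalName, $skuNames[$s.SkuId], $s.State, $s.Error
        }
    }
}
```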

Monitor Windows Virtual Desktop with Azure Monitor

Reading Time: 7 minutes

With an Azure virtual machine you get host CPU, disk and up/down state of your VMs out of the box. Enabling additional monitoring capabilities provides insights into the performance and dependencies of your virtual machines. You will be billed based on the amount of data ingested and your data retention settings.

Note: It can take 5 to 10 minutes to configure the virtual machine and for the monitoring data to appear.

In this blog post I will be going through the process of monitoring my Windows Virtual Desktop session hosts via Azure Monitor. I will configure an Azure Log Analytics Workspace and enable diagnostic settings for my host pool, application group and workspace. I will also enable diagnostic settings for Azure AD user sign-ins. Finally, I will create a workbook to provide a visual display of stats from my WVD solution.

Let’s get started.

Create an Azure Log Analytics Workspace

1. Login to the Azure Portal

2. Locate and click Log Analytics Workspace

3. Click Add

4. Complete the details for your new Log Analytics Workspace. For the purpose of this demo, I have entered the details below.

5. Click Next to move on to the pricing tier. There is only one option available.

6. Click review + create, allow validation to pass and click create

7. Next, let’s enable diagnostics starting within the Windows Virtual Desktop Host pool. Click Windows Virtual Desktop or locate via the search box

8. Click Host pools

9. Click your host pool

10. Click Diagnostic Settings

11. Click + Add diagnostic setting

12. Select the required log categories

13. Click the option to send to Log Analytics workspace and input a name. When done, click save. That’s the host pool diagnostics linked up to the new Log Analytics Workspace.

Note: If you receive the below error after clicking save, wait a couple of minutes and click save again. The resource does register after the error message appears. If you want to confirm microsoft.insights has registered:

– Click your subscription
– Click Resource Providers from the left pane
– Locate microsoft.insights

Failed to update diagnostics for ' '.{"code":"SubscriptionNotRegistered","message":"The subscription '0000000-0000-0000-0000-00000000000' is not registered to use microsoft.insights."}.

14. Repeat the steps (10 – 13) for Application Groups, Workspaces and also Azure AD Sign in Logs (Name accordingly)

Note the message about requiring Azure AD Premium when clicking user sign-ins within Azure AD Diagnostic Settings. This refers only to the Azure heat map, which won’t work unless you have an Azure AD P1 or P2 license.

15. Let’s enable the workspace agent on the session hosts. Locate Azure Monitor and click it

16. Select Virtual Machines from the left pane

17. Click not monitored

18. Click Enable against each session host you wish to deploy the agent to

19. Click Enable and perform the same step for the remaining session hosts you wish to install the agent on

20. Select your workspace and click enable

The process may take up to 10 minutes

21. Once enabled, click your Log Analytics Workspace and click Advanced settings located in the left pane

22. Click Data and Windows Performance Counters

23. There were 36 performance and diagnostic counters to add at the time of writing this post. Travis Roberts has created a PowerShell script to automate the adding of these performance counters. The script is available at: performance and diagnostic data

You also have the option to add them manually (36 to add)

At the time of writing this blog post there was a limit of 20 performance counters which can be added at once through the Azure Portal. If adding manually, ensure you add the counters in batches to avoid the error below. Add batch one, save and then add batch two, or break down into smaller batches and save after each batch.

If adding manually, add the performance counter, click the blue + button and change the sample interval from 10 seconds to 60 seconds to avoid high costs.

At the time of writing this blog post, the up to date performance counters are listed below (visit Travis Roberts’ GitHub page for the most up to date list). Each counter is written as Object(instance)\Counter; (*) means all instances.

'Terminal Services Session(*)\% Processor Time',
'Terminal Services(*)\Active Sessions',
'Terminal Services(*)\Inactive Sessions',
'Terminal Services(*)\Total Sessions',
'LogicalDisk(*)\% Free Space',
'LogicalDisk(*)\Avg. Disk sec/Read',
'LogicalDisk(*)\Avg. Disk sec/Write',
'LogicalDisk(*)\Current Disk Queue Length',
'LogicalDisk(*)\Disk Reads/sec',
'LogicalDisk(*)\Disk Transfers/sec',
'LogicalDisk(*)\Disk Writes/sec',
'LogicalDisk(*)\Free Megabytes',
'Processor(_Total)\% Processor Time',
'Memory(*)\% Committed Bytes In Use',
'Network Adapter(*)\Bytes Received/sec',
'Network Adapter(*)\Bytes Sent/sec',
'Process(*)\% Processor Time',
'Process(*)\% User Time',
'Process(*)\IO Read Operations/sec',
'Process(*)\IO Write Operations/sec',
'Process(*)\Thread Count',
'Process(*)\Working Set',
'RemoteFX Graphics(*)\Average Encoding Time',
'RemoteFX Graphics(*)\Frames Skipped/Second - Insufficient Client Resources',
'RemoteFX Graphics(*)\Frames Skipped/Second - Insufficient Network Resources',
'RemoteFX Graphics(*)\Frames Skipped/Second - Insufficient Server Resources',
'RemoteFX Network(*)\Current TCP Bandwidth',
'RemoteFX Network(*)\Current TCP RTT',
'RemoteFX Network(*)\Current UDP Bandwidth',
'RemoteFX Network(*)\Current UDP RTT',
'PhysicalDisk(*)\Avg. Disk Bytes/Read',
'PhysicalDisk(*)\Avg. Disk Bytes/Write',
'PhysicalDisk(*)\Avg. Disk sec/Write',
'PhysicalDisk(*)\Avg. Disk sec/Read',
'PhysicalDisk(*)\Avg. Disk Bytes/Transfer',
'PhysicalDisk(*)\Avg. Disk sec/Transfer'
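An added example of adding counters in the format listed above to the workspace with the Az PowerShell module; it is neither the original post’s code nor Travis Roberts’ script. It assumes Az.OperationalInsights is installed and signed in, placeholder resource group and workspace names, and uses a subset of the list above that you would extend with the rest.

```powershell
# Added example, not from the original post and not Travis Roberts' script.
# Resource group and workspace names are placeholders.
$rg        = "rg-wvd-monitoring"
$workspace = "law-wvd"
$interval  = 60   # seconds; the 10-second default multiplies ingestion cost sixfold

# Subset of the counter list above, in the same 'Object(instance)\Counter' format.
$counters = @(
    'Terminal Services(*)\Active Sessions',
    'LogicalDisk(*)\% Free Space',
    'Processor(_Total)\% Processor Time',
    'Memory(*)\% Committed Bytes In Use',
    'RemoteFX Network(*)\Current TCP RTT',
    'PhysicalDisk(*)\Avg. Disk sec/Transfer'
)

# The cmdlet wants object, instance and counter as separate values, so split the
# 'Object(instance)\Counter' text the portal and the list above use.
function Split-Counter([string]$spec) {
    if ($spec -notmatch '^(?<obj>[^(]+)\((?<inst>[^)]*)\)\\(?<ctr>.+)$') {
        throw "Counter '$spec' is not in Object(instance)\Counter form"
    }
    [pscustomobject]@{ Object = $Matches.obj; Instance = $Matches.inst; Counter = $Matches.ctr }
}

foreach ($spec in $counters) {
    $c = Split-Counter $spec
    # Each data source needs a unique name; derive one from the counter text.
    $name = $spec -replace '[^A-Za-z0-9]', '-'
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource `
        -ResourceGroupName $rg -WorkspaceName $workspace -Name $name `
        -ObjectName $c.Object -InstanceName $c.Instance -CounterName $c.Counter `
        -IntervalSeconds $interval | Out-Null
    "Added {0} at {1}s" -f $spec, $interval
}
```

Because every counter is its own API call here, the portal’s 20-at-a-time limit described above does not apply; the batching is only needed when adding counters through the portal form.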

24. Performance counters added and interval set from 10 to 60 seconds

25. Click Save

26. Next, we’ll add the workbook so we can view the data

27. Click Azure Monitor from within the portal

28. Click Workbooks from the left Pane

29. Click New

30. Click the icon </> as shown below

31. Copy and paste the code from the following WVD Community GitHub page, replacing the code currently displayed – Monitoring Workbook code

32. Click apply after replacing the code

33. Click to select your Log Analytics workspace if you see warnings such as the one below.

34. Click Done Editing

35. Click save and name your workbook accordingly

36. Done

Further sample queries can be found in the following Microsoft article created by Christiaan Brinkhoff – Proactively monitor ARM-based Windows Virtual Desktop with Azure Log Analytics and Azure Monitor. This is an excellent article and was a great help when creating this blog post. Also, thanks to Travis Roberts for creating the PowerShell script to speed up the entering of performance counters. If you’re getting started with WVD, Travis has created a great WVD course available on the Udemy website called Zero to Hero with Windows Virtual Desktop.