How to enable Azure VM System Identity


A system-assigned managed identity lets an Azure resource authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based access control (RBAC).

To enable a system-assigned identity on an Azure VM:

1) Click the VM within the Azure portal
2) From the left pane, click Identity

3) Change Status to On and click Save

4) Click Yes to confirm

5) Once enabled, you'll see an additional message confirming what this feature enables:

‘This resource is registered with Azure Active Directory. You can control its access to services like Azure Resource Manager, Azure Key Vault, etc.’
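The same steps with the Az PowerShell module, plus the part the portal does not show: granting the identity least-privilege access to a vault and then using it from inside the VM. This is an added example, not code from the original post; the resource group, VM, vault and secret names are placeholders, and the vault is assumed to use the RBAC permission model.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module,
# an existing VM, and a Key Vault using the RBAC permission model. All names
# below are placeholders to replace with your own.
$rg        = 'rg-demo'      # placeholder resource group
$vmName    = 'vm-demo'      # placeholder VM name
$vaultName = 'kv-demo'      # placeholder Key Vault name

# 1) Turn on the system-assigned identity (the portal's "Status: On" toggle).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# 2) Read back the principal ID that Azure AD registered for this VM.
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# 3) Grant least privilege with RBAC: read secrets only, scoped to this one vault
#    rather than to the subscription or resource group.
$vault = Get-AzKeyVault -VaultName $vaultName
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $vault.ResourceId | Out-Null

# 4) Run this part on the VM itself: request a token for Key Vault from the
#    instance metadata endpoint. No client secret or certificate is stored
#    anywhere in code or config; the platform vouches for the VM.
$tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https://vault.azure.net'
$token = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } -Uri $tokenUri

# 5) Use the short-lived bearer token against the vault's REST API.
$secretUri = "https://$vaultName.vault.azure.net/secrets/db-password?api-version=7.4"  # placeholder secret name
$secret = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } -Uri $secretUri
$secret.value
```

Steps 1 to 3 run from an administrator's workstation; steps 4 and 5 only work from inside the VM, because the metadata endpoint is reachable solely from the instance.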

Passed AZ-500 Microsoft Azure Security Technologies


While most of you were away relaxing, I focused on preparing for my AZ-500 Microsoft Azure Security Technologies exam, and what a great way to end 2019: passing this exam was a great achievement.

A few people have already asked me what I did to prepare, so I would like to take this opportunity to blog about my experience.

First of all, I highly recommend you set up an Azure account if you don't already have one. You can sign up for an account at Azure Free Account. The exam included labs, so research and implement the various security features within the Azure portal.

So what did I do to prepare for my exam? Firstly, I cannot stress enough that hands-on experience and understanding all Azure security features is an important part of passing this exam.

Preparing for the exam:

1) Azure updates – keep up to date via the Microsoft Azure updates site

2) Azure social media accounts. I follow most Microsoft Azure Twitter accounts; a great way to stay up to date with what's going on with Microsoft Azure.

3) Research what Microsoft recently announced at events such as Microsoft Ignite. There are blog articles available from those who attended previous Microsoft Ignite events where new features were announced. I am looking forward to attending the event in London this month 🙂

4) Azure security course available from Skylines Academy (Microsoft AZ-500 Certification: Azure Security Technologies by Nick Colyer). A really good course and highly recommended.

5) Azure training material available at Pluralsight

6) If you don't understand something, look it up. There are a ton of Microsoft YouTube videos and articles out there which explain the features well. I have lost count, but I did go through a large number of Microsoft videos and articles. You really need to understand what you're learning. If you're watching a training video, pause the video, look up the feature being explained and implement it within your test Azure portal if required.

7) View the Azure Security Expert Series

More info on what you will be tested on can be found at Microsoft Azure AZ-500 Exam (the exam format was recently updated, so keep an eye on this article).

Overall, I did spend a large number of hours preparing for this exam, but the end result was well worth it. I spent about 3 weeks studying and was working within the Azure portal every day. I really enjoyed preparing for this exam and I am sure you will too. All the best!

How to configure Azure Bastion


The Azure Bastion service is a new, fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address! So you can connect to your virtual servers from the portal securely and internally to Azure. What a cool feature from Microsoft. The feature does require some pre-work before it can be used, such as an AzureBastionSubnet.

At the time of writing this blog post, this feature was only available in the regions below:

  • West US
  • East US
  • East US 2
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Below is a diagram demonstrating how Bastion works:

To try out this feature, I deployed a test VM in the East US 2 region.

How to configure Azure Bastion:

1) Log in to your Azure portal
2) Click Bastions

3) Configure your Bastion service. As you can see from the screenshot below, the service is not available in all regions, but Microsoft are working to push this feature out to all regions.

4) If you have not created an AzureBastionSubnet with a prefix of at least /27, you will receive the error below. Ensure you have created this subnet within your VNet.

5) Click Create. It took approx. 5 minutes to deploy this service after clicking Create.

If you attempt to connect to your virtual server using Bastion whilst the service is still deploying, you will receive the error below.

6) Now that we have deployed the service, let's connect to a VM located in the same VNet as the AzureBastionSubnet. Because the Bastion service was not available within the UK region, I created a test VM in the East US 2 region.

7) Locate your VM, click Connect and select Bastion. Log in with your credentials.

Information: You may see a prompt to enable just-in-time access on this VM. This is a useful feature which is currently available as part of Security Center Standard. If you have VMs which are open to RDP, you can configure Just-in-Time so that RDP is always denied but opened for a short period when an admin needs to log on to perform management tasks. Just-in-Time automatically creates an allow rule within your NSG/Azure Firewall when access is required, and the rule is removed when the Just-in-Time access expires. A good feature you may want to look into at a later date.

8) Let's continue with the demo. Once you have entered your credentials, the VM will connect via the Bastion service.

9) ...and we're logged on securely!
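The same deployment with the Az PowerShell module, including a guard for the /27 error from step 4 and a check that the target VM really has no public IP. This is an added example, not code from the original post; the resource group, VNet, NIC and address prefix are placeholders, and the VNet is assumed to already exist in a region where Bastion is offered.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module
# and an existing VNet in a supported region. Names and prefixes are placeholders.
$rg       = 'rg-demo'            # placeholder resource group
$location = 'eastus2'            # the post's test region
$vnetName = 'vnet-demo'          # placeholder VNet
$bastionPrefix = '10.0.255.0/27' # placeholder; Bastion requires /27 or larger

# Reproduce the portal's step-4 check up front instead of failing at deployment.
$prefixLength = [int]($bastionPrefix -split '/')[1]
if ($prefixLength -gt 27) {
    throw "AzureBastionSubnet must be /27 or larger; got /$prefixLength"
}

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# The subnet name is fixed by the service: it must be exactly AzureBastionSubnet.
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -VirtualNetwork $vnet -AddressPrefix $bastionPrefix | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# Bastion itself needs a Standard-SKU static public IP; the VMs behind it keep none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' `
    -Location $location -AllocationMethod Static -Sku Standard

# Provision the service (the post observed roughly 5 minutes for this step).
New-AzBastion -ResourceGroupName $rg -Name 'bastion-demo' `
    -PublicIpAddress $pip -VirtualNetwork $vnet | Out-Null

# Defender's check: the VM reached through Bastion should expose no public IP of its own.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm-demo-nic'   # placeholder NIC name
$exposed = $nic.IpConfigurations | Where-Object { $_.PublicIpAddress }
if ($exposed) {
    Write-Warning "NIC $($nic.Name) still has a public IP; remove it now that Bastion is in place"
}
```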

How to enable Azure Security Defaults


Microsoft have introduced a great new free feature for all new Azure tenants.

Security defaults in Azure Active Directory make it easier to be secure and help protect your organisation. They contain pre-configured security settings that defend against common attacks.

One of the features is Multi-Factor Authentication, which under security defaults can only be used with the Azure app. Conditional Access, by contrast, allows any authentication method the administrator chooses to enable. See the table below.

The aim is to ensure that all organisations have a basic level of security enabled at no extra cost. You can turn on security defaults in the Azure portal.

Further details and things to watch out for before enabling Azure Security Defaults can be found here.

To enable Azure Security Defaults:

  1. Log on to the Azure portal at
  2. Click Azure Active Directory, or search for it using the search box
  3. Click Properties in the left pane
  4. Scroll to the bottom of the page and click the link Manage Security Defaults
  5. Click Yes to switch on Security Defaults
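The same switch through the Microsoft Graph PowerShell SDK, with the one check worth doing first: a tenant that already has Conditional Access policies enabled cannot turn on security defaults, which is the main thing to watch out for. This is an added example, not code from the original post; it assumes the Microsoft.Graph modules are installed and the signed-in account holds the listed Graph permissions.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK and an account that can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Security defaults and Conditional Access are mutually exclusive. Stop here if
# any CA policy is enabled, so the change is not attempted half-way.
$caPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'
if ($caPolicies) {
    Write-Warning 'Enabled Conditional Access policies found; security defaults cannot be enabled alongside them:'
    $caPolicies | Select-Object DisplayName, State
    return
}

# Read the tenant-wide policy object behind the "Manage Security Defaults" page.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security defaults currently enabled: $($policy.IsEnabled)"

# Equivalent of clicking Yes in step 5.
if (-not $policy.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

# Re-read so the final state comes from the service, not from our own variable.
(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
```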

How to enable Azure VM Disk Encryption


As part of enabling Azure Disk Encryption you will be prompted to connect to an existing Azure Key Vault or create a new one. We will go through the process of enabling Azure Disk Encryption and allowing the server access to a Key Vault.

Ensure your VM is powered on. A reboot of the VM will be required after disk encryption. Finally, ensure you have a backup of your server.

OK, let's go through the process. Below is a screenshot of a 2019 virtual server I built earlier.

Click on the VM and then click Disks in the left-hand pane.

Click Encryption.

If you receive the error below, ensure the virtual server is powered on. I had the VM set to power down every day at 7pm and forgot to power it back on, but I guess it's good to demonstrate what you'll see if the VM is powered down.

Now that the VM is powered on, let's use the drop-down and encrypt one of the disks. In this demo, I will be encrypting the OS disk.

In the screenshot below you'll be prompted for Key Vault details. Click 'Select a key vault and key for encryption'.

Select your Key Vault and click Select.

If the key vault has not been enabled for disk encryption, you will receive the message below and be prompted to enable the key vault for disk encryption. Click the button labelled 'Enable key vault for disk encryption' and click Save.

Note: Clicking the 'Enable key vault for disk encryption' button above enables an access policy within your key vault. To locate it, click Key vaults (or search from the search box), locate and click your key vault, then click Access policies in the left-hand pane. The option 'Azure Disk Encryption for volume encryption' is enabled, as shown in the screenshot below. You could also enable this manually.

Click Yes to confirm the disk encryption process.

Reboot the server when encryption has completed.
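The same procedure with the Az PowerShell module, in the order the post hits the hurdles: confirm the VM is running, enable the vault's disk-encryption access policy, then encrypt the OS disk and read back the status. This is an added example, not code from the original post; the resource group, VM and vault names are placeholders, and the vault is assumed to sit in the same region and subscription as the VM, which Azure Disk Encryption requires.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module
# and a Key Vault in the same region/subscription as the VM. Names are placeholders.
$rg        = 'rg-demo'       # placeholder resource group
$vmName    = 'vm-2019-demo'  # placeholder, the post's 2019 server
$vaultName = 'kv-demo'       # placeholder Key Vault

# The post's first hurdle: the extension cannot be applied to a stopped VM.
$powerState = (Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses |
    Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty Code
if ($powerState -ne 'PowerState/running') {
    Write-Output "VM is in state '$powerState'; starting it first"
    Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null
}

# Equivalent of the 'Enable key vault for disk encryption' button: this sets the
# 'Azure Disk Encryption for volume encryption' access policy on the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDiskEncryption
$vault = Get-AzKeyVault -VaultName $vaultName

# Encrypt the OS disk only, as in the post. -Force skips the interactive
# confirmation; the VM reboots as part of this, so take the backup before running it.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -VolumeType OS -Force

# Per-disk result: OsVolumeEncrypted should report Encrypted once the job finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```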