Create an Azure Log Analytics workspace and add a Virtual Machine


This blog post will go through the process of creating an Azure Log Analytics workspace and connecting a test Azure virtual server to it. We will then set up the workspace to collect System event logs from the test Azure VM.

1) Login to the Azure Portal

2) Search and select Log Analytics workspaces

3) Click Create Log Analytics workspace

4) Configure:
– Give your new Log Analytics workspace a name
– Select your subscription
– Select a Resource Group
– Select Location
– Pricing Tier (Only one pricing Tier exists as of the year 2018). At the time of writing this blog post, the one available Tier was named Pay-as-you-go (Per GB 2018)

5) Click OK

6) Now that you have created your Log Analytics workspace, let’s join a VM to this new workspace

Note that adding servers to the workspace will automatically deploy a monitoring extension (agent) to the server.

7) Click your new Log Analytics workspace

8) From the left pane under Workspace Data Sources, click Virtual Machines. As you can see from the screenshot, you can also connect other resources to your workspace


Note: Workspaces work across different regions, so you could add servers to a workspace no matter what region they are located in.

9) As you can see from the right pane, I have two virtual servers and the Log Analytics Connection is showing as not connected

10) Click a VM you wish to add to this workspace (ensure the VM is powered on)

11) As you can see from the screenshot below, the server is not connected to the workspace, but we have the option to connect.

12) Click Connect

13) Wait for the virtual server to connect (A monitoring agent (Extension) is being deployed to the virtual server)

14) Now that the machine is connected to your workspace, the status is displayed as below. If you wish to disconnect, click disconnect.



Note: Now that the VM is connected, you will find that the monitoring agent has been deployed to it as an extension. Locate the VM under Virtual Machines and click Extensions from the left pane. The screenshot below shows the MicrosoftMonitoringAgent has been provisioned successfully.

15) If we go back to our workspace, we’ll find the server is now showing as a connection of this workspace along with a green tick.

16) Now, let’s enable logging for this workspace. Note that these log settings apply to all resources attached to this workspace, so if you have different logging requirements for different resources, create different workspaces. You could also complete this step straight after the Log Analytics workspace has been deployed.

17) Click on your Log Analytics Workspace, and click Advanced Settings from the left pane.

18) The screen below will appear

Note: If you wish to connect physical servers to your Log Analytics Workspace, you can do so by downloading the required agent.

19) Click Data

20) A few different options appear which may be of interest to you. For this demo, let’s click Windows Event Logs. Click the plus icon (blue box) to the right of the screen

21) For this demo, we will monitor the System logs. Type system into the text box, select System and click the plus icon located within the blue box.

22) All logs are selected by default. You can select the logs as per your requirements.

23) Click Save and OK

Hope this helps 🙂

How to enable Azure VM System Identity


A system-assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based access control.

To enable a system-assigned identity on an Azure VM:

1) Click the VM within Azure
2) From the left pane, click identity

3) Change status to On and click save

4) Click yes to confirm

5) Once enabled, you’ll find an additional message appears confirming what this feature will enable:

‘This resource is registered with Azure Active Directory. You can control its access to services like Azure Resource Manager, Azure Key Vault, etc.’
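What "without storing credentials in code" looks like from inside the VM, as an added example that is not part of the original post: code running on the VM asks the Azure Instance Metadata Service (IMDS) for a short-lived token instead of reading a stored secret. The function names, the Key Vault resource URI and the sample response are assumptions made for the illustration.

```python
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service (IMDS) token endpoint: link-local, reachable only from the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # assumption: the service we want a token for


def build_token_request(resource):
    """Build the IMDS request for an access token scoped to one resource."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    # IMDS refuses requests that lack the Metadata header.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def parse_token_response(body, expected_resource):
    """Return (access_token, expires_on) after sanity-checking the response."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("IMDS response does not contain a bearer token")
    # Strictness added for this example: only accept a token for the resource requested.
    if data.get("resource") != expected_resource:
        raise ValueError("token issued for an unexpected resource")
    return data["access_token"], int(data["expires_on"])


def get_token(resource=KEY_VAULT_RESOURCE, timeout=5):
    """Fetch a token from IMDS. Works only on a VM whose identity status is On."""
    # Ignore proxy settings so the link-local request never leaves the VM.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_token_request(resource), timeout=timeout) as resp:
        return parse_token_response(resp.read(), resource)


# Constructed sample of an IMDS response body; the token is a placeholder, not a real JWT.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER.TOKEN.VALUE",
    "expires_on": "1577836800",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    token, expires_on = parse_token_response(SAMPLE_RESPONSE, KEY_VAULT_RESOURCE)
    print("token prefix:", token[:11], "expires_on:", expires_on)
```

The token only grants what the identity has been given through role-based access control, so a freshly enabled identity can obtain a token but cannot read anything until a role or access policy is assigned.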

Passed AZ-500 Microsoft Azure Security Technologies


While most of you were away relaxing, I focused on preparing for my AZ-500 Microsoft Azure Security exam, and what a great way to end 2019, passing this exam was a great achievement.

A few have already asked me what I did to prepare so I would like to take this opportunity to blog about my experience.

First of all, I highly recommend you set up an Azure account if you don’t already have one. You can sign up for an account at Azure Free Account. The exam included labs so research and implement the various security features within the Azure portal.

So what did I do to prepare for my exam? Firstly, I cannot stress enough that hands-on experience and understanding all Azure security features is an important part for you to pass this exam.

Preparing for the exam:

1) Azure Updates – Keep up to date via the Microsoft Azure updates site

2) Azure Social Media accounts. I follow most Microsoft Azure Twitter accounts. A great way to stay up to date with what’s going on with Microsoft Azure.

3) Research what Microsoft recently announced at events such as Microsoft Ignite. There are blog articles available from those who have attended the previous Microsoft Ignite events where new features are announced. I am looking forward to attending the event in London this month 🙂

4) Azure Security course available from udemy.com (Microsoft AZ-500 Certification: Azure Security Technologies by Nick Colyer from Skylines Academy). A really good course and highly recommended.

5) Azure training material available at Pluralsight

6) If you don’t understand something, look it up. There are a ton of Microsoft YouTube videos and articles out there which explain the features well. I have lost count, but I did go through a large number of Microsoft videos and articles. You really need to understand what you’re learning. If you’re watching a training video, pause the video and go look up the feature being explained and implement it within your test Azure Portal if required.

8) View Azure Security Expert Series

More info on what you will be tested on can be located at Microsoft Azure AZ-500 Exam (The exam format was recently updated so keep an eye on this article)

Overall, I did spend a large number of hours preparing for this exam but the end result was well worth it. I spent about 3 weeks studying, and was working within the Azure Portal every day. I really enjoyed preparing for this exam and I am sure you will too. All the best

How to configure Azure Bastion


The Azure Bastion service is a great new fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address! So, you can basically connect to your virtual servers from the portal securely and internal to Azure. What a cool feature from Microsoft. The feature does require some pre-work before it can be used, such as an AzureBastionSubnet.

At the time of writing this blog post, this feature was only available in the regions below:

  • West US
  • East US
  • East US 2
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Below is a diagram demonstrating how Bastion works:

To try out this feature, I deployed a test VM in the East US 2 region

How to configure Azure Bastion:

1) Login to your Azure Portal
2) Click Bastions

3) Configure your Bastion service. As you can see from the screenshot below, the service is not available in all regions but Microsoft are working to push out this feature to all regions

4) If you have not created an AzureBastionSubnet with a prefix of at least /27, you will receive the below error. Ensure you have created a subnet within your VNET.

5) Click create. It took approx. 5 minutes to deploy this service after clicking create

If you attempt to connect to your virtual server using Bastion whilst the service is still deploying, you will receive the below error

6) Now that we have deployed the service, let’s connect to a VM located in the same VNET as the BastionSubnet. Because the Bastion service was not available within the UK region, I created a test VM in the East US 2 region.

7) Locate your VM, click Connect and select Bastion. Login with your credentials

Information: You may see a prompt to enable just-in-time access on this VM. This is a useful feature which is currently available as part of Security Center standard. If you have VMs which are open to RDP, you can configure Just in Time so that RDP is always denied but opened for a small amount of time if an admin needs to log on to perform management tasks. Just In Time will automatically create an allow rule within your NSG/Azure Firewall when access is required. The rule will be removed when Just In Time access expires. A good feature you may want to look into at a later date.

8) Let’s continue with the demo. Once you have entered your credentials, the VM will connect to the Bastion service

9) And we’re logged on securely!
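The subnet error in step 4 can be caught before you reach the portal. The following is an added example, not part of the original post: a pre-flight check of a planned VNET layout against the requirement stated above (a subnet named AzureBastionSubnet with a prefix of at least /27), which also checks that the subnet sits inside the VNET range and does not overlap its neighbours. The function name and the sample address ranges are constructed for the illustration.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # subnet name required by the service, per the post
MAX_PREFIX_LEN = 27  # "at least /27" per the post, i.e. a prefix length of 27 or shorter


def check_bastion_subnet(vnet_cidr, subnets):
    """Return a list of problems; an empty list means the layout passes.

    subnets maps subnet name -> CIDR string for every subnet planned in the VNET.
    """
    if BASTION_SUBNET_NAME not in subnets:
        return [f"no subnet named {BASTION_SUBNET_NAME}"]
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr)
    bastion = ipaddress.ip_network(subnets[BASTION_SUBNET_NAME])
    if bastion.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{bastion} is smaller than /{MAX_PREFIX_LEN}")
    if not bastion.subnet_of(vnet):
        problems.append(f"{bastion} is outside the VNET range {vnet}")
    for name, cidr in subnets.items():
        if name != BASTION_SUBNET_NAME and bastion.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{bastion} overlaps subnet '{name}' ({cidr})")
    return problems


# Constructed sample layouts (address ranges are illustrative only).
GOOD_LAYOUT = {"default": "10.0.0.0/24", "AzureBastionSubnet": "10.0.1.0/27"}
TOO_SMALL = {"default": "10.0.0.0/24", "AzureBastionSubnet": "10.0.1.0/28"}
OVERLAPPING = {"default": "10.0.0.0/24", "AzureBastionSubnet": "10.0.0.0/27"}

if __name__ == "__main__":
    for label, layout in [("good", GOOD_LAYOUT), ("too small", TOO_SMALL),
                          ("overlapping", OVERLAPPING)]:
        print(label, "->", check_bastion_subnet("10.0.0.0/16", layout) or "OK")
```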

How to enable Azure Security Defaults


Microsoft have introduced a great new free feature for all new Azure tenants.

Security defaults in Azure Active Directory make it easier to be secure and help protect your organisation. Security defaults contain pre-configured security settings for common attacks.

One of the new features is Multi-Factor Authentication, which can only be utilised using the Azure App. Conditional Access allows the use of any authentication method the administrator chooses to enable. See table below

The aim is to ensure that all organisations have a basic level of security enabled at no extra cost. You can turn on security defaults in the Azure portal.

Further details and things to watch out for before enabling Azure Security Defaults can be located here

To enable Azure Security Defaults:

  1. Log in to the Azure portal at portal.azure.com
  2. Click Azure Active Directory, or search using the search box
  3. Click Properties located in the left pane
  4. Browse to the bottom of the page, and click the link Manage Security Defaults
  5. Click Yes to switch on Security Defaults