Office365 DKIM and DMARC configuration

DKIM and DMARC are used to prevent spoofing of your domain name by spammers. Configuring them in Office365 is quite easy, but it must be done manually if you use a custom domain (i.e. not the standard .onmicrosoft.com domain). I assume that the standard DNS configuration, including the SPF record, is already done, as these records are set automatically or at least validated during the setup of a new domain.
To configure the DKIM and DMARC records, you just need to add a few DNS records and enable DKIM in Exchange Online:

Step 1: Enable DKIM

Go to the Exchange Admin Center and open DKIM, which you can find under Protection. Select your domain and press “enable”:

Automatic data classification for Azure SQL Server

It is important, also for regulatory reasons, to know which data is stored and what kind of data it is. It can be financial data, personal data or any other type. For GDPR reasons, it's especially important to mark personal data and have documentation ready on which data is stored and why.
This can be a challenging and annoying task if you have to do it for an existing database with a few hundred tables. Fortunately, there are ways to make life easier.

Built-in Data Discovery and Classification

The easiest way is to use the built-in data discovery and classification feature that comes with Azure SQL Database. Just go to the ‘Advanced data security’ tab and enable the feature:

Azure AD and SQL Server Authentication

If you use Azure SQL Server and you care about security, then it definitely makes sense to give users access via their Azure Active Directory account. Azure AD supports multi-factor authentication, identity protection and many other security features, which makes it much more secure than using SQL credentials in a connection string.

Admin Access

The first thing to configure is admin access via Azure AD. That’s easily doable via the Azure Portal:

  1. Navigate to your Azure SQL Server (not the Database!)
  2. Open the Active Directory Admin settings
  3. Go to Set Admin and configure your user. I suggest configuring a group, as it gives you more flexibility

Change device owner of an Azure AD joined device

If you join devices to Azure AD, then you can see that each device has an owner. The owner is the user who joined the device to Azure AD, which is sometimes the account of the administrator. That’s why one probably wants to change the owner, which is unfortunately not possible via the Azure portal. But, as usual, you can easily do it via PowerShell.

The main commands you need are:

Get-AzureADDevice   # returns all devices (use the ObjectId of the device below)
Get-AzureADUser     # returns all users (use the ObjectId of the user below)

# add the new device owner (RefObjectId is the ObjectId of the new owner)
Add-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -RefObjectId [NewOwnerObjectId]
# remove the previous device owner (OwnerId is the ObjectId of the previous owner)
Remove-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -OwnerId [PreviousOwnerObjectId]

I created a simple script which takes the device name and the new owner as input and simply does the job:

Office 365 – Forward all mails sent to a (sub)domain

There are many reasons why someone wants to forward all incoming mails for a domain to a specific address. One use case is certainly testing. If you test an application, then you probably need a lot of mail addresses. To avoid creating all the mail addresses, you could use tools like Postfix for it. But that also requires some setup and configuration.
I am an Office 365 user and I love it, and of course I want to solve this issue with Office 365. I tried it and it took some time, but then I found the right setup.

So, what I want to achieve is simple:
All mails sent to @tst.axr.at should be forwarded to a shared mailbox to which all testers have access (or to a specific address).

Sounds simple, and you can easily configure it in Office 365, but there are a few pitfalls, which is why I created this blog post. So let’s go through it step by step.

WordPress Blog on Azure – full setup guide

You are probably thinking about using Microsoft Azure to host your WordPress blog. Azure gives you great scalability features that are important if you want to scale up your website. There are also many other services that could be useful for your blog. I created a new WordPress blog in Azure and want to describe in this blog post which steps I performed and what was needed to get a fully up and running Azure blog.

Before creating the new WebApp required for the WordPress blog, I suggest creating the resource group first. If you do this manually, then you can decide the location of the resource group; if you just create the web app and create the resource group during that step, the default location is US.

+ Create a resource – “Resource group” – set the properties and done

Get started with Azure key vault

Azure Key Vault is a service to store and manage keys, secrets and certificates that you can use for your applications. In this blog post I want to quickly show how to create a key vault and how to use it.
Key Vault is a secure key management service that allows you to manage keys, application secrets and certificates. The keys are stored in hardware security modules (FIPS 140-2 Level 2) and even Microsoft does not see them. Pretty cool stuff, so why should someone use Azure Key Vault?
A common problem is how to manage keys and secrets for your applications: Where to store them? And how to ensure that they have a defined lifetime? Azure Key Vault allows you to achieve all these things. A few features are:

  • Save keys in Azure in a safe place
  • Keep encryption keys in hardware security modules (FIPS140-2 Level 2+)
  • Control keys from a single place
  • Control lifetime and renewal of keys
  • Let other AD users/groups manage access to secrets
  • Access keys from your applications
  • Automatically rotate keys

It especially helps you to solve the issue of storing keys/secrets for your applications. If you develop an application – where do you put e.g. storage keys or other secrets? Sometimes developers hardcode them into the code. Other developers store them in the configuration (e.g. app.config) and just a few use something like Azure Key Vault.

Ok, but what is a key vault? A key vault is a container for keys and secrets that are managed together. If you develop an application, then it makes sense to create one key vault per application, because access control and also billing are per key vault. If you have all keys/secrets stored in one key vault, then each user that has access to that key vault can read all keys/secrets that are in the key vault. So you should definitely create one key vault per application. As a key vault itself is free, this shouldn’t be a problem and helps you to secure your stuff. The pricing for Key Vault is pay per usage of keys (see: Key Vault Pricing Details).

The key vault allows you to store:

  • Key: A cryptographic key (RSA 2048) that you can use to decrypt or sign data with
  • Secret: A sequence of bytes under 25 KB – for example a connection string, a PFX file or an AES encryption key

Let’s Encrypt for Azure WebApps

This blog post is a quick walk-through and will show how to use Let’s Encrypt certificates with Azure WebApps. As prerequisites I assume that the following things are done:

  • App Service and WebApp are already up and running
  • App Service is at least B1 (pricing tier Basic 1)
  • A custom domain is already configured

There are 3 main steps that I will describe in this post:

  1. Add a service account and application to Active Directory
  2. Add the Let’s Encrypt site extension
  3. Force HTTPS (optional)

Weekly Azure billing report per mail with Azure functions

I already blogged about Azure functions, the billing API and a few other things. In this blog post, I’ll combine some of my previous blog posts to build an Azure function that creates a weekly billing report of an Azure subscription. To build this solution, the following steps are required:

  1. Create an Azure function
  2. Configure the CRON schedule for the Azure function
  3. Read data from the Azure Billing API
  4. Create an HTML page with the billing data
  5. Send the report via email

To implement it, I’ll use Visual Studio 2017, C# and the AzureBillingAPI NuGet package that I created.

The final solution can be found on GitHub: https://github.com/codehollow/AzureBillingFunction

Create test data for Microsoft's Recommendation API

Last month I wrote a blog post with a short introduction to Microsoft's Recommendation API (Introduction to Microsoft's Recommendation API). I wrote about the basics, how to start and how to work with this nice API, which is part of the Microsoft Cognitive Services.
When I started to work with the Recommendation API, I soon realized that the most important thing is – data! Okay – no surprise – but how to get the data? Or how to create some test data if you just want to try it?
In my previous blog post, I mentioned that I used a tool to create my (test) recommendation data. The tool was a quick and dirty, self-hacked WCF application, but it worked and I had some data to start with.

Then I decided to publish this tool, but a WCF application is not so sexy and state-of-the-art, so I decided to polish my rusty JavaScript knowledge. The result is certainly not a best-practice web application, nor does it have a nice design, but it does the job! And here it is:
RecommendationDataCreator: http://recommendationdatacreator.azurewebsites.net/
