All posts by Joachim Nässlander

With over 25 years in IT, an IT architect certification and a never-ending quest for knowledge, I work to spread knowledge to all visitors.

Are you compliant? Use Azure Security Center to make sure that you are!

The fact that Azure has been certified according to 70+ different standards makes little to no difference if you as a customer have no idea how to configure your environment to be compliant. If you need help, there are blueprints available.

With the new functionality now in preview you can easily see if your Azure deployment is in line with the certification you’re striving for.

The overview page shows you directly how your deployment aligns with various standards. In my case I’m passing 11 out of 16 checks for PCI DSS 3.2. If I needed to process credit card data I’d be dead in the water, but at least I can now quickly see what I’ve missed.

Azure Security Center overview – click “Regulatory Compliance overview (preview)” in the middle column

Looking closer at our current security posture, I’ve drilled down a bit further, in this case selecting “Azure CIS” as the regulation I’d like to compare against. We can see a number of red areas where we obviously aren’t compliant. It doesn’t matter whether you work in IT or not: if you see this, you can easily figure out that you’re not.

An overview of how the security posture looks compared to “Azure CIS”. Not that good considering it’s all red…

The last step is to drill down into the areas that are red. This gives us detailed instructions on how to remediate the things we’re failing at. In the picture below we can see that we’ll need to enable disk encryption.

Applying disk encryption seems like a good idea, doesn’t it? Clicking the link will take you to the page giving you detailed instructions on how to do it.

This feature in the Security Center will be improved over time and will (probably) let you filter on the compliance standards you want to see, so you don’t have to look at the ones you don’t really care about.

You can find all the documentation on Azure Security Center over at

How are you using Security Center today? Let me know in the comments!

Simplifying your life using the AZ modules in PowerShell

As of December 2018 there’s a new kid in town helping you out with Azure. The old AzureRM modules will be replaced by the AZ modules to keep consistent with Core and Cloud Shell. The module will also keep your management / development environments consistent across Windows / Linux / Mac, hopefully making you a lot more efficient.

Installing the AZ modules

The first step is actually uninstalling the AzureRM modules, leaving you feeling all naked without any possibility to remotely manage Azure. But it’ll only be for a few seconds if you’re quick enough.

Run Uninstall-AzureRM as Administrator and wait for it to complete. Once done, run Install-Module Az and it’ll install the new modules.

If you have old scripts and don’t feel like rewriting them, you can enable aliases for the old commands by running Enable-AzureRmAlias.

That’s it, you’re all updated and running the latest and greatest! To read more about the changes, check out GitHub!

Converting OVA / VMDK to VHD for use in Azure

Software required:

VirtualBox (or you could use a smaller alternative tool, which is less to install)

Azure PowerShell

Azure Storage Explorer

Install the software listed above. Azure Storage Explorer isn’t needed but makes it a lot easier to both upload and move files between storage accounts.

Converting the file

An OVA file is just a tar archive: rename the OVA file to filename.tar and unpack it with 7-Zip so that you get the VMDK file in a directory.

Start a command prompt (CMD.exe) and navigate to the “C:\Program Files\Oracle\Virtualbox” directory.

Using vboxmanage.exe we’ll convert our file to VHD.

Once it’s done we’ll need to upload it to Azure.
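Before uploading, it is worth checking that the converted file is something Azure will accept: a fixed-size VHD whose virtual size is a whole number of MiB, with an intact footer (VBoxManage produces a fixed-size image with its --variant Fixed switch). The Python check below is an added example, not code from the original post or from VirtualBox; it reads only the 512-byte VHD footer at the end of the file, so it works on very large disks, and the sample footers it builds are constructed in code rather than taken from a real disk.

```python
import struct

FOOTER_SIZE = 512
DISK_TYPE_FIXED = 2          # 2 = fixed, 3 = dynamic, 4 = differencing
MIB = 1024 * 1024


def vhd_checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the byte sum, with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_footer(size_bytes: int, disk_type: int = DISK_TYPE_FIXED) -> bytes:
    """Constructed sample footer (no real disk behind it) with a valid checksum."""
    f = bytearray(FOOTER_SIZE)
    f[0:8] = b"conectix"                                   # cookie
    struct.pack_into(">I", f, 8, 2)                        # features: reserved bit, always set
    struct.pack_into(">I", f, 12, 0x00010000)              # file format version 1.0
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == DISK_TYPE_FIXED else 512
    struct.pack_into(">Q", f, 16, data_offset)             # fixed disks have no dynamic header
    f[28:32] = b"vbox"                                     # creator application (sample value)
    struct.pack_into(">Q", f, 40, size_bytes)              # original size
    struct.pack_into(">Q", f, 48, size_bytes)              # current (virtual) size
    struct.pack_into(">I", f, 60, disk_type)
    struct.pack_into(">I", f, 64, vhd_checksum(bytes(f)))
    return bytes(f)


def check_vhd_footer(footer: bytes) -> list:
    """Return the problems that would make the upload unusable in Azure (empty list = looks fine)."""
    if len(footer) != FOOTER_SIZE or footer[0:8] != b"conectix":
        return ["not a VHD footer (missing 'conectix' cookie)"]
    problems = []
    if struct.unpack_from(">I", footer, 64)[0] != vhd_checksum(footer):
        problems.append("footer checksum mismatch (truncated or corrupted file?)")
    disk_type = struct.unpack_from(">I", footer, 60)[0]
    if disk_type != DISK_TYPE_FIXED:
        problems.append(f"disk type {disk_type} is not fixed (2); reconvert with --variant Fixed")
    size = struct.unpack_from(">Q", footer, 48)[0]
    if size % MIB:
        problems.append(f"virtual size {size} is not a whole number of MiB")
    return problems


def check_vhd_file(path: str) -> list:
    """Read just the last 512 bytes of a (possibly huge) .vhd file and check them."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_SIZE, 2)
        return check_vhd_footer(fh.read(FOOTER_SIZE))
```

Run check_vhd_file("azurevm.vhd") on the converted file; an empty list means the footer passed all three checks.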

Create a storage account in the portal

See the Azure documentation for instructions.

Create a blob container

Using Azure Storage Explorer you can create a blob container.

Upload the VHD

Click the upload button and select “Upload Files”. Select one or more VHD files to upload.


Click “Upload” and wait for it to complete.

Deploying your virtual machine

For the script to work you will need an existing Resource Group containing a virtual network.

You will need to replace the variables with the settings for your deployment.

From storage explorer you can copy the storage account name and osDiskURI.

Click your storage account that you uploaded the files to:

The name of the storage account can be found at the bottom.

Click your blob container

The URL is found at the bottom, and the URI is made up of URL + filename; in this example the file is azurevm.vhd, so the URI is the container URL followed by /azurevm.vhd.

The rest of the variables can be found in the portal.

Copy the below script to the editor of your choice. I prefer Notepad++ or PowerShell ISE.

# Settings for your deployment - replace every value below
$rgName         = "resourcegroupname"
$storageAccName = "storageaccountname"
$osDiskName     = "name-of-osdisk"
$osDiskUri      = ""                   # container URL + /azurevm.vhd
$location       = "West Europe"
$vmName         = "vm name"
$vmSize         = "Standard_A2"
$vnetName       = "existing vnet name"
$subnetIndex    = 0                    # index of the subnet in the vnet to use
$nicName        = "nic name"
$pipName        = "public ip name"

# Existing virtual network, a new NIC with a public IP, and the storage account holding the VHD
$vnet       = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$pip        = New-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $rgName -Location $location -AllocationMethod Dynamic -Force
$nic        = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $location -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $pip.Id -Force
$storageAcc = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccName   # fails early if the account does not exist

# Attach the uploaded VHD as the OS disk; no OS profile or credentials are needed when attaching an existing disk
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$vm = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $nic.Id
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDiskName -VhdUri $osDiskUri -CreateOption Attach -Linux
New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vm -Verbose


Edit the script with your parameters.

Use Add-AzureRMAccount to login to your subscription.

Run the script in PowerShell.

The script will only work for Linux virtual machines.

Once the script is done, your VM is deployed to Azure.

Techorama 2017

Wow! That’s all I can say about Techorama 2017. Antwerp was a really nice city, the hotel was great and the conference was impeccably planned! I only had one session this year, but if they let me come back I’ll submit a few more next year.

Met some old friends, hi Jörgen, Sander and Aleksandar. And some new fun people, like Chrissy (from Canada), (with wife), Rob and Jakob to mention a few.

The session went ok apart from applying a policy effectively blocking two demos… At least it shows that policies are in effect immediately and that they work.

My presentation can be found at!AtuW9qIbRPwdpZtfe5wrdhG3xotxwg

Database connection error using MySql in Azure App Service

Well, if you’ve gone full speed ahead using the preview of MySql in Azure App Service you’ve noticed that it doesn’t work. WordPress gives you the “Error connecting to database” error.

To fix it you’ll need to add an application setting to your web app.

Value: --default_password_lifetime=0

Click “Save” and you’re all done.


What is Azure Resource Manager anyway?

When we talk about Azure there’s always a lot of mentioning of “ARM” or “Classic”. “Oh, are you running in classic mode? You should migrate it to ARM instead”. If you have no idea what ARM is or what it can do for you, you usually just nod your head and your life continues anyway. But not knowing about ARM in the year 2016 could be bad. It makes your life easier! It makes your resources more secure! You can decide who can deploy what! Michael Jackson did a song called “Bad“! (Oh, sorry about that, couldn’t help myself.)

Azure Service Manager

The OLD way of deploying resources to Azure is usually referred to as “Classic”, the more technical name is “Azure Service Manager” or ASM for short. In ASM when you deployed for example a virtual machine it looked like this:

Azure Service Manager VM deployment

This deployment had a mandatory “Cloud Service” acting as a container for the VM. It could also have an external IP address with a load balancer. When running in ASM-mode you needed to add your co-workers as co-admins on your subscription. This gave them the same rights as the owner except removing the above mentioned owner of course. But they could effectively add / delete any kind of resources in the subscription. Sounds dangerous, right? Well, ARM to the rescue!

Azure Resource Manager

Azure Resource Manager, ARM, brings the power of resource providers. They do just that, provide resources. There are a bunch of different ones and you can list them and see their status for your subscription using PowerShell.

Registered providers in a subscription.

Of course you could unregister providers if you don’t want to be able to deploy resources from a specific provider. This effectively lets the subscription owner make sure that only allowed resource types are deployed. In the same fashion you can register providers if you want to deploy resources.


There are a bunch of different terms to keep track of to follow this discussion.

We have:

  1. Resource – This could be a VM, NIC, vnet, public IP or another entity. A resource can only be a member of one resource group. One.
  2. Resource group – A resource group is a container of resources. This could be resources of the same type or different types. They could belong to the same application, or not.
  3. Resource provider – The resource provider provides resources of a specified type. For example “Microsoft.Compute” provides computing resources and “Microsoft.Network” provides, you guessed it, networking resources.

The picture below shows one resource group with different resources in the same resource group. This could be a web app for example, letting the developer deploy the application as one entity.


You could also have the resources in different resource groups, for example if you have DBAs managing your databases, the Windows or Linux admins managing your virtual machines and your storage guys or gals managing storage.

Resource group with app or resources.

How you decide to group your resources is totally up to you. When deciding you also must take into account if you’re going to have one or multiple subscriptions, and if you’re going to use Role Based Access Control (RBAC) to secure access to your resources or resource groups.

You can find more information about ARM at

Role Based Access Control (RBAC)

Another benefit of using ARM is that it supports RBAC right out of the box. This means that you can apply different roles on resources or resource groups, effectively managing who can do what to your resources. For example, you could have one resource group containing virtual machines where only a specific group of users would be able to delete them. Or imagine a web app where a defined set of developers would be able to deploy code to your application but not edit any other settings.

RBAC – assigning users or groups to different roles.

More reading on the subject of RBAC can be found at or

Conclusion (or executive summary)

Azure Resource Manager lets you create resources from different providers. Grouping these into resource groups will let you see the cost per group on your bill. You can also assign different roles to either single resources or to all resources in a resource group. If you would like to you can also assign different policies to different resource types, effectively blocking who can do what to which resource. The resources come from resource providers, these can be registered/unregistered which will remove the ability to create any kind of resource from that specific provider.




Getting Azure logs into your SIEM

When running different resources in Microsoft Azure, these resources together with Azure Resource Manager create log files of different events. A resource could be a virtual machine, SQL database or storage account for example. These resources are provided by the resource manager, which also creates events based on actions on these resources. An event could be write, delete or update for example.

The Azure Resource Manager

This video explains how the Azure Resource Group model works:

A short explanation of the resource provider can be found at and if you’re running workloads in classic mode you can find an explanation of the differences at

Enabling logging to storage account

To get the logfiles to your SIEM system you’ll need to enable logging to either a storage account or an event hub. A storage account is easier to manage and will let you use the Azure Log integrator. If you look at your resources, in the pictures I have a virtual machine and a web app, you can enable logging to a storage account.

Enabling diagnostics logging from a virtual machine to a storage account. Note the various levels of logging you can select.

Logging to a storage account from a web app.

Your workloads will start saving their logfiles to your storage account when you’ve saved the settings.

Getting the logs from Azure to your SIEM

That was the easy part. Getting the logs from Azure storage to your SIEM requires some wizardry. Thank God for the Azure Log Integrator then, to the rescue!

Tom Shinder did a great job writing a getting-started guide over at If you don’t like that one, there’s another one:

Once you’ve configured your integration VM you’ll need to configure your SIEM. There’s a guide for various systems available at


Running WordPress in Azure Webapp with Mysql

In August Microsoft launched the preview of MySql in-app for Azure web apps. This means that you can enable MySql in your web app and get immediate access to a MySql database within your application. Running WordPress, Joomla or any other PHP/MySql-based CMS has never been easier. Please note that this is at the moment not for production workloads due to the single-instance database. Read the article for more information at

So how do you get it up and running?

Create a new webapp.


Name your webapp and if you don’t have one, create an App Service Plan.


Once deployment is finished we need to edit some settings.

Switch to PHP 5.7, and turn off ARR. Click Save.


The magic of turning on MySql is up next. Click “on” and if you’re just testing, don’t touch the logging settings. Click “Save”.


Now you’ll need to head over to and download the package. Save it on your computer and unzip the files. You’ll also need an FTP client. Assuming you’re running Windows you can grab Filezilla for free.

Edit your deployment credentials if you don’t know them.


Check the portal for your FTP hostname and enter the corresponding values in your FTP client.


When the upload is done you can use the brand new editor to change wp-config-sample.php.



You need to delete the existing DB_NAME, DB_USER, DB_PASSWORD and DB_HOST definitions and paste in the following code, which reads the connection string that MySql in-app exposes to the application:

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

// MySql in-app publishes its connection string in an environment variable named MYSQLCONNSTR_localdb;
// pick out the host, database, user and password from it, skipping every other variable.
foreach ($_SERVER as $key => $value) {
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }
    $connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
    $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
    $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
    $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
}

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', $connectstr_dbname);

/** MySQL database username */
define('DB_USER', $connectstr_dbusername);

/** MySQL database password */
define('DB_PASSWORD', $connectstr_dbpassword);

/** MySQL hostname : this contains the port number in this format host:port . Port is not 3306 when using this feature */
define('DB_HOST', $connectstr_dbhost);
Paste the code and save.

Rename the file wp-config-sample.php to wp-config.php. This can be done in your FTP client.

Once done you can click your URL in the portal.

If you’ve done everything right so far you’ll see the WordPress installation guide.

Select your language.

Enter a username / password.

Once it’s done you can visit your site and you’re all done. Now you can apply a custom theme and fill your site with content.

Does it work? Well, this site runs in the exact same manner as the guide. So far, so good 🙂