Justin Verstijnen on justinverstijnen.nl

Microsoft Secure Score - Devices

Thu, 09 Apr 2026 00:00:00 +0000

On this page, I will describe how I implemented my current Microsoft Secure Score on the Devices pillar. This means altering mostly the options of Microsoft Defender and Intune.

Before we begin

I collected all the options of the Microsoft Device Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

Update your Kerberos configuration with Azure Virtual Desktop (RC4)

Thu, 09 Apr 2026 00:00:00 +0000

Microsoft released that the Kerberos protocol will be hardened by an update coming in April to June 2026 to increase security. This was released by Microsoft here:

https://techcommunity.microsoft.com/blog/fslogix-blog/action-required-windows-kerberos-hardening-rc4-may-affect-fslogix-profiles-on-sm/4506378

At first, they are not very specific about how to check what Kerberos encryption your environment uses and how to solve this before becoming a problem. I will do my best to explain this and show you how to solve it.

Microsoft already introduced Kerberos-related hardening changes in updates released since November 2022, which significantly reduced RC4 usage in many environments. However, administrators should still verify whether specific accounts, services or devices are explicitly or implicitly relying on RC4 before disabling it. In this guide, I will explain to you how to do this.

Getting started with Microsoft 365 Backup

Fri, 03 Apr 2026 00:00:00 +0000

Microsoft 365 Backup ensures that your data, accounts and email is safe and backed up into a separate storage space. A good and reliable back-up solution is crucial for any cloud service, even when having versioning and recycle bin options. Data in SharePoint or OneDrive stays data in one central place and any minor error is made within seconds.

In this guide, I will explain how Microsoft 365 Backup works and how you can start using it.

Microsoft Secure Score - Identity

Thu, 26 Mar 2026 00:00:00 +0000

On this page, I will describe how I implemented my current Microsoft Secure Score on the Identity pillar. This means altering mostly the options of Microsoft Entra ID.

Before we begin

I collected all the options of the Microsoft Entra ID Identity Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

I tested Azure Virtual Desktop RemoteAppV2

Wed, 25 Mar 2026 00:00:00 +0000

Microsoft announced RemoteAppV2 under some pretty enhancements on top of the older RemoteApp engine. This newer version has some improvements like:

Better multi monitor support
Better resizing/window experience
Visuals like window shadows

I cannot really show this in pictures, but if you test V2 alongside V1, you definitely notice these small visual enhancements. However, a wanted feature called “drag-and-drop” is still not possible on V2.

Source: https://learn.microsoft.com/en-us/azure/virtual-desktop/remoteapp-enhancements

How to enable RemoteAppV2

To enable RemoteAppV2, you need to set a registry key as long as the preview is running. Make sure you are compliant with the requirements as described on this page (client + hosts):

Getting started with GitHub Pages

Thu, 19 Mar 2026 00:00:00 +0000

With GitHub Pages, we can host some free websites for personal use. This is really great as we mostly already use GitHub to store our code and assets for websites. In this guide, I will explain some of the advantages of GitHub Pages, and how to get started by using the service.

Let’s dive into it!

Requirements

A GitHub account (free)
A domain name for your website, or you can use the default domain name of GitHub
- youraccount.github.io
A template website to upload to your domain name
Some basic knowledge about websites and DNS

What is GitHub Pages?

GitHub Pages allows you to host a static website directly from a GitHub repository. This can be done without managing a server, infrastructure, or hosting provider. The only thing you do is create a repository, upload a website, and optionally connect it to a domain name of your choice. We can compare this to Azure Static Web Apps if you are familiar with that.

Azure Virtual Desktop V6/V7 VMs imaging

Thu, 12 Mar 2026 00:00:00 +0000

When I first chose to use V6 or V7 machines with Azure Virtual Desktop, I ran into some boot controller errors about the boot controller not supporting SCSI images.

The VM size ‘Standard_E4as_v7’ cannot boot with OS image or disk. Please check that disk controller types supported by the OS image or disk is one of the supported disk controller types for the VM size ‘Standard_E4as_v7’. Please query sku api at https://aka.ms/azure-compute-skus to determine supported disk controller types for the VM size. (Code: InvalidParameter)
This size is not available because it does not support the SCSI disk controller type.

Because I really wanted to use higher version VMs, I went to research on how to solve this problem. I will describe the process from creating the initial imaging VM, to capture and installing new AVD hosts with our new image.

Get notifications when Entra ID break glass admins are used

Sun, 08 Mar 2026 00:00:00 +0000

As we want to secure our Break Glass Accounts as good as possible, we cloud want to get alerts when break glass admins are used to login. Maybe they are used on a daily basis, or are being attacked. When we configure notifications, we instantly know when the accounts are being used and can check why a login has taken place.

In this guide we will configure this without Microsoft Sentinel. If you already have a Sentinel workspace, the recommended action is to configure it there and to configure a automation rule/playbook.

How to properly secure Break Glass Accounts in your Entra ID

Sun, 01 Mar 2026 00:00:00 +0000

In our environment, we will do everything to secure it as much as possible. We give users only the permissions they need and only at given times, we enable Conditional Access to limit access to our data as much as possible.

But we also create Break Glass administrator accounts as our last resort, a method to login if everything else doesn’t work. Security wise, this sounds against all rules but we prefer a account to login in emergency situations over a complete tenant lockout.

Create HTTPS 301 redirects with Azure Front Door

Thu, 19 Feb 2026 00:00:00 +0000

In this post, I will explain how I redirect my domains and subdomains to websites and parts of my website. If you ever visited my tools page at https://justinverstijnen.nl/tools, you will see I have shortcuts to my tools themselves, although they are not directly linked to the instances.

In this post I will explain how this is done, how to setup Azure Front Door to do this and how to create your own redirects from the Azure Portal.

Everything you need to know about Azure Bastion

Sun, 15 Feb 2026 00:00:00 +0000

Azure Bastion is a great tool in Azure to ensure your virtual machines are accessible in a fast, safe and easy way. This is cool if you want to embrace Zero Trust into your servers management layer and so a secure way to access your servers in Azure.

In this guide I will explain more about Azure Bastion and I hope I can give you a good overview of the service, its features, pricing and some practice information.

I tried running Active Directory DNS on Azure Private DNS

Thu, 29 Jan 2026 00:00:00 +0000

In Azure we can configure private DNS zones for local domains. We can use this to resolve our resources in our virtual network by name instead of IP addresses, which can be helpful creating failover and redundancy. These could all help to achieve a higher availability for your end users. Especially because Private DNS Zones are free and globally redundant.

I thought of myself; “Will this also work for Active Directory?”. In that case, DNS would still resolve if suddenly our domain controllers are offline and users are working in a solution like Azure Virtual Desktop.

Upload multiple Github repositories into a single Azure Static Web App

Thu, 15 Jan 2026 00:00:00 +0000

In the past few weeks, I have been busy on scaling up my tools and the backend hosting of the tools. For the last year, I used multiple Static Web Apps on Azure for this, but this took a lot of time administering and creating them. I thought about a better and more scalable manner of hosting tools, minimizing the amount of hosts needed, uniforming URLs and shortcodes with Azure Front Door (guide coming up) andlinking multiple GitHub repositories into one for central management.

What is MTA-STS and how to use it to protect your email flow

Thu, 08 Jan 2026 00:00:00 +0000

MTA-STS is a standard for ensuring TLS is always used for email transmission. This increases security and data protection because emails cannot be read by a Man in the Middle. It works like this for inbound and outbound email to ensure security is applied to all of the messages processed by your emailing solution and domains.

In this guide I will explain how it works. Because it is a domain specific configuration, it can work with any service and is not bound to for example Exchange Online. In this guide we use Azure to host our MTA-STS policy. I present you 2 different options for you to choose, and of course only one is needed. You can also choose to use another solution, its it supports HTTPS and hosting a single TXT file, it should work.

Remove Microsoft Print to PDF and OneNote printers script

Mon, 29 Dec 2025 00:00:00 +0000

In this guide, I will show you how to delete the printers using a PowerShell script. This is compatible with Microsoft Intune and Group Policy and can be used on physical devices, Azure Virtual Desktop and Windows 365.

By default in Windows 11 with Microsoft 365 apps installed, we have two software printers installed. These are:

OneNote (Desktop)
Microsoft Print to PDF

However, some users don’t use them and they will annoyingly be as default printer sometimes, which we want to avoid. Most software have built-in options to save to PDF, so this is a bit redundant. Our real printers will be further down which causes their own problems for end users.

Automatically start Windows App at startup

Thu, 25 Dec 2025 00:00:00 +0000

In some cases we want to automatically start the Windows App for connections to AVD and Windows 365 at startup. We can achieve this through different ways which I will describe in this post.

Creating the Intune script

We can achieve this with Intune using a PowerShell script. As Intune doesn’t support login/startup scripts, we have to create a Platform script that creates a Scheduled Task in Windows for us. This is a great way, as this is visible at the client side and can be disabled pretty easily.

Azure Virtual Desktop FSLogix and Native Kerberos authentication

Tue, 16 Dec 2025 00:00:00 +0000

On this page I will describe how I built an environment with a pooled Azure Virtual Desktop hostpool with FSLogix and using the Entra Kerberos option for authentication. This new authentication option eliminates the unsafe need of storing the storage key in hosts’ registry like we did in my earlier AVD full Entra blog.

In this guide I will dive into how I configured an simple environment where I placed every configuration action in separate steps to keep it simple and clear to follow and also will give some describing information about some concepts and settings.

FSLogix and maximum Azure Files security

Sun, 14 Dec 2025 00:00:00 +0000

When using Azure Files and Windows 11 as operating system for Azure Virtual Desktop, we can leverage the highest SMB encryption/security available at the moment, which is AES-256. While we can change this pretty easily, the connection to the storage account will not work anymore by default.

In this guide I will show how I got this to work in combination with the newest Kerberos Authentication.

The Maximum Security preset in the Azure Portal

We can also run the SMB security on the Maximum security preset in the Azure Portal and still run FSLogix without problems. In the Azure Portal, go to the storage account and set the security of the File share to “Maximum security”:

Deploy Google Chrome Single Sign On with Intune

Thu, 11 Dec 2025 00:00:00 +0000

When deploying Google Chrome with Microsoft Intune, users still have to manually login with their credentials into Microsoft Online websites. Microsoft Edge has built-in Single Sign On (SSO) for users who already logged in with their Microsoft account to their computer.

However, there is a Chrome extension published by Microsoft themselves which allows users to also have this Single Sign On experience into Google Chrome.

On this page I will show how this extension works, what the advantages are and how we can deploy this with Microsoft Intune. I will share both a Configuration Policy and a PowerShell script option where you may choose which one to use.

Disable users' self service license trials

Thu, 04 Dec 2025 00:00:00 +0000

One day I came across an option in Microsoft 365 to disable the users’ self service trials. You must have seen it happening in your tenants, users with free licenses for Power Automate, Teams or Power BI. I will show you how to disable those and only let administrators buy and assign new licenses.

Why should you disable trial licenses?

You can disable self service trial licenses if you want to avoid users to use un-accepted apps. This could result in shadow-it happening in your environment.

Azure Virtual Desktop RDP Properties

Thu, 27 Nov 2025 00:00:00 +0000

In this post, we will be looking at the most popular different RDP Properties we can use in Azure Virtual Desktop.

I will be talking about local PC’s and remote PC’s alot, where the remote PC is of course the Azure Virtual Desktop host and the local PC is the device you can physically touch.

What are RDP properties?

RDP properties are specific settings to change your RDP experience. This can be to play sound on the remote or local PC, enable or disable printer redirection, enable or disable clipboard between computers and what to do if connection is lost.

ARM templates and Azure VM + Script deployment

Thu, 20 Nov 2025 00:00:00 +0000

In Azure we can deploy ARM templates (+ script afterwards) to deploy resources on a big scale. This is like an easier version Terraform and Bicep, but without the great need to test every change and to learn a whole new language and convention. Also with less features indeed.

In this post I will show some examples of deploying with ARM templates and also will show you how to deploy a PowerShell script to run directly after the deployment of an virtual machine. This further helps automating your tasks.

Windows Server Inventory Report Script

Thu, 13 Nov 2025 00:00:00 +0000

To help us IT identifying certain configurations on a server and possible misconfigurations I have made a PowerShell script which creates a complete overview of the current server configuration and exports it as a single HTML file.

In this post I will explain how to use it and how the script works.

An example of the output of the script.

Where to download this script?

For the fast pass, my script can be downloaded here:

Disable Windows Taskbar Widgets through Intune

Thu, 06 Nov 2025 00:00:00 +0000

Today a short guide on how to disable Windows Taskbar widgets through Intune. I mean this part of the Windows 11 taskbar:

Method 1: Settings Catalog

The easiest way to disable these widgets is through a Settings Catalog policy. Open up Microsoft Intune admin center and create a new policy through the Settings Catalog.

Search for “widget” and these options are available:

News and Interests: Disable Widgets on Lockscreen
News and Interests: Disable Widgets Board
Widgets: Allow Widgets

Using and configuring Windows Backup for Organizations in Intune

Sat, 01 Nov 2025 00:00:00 +0000

Microsoft just released a new feature, Windows Backup for Organizations, which is a revolution on top of the older Enterprise State Roaming.

Windows Backup for Organizations will help you and your users by saving different components of your Windows installation to make a the proces of a new installation or computer much easier. Especially when used with Windows Autopilot, this is a great addition to the whole Windows/Intune ecosystem.

In this guide I will dive into how it works, what is backed up and excluded and how to configure and use it.

Remove Pre-installed Windows Store Apps with Intune

Tue, 21 Oct 2025 00:00:00 +0000

Since the latest Windows 25H2 update, we have a great new feature. We can now remove pre-installed Windows Store Applications which we don’t want to ship with our devices. This helps us alot with both Windows 365 and Azure Virtual Desktop Personal deployments as with normal Intune-joined devices. The only downside is that Pooled Azure Virtual Desktop Deployments are not supported.

In this guide I will dive into this new setting and explain how to configure this and why this is a great update. The step-by-step guide shows how I have configured a policy that removes most of the non-productive apps from my PC.

Azure Compute Gallery and (AVD) VM images

Thu, 09 Oct 2025 00:00:00 +0000

Azure Compute Gallery is a great service in Azure to store, capture and maintain your VM images. This can be helpful when deploying multiple similar VMs. Use cases of this can be VM Scale Sets, webservers , containers or Azure Virtual Desktop session hosts.

In this blog post, I will tell more about Azure Compute Gallery, how to use it when imaging VMs and how it can help you storing and maintaining images for your VMs.

Solved - ADSync service stopped (Entra Connect Sync)

Mon, 06 Oct 2025 00:00:00 +0000

Sometimes, the ADSync service stops without further notice. You will see that the service has been stopped in the Services panel:

In this guide I will explain how I solved this problem using a simple PowerShell script.

The Check ADSync script

The PowerShell script that fixes this problem is on my GitHub page:

Download PowerShell script

The script simply checks if the service is running, if this is the case the script will be terminated. If the service is not running, the service will be started.

Customize Office apps installation for Azure Virtual Desktop

Tue, 30 Sep 2025 00:00:00 +0000

When deploying Microsoft Office apps to (pooled) Virtual Desktops, we mostly need to do some optimizations to the installation. We want to optimize performance on pooled and virtual machines, or maybe we want to enable shared computer activation because multiple users need the apps.

In this guide I will show you how to customize the installation of Office apps, primarily for Virtual Desktops, but can be used on any Windows machine.

Clean files on a schedule with Powershell script

Thu, 18 Sep 2025 00:00:00 +0000

Sometimes in IT, we have software or solutions that need to to save temporary files in your filesystem. Let’s say, a feed with logs or CSV files that are saved, logs or back-ups like the Bartender software. The software itself doesn’t have a solution to clean up those files and after 2 years, the size can be massive.

To let this files clean on schedule I have created a Powershell script which cleans those files in specific folders after they are not modified in *specfied* days . You can define the folders and number of days at the parameters section of the script.

Automatic Azure Boot diagnostics monitoring with Azure Policy

Thu, 11 Sep 2025 00:00:00 +0000

In Azure, we can configure Boot diagnostics to view the status of a virtual machine and connect to its serial console. However, this must be configured manually. The good part is that we can automate this process with Azure Policy. In this post I will explain step-by-step how to configure this and how to start using this in your own environment.

In short, Azure Policy is a compliance/governance tool in Azure with capabilities for automatically pushing your resources to be compliant with your stated policy. This means if we configure Azure Policy to automatically configure boot diagnostics and save the information to a storage account, this will be automatically done for all existing and new virtual machines.

How to completely hide language bar/selector Windows 11

Tue, 09 Sep 2025 00:00:00 +0000

One of the small things I experienced in one of the updates for Windows 11 (24H2) is that the language bar/selector get’s automatically visible on the Windows taskbar. In previous versions of Windows, this was only available when using multiple keyboard languages.

Because this can get very annoying, I researched on how to disable this button to clean up our taskbar and only use it for the applications and space we need.

Wordpress on Azure

Thu, 04 Sep 2025 00:00:00 +0000

Wordpress. Its maybe the best and easiest way to maintain a website. This can be run on any server. In Azure, we also have great and serverless possibilities to run Wordpress. In this guide I will show you how to do this, how to enhance the experience and what steps are needed to build the solution. I will also tell more about the theoretical stuff to get a better understanding of what we are doing.

New: Azure Service Groups

Mon, 01 Sep 2025 00:00:00 +0000

A new feature in Microsoft Azure rised up on the Microsoft pages; Service Groups. In this guide, we will dive a bit deeper into Service Groups and what we can do with them in practice.

At the time of writing, this feature is in public preview and anyone can use it now.

What are these new Service Groups in Azure?

Service Groups are a parralel type of group to group resources and separate permissions to them. In this manner we can assign multiple resources of different resource groups and put them into a overshadowing Service Group to apply permissions. This eliminates the need to move resources into specific resource groups with all broken links that comes with it.

In-Place upgrade to Windows Server 2025 on Azure

Thu, 28 Aug 2025 00:00:00 +0000

Once every 3 to 4 years you want to be on the last version of Windows Server because of new features and of course to have the latest security updates. These security updates are the most important these days.

When having your server hosted on Microsoft Azure, this proces can look a bit complicated but it is relatively easy to upgrade your Windows Server to the last version, and I will explain how to on this page.

Azure Image Builder voor AVD

Tue, 19 Aug 2025 00:00:00 +0000

Even uitzoeken en testen of dit interresant is.

UItgezocht, ziet er heel veel handwerk uit. Naar mijn inziens is het makkelijekr om een image weer op te starten dan customizations te doen en dan weer imagen.

End of the page 🎉

You have reached the end of the page. You can navigate through other blog posts as well, share this post on X, LinkedIn and Reddit or return to the blog posts collection page. Thank you for visiting this post.

Starting out with Universal Print

Tue, 19 Aug 2025 00:00:00 +0000

Universal Print is a Microsoft cloud solution which can replace your Windows based printservices. It can be used to deploy printers to endpoints, even to non-Windows devices in a cloud-only way.

Requirements

Around 30 minutes of your time
A license which includes Universal Printing
Basic knowledge of Intune and Windows

What is Universal Printing?

Universal Printing is a cloud based service of Microsoft for installing, managing and deploying printers to end users in a modern way. This service eliminates the need for having to manage your own print servers and enables us to deploy printers in a nice and easy way. This is mostly HTTPS-based.

Match AD users using Entra Connect Sync and MSGraph

Mon, 18 Aug 2025 00:00:00 +0000

Sometimes, it is necessary to match an existing local Active Directory (AD) user through Entra Connect with an existing Entra ID user (formerly known as Azure AD). This process ensures that the account in both environments is aligned and maintains the same underlying configurations and settings across systems.

What is soft-matching?

Most of the time the system itself will match the users automatically using soft-matching. Here the service will be matching users in both Entra ID and Active Directory by using known attributes like UserPrincipalName and ProxyAddresses.

Joining storage account to Active Directory (AD DS)

Thu, 14 Aug 2025 00:00:00 +0000

Joining a storage account to Active Directory can be a hard part of configuring Azure Virtual Desktop or other components to work. We must join the storage account so we can do our Kerberos authentication against the storage account.

In this guide I will write down the most easiest way with the least effort of performing this action.

Requirements

Around 30 minutes of your time
An Azure subscription with the storage account
An Active Directory (AD DS) to join the storage account with (on-premises/Azure)
Basic knowledge of Active Directory and PowerShell

Step 1: Prepare the Active Directory server

We must first prepare our server. This must be a domain-joined server, but preferably not a domain controller. Use a management server instead when possible. We must execute

Initial Installation script for Windows Azure VMs

Sun, 10 Aug 2025 00:00:00 +0000

When deploying Windows VMs in Azure, we get the default settings. This means we get a 12-hour clock, standard UTC/Zulu timezone and such. For users like us in the Netherlands we want to change this but not by hand.

For this purpose I built this script. It sets the timezone for Western Europe and sets the clock to 24-hour system. It also does some bonusses like responding to ping and disabling the IE Enhanced Security as it’s mostly server focussed. We don’t change the Windows language and this stays English.

Clean up old FSLogix profiles with Logic Apps

Thu, 07 Aug 2025 00:00:00 +0000

Today I have a Logic App for you to clean up orphaned FSLogix profiles with Logic Apps. As you know, storage in Azure costs money and we want to store as minimum as possible. But in most companies, old and orphaned FSLogix profiles will be forgotten to clean up so we have automate this.

In this guide I will show you how you can clean up FSLogix profiles from Azure Files by looking up the last modified date, and deleting the files after they exceeded the number of days.

Using FSLogix App Masking to hide applications on Virtual Desktops

Thu, 31 Jul 2025 00:00:00 +0000

In this blog post I will explain and demonstrate the pro’s and features of using FSLogix App Masking for Azure Virtual Desktop. This is a feature of FSLogix where we can hide certain applications and other components from our users while still having to maintain a single golden image.

In this guide I will give some extra explaination about this feature, how it works, how to implement it in a production environment and how to create those rules based on the logged on user. I hope to give a “one-post-fits-all” experience.

Installing Windows Updates through PowerShell (script)

Sun, 27 Jul 2025 00:00:00 +0000

Sometimes we want to install updates by hand because of the need for fast patching. But logging into every server and installing them manually is a hell of a task and takes a lot of time.

I have made a very simple script to install Windows Updates by hand using PowerShell including logging to exactly know which updates there were installed for monitoring later on.

The good part about this script/PowerShell module is that it does support both Windows Client and Windows Server installations.

Use Ephemeral OS Disks in Azure

Thu, 24 Jul 2025 00:00:00 +0000

In Azure, you have the option to create Ephemeral OS disks for your machine. This sounds really cool but what is it actually, what pro’s and cons are coming with them, what is the pricing and how do we use them? I will do my best to explain everything in this guide.

Requirements

Around 25 minutes of your time
An Azure subscription (if wanting to deploy)
Basic knowledge of Azure
Basic knowledge of servers and infrastructure

What are Ephemeral OS Disks?

Ephemeral OS Disks are disks in Azure where the data is stored directly on the hypervisor itself, rather than having a managed disk which could be resided at the very other end of a datacenter. Every cable and step between the disk and the virtual machine creates latency which will result in your machine being slower.

RDP Multipath - What is it and how to configure?

Wed, 16 Jul 2025 00:00:00 +0000

RDP Multipath is a new protocol for Azure Virtual Desktop and ensures the user always has a good and stable connection. It improves the connection by connecting via the best path and reduces random disconnections between session hosts and users.

Let’s take a look what RDP Multipath adds to your connections:

Green: The normal paths of connecting with RDP/Shortpath Purple: The paths added by RDP Multipath

This adds extra ways of connecting session hosts to the end device, selects the most reliable one and therefore adds stability and decreases latency.

Implement Certificate-based authentication for Entra ID scripts

Sun, 13 Jul 2025 00:00:00 +0000

When using Entra ID, we can automate a lot of different tasks. We can use a script processing server for this task but doing that normally means we have to save credentials or secrets in our scripts. Something we don’t want.

Today I will show how to implement certificate-based authentication for App Registrations instead of using a client secret (which still feels like a password).

Requirements

Around 20 minutes of your time
An Entra ID environment if you want to test this
A prepared Entra ID app registration
A server or workstation running Windows to do the connection to Entra ID
Some basic knowledge about Entra ID and certificates

How does these certificates work?

Certificate based authentication means that we can authenticate ourselves to Entra ID using a certificate instead of user credentials or a password in plain text. When using some automated scripts it needs permissions to perform its actions but this means storing some sort of authentication. We don’t want to store our credentials on the server as this decreases our security and a potential risk of compromise.

Use Azure Logic Apps to automatically start and stop VMs

Sun, 13 Jul 2025 00:00:00 +0000

With Azure Logic apps we can save some money on compute costs. Azure Logic apps are flow based tasks that can be run on schedule, or on a specific trigger like receiving a email message or Teams message. After the trigger has been started, we can choose what action to do. If you are familiar with Microsoft’s Power Automate, Logic Apps is almost exactly the same but then hosted in Azure.

How to implement Azure Firewall to secure your Azure environment

Thu, 10 Jul 2025 00:00:00 +0000

In this article, we are going to implement Azure Firewall in Azure. We are going to do this by building and architecting a new network and creating the basic rules to make everything work.

Requirements

Around 60 minutes of your time
An Azure subscription
Basic knowledge of Azure
Basic knowledge of Networking
Basic knowledge of Azure Firewall

Overview

Before creating all resources, it is great to plan before we build. I mean planning your network before building and having different overlaps or too much/less addresses available. In most cases, Azure recommends building a Hub-and-Spoke network, where we connect all spoke networks to a big hub.

What is Azure Firewall?

Thu, 03 Jul 2025 00:00:00 +0000

Azure Firewall is a cloud-native Firewall which can be implemented in your Azure network. It acts as a Layer 3, 4 and 7 Firewall and so has more administrative options than for example NSGs.

Requirements

Around 15 minutes of your time
Basic knowledge of Azure
Basic knowledge of networking and networking protocols

What is Azure Firewall?

Azure Firewall is an cloud based firewall to secure and your cloud networking environment. It acts as point of access, a sort of castledoor, and can allow or block certain traffic from the internet to your environment and from environment to the internet. The firewall can mostly work on layers 3, 4 and 7 of the OSI model.

Audit your Entra ID user role assignments

Tue, 01 Jul 2025 00:00:00 +0000

Today I have a relatively short blog post. I have created a script that exports all Entra ID user role assignments with Microsoft Graph. This can come in handy when auditing your users, but then realizing the portals doesn’t always show you the information in the most efficient way.

Therefore, I have created a script that only gets all Entra ID role assignments to users of every role and exports it to a nice and readable CSV file.

Disk cleaning script on Windows Azure VMs

Sat, 28 Jun 2025 00:00:00 +0000

On Windows Servers, a critical point is maintaining the disk space. If a disk fills up to the end, several errors can occur and impacting the end-users experience of your applications. Something we definitely not want.

To help reducing this chance, I have created a PowerShell script that cleans up your server using built in tools of Windows. In this post, I will explain what the script does, how to install it and how to use it.

Audit your privileged Entra ID applications

Wed, 25 Jun 2025 00:00:00 +0000

In Microsoft Entra ID it’s possible to create App registrations and Enterprise applications who can get high privileges if not managed and monitored regularly. We do our best with Identities to be secure, with security processes like MFA, access reviews and such, but most of the companies don’t care that much about the Enterprise applications.

In this post, I will try to convince you that this is as much as important as identities. For helping you to solve this I built a PowerShell script to get a complete overview of all the applications and their permissions.

Azure Default VM Outbound access deprecated

Thu, 19 Jun 2025 00:00:00 +0000

Starting on 30 September 2025, default outbound connectivity for Azure VMs will be retired. This means that after this date you have to configure a way for virtual machines to actually have connection to the internet. Otherwise, you will get an VM that runs but is only available through your internal network.

In this post I will do a deep dive into this new developement and explain what is needed and what this means for your existing environment and how to transition to the new situation after this 30 September 2025 date.

Enhance email security with SPF/DKIM/DMARC

Mon, 16 Jun 2025 00:00:00 +0000

When it comes to basic email security, we have 3 techniques that can enhance our email security and delivery by some basic initial configuration. Those are called SPF, DKIM and DMARC. This means, configure and mostly never touch again.

Microsoft announced that starting from May 5, 2025: SPF, DKIM and DMARC will become mandatory for inbound email delivery. Not configuring all three can result in your emails not being delivered correctly.

Pooled Azure Virtual Desktop with Azure AD cloud users only

Thu, 12 Jun 2025 00:00:00 +0000

This deployment option is superseded by the more easy and secure Entra Kerberos option, check out the updated deployment guide here: https://justinverstijnen.nl/azure-virtual-desktop-fslogix-and-native-kerberos-authentication/

Since the beginning of Azure Virtual Desktop, it is mandatory to run it with an Active Directory. This because when using pooled session hosts, there has to be some sort of NTFS permission for FSLogix to reach the users’ profile disks. This permission is done using NTFS with Kerberos authentication. Something Azure AD doesn’t support.

Microsoft Azure certifications for Developers

Wed, 11 Jun 2025 00:00:00 +0000

This page shows what Microsoft Azure certifications are available for Developer-minded people. I intend to focus as much on the developers as possible, although this is not my primary subject. I did some research and i didn’t find it very clear what to do, where to start etcetera.

The certification poster

Microsoft has an monthly updating certification poster available to have an overview for each solution category and the certifications of that category. You can find the poster here:

Introduction to Networks

Wed, 04 Jun 2025 00:00:00 +0000

This page is an introduction to Networks. We don’t need to know everything about it, but often face it in our work. In this guide I will give you a basic understanding of networks, IP addresses, VLANs, Segmenting etcetera. Basically everything you need to understand the process, and hopefully even more than that.

Requirements

Some basic networking knowledge
Some basic subnetting knowledge
Around 20 minutes of your time

Introduction to Networking

Networking is the process of connecting devices to share data and resources. It allows communication between users over local or global distances. Networks can range from small home setups to large corporate infrastructures. Key components include routers, switches, and protocols that manage data traffic. Effective networking ensures reliable, secure, and efficient information exchange. As technology advances, networking plays a critical role in enabling digital communication worldwide.

Creating Static Web Apps on Azure the easy way

Thu, 29 May 2025 00:00:00 +0000

Microsoft Azure has a service called the ‘Static Web Apps" (SWA) which are simple but yet effective webpages. They can host HTML pages with included CSS and can link with Azure Functions for doing more advanced tasks for you. In this guide we will explore the possibilities of Static Web Apps in Azure.

Requirements

Around 45 minutes of your time
An account for Github (recommended)
An Azure subscription to host your Static Web App
Some basic knowledge of Azure
A custom domain to link the web app to your domain

Introduction to Static Web Apps and Github

Before we dive into Static Web Apps and Github, I want to give a clear explaination of both the components that will help us achieving our goal, hosting a simple web app on Azure.

Test Azure Virtual Desktop connectivity and RTT

Thu, 22 May 2025 00:00:00 +0000

Sometimes, we need to check some basic connectivity from end user devices to a service like Azure Virtual Desktop. Most networks have a custom firewall equipped where we must allow certain traffic to flow to the internet.

Previously there was a tool from Microsoft available, the Azure Virtual Desktop experience estimator, but they have discontinued that. This tested the Round Trip Time (RTT) to a specific Azure region and is a calculation of what the end user will get.

Windows Search optimization on Azure Virtual Desktop

Thu, 15 May 2025 00:00:00 +0000

When using Windows 11 Multi Session images on Azure for Azure Virtual Desktop, Microsoft has disabled some features and changed the behaviour to optimize it for using with multiple users. One of the things that has been “lazy loading” is Windows Search. The first time after logging in it will be much slower than normal. The 2nd, 3rd and 4th time, it will be much faster.

In this video you will see that it takes around 5 seconds till I can begin searching for applications and Windows didnt respond to the first click. This is on a empty session host, so in practice this is much slower.

Create custom Azure Workbooks for detailed monitoring

Thu, 08 May 2025 00:00:00 +0000

Azure Workbooks are an excellent way to monitor your application and dependencies in a nice and customizable dashboard. Workbooks can contain technical information from multiple sources, like:

Metrics
Log Analytics Workspaces
Visualisations

They’re highly flexible and can be used for anything from a simple performance report to a full-on investigative analysis tool. A workbook can look like this:

Using the default Azure Workbooks

In Azure we can use the default workbooks in multiple resources that contain basic information about a resource and it’s performance. You can find those under the resource itself.

Disable DirectSend in Exchange Online

Sun, 04 May 2025 00:00:00 +0000

Microsoft has published a new command to completely disable the unsafe DirectSend protocol in your Microsoft 365 environment. In this guide I will explain what DirectSend is, why you should disable this and how we can achieve this.

What is DirectSend?

DirectSend (Microsoft 365) lets devices or applications (like printers, scanners, or internal apps) send email directly to users inside your organization without authentication. Instead of using authentication, it uses your MX record directly with port 25.

Setup a Minecraft server on Azure

Thu, 01 May 2025 00:00:00 +0000

Sometimes, we also want a step down from our work and want to fully enjoy a videogame. Especially when you really like games with open worlds, Minecraft is a great game. And what if I tell you we can setup a server for Minecraft on Azure so you can play it with your friends and have a 24/7 uptime this way.

Requirements

An Azure environment
Basic knowledge of Azure
Basic knowledge of Linux and SSH
Basic knowledge of networking and TCP/UDP
Experience with Minecraft to test the server
Around 45 minutes of your time

System requirements of a Minecraft server

For a typical Minecraft server, without Mods, the guidelines and system requirements are as stated below:

Monitor Azure Virtual Deskop logon speed

Thu, 24 Apr 2025 00:00:00 +0000

Sometimes we want to know why a Azure Virtual Desktop logon took longer than expected. Several actions happen at Windows logon, like FSLogix profile mounting, Group Policy processing and preparing the desktop. I found a script online that helps us monitor the sign-ins and logons and basically tells us why it took 2 minutes and what parts took a specific amount of seconds.

The script is not made by myself, the source of the script is: https://www.controlup.com/script-library-posts/analyze-logon-duration/

Skrepr Tech CI - PowerShell

Thu, 24 Apr 2025 00:00:00 +0000

Dit is mijn Collective Intelligence voor mei 2025 over PowerShell. Ik ga hier wat leuke dingen over laten zien, zie de inhoud voor handige links naar de kopteksten.

Aan het einde heb ik nog een leuke praktijkopdracht waarin we een PowerShell module gaan installeren en uitvoeren.

Ik heb mijn best gedaan om de uitleg zo simpel maar duidelijk te geven, ook voor onze niet-technische mensen.

Wat is PowerShell?

Powershell is een shell en script taal en sinds Windows 8/Server 2012 de onderliggende CLI van Windows. Eigenlijk alles in de grafische interface van Windows wordt door Powershell verwerkt, zoals te zien in onderstaande afbeelding:

Storage Account performance and pricing for Azure Virtual Desktop

Sun, 20 Apr 2025 00:00:00 +0000

Choosing the right performance tier of Azure Storage Accounts can be very complex. How much size and performance do we need? How many users will login to Azure Virtual Desktop and how many profile size do we want to assign them?

In this blog post I will explain everything about hosting your FSLogix profiles on Azure Virtual Desktop and the storage account performance including pricing. AFter that we will do some real world performance testing and a conclusion.

Deploy Resource Group locks automatically with Azure Policy

Thu, 17 Apr 2025 00:00:00 +0000

Locks in Azure are a great way to prevent accidental deletion or modify resources or resource groups. This helps further securing your environment and make it somewhat more “fool proof”.

Now with Azure Policy we can automatically deploy Locks to Resource Groups to secure them from deleting or read-only resources. In this guide I will explain how this can be done and how it works.

Note: Locks on Resource Groups can stop some automations. If you use read-only locks on a Azure Virtual Desktop resource group for example.

Monitor and reduce carbon emissions (CO2) in Azure

Thu, 10 Apr 2025 00:00:00 +0000

In Microsoft Azure, we have some options to monitor and reduce your organizations Carbon emissions (CO2) from services hosted in the cloud. When hosting servers on-premises, they need power, cooling and networking and those are also needed in the cloud. By migrating servers to the cloud doesn’t mean that those emissions do not count. Those emissions are generated on an other location.

In this guide, I will show some features of Microsoft Azure regarding monitoring and reducing carbon emissions.

Migrate servers with Azure Migrate in 7 steps

Thu, 03 Apr 2025 00:00:00 +0000

This page is about Azure Migrate and how you can migrate an on-premises server or multiple servers to Microsoft Azure. This process is not very easy, but it’s also not extremely difficult. Microsoft hasn’t made it as simple as just installing an agent on a VM, logging in, and clicking the migrate button. Instead, it is built in a more scalable way.

Requirements

A server to migrate to Microsoft Azure
Ability to install 1 or 2 additional servers
- Must be in the same network
Around 60 minutes of your time
Administrator access to all source servers
RDP access to all source servers is useful
Secure Boot must be disabled on the source servers
A target Azure Subscription with Owner access
1 server dedicated to Migration based on Windows Server 2016*
2 servers for Discovery and Migration based on Windows Server 2016*

*Windows Server 2016 is the only supported OS, please do not install other versions as this will not work.

AMC - Module 11: Infrastructure as Code (IaC) and DevOps

Thu, 27 Mar 2025 00:00:00 +0000

In this module, we cover Azure: Infrastructure as Code (IaC) and DevOps. This module focuses more on development on Azure, with less emphasis on automation and IT management. While IaC and DevOps might seem less exciting at first, they are essential for modern cloud-based application development and operations, helping streamline deployments, ensure consistency, and integrate continuous delivery pipelines.

Azure Portal, Azure Powershell and Azure CLI

There are multiple environments to manage Azure and its resources:

AMC - Module 10: Monitoring and Security

Thu, 20 Mar 2025 00:00:00 +0000

In this module, i want you to understand all the possibilities of Monitoring and some Security features of Microsoft Azure. We know that Security these days is a very hot topic and monitoring is not really unimportant either. Very valuable information for you, i hope :).

Azure Monitor

Azure Monitor is a service in Azure that enables monitoring. With it, you can monitor various resources and quickly identify potential issues during an outage. Azure Monitor supports almost all resources in Azure and can, for example, retrieve event logs and metrics from the guest operating system of virtual machines.

AMC - Module 9: Databases & AI

Thu, 13 Mar 2025 00:00:00 +0000

In this we will explore various possibilities of Databases and AI in Microsoft Azure.

Types of data and structures

Data in general can be stored in different ways for various purposes.

Relational: Relational data consists of rows and columns following a predefined schema. The schema is represented as a table, which is essentially a type of spreadsheet where the rows contain entities and the columns store properties. For example, in an online webshop, orders would be represented as rows (entities), while columns would contain data such as the order ID, customer address, timestamp, payment method, etc.
- Examples: SQL Server, MySQL, PostgreSQL
Non-relational: Non-relational data is less structured, such as a document or a JSON file. However, it is self-descriptive, meaning the file itself makes it clear how the data is stored.
- Examples: NoSQL, MongoDB, Gremlin, Cosmos DB
Unstructured: Unstructured data consists of various file types where the structure is not clearly defined.
- Examples:.docx, .xlsx, .jpg, .mp4 and other standalone files

Databases in Microsoft Azure

In Microsoft Azure, there are different ways to deploy a database where each type has it’s own charasteristics and requirements:

AMC - Module 8: Application Services and Containers

Thu, 06 Mar 2025 00:00:00 +0000

This module is about application services in Microsoft Azure. It mainly focuses on containers and containerized solutions but also explores other serverless solutions. These are solutions where, as a customer or consumer of Microsoft Azure, you do not need to manage a server.

Statefull vs. Stateless

We can categorize servers/VMs into two categories: Stateful and Stateless:

Stateful: Stateful servers are uniquely configured and have a specific role, for example:

AMC - Module 7: Virtual Machines and Scale Sets

Wed, 05 Mar 2025 00:00:00 +0000

This module explicitly covers virtual machines and virtual machines in combination with VMSS (Virtual Machine Scale Sets). Also we cover most of the VM family names, their breakdown, and advanced VM features.

Virtual Machines (VMs)

Virtual Machines are one of the most commonly used services in Microsoft Azure. This is because a customizable virtual machine allows for nearly unlimited possibilities, and most software requires a real desktop environment for installation.

Solved - FSLogix release 25.02 breaks Recycle Bin - Azure Virtual Desktop

Mon, 03 Mar 2025 00:00:00 +0000

This issue has been solved in the newest release of FSLogix 25.04: https://learn.microsoft.com/en-us/fslogix/overview-release-notes

Please use this newer version instead of version 25.02. This fixes the bug in this article without any change in policies and settings.

The problem/bug described

When testing the new FSLogix 25.02 version, I came across a very annoying problem/bug in this new version.

“The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?”

Save Azure costs on Virtual Machines with Start/Stop

Sun, 02 Mar 2025 00:00:00 +0000

With the Azure Start/Stop solution we can save costs in Microsoft Azure and save some environmental impact. In this guide I will explain how the solution works, how it can help your Azure solutions and how it must be deployed and configured.

Requirements

Around 45 minutes of your time
An Azure subscription
One or more Azure VMs to automatically start and stop
Basic knowledge of Azure
No fear of JSON configurations
Some drink of your choice

Introduction to the Start/Stop solution

The Start/Stop solution is a complete solution and collection of predefined resources built by Microsoft itself. It is purely focussed on starting VMs and stopping VMs based on some rules you can configure. The solution consists of some different resources and dependencies:

AMC - Module 6: Networking in Microsoft Azure

Fri, 28 Feb 2025 00:00:00 +0000

In Module 6, we will explore all the possibilities of Azure regarding networking, VPNs, load balancing methods, proxies, and gateways. This chapter also covers most the topics and solutions included in the AZ-700 exam, the Azure Networking certification.

Check out the AZ-700 Azure Networking Certification at: https://learn.microsoft.com/en-us/credentials/certifications/azure-network-engineer-associate/?practice-assessment-type=certification

Introduction to generic Networking

A network is described as a group of devices who communicate with each other. In Microsoft Azure, we have to create and design networks for our resources to communicatie with each other. We only use TCP/IP networking, which works with IP addresses, DHCP, routing etcetera.

Penetration testing Defender for Identity and Active Directory

Fri, 21 Feb 2025 00:00:00 +0000

In this guide, i will show how to do some popular Active Directory attacking tests and show how Defender for Identity (MDI) will alert you about the attacks.

Not everyting detected by Defender for Identity will be directly classified as potential attack. When implementing the solution, it will learn during the first 30 days what normal behaviour in the network is.

Requirements

At least one Microsoft Defender for Identity running
- For a step by step guide of this, refer this guide!
A domain controller (vm-jv-mdi)
A workstation (ws-jv-mdi)
Around 30 minutes of your time

Starting out

So i want to mention, that most of the attacks to Active Directory can be easily prevented if everybody locks their computer everytime they walk away from it and also use good enough authentication methods. Some other attacks cannot always be prevented but we can do the most of it detecting them and acting in a greatly manner.

Deep dive into IPv6 with Microsoft Azure

Mon, 17 Feb 2025 00:00:00 +0000

In Microsoft Azure, we can build servers and networks that use IPv6 for their connectivity. This is especially great for your webservers, where you want the highest level of availability for your users. This is achieved the best using both IPv4 and IPv6 protocols.

In this guide we do a deep dive into IPv6 in Microsoft Azure and i will show some practical examples of use of IPv6 in Azure.

How to monitor your Active Directory with Defender for Identity

Sat, 15 Feb 2025 00:00:00 +0000

When it comes to security, it is great to secure every perimeter. In the Zero Trust model, it has been stated that we have to verify everything, everytime, everywhere. So why consider not monitoring and defending your traditional Active Directory that is still in use because of some legacy applications?

Requirements

An Microsoft 365 tenant
A traditional Active Directory (AD DS) environment which meets the system requirements and is Server 2016+
A license that has Defender for Identity included, like;
- Enterprise Mobility & Security E5
- E5 or E5 security add-on
- Standalone Defender for Identity license
- F5 Security add-on with F1 or F3 license already in place
- Source: https://learn.microsoft.com/en-us/defender-for-identity/deploy/prerequisites#licensing-requirements
Around 60 minutes of your time
A drink of your choice

What is Microsoft Defender for Identity (MDI)?

Microsoft Defender for Identity (MDI for short) is a comprehensive security and monitoring tool which is part of the Microsoft XDR suite that defends your Windows Server-based Active Directory (AD DS). This does it by installing agents on every domain controller and so monitoring every authentication request.

The Basics and Benefits of IPv6

Fri, 14 Feb 2025 00:00:00 +0000

IPv6. We hear it a lot these days and it’s a very common network addressing protocol and the successor of the older IPv4, but will not necessarily take over IPv4 100% (yet). On this page I will describe the basics, some tips and the benefits.

Requirements

Around 15 minutes of your time
Basic networking knowledge is great

IP addressing with IPv4 and IPv6

When we speak of a network, we speak of a set connected devices (we call them clients/nodes) where each device has its own use. Also there are some fundamental components every network has:

Using Azure Update Manager to manage updates at scale

Sat, 08 Feb 2025 00:00:00 +0000

Azure Update Manager is a tool from Microsoft and is developed to automate, installing and documenting Windows updates or updates to Linux server on Azure. This all in a single pane of glass and without installing any additional software.

Requirements

Around 15 minutes of your time
An Azure subsciption
An Azure server or Azure Arc server

Supported systems

Azure Update Manager supports the following systems for assessments and installing updates, therefore managing them:

Active Directory FSMO roles

Tue, 04 Feb 2025 00:00:00 +0000

Active Directory Domain Controllers are assigned 5 different FSMO roles, which all have their own function. We can separate them over multiple servers to create more redundancy, but make sure to handle those all as servers. All roles neeed a 24/7 uptime for your environment to work properly.

In this guide, I will give a brief explaination of the roles, what their function is and how to move them to different servers to enhance availability and redundancy.

Get Device serial number on Windows 11 24H2 and up

Wed, 22 Jan 2025 00:00:00 +0000

With Windows 24H2 and the deprecation of WMIC, a easy command to find your devices’ serial number is gone. However, we can still look this up with Powershell.

Use the following command:

POWERSHELL

Get-WmiObject win32_bios | select SerialNumber

End of the page 🎉

10 ways to use tags in Microsoft Azure

Fri, 10 Jan 2025 00:00:00 +0000

When being introduced to Azure, I learned about tags very quickly. However, this is something you can use in practice but is no requirement to make stuff actually work. Now some years ahead in my Azure journey, I can recommend (at least) 10 ways to use them properly and to make them actually useful in your environment.

I will explain these ways in this article.

What are Tags in Azure?

Tags are a pair of editable values in Microsoft Azure. These are in this pair-convention:

Stop OneNote printer from being default printer in AVD

Fri, 10 Jan 2025 00:00:00 +0000

If you have the Office Apps installed with OneNote included, sometimes the OneNote printer will be installed as default:

This can be very annoying for our end users and ourselves as we want real printers to be the default printer. Today I will show you how to delete this printer for current and new session hosts permanently.

The issue itself

The issue is that OneNote automatically creates a printer queue in Windows at installation for users to send information to OneNote. This will be something they use sometimes, but a physical printer will be used much more often. The most annoying part is that the software printer for OneNote will be marked as default printer every day which is annoying for the end users.

How to upload PowerShell script to Gallery with Github Actions

Thu, 02 Jan 2025 00:00:00 +0000

When using the PowerShell Gallery to upload and publish your scripts and PowerShell modules to the world it’s recommended to use Github Actions for CI/CD to automatically update your live packages on the PowerShell Gallery. At first, this looked somewhat complex to me but it’s relatively easy.

On this page I will show how I’ve uploaded scripts from Github to the PowerShell Gallery with using a Github Action.

Requirements

Around 30 minutes of your time
Github account
Powershell Gallery account
A PowerShell script for testing to actually upload to the PowerShell Gallery

Introduction to PowerShell Gallery

In short, the PowerShell Gallery is a public repository which contains PowerShell scripts and modules which all PowerShell users can download and install. All of this using some simple commands:

Azure VPN Gateway Maintenance - How to configure

Wed, 01 Jan 2025 00:00:00 +0000

Most companies who use Microsoft Azure in a hybrid setup have a Site-to-Site VPN gateway between the network in Azure and on-premises. This connection becomes mission critical for this company as a disruption mostly means a disruption in work or processes.

But sometimes, Microsoft has to perform updates to these gateways to keep them up-to-date and secure. We can now define when this will be exactly, so we can configure the gateways to update only outside of business hours. In this guide I will explain how to configure this.

Create AD users with on demand script

Fri, 27 Dec 2024 00:00:00 +0000

Today I have a PowerShell script that creates users by asking the user what to fill in. This works by having a fully prepared “New-ADUser” command with all the properties filled in to have all users using the same attributes.

I will explain how this script works on this page.

The create AD users on demand script

For the fast pass, the script can be downloaded from my GitHub page:

AMC - Module 5: Storage in Azure

Sat, 21 Dec 2024 00:00:00 +0000

This module focuses purely on the various storage services that Azure offers and provides. Additionally, we will explore the different options available to increase redundancy and apply greater resilience.

The importance and types of storage

Storage fundamentally exists in three different types:

Structured: Structured data is information stored according to a specific structure or model, allowing queries to be written to retrieve data.
- Examples: Databases, Database tables
Semi-structured: Semi-structured data is not stored according to a strict schema, but each file contains a clear structure, making the data understandable.
- Examples: XML files, JSON files
Unstructured: Unstructured data consists of individual files, each containing its own data.
- Examples: Text files, Video files, Images, Emails

In this chapter, we will primarily focus on Unstructured data.

Managing Hyper-V server without Active Directory

Tue, 17 Dec 2024 00:00:00 +0000

When you use Hyper-V server, you want to manage this with the management tools. However, by default Hyper-V only allows connections from domain-joined machines by design because of security and trust reasons.

We can bypass this requirement by building these trust ourselves and so managing the server from a machine that isnt even in a domain but Entra ID Joined or in a workgroup.

Installing Hyper-V management tools

When you use Windows 11 Pro/Education/Enterprise, you have the option to install Hyper-V on your machine. This can be done through the features on demand window:

Set a domain alias for every user in Microsoft 365

Fri, 13 Dec 2024 00:00:00 +0000

Sometimes, we add a new domain to Microsoft 365 and we want to have a domain alias for multiple or every user.

Logging in Exchange Online Powershell

To configure a alias for every user, we need to login into Exchange Online Powershell:

POWERSHELL

Connect-ExchangeOnline

If you don’t have the module already installed on your computer, run the following command on an elevated window:

Microsoft Defender External Attack Surface Management (EASM)

Sun, 01 Dec 2024 00:00:00 +0000

Microsoft Defender External Attack Surface Management (EASM) is a security solution for an organization’s external attack surfaces. It operates by monitoring security and operational integrity across the following assets:

Websites
IP addresses
Domains
SSL certificates
Other digital assets

In addition to these components, EASM can also forward all relevant information and logs to SIEM solutions such as Microsoft Sentinel.

It is also possible to manually input company-specific data, such as all domain names and IP addresses associated with its services.

Azure Key Vault

Tue, 26 Nov 2024 00:00:00 +0000

Azure Key Vault is a type of vault used to store sensitive technical information, such as:

Certificates
Secrets
Keys

What sets Azure Key Vault apart from a traditional password manager is that it allows software to integrate with the vault. Instead of hardcoding a secret, the software can retrieve it from the vault. Additionally, it is possible to rotate a secret every month, enabling the application to use a different secret each month.

The MITRE ATTACK Framework

Mon, 25 Nov 2024 00:00:00 +0000

The MITRE ATTACK (ATT&CK) Framework is a framework which describes all stages and methods cyberattacks attacks are launched on companies in the last 15 years. The main purpose of the framework is to help Red and Blue security teams to harden their systems and to provide a library of known attacks to help mitigate them.

MITRE is the organization who is in charge of this community-driven framework and is a non-profit organization. ATT&CK stands for:

The Zero Trust-model

Mon, 25 Nov 2024 00:00:00 +0000

The Zero Trust model is a security model to enhance your security posture by using 3 basic principles, and segmenting aspects of your IT environment into pillars.

The 3 primary principles are:

Verify Explicitly
Least privileged access
Assume Breach

At first, those terms seem very unclear to me. To further clarify the principles, i have added some practice examples to further understand what they mean:


Principle	Outcomes
Verify Explicity	Ensure people are really who they say they are Audit every login attempt from specific users Audit login attempts Block access from non-approved countries
Least privileged access	Assign users only the permissions they need, not more Assign only the roles when they need them using PIM Use custom roles when default roles expose too much permissions
Assume breach	At every level, think about possible breaches Segment your network Password-based authentication only is too weak

The model is the best illustrated like this:

AMC - Module 4: Resiliency and Redundancy in Azure

Thu, 21 Nov 2024 00:00:00 +0000

This module is all about resiliency and redundancy in Microsoft Azure. Resiliency literally means flexibility. It refers to how resistant a solution is to certain issues and failures. We want to build our solutions redundant, because we don’t want outage in a system so a customer can’t do their work.

Areas to implement resilliency

The different layers where you can and should apply resiliency and how you can improve the area are:

How to Export Active Directory (AD) users fast and easy

Thu, 14 Nov 2024 00:00:00 +0000

Sometimes we need to export all of our AD users. The one time for applying changes, sometimes for monitoring the inventory but often for licensing purposes.

At this page I will show you how to export all your AD users fast and easy.

The Export AD users script:

For the fast pass, I uploaded the script to my Github page:

Download script from GitHub

How to export the AD users by hand

To export the users without using a script, navigate to your Active Directory management server and open up Powershell. We will do all the action the script above does, but then by hand and type in every command separately.

AMC - Module 3: Governance in Microsoft Azure

Thu, 07 Nov 2024 00:00:00 +0000

Introduction to Govenance in Azure

Governance in Azure refers to the enforcement of rules and the establishment of standards in solutions, naming conventions, technology, etc. This is achieved through the management and importance of Management Groups, Subscriptions, Resource Groups, Policies, RBAC, and Budgets.

In the cloud, Governance is crucial because processes and behaviors differ significantly from on-premises hardware. Additionally, certain services can be made publicly accessible, which requires an extra layer of security.

Configure DNSSEC and SMTP DANE Microsoft 365

Thu, 31 Oct 2024 00:00:00 +0000

Recently, Microsoft announced the general availability of 2 new security protocol when using Microsoft 365 and the service Exchange Online in particular. SMTP DANE and DNSSEC. What are these protocols, what is the added value and how can they help you secure your organization? Lets find out.

Domain Name System Security Extensions (DNSSEC)

DNSSEC is a feature where a client can validate the DNS records received by a DNS server to ensure a record is originated from the DNS server and not manipulated by a Man in the Middle attack.

AMC - Module 2: Identity in Azure

Thu, 24 Oct 2024 00:00:00 +0000

This Azure Master Class (AMC) chapter is all about Identity in Microsoft Azure. This means we discuss the following:

Users
Groups
Devices
Enterprise Applications
Service Principals
Authentication

What is identity?

For every service that a user accesses, it is necessary to have an identity. Access needs to be determined, and the service must know who the user is in order to open the correct environment.

Best practice is to always assign the least possible privileges. A person who performs 3 tasks does not need permissions for 200 tasks, but for the 3 tasks only. “Least privilege” is one of the 3 key principals of the Zero Trust model.

AMC - Module 1: Fundamentals of Cloud and Microsoft Azure

Thu, 17 Oct 2024 00:00:00 +0000

This chapter is about the term “Cloud” and the fundamentals of Microsoft Azure and Cloud Services in general.

What is “the Cloud”?

The Cloud is a widely used term to say, “That runs elsewhere on the internet.” There are many different definitions, but the National Institute of Standards and Technology (NIST) in the United States has identified five characteristics that a service/solution must meet to call itself a cloud service:

Microsoft Azure Master Class - Navigation page

Thu, 17 Oct 2024 00:00:00 +0000

Introduction to this Azure Master Class

Hey there! I have a new collection of blog posts here. A while ago (2023) I followed the Azure Master Class course of John Savill, and done some extra research into some of the components of Azure. I wrote those things down to learn from it and have some documentation. Firstly, this was for personal use but after founding this website and blog I decided to rework it and publish all the information because I think it can be very helpful.

Set correct language and timezone on Azure VM

Thu, 10 Oct 2024 00:00:00 +0000

By default, all Azure VMs are set to English language and UTC/Zulu timezone. This will work for a great portion of the Azure VM users but there are users in other parts of the world too. Like in the Netherlands, where I live we are 1 or 2 hours ahead of that timezone depending on the season.

Also, in the case of Azure Virtual Desktop, we want to present our users their native language as system language. For this case, I have made a script to correct those settings.

Automatic AVD/W365 Feed discovery for mobile apps

Wed, 09 Oct 2024 00:00:00 +0000

When using Azure Virtual Desktop (AVD) or Windows (W365), we sometimes use the mobile apps for Android, MacOS or iOS. But those apps rely on filling in a Feed Discovery URL instead of simply a Email address and a password.

Did you know we can automate this process? I will explain how to do this!

Fast path for URL: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

The problem explained

When downloading the apps for your mobile devices, we get this window after installing:

Azure Stack HCI - Host your Virtual Desktops locally

Thu, 03 Oct 2024 00:00:00 +0000

Introduction to Azure Stack HCI

Azure Stack HCI is a solution for Microsoft Azure to host Azure resources on your own hardware and location. This sounds traditional but can help to boost your Azure resources for your customer and/or use case.

For example, with Azure Stack HCI it is possible to host some Azure Virtual Desktop hosts in your own network to boost performance by decreasing latency. Also it is possible to use GPU enabled software on this.

How to solve DeletingCloudOnlyObjectNotAllowed error Entra Connect Sync

Mon, 30 Sep 2024 00:00:00 +0000

Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This error looks like this:

This error will be shown if opening the Syncronization Service and email messages of this error will aso be sent to your tenant’s technical contact.

In this guide, I will explain the cause of this problem and the options to solve the issue.

Cause of this problem

The cause of this problem is mostly an object that is first created cloud-only and then created in Active Directory, or a user that was synced previously but is deselected or deleted. Entra Connect Sync will not match the users correctly, and a the ImmutableId of the user in Entra still exists. In short; it still wants to sync a user that not exists.

Solved - Microsoft 365 tenant dehydrated

Fri, 20 Sep 2024 00:00:00 +0000

Microsoft will sometimes “pause” tenants to reduce infrastructure costs. You will then get an error which contains “tenant dehydrated”. What this means and how to solve it, I will explain in this post.

What is “Tenant dehydrated”?

Microsoft sometimes will dehydrate Microsoft 365 tenants where things will not often change to the tenant. This closes some parts of the tenant for changing, even if you have Global Administrator permissions.

How to learn Azure - My learning resources

Tue, 10 Sep 2024 00:00:00 +0000

When starting to learn Microsoft Azure, the resources and information can be overwhelming. At this page I have summarized some resources which found out during my Azure journey and my advice on when to use what resource.

To give a quick overview of all the training resources I used throughout the years and give you different types and sorted the resources from beginning to end:

Text based
Video’s
Labs and Applied Skills

1. Starting out (Video and text-based)

When starting out, my advice is to first watch the following video of John Savill explaining Microsoft Azure and giving a real introduction.

Solved: August 2024 updates breaks GPO Item level targeting - user in group

Mon, 09 Sep 2024 00:00:00 +0000

If you are managing Windows Servers, Group Policies are a great way to distribute settings to your endpoints. However, a recent update of August 2024 in Windows Server 2022 and 2019 breaks user filtering in Group Policy (GPO) Item Level Targeting

The problem itself

When applying printers, registery settings or drive maps to users, we use Group Policy Item level targeting to filter users so only users with a group membership gets the policy applied.

Solved - Windows Store applications on FSLogix/Azure Virtual Desktop

Thu, 15 Aug 2024 00:00:00 +0000

By default, Microsoft Store applications are not supported when using FSLogix. The root cause is that Windows stores some metadata that is not roamed in the profile folder and cleared at every new logon. You will encounter this behaviour in every environment where you use FSLogix.

Now a long time I told our end users that there unfortunately is no solution possible to download apps and make them persistent across Azure Virtual Desktop sessions but someday I found a workaround to this problem. I will explain this at this page.

Migrate Group Policies to a new server or domain like a pro

Wed, 07 Aug 2024 00:00:00 +0000

Once in a while, we as IT administrators need to export and import our Group Policies of Windows Server to another server. Sometimes to copy a great policy you’ve built, or to migrate a customer to a new server.

By default, the only option Microsoft has built in into Group Policy Management (gpmc.msc) is the backup option. This creates some administrative tasks.

The Export and Import scripts

I have created two scripts with Powershell that fully exports and imports all Group Policy Objects (GPOs). This with 2 seperate scripts. These can be found and downloaded from my Github page:

Optimize Windows 11 for Azure Virtual Desktop (AVD)

Sun, 04 Aug 2024 00:00:00 +0000

When using Windows 11 on Azure Virtual Desktop (AVD) - without the right optimization - the experience can be a little laggy, stuttery and slow. Especially when you came from Windows 10 with the same settings. You definitely want to optimize some settings.

After that we will look into the official Virtual Desktop Optimization Toolkit (VDOT).

Introduction to the Group Policy template

Assuming you run your Azure Virtual Desktop environment by using the good old Active Directory (AD DS), you can manage the hosts with Group Policy.

Introduction to Azure roles and permissions (RBAC/IAM)

Tue, 30 Jul 2024 00:00:00 +0000

When managing a Microsoft Azure environment, permissions and roles with RBAC is one of the basic ways to improve your security. At one hand, you want to have the permissions to do basic tasks but at the other hand you want to restrict an user to be able to do only what he needs to. This is called, the principle of “least-privilege”.

In this guide, I want to you to understand the most of the basic knowledge of managing access controls in Azure without very complex stuff.

Get Windows Product Key with PowerShell

Sun, 28 Jul 2024 00:00:00 +0000

Sometimes we need to have the original installed Windows Product Key just for documentation purposes. We simple can do this with one command in PowerShell:

POWERSHELL

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform").BackupProductKeyDefault

Please note that I am not encouraging software abuse or pirating, just sharing a tip to make our IT life a bit easier. It happens that a server or computer gets installed and we forget to document the product key or just to match it with our known information.

Network security in Azure with NSG and ASG

Fri, 26 Jul 2024 00:00:00 +0000

When designing, managing and securing a network in Microsoft Azure we have lots of options to do this. We can leverage third-party appliances like Fortinet, Palo Alto, PFSense or Sophos XG Firewall but we can also use the somewhat limited built-in options; Network Security Groups (NSG for short) and Application Security Groups (ASG).

In this guide I will explain how Network Security Groups (NSG) and Application Security Groups (ASG) can be used to secure your environment.

Create a Catch all mailbox in Exchange Online

Thu, 11 Jul 2024 00:00:00 +0000

Sometimes a company wants to receive all email, even when addresses don’t really exist in Exchange. Now we call this a Catch all mailbox, where all inbound email is being catched that is not pointed to a known recipient. Think of a sort of *@domain.com.

In this guide I will explain how to configure this in Exchange Online and how to maintain this by limiting our administrative effort. I also created a full customizable PowerShell script for this task which you can find here:

Rename name-tags to resource groups and resources

Tue, 18 Jun 2024 00:00:00 +0000

When it comes to naming your Azure Resource Groups and resources, most of them are not renameable. This due to limitations on the platform and maybe some underlying technical limitations. However, it is possible to assign a renameable tag to a resource in Azure which can be changed or used to clarify its role. This looks like this:

How to add those renameable tags in the Azure Portal?

You can add this name tag by using a tag in Microsoft Azure. In the portal, go to your resource and go to tags. Here you can add a new tag:

Microsoft 365 create a shared mailbox with same alias

Thu, 06 Jun 2024 00:00:00 +0000

When using Microsoft 365 and using multiple custom domains, sometimes you are unable to create a shared mailbox that uses the same alias as an existing mailbox.

In this guide I will explain this problem and show how to still get the job done.

The problem of multiple shared mailboxes with same alias

Let’s say, we have a Microsoft 365 tenant with 3 domains;

domain1.com
domain2.com
domain3.com

When you already have a mailbox called “info@domain1.com” you are unable to create a “info@domain2.com” in the portal. The cause of this problem is that every mailbox has a underlying “alias” and that this alias is the same when created in the portal. I have tried this in the Microsoft 365 admin center, Exchange Online admin center and Powershell. I get the following error:

Migrate data to SharePoint/OneDrive with SPMT

Mon, 20 May 2024 00:00:00 +0000

When still managing on-premises environments, but shifting your focus to the cloud you sometimes need to do a migration. This page helps you to migrate to SharePoint or Onedrive according to your needs.

At the moment, SharePoint is a better option to store your files because it has the following benefits over a traditional SMB share:

Single permissions system (No SMB/NTFS permissions)
High available by default
No server infrastructure needed
Users can work at the same file simultaneously
Integration with Microsoft Teams

The Microsoft SharePoint Migration Tool

Microsoft has a tool available which is free and which can migrate your local data to SharePoint. The targets you can specify are:

Introduction to the Microsoft Cloud Security Benchmark (MCSB)

Tue, 16 Apr 2024 00:00:00 +0000

In the modern era like where we are today, security is a very important aspect of every system you manage. Bad security of 1 system can mess with all your systems.

So have a good overview of how secure your complete IT environment is, Microsoft released the Microsoft Cloud Security Benchmark, which is an collection of high-impact security recommendations you can use to secure your cloud services, even when utilizing a hybrid environment. When using Microsoft Defender for Cloud, this MCSB is included in the recommendations.

Using PowerShell remote sessions

Wed, 10 Apr 2024 00:00:00 +0000

PowerShell Remote Sessions can be a great way to administer your virtual machines, cluster-nodes or physical Windows-based devices. With a Powershell remote session you can execute powershell commands on a remote device.

It works the best with servers in a specific management subnet. I do not recommend to administer client devices with Powershell because this can be a huge security risk.

Requirements

Management computer/Priveleged Access Workstation
15-20 minutes of your time
Management server and endpoints are Active Directory joined

Starting out

Before we can use Powershell to administer remote computers, we need to enable two things:

Introduction to the Azure Well-Architected Framework

Tue, 02 Apr 2024 00:00:00 +0000

The Azure Well-Architected Framework is a framework to improve the quality of your Microsoft Azure Deployment. This does it by spanning 5 pillars so an architect can determine with IT decision makers how they can get the most Azure with the planned budget.

The 5 pillars of the Well-Architected Framework are:


Pillar	Target
Reliability	The ability to recover a system and/or contine to work
Security	Secure the environment in all spots
Cost Optimization	Maximize the value when minimizing the costs
Operational Excellence	The processes that keep a system running
Performance Efficiency	The ability to adapt to changes

How to enable Remote Group Policy update

Wed, 10 Jan 2024 00:00:00 +0000

Group Policy update to multiple computers

Sometimes you want to force a group policy update on multiple computers. Often when i am configuring Azure Virtual Desktop Session Hosts i need this option instead of logging into all hosts and executing the command manually.

There is a option in Group Policy management to force a group policy update to all computers in a OU:

Actually, this only works after you configured this on the remote computers. The good part is, there is a way to do this with Group Policy!

Cloud Adoption Framework Introduction (CAF)

Thu, 04 Jan 2024 00:00:00 +0000

More and more organizations are moving to the cloud. In order to do this succesful, we can use the Cloud Adoption Framework which is described by Microsoft.

The framework is a succesful order of processes and guidelines which companys can use to increase the success of adopting the cloud. The framework is described in the diagram below:

The CAF has the following steps:

Strategy: Define the project, define what you want to achieve and define the business outcomes.
Plan: Plan your migration, determine the plans and make sure the environment readiness is at a good level.
Ready (and migrate): Prepare your new cloud environment for planned changes and migrate your workloads to the cloud.
Optimize: After migrating to the cloud, optimize your environment by using the beste solutions possible and innovate at this level.
Secure: Improve the security of your workloads and plan your perodical security checks.
Manage: Manage operations for cloud and hybrid solutions.
Govern: Govern your environment and its workloads.

Intention of use

Increase the chance of your cloud success
Gives you a best practice of how to perform the migration by proven methodology
Ensures you don’t miss a crucial step

Intended users/audience

IT Decision makers
Company Management Teams
Companies who want to profit from cloud solutions
Companies that are planning to migrate to the cloud
Technicians and project managers for planning the migration

For more information, check out this page: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/

Dynamic group for access to Windows 365

Fri, 01 Dec 2023 00:00:00 +0000

When using Windows 365 in your organization, the deployment is very easy to do. When it comes to adding more users to the service, it can be much manual clicks to reach your goal. My advice is to leverage the Dynamic Group feature of Microsoft Entra.

Requirements

Azure AD/Entra ID/Microsoft Graph Powershell module
- https://learn.microsoft.com/nl-nl/powershell/module/azuread/?view=azureadps-2.0
10 minutes of your time

What are Dynamic Groups?

The Dynamic Groups feature of Microsoft Entra is a great tool for auto-managing members of a group based on a single rule or collection of rules. Some examples of using dynamic groups:

Dynamic Distribution Groups in Microsoft 365

Sat, 21 Oct 2023 00:00:00 +0000

Sometimes you want to have a distribution group with all your known mailboxes in it. For example an employees@justinverstijnen.nl or all@justinverstijnen.nl address to send a mail company wide. A normal distribution group is possible, but requires a lot of manual maintenance, like adding and removing users.

To apply a little more automation you can use the Dynamic Distribution Group feature of Exchange Online. This is a feature like the Dynamic groups feature of Microsoft Entra which automatically adds new user mailboxes after they are created to make sure every new employee is added automatically.

Change Evaluation version to Standard/Datacenter version

Wed, 03 May 2023 00:00:00 +0000

When you install a fresh Windows Server installation from a .iso file, it will be installing the OS as a Evaluation version. When you want to activate the installation with a key you need to rebuild the OS and set the edition to Standard.

Microsoft considers Standard and Standard Evaluation as different editions of Windows, because of this we have to change the edition before you can activate the installation. When you want to use the edition Datacenter, you can change the command to Datacenter which also works.

Bulk create Active Directory users with Powershell

Mon, 20 Mar 2023 00:00:00 +0000

When it comes to creating users for Active Directory, especially in new implementations, you want to minimize the time needed to create the accounts. This is possible by creating the AD users with Powershell.

Requirements

Minimal knowledge of Powershell
An Active Directory environment

Full script for creating AD users

Here is the full script including CSV that creates the ad users:

Show PowerShell script on Github

Search Results

Mon, 01 Jan 0001 00:00:00 +0000

Website information

Mon, 01 Jan 0001 00:00:00 +0000

Site built with Docsy v0.14.3

Build information

Netlify build information:

Attribute	Value
Netlify built	`false`
Deploy context	local