Azure Stack Operate
Hands-on lab step-by-step
July 2020
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2020 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
In this hands-on lab, you will perform common Azure Stack Hub operational tasks by using the Azure Stack Hub Development Kit. You will start by creating and publishing a custom Azure Marketplace item. Next, you will implement multi-tenant topology by provisioning another Azure Active Directory tenant and adding it to the existing Azure Stack Hub environment. Once that is completed, you will set up delegation by using the delegated provider model and Azure Stack Hub Role-Based Access Control (RBAC). You will conclude this lab by carrying out common Azure Stack Hub operational tasks, including log collection (via Privileged Endpoint) and infrastructure backup (by using the Azure Stack Hub administrator portal).
Contoso Finance is one of the largest banks in the United States with a significant amount of their revenue coming from their residential mortgage business. As part of Contoso’s shift to a cloud first strategy they are planning to migrate their loan web applications to a hybrid cloud solution.
As the result of a recent acquisition of a financial analytics company named Fabrikam, based in Houston, Texas, Contoso IT management team plans to integrate a number of Fabrikam’s internally developed applications to process and analyze the customer data being used by the Contoso’s customer facing mortgage application. Fabrikam has skilled development and infrastructure teams, with extensive Azure experience and its own Azure Active Directory tenant. Contoso is very interested in leveraging that experience and plans to offer the Fabrikam IT team sufficient level of autonomy when working on the integration tasks. That autonomy should include the ability of the Fabrikam IT team to offer to their users cloud resources required for application development, implementation, and maintenance. At the same time, Contoso wants to ensure proper governance and facilitate implementation of corporate standards via centralized control of the service catalog content and through automation.
During the planning stages, Contoso realized they would not be able to retain their customer data in US based Azure regions due to corporate compliance policies and regulatory issues. They have selected Azure Stack Hub as the deployment method to take advantage of Azure technologies while still maintaining compliance.
To help design a solution using Azure technologies, Contoso has engaged a Microsoft Cloud Partner and Service Provider FusionTomo (FT). FT is a full-service hosting provider in North America certified to deliver Azure services with connectivity solutions and partnerships to provide ExpressRoute and other telecom services. They have datacenters located in Denver, London, Las Vegas, Dallas and Hong Kong SAR.
Contoso has expressed to FT the need to embrace Microsoft Azure technologies as well as technologies that will help their organization with a more agile continuous integration and continuous deployment model for application deployment. Contoso also underscored the need for cooperation with Fabrikam’s integration teams, including the intent to delegate some of the infrastructure management tasks.
With these goals in mind, Contoso has challenged FT to help implement the hosted environment which must also accommodate requirements regarding integration work to be carried out by Fabrikam. In addition, as internal workloads are transitioned to the hosting environment, Contoso internal audit team must retain its ability to track all of the infrastructure changes. For compliance purposes, the delegation model that will provide Contoso and Fabrikam staff with insight into the hosted environment must comply with the principle of least privilege. To satisfy Contoso governance requirements, FT must document standard operating procedures that will be carried out within the hosted infrastructure.
Duration: 90 minutes
In this exercise, you will create and publish custom Azure Stack Hub Marketplace items by using the Marketplace Toolkit.
Note: Azure Marketplace Toolkit is part of the Azure Stack Hub Tools.
From the AzS-Host1 Azure VM, start a browser and navigate to http://aka.ms/azurestackmarketplaceitem.
When prompted, download the archive file Azure Stack Marketplace Item Generator and Sample.zip to the C:\Downloads folder (create the folder if needed).
Once the download completes, start File Explorer, select the View tab at the top, and select File name extensions.
In File Explorer, navigate to the C:\Downloads\Azure Stack Marketplace Item Generator and Sample folder, create a new folder named ContosoWebAppTemplate and copy the content of the SampleVMTemplate folder into it.
In File Explorer, navigate to the C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\Icons folder.
Right-click the Wide.png image and select Open with -> Paint.
In the Microsoft Paint window, select Resize.
In the Resize and Skew window, clear the Maintain aspect ratio checkbox, select the Pixels option, set the following image properties and select OK:
Horizontal: 533
Vertical: 324
Save the resulting image as C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\Icons\Screenshot.png. When prompted whether to continue, select OK and close Microsoft Paint.
Note: You are using sample images for the sake of simplicity. When creating and publishing custom Azure Stack Hub Marketplace solutions, you would create your own icons and screenshots that represent the characteristics of these solutions. Keep in mind that you must ensure that their sizes match those specified in the documentation available at https://github.com/Azure/portaldocs/blob/master/gallery-sdk/generated/index-gallery.md.
Delete the file C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\DeploymentTemplates\azuredeploy-101-simple-windows-vm.json.
Start Windows PowerShell ISE as administrator.
From the Administrator: Windows PowerShell ISE window, download into the C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\DeploymentTempates folder a sample template that provisions an Azure Stack Hub web app using the following cmdlet.
Invoke-WebRequest `
-Uri https://raw.githubusercontent.com/microsoft/MCW-Azure-Stack/master/Hands-on%20lab/resources.operations/ContosoWebAppTempate.json `
-OutFile 'C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\DeploymentTemplates\ContosoWebAppTemplate.json'In File Explorer, navigate to the C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\strings folder.
Open the file resources.resjson in Notepad, modify its content so it matches the following, save, and close the file:
{
"displayName": "Contoso WebApp",
"publisherDisplayName": "Contoso",
"summary": "Deploy a webapp",
"longSummary": "Deploy a Contoso webapp according to corporate standards",
"description": "<p>Contoso Azure Stack Marketplace item configured according to corporate standards.</p>",
"documentationLink": "Documentation"
}In File Explorer, navigate to the C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate folder.
Open the file manifest.json in Notepad, modify its content so it matches the following, save, and close the file:
{ "$schema": "https://gallery.azure.com/schemas/2014-09-01/manifest.json#",
"name": "ContosoWebApp",
"publisher": "Contoso",
"version": "1.0.0",
"displayName": "ms-resource:displayName",
"publisherDisplayName": "ms-resource:publisherDisplayName",
"publisherLegalName": "ms-resource:publisherDisplayName",
"summary": "ms-resource:summary",
"longSummary": "ms-resource:longSummary",
"description": "ms-resource:description",
"longDescription": "ms-resource:description",
"links": [
{ "displayName": "ms-resource:documentationLink", "uri": "http://go.microsoft.com/fwlink/?LinkId=532898" }
],
"artifacts": [
{
"name": "ContosoWebAppTemplate",
"type": "Template",
"path": "DeploymentTemplates\\ContosoWebAppTemplate.json",
"isDefault": true
}
],
"icons": {
"Small": "Icons\\Small.png",
"Medium": "Icons\\Medium.png",
"Large": "Icons\\Large.png",
"Wide": "Icons\\Wide.png"
},
"categories":[
"Custom",
"ContosoWebAppTemplate"
],
"uiDefinition": {
"path": "UIDefinition.json"
}
}Open the file UIDefinition.json in Notepad, review its content, and close the file without making any modifications:
{
"$schema": "https://gallery.azure.com/schemas/2015-02-12/UIDefinition.json#",
"createDefinition": {
"createBlade": {
"name": "DeployFromTemplateBlade",
"extension": "HubsExtension"
}
}
}Note: For more information regarding the format and content of the files used for publishing custom Azure Stack Marketplace items, refer to https://github.com/Azure/portaldocs/blob/master/gallery-sdk/generated/index-gallery.md.
From the Administrator: Windows PowerShell ISE window, generate a Marketplace item package file (Contoso.ContosoWebAppTemplate.1.0.0.azpkg) by running the following:
& 'C:\Downloads\Azure Stack Marketplace Item Generator and Sample\AzureGalleryPackageGenerator\AzureGalleryPackager.exe' package -m "C:\Downloads\Azure Stack Marketplace Item Generator and Sample\ContosoWebAppTemplate\manifest.json" -o "C:\Downloads"Navigate to the Azure Stack Hub administrator portal at https://adminportal.local.azurestack.external/ using the desktop icon.
When prompted, sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Data + Storage and then select Storage account - blob, file, table, queue.
On the Create storage account blade, specify the following settings then Select Review + create then Create. Wait until the storage account is provisioned.
Subscription: Consumption Subscription
Resource group: (Create new) marketplace-pkgs-RG.
Storage account name: A unique name consisting of between 3 and 24 lower case letters or digits.
Location: local
Performance: Standard
Account kind: Storage (general purpose v1)
Replication: Locally-redundant storage (LRS)
On the portal’s left navigation, select Resource groups.
On the Resource Groups blade in the list of resource groups, select marketplace-pkgs-RG.
On the marketplace-pkgs-RG blade, select the entry representing the newly created storage account.
On the storage account blade, select Blobs.
On the Blob service blade, select + Container.
In the dialog that appears, enter packages for the name and Blob (anonymous read access for blobs only) for the Access type.
In the list of containers, select packages.
On the packages blade, select Upload.
On the Upload blob blade that appears on the right, select the folder icon next to the Select a file text box.
In the File Explorer window that opens, navigate to the location containing the package that you noted in the previous task, select the Contoso.ContosoWebApp.1.0.0.azpkg file and select Open.
Back on the Upload blob blade, select Upload.
Note: Subsequent steps require Azure Stack PowerShell and tools installed. This was performed as part of Azure Stack Hub Before the Hands-on Lab setup guide).
From the Administrator: Windows PowerShell ISE window, sign in to the Azure Stack Hub as operator by running the following (make sure to replace the placeholder
Note: Azure Stack Hub still uses the AzureRM cmdlets and does not yet support the newer AzureAZ cmdlets.
Set-Location -Path '\AzureStack-Tools-master'
Add-AzureRMEnvironment -Name "AzureStackAdmin" -ArmEndpoint "https://adminmanagement.local.azurestack.external" `
-AzureKeyVaultDnsSuffix adminvault.local.azurestack.external `
-AzureKeyVaultServiceEndpointResourceId https://adminvault.local.azurestack.external
$AuthEndpoint = (Get-AzureRmEnvironment -Name "AzureStackAdmin").ActiveDirectoryAuthority.TrimEnd('/')
$AADTenantName = "<tenant_name>.onmicrosoft.com"
$TenantId = (Invoke-RestMethod "$($AuthEndpoint)/$($AADTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
Add-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId $TenantIdWhen prompted, sign in with your Azure Active Directory account that you provided when provisioning the Azure Stack Hub environment.
From the Administrator: Windows PowerShell ISE window, publish the package to Azure Stack Hub Marketplace by running the following (make sure to replace the placeholder
Add-AzsGalleryItem -GalleryItemUri `
https://<storageaccountname>.blob.local.azurestack.external/packages/Contoso.ContosoWebApp.1.0.0.azpkg -VerboseEnsure that the command completes successfully.
Switch back to the Azure Stack Hub administrator portal and select + Create a resource on the left navigation.
Note: Alternatively, you can use the Azure Stack Hub User portal at https://portal.local.azurestack.external/. The newly added Marketplace item should be available in both.
On the New blade, select the Custom category.
On the Custom blade, select See all and ensure that Contoso WebApp appears in the list of resource types to provision.
Note: It might take a few minutes for a newly added Marketplace item to appear.
On the Custom blade, select Contoso WebApp.
On the Contoso webapp blade, review the interface of the Contoso webapp blade to verify that it reflects the configuration you specified when creating the package.
On the Contoso webapp blade, select Create.
Step through the process of configuring the deployment but do not select Create.
Close all open windows.
Note: In general, in order to ensure that the new Azure Stack Hub Marketplace item is functional, you also need to satisfy all of the prerequisites for its deployment, such as OS images referenced by a VM template, are in place.
Duration: 30 minutes
In this exercise, you will implement Azure Stack Hub multi-tenancy.
From the AzS-Host1 Azure VM, start a web browser, navigate to the Azure portal at https://portal.azure.com, and sign in by using an account with the Global Admin privileges to the Azure AD tenant associated with the Azure Stack Hub environment.
In the Azure portal, select + Create a resource.
On the New blade, in the Search the Marketplace text box, type Azure Active Directory and, in the list of results, select Azure Active Directory.
On the Azure Active Directory blade, select Create.
On the Create directory blade, specify the following settings and select Create:
Organization name: Fabrikam
Initial domain name: Any valid, unique domain portion of the fully qualified DNS domain name in the onmicrosoft.com namespace.
Country or region: United States
Wait until the new directory is created and then use the link select here to manage your new directory to navigate to the Fabrikam Azure Active Directory blade.
On the Fabrikam - Overview blade, select Users under Manage on the left.
On the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
Note: Take a note of the user names (including the domain suffix) and their autogenerated passwords. You will need them in the subsequent tasks of this lab.
User name: fabrikamadmin1
Name: Fabrikam Admin1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: Global administrator
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Back on the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
User name: fabrikamuser1
Name: Fabrikam User1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Select the Directory + Subscription icon (to the right of the Cloud Shell icon).
In the Directory + Subscription pane, in the Switch directory section, select the entry representing the Azure Active Directory tenant associated with the Azure Stack Hub environment.
In the Azure portal, select the user name appearing in the upper right corner, select Sign out, and then close the web browser window.
Start Windows PowerShell ISE as administrator.
Note: Subsequent steps require Azure Stack PowerShell and tools installed. This was performed as part of Azure Stack Hub - Operations - Before the hands-on lab setup guide.
From the Administrator: Windows PowerShell ISE window, set the current directory to the location of the Azure Stack Hub Tools and import required PowerShell modules by running the following:
Set-Location -Path '\AzureStack-Tools-master'
Import-Module .\Connect\AzureStack.Connect.psm1
Import-Module .\Identity\AzureStack.Identity.psm1From the Administrator: Windows PowerShell ISE window, sign in to the Azure Stack Hub as operator by running the following (make sure to replace the placeholder
Add-AzureRMEnvironment -Name "AzureStackAdmin" -ArmEndpoint "https://adminmanagement.local.azurestack.external" `
-AzureKeyVaultDnsSuffix adminvault.local.azurestack.external `
-AzureKeyVaultServiceEndpointResourceId https://adminvault.local.azurestack.external
$AuthEndpoint = (Get-AzureRmEnvironment -Name "AzureStackAdmin").ActiveDirectoryAuthority.TrimEnd('/')
$AADTenantName = "<tenant_name>.onmicrosoft.com"
$TenantId = (Invoke-RestMethod "$($AuthEndpoint)/$($AADTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
Add-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId $TenantIdWhen prompted, sign in with your Azure Active Directory account that you provided when provisioning the Azure Stack Hub environment.
From the Administrator: Windows PowerShell ISE window, specify that you will accept identities from the newly created Azure Active Directory tenant by running the following (replace the placeholder <contoso> with the DNS name of the existing Azure AD tenant and the placeholder <fabrikam> with the DNS name of the newly created Azure AD tenant):
$adminARMEndpoint = "https://adminmanagement.local.azurestack.external"
$azureStackDirectoryTenant = "<contoso>.onmicrosoft.com"
$guestDirectoryTenantToBeOnboarded = "<fabrikam>.onmicrosoft.com"
$ResourceGroupName = "system.local"
$location = "local"
$SubscriptionName = "Default Provider Subscription"
Register-AzSGuestDirectoryTenant -AdminResourceManagerEndpoint $adminARMEndpoint `
-DirectoryTenantName $azureStackDirectoryTenant `
-GuestDirectoryTenantName $guestDirectoryTenantToBeOnboarded `
-Location $location `
-ResourceGroupName $ResourceGroupName `
-SubscriptionName $SubscriptionNameWhen prompted, sign in with your Azure Active Directory account that you provided when provisioning the Azure Stack Hub environment.
Verify that the operation was successful and close the Administrator: Windows PowerShell ISE window.
Start Windows PowerShell ISE as administrator.
From the Administrator: Windows PowerShell ISE window, set the current directory to the location of the Azure Stack Hub Tools and import required PowerShell modules by running the following:
Set-Location -Path '\AzureStack-Tools-master'
Import-Module .\Connect\AzureStack.Connect.psm1
Import-Module .\Identity\AzureStack.Identity.psm1From the Administrator: Windows PowerShell ISE window, register Azure Stack Hub with the newly created Azure Active Directory tenant by running the following (replace the placeholder <fabrikam> with the DNS name of the newly created Azure AD tenant):
$tenantARMEndpoint = "https://management.local.azurestack.external"
$guestDirectoryTenantName = "<fabrikam>.onmicrosoft.com"
Register-AzSWithMyDirectoryTenant `
-TenantResourceManagerEndpoint $tenantARMEndpoint `
-DirectoryTenantName $guestDirectoryTenantName `
-VerboseWhen prompted, sign in by using the FabrikamAdmin1 account you created in the first task of this exercise. In the Update your password window, change the password to something you’ll remember.
Verify that the operation was successful and close the Administrator: Windows PowerShell ISE window.
To verify that the multi-tenancy has been configured properly, start Internet Explorer with the InPrivate Browsing option, navigate to the Azure Stack Hub user portal at https://portal.local.azurestack.external/ and, when prompted, authenticate by using the FabrikamUser1 account you created in the first task of this exercise.In the Update your password window, change the password and make a note of it for this lab.
Note: Multi-tenancy provides the ability for users in the guest Azure Active Directory tenant to access the Azure Stack Hub user portal (and their respective subscriptions), but not the Azure Stack Hub administrator portal.
Close all open windows.
Duration: 90 minutes
In this exercise, you will implement Azure Stack Hub delegation in a multi-tenant environment
Note: Implementing delegation in a single tenant environment follows the same procedure as the one described in this exercise. The only difference is that you delegate to identities (users and groups) which reside exclusively in the same Azure Active Directory tenant.
From the AzS-Host1 Azure VM, start a web browser, navigate to the Azure portal at https://portal.azure.com, and sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure portal, select Azure Active Directory under the left navigation on the left.
On the Azure Active Directory blade of the tenant associated with the Azure Stack Hub environment, select Users under Manage on the left.
On the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
Note: Take note of the user names (including the domain suffix) and their autogenerated passwords. You will need them in the subsequent tasks of this lab.
User name: contosoazsdp1
Name: Contoso AzSDP1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Back on the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
User name: contosouser1
Name: Contoso User1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Leave the browser window open.
Start a web browser using in private/incognito mode, navigate to the Azure portal at https://portal.azure.com, and sign in with the FabrikamAdmin1 Azure Active Directory credentials you created in the previous exercise.
In the Azure portal, select Azure Active Directory in the left navigation.
On the Azure Active Directory blade of the Fabrikam Azure Active Directory tenant select Users.
On the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
User name: fabrikamazsdp1
Name: Fabrikam AzSDP1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Leave the browser in private/incognito mode window open.
Start a browser and navigate to the Azure Stack Hub administrator portal at https://adminportal.local.azurestack.external/.
When prompted, sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure Stack Hub administrator portal, select + Create a resource.
On the New blade, select Offers + Plans and then select Plan.
On the Basics tab of the New plan blade, specify the following settings:
Display name: DP-subscription-plan1
Resource name: dp-subscription-plan1
Description: Delegated provider plan containing Microsoft.Subscriptions.
Resource group: (Create new) dp-RG
Select the Services tab.
On the Services tab of the New plan blade, select the Microsoft.Subscriptions checkbox.
Select the Quotas tab.
On the Quotas tab of the New plan blade, in the Microsoft.Subscriptions drop down list, select delegatedProviderQuota.
Select Review + create and then select Create.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Offers + Plans and then select Offer.
On the Basics tab of the Create a new offer blade, specify the following settings:
Display name: Subscription-for-dp-offer1
Resource name: subscription-for-dp-offer1
Description: Offer for delegated providers containing Microsoft.Subscriptions services.
Resource group: dp-RG
Make this offer public?: No
Select the Base plans tab.
On the Base plans tab of the Create a new offer blade, select the DP-subscription-plan1 checkbox.
Do not include Add-on plans, select Review + create then select Create.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Offers + Plans and then select Subscription.
On the New user subscription blade, specify the following settings:
Display name: Contoso-DP-subscription1
User: UPN of the Contoso AzSDP1 user you created earlier in this exercise.
Offer: Subscription-for-dp-offer1
Directory tenant: The Azure Active Directory tenant associated with the Azure Stack Hub environment.
Select Create.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Offers + Plans and then select Subscription.
On the New user subscription blade, specify the following settings:
Display name: Fabrikam-DP-subscription1
User: UPN of the Fabrikam AzSDP1 user you created earlier in this exercise.
Offer: Subscription-for-dp-offer1
Directory tenant: The Fabrikam Azure Active Directory tenant which you associated with the Azure Stack Hub environment in the previous exercise.
Select Create.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Offers + Plans and then select Plan.
On the Basics tab of the New plan blade, specify the following settings:
Display name: DP-services-plan1
Resource name: dp-services1-plan
Description: Delegated provider plan containing services to be delegated to users.
Resource group: dp-RG
Select the Services tab.
On the Services tab of the New plan blade, select the Microsoft.Storage checkbox.
Select the Quotas tab.
On the Quotas blade, select Create new next to the Microsoft Storage drop-down list.
On the Create Storage quota blade that appears, specify the following settings:
Name: dp-storage-quota1
Capacity (GB): 200
Number of storage accounts: 1
Select OK. This will automatically set the Microsoft Storage drop-down list entry to dp-storage-quota1.
Select Review + create then select Create.
In the Azure Stack Hub administrator portal, select + Create a resource on the left.
On the New blade, select Offers + Plans and then select Offer.
On the Basics tab of the Create new offer blade, specify the following settings:
Display name: services-for-dp-offer1
Resource name: services-for-dp-offer1
Description: Offer for delegated providers containing Microsoft.Storage services.
Resource group: dp-RG
Make this offer public?: No
Select the Base plans tab.
On the Base plans tab of the Create a new offer blade, select the DP-services-plan1 checkbox.
Do not include Add-on plans, select Review + create, and then select Create.
In the Azure Stack Hub administrator portal, select All services on the left then select Offers.
On the Offers blade, select services-for-dp-offer1.
On the services-for-dp-offer1 blade, select Delegated providers under Settings on the left.
Select + Add.
On the Delegate offer blade, specify the following settings and select Delegate.
Name: Accept the default name.
Pick delegated provider subscription: Contoso-DP-subscription1.
Select + Add again.
On the Delegate offer blade, specify the following settings and select Delegate.
Name: Accept the default name.
Pick the delegated provider subscription: Fabrikam-DP-subscription1.
Note: This will allow Contoso users to create subscriptions based on the offer from the delegated provider.
Start a web browser with the InPrivate Browsing option, navigate to the Azure Stack Hub user portal at https://portal.local.azurestack.external/ and, when prompted, authenticate by using the Contoso AzSDP1 account you created in the first task of this exercise. In the Update your password window, change the password to something you’ll remember.
In the Azure Stack Hub user portal, select All services on the left then select Offers. Then select + Add.
On the Create a new offer blade, select Delegated offer.
On the Delegated offer blade, select the entry corresponding to the delegated offer based on services-for-dp-offer1.
On the Create a new offer blade, specify the following settings:
Display name: The name matching the Delegated offer entry.
Resource name: The name matching the Delegated offer entry.
Provider subscription: Contoso-DP-subscription1
Resource group: (Create new) Contoso-dp1-RG.
Select Create.
Back on the Offers blade, select the newly created offer.
Note: You might need to select Refresh.
On the blade of the newly created offer, select Change state and, in the drop-down list, select Public.
In the Azure Stack Hub user portal, select All services on the left.
In the list of services, select Subscriptions.
On the Subscriptions blade, select Contoso-DP-subscription1.
On the Contoso-DP-subscription1 blade, select Properties under Settings on the left.
On the properties blade, copy the value of the PORTAL URL to clipboard. You will need it in the next task of this exercise.
Note: Tenants need to subscribe to the offer from that URL.
Sign out from the Azure Stack Hub tenant portal and close the web browser window.
Note: This will allow Fabrikam users to create subscriptions based on the offer from the delegated provider.
Start a web browser with the InPrivate Browsing option, navigate to the Azure Stack Hub user portal at https://portal.local.azurestack.external/ and, when prompted, authenticate by using the Fabrikam AzSDP1 account you created in the first task of this exercise. In the Update your password window, change the password to something you’ll remember.
In the Azure Stack Hub user portal, select All services on the left then select Offers.
On the Offers blade, select + Add.
On the Create a new offer blade, select Delegated offer.
On the Delegated offer blade, select the entry corresponding to the delegated offer based on services-for-dp-offer1.
On the Create a new offer blade, specify the following settings:
Display name: The name matching the Delegated offer entry.
Resource name: The name matching the Delegated offer entry.
Provider subscription: Fabrikam-DP-subscription1
Resource group: The name of a new resource group Fabrikam-dp1-RG
Select Create.
Back on the Offers blade, select the newly created offer.
Note: You might need to select Refresh.
On the blade of the newly created offer, select Change state and, in the drop-down list, select Public.
In the Azure Stack Hub user portal, select All services.
In the list of services, select Subscriptions.
On the Subscriptions blade, select Fabrikam-DP-subscription1.
On the Fabrikam-DP-subscription1 blade, select Properties.
On the properties blade, copy the value of the PORTAL URL to clipboard. You will need it in the next task of this exercise,
Note: Tenants need to subscribe to the offer from that URL.
Sign out from the Azure Stack Hub tenant portal and close the web browser window.
Start a web browser with the InPrivate Browsing option, navigate to the Contoso delegated provider portal URL you identified earlier in this exercise, and, when prompted, authenticate by using the Contoso User1 account you created in the first task of this exercise. In the Update your password window, change the password to something you’ll remember.
Note: Make sure NOT to use the Azure Stack Hub user portal URL in this case.
In the Azure Stack Hub user portal, select Get a subscription on the dashboard.
On the Get a subscription blade, in the Display name text box, type Contoso-user1-subscription1.
Choose Select an offer.
On the Choose an offer blade, select the name of the Contoso delegated offer created earlier in this exercise and select Create.
In the message box Your subscription has been created. You must refresh the portal to start using your subscription, select Refresh.
Start a web browser with the InPrivate Browsing option, navigate to the Fabrikam delegated provider portal URL you identified earlier in this exercise, and, when prompted, authenticate by using the Fabrikam User1 account you created in the first task of this exercise. In the Update your password window, change the password to something you’ll remember.
Note: Make sure NOT to use the Azure Stack Hub user portal URL in this case.
In the Azure Stack Hub user portal, select Get a subscription on the dashboard.
On the Get a subscription blade, in the Display name text box, type Fabrikam-user1-subscription1.
Choose Select an offer.
On the Choose an offer blade, select the name of the Contoso delegated offer created earlier in this exercise.
Select Create.
In the message box Your subscription has been created. You must refresh the portal to start using your subscription, select Refresh.
Duration: 30 minutes
In this exercise, you will configure Role Based Access Control using a custom role.
From the AzS-Host1 Azure VM, start Windows PowerShell ISE as administrator.
From the Administrator: Windows PowerShell ISE window, sign in to the Azure Stack Hub as operator by running the following (make sure to replace the placeholder
Set-Location -Path '\AzureStack-Tools-master'
Add-AzureRMEnvironment -Name "AzureStackAdmin" -ArmEndpoint "https://adminmanagement.local.azurestack.external" `
-AzureKeyVaultDnsSuffix adminvault.local.azurestack.external `
-AzureKeyVaultServiceEndpointResourceId https://adminvault.local.azurestack.external
$AuthEndpoint = (Get-AzureRmEnvironment -Name "AzureStackAdmin").ActiveDirectoryAuthority.TrimEnd('/')
$AADTenantName = "<tenant_name>.onmicrosoft.com"
$TenantId = (Invoke-RestMethod "$($AuthEndpoint)/$($AADTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
Add-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId $TenantId
When prompted, sign in with your Azure Active Directory account that you provided when provisioning the Azure Stack Hub environment.
From the Administrator: Windows PowerShell ISE window, sign in to the Azure Stack Hub as operator by running the following:
$defaultProviderSubscriptionId = (Get-AzureRmSubscription -SubscriptionName 'Default Provider Subscription').Id
Set-AzureRmContext -SubscriptionId $defaultProviderSubscriptionId
$defaultProviderSubscriptionId Copy the value of the Default Provider Subscription ID displayed in the Administrator: Windows PowerShell ISE window into Clipboard.
Start File Explorer, create a file C:.json (create the folder **C:* if needed), add the following content to it, replace the placeholder <default_provider_subscription_id> with the value you copied into Clipboard, and save the file:
{
"Name":"Activity Log Reader (custom)",
"IsCustom":true,
"Description":"Grants permissions to read Activity Log",
"Actions": [
"Microsoft.Insights/eventtypes/*"
],
"NotActions":[
],
"AssignableScopes":[
"/subscriptions/<default_provider_subscription_id>"
]
}From the Administrator: Windows PowerShell ISE window, create a custom role definition by running:
New-AzureRmRoleDefinition -InputFile "C:\Downloads\CustomReaderRoleDefinition.json"From the AzS-Host1 Azure VM, start a web browser using in private/incognito mode, navigate to the Azure portal at https://portal.azure.com, and sign in with the FabrikamAdmin1 Azure Active Directory credentials you created earlier in this lab.
In the Azure portal, select Azure Active Directory.
On the Azure Active Directory blade of the Fabrikam Azure Active Directory tenant, select Users.
On the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
Note: Take a note of the user names (including the domain suffix) and their autogenerated passwords. You will need them in the subsequent tasks of this lab.
User name: fabrikamazsreader1
Name: Fabrikam AzSReader1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Sign out as FabrikamAdmin1 from the Azure portal and close the window of the web browser using in private/incognito mode.
From the AzS-Host1 Azure VM, start a web browser, navigate to the Azure portal at https://portal.azure.com, and sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure portal, select Azure Active Directory.
On the Azure Active Directory blade of the tenant associated with the Azure Stack Hub environment, select Users.
On the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
Note: Take a note of the user names (including the domain suffix) and their autogenerated passwords. You will need them in the subsequent tasks of this exercise.
User name: contosoazsreader1
Name: Contoso AzSReader1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Back on the Users - All users blade, select + New user.
On the New user blade, ensure that the Create user option is selected, specify the following settings, note the values of the full user name (including the domain suffix) and the randomly generated password, and select Create:
User name: contosoazslogreader1
Name: Contoso AzSLogReader1
First name: not set
Last name: not set
Password: Auto-generate password
Initial password: Show Password
Roles: User
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Back on the Users - All users blade, select + New guest user.
On the New user blade, ensure that the Invite user option is selected, specify the following settings, and select Invite:
Name: Fabrikam AzSReader1
User name: The UPN of the Fabrikam Operator1 user you created in the previous exercise.
First name: not set
Last name: not set
Personal message : Welcome to the Contoso Azure Stack Hub Azure Active Directory tenant.
Groups: not set
Roles: not set
Block sign in: No
Usage location: United States
Job title : not set
Department : not set
Start a web browser using in private/incognito mode and browse to the following URL (where <existing_tenant> represents the DNS name of the original Azure Active Directory tenant associated with your Azure Stack Hub subscription).
https://portal.azure.com/#@<existing_tenant>.onmicrosoft.comWhen prompted, sign in by using the credentials of the Fabrikam AzSReader1 account.
When prompted, grant the target Azure AD tenant requested permissions by selecting Accept. In the Update your password window, change the password to something you’ll remember.
Sign out as Fabrikam AzSReader1 from the Azure portal and close the window of the web browser using in private/incognito mode.
Navigate back to the Azure Active Directory blade of the tenant associated with the Azure Stack Hub environment and select Groups.
On the Groups - All groups blade, select + New group.
On the New Group blade, specify the following settings, and select Create:
Group type: Security
Group name: ContosoAzSReaders
Group description: Contoso Azure Stack Hub Readers
Membership type: Assigned
Owners: not set
Members: Contoso AzSReader1 and Fabrikam AzSReader1.
On the Groups - All groups blade, select + New group.
On the New Group blade, specify the following settings, and select Create:
Group type: Security
Group name: ContosoAzSReaders
Group description: Contoso Azure Stack Hub Readers
Membership type: Assigned
Owners: not set
Members: Contoso AzSReader1 and Fabrikam AzSReader1
Back on the Groups - All groups blade, select + New group.
On the New Group blade, specify the following settings, and select Create:
Group type: Security
Group name: ContosoAzSLogReaders
Group description: Contoso Azure Stack Hub Log Readers
Membership type: Assigned
Owners: not set
Members: Contoso AzSLogReader1
Start Internet Explorer and navigate to the Azure Stack Hub administrator portal at https://adminportal.local.azurestack.external.
When prompted, sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure Stack Hub administrator portal, select All services and then, in the list of services, select Subscriptions.
On the Subscriptions blade, select Default Provider Subscription.
On the Default Provider Subscription blade, select Access control (IAM) and then select + Add.
In the Add permissions pane, specify the following settings and then select Save:
Role: Activity Log Reader (custom)
Select: ContosoAzSLogReaders
Back on the Default Provider Subscription - Access control (IAM) blade and then select + Add.
In the Add permissions pane, specify the following settings and then select Save:
Role: Reader
Select: ContosoAzSReaders
Duration: 60 minutes
In this exercise, you establish a PowerShell Remoting session to the privileged endpoint.
Note: The share will be used to store diagnostics logs collected via the privileged endpoint.
From the AzS-Host1 Azure VM, start File Explorer.
In File Explorer, verify that the folder C:exists (if not, create it).
Right-click Logs and, in the right-click menu, select Properties.
In the Logs Properties window, select the Sharing tab and then select Advanced Sharing.
In the Advanced Sharing dialog box, select Share this folder and then select Permissions.
In the Permissions for Logs window, ensure that the Everyone entry is selected and then select Remove.
Select Add, in the Select Users, Computers, Service Accounts, or Groups dialog box, type CloudAdmins and select OK.
Ensure that the CloudAdmins entry is selected and select the Full Control checkbox in the Allow column.
Select OK.
Back in the Advanced Sharing dialog box, select OK.
Back in the Logs Properties window, select Close.
From the AzS-Host1 Azure VM, start Windows PowerShell ISE as administrator.
From the Administrator: Windows PowerShell ISE window, store in a variable the Azure Stack Hub admin credentials that you will use to access Privileged Endpoint by running the following:
$adminUserName = 'azurestack\CloudAdmin'
$adminPassword = 'demo@pass123' | ConvertTo-SecureString -Force -AsPlainText
$adminCredentials = New-Object PSCredential($adminUserName,$adminPassword)From the Administrator: Windows PowerShell ISE window, run the following to establish a PowerShell Remoting session to the privileged endpoint:
Enter-PSSession -ComputerName 'AzS-ERCS01' -ConfigurationName PrivilegedEndpoint -Credential $adminCredentialsVerify that the PowerShell Remoting session has been successfully established. The console pane in the Windows PowerShell ISE window should be displaying the prompt starting with the name of the infrastructure VM hosting the privileged endpoint enclosed in square brackets ([AzS-ERCS01]).
From the PowerShell Remoting session in the Administrator: Windows PowerShell ISE window, in the console pane, identify all available PowerShell functions and cmdlets by running the following:
Get-CommandFrom the PowerShell Remoting session, identify current Cloud Admin user accounts by running the following:
Get-CloudAdminUserListNote: The list should include only two accounts - AzureStackAdmin and CloudAdmin.
From the PowerShell Remoting session in the Administrator: Windows PowerShell ISE window, in the console pane, collect Azure Stack Hub storage logs by running the following:
Get-AzureStackLog -OutputSharePath '\\AzS-Host1\Logs' -OutputShareCredential $using:adminCredentials -FilterByRole StorageNote: On Azure Stack Hub Development Kit systems, it is possible to run Get-AzureStackLog directly from the ASDK host.
You have the option of filtering by role as well as specify the time window for which logs should be collected. For details, refer to https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-diagnostics.
Wait until the cmdlet completes and, in File Explorer, review the content of the C:folder.
Note: Disregard any error messages during the log collection.
From the PowerShell Remoting session, run the following to exit the session:
Exit-PSSessionDuration: 30 minutes
From the AzS-Host1 Azure VM, select Start, in the Start menu, expand the Windows Administrative Tools folder, and select Active Directory Administrative Center.
In Active Directory Administrative Center, select azurestack (local) and, in the main window pane, select the Users container.
In the Tasks pane, in the Users section, select New and then select User.
In the Create User window, specify the following settings and select OK:
Full name: AzS-BackupOperator
User UPN logon: AzS-BackupOperator@azurestack.local
User SamAccountName logon: azurestack-BackupOperator
Password: demo@pass123
Confirm password: demo@pass123
Password options: Password never expires
Note: In production scenarios (with Azure Stack Hub integrated systems) you would configure a backup share on a highly available file server. When using Azure Stack Hub Development Kit, you can use for this purpose the ASDK host.
On the AzS-Host1 Azure VM, start File Explorer.
In File Explorer, create a new folder C:.
Right-click Backup and, in the menu, select Properties.
In the Backup Properties window, select the Sharing tab and then select Advanced Sharing.
In the Advanced Sharing dialog box, select Share this folder and then select Permissions.
In the Permissions for Backup window, ensure that the Everyone entry is selected and then select Remove.
Select Add, in the Select Users, Computers, Service Accounts, or Groups dialog box, type AzS-BackupOperator and select OK.
Ensure that the AzS-BackupOperator entry is selected and select the Full Control checkbox in the Allow column.
Select Add, in the Select Users, Computers, Service Accounts, or Groups dialog box, select Locations.
In the Locations dialog box, select the entry representing the local computer (AzS-Host1) and select OK.
In the Enter the object names to select text box, type Administrators and select OK.
Ensure that the Administrators entry is selected and select the Full Control checkbox in the Allow column.
Select OK.
Back in the Advanced Sharing dialog box, select OK.
Back in the Backup Properties window, select the Security tab.
Select Edit.
In the Permissions for Backup dialog box, in the list of entries in the Groups or user names pane, select AzS-BackupOperator, in the Permissions for AzS-BackupOperator pane, select Full Control in the Allow column and then select OK.
Back in the Backup Properties window, select Close.
On the AzS-Host1 Azure VM, start Windows PowerShell ISE as administrator.
From the Administrator: Windows PowerShell ISE window, create a self-signed encryption certificate and store its public key in the C:directory by running the following:
$cert = New-SelfSignedCertificate `
-DnsName "AzSBackup.azurestack.local" `
-CertStoreLocation "cert:\LocalMachine\My"
New-Item -Path "C:\" -Name "Certs" -ItemType "Directory"
Export-Certificate `
-Cert $cert `
-FilePath c:\Certs\AzSIBackupCert.cerStart Internet Explorer and navigate to the Azure Stack Hub administrator portal at https://adminportal.local.azurestack.external/.
When prompted, sign in with the Azure Active Directory credentials you provided when provisioning the Azure Stack Hub environment.
In the Azure Stack Hub administrator portal, select All services.
In the ADMINISTRATION section, select Infrastructure backup.
On the Infrastructure backup blade, select Configure.
On the Backup controller settings blade, specify the following settings and select OK:
Backup storage location: **\AzS-Host1.azurestack.local*
Username: AzS-BackupOperator@azurestack.local
Password: demo@pass123
Confirm password: demo@pass123
Backup frequency in hours: 12
Retention period in days: 7
Certificate .cer file: Select the folder icon and upload the public key of the certificate (C:.cer) you generated in the previous task.
Back on the Infrastructure backup blade, select Disable automatic backup.
Duration: 10 minutes
In this final task you will clean up the Azure Resources that you have create for the hands-on lab. This task is optional.
If provisioned using the Azure Stack Hub Development Kit in an Azure VM, delete the resource group your Azure Stack Hub Host VM is running in.
If running on your own Development Kit, delete all the resource groups from the Azure Stack Hub portal that you created during the execution of this lab.
You should follow all steps provided after attending the Hands-on lab.