Microsoft Operations Management Suite

The Microsoft Operations Management Suite (OMS), previously known as Azure Operational Insights, is a software as a service (SaaS) platform that allows an administrator to manage on-premises and cloud IT assets from a central portal. It was introduced in May 2015 as an evolution of System Center.

OMS provides flexible access to the management capabilities a company needs through four key service offerings:

  • Insight & Analytics – includes Azure Log Analytics and two additional solutions on the OMS Portal (Service Map and Network Performance Monitor) that are not available in regular Log Analytics. This solution brings the following features:
    • Gain visibility across workloads, giving customers all the information they need about what is happening in the environment
    • Includes log collection and search, application and server dependency mapping, as well as network health monitoring
    • Rights to use System Center Operations Manager*

    It can be used instead of System Center Operations Manager (you can install OMS agents on Windows and Linux machines in the cloud or on-premises), or it can be connected to SCOM to visualize SCOM data and extend it with its own “solutions” (the analog of Management Packs in SCOM); the Service Map functionality is the analog of “Distributed Applications” in SCOM.

  • Automation & Control – includes Azure Automation (with Desired State Configuration (DSC) and Automation Hybrid Worker functionality) and two additional solutions on the OMS Portal (Change Tracking and Update Management). This solution brings the following features:
    • Enable consistent control and compliance across Azure, third-party clouds and on-premises datacenters
    • Includes services to assist with process automation, desired state configuration, change tracking and update management
    • Rights to use System Center Service Manager, System Center Orchestrator, and System Center Configuration Manager*

    Note that Azure Automation shares a large part of its code with System Center SMA (part of System Center Orchestrator). The Change Tracking solution in OMS overlaps with System Center Service Manager, and OMS Update Management overlaps to some extent with System Center Configuration Manager.

  • Security & Compliance – includes Azure Security Center and two additional solutions on the OMS Portal (Antimalware Assessment and Security and Audit). This solution brings the following features:
    • Drive security across every area of the organization, delivering threat intelligence capabilities, malware detection, and information on how systems may have been compromised
    • Includes advanced security and audit functionality and malware threat analysis
    • Azure Security Center availability for deep security management of Azure services
  • Protection & Recovery – includes Azure Backup and Azure Site Recovery, which provide the following features:
    • Ensure availability of important applications and data. Protection & Recovery helps you keep critical data protected through integrated cloud backup, and keep applications available while minimizing the impact of disruptions to the business
    • Includes both backup and site recovery services for an integrated experience
    • Rights to use System Center Virtual Machine Manager and System Center Data Protection Manager*
Note: *You only receive System Center 2016 licenses for the duration of the OMS subscription if you purchase OMS SKUs with an annual commitment. You do not get System Center licenses if you pay for OMS SKUs monthly without commitment, or if you purchase OMS solutions through CSP.

In terms of licensing, there are currently six OMS SKUs: one SKU for each of the four solutions described above, plus two plans:

  • OMS E1 – includes Insight & Analytics and Automation & Control
  • OMS E2 – full bundle, that includes all 4 OMS solutions with a discount

Additionally, all OMS solutions are licensed per node, where a node is a VM or a physical (non-virtualized) host. OMS also requires Azure Storage for backups, log collection and DR data, which is charged separately. You can find all details about OMS capabilities, pricing and licensing here.

Usually, there are three types of scenario for implementing OMS in a customer environment:

  • OMS as a management solution instead of the System Center suite:
    • Azure Log Analytics (OMS Insight & Analytics) as a comprehensive monitoring solution that manages Windows and Linux machines on-premises and in the cloud, including Office 365 monitoring and Windows Telemetry analysis. OMS agent machines can be used to collect monitoring data even from servers that are not connected to the Internet
    • Azure Automation as a comprehensive automation solution. It can automate many tasks in the cloud, and the Automation Hybrid Worker extends its capabilities to the on-premises environment
    • Azure Security Center audits security in the cloud and helps prevent breaches, while OMS Antimalware Assessment and OMS Security and Audit analyze what is happening in the on-premises environment
    • Azure Backup can back up VMs in Azure, and Azure Backup Server (which is in fact equivalent to System Center DPM, but lacks tape support) can be used to back up on-premises VMs (Hyper-V and VMware), Exchange databases, SQL Server databases, file servers, SharePoint farms and Active Directory state. Azure Backup Server can back up on-premises data to local disks and then copy the important data to the cloud (the same approach as DPM)
    • Azure Site Recovery can be used for DR from on-premises Hyper-V and VMware hosts to Azure
  • OMS as an addition to System Center:
    • The existing SCOM analyzes what is happening on-premises, and Log Analytics analyzes what is happening in the public cloud. SCOM agents send data to the SCOM server, and the SCOM server can be connected to the OMS workspace. You do not need to install OMS agents on every server in your environment if you have already installed the SCOM agent.
    • The existing System Center Orchestrator and SMA automate and orchestrate the on-premises environment, whereas Azure Automation automates tasks in the cloud
    • The existing DPM can leverage Azure Backup to store backups in the cloud
    • The existing VMM manages the Hyper-V-based private cloud and leverages Azure Site Recovery for site-to-site and site-to-Azure DR scenarios
    • The existing System Center Configuration Manager and System Center Service Manager remain powerful tools for managing on-premises environments, with no real replacement in OMS. It is worth mentioning Microsoft Intune, though, when it comes to System Center Configuration Manager in the cloud.
  • Part of the management is delivered by OMS and part by System Center: a mix of the two scenarios described above. For example, SCOM is not installed because it is a small on-premises environment with cloud resources, and OMS Insight & Analytics is used to monitor the entire environment.

I hope this article helps you to better understand OMS, what it is composed of and which licensing approach to choose. The next articles will describe more precisely how to add, configure and use these OMS solutions in your environment.

How To Change The Name of Your Azure Subscription

When you start to have multiple subscriptions based on the Pay-As-You-Go offer, managing them in the Azure portal becomes a nightmare because by default they all have the same name. To rename your subscriptions so that the names reflect what they are used for, connect to the Azure portal and go to the Subscriptions menu. Select the subscription you want to modify and click Manage.

You are automatically redirected to the Windows Azure subscription management page (you can also access it from here). There you can edit the subscription details and rename it.

Once this is done, you will need to wait a few minutes before the change appears in the Azure portal.

Deployment of Microsoft Intune – Part 4

In the previous part of the series, we saw how to grant your users the rights to connect to the Intune platform, to enroll their mobile devices, and to create configuration policies. Here we will see how to implement automatic deployment of the Company Portal application during device enrollment and how to configure custom OMA-URI settings for WP 8.1 devices.

To implement automatic deployment of the Company Portal application during WP 8.1 device enrollment, we will use the Support Tool for Windows Intune Trial Management of Windows Phone provided by Microsoft. Once you have downloaded and installed the package, you can retrieve the SSP.xap file, which is the Company Portal application.

The next step is to upload and register this application as the Company Portal application in the Microsoft Intune console.

Then, when you enroll a WP 8.1 device as we saw in the previous part of this series, it asks whether you want to automatically install the Company Portal application.

But if you have deployed a configuration policy that only allows devices to run listed applications, you will need to add an exception for this Company Portal application.

To add an application to this allow list, you need to add the Windows Store URL of the application. In this case, however, the Company Portal application included in the support tool package is not the same as the Company Portal app available on the Windows Store. So, to allow this application on your WP 8.1 mobile devices, you need to get the product ID from the application's manifest file. To access this file, uncompress the SSP.xap file (a .xap is a ZIP archive) and locate WMAppManifest.xml. Open this file in your editor and copy the ProductID; in this case, the ID is 01914a77-09e7-4f01-88d1-099162777f9b.

Then you need to add the legacy Windows Phone Store URL built from the product ID (http://www.windowsphone.com/en-us/store/app/company-portal/01914a77-09e7-4f01-88d1-099162777f9b) to the allowed apps list so that the Company Portal application can be used on the mobile devices.
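The two steps above (read the ProductID from the manifest inside SSP.xap, then build the store URL for the allow list) can be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft's tool; it assumes SSP.xap is in the current directory and, like every .xap, is a ZIP archive with WMAppManifest.xml at its root. The GUID check is there so that a damaged or tampered manifest cannot produce a malformed allow-list entry.

```powershell
# Added example (not from the original post): extract the ProductID from the
# Company Portal package and build the legacy Windows Phone Store URL that goes
# into the Intune allowed-apps list.
# Assumption: SSP.xap is in the current directory and contains WMAppManifest.xml
# at the root of the archive.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-CompanyPortalAllowedUrl {
    param([Parameter(Mandatory)][string]$XapPath)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $XapPath).Path)
    try {
        $entry = $zip.Entries | Where-Object { $_.FullName -eq 'WMAppManifest.xml' }
        if (-not $entry) { throw "WMAppManifest.xml not found in $XapPath" }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally {
        $zip.Dispose()
    }

    # The ProductID attribute sits on the <App> element and is written with
    # braces, e.g. "{01914a77-09e7-4f01-88d1-099162777f9b}"; strip them.
    $productId = ($manifest.Deployment.App.ProductID -replace '[{}]', '').ToLower()

    # Only accept a well-formed GUID: anything else means the manifest is not
    # what we expect and must not end up in the allow list.
    if ($productId -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
        throw "Unexpected ProductID value in manifest: '$productId'"
    }

    [pscustomobject]@{
        ProductID     = $productId
        # Legacy store URL format accepted by the WP 8.1 allowed-apps list.
        AllowedAppUrl = "http://www.windowsphone.com/en-us/store/app/company-portal/$productId"
    }
}

Get-CompanyPortalAllowedUrl -XapPath '.\SSP.xap'
```

Run it from the folder where the support tool left SSP.xap; for the package described in this post, the ProductID it prints should match 01914a77-09e7-4f01-88d1-099162777f9b, and the AllowedAppUrl value is what you paste into the policy.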

If you use a custom configuration policy based on OMA-URI, you can authorize the Company Portal app on mobile devices by adding a rule for it.

Remember that you can find the list of OMA-URI settings and parameters in the Windows Phone 8.1 MDM Protocol documentation.

Deployment of Microsoft Intune – Part 3

In the previous part of the series, we saw how to grant your users the rights to connect to the Intune platform and, more importantly, to enroll their mobile devices. Here we will see how to configure settings and manage applications through Microsoft Intune policies (only WP 8.1 devices in this part).

Now that devices are managed by Microsoft Intune, we have to create specific policies for general settings, email configuration, certificate profiles, application management, etc. These policies could also be created before enrolling devices.

To create these policies, connect to your Microsoft Intune admin console (https://admin.manage.microsoft.com/) and go to the Policy section.

Then click Add and choose the type of policy you want to create. We first create a general configuration policy (for WP 8.1 and later) to configure general settings.

Then you can either wait for the devices to go through their update cycle or force a compliance check on the device. Once the policy is loaded on the device, you can verify that everything is correctly applied.

Now we need to create a policy to give users access to their corporate mailbox. To accomplish this, we will create an Email Profile. In this case, the mailboxes are hosted on Office 365.

Once the policy is created, you have to deploy it to a group of users, not devices. After the compliance check, the mailbox is created on the devices, automatically configured with your parameters.

If you need to deploy additional specific parameters, you can create a custom policy based on the OMA-URI settings described in the Windows Phone 8.1 MDM protocol. Moreover, several customers asked me to remove the possibility to unenroll devices from the Workplace settings.

To accomplish this, you have to study the Windows Phone 8.1 MDM protocol documentation and find the parameter that corresponds to your need. In this case, the parameter that will be used is:

Now, when a user wants to remove the device from Intune management, they receive the following message.

Finally, we will see how to deploy apps to Windows Phone 8.1 devices with Intune (I will not cover Trusted Certificate, SCEP Certificate, VPN and Wi-Fi profiles in this article). You have two options for deploying apps on WP 8.1 devices: a Windows Phone app package, or an external link (either to a WP application in the Windows Store or to a website, such as an internal CRM). In this case, we will just create an external link to Twitter.

Once the app is created, you have to deploy it. As it is an external link to the Windows Phone Store, you cannot deploy it as required. If you want to manage an app as required, you have to download the XAP/APPX file and create a Windows Phone app package installer. I will show in another article how to get the .appx file from the Windows Store in order to deploy it as mandatory on your devices.

Once the configuration is done in the Microsoft Intune portal, users will see the application as available in the enterprise store application on their devices.

In the next part, we will see how to implement automatic deployment of the Company Portal application during device enrollment and how to configure custom OMA-URI settings for WP 8.1 devices (Deployment of Microsoft Intune – Part 4).

Deployment of Microsoft Intune – Part 1

The goal of this series is to implement and configure Microsoft Intune as an MDM (Mobile Device Management) solution for mobile devices (Android, iOS and Windows Phone) and PCs.

To configure and use Microsoft Intune (or other Microsoft cloud services like Office 365), you first need to synchronize your on-premises Active Directory with Azure Active Directory. To accomplish this, create a Microsoft Intune account (a trial in our case) directly on this web page.
You have to choose a domain name, which must be unique, and a domain account linked to this new Azure AD domain.

Once connected to your account portal, you will need to add the public domain name that will be used as the UPN suffix.

Once your public domain is verified in the Microsoft Intune console, you have to add the UPN suffix in your local Active Directory. To do this, connect to a domain controller, open the Active Directory Domains and Trusts MMC, right-click and choose Properties.

Once the UPN suffix is added, you need to change the user logon name (UPN) of your users. You can do it manually, but personally I prefer a little tool called ADModify, which makes that change much easier to manage.
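As an alternative to the ADModify GUI, the two steps above (registering the suffix in the forest, then rewriting the UPN of the users to be synchronized) can be done with the ActiveDirectory PowerShell module. This is an added example, not code from the original post or from ADModify; the verified domain `contoso.com` and the OU `OU=IntuneUsers,DC=contoso,DC=local` are placeholders to replace with your own values. It does a dry run (`-WhatIf`) before applying, and refuses to create a duplicate UPN, since duplicates are what break the later synchronization.

```powershell
# Added example (not from the original post): add a verified public domain as a
# UPN suffix and rewrite the UPN of the users in one OU.
# Placeholders (not values from the post): suffix "contoso.com" and the OU
# "OU=IntuneUsers,DC=contoso,DC=local". Requires the ActiveDirectory module and
# rights to modify the forest and the target users.
Import-Module ActiveDirectory

function Add-UpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)

    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Verbose "UPN suffix $Suffix is already registered"
        return
    }
    # Same effect as adding the suffix in Active Directory Domains and Trusts.
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ add = $Suffix }
}

function Set-UserUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Suffix
    )

    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName
    foreach ($user in $users) {
        # Keep the existing prefix (fall back to sAMAccountName when no UPN is
        # set) and swap only the suffix.
        $prefix = if ($user.UserPrincipalName) {
            $user.UserPrincipalName.Split('@')[0]
        } else {
            $user.SamAccountName
        }
        $newUpn = "$prefix@$Suffix"
        if ($user.UserPrincipalName -eq $newUpn) { continue }

        # UPNs must be unique in the forest; a clash would surface later as a
        # synchronization error, so detect it here and skip the user.
        $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
        if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
            Write-Warning "Skipping $($user.SamAccountName): $newUpn already belongs to $($clash.SamAccountName)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }
    }
}

Add-UpnSuffix -Suffix 'contoso.com'

# Dry run first: shows every change without applying it.
Set-UserUpnSuffix -SearchBase 'OU=IntuneUsers,DC=contoso,DC=local' -Suffix 'contoso.com' -WhatIf
# Then apply.
Set-UserUpnSuffix -SearchBase 'OU=IntuneUsers,DC=contoso,DC=local' -Suffix 'contoso.com'
```

Scoping the change to the OU that will be synchronized keeps the rewrite limited to the accounts that actually need the public suffix, which is also what the filtering step of the Azure AD Connect wizard below relies on.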

Your local and cloud environments are now ready to be synchronized. To accomplish this, download Microsoft Azure Active Directory Connect (download here). If you need more information about Azure AD Connect, refer to my previous article. The configuration of the AADC tool, the creation of our Intune trial account and the synchronization are covered in this first part.

You need to install the synchronization tool on a Windows Server on your LAN with Internet connectivity (avoid installing it on a domain controller if you can).

This will be a fresh installation of the tool, but if you have DirSync installed you can use the same tool to upgrade it. You can choose between express settings (automatic creation of the service account, groups, database, etc.) and customizing the required components.

In our case, we will not use express settings, so that we can customize some components such as the service account used to synchronize your on-premises AD with Microsoft Azure AD. The service account must be an Enterprise Administrator account for your local Active Directory.

Then, depending on your needs, choose the user sign-in method. In our case, we prefer Password Synchronization. If you need more details about this part, refer to my previous article.

This window lets you synchronize your local Active Directory forest(s) to a single Azure Active Directory tenant.

To avoid duplicate records for the same user in your Azure Active Directory (if you synchronize several forests, for example), this screen lets you define a rule to identify such users and merge them into a single object.

Here you can choose to synchronize only a group of users. As we use this tool in a lab environment, I will synchronize only my future Intune users.

Finally, we can choose to enable optional features. Some of the features are grayed out because they need prerequisites or additional configuration. For the moment, we will only activate the Password Writeback feature, which synchronizes user passwords in both directions.

Make sure to export and back up the keys used to encrypt data in Azure AD Sync to a file.

Finally, you can check that synchronization is running through the Synchronization Service Manager.

Back in your account portal, you can see which users and groups have been synchronized and when the last synchronization occurred.

In part 2, we will see how to configure Intune in order to enroll, customize and secure Windows Phone 8.1 devices.

Azure Active Directory Synchronization

If you need to work with Microsoft cloud services like Office 365, Intune or Azure, you will have to synchronize your on-premises Active Directory objects (users, contacts and groups) to Microsoft cloud services (Azure Active Directory). To accomplish this, you have to choose between Same Sign-On and Single Sign-On.

  • Same Sign-On uses synchronization tools (DirSync, AADSync and FIM) to synchronize your on-premises Active Directory objects and their associated passwords (requires Password Sync). This means that authentication requests and access rights are handled entirely by Azure Active Directory, without contacting your on-premises domain controllers.
  • Single Sign-On also uses synchronization tools, but authentication requests and access rights are redirected to your on-premises AD FS infrastructure, which is connected to the local Active Directory. This scenario is used if your organization requires SSO, MFA and similar features. In terms of infrastructure, you will need to implement a highly available AD FS service in your DMZ, with redundant links, to avoid service interruption.

Since the beginning of Microsoft Azure services, we had to use DirSync to accomplish this synchronization (without Password Sync); then Microsoft released a bunch of new tools to improve this process, which brought a lot of confusion…

But rejoice, because there is a new product called Azure Active Directory Connect that replaces AADSync and DirSync. Azure AD Connect incorporates the components and functionality previously released as DirSync and AADSync. At some point in the future, support for DirSync and AADSync will end. Moreover, Azure Active Directory Sync allows you to do the following:

  • Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2012 R2
  • Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing only a very minimal set of user attributes (only 7)
  • Configure multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant

You can download the tool here and find more information here.