
Azure App Service: Resolving socket (SNAT) exhaustion with Auto-Heal

Go to your App Service in the Azure portal

In the left-hand menu select “Diagnose and solve problems”

Select “Diagnostic Tools”

Select “Auto-Heal”

How to set up the “Heal” rule

Once the Auto-Heal screen is open, I recommend configuring it as follows to handle the problem of saturated sockets:

  1. Define Conditions: Choose Request Count.

    • Example: 2000 requests in a 10-minute interval (or a value you consider high for your normal traffic).

  2. Configure Actions: Select Recycle.

  3. Override Title: Save the rule.

This way Azure monitors the traffic and, if it sees an anomalous spike (which often precedes the sockets becoming blocked), restarts the process before the app becomes unreachable.


The global administrator does not have access to an Azure subscription

The global administrator cannot use the Azure subscription

As the global administrator of a Microsoft tenant you have access to all of the tenant's resources. If you purchase a new Azure subscription and try to create a new resource inside it, you get the error: “You do not have sufficient permissions to create resource groups in the subscription”.

Problem

The problem is that even though you are an administrator of the tenant, you are not by default also an owner of the subscription.

Solution

Go to the Azure portal and select the subscription. In the left-hand menu select “Access control (IAM)”. At the top click “Add” -> “Add role assignment”.

Look for the “Owner” role, which you will find in the “Privileged administrator roles” tab. Click “Next” at the bottom, select the user and complete the procedure.

It may be necessary to wait 24 hours before you can use the Azure subscription as owner, even if the new role already appears on the user.


How to Deploy ASP.NET Core Web API on IIS Windows Server

(Tested on Windows Server 2012 R2)

Install the .NET Core Hosting Bundle on Windows Server

The .NET Core Hosting bundle is an installer for the .NET Core Runtime and the ASP.NET Core Module. The bundle allows ASP.NET Core apps to run with IIS.

Current version: .NET Core Hosting Bundle installer (direct download)

(For this test we installed .NET Core 8 on Windows Server 2012 R2.)

Visual Studio : Publish on Folder

After creating the ASP.NET Core application in Visual Studio, we can use the Visual Studio Publish Tool to deploy and run our app. For this project, choose to publish to a folder. Choose the folder and hit “Finish”.

In the next screen, where you see the settings for this deploy, click on “More Actions” and then on “Edit”.

Select:

  • Deployment Mode: Complete
  • Target Runtime: win-x64 (for our server)
  • File Publish Options: Delete all existing files prior to publish (checked)
  • Database: edit the Default Connection (if you need it)

Save this configuration, check it and publish.

Copy the contents of the folder on the IIS server to the folder dedicated to the new site.

IIS and new site

Create the site on IIS. For the Application Pool, use the default .NET CLR Version: v4.0.

Open your browser and call up the site. You will receive the “page not found” error (404).

Remember that the site hosts only Web API calls. To verify that it works, you can use the controller that Visual Studio creates by default with a new project. Type:

https://www.mynewapisite.com/WeatherForecast

and you will get a result. The site works!



Microsoft MFA: Enabled or Enforced

Multi Factor Authentication (MFA)

Microsoft recommends using multi-factor authentication for the tenant's global administrators. If this is not done, the tenant is deactivated 60 days after Microsoft's last reminder.

Warning: enabling two-factor authentication is not enough … you also have to use it.

Enabled or Enforced

The problem is that enabling it is not sufficient. After MFA has been enabled for the user, the user must also sign in with MFA: at that point the user's state changes from Enabled to Enforced, and that state is the one Microsoft considers valid.

You must not have Global Admins with MFA in the Enabled state, only in the Enforced state.


Tenant Microsoft 365 configuration


Microsoft Office 365: disabling two-factor authentication

When a new Microsoft 365 tenant is created, two-factor authentication is enabled by default. To disable (or enable) it, sign in to your tenant through the Azure portal (https://portal.azure.com).

Select “Azure Active Directory”

Select “Properties”

At the bottom you will find the link “Manage security defaults”, which takes you to the setting for disabling/enabling it


Register a web application with Azure AD Portal App Registration to connect to a Microsoft 365 tenant

PowerShell Limits

With PowerShell you can connect to a Microsoft 365 tenant to perform operations on users, groups and any other element of the tenant. When you use this tool, PowerShell shows a prompt for entering your account and password. You can write accounts and passwords directly in the PowerShell script, but that would be a serious security compromise.

Application

An alternative is to build an application that connects directly to the tenant using dedicated keys stored in the tenant itself. In other words, the tenant must be told that a certain application is authorized to access it. Furthermore, for each operation that you want to perform on the tenant you must grant the appropriate permissions. To create these applications, we recommend following the excellent tutorial “.Net Core console application for calling Microsoft Graph”. This post reproduces the images from that tutorial only to show how the application must be prepared on the Microsoft tenant.

Register a web application with Azure AD Portal App Registration

Open a browser and navigate to the Azure Portal. Log in using your account. Select the resource “Azure Active Directory”. In the left-hand menu, select “App registration”. Click New registration on the current page.

On the Register an application page, specify the following values:

  • Name = Name of your Application
  • Supported account types
  • Redirect URI
    • Type = Web
    • Value = https://localhost:8080   (*)

(*) The Redirect URI value must be unique within your domain. This value can be changed at a later time and does not need to point to a URI that is actually hosted.

You now need to store 2 values that will be used in your application:

  • Application (client) ID
  • Directory (tenant) ID

Certificates & secrets

Click Certificates & secrets.

  1. Click New client secret.
  2. On the Add a client secret dialog, specify the following values:
    • Description = Your secret’s description
    • Expires = In 1 year (for example)
  3. Click Add.

After the screen has updated with the newly created client secret, copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.

API permissions

Click API permissions.

  • Click Add a permission
  • On the Request API permissions panel select Microsoft Graph.

  • Select Application permissions.

Now choose which permissions to authorize for your app. For example, for an application that reads all information about the tenant's users, type “User” in the “Select permissions” search box and select User.Read.All from the filtered list. Finally, on the API permissions content blade, click Grant admin consent for the Tenant.

Summary of the data necessary for the application

Let’s see what data your application needs to connect and operate on the Microsoft Tenant.

  • applicationId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • applicationSecret = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • tenantId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • redirectUri = “https://localhost:8080”;
  • domain = “yourtenant.onmicrosoft.com”;

Permissions

  • User.Read.All : Read all users’ full profiles
  • User.ReadWrite.All : Read and write all users’ full profiles
  • Group.ReadWrite.All : Read and write all groups
  • Notes.ReadWrite.All : Read and write all OneNote notebooks
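
The app-only connection these values make possible, as an added example (not code from this post or from the tutorial it references): it requests a token with the client-credentials grant, checks which application permissions the token actually carries, and lists the tenant's users. The environment variable names GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET are assumptions, chosen so the secret is not written in the script.

```powershell
# Added example: app-only (client credentials) call to Microsoft Graph.
# Assumption: the values from the app registration are supplied through
# environment variables (hypothetical names), not hard-coded here.
$ErrorActionPreference = 'Stop'
$tenantId = $env:GRAPH_TENANT_ID
$clientId = $env:GRAPH_CLIENT_ID
$secret   = $env:GRAPH_CLIENT_SECRET
if (-not ($tenantId -and $clientId -and $secret)) {
    throw 'Set GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET first.'
}

# ".default" asks for the application permissions already granted by admin consent.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
    }

# Decode the token payload for inspection only (base64url -> JSON).
function ConvertFrom-JwtPayload([string]$Jwt) {
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

# Least-privilege check: the "roles" claim lists the granted application permissions.
$expected = @('User.Read.All')
$claims   = ConvertFrom-JwtPayload $token.access_token
$extra    = @($claims.roles | Where-Object { $_ -notin $expected })
if ($extra.Count) {
    Write-Warning "Token carries more permissions than needed: $($extra -join ', ')"
}

# Read the users, following @odata.nextLink until the last page.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$uri = 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName'
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers
    $page.value | Select-Object displayName, userPrincipalName
    $uri = $page.'@odata.nextLink'
}
```

If the warning lists User.ReadWrite.All or Group.ReadWrite.All for an app that only reads users, remove those permissions from the registration.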

Documentation


How to check the execution of Microsoft Agent Backup

To check the outcome of Microsoft Azure Backup execution we can take advantage of the fact that, if the backup fails, some events are generated.

Prepare script to send email

Copy and paste the following code in a new file and modify it with your data (mail server, user, password, messages).

# SMTP connection settings (replace with your own values)
$SMTPServer = "YOUR SMTP SERVER"
$SMTPPort = "25"
$Username = "USERNAME TO ACCESS SERVER"
$Password = "PASSWORD"

# Message fields
$to = "Email recipient"
# $cc = "cc email recipient"
$subject = "Error Backup MyServer"
$body = "backup failed"
# $attachment = ""

# Build the message; the sender is the SMTP account, so $Username must be an e-mail address
$message = New-Object System.Net.Mail.MailMessage
$message.Subject = $subject
$message.Body = $body
$message.To.Add($to)
# $message.CC.Add($cc)
$message.From = $Username
# $message.Attachments.Add($attachment)

# Send over an encrypted connection, authenticating with the account above
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.EnableSsl = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$smtp.Send($message)
Write-Host "Mail Sent"

Save it as a file with the .ps1 extension.

Creating a new Task

  1. Open the Task Scheduler : Control Panel -> Administrative Tools -> Task Scheduler
  2. Right-click the “Task Scheduler Library” branch, and select the New Folder option.
  3. Type a name for the folder. For example, MyTasks.
  4. Expand the “Task Scheduler Library” branch, and select the MyTasks folder.
  5. Click the Action menu.
  6. Select the Create Task option.

Task to check Azure Backup

  1. In the Name field you can write something like “Check Microsoft Agent Backup”.
  2. Click the Triggers tab.
  3. Click the New button.
  4. Use the “Begin the task” drop-down menu to select “On an event”.
  5. Select the Custom option under the Settings section.
  6. Click the Edit Event Filter… button.
  7. Go to the XML tab and, at the bottom, tick the “Edit query manually” option.
  8. Copy and paste the XML below and click OK to confirm the changes.
<QueryList>
<Query Id="0" Path="CloudBackup">
<Select Path="CloudBackup">*[System[(Level=1 or Level=2) and (EventID=5 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=16 or EventID=18)]]</Select>
</Query>
</QueryList>
  9. Click the Actions tab.
  10. Click the New button.
  11. Browse to the PowerShell script created earlier.
  12. Click OK to save the task.

From now on, an email should be sent to you when the backup fails.
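
A variant of the notification script, as an added example (not the original author's code): it loads the SMTP account from a DPAPI-protected credential file, so no password sits in plain text in the .ps1, and it reuses the task's event filter to put the failing events in the mail body. The path C:\Scripts\smtp-cred.xml, the host smtp.example.com, port 587 and the recipient address are assumptions.

```powershell
# Added example. One-time setup, run interactively as the account the scheduled
# task runs under (the file is encrypted with DPAPI for that user on that machine):
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\smtp-cred.xml'
$ErrorActionPreference = 'Stop'
$credPath   = 'C:\Scripts\smtp-cred.xml'   # assumed location
$smtpServer = 'smtp.example.com'           # placeholder host
$smtpPort   = 587                          # assumed submission port
$to         = 'admin@example.com'          # placeholder recipient

# Same query as the task trigger, so the mail shows what fired it.
$filter = [xml]@'
<QueryList>
  <Query Id="0" Path="CloudBackup">
    <Select Path="CloudBackup">*[System[(Level=1 or Level=2) and (EventID=5 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=16 or EventID=18)]]</Select>
  </Query>
</QueryList>
'@
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterXml $filter -MaxEvents 5 -ErrorAction SilentlyContinue)

$body = if ($events.Count) {
    ($events | ForEach-Object {
        '{0:u}  EventID {1}  {2}' -f $_.TimeCreated, $_.Id, $_.Message
    }) -join "`r`n"
} else {
    'The backup failure trigger fired, but no matching events could be read.'
}

# The SecureString in the file can only be decrypted by the account that created it.
$cred    = Import-Clixml -Path $credPath
$message = New-Object System.Net.Mail.MailMessage
$smtp    = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort)
try {
    $message.From    = $cred.UserName      # must be an e-mail address
    $message.To.Add($to)
    $message.Subject = "Backup error on $env:COMPUTERNAME"
    $message.Body    = $body
    $smtp.EnableSsl   = $true
    $smtp.Credentials = $cred.GetNetworkCredential()
    $smtp.Send($message)
} finally {
    $message.Dispose()
    $smtp.Dispose()
}
```

Restrict the NTFS permissions on the script and the credential file to the task's account, since anyone who can run code as that account can decrypt the password.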