Currently, you can only manage WVD through PowerShell. Here you can see the most common commands to manage your enviroment.

You can only assign a user to a desktop pool or app pool, not both. Neither can a desktop pool contain apps (like it isn’t possible in RDS as well). By default, you create a desktop pool, let’s add an app pool now by running the commands below. Always start with this command, signing in, in the WVD-enviroment.

1
 Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

Add a new WVD App Group

Run these commands to add a new app group.

1
2
3
4
5
$myTenantName = "mytenantname" #If you don't know, try Get-RdsTenant

$hostpoolname = "myhostpoolname" #If you don't know, try Get-RdsHostPool

$rdsremoteappgroupname = "remoteappgroupname"

Get-RdsAppGroup $myTenantName $hostpoolname

New-RdsAppGroup -TenantName $myTenantName -HostPoolName $hostpoolname -Name $rdsremoteappgroupname -ResourceType RemoteApp

Find applications you can publish

If you want to find apps currently able to publish to your new app group, run this command. It will search on your session hosts for apps.

1
Get-RdsStartMenuApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname

Publish applications

For example, this is how you publish Internet Explorer and Registry Editor.

1
2
New-RdsRemoteApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -Name "Internet Explorer" -FilePath "C:\Program Files\internet explorer\iexplore.exe" -IconPath "C:\Program Files\internet explorer\iexplore.exe"

New-RdsRemoteApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -Name "Registry Editor" -AppAlias "registryeditor"

Add users to your new app group

Adding users is also very simple, just run this command.

1
Add-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -UserPrincipalName <upn>

If you want to publish more app groups, follow the steps above again. Remember, a user can only be a member of the App Group, or the Desktop Group. If you want to assign the user to the app group while being a member of the desktop group, remove it first with this command:

1
Remove-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -UserPrincipalName <upn>

The post How to manage Windows Virtual Desktop appeared first on Erjen Rijnders.

Index

1. Add RDS Tenant
2. Add Service Principal
3. Assign permissions
4. Deploy WVD through marketplace
5. Open HTML5 webclient
6. Add users to your desktop

I see a lot of people struggle deploying Windows Virtual desktop. Most people face this error message:

VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service

This is because you need to create a service principal with the correct permissions. A normal user will work as well, but it’s failing too many times for people.
Following these steps should get you through the deployment.

Keep in mind that the user deploying your WVD VMs to your domain, also needs the Owner role on your Azure Subscription! Because it needs to be able to run some Powershell DSC commands.

NOTE: User ‘Cloudcrusader’ suggests in the comments that it should work with the ‘Virtual Machine Contributor’ role only as well.

Start fresh. Delete all WVD tenants created before. Check if a tenant still exists with Get-RdsTenant.

This post is not going to help you, configuring WVD with AAD DS. It should be possible though, someone was able to configure it succesfully using this post.

Remember, don’t use an MFA enabled account. It doesn’t work.

Also try: Get-RdsDiagnosticActivities. Others succeeded finding the root cause with that command

I have deployed WVD multiple times already, so that’s how I know this works. If it doesn’t work for you, let me know, maybe I can help you.

Run through step one of the Microsoft documentation:
https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Add RDS tenant

Run these commands to add the RDS tenant.

1
2
3
4
# Don't change the deploymenturl

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

# Use any name for your tenant, get your ID from Azure portal > Azure Active Directory > Properties > Directory ID. To get your SubscriptionID, go to Azure Portal > All services > subscriptions > click the subscription where the VM's will reside and copy the subscription ID:

New-RdsTenant -Name YourTenantName -AadTenantId YourAzureADTenantID -AzureSubscriptionId YourSubscriptionID

Add Service Principal

Next, follow these steps. Never change the Default Tenant Group, as per the Microsoft docs.

1
2
3
4
5
6
7
8
9
10
11
12
13
$myTenantGroupName = "Default Tenant Group"

$myTenantName = "tenantname" #As you used in the previous step

$hostpoolname = "Hostpoolname"



# create the service principal:

$aadContext = Connect-AzureAD

$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"

$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId



# Don't change the URL below.

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" 

Set-RdsContext -TenantGroupName $myTenantGroupName

New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

Assign permissions

Now below is the most important step, that’s where you assign the service principal permissions to the RDS environment. If you do this correctly, you can deploy the WVD template from the Azure Marketplace, without errors.

1
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

Go to the Azure Portal and open the app just created and create your own key:
Azure Portal > app registrations > Windows Virtual Desktop Svc Principal > Settings > Keys.
Create your own key and save the value During the next step, deploying Windows Virtual Desktop from the marketplace, in step 3 of that template you need this password.

Deploy WVD through marketplace

Next step is to follow this Microsoft doc:
https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace
You should be able to get passed the error as mentioned above, also with help from these screenshots below.

If you keep No selected below Specifiy domain or OU, it’s going to try joining the domain behind the @, used below AD domain join UPN. So in the example below it will use yourdomain.com. If your domain is ad.yourdomain.com, set Yes below the Specifiy domain or OU.

Finally, your deployment is succesful as you can see in the screenshot below. It took about 9 minutes for the DSCextension completed, per VM:

Open HTML5 webclient

Now go to the HTML5 client to open your desktop: https://rdweb.wvd.microsoft.com/webclient/index.html

Add users to your desktop

As a final step, add users to your desktop:

1
Add-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $appgroupname -UserPrincipalName upn

The post How-to deploy Windows Virtual Desktop in Azure appeared first on Erjen Rijnders.

Why Azure Sentinel

Azure Sentinel is the latest, security related, innovation from Microsoft. Microsoft calls it a “reinvented SIEM” solution. Well, it’s not really innovation, it’s more of a combination of all security products of Microsoft. We have Cloud App Security, Azure Advanced Threat Protection, Security Events, Windows Firewall, Windows Azure Firewall etc. etc.

Azure Sentinel has not only built-in AI (which we expect from nowadays products from Microsoft), but it transcends the AI, already available in the product itself (like the AI in Identity Protection), but it creates an extra AI layer, on top of the already existing AI infrastructure which makes it really cool. So the AI of Sentinel doesn’t have to know the underlaying AI technology, it just needs to combine the output of every separate AI and create valuable input. Microsoft already uses this technique for years and because of their experience, it’s now broadly available.

Azure Sentinel has not only built-in AI (which we expect from nowadays products from Microsoft), but it transcends the AI, already available in the product itself (like the AI in Identity Protection), but it creates an extra AI layer, on top of the already existing AI infrastructure which makes it really cool. So the AI of Sentinel doesn’t have to know the underlaying AI technology, it just needs to combine the output of every separate AI and create valuable input. Microsoft already uses this technique for years and because of their experience, it’s now broadly available.

Let’s have a look at Azure Sentinel. Go to the Azure Portal and search for “Azure Sentinel”. As you can see it’s still in preview.

You need to create a Log Analytics Workspace for Sentinel to work. As long as Sentinel is in preview, you won’t pay anything, except costs like storage which you will make creating a workspace.

Azure Sentinel – Data connectors

The first page you see is the “Getting started” page. Click on “Collect data” to start collecting data.

You will see an overview of all the data you connect. It’s already a nice list of services you can connect. If you are already full onboarded in Azure/Office 365, you will have many relevant products to connect!

Of course, we are going to connect “Azure Information Protection” first. You need to go to the “Azure Information Protection” tab Click “Azure Information Protection” and click “connect to your Azure Sentinel workspace”.

Click on the Azure Sentinel workspace, you need to reconfigure the AIP log so that it stores the AIP information in the Azure Sentinel workspace (if you don’t see any, you should go to Azure Information Protection” and enable logging there) and also check the deeper analytics checkbox to see sensitive information types as well.

Now connect everything you want to connect, like Azure AD. Cool thing is that if you connect Office 365, you can connect multiple tenants! So I expect that more data connectors are going to be multi-tenant which mean we really have the reinvented SIEM.

Azure Sentinel – Analytics

If you click in the Azure Sentinal tab on “Analytics”, you can create rules when you want to be alerted. For example you can create an alert when a virtual machine is created or updated. For more information, check the code example from Microsoft Docs as well.

1
2
3
4
5
AzureActivity

 | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment"

 | where ActivityStatus == "Succeeded"

| extend AccountCustomEntity = ResourceGroup

| extend IPCustomEntity = TenantId

You can create a lot of rules, but in my opinion it’s not that simple to configure the alerts you need. Especially if you need many specific rules. But this is still a preview version, I expect more options and simplifications in the general available version.

Azure Sentinel Cases

A case in Sentinel is automatically created, once an event is triggered. Soon I will update this with more data.

Azure Sentinel Overview page

In the “Overview” section, you have a nice dashboard of everything that is going on. See an example here below. It’s not much data yet, but this is from just a few hours. I will update this dashboard once I have more detailed information.

The post Azure Sentinel – The reinvented SIEM appeared first on Erjen Rijnders.

The solution is to add a registered app in Azure AD and connect to that app. Here is the PowerShell I used.

Note that running commands below on Server 2012 R2 or before will fail, it doesn’t support options that comes with Windows Server 2016. Stripping those options will fail the Azure AD login. Execute these commands on a Windows 10 or Server 2016 machine and copy the exported certificate to a Windows Server 2012 R2 machine. Also import the certificate in the Personal store of the “CurrentUser” on that specific machine.

First, login with administrator credentials:

Now Execute this PowerShell:

Now save the thumbprint, tenantID and appID.

You can get these values like this (use the same PowerShell session), executing these commands:

Next time login like this:

The post Azure AD login without credentials (unattended) appeared first on Erjen Rijnders.

So, in case when you have an applicant on a job offer, the person sends you its resumé somehow (by e-mail, sharing through OneDrive etc.) and you download it to the company share (SharePoint Online or locally). In all scenario’s you need to make sure that, whatever way the resumé is received, you catch it and set an expiration date.

Note: Every product to accomplish this have its caveats. You need to make sure that you align the job applications with the way you handle your sensitive data.

Depending on the license you have, you can use these products for achieving above:

1. 1. Azure Information Protection;
   2. Cloud App Security;
   3. AIP Scanner;
   4. Data Loss Prevention;
   5. Exchange Online Retention Policies
   6. Conclusion

Let’s see how these products can achieve this.

1. Azure Information Protection

First you need to configure a label with content expiration. Go to the “Azure Portal > Azure Information Protection > Labels > Protect”. Under “Content expiration”, set the content to expire “By days” or “By date”. When the content expires, you can no longer decrypt the content which makes it unreadable:

Now classify the document You can easily do this by right clicking a PDF or Word document and click “Classify and protect”:

Click the label you configured with “Content expiration”:

If you view the custom properties of the document, you can see it’s now classified as “Confidential”:

In my opinion, the problem with this approach is the chance on forgetting classifying a document. So, if you choose Azure Information Protection for achieving this, make sure no documents get through without classification and give your users clear instructions.

Another way with Azure Information Protection is the automatic labeling function. You can do this, based on document content. With PDF-files however (and any filetype other than docx, pptx, xlsx), you can only achieve this with the AIP scanner (check point 3). To configure automatic labeling, take the same steps as before but also configure a condition and create a regex policy or fill in predefined keywords:

2. Cloud App Security

Using Cloud App Security, you can automatically classify documents when they reside in a specific folder or when the document contains sensitive information. Personally, I would love the last one, but it’s currently not possible to scan PDF files with Cloud App Security so the first option is the only working option at the moment.

We will discuss both options however. First let’s see how it works when sensitive files are stored in a specific folder. Go to https://portal.cloudappsecurity.com/, click “Control > Policies > Create policy > File policy”:

Select as condition “Parent folder” and select the folder:

Apply a classification label beneath “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

Create the policy, now all content in that folder will have automatically the content expiration activated. Of course, you need to configure content expiration for the label set. See step 1 for more details.

Let’s see how automatic labeling with Cloud App Security works. Create a File policy again and scroll down till the “Inspection method” part. We skip the conditions for now since we did that just before and it’s straight forward as well.

Select “Data Classification Service > Match if Any of the following occur > Choose inspection type… > Select a sensitive information type”:

Here you can select a sensitive information type, or you can add a custom information type. You need to know regular expressions, but it’s not too hard.

For adding a custom information type, click the + button on the right:

Once added, click “Done” and navigate to the bottom. Now again select the classification label you want to apply for “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

All matched files are now automatically classified with “Confidential” (make sure you configure the content expiration again in Azure Information Protection).

Remember, it’s not working yet with PDF-files but will be available in future versions.

3. AIP Scanner

This is more or less the same as step 2, only the tool is different and it’s possible to scan PDF files. You still need to know regular expressions (or you need to choose predefined templates like “Credit Card Number”). the scanner uses the Office 365 data loss prevention (DLP) service. For configuration of the filetypes in DLP, see point 4.

The actual configuration of the AIP scanner is not covered in this post, since there are already many great posts how to do this.

4. Data Loss Prevention

DLP has great potential for achieving this task, especially because you can connect with Exchange Online which means you can scan e-mail attachments and restrict or encrypt the content when a condition matches.

However, one big flaw is that DLP cannot scan PDF files (yet), same goes for Cloud App Security. They both use the same core functionality, but I expect this possibility the coming months. Till then, we cannot use this functionality for scanning PDF files.

To create a custom classification type to use within a DLP policy, go to “https://protection.office.com > Classifications > Custom sensitive information types”:

Now click “Create” and add a Regular expression:

At this point, click “Finish” and add a DLP policy. Click on “Data loss prevention > Policy > Create a policy”. Walk through the steps, at the “Policy settings” tab click “Use advanced settings”:

Click “New rule” and within the “Conditions” tab, click “Content contains > Sensitive info types”:

Now select your just created custom policy. On the “Actions” tab, select “Block people from sharing and restrict access to shared content” and “Everyone. Only the content owner, the last modifier, and the site admin will continue to have access”:

Fill in the other desired settings and save the policy.

5. Exchange Online retention policies

With Exchange Online retention policies, you can achieve best of all worlds. You can just delete content matching a custom information type that you created with regex. So, it’s possible to apply this to Exchange, SharePoint and OneDrive!

Go to “https://protection.office.com > Data governance > Retention > Create”. Create a custom retention policy and add a “Sensitive info types”:

Make sure you delete the content after the period you define, from the data when it was labeled.

One caveat with this option is that you don’t have much conditions. You can only choose to which location you want to apply it (SharePoint Online, OneDrive or Exchange Online).

Conclusion

As you figured out by now, it’s impossible to use one tool for scanning your complete environment (if you both use on-premises file server and cloud-based file servers). Also, scanning PDF-files is apparently hard and even impossible to scan Exchange Online PDF files with a tool like Azure Information Protection, Data Loss Prevention or Cloud App Security. Fortunately, it’s possible with retention policies.

In the scenario where you only use SharePoint, OneDrive and Exchange Online and you also want to scan PDF-files, the best option would be using retention policies. Keep in mind that you do not have much options in conditions. In case you need more freedom in conditions and still need to scan PDF-files, you have to wait for this functionality to become available in AIP, DLP and MCAS.

You might have an on-premises file server as well, where you want to apply labels automatically, you need the AIP-scanner since it can scan PDF files.

If you have any questions, feel free to contact me or place a comment below.

The post GDPR: how to automatically delete sensitive content appeared first on Erjen Rijnders.

At first, this is officially not supported but it’s working flawlessly and since you make use of the e-mail header, it’ll always work.

Lets pick a label in Word, for example “Confidential”. I have configured that Outlook automatically takes over the label from the document as you can see in below screenshots:

Now we want to make sure that this e-mail is encrypted, without the need for the user to select the “Do Not Forward” button (which is also only available with the AIP client) and without the need for the AIP client to be installed.

Go to “Exchange admin center > mail flow > new rule > select Apply Office 365 Message Encryption and rights protection to messages…”

If you check the e-mail header from an e-mail where you selected “Confidential”, you will see that the sensitivity is set to “Confidential”:

So we have to make sure that OME is applied when an e-mail header matches “Confidential”.

the header name is called “msip_labels”

Configure it like this (make sure you configure multiple if you use multiple languages with AIP):

Now wait a few minutes (can take up to one hour before your changes are synced through the 220 thousand Exchange servers) and try it out! You should you receive the e-mail now as a protected e-mail:

Note that if you encrypt the e-mail, by default it will also encrypt Office documents. And because they are encrypted by OME, you cannot track the document (yet).

The post AIP label-based encryption appeared first on Erjen Rijnders.