Category: Random

Azure Secure Admin Workstation posts:

• Part 1 – VDI Environment
  • Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
• Part 2 – Firewalls and VNets
  • Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
• Part 3 – Session hosts and access
  • Adding our SAW VM to the HostPool, connecting and authenticating
• Part 4 – Configuring Entra SSO
  • Solving authentication and session establishment issues
  • Getting Entra SSO working!
• Public GitHub project:
  • zoak-solutions/AzureVirtualSAW (github.com)

---

Context and References

• After deploying a session host, was able to connect with the local administrator created with the VM, but not the Entra users in the group created.
• Got things working after reading these docs and applying the following:
  • Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn
  • Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication – Azure | Microsoft Learn

Troubleshooting and Errors

• After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

• Likely related to the AVD VM’s ability to talk to required Entra endpoints
  • An easy way to validate this is to add a temporary allow all outbound TLS

• Testing and gaining familiarity with PowerShell!

We utilise the open GRC source tool, Eramba; some instances of which are the community edition which does not have an API interface. In some scenarios it is desirable make bulk updates/completions of reviews (and potentially update status of audits).

Doing this is slightly less trivial than expected… steps are:

• Generate a list of review ids and foreign keys (maps review objects to model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk]
• Update the relevant review objects with completion date, comments, completed status
• Create new reviews entries for next cycle
• Update the model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk] to reference the new, next review date
• Update the object status mapping for the updated reviews (expired and current statuses in this case)
• Validate your updated via the web interface
  • No clearing of cache of waiting for jobs is required

-- Generate a list of review ids and foreign keys (in this case the foreign keys are for the associated Assets being reviewed):

SELECT CONCAT_WS(',',Model,id,foreign_key) from reviews where planned_date = '2022-04-19' and model = 'Asset';

-- Update the relevant review objects as desired:

update reviews set actual_date = '2022-04-20',user_id = 2, description = 'No changes to store [components, customer, deployment etc, all same] added to ISMF Agenda ', completed = 1, modified = now(), edited = now()  where id in (select id from reviews where planned_date = '2022-04-19' and model = 'Asset');

-- Create new reviews (this is usually done by the app when completing the review via the web interface, review objects need a Model [Asset, SecurityPolicy, ThirdPartyRisk, Risk] (other models have audits):

INSERT INTO 
	reviews(model, foreign_key, planned_date, completed, created, modified, deleted)
VALUES
('Asset',115,'2023-04-19',0,now(),now(),0),
('Asset',116,'2023-04-19',0,now(),now(),0),
...;

-- Update the Asset object to reference the new, next review date (get asset ID from query used to get review id + foreign_key)
update asset set review = '2023-04-19', expired_reviews = 0 where id in (select foreign_key from reviews where planned_date = '2022-04-19' and model =  'Asset');

-- Eramba has object statuses, the list of available statuses is defined in the object_status_statuses table; the mapping of objects to statuses is in the table: object_status_object_statuses
-- Note there will be better, safer queries to do this..:

-- Check the results select query so we know what we are updating
select * from object_status_object_statuses where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired';

-- Update the object status mappings for relevant items, in this case there are two statuses that need to be updated, the expired status (now should be 0_ and the current status (now should be 1)

update object_status_object_statuses set status = 0 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired');

update object_status_object_statuses set status = 1 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'current_review');

I regularly like to make rough diagrams/plans by drawing on paper. As I have an iPad Pro with a stylus sitting next to me I have often thought there would be some benefits to being able to use a sketching diagram to:

• Stop losing/damaging paper sketches
• Easily undo mistakes
• Leverage things like copy and paste
• Infinite canvas
• Ability to zoom in and out

To this end I am trying: Concepts App • Infinite, Flexible Sketching

Starting with a SkillShare course Draw with Concepts app: Basic Digital Illustration for Beginners

SkillShare – Course

• Vector based app (infinite canvas + no pixilation)
• User interface
  • Supports pressure sensitive stylus + palm rejection
  • Projects -> Files
  • Top right tools, customizable change tools
    • Line thickness, Opacity, Smoothness (0 for pen tip)
    • Color palette (make your own palette)
    • Layers pallet (automatic will separate layers by tool, recommended)
      1. Coloring with pencil, drawing with pen easy with auto layers
      2. Duplicate layers, transparency, visibility etc.
    • Tools + Brushes
      • Can buy new via pro
    • Precision palette
      • Grid, Snap, Measure, Guide
    • Gestures
      • 2 finger tap – undo
• Workflow
  • Ran through a demo, drawing an images from a picture
    • Changing tools/brushes
    • Hold push + item select/select all layers

Other resources

• Concept app tutorials
  • 3 ways to draw a straight line
  • Create a floor plan
  • All tutorials

In a scenario where a VM is moved to different underlying hardware, it is generally a good idea to validate CPU, memory, disk IO and network.

CPU Benchmark

sysbench cpu --cpu-max-prime=20000 run

sysbench threads --num-threads=10 --thread-yields=0 --max-requests=100000000 --thread-locks=1 run

Memory Benchmark

sysbench memory --memory-block-size=1M --memory-total-size=100G run
sysbench memory --memory-total-size=10G run

File IO

sysbench fileio --file-total-size=5G prepare; sysbench fileio --file-total-size=5G --file-test-mode=rndrw --time=300 --max-requests=0 run
# Clean up
sysbench fileio --file-total-size=5G cleanup

Network latency, upload and download

wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py; ./speedtest.py; rm -f ./speedtest.py

If you want to have a single mailbox on Office 365 and be able to send as aliases of that mailbox, you will need to do some work around as it is not really support by Microsoft, see:

• https://techcommunity.microsoft.com/t5/Office-365/Sending-email-as-alias-in-office365/td-p/60802
• https://techcommunity.microsoft.com/t5/Office-365/Sending-an-email-as-an-alias/td-p/98103

1 – Create Distribution List

1. Create distribution group for the desired email address (ensuring is does not exist as an alias or otherwise in the tenant)
2. Add desired destination mailbox as a member
3. Open the Exchange Admin center
4. Select “recipients” (side navbar) -> Select “groups” (top) -> Select the distribution group you just created, click the pencil icon to edit
5. Select “group delegation” add your main mailbox user to the ‘Send As’ list
6. Wait for approx 30 mins for Office 365 to provision the distribution list and update contact lists
7. Optionally set up message rules in your mailbox to ensure emails to the distribution list email address are put into a specific folder

2 – Send As the distribution list via Outlook (Windows)

1. In your Outlook client, create a new message
2. If you cant see the From box, click ‘Options’, Click ‘From’
3. Click on the now display ‘From’ dropbox and select ‘Other email address’
4. Click on the ‘From…’ in the popup box
5. Click on the ‘Offline Global Address List’, select ‘All Distribution Lists’, select your desired From address.

3 – Exchange Online

1. Create new message
2. Click the ellipsis to the right of the send button
3. Right click on the from address, click remove
4. Start typing the address you want to send from, select it from the drop down autocompleter

Building a toy house module

Looks primarily at changing object shapes, introducing the move too and the 2-point arch tool. Using double click for repetition of push/pull tool also proved to be convenient. We then used the move tool to alter slopes of surfaces, including using the up key to match slope and then height of another surface.

Next up is the arc tool, which has 4 variants:

• Arc – Main point of this method determines where the center point of the arc will be
• 2 Point Arc – select two points that will be the width of the arc
• 3 Point Arc – Firts 2 points determine form, and the third point gives that exact length Ideal for irregularly shaped objects
• Pie

The week 3 assignment was creating a house to match a floor, wall and roof plan. Unfortunately it appears that the assignment specification had a couple of slight errors. This was a bit of a time waste and student from the previous course had reported it so it is a bit disappointing that the course writers have not noticed/corrected it: https://www.coursera.org/learn/3d-cad-fundamental/discussions/weeks/3/threads/QTxAZ5UGEeir3xJNYGdMZA

Again the first pass took a while and was quite difficult, but a complete redraw took only 5 mins. When drawing structures like this, with eves and and sloped roofs it is important to complete a room (minus the eves and roof thickness) to make slope matching easier.