By default, network policies are disabled for a subnet in a virtual network and you need to enable it manually, from the Azure Portal after the VNET creation, or you need to specify it in your script if you are deploying with PowerShell, Cli, Bicep or any other IaC.

To ensure that Network security policies are enabled, and force enable it, we can use an Azure Policy. The below Azure Policy checks if the Network security policies are enabled, and if not it automatically enables it. The result of this policy is:

• for new Virtual Networks, it automatically enables Network security policies to all subnets, even if you forgot to select it upon the creation
• for existing virtual Network subnets, it uses a remediation plan to evaluate and enable the Network security policies.

The Policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
      "notEquals": "Enabled"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
            "value": "Enabled"
          }
        ]
      }
    }
  },
  "parameters": {}
}

To add the Policy to your Azure environment:

• Go to the Azure Policy Definitions blade (shortcut: Policy – Microsoft Azure )
• Add Policy Definition

• Provide a location (subscription) to save the policy object, and give a name and a category. Use the existing Network category.

• Paste the policy Json

• Select a Role Assignment. You need a role that will have editor access to the subnet. For my demo, I used the Network Contributor build-in role (4d97b98b-1d4f-4787-a291-c67834d212e7) for the action.
• Once the Policy is created, open it and you need to assign it to a scope (MG, Subscription, Resource Group)

• Assign the policy to the scope you want, like Management Group, Subscription, or Resource Group and one thing that needs attention is to create a remediation task and a Managed Identity.
• The remediation task is needed to remediate the existing resources and the Managed Identity for the modification action.

The Policy is in Audit only mode, in case you just need to audit if there are any subnets that don’t have privateEndpointNetworkPolicies enabled.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks/subnets"
        },
        {
          "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
          "notEquals": "Enabled"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

You can get the Policy Json files at my Github repo: https://github.com/proximagr/automation#policy-audit—enable-network-policy-for-private-endpoints-blog-post

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Policy to enable network policies for private endpoints appeared first on Apostolidis Cloud Corner.

Azure Virtual Network Gateway provides the ability to connect to your Azure Virtual Network with Azure Client VPN (SSL) connections using your Azure AD or hybrid identity, with Multi Factor Authentication (MFA) and your Conditional Access policies.

We can have an Enterprise grade SSL VPN, with Active Directory authentication and Single Sign on (SSO) from your corporate laptops and apply all your conditional access policies, like MFA, Compliance devices, trused locations, etc.

How to create the VPN Gateway

Go to your Virtual Network’s subnets and create a Gateway subnet by clicking the “+ Gateway subnet”

Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add.

Select “VPN”, “Route-based” and at the SKU select any size except the Basic. Basic SKU does not support Azure AD authentication.

Create a Public IP and leave all other settings default and create the Gateway.

After about 20 minutes the VPN Gateway is ready. In the meantime we will prepare the Azure AD and give concern to use the Azure AD with the Azure client VPN. Using a Global Admin account, go to the “Azure Active Directory” and copy the “Tenant ID” from the Overview blade, and keep it on a notepad.

Then copy the url and paste the below url to your browser’s address bar. You need to log in with a Global Admin non guest non Microsoft account.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

With a guest or Microsoft account, even if it is Global Admin, you will be propted to login with an admin account, meaning a member work account.

Once you login with a member work Global Admin account, you can accept the permissions to create the Azure VPN application

You can navigate to the Azure Active Directory / Enterprise Application and view / manage the Azure AD application.

Open the Azure VPN enterprise application and copy the “Application ID” to a notepad.

Go to the VPN Gateway, select the “Point to site configuration” and click the “Configure now”

Add the Address Pool that you want the VPN clients to have, for Tunnel type select “OpenVPN (SSL) as it is the only type that supports Azure AD authentication.

Then use the details that you have copied to the notepad, the Tenant ID and the Application ID, and add them to the required fields and press save.

• Tenant: https://login.microsoftonline.com/paste-your-tenant-id-here
• Audience: paste-the-azure-vpn-application-id-here
• Issuer: https://sts.windows.net/paste-your-tenant-id-here/

How to Download the VPN Client and Connect to the Gateway

Download the VPN client, using the button.

Extrack the downloadded zip file

And at the AzureVPN folder you will find the configuration xml.

Open the Microsoft Store and get the Azure VPN Client

Open the Azure VPN Client and at the lower left corner, press the + and Import the xml configuration file

accept all the settings and press save

The Azure VPN connection will appear at the Azure VPN client and also at the Windows 10 network connections, like any other VPN

Azure VPN Client:

Windows 10 Network Connections:

Once you press connect, it will prompt you to connect using the account(s) that you are already using at your Windows 10 machine, or use a different account

You will be prompted for MFA or any other conditional access policy you have applied, and the you will be connected.

Conditional Access & Multi-Factor Authentication (MFA)

You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy.

Select the “Azure VPN” at the “Cloud apps or actions” section

At the Access Controls / Grand section, you can require multi-factor authentication, or AD Joined device, or compliant device, or all of that

At the “Conditions” section you can controll the location that the policy will apply. Lets say, you can apply the MFA requirement at “Any location” and exclude the “Trusted locations”, in order to not require MFA when the device is at a trusted location, like your company’s network.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Client VPN with Azure AD auth & MFA | Step by step guide appeared first on Apostolidis Cloud Corner.

This is my third Azure Front Door Post. Already we created an Azure Front Door to scale and secure our web apps, and we used Web Application Firewall (WAF) rules to protect our web apps. At this post we will see how to add a custom domain name and our certificate to the Azure Front Door.

Azure Front Door provides ssl certificates and management for the .azurefd.net domain. But in most cases we will need to add our custom domain name and of cource our certificate.

To add a custom domain name and our certificate we need:

• The public certificate in PFX format
• Register the Azure Front Door Service Principal
• An Azure Key Vault
• Access to the Public DNS of our custom domain

Azure Key Vault

Azure Front Door imports custom certifiated only from Azure key Vault. So we need to create a Key Vault and provide access to the Azure Front Door Service Principal. First register the Azure Front Door Service Principal using this script: (I prefer cloud Shell)

New-AzADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"

Result:

Then search the Marketplace and create a key Vault

At the first page fill the name and region and go to the Next Page, Access Policy and press “+ Add Access Policy” to add a new access policy. At the certificate permissions select the get secret & get & list certificates and authorities. For principal select the “Microsoft.Azure.Frontdoor” and add.

Next at the Network Connectivity method select all networks, or if you select selected networks remember to allow the Azure Front Door Bckend IP Range, 147.243.0.0/16. For updated IP range check the https://www.microsoft.com/download/details.aspx?id=56519

Once the Key Vault is ready, open it, go to Certificatess -> Generate/Import

Slect Import and upload your certificate.

Edit the Front Door

Once the certificate is uploaded successfully, go to the Azure Front Door designer. At the Frontend/domains press the + to add the custom domain

Write your custom host name and the form will inform you to create a CNAME to point to the front door. You need to do this first to proceed.

After that enable the Custom Domain HTTPS and select use my own certificate

Select the KeyVault, the certificate and the version and press add adn then Save.

The process will start, it will check the certificate and it will import it to the Front Door.

Now, since we have the SSL termination at the Azure Front Door, we can forward the request unencripted to our backend, this is called SSL Offload. To do this update routing rule to accept HTTPS only requests, select for frontends the custom domain and for backend forwarding protocol HTTP only

Then go to the Web App and turn off the HTTPs Only.

We can now check our web app at the custom domain: https://myapp.funniest.gr

Don’t forget, we have locked our backend web apps with access restriction to allow only the Front Doors backend IP range 147.243.0.0/16

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Front Door add custom domain & certificate appeared first on Apostolidis Cloud Corner.

Create the WAF Rule

From the Azure Marketplace search for WAF and create a Web Application Firewall

At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled.

At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body.

The next step is the rule. We can select one or more predefined rule sets and then customize at will.

To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect.

WAF Custom Rule

The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule.

Next is the Conditions (If this) and the action (then that).
The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly.

The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic

For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region.

The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule.

Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group.

Inside the Front Door, at the Web application firewall section, you can review the assigned rules.

The below diagram shows the current setup. The user cannot access the Azure Web Apps directly, only through the Front Door and the requests are filtered by WAF rules.

Test 1

From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text!

Test 2

From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page!

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis Cloud Corner.

Remediate security recommendations in 1 click

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. Using advanced analytics, it helps you detect potentially malicious activity across your hybrid cloud workloads, and recommends potential remediation steps, which you can then evaluate, and take the necessary action.

One of the main features of Azure Security Center is that offers prioritized and actionable security recommendations so you can remediate security vulnerabilities before they can be exploited by attackers. To simplify remediation of security issues now allows you to remediate a recommendation on multiple resources with a single click.

• Quick access to 1-click fix
  The 1-click fix label is shown next to the recommendations that offer this faster remediation tool.
• Logging for transparency
  All remediation actions are logged in the activity log.

How to use 1-click remediation

Look for the “1-click Fix !” Label at the recommendations!

Once you click the “1-click Fix !” Label, the recommendation information page will pen. Select the affected resources and click Remediate

A final window will open that will inform you about the action that will be performed and what will affect. Check the information and if you agree click the final “Remediation” button

Current 1-click remediation availability

Remediation is available for the following recommendations in preview:

• Web Apps, Function Apps, and API Apps should only be accessible over HTTPS
• Remote debugging should be turned off for Function Apps, Web Apps, and API Apps
• CORS should not allow every resource to access your Function Apps, Web Apps, or API Apps
• Secure transfer to storage accounts should be enabled
• Transparent data encryption for Azure SQL Database should be enabled
• Monitoring agent should be installed on your virtual machines
• Diagnostic logs in Azure Key Vault and Azure Service Bus should be enabled
• Diagnostic logs in Service Bus should be enabled
• Vulnerability assessment should be enabled on your SQL servers
• Advanced data security should be enabled on your SQL servers
• Vulnerability assessment should be enabled on your SQL managed instances
• Advanced data security should be enabled on your SQL managed instances

Single click remediation is part of Azure Security Center’s free tier.

Read more at: Azure Security Center single click remediation

Sources:

Azure Security Center single click remediation

Azure Security Center—1-click remediation for security recommendations is now available

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post ASC | Remediate security recommendations in 1 click appeared first on Apostolidis Cloud Corner.

Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network or an on-premises network with Site-2-Site VPN to Azure platform as a service (PaaS) Microsoft services. Azure Private Link makes the networking a lot more simple improving the security and eliminating the need for public access.

image from: https://azure.microsoft.com/en-us/services/private-link/

Azure Private Link is a Service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating the exposure to threats. Using Private Link helps an organization to meed the compliance standards.

Azure Private Link is a Global service. It does not have regional restrictions. You can connect privately services from all the Azure Regions around the globe.

Lets Lab It!

Let’s see in practice how we can connect from an Azure VM and from our on-premises computer using VPN to an Azure SQL Database using private IPs. For the Lab I already have a Virtual Machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any networks.

Open the Azure Portal, press New and search for “Private Link”, select it and press “Create”

A nice “Getting started page” will open. Click the “Build a private connection to a service”

The “Create a private endpoint” wizard will open. Select a name for the Private Link and a Region and press Next to go to the second step.

At the second step, select to connect to the azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.

At the third step, select the VIrtual Network that the Private Link will be created. I selected the network where my Virtual Machine resides. If you don’t have your own DNS server select Yes to create an Azure private DNS zone.

At the final step, review the settings and create the Private Link

After the resource creation, you can check the DNS for the Azure SQL Server Private IP Address!

And at the SQL Server, at the “Private endpoint connections” section you will see the new Private Link.

Open a Remote Desktop Connection to the Azure VM, and run a nslookup for the SQL Server name. In my case the command is:

PS C:\> nslookup plsqlsrv.database.windows.net
Server: UnKnown
Address: 168.63.129.16

Non-authoritative answer:
Name: plsqlsrv.privatelink.database.windows.net
Address: 10.0.2.5
Aliases: plsqlsrv.database.windows.net

And it returned the Private IP address of the SQL Server.

From my computer, i tried to connect to the Azure SQL Server, using the name plsqlsrv.database.windows.net and the connection failed since my Public IP Address is not allowed to access the server.

From the Azure VM I managed to connect successfully and of course internally!

After that, I added a Virtual Network Gateway to the Network and created a Point to Site VPN connection from my local computer to Azure. You can check my guide on how to do this: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/

In order to connect to the Azure SQL you need to either use a local DNS server to map the SQl Server name to the Azure SQL IP or add an entry to the local host file for testing.

Conclusion

Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services coming in preview in next 3-6 months:

• · Cosmos DB
• · App Service Vnet Integration + App Service Environment
• · Azure Kubernetes Service
• · Azure Key Vault
• · PostgreSQL
• · MySQL
• · Maria DB

Source:

https://azure.microsoft.com/en-us/services/private-link/

https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Private Link | Private connection to Azure PaaS appeared first on Apostolidis Cloud Corner.

Ευχαριστώ όλη την ομάδα που συνέβαλε για αυτήν την συνέντευξη & φυσικά Read more @netfax

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax appeared first on Apostolidis Cloud Corner.

Azure VM Antimalware Extension Management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal upon the Azure VM creation or by using the Extensions blade. But after that, the management of the extension is somehow tricky. There is no way to manage the Microsoft Antimalware exclusion list and auto-scan setting from the portal or from inside the VM. Even using PowerShell there is not a single command to manage the Microsoft Antimalware settings.

There is no need to point out that all VMs must have an Endpoint Protection Solution. Azure provides the ability to add an Endpoint Protection Solution to all Azure VMs. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system and it is absolutely free. For the 3rd party extensions you need to add your key.

For Windows Server VMs up to version 2012 R2, the extension will install the System Center Endpoint Protection client and apply the configuration policies. Windows Server 2016 and above have build-in the Windows Defender, so the extension will only apply the configuration.

Below we will walk through on how to deploy & manage the Microsoft Antimalware Extension Using the Azure Portal (Single VM), Using the Azure Security Center (Multiple VMs)and Using PowerShell for a Single VMand for Multiple VMs filtered by Resource Groups or Tags.

Deploy the Microsoft Antimalware Extension

Using the Azure Portal for single VM deployment

Go to the Azure VM’s blade, navigate to the Extensions section and press Add.

Select the Microsoft Antimalware extension and press Create

Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan  type and schedule.

Using the Azure Security Center for multi VM deployment

Go to the Azure Security Center, navigate to “Compute & Apps” and click “Install endpoint protection solution on virtual machines”

The Azure Security Center will check which VMs does not have Endpoint Protection and will check them all. Press “Install on # VMs” to select the extension

Select “Microsoft Antimalware” and press create

Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan  type and schedule.

Using the PowerShell for single and multi VM deployments

Single VM

Declare the variables

$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"

Get the latest major version

#view all versions for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#view the latest major version
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#add the latest major version in a variable called "amversion"
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')

Set the Microsoft Antimalware Settings, exclusions and schedules

$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@

Enable the Microsoft Antimalware Extension at one Azure VM

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

The whole scipt

Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion

Multi VM – All VMs in a Resource Group

To deploy the extension to multiple VMs use the “For Each-Object” loop, like this:

#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

The whole script

#Login-AzAccount
#variables
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

Using Tags instead of Resource Group to filter the VMs

Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, excusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs of a spesific Tag
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue
foreach($tagRes in $tagResList) { 
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
    }

After a successful deployment, at the VMs extensions, you will see an IaaS Antimalware extension with status “Provisioning succeeded”

Change the settings in an existing deployment

After the first deployment / installation, to change any settings of the WIndows Defender  / Forefront Endpoint Protection, we need to run the same PowerShell after changing the required settings at the “#Antimalware extension settings, exclusions and schedules” section

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure VM Antimalware Extension Management appeared first on Apostolidis Cloud Corner.