Viva Learning news and feature update

by Contributed | Mar 8, 2022 | Technology

This article is contributed. See the original author and article here.

As we celebrate the first year of Microsoft Viva, it’s exciting to see so many companies seeking to foster human connection, align on a sense of mission, ensure employee wellbeing, and retain their best people. These are areas of critical important for business of any size as we collectively navigate the new world of Hybrid Work.

Since Microsoft Viva Learning’s general availability in November 2021 we’ve seen how employee upskilling, growth, and learning is becoming a top priority for organizational leaders. If you missed it, make sure to watch our announcement at Ignite.

But as we look back with pride, we also look forward with excitement. And there’s plenty on the horizon to be excited about with Viva Learning! Below we have a set of partner announcements, early adopter evidence, and new resources to share.

Let’s get to the good stuff!

Partner Announcements

In addition to the Viva Learning partner integrations we’ve previously announced, we’re thrilled to add another big name to the list – Workday. With the planned integration of Viva Learning and Workday, we’ll deliver a personalized learning experience right in the flow of work with Viva and Microsoft 365. We expect this integration to be live in the coming months.  

“Together, Workday and Microsoft will empower employees with a simpler, more connected learning experience in their natural flow of work for greater engagement and productivity.” 

          -Stuart Bowness, Vice President, Software Development, Experience Design & Development, Workday

We’re also pleased to announce that our existing Learning Management System (LMS) integrations have reached a new milestone with learner record and assignment syncing. This means assignments and completion records from Cornerstone OnDemand, Saba Cloud, and SAP SuccessFactors now surface directly in Viva Learning. This builds on our existing content catalog integration which provides users the ability to search, discover, recommend, and share content hosted on their LMS right within Teams.

For detailed setup instructions to integrate your LMS with Viva Learning, visit the Viva Learning docs page.

Finally, we’re excited to share that our integrations with Edcast and OpenSesame are live in Viva Learning! This means you can now import content libraries from Edcast and OpenSesame into Viva Learning so users can search for, discover, share, and recommend their content throughout the platform.  

In addition to the dedicated integrations mentioned above, we’re also hard at work building our APIs to deliver an open and extensible Employee Experience platform with Viva. Expect more details on Viva Learning APIs in the coming months.  

Early adopter spotlight – Music Tribe 

Music Tribe is a multi-national leader for professional audio products and musical instruments with operations across the globe. Recognizing the importance of learning in attracting and retaining talent, Music Tribe decided to prioritize the growth and development of their Tribers’ (employees’) by seeking a personalized, social, and easy to use learning system.  

Music Tribe already uses Teams, so bringing learning to their users within their existing platform was a key decision point to deliver an engaging, inclusive, and inspiring learning experience aligned to their core values.  

By deploying Viva Learning and Go1 together, Music Tribe employees are now able to define their own learning journeys in a social and collaborative experience – seamlessly integrated into their flow of work.  

“As part of our Vision “We Empower. You Create”, we wanted to empower our Tribers (employees) by means of learning and self-improvement. We looked for tools that would aggregate content from different providers and deliver it to our Tribers in an easily accessible way. The Go1 + Viva Learning solution does exactly that, with Go1 bringing the content together and Viva Learning delivering it as a natural part of the workday. This tremendously helped our Tribers sourcing content while giving more time developing their learning pathways and making the most of their professional development on our Employee Experience platform,” 

          -Uli Behringer, Founder and CEO, Music Tribe 

“We are thrilled to deliver the world’s largest workplace online learning library to Music Tribe employees in the flow of their work, via Microsoft Viva Learning. With Go1 and Viva Learning together, Music Tribe’s employees are able to access relevant learning content from hundreds of different learning providers, all from the Microsoft tools like Teams that they use every day.” 

          -Andrew Barnes, CEO, Go1 

Data from Go1 shows that in less than a month from launch over 40% of Music Tribe employees engaged in learning content, well over the industry standard for levels of employee engagement in learning content. Read more about Music Tribe’s Viva Learning journey in Go1’s blog.   

New Viva Learning resources 

For a comprehensive product walkthrough, see our guide at aka.ms/VivaLearningDemo 

For setup and admin documentation, see our docs pages at aka.ms/VivaLearningDocs 

For the list of 125 free LinkedIn Learning courses included with Viva Learning, see this page 

For adoption guidance and best practices, see our new page at aka.ms/VivaLearningAdoption 

For overview and license and pricing, or to start a free trial, see aka.ms/VivaLearning 

Please add your questions and thoughts in the comments section and as always we will see you soon – learning in the flow of work! 

Protegendo o backend com Azure API Management

by Contributed | Mar 7, 2022 | Technology

This article is contributed. See the original author and article here.

Protegendo o backend com o Azure API Management

O Azure API Management é uma excelente opção para projetos que lidam com APIs. Estratégias como centralização, monitoria, gerenciamento e documentação são características que o APIM ajuda você a entregar. saiba mais.

No entanto muitas vezes esquecemos que nossos backends precisam estar protegidos de acessos externos. Pensando nisso vamos mostrar uma forma muito simples de proteger seu backend usando o recurso de private endpoint, VNETS e sub-redes. Assim podemos impedir chamadas públicas da internet no seu backend, porém permitindo que o APIM o acesse de forma simples e transparente.

O primeiro passo é entender a VNET, que é a representação virtual de uma rede de computadores, ela permite que os recursos do Azure se comuniquem com segurança entre si, com a Internet e com redes locais. Como em qualquer rede, ela pode ser segmentada em partes menores chamadas sub-redes. Essa segmentação nos ajuda a definir a quantidade de endereços disponíveis em cada sub-redes, evitando conflitos entre essas redes e diminuindo o tráfego delas. Observe o desenho abaixo:

Diagrama com uma VNET de CIDR 10.0.0.0/16 e duas sub-redes com CIDR 10.0.0.0/24 e 10.0.1.0/24.

É importante entender quais opções de conexão com uma VNET (Modos) o APIM oferece:

1. Off: Esse é o padrão sem rede virtual com os endpoints abertos para a internet.


2. Externa: O portal de desenvolvedor e o gateway podem ser acessados pela Internet pública, e o gateway pode acessar recursos dentro da rede virtual e da internet.


3. Interna: O portal de desenvolvedor e o gateway só podem ser acessados pela rede interna. e o gateway pode acessar recursos dentro da rede virtual e da internet.

Em um ambiente de produção essa arquitetura contaria com um firewall de borda, tal como um Application Gateway ou um Front Door, essas ferramentas aumentam a segurança do circuito oferecendo proteções automáticas contra os ataques comuns, por exemplo, SQL Injection, XSS Attack (cross-site scripting) entre outros. No entanto para fins de simplificação vamos ficar sem essa proteção.

A configuração de rede do APIM pode ser feita no menu lateral Virtual Networking, no portal de gerenciamento do Azure.

APIM com configuração externa na VNET vnet_apim e sub-rede SUBNET_APIM

Depois de configurar o APIM, devemos configurar o App Services. Nele vamos até o menu Networking e configuramos um private endpoint, é com esse recurso que associamos um App Services a uma VNET e uma sub-rede. Durante essa configuração é importante marcamos a opção que integra com um DNS privado, para garantir a resolução de nomes dentro da rede privada.

Portal do Azure, configuração do private endpoint do App Services

Agora podemos conferir que foi criado um private zone para o domínio azure.websites.net apontando para o IP privado do App Services, isso permite que o APIM acesse o App Services de forma transparente, assim como era antes da implementação da VNET.

Para realmente termos certeza de que nosso App Services está protegido, podemos tentar acessar seu endereço pelo navegador, algo como a imagem abaixo deve acontecer. Não vamos conseguir resolver esse DNS.

Acessando URL do APP Services pelo navegador, e recebendo um erro de resolução de DNS.

No entanto as APIs do APIM continuam funcionando com o mesmo endereço, já que o APIM está na mesma VNET que o App Services e o DNS privado resolve os nomes para endereços dessa VNET.

Tela do APIM com mesmo backend que não pode ser acessado pelo browser.

Usando a ferramenta de Teste do APIM podemos confirmar que o APIM consegue acessar o back-end.

Explorando a opção de Teste do APIM.

Conclusão

A implantação da Rede Virtual do Azure fornece segurança aprimorada, isolamento e permite que você coloque seu serviço de gerenciamento de API em uma rede protegida da Internet. Todos os acessos como portas e serviços podem ser controlados pelo NSG da VNET, dessa forma você garante que suas APIS serão acessadas apenas pelo endpoint de gateway do APIM. 

Referências

1. https://docs.microsoft.com/pt-br/azure/api-management/api-management-using-with-vnet


2. https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet


3. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Build high confidence migration plans using Azure Migrate

by Contributed | Mar 6, 2022 | Technology

This article is contributed. See the original author and article here.

Build high confidence migration plans using Azure Migrate’s software inventory and agentless dependency analysis

Authored by Vikram Bansal, Senior PM, Azure Migrate

Migrating a large & complex IT environment from on-premises to the cloud can be quite daunting. Customers are often challenged with the problem of unknown where they may not have complete visibility of applications running on their servers or the dependencies between them, as they start planning their migration to cloud. This results not only in leaving behind dependent servers causing the application to break, but also adds up to the migration cost that the customers want to reduce. Azure Migrate aims at helping customers build a high-confidence migration plan with features like software inventory and agentless dependency analysis.

Software inventory provides the list of applications, roles and features running on Windows and Linux servers, discovered using Azure Migrate. Agentless dependency analysis helps you analyze the dependencies between the discovered servers which can be easily visualized with a map view in Azure Migrate project and can be used to group related servers for migration to Azure.

Today, we are announcing the public preview of at-scale, software inventory and agentless dependency analysis for Hyper-V virtual machines and bare-metal servers.

How to get started?

• To get started, create a new Azure Migrate project or use an existing one.


• Deploy and configure the Azure Migrate appliance for Hyper-V or for bare-metal servers.


• Enable software inventory by providing server credentials on the appliance and start discovery. For Hyper-V virtual machines, appliance lets you enter multiple credentials and will automatically map each server to the appropriate credential.

The credentials provided on the appliance are encrypted and stored on the appliance server locally and are never sent to Microsoft.

• As servers start getting discovered, you can view them in the Azure Portal.

Software inventory

• Using the credentials provided, the appliance gathers information on the installed applications, enabled roles and features on the on-premises Windows and Linux servers.


• Software inventory is completely agentless and does not require installing any agents on the servers.


• Software inventory is performed by directly connecting to the servers using the server credentials added on the appliance. The appliance gathers the information about the software inventory from Windows servers using PS remoting and from Linux servers using SSH connectivity.


• Azure Migrate directly connects to the servers to execute a list of queries and pull the required data once every 12 hours.


• A single Azure Migrate appliance can discover up to 5000 Hyper-V VMs or 1000 physical servers and perform software inventory across all of them.

Agentless dependency analysis

• Agentless dependency analysis feature helps in visualizing the dependencies between your servers and can be used to determine servers that should be migrated together.


• The dependency analysis is completely agentless and does not require installing any agents on the servers.


• You can enable dependency analysis on those servers where the prerequisite validation checks succeed during software inventory.


• Agentless dependency analysis is performed by directly connecting to the servers using the server credentials added on the appliance. The appliance gathers the dependency information from Windows servers using PS remoting and from Linux servers using SSH connection.


• Azure Migrate directly connects to the servers to execute a list of ‘ls’ and ‘netstat’ queries and pull the required data every 5 mins. The appliance aggregates the 5 min data points and sends it to Azure every 6 hours.


• Using the built-in dependency map view, you can easily visualize dependencies between servers. You can also download the dependency data including process, application, and port information in a CSV format for offline analysis.


• Dependency analysis can be performed concurrently on up to 1000 servers discovered from one appliance in a project. To analyze dependencies on more than 1000 servers from the same appliance, you can sequence the analysis in multiple batches of 1000.

Workflow and architecture

The architecture diagram below shows how software inventory and agentless dependency analysis works. The appliance:

1. discovers the Windows and Linux servers using the source details provided on configuration manager


2. collects software inventory (installed applications, roles and features) information from discovered servers


3. performs a validation of all prerequisites required to enable dependency analysis on a server. The validation is done when appliance performs software inventory. Users can enable dependency analysis only on those servers where the validation succeeds, so that they are less prone to hit errors after enabling the dependency analysis.


4. collects the dependency data from servers where dependency analysis was enabled from the portal.


5. periodically sends collected information to the Azure Migrate project via HTTPS port 443 over a secure encrypted connection.

Resources to get started

1. Tutorial on how to perform software inventory using Azure Migrate: Discovery and assessment.


2. Tutorial on how to perform agentless dependency analysis using Azure Migrate: Discovery and assessment.

Using secretless Azure Functions from within AKS

by Contributed | Mar 5, 2022 | Technology

This article is contributed. See the original author and article here.

I recently implemented a change in KEDA (currently evaluated as a potential pull request), consisting of leveraging managed identities in a more granular way, in order to adhere to the least privilege principle. While I was testing my changes, I wanted to use managed identities not only for KEDA itself but also for the Azure Functions I was using in my tests. I found out that although there are quite a few docs on the topic, none is targeting AKS:

https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-storage-queue-trigger?tabs=csharp#identity-based-connections

https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob#connecting-to-host-storage-with-an-identity-preview

You can find many articles showing how to grab a token from an HTTP triggered function, or using identity-based triggers, but in the context of a function hosted in Azure itself. It’s not rocket science to make this work in AKS but I thought it was a good idea to recap it here as I couldn’t find anything on that.

Quick intro to managed identities

Here is a quick reminder for those who would still not know about MI. The value proposition of MI is: no password in code (or config). MI are considered best practices because the credentials used by identities are entirely managed by Azure itself. Workloads can refer to identities without the need to store credentials anywhere. On top of this, you can manage authorization with Azure AD (single pane of glasses), unlike shared access signatures and alternate authorization methods.

AKS & MI

For MI to work in AKS, you need to enable them. You can find a comprehensive explanation on how to do this here. In a nutshell, MI works the following way in AKS:

An AzureIdentity and AzureIdentityBinding resource must be defined. They target a user-assigned identity, which is attached to the cluster’s VM scale set. The identity can be referred to by deployments through the aadpodbinding annotation. The function (or anything else) container makes a call to the MI system endpoint http://169…, that is intercepted by the NMI pod, which in turn, performs a call to Azure Active Directory to get an access token for the calling container.  The calling container can present the returned token to the Azure resource to gain access.

Using the right packages for the function

The packages you have to use depend on the Azure resource you interact with. In my example, I used storage account queues as well as service bus queues. To leverage MI from within the function, you must:

• use the Microsoft.Azure.WebJobs.Extensions.Storage >= 5.0.0


• use the Microsoft.Azure.WebJobs.Extensions.ServiceBus >= 5.0.0


• use the Microsoft.NET.Sdk.Functions >= 4.1.0

Note that the storage package is not really an option because Azure Functions need an Azure Storage account for the most part.

Passing the right settings to the function

Azure functions takes their configuration from the local settings and from their host’s configuration. When using Azure Functions hosted on Azure, we can simply use the function app settings. In AKS, this is slightly different as we have to pass the settings through a ConfigMap or a Secret. To target both the Azure Storage account and the Service Bus, you’ll have to define a secret like the following:

data:
  AzureWebJobsStorage__accountName: <base64 value of storage account name>
  ServiceBusConnection__fullyQualifiedNamespace: <base64 value of the service bus FQDN> 
  FUNCTIONS_WORKER_RUNTIME: <base64 value of the function language>
apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
---

data:
  AzureWebJobsStorage__accountName: <base64 value of the storage account name>
  ServiceBusConnection__fullyQualifiedNamespace: <base64 value of the service bus FQDN>
  FUNCTIONS_WORKER_RUNTIME: <base64 value of the function code>
apiVersion: v1
kind: Secret
metadata:
  name: misecret
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: storageandbushandler
  annotations:
    aadpodidentity.k8s.io/Behavior: namespaced
spec:
  type: 0
  resourceID: /subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/storageandbushandler
  clientID: <client ID of the user-assigned identity>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: storageandbushandler-binding  
spec:
  azureIdentity: storageandbushandler
  selector: storageandbushandler
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busandstoragemessagehandlers
  labels:
    app: busandstoragemessagehandlers    
spec:
  selector:
    matchLabels:
      app: busandstoragemessagehandlers
  template:
    metadata:
      labels:
        app: busandstoragemessagehandlers
        aadpodidbinding: storageandbushandler
    spec:
      containers:
      - name: secretlessfunc
        image: stephaneey/secretlessfunc:dev
        imagePullPolicy: Always
        envFrom:
        - secretRef:
            name: misecret
---

[FunctionName("StorageQueue")]
        public void StorageQueue([QueueTrigger("myqueue-items", Connection = "AzureWebJobsStorage")]string myQueueItem, ILogger log)
        {
            log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
        }

        [FunctionName("ServiceBusQueue")]
        public void ServiceBusQueue([ServiceBusTrigger("myqueue-items", Connection = "ServiceBusConnection")] string myQueueItem, ILogger log)
        {
            log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
        }