Azure Boards – Organize and Plan All of Your Work

by Contributed | Dec 30, 2022 | Technology

This article is contributed. See the original author and article here.

In our daily work we constantly encounter what I like to call ‘The Time Thieves.’ These are the things that take away our ability to be proactive in our day-to-day job. They are the reasons we fall behind in our work and can’t always meet delivery dates. I’ve listed several of the time thieves that all of us can relate to:  

• Unknown dependencies


• Too much work (WIP)


• Neglected Work


• Conflicting priorities


• Unplanned work

We are all too familiar with these items listed above. While I wish I had a magic bullet, I don’t, but we’re going to look at some ways in which we can help alleviate these. There very much needs to be a cultural change within your organization, but we can use tooling to assist us with this in our projects going forwards. I am going to focus on Azure Boards, which is part of the more widely known tool, Azure DevOps.

Firstly, we cannot plan for and prioritize what we cannot see. When starting a new project, we need to define our definite of done (DoD). A definition of done is a confirmed set of conditions that a project must complete in order to be accepted by the end users. A DoD is often made up of acceptance criteria, that ensure we complete our tasks, delivering higher quality work and eliminating the need to ‘re-do’ our work.

For example:

Definition of Done:  In 3 months we will deploy the new website into Azure for the company global event.

Acceptance Criteria: The infrastructure is deployed using infrastructure as code (IaC) into Azure, with a resilient and scalable system in place, meeting our defined SLA. The website will be operational in time for end users to be able to register via the website and navigate all aspects successfully, also addressing all inclusion requirements for visibility.

While I just gave a high-level example, we now need to figure HOW we are going to achieve this in 3 months. This begins the planning phase where it is critical for all stakeholders to be involved. This includes, but not limited to: the operations team, the development team, the security team, project managers, etc. No one likes to get that email request or tap on the shoulder asking for a task to be done yesterday. We need everyone involved in this planning piece; it is crucial to the success of the project. This is a great time to bring in those subject matter experts who know what dependencies might exist, but this also allows for all of the teams to be involved and to prevent chasing them down and causing them to incur unplanned work.

We need to clearly define what we are trying to deliver, and we must delineate on what are the ‘must haves’ and the ‘nice to haves’ that can be fulfilled in the designated time frame. As a team, we are aware that we have 3 months to deliver our definition of done. We need to develop an agile methodology that sets milestones into our plan, providing checkpoints for the stakeholders.

Agile Methodology Planning

Now, we need to figure out HOW we get there. This is the planning phase where we need all stakeholders involved. We need to determine the ‘must haves’ and the ‘nice to haves’. As a team, we know that we have 3 months to achieve our definition of done, the planning part is key. We need to set some milestones in our planning as check in points for our stakeholders. From there we can fill in the tasks for each milestone.

Structure of work items and tasks

Defining the milestones and tasks do not require you to be a project manager, instead it’s something that ALL of your technical team should be involved in. Give them ownership in their tasks, this also allows for them to bring forward their existing work in progress and what other conflicting priorities might exist. Bring in those subject matter experts to help pick apart and identify known dependencies that exist (remember that time thief, unknown dependencies?), giving your teams the best chance of success. Nobody likes a surprise, give your team a head start by addressing the issues in the planning phase.

When planning, you often hear ‘I have too much work to do and can’t be involved.’ Find the time. Whether it’s a time block of 30 mins, or even 15, get those folks involved. Help them become vested in the project and more importantly, align your priorities. Carving out even just 30 mins in the beginning can save hours, days and weeks in delays later on. Prioritization and involvement of the tasks need to be planned out. We constantly have too much work because priorities in our companies and in projects are not set. Everything is always on fire, and everyone always wanted it done yesterday. This is where we see constant conflicts of interest amongst various teams in projects.

The time thief conflicting priorities exist because teams are not incentivized to help on your project, or they don’t see the value that it will drive.

Using the planning time to align priorities across teams will break down those silos. Take the time to understand each others deliverables and priorities. This is a great opportunity to uncover common ground, understand the other teams’ pain points and maybe how you can help each other better. How we incentivize our teams cause these silos within our organizations. The operational teams are expected to keep the lights on 24/7, probably even delivering against an SLA. The development teams are expected to push new features, which in the past has hurt the operational teams’ SLA. These are conflicting priorities. This is a great opportunity in this project to come together to find better ways of working and deliver value together. We’ve talked about these time thieves and how they stop us from delivering successful projects. Now let’s focus on Azure Boards, how the tool itself can up us organize and plan our projects.  

I LOVE Azure Boards because it is the key to organizing your project, it enables you to plan and track your work. It also improves communication within a project by providing visibility as to what is happening on the project, allowing your engineers to do their work, knowing what tasks are being worked on and who they are assigned to, as well as give visibility and full traceability of all the work being undertaken in a project.

Azure Boards allows you to organize your work using a triage and prioritization system. Remember those time thieves of ‘unplanned work’, ‘neglected work’ and ‘WIP’? Boards uses a Kanban style view to help you organize all the tasks in each milestone, also giving you the ability to triage incoming work and finding a place to tackle those tasks. Giving you the ability to prioritize all work items, with reporting that can visualize how the team is progressing on the project.

Azure Boards is part of Azure DevOps which has so many features and capabilities baked in. You can watch the video that myself and Nana from Techworld with Nana put together on Azure Boards. 

Azure Boards – The Features

Azure Boards allows teams to organize their projects by enabling an agile process. It uses a Kanban style view, that includes calendar views, configurable dashboards, and integrated reporting. These tools can be used from any small project and easily scales to use with much larger projects.

Project Delivery Analytics

Azure Boards enables your teams to track their work and track issues (such as tasks, bugs, dependency issues, etc) in a very easy to read format. The stakeholders can pull reports of how the project is progressing, it can also help the stakeholders to see how the teams tasks are prioritized.  Boards holds your engineers accountable for their work but also giving insight to where those time thieves are interfering in the project delivery. Making it easier to evolve your project delivery methods and adjust timings to reach those milestones.

Looking at our project we outlined above, we can set up a delivery plan in Azure Boards that displays a calendar view of when our deliverables are due as well assisting us in planning the timings required to reach our milestones.

Delivery Plan View

We can also track dependencies and add items to the backlog when they crop up, addressing unplanned work. For example, we notice a performance issue with the website. The development team is blaming the infrastructure team, but the infrastructure team does not see any performance issues. Instead of watching each team blame each other, we can the issues together, encouraging both teams to tackle the issue. In the end, they did find a dependency on the code and the scalability in the infrastructure. This dependency was marked and going forward both teams can work together to resolve these issues.

In Azure Boards we can setup Sprints, a set time (let’s say 2 weeks) where we deliver a specific part of our wider project. Several sprints make up a milestone (let’s assume 2 sprints per milestone in our existing project – assuming a milestone is a month long). Each engineer is responsible for creating and assigning their tasks for the sprint. This gives the engineers ownership of what is to be delivered, but also allows for them to plan around their existing priorities and other known dependencies that need to be addressed. Giving your engineers ownership over their tasks and priorities incentivizes them to deliver better quality work, but also addresses their many time thieves, giving them control over their work.  

Planning work is critical to project success, it enables organization and visibility from every single stakeholders, creating a culture within the teams that they are also involved in the project and not brought in when everything is on fire and due yesterday.

Azure Boards – Tracking Work and Deployments

Automation removes human error, let’s face it, as humans, we make a lot of mistakes. The website that we’re building in our example is deployed with infrastructure as code (IaC) into Azure. Whether we choose Bicep, Terraform or Ansible, is negligible, Azure DevOps can support deployment of any IaC tool into Azure. All of the work creating infrastructure deployments (writing the IaC), maintaining the infrastructure and on-going monitoring is managed as tasks in Azure Boards. The operations team can be proactive around maintenance, issues or any other items that crop up. Giving the engineers full traceability into their work, enabling them to recover faster from mistakes.

Azure Boards and GitHub

Let’s take a scenario where your development team stores all of their source code in GitHub. That’s okay! Azure DevOps and GitHub work seamlessly together. GitHub and Azure DevOps integrate to support using both platforms, even if the existing code resides in GitHub, the ability to use Azure Boards to plan and track your work can still be configured and managed from Azure Boards! You can also link any commits made to GitHub to your work items in Azure Boards, giving you full visibility of the work being undertaken.

Azure DevOps and Microsoft Teams

Communication is crucial for any project. Giving status updates, reporting issues, progress and everything else can be time consuming, but also time prohibitive as we often spend a lot of time in meetings. With Azure Boards and Microsoft Teams we can enable the two to communicate. You can set up a channel in Teams and configure what types of notifications you want to receive.

One example, a user reports an issue with our project. We can easily create a work item directly from the Teams channel based on that conversation with our colleague. We can also configure Teams to subscribe to certain types of work items in Boards, or monitor work item activity from our Teams channel.

Create a work item from a Teams channel

Traceability of how the work item was created

There are many ways to integrate the two tools, increasing visibility of project work and keeping an open line of communication with your stakeholders and other technical teams.

Azure Boards – In Summary

Azure Boards has so many features built into it.  Most importantly, it helps your team to get organized for any size project and implement better working practices. Let’s face it, Azure DevOps is just a tool, there needs to be a culture change that takes place to help your teams achieve more.

Watch the full Azure DevOps Zero to Hero video on YouTube. Good luck with your next project and tackle those time thieves!

Lesson Learned #262: Database Wait Stats and Log Analytics.

by Contributed | Dec 28, 2022 | Technology

This article is contributed. See the original author and article here.

Yesterday, we received a question from our customer that needs to know if it is possible to receive an email or alert about the main database wait stats usage for performance monitoring. Following, I would like to share an example how to do it. 

Once we have enabled in our database the option of diagnostics setting to capture the database wait statistics this information will be saved in a specific table AutoDiagnostics in the Category DatabaseWaitStatistics. 

Basically, we need to filter by the resource that we want to monitor and add some logic to calculate the delta. 

AzureDiagnostics
| where Category == "DatabaseWaitStatistics"
| where ResourceId =~ '/SUBSCRIPTIONS/XXXX-XXXX-XXX-XXX-D6C13FEF4316/RESOURCEGROUPS/ResourceGroupName/PROVIDERS/MICROSOFT.SQL/SERVERS/Servername/DATABASES/DatabaseName'
| where TimeGenerated >= ago(10m)
| project delta_wait_time_ms_d, wait_type_s
| summarize total_wait_time_in_ms = sum(delta_wait_time_ms_d) / 1000
    by wait_type_s
| sort by total_wait_time_in_ms desc
| extend Rank=row_rank(total_wait_time_in_ms)

Once we run this query we have:

With this Kusto Query already implemented, basically, we could create an alert using the button New alert rule:

and configure the alert and the details needed:

Enjoy!

Azure Marketplace new offers – December 27, 2022

by Contributed | Dec 27, 2022 | Technology

This article is contributed. See the original author and article here.

We continue to expand the Azure Marketplace ecosystem. For this volume, 103 new offers successfully met the onboarding criteria and went live. See details of the new offers below:

Get it now in our marketplace
	AnalyticVue: AnalyticVue delivers a secure, Azure-based platform that transforms raw K-12 data from multiple school district systems into unified insights to empower district administrators, curriculum administrators, principals, students, teachers, and parents.
	Arize AI: Get observable machine learning, model monitoring, performance management, and root cause analysis with Arize AI, an Azure-based platform that centralizes all your data sets across training, validation, and production.
	Auditmation Connection Node: Auditmation’s Connection Node allows you to seamlessly collect data from IT systems or perform IT compliance tests by connecting an organization’s Azure environment with the Auditmation audit and risk automation platform.
	AWS CLI on CentOS Stream 8: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on CentOS Stream 8. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Red Hat Enterprise Linux 9: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Red Hat Enterprise Linux 9. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Red Hat Enterprise Linux 9.1: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Red Hat Enterprise Linux 9.1. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Windows Server 2012 R2: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Windows Server 2012 R2. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Windows Server 2016: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Windows Server 2016. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Windows Server 2019: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Windows Server 2019. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	AWS CLI on Windows Server 2022: AskforCloud has configured this virtual machine with the AWS Command Line Interface preinstalled on Windows Server 2022. The AWS CLI lets you manage your AWS services with functionality equivalent to the AWS Management Console.
	Azure CLI on Red Hat Enterprise Linux 9.1: AskforCloud has prepackaged this virtual image containing the Azure Command-Line Interface (CLI) on Red Hat Enterprise Linux 9.1. The Azure Command-Line Interface lets you manage Azure resources through a terminal or a script.
	BigDL PPML: Secure Big Data AI on Intel SGX: BigDL PPML from Intel provides a distributed privacy preserving machine learning (PPML) platform for end-to-end Big Data AI pipelines, giving you secure analysis on a trusted cluster environment running on Intel SGX and Microsoft Azure.
	CC1 – Compliance Cloud One: CC1 is a hybrid cloud solution that lets you capture audio, text, IM, video, screen shares, and other business data from Microsoft Teams for later analysis to facilitate compliance with governance and monitoring policies under multiple regulations.
	Docker Containers as a Service (CaaS): This preconfigured image from Stackhero includes Docker on Stackhero DC OS, a custom Linux distribution. Docker helps developers build, share, and run modern applications.
	Dropvault Board Rooms: Dropvault Board Rooms delivers an Azure-based solution to encrypt your board room discussions, enhancing privacy and security for document sharing, actions, voting, meetings, and other board-level activities.
	EasyDMARC: EasyDMARC delivers an AI-powered, all-in-one email security solution hosted on Microsoft Azure, providing you with tools to generate, analyze, and maintain SPF, DKIM, and DMARC records for your organization.
	eMIP: Available only in Romanian, the eMIP platform delivers a solution for implementing and managing Operational Program Human Capital (POCU) projects and business plans.
	Emissions.AI: Emissions.AI helps you analyze your data to identify opportunities to reduce emissions, fuel consumption, and costs across facilities. You’ll also be able to reduce operational inefficiencies and optimize energy consumption.
	EspoCRM: This preconfigured virtual machine image from VMLab delivers EspoCRM 7.2.7 with MySQL, Nginx, phpMyAdmin, and Docker on Ubuntu 22.04. EspoCRM is a web-based, open-source CRM platform.
	Grafana: This preconfigured image from Stackhero includes Grafana on Stackhero DC OS, a custom Linux distribution. Grafana delivers analytics and interactive visualizations through a web interface.
	HPE StoreOnce VSA 4.3.4: HPE StoreOnce delivers fast, efficient, and scalable storage for backup data through a virtual appliance hosted on Microsoft Azure. Reduce backup data storage costs with high-performance data de-duplication.
	InfluxDB: This preconfigured image from Stackhero provides InfluxDB on Stackhero DC OS, a custom Linux distribution. InfluxDB is designed to store time series data for real-time analytics.
	Kali Linux on Azure: AskforCloud has preconfigured this virtual machine image containing Kali Linux, a Debian-based distribution designed for advanced penetration testing and security auditing.
	Matomo: This preconfigured image from Stackhero provides Matomo on Stackhero DC OS, a custom Linux distribution. Matomo is an open-source analytics platform built on PHP and MySQL.
	Mercure-Hub: This preconfigured image from Stackhero provides Mercure-Hub on Stackhero DC OS, a custom Linux distribution. The Mercure-Hub server supports the Mercure protocol, allowing fast push updates to web browsers and other HTTP clients.
	Mosquitto (MQTT): This preconfigured image from Stackhero provides Mosquitto on Stackhero DC OS, a custom Linux distribution. Mosquitto is an open-source message broker implementing the MQTT protocol.
	Node.js: This preconfigured image from Stackhero provides Node.js on Stackhero DC OS, a custom Linux distribution. Node.js features a back-end JavaScript runtime environment to execute JavaScript outside a web browser.
	PHP: This preconfigured image from Stackhero provides PHP on Stackhero DC OS, a custom Linux distribution. Deploy your PHP app on a managed server for high performance and security.
	PowerShell 7.2 on Red Hat Enterprise Linux 9.1: AskforCloud has configured this virtual machine image containing Microsoft PowerShell 7.2 on Red Hat Enterprise Linux 9.1. PowerShell is a cross-platform task automation and configuration management solution.
	PowerShell 7.3 on Debian 10 Linux: AskforCloud has configured this virtual machine image containing Microsoft PowerShell 7.3 on Debian 10 Linux. PowerShell is a cross-platform task automation and configuration management solution.
	PowerShell 7.3 on Debian 11 Linux: AskforCloud has configured this virtual machine image containing Microsoft PowerShell 7.3 on Debian 11 Linux. PowerShell is a cross-platform task automation and configuration management solution.
	PowerShell 7.3 on Red Hat Enterprise Linux 9: AskforCloud has configured this virtual machine image containing Microsoft PowerShell 7.3 on Red Hat Enterprise Linux 9. PowerShell is a cross-platform task automation and configuration management solution.
	PowerShell 7.3 on Red Hat Enterprise Linux 9.1: AskforCloud has configured this virtual machine image containing Microsoft PowerShell 7.3 on Red Hat Enterprise Linux 9.1. PowerShell is a cross-platform task automation and configuration management solution.
	Product Delivery: Product Delivery from AnyLogic is a multi-method machine learning model for Microsoft Project Bonsai depicting a supply chain for a single product, from manufacturer to distributors.
	Prometheus: This preconfigured image from Stackhero provides Prometheus on Stackhero DC OS, a custom Linux distribution. Prometheus is an open-source monitoring and time series database.
	RADIUS Server – FreeRADIUS and daloRADIUS: Cloud Infrastructure Services has packaged this virtual machine containing FreeRADIUS and daloRADIUS on Ubuntu 20.04, supporting RADIUS authentication integrated with LDAP and Microsoft Azure Active Directory.
	Redis: This preconfigured image from Stackhero provides Redis on Stackhero DC OS, a custom Linux distribution. Redis is an in-memory data structure store that is used as a database, cache, and message broker.
	RStudio Server: Elm Computing has preconfigured this virtual machine image containing RStudio Server, an integrated development environment for R with popular R packages preinstalled.
	SingleStoreDB as a Service: SingleStoreDB as a Service from IBM is a fully managed elastic cloud database hosted on Microsoft Azure. With built-in high availability, the SingleStoreDB converged database delivers query performance, scalability, and resiliency.
	Stable Diffusion: Techlatest.net has preconfigured this virtual machine image with Stable Diffusion, a deep learning, text-to-image model used for generation of detailed images from text descriptions along with an intuitive web interface for easy AI image synthesis on Azure.
	ThousandEyes: ThousandEyes from Cisco gives you a real-time map of how your customers and employees experience critical apps and services across traditional SD-WAN, internet, and cloud provider networks. See beyond the edge and get visibility into dependencies.
	Ubuntu 22.04 LTS Minimal: Cloud Infrastructure Services has preconfigured this virtual machine image containing Ubuntu Minimal 22.04 LTS. Minimal images are designed for deployment at scale, optimized boot, and easier maintenance.
	WADE for Data Lakehouse: WADE automates data lakehouses and data flow orchestration to speed data preparation for machine learning (ML) and artificial intelligence. This end-to-end solution will accelerate your ML capabilities and data insight generation.
	We Transeth: We Transeth manages and implements business plans for entrepreneurs who want a software-as-a-service solution on Azure to manage their business and control data, budget, reports, and archives.
	White Hat Managed Security Services: White Hat IT Security’s managed services for medium and large enterprises provide managed detection and response (MDR) using Microsoft Sentinel and Microsoft 365 Defender, with optional connection to your Microsoft Sentinel environment.
	Workhera: Available only in Italian, Workhera provides apps for management of office and parking booking, employee engagement monitoring, and virtual badge access. Workhera integrates with Microsoft Active Directory single sign-on.
Go further with workshops, proofs of concept, and implementations
	Avanade Intelligent Manufacturing: 12-Week Implementation: Avanade will implement a minimum viable product (MVP) of its Intelligent Manufacturing solution, built on Azure Databricks Lakehouse, to enable you to gain insights and optimize operations.
	Azure Migration: Implementation: Cloud 9INE Consulting will migrate your on-premises environment to Azure. This strategic approach utilizes native Azure tools to modernize servers, virtual machines, databases, and web applications.
	Azure Virtual Desktop: 5-Day Implementation: Available only in German, primeline Solutions’ service includes the design, installation, and configuration of a complete solution on Azure Virtual Desktop, enabling your employees to securely access work from anywhere.
	Business Intelligence with Azure: 4-Week Implementation: Available only in Spanish, DATUM REDSOFT’s service helps you take advantage of your data by creating analytical dashboards with real-time business indicators using Microsoft Azure and Microsoft Power BI.
	Cloud Scale Analytics: ​Implementation: Veraqor will perform a complete development lifecycle to deliver a central data repository from several data sources, delivering multiple reports and dashboards built on Microsoft Power BI and Microsoft Azure.
	Data Management: 6-Day Assessment: Sparkle will identify the main pain points of data management within your organization and address issues such as data governance and technical architecture through a high-level roadmap for a solution built on Microsoft Azure.
	Data Modernization: 4-Week Implementation: Available only in Spanish, Nebulan’s database modernization service will improve the processing, reliability, performance, and cost of your data solution on Microsoft Azure. This offer includes an option to delegate backup administration.
	FleetExecuter Automated Guided Vehicle: 8-Week Implementation: MHP FleetExecuter from Porsche lets you manage your automated guided vehicle (AGV) fleet, inclusive of vehicle maker, communication protocol, and drive technologies, via a solution built on Microsoft Azure.
	Infrastructure, Application, and Database Migration: ​Implementation: Veraqor will deliver a fully functional solution built on Microsoft Azure, migrating and modernizing one of your app or database systems from on-premises.
	Infrastructure, Application, and Database Migration: Proof of Concept: Veraqor will design and set up a proof-of-concept migration of any app or database from one of your on-premises systems, delivering a lift-and-shift solution built on Microsoft Azure.
	Knowledge Mining on Azure: 2- to 3-Week Implementation: Information & Communication Technology will deploy a high-performing search service built on Microsoft Azure Cognitive Services to help you extract valuable information from massive sets of structured and unstructured data.
	Land Survey using Azure & Telescope: 6-Week Proof of Concept: Affine will deliver a proof of concept of its AI-based Land Survey, powered by Microsoft Azure and Affine’s Telescope, providing an end-to-end solution that converts any aerial data set into CAD site plans for the architecture, engineering, and construction (AEC) sector.
	Migration Carbon Emission Savings Calculator: 2-Week Implementation: Version 1 will deliver its Migration Carbon Emission Savings Calculator to enable you to plan, forecast, and implement your migration to Azure in a carbon-efficient and cost-saving manner. The tool compares on-premises environments to possible migration scenarios.
	Professional Services for Prisma CSPM Optimization: Palo Alto Networks will optimize your Prisma Cloud Security Posture Management (CSPM) integration on Microsoft Azure with tangible recommendations for SecOps team activities leading to enhanced playbooks, workflows, and processes.
	Unified SIEM and XDR to Modernize Security Operations: Information & Communication Technology (ICT) will assess, deploy, and configure Microsoft Sentinel and Microsoft Defender to enable you to achieve unified threat detection and response.
	Workshop Data Strategy: Available only in French, Talent Business Solutions’ workshop will guide you through recommended solutions to automate your management processes by using the Microsoft Power Platform and Azure-based solutions.
Contact our partners
365 CAD for Public Safety
365 JMS – Jail Management System
AiTat
Appsmith packaged by Bitnami
Ataccama ONE Data Catalog
Atech Cloud MSSP (MDR/XDR)
Atos Digital Enablement Platform
Azure for Data Analysis & BI in Healthcare: 6-Week Assessment
Azure Infrastructure and Database Migration:​ Assessment
Callbot Voxibot
Carbon
Cloud Discovery: Assessment
Cloudflare Access
Cloudflare Area1
Cloudflare Gateway
Cloudflare RBI
Cloudflare Tunnel
Connect Plans 360
Data Warehousing & Business Intelligence: 6-Week Assessment
Decentriq Media Data Clean Room
DrDoctor Digital Assessments
DriveTracer
DSharp Engine
EarthNET Data Management and Visualization
EcoStruxure for Retail
Future Seed
Gitea packaged by Bitnami
HAFN Cloud Connect: Assessment
ID Document & Biometric Verification
Infonova Digital Marketplace
IoT Platform: 4-Week Assessment
Jamf Protect for Microsoft Sentinel
Myriad
PiBi – Embedded Reports Portal
Sanctions Screening API
SecurityScorecard Ratings for Microsoft Sentinel
Signzy FY 23 Update
Thales FIDO2 Passwordless Authentication for Azure AD
Thinear Sonar
Trellis
Wokr

Software Installation Using Machine Configuration and Azure Policy

by Contributed | Dec 26, 2022 | Technology

This article is contributed. See the original author and article here.

I did a post a while ago on installing software onto virtual machines using policy state change events as the trigger. Now with the general availability of Azure Automanage Machine Configuration (formerly Azure Policy Guest Configuration) it’s time for a bit of an update to that post. In this guide I’ll again be installing PowerShell 7 – however I’ll use Machine Configuration and Azure Policy to handle the installation. Let’s get started….

Development Environment

To make sure I have all the tools to complete this process I need to install some pre-requisite software. This is so I can generate the package which the virtual machine will download to tell it how to install the software.

On my local machine I have installed:

• PowerShell 7.3.0


• The GuestConfiguration module – version 4.2.0


• The PSDscResources module – version 2.12.0.0


• An Azure Storage Account with a container which will host my configuration. The virtual machine needs to be able to contact this Storage Account so make sure it has connectivity.

The next steps show the process I use to create the configuration right through to running the remediation. I’ve uploaded the script to GitHub so you can follow it through and see what I have done.

Create the Configuration and MOF File

First step is to write a DSC configuration to install the software. I’m using the built in MSIPackage resource because it allows me to specify a URL which the software can be downloaded from. Note that DSC in Machine Configuration works a little bit differently – you can’t have credentials or reboots so be aware of those limitations. My configuration looks like below.

To generate the MOF file I just run the configuration by calling it: –

A MOF file is generated – the same as a normal DSC configuration and you can have a look to see what it contains.

Create the Configuration Package Artifacts

Now I use the GuestConfiguration module to create an artifact. This command packages together my MOF file, plus all the required modules into a zip file.

I just use the generated MOF file as an input and it will create the zip file for me. Notice that the type is ‘AuditAndSet’. This is telling the configuration that it can make changes to the virtual machine. The other option is ‘Audit’ which just checks the setting and reports the compliance state.

Upload the Package to a Storage Account

I must put the zip file into a storage account – I also need to generate a SAS URL which is going to be embedded into the policy. This is so the Machine Configuration agent knows where to get the package from.

Azure Policy Creation

All that is left to do is create the Azure Policy object which will check compliance for me – and allow me to commence remediation. The GuestConfiguration module has a command to generate this for me as demonstrated below.

A couple of things to note about some of the parameters in the image above:-

• PolicyID is a unique ID I generated using the New-Guid cmdlet – if you make changes or updates to the policy ensure this remains the same.


• Platform – ‘Windows’ in this case – if you want to do installs on Linux you need to write class-based DSC resources to do this (will cover in a future post).


• Mode is ‘ApplyAndAutoCorrect’ – this will configure the machine and correct drift as well.


• Tag – allows me to have some control over how the installation is targeted. This policy will only apply to machines which have a tag called “InstallPowerShell” with the value set to true.

The last line of the code above takes the generated policy and uploads it to Azure – by default it uploads it to the subscription but you can use any method you want to create the definition.

Assign the Policy

Before we assign the machine configuration policy we need to ensure that the prerequisite policy is installed – this is the same as in the previous blog.

The machines need to have a Managed Identity enabled so they can authenticate to the GuestConfiguration resource provider.

Assign the newly created policy to a scope of your choosing – we are now ready to test.

Testing the Deployment

I have my policy assigned to a resource group – the effect is going to be DeployIfNotExists however this works a little bit differently to a normal DINE policy. To show you how this works – I’ve assigned my policy to an empty resource group as below.

As expected I can see 100% compliance because there is nothing in that resource group.

Now I’m going to build a virtual machine in that resource group and wait for policy to take effect on it. The prerequisite policies set above will go through and enable a system assigned Managed Identity and install the policy agent for me.

My compliance is still showing 100% after this is done and this is the first trick we can use to control how this is deployed. Remember I specified a tag in my policy assignment – in order to make this policy apply to that virtual machine I need to add the tag to the server.

When I do that a sequence of events start – because the resource has been updated eventually the DeployIfNotExists policy will evaluate. However, unlike a normal DINE policy what Machine Configuration does is uses the metadata in the policy definition to create a Guest Assignment resource. The most important field on this object is the “assignmentType” and it is set to null by default. This means that the virtual machine will start evaluating the assignment but will only work in an audit mode.

Here is what the policy metadata looks like: –

And if I look at the Guest Assignment object in Azure (using the Resource Graph so we can view the properties) you can see that the assignmentType is null.

At this point the virtual machine will have received the assignment and downloaded the package from the storage account – and evaluated its compliance. It reports this back to the Guest Assignment object which Azure Policy is monitoring, and we can now see the non-compliant resource in the policy view.

And here is the compliance reason: –

The second “gate” we have to control the deployment is to run the proper DeployIfNotExists effect on the deployment and I can do this using a remediation task.

This will cause the deployment to happen as stated in the policy file – and you can see the major difference is that it will set that assignmentType value to “ApplyAndAutoCorrect”.

After that remediation task is run – I can check the Guest Assignment object in the Resource Graph and notice the difference.

The virtual machine will now download the new assignment details and see that the assignmentType has changed – the next time it runs it will now perform the correction if required. Once the software is installed the server will send a report back to the Guest Assignment service – and this will update the Guest Assignment object to compliant. Azure Policy will then check that object and report back the overall compliance.

Here is what the Guest Assignment resource looks like: –

And finally, the policy will also be compliant.

There are definitely a lot of moving parts involved with Machine Configuration and some limitations at this stage – however it is the way of the future so jump in and check it out.

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.