Automate Azure SQL Size using Azure Automation (Manual)

Recently a customer asked me how to save cost on their Azure SQL database without moving away from DTU based subscription model. In this case this customer knows exactly at what time their database is heavily utilized, and when it’s idling. So with a script its easy to automate.

In this manual we are going to size a SQL database from S4 to S3.

Step 1: In this first step we are going to add some modules to your Automation Account. Go to modules, and click on Browse gallery

From the Gallery search for az.accounts, click on it

Next make sure to Import the module

Now browse the Gallery again, this time search for az.sql and make sure to import this module as well.

STEP 2: This next step is important. We will need to create and assign a Run As Account when you’ve chosen not to create a run as account on the setup of your automation Account. Go to Run as Account, and click on Create Azure Run As Account

Click on Create

STEP 3: Now we will need to add some variables to your automation account. These variables will need to be filled with information about your Azure SQL Database and Server. Create the following variables, and make sure that you fill them.

  • Resourcegroup
  • Servername (without database.windows.net)
  • Database

STEP 4: Now go to runbooks, and create a new runbook!

Give your runbook a name, as type select PowerShell!

In the new opened window copy and paste the code from below. Adjust the variables $Edition and $PricingTier to your needs.

 $ResourceGroupName = Get-AutomationVariable -Name "Resourcegroup"
 $ServerName = Get-AutomationVariable -Name "Servername"
 $DatabaseName = Get-AutomationVariable -Name "Database"
 $Edition = "Standard"
 $PricingTier = "S4"

 
# Keep track of time
$StartDate=(GET-DATE)
 
 
 

# Log in to Azure with AZ (standard code)

Write-Verbose -Message 'Connecting to Azure'
  
# Name of the Azure Run As connection
$ConnectionName = 'AzureRunAsConnection'
try
{
    # Get the connection properties
    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName      
   
    'Log in to Azure...'
    $null = Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $ServicePrincipalConnection.TenantId `
        -ApplicationId $ServicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint 
}
catch 
{
    if (!$ServicePrincipalConnection)
    {
        # You forgot to turn on 'Create Azure Run As account' 
        $ErrorMessage = "Connection $ConnectionName not found."
        throw $ErrorMessage
    }
    else
    {
        # Something else went wrong
        Write-Error -Message $_.Exception.Message
        throw $_.Exception
    }
}

  

# Getting the database for testing and logging purposes

$MyAzureSqlDatabase = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $DatabaseName
if (!$MyAzureSqlDatabase)
{
    Write-Error "$($ServerName)\$($DatabaseName) not found in $($ResourceGroupName)"
    return
}
else
{
    Write-Output "Current pricing tier of $($ServerName)\$($DatabaseName): $($MyAzureSqlDatabase.Edition) - $($MyAzureSqlDatabase.CurrentServiceObjectiveName)"
}


# Set Pricing Tier Database

# Check for incompatible actions
if ($MyAzureSqlDatabase.Edition -eq $Edition -And $MyAzureSqlDatabase.CurrentServiceObjectiveName -eq $PricingTier)
{
    Write-Error "Cannot change pricing tier of $($ServerName)\$($DatabaseName) because the new pricing tier is equal to current pricing tier"
    return
}
else
{
    Write-Output "Changing pricing tier to $($Edition) - $($PricingTier)"
    $null = Set-AzSqlDatabase -DatabaseName $DatabaseName -ServerName $ServerName -ResourceGroupName $ResourceGroupName -Edition $Edition -RequestedServiceObjectiveName $PricingTier
}
 




# Show when finished

$Duration = NEW-TIMESPAN –Start $StartDate –End (GET-DATE)
Write-Output "Done in $([int]$Duration.TotalMinutes) minute(s) and $([int]$Duration.Seconds) second(s)"
 

Use the menu to Save your runbook, use the Test pane to review the output of your PowerShell script. When ready Publish your runbook!

STEP 5: Last step is to create a schedule. From your workbook go to Schedules, and Add an schedule.

Create a new schedule based on your requirements/needs.

Click create to finalize the process. Now go back to your SQL database. When the change is happening, you should see a update line like below that shows that the pricing tier is being updated!

How to re-enable inactive mailbox from litigation hold in exchange online using Power Shell(Manual)

When users leave the company you might want to retain the email for a longer period than the default 30 days. By enabling litigation hold you can retain mailboxes longer than 30 days, before you disable a user you can set the litigation hold to any value you would like. But at some point you might need the mailbox to be re-enabled for some reason. In this manual I am going to explain how to do it.

STEP 1: Open a new Power Shell window and type the following command

Import-Module ExchangeOnlineManagement
Continue reading “How to re-enable inactive mailbox from litigation hold in exchange online using Power Shell(Manual)”

Azure Automation: Run SQL command on Azure SQL (Manual)

How cool would it be to automate your daily SQL tasks using Azure Automation? Well, really cool off course! So lets start using Azure Automation! So go ahead, if you don’t have an automation account yet, create one by going to Automation Accounts.

Give your automation account an name, choose a subscription, resource group and a location and hit the create button!

Continue reading “Azure Automation: Run SQL command on Azure SQL (Manual)”

Microsoft announces Endpoint Data Loss Prevention (DLP) available in Preview

Microsoft has released its Data Loss Prevention tools for endpoint clients. Customers with Microsoft 365 subscriptions can now protect data on physical devices next to online services and apps.

This new feature it is possible to enable Microsoft 365 policies that have been configured for apps, to be active on computers as well. This is an extra service of Data Loss Prevention. It enables IT administrators to allow users what to do with sensitive data, and what to share. For example, IT administrators can block copying sensitive files to an external USB drive, or print the file.

Continue reading “Microsoft announces Endpoint Data Loss Prevention (DLP) available in Preview”

Retrieve hybrid Azure Active Directory join status

With the modern workplace getting more and more into the businesses, you might want to verify if your devices have been joined to both your local on-premises AD and Azure AD. Just one simple command is all you need to verify the status.

Wat is een hybride lid van Azure AD dat is gekoppeld aan het ...

On the (hybrid) domain joined device open up a command prompt as administrator, and run the following command:

dsregcmd /status

This should give you a result like below. The explanation for each value can be found below.

Continue reading “Retrieve hybrid Azure Active Directory join status”

How to use Azure Automation to maintain SQL indexes and statistics

When you migrate to Azure SQL, you might think that Azure does all SQL maintenance, including the maintenance of your database… But the truth is, you will need to setup some maintenance yourself for your databases. Microsoft doesn’t know what is best for your application or database. With this manual you should be able to setup basic database maintenance on Azure SQL.

Prerequisites

Manual

STEP 1: Login to your Azure SQL Database using SQL Management studio.

Continue reading “How to use Azure Automation to maintain SQL indexes and statistics”

Setup Azure File Share with AD authentication (Manual)

With the traditional file server coming to a end, it is time to move along with Azure File Share and AD authentication.

This image has an empty alt attribute; its file name is image-1.png

Pre-requisites:

STEP 1: First, let’s create a new storage account

Continue reading “Setup Azure File Share with AD authentication (Manual)”

How to install and setup AD Connect (Manual)

In this manual I am going to explain how to install and setup a connection between on-premise Active Directory and Azure AD.

Wat zijn Azure AD Connect en Connect Health? | Microsoft Docs

Pre-requisites:

STEP 1: First we will need to install AD connect. Run the setup wizard and follow the steps, this is an easy process. After installation the configuration wizard starts, and this is where it gets interesting.

STEP 2: Let’s go through the wizard, first agree with the license terms and click Continue. Feel free to actually read the license terms 🙂

Continue reading “How to install and setup AD Connect (Manual)”

Azure Shared disks now in Preview!

Microsoft had announced the limited preview of Azure Shared disks. With these announcement it will be possible to migrate clustered environments running Windows Server to Azure. This capability is designed to support SQL Server, Scale-Out File servers, RDS User Profile Disk and SAP ASCS/SCS servers running on Windows. Also Linux-based clustered file systems like GFS2 are supported.

The diagram above shows a 2 node cluster with a single shared disk. Just one node will receive write access, the other node will only receive read access. In case Azure Virtual Machine 1 goes down, write access will be transferred to Azure Virtual Machine 2. This scenario can be extended to more than 2 machines, but multiple shared disks can be attached as well, making it ideal for running parallel jobs or other multi machine tasks.

Disk types

Azure Shared Disks are only available on Premium SSD disks and only greater than P15 (256GiB) Microsoft has announced that Azure Ultra disk support will be released soon. The number of nodes that can be attached to a disk needs to be preset before mounting the disk to any node. Each disk type has its only limitation. The IOPS limit and bandwidth limit are not affected by this number. I would recommend to set this value has high as possible when deploying. In case a shared disk needs resizing to expand the number of nodes, it is required to un-mount the disk from all nodes.

Continue reading “Azure Shared disks now in Preview!”

Ethical hacking training at HBO Drechtsteden

Today I had the honors to do another workshop Ethical hacking together with Erik Loef. It is always good to share your knowledge, and help other people with their work, now and in the future. I hope that these students will embrace what they have learned, and that they will apply this newly obtained knowledge at their (future) employers.

No alternative text description for this image

OneDrive ADMX files (download)

When you want to migrate an older environment to Office 365 and OneDrive, you might miss the OneDrive GPO settings. Unfortunately Microsoft hasn’t release the download of the ADMX files. You will need to grab them manually from a recent Windows 10 machine, and import them in the right location.

Since I like to simplify things, I thought it might be convenient to create a prepared ADMX ZIP file with all necessary files, ready for extraction. So here is a link to download OneDrive ADMX files. Just simply extract the proper folders to the following location:

Local Domain Controller store:
C:\Windows\PolicyDefinitions\

Central Active Directory store:
\\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\

Microsoft adds IPv6 support for Azure VNets (Preview)

Today I noticed a new checkbox in the Azure Portal. Microsoft has released IPv6 in the Public preview for Azure VNets. Virtual machines will be equipped with a dual-stack IP connectivity. Meaning both will be available. With the ending of IPv4 addresses it makes IPv6 mandatory for everybody.

The new checkbox in Azure

From the Azure portal you can now add IPv6 address to the address scope on the VNet level.

The following diagram shows how IPv6 works as a dual-stack next to IPv4

Continue reading “Microsoft adds IPv6 support for Azure VNets (Preview)”

Lock down Microsoft Team creation (Manual)

By default everyone may create a new team in Microsoft Teams. As an organisation admin you might want to control this, or release it a some point. With this manual you should be able to lock down team creation to users that are member of a Azure AD Security group.

STEP 1: First we will need to install the Preview version of the Azure Active Directory PowerShell module for Graph. Open a PowerShell window with Adminstrator privileges and run the following 2 commands:

Uninstall-Module AzureAD
Install-Module AzureADPreview

STEP 2: Now we will need to connect to Azure-AD to perform the necessary actions. Sign in with an admin account when prompted.

#Connect to AAD
$AzureAdCred = Get-Credential 
Connect-AzureAD -Credential $AzureAdCred

STEP 3: In Azure AD using the Azure portal (https://portal.azure.com), create a new security group.

STEP 4: Enter the name of your security group on the top line, and run the following script.

$GroupName = "Your Security Group Name"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 if(!$settingsObjectID)
 {
       $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
     $settingsCopy = $template.CreateDirectorySetting()
     New-AzureADDirectorySetting -DirectorySetting $settingsCopy
     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 }
 $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
 $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
 if($GroupName)
 {
     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
 }
  else {
 $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
 }
 Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
 (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The result of the script should give you the updated settings. On the last line you should see EnableGroupCreation. If you want to reverse this setting. Just simply change the following line to True and run the entire script:

$AllowGroupCreation = “True”

If you want another security group, rerun the script with the new group name.

Find inactive mailboxes in Exchange Online

So you want to clean up unused (shared) mailboxes in your Exchange (Online) environment. How to find out which mailboxes have been inactive for a long time? The answer is yet simple again, with a cool Power Shell script.

Afbeeldingsresultaat voor exchange mailbox delete"

First we will connect to Exchange Online

$Credential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Continue reading “Find inactive mailboxes in Exchange Online”

Performance enhancement on Azure Premium SSD Disks

Microsoft has announced SSD bursting capabilities. This means that Premium SSD disks can achieve higher peak loads than the maximum IOPS with a new maximum of 3500 IOPS and a bandwidth up to 170 MiB/s. Together with this announcement Microsoft also announced new disk sizes (4, 8 & 16 GiB)

Explanation

With the new bursting disks you can achieve up to 30 times the provisioned bandwidth, which will give better performance for spiky workloads. Disk bursting is based on a credit system. You will receive bursting credits when traffic is below the provisioned limit. Let me try to explain it using a simple chart.

Continue reading “Performance enhancement on Azure Premium SSD Disks”

Change default email address Office 365 group (Manual)

Office 365 Groups are easy to create. However, changing the primary domain name when creating the group might not be that easy from the GUI. However, with Power Shell you can change this easily.

First we will need to open a Power Shell Window, and connect with Exchange Online.

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Next, we just need to change the 2 value’s below, and run it. After running, you don’t get a confirmation. It might take up to 30 minutes before changes are visible in all Office 365 and/or Azure portals.

Set-UnifiedGroup –Identity "Group name" –PrimarySmtpAddress primaryaddress@2azure.nl

Sources:
https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-unifiedgroup?view=exchange-ps

Credits: Martin van de Giessen

Convert AD domain users to Azure AD users (Manual)

With the move to the cloud there might be a time where you would like to remove the Active Directory link (AD Connect) and go for a cloud only strategy. With a few simple steps you can disconnect the AD connect sync from Azure AD.

When you look in your Office 365 environment you will notice that the sync status has different symbols. One for cloud only, and one for Active Directory. To disable the link, open a PowerShell window and run the following steps.

STEP 1: First make sure that you disable the AD Connect sync service by disabling the service, or set it to staging mode.

STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:

connect-msolservice

STEP 3: Now run the following command to disable the sync, confirm your actions, you cannot undo this change!

Continue reading “Convert AD domain users to Azure AD users (Manual)”

In memoriam – Nelleke den Boer

You might have noticed that it’s quiet on 2azure.nl. On the 19th of November my wife got very ill, with unknown brain damage she was hospitalized in the Erasmus University Medical Center. But despite all efforts she passed away on the 6th of December 2019 in the age of 29.

She was my soulmate in everything. Caring for me, for our children, and always interested in other people. Such a lovely wife. You are always in my heart.

Nelleke den Boer – Brouwer | 06-01-1990 – 06-12-2019

Update Exchange Online Global Address List (GAL)

There are situations where you would like to enforce an update of the Exchange Global Address list (GAL) in Office 365. With a few steps this can easily be done!

Requirements:

Exchange Online EXO V2 module, install using: Import-Module -Name ExchangeOnlineManagement

STEP 1: First we will need to make sure that our admin account has the correct permissions. Go to the Exchange Online Admin center, and then to permissions – admin roles and click on the + sign to add a new role

We will now create a new role group. Give it the name Address List Management and assign the role Address lists, and make sure to add the administrator account as a member. Click Save when ready.

Continue reading “Update Exchange Online Global Address List (GAL)”