Mastering Azure & Cloud
one post at a time

Credits and sources

Microsoft Learn

Intro

In this part of the blog series, I want to show you how to remediate or dismiss the recommendation that Microsoft provides. Most of the recommendations are something you will want to implement, but some recommendations might not fit your environment. There are multiple ways of dismissing the recommendation. Here I will show you two, one is to waive the recommendation, and the other is to disable the policy that provides the recommendation. I won’t show how I go about all recommendations in this post, but I will show you how to use the security posture to improve your Azure secure score.

Credits and sources

Microsoft Learn

TechTarget

https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Posture-Management-CSPM

Intro

In this blog series, I want to focus on how Microsoft Defender for Cloud (MDFC) can help secure your Azure environment. MDFC is a collection of Defender products that provides security and visibility into your security posture in Azure. Still, many security features can also cover on-premises and other public clouds. MDFC offers free features and a range of paid features for your cloud workloads. I will go into each feature in this series to cover what it does and ensure you know if it is a paid feature. Any pricing mentioned in this series is from the Microsoft Azure pricing calculator, but there are other ways to buy the licenses, so you must find the best deal for your environment.

Credits and sources

Microsoft Learn

Intro

I want to look closely into the Azure Bastion service in this post. Azure Bastion is a service that provides secure remote access to Azure virtual machines. Bastion supports RDP and SSH for managing the virtual machines, and all traffic will use TLS for security. One of the key benefits of Bastion is that the need for a public IP address on your resources is removed. The public IP will be placed on Azure Bastion, and this service will then act as a proxy for access to the resource. Since your virtual machine doesn’t have a public IP address, you don’t have to worry about them being exposed externally, and port scanners won’t be able to detect them.

Intro

In this part of the series, I am creating the AVD session hosts so my users can start using the new Azure environment. A session host is a virtual machine that users can log in to and use their corporate software while having low latency to other resources placed in Azure.

The steps I will go through in this post are.

• Deploy a virtual machine
• Install the AVD components on the virtual machine. This deployment is a DSC resource that includes the AVD agent
• Join the virtual machine to Azure Active Directory
• FSLogix configurations on the session hosts
• Deployment and verification

Deploy a virtual machine

First, I will deploy a standard Windows virtual machine in Azure. I will use a Windows 11 multi-user operating system for this machine. Microsoft maintains this image, including Office 365 applications like Word, Excel, and Teams.

Intro

In this part of the series, I want to ensure that all permissions are given to the correct groups. I could provide access to individual users, but I try to stick to groups as they are easier to manage across an enterprise. I have identified the following permissions I need to grant to user groups.

• Azure AD Group to add to AVD Application groups
• Azure AD Group to add to “Virtual Machine User Login” RBAC role for the session hosts
• Azure AD Group to add to the “Storage File Data SMB Share Contributor” for the profile storage account

There are a few steps to get the storage account configured, and I will go through this process in depth.

Intro

I have now come to the part where I will start deploying AVD resources in my Azure environment. I am going to split the resources up into three parts. This first part will be the “backend,” meaning AVD workspace, host pool, and application groups. The next part will be on RBAC roles and security groups, and the last part will be on the session hosts.

Azure virtual desktop hostpool

First, I will create a host pool for AVD as a container for the session hosts.