Student lab manual
Lab scenario
Adatum Corporation hosts large amounts of unstructured and semi-structured data in its on-premises storage. Its maintenance becomes increasingly complex and costly. Some of the data is preserved for extensive amount of time to address data retention requirements. The Adatum Enterprise Architecture team is looking for inexpensive alternatives that would support tiered storage, while, at the same time allow for secure access that minimizes the possibility of data exfiltration. While the team is aware of practically unlimited capacity offered by Azure Storage, it is concerned about the usage of account keys, which grant unlimited access to the entire content of the corresponding storage accounts. While keys can be rotated in an orderly manner, such operation needs to be carried out with proper planning. In addition, access keys constitute exclusively an authorization mechanism, which limits the ability to properly audit their usage.
To address these shortcomings, the Architecture team decided to explore the use of shared access signatures. A shared access signature (SAS) provides secure delegated access to resources in a storage account while minimizing the possibility of unintended data exposure. SAS offers granular control over data access, including the ability to limit access to an individual storage object, such as a blob, restricting such access to a custom time window, as well as filtering network access to a designated IP address range. In addition, the Architecture team wants to evaluate the level of integration between Azure Storage and Azure Active Directory, hoping to address its audit requirements. The Architecture team also decided to determine suitability of Azure Files as an alternative to some of its on-premises file shares.
To accomplish these objectives, Adatum Corporation will test a range of authentication and authorization mechanisms for Azure Storage resources, including:
- Using shared access signatures on the account, container, and object-level
- Configuring access level for blobs
- Implementing Azure Active Directory based authorization
- Using storage account access keys
Objectives
After completing this lab, you will be able to:
- Implement authorization of Azure Storage blobs by leveraging shared access signatures
- Implement authorization of Azure Storage blobs by leveraging Azure Active Directory
- Implement authorization of Azure Storage file shares by leveraging access keys
Lab Files
- \\AZ303\AllFiles\Labs\06\azuredeploy30306suba.json
- \\AZ303\AllFiles\Labs\06\azuredeploy30306rga.json
- \\AZ303\AllFiles\Labs\06\azuredeploy30306rga.parameters.json
Exercise 0: Prepare the lab environment
The main tasks for this exercise are as follows:
- Deploy an Azure VM by using an Azure Resource Manager template
- Deploy Azure Bastion
Task 1: Deploy an Azure VM by using an Azure Resource Manager template
- From your lab computer, start a web browser, navigate to the Azure portal, and sign in by providing credentials of a user account with the Owner role in the subscription you will be using in this lab.
- In the Azure portal, open Cloud Shell pane by selecting on the toolbar icon directly to the right of the search textbox.
- If prompted to select either Bash or PowerShell, select PowerShell.

Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and select Create storage.
- In the toolbar of the Cloud Shell pane, select the Upload/Download files icon, in the drop-down menu select Upload, and upload the file \\AZ303\AllFiles\Labs\06\azuredeploy30306suba.json into the Cloud Shell home directory.
- From the Cloud Shell pane, run the following to create a resource group (replace the <Azure region> placeholder with the name of the Azure region that is available for deployment of Azure VMs in your subscription and which is closest to the location of your lab computer):

```powershell
$location = '<Azure region>'
New-AzSubscriptionDeployment `
    -Location $location `
    -Name az30306subaDeployment `
    -TemplateFile $HOME/azuredeploy30306suba.json `
    -rgLocation $location `
    -rgName 'az30306a-labRG'
```

Note: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/
- From the Cloud Shell pane, upload the Azure Resource Manager template \\AZ303\AllFiles\Labs\06\azuredeploy30306rga.json.
- From the Cloud Shell pane, upload the Azure Resource Manager parameter file \\AZ303\AllFiles\Labs\06\azuredeploy30306rga.parameters.json.
- From the Cloud Shell pane, run the following to deploy an Azure VM running Windows Server 2019 that you will be using in this lab (replace the <vm_Size> placeholder with the size of the Azure VM you intend to use for this deployment, such as Standard_D2s_v3):

```powershell
New-AzResourceGroupDeployment `
    -Name az30306rgaDeployment `
    -ResourceGroupName 'az30306a-labRG' `
    -TemplateFile $HOME/azuredeploy30306rga.json `
    -TemplateParameterFile $HOME/azuredeploy30306rga.parameters.json `
    -vmSize <vm_Size> `
    -AsJob
```

Note: Do not wait for the deployment to complete but instead proceed to the next exercise. The deployment should take less than 5 minutes.

- In the Azure portal, close the Cloud Shell pane.
Task 2: Deploy Azure Bastion
Note: Azure Bastion allows you to connect to the Azure VM you deployed in the previous task of this exercise without exposing a public endpoint on the VM, while providing protection against brute-force attacks that target operating system level credentials.
- In the browser window displaying the Azure portal, open another tab and, in the browser tab, navigate to the Azure portal.
- In the Azure portal, open Cloud Shell pane by selecting on the toolbar icon directly to the right of the search textbox.
- From the PowerShell session in the Cloud Shell pane, run the following to add a subnet named AzureBastionSubnet to the virtual network named az30306a-vnet you created earlier in this exercise:

```powershell
$resourceGroupName = 'az30306a-labRG'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Name 'az30306a-vnet'
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
    -Name 'AzureBastionSubnet' `
    -AddressPrefix 10.2.3.0/24 `
    -VirtualNetwork $vnet
$vnet | Set-AzVirtualNetwork
```

- Close the Cloud Shell pane.
- In the Azure portal, search for and select Bastions and, from the Bastions blade, select + Create.
- On the Basics tab of the Create a Bastion blade, specify the following settings and select Review + create.
Setting | Value |
---|---|
Subscription | the name of the Azure subscription you are using in this lab |
Resource group | az30306a-labRG |
Name | az30306a-bastion |
Region | the same Azure region to which you deployed the resources in the previous tasks of this exercise |
Tier | Basic |
Virtual network | az30306a-vnet |
Subnet | AzureBastionSubnet (10.2.3.0/24) |
Public IP address | Create new |
Public IP name | az30306a-vnet-ip |
- On the Review + create tab of the Create a Bastion blade, select Create.
Note: Wait for the deployment to complete before you proceed to the next task. The deployment might take about 5 minutes.
Exercise 1: Configure Azure Storage account authorization by using shared access signature
The main tasks for this exercise are as follows:
- Create an Azure Storage account
- Install Storage Explorer
- Generate an account-level shared access signature
- Create a blob container by using Azure Storage Explorer
- Upload a file to a blob container by using AzCopy
- Access a blob by using a blob-level shared access signature
Task 1: Create an Azure Storage account
- In the Azure portal, search for and select Storage accounts and, on the Storage accounts blade, select + Create.
- On the Basics tab of the Create a storage account blade, specify the following settings (leave others with their default values) and select Next: Advanced >.
Setting | Value |
---|---|
Subscription | the name of the Azure subscription you are using in this lab |
Resource group | the name of the new resource group az30306a-labRG |
Storage account name | any globally unique name between 3 and 24 in length consisting of letters and digits |
Location | the name of an Azure region where you can create an Azure Storage account |
Performance | Standard: Recommended for most scenarios (general-purpose v2 account) |
Redundancy | Locally redundant storage (LRS) |
- On the Advanced tab of the Create a storage account blade, review the available options, accept the defaults and Select Next: Networking >.
- On the Networking tab of the Create a storage account blade, review the available options, accept the default option Public endpoint (all networks) and select Next: Data protection >.
- On the Data protection tab of the Create storage account blade, review the available options, accept the defaults, and select Next: Tags >.
- Select Review + Create, wait for the validation process to complete and select Create.

Note: Wait for the Storage account to be created. This should take about 2 minutes.

Task 2: Install Storage Explorer
Note: Ensure that the deployment of the Azure VM you initiated at the beginning of this lab has completed before you proceed.
- In the Azure portal, search for and select Virtual machines, and, on the Virtual machines blade, in the list of virtual machines, select az30306a-vm0.
- On the az30306a-vm0 blade, select Connect, in the drop-down menu, select Bastion, on the Bastion tab of the az30306a-vm0 | Connect blade, select Use Bastion.
- When prompted, provide the following credentials and select Connect:
Setting | Value |
---|---|
User Name | Student |
Password | Pa55w.rd1234 |

- Within the Remote Desktop session to az30306a-vm0, in the Server Manager window, select Local Server, select the On link next to the IE Enhanced Security Configuration label, and, in the IE Enhanced Security Configuration dialog box, select both Off options.
- Within the Remote Desktop session to az30306a-vm0, start Internet Explorer, navigate to the download page of Microsoft Edge, download Microsoft Edge installer and perform the installation.
- Within the Remote Desktop session to az30306a-vm0, in Microsoft Edge, navigate to the download page of Azure Storage Explorer
- Within the Remote Desktop session to az30306a-vm0, download and install Azure Storage Explorer with the default settings.
Task 3: Generate an account-level shared access signature
- Within the Remote Desktop session to az30306a-vm0, start Microsoft Edge, navigate to the Azure portal, and sign-in by providing credentials of the user account with the Owner role in the subscription you are using in this lab.
- Navigate to the blade of the newly created storage account, select Access keys and review the settings of the target blade.

Note: Each storage account has two keys which you can independently regenerate. Knowledge of the storage account name and either of the two keys provides full access to the entire storage account.
- On the storage account blade, select Shared access signature and review the settings of the target blade.
- On the resulting blade, specify the following settings (leave others with their default values):
Setting | Value |
---|---|
Allowed services | Blob |
Allowed resource types | Service and Container |
Allowed permissions | Read, List and Create |
Blob versioning permissions | disabled |
Start | 24 hours before the current time in your current time zone |
End | 24 hours after the current time in your current time zone |
Allowed protocols | HTTPS only |
Signing key | key1 |
- Select Generate SAS and connection string.
- Copy the value of Blob service SAS URL into Clipboard.

Task 4: Create a blob container by using Azure Storage Explorer
- Within the Remote Desktop session to az30306a-vm0, start Azure Storage Explorer.
- In the Azure Storage Explorer window, on the Select Resource tab of the Connect to Azure Storage window, select Storage account or service.
- In the Azure Storage Explorer window, on the Select Connection Method tab of the Connect to Azure Storage window, select Shared access signature URL (SAS) and select Next.
- In the Azure Storage Explorer window, on the Enter Connection Info tab of the Connect to Azure Storage window, in the Display name text box, type az30306a-blobs, in the Service URL text box, paste the value you copied into Clipboard, and select Next.

Note: If Ctrl-V paste doesn't seem to work within the RDP session, try copying the Service URL into a Notepad on the SEA-Dev VM and then copying the value back into the RDP session.
- In the Azure Storage Explorer window, on the Summary tab of the Connect to Azure Storage window, select Connect.

- In the Azure Storage Explorer window, in the EXPLORER pane, navigate to the az30306a-blobs entry, expand it and note that you have access to Blob Container endpoint only.
- Right-click the Blob Containers entry (nested in the az30306a-blobs entry), in the right-click menu, select Create Blob Container, and use the empty text box to set the container name to container1.
- Select container1 to open a new tab in the main window pane of the Storage Explorer window, on the container1 tab, select Upload, and in the drop-down list, select Upload Files.
- In the Upload Files window, select the ellipsis button next to the Selected files label, in the Choose files to upload window, select C:\Windows\system.ini, and select Open.
- Back in the Upload Files window, select Upload and note the error message displayed in the Activities list.

Note: This is expected, since the shared access signature does not provide object-level permissions.
- Leave the Azure Storage Explorer window open.
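The following is an added example, not part of the lab manual, that reproduces Tasks 3 and 4 from PowerShell: it issues the same account-level SAS (Blob service, Service and Container resource types, Read/List/Create, HTTPS only, 24-hour window), decodes the token's fields so you can audit what it grants before handing it out, and then confirms that a container-level operation succeeds while a blob upload is refused. It assumes the Az.Storage module is loaded, you are signed in with Connect-AzAccount, and you replace the `<storage_account_name>` placeholder; the `Get-SasTokenFields` helper is written for this example.

```powershell
# Added example (not from the lab manual): account-level SAS from PowerShell.
# Assumptions: Az.Storage loaded, Connect-AzAccount done, placeholder replaced.
$resourceGroupName  = 'az30306a-labRG'
$storageAccountName = '<storage_account_name>'   # placeholder: your account name

# key1 is used only to sign the SAS; the SAS itself never discloses the key.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName)[0].Value
$keyContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key

# Same scope as the portal settings in Task 3.
$now = Get-Date
$accountSas = New-AzStorageAccountSASToken -Context $keyContext `
    -Service Blob `
    -ResourceType Service,Container `
    -Permission 'rlc' `
    -Protocol HttpsOnly `
    -StartTime $now.AddHours(-24) `
    -ExpiryTime $now.AddHours(24)

# Helper (this example's own): decode the SAS query string into its named fields.
function Get-SasTokenFields {
    param([Parameter(Mandatory)][string]$SasToken)
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $name, $value = $pair.Split('=', 2)
        $fields[$name] = [uri]::UnescapeDataString($value)
    }
    [pscustomobject]@{
        Services      = $fields['ss']    # b = blob
        ResourceTypes = $fields['srt']   # s = service, c = container, o = object
        Permissions   = $fields['sp']
        Protocol      = $fields['spr']
        Start         = $fields['st']
        Expiry        = $fields['se']
        IpRange       = $fields['sip']   # empty = any source address
    }
}
Get-SasTokenFields -SasToken $accountSas

# Data-plane calls below use the SAS, not the key.
$sasContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $accountSas

# Container-level operations are within scope (srt contains 'c', sp contains 'c' and 'l') ...
New-AzStorageContainer -Name 'container1' -Context $sasContext -ErrorAction SilentlyContinue | Out-Null
Get-AzStorageContainer -Context $sasContext | Select-Object Name, PublicAccess

# ... but an object-level operation is refused because srt lacks 'o': the same
# failure Storage Explorer reports in Task 4.
$tempFile = New-TemporaryFile
try {
    Set-AzStorageBlobContent -File $tempFile.FullName -Container 'container1' `
        -Blob 'probe.txt' -Context $sasContext -ErrorAction Stop | Out-Null
    Write-Warning 'Upload unexpectedly succeeded: the SAS grants more than intended.'
}
catch {
    Write-Host "Upload refused as expected: $($_.Exception.Message)"
}
finally {
    Remove-Item $tempFile.FullName -ErrorAction SilentlyContinue
}
```

The decoded `srt` and `sp` fields are what to check when a SAS is requested for a workload: a token that carries `o` in `srt` or write/delete letters in `sp` it does not need should be reissued rather than handed out.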
Task 5: Upload a file to a blob container by using AzCopy
- Within the Remote Desktop session to az30306a-vm0, in the browser window, on the Shared access signature blade, specify the following settings (leave others with their default values):
Setting | Value |
---|---|
Allowed services | Blob |
Allowed resource types | Object |
Allowed permissions | Read, Create |
Blob versioning permissions | disabled |
Start | 24 hours before the current time in your current time zone |
End | 24 hours after the current time in your current time zone |
Allowed protocols | HTTPS only |
Signing key | key1 |
- Select Generate SAS and connection string.
- Copy the value of SAS token into Clipboard.
- In the Azure portal, open Cloud Shell pane by selecting on the toolbar icon directly to the right of the search textbox.
- If prompted to select either Bash or PowerShell, select PowerShell.
- From the Cloud Shell pane, run the following to create a file and add a line of text into it:

```powershell
New-Item -Path './az30306ablob.html'
Set-Content './az30306ablob.html' '<h3>Hello from az30306ablob via SAS</h3>'
```
- From the Cloud Shell pane, run the following to upload the newly created file as a blob into container1 of the Azure Storage account you created earlier in this exercise (replace the <sas_token> placeholder with the value of the shared access signature you copied to Clipboard earlier in this task):

```powershell
$storageAccountName = (Get-AzStorageAccount -ResourceGroupName 'az30306a-labRG')[0].StorageAccountName
# The SAS token copied from the portal already begins with '?', so it is appended directly to the blob URL.
azcopy cp './az30306ablob.html' "https://$storageAccountName.blob.core.windows.net/container1/az30306ablob.html<sas_token>"
```
- Review the output generated by azcopy and verify that the job completed successfully.
- Close the Cloud Shell pane.
- Within the Remote Desktop session to az30306a-vm0, in the browser window, on the storage account blade, in the Data storage section, select Containers.
- In the list of containers, select container1.
- On the container1 blade, verify that az30306ablob.html appears in the list of blobs.
Task 6: Access a blob by using a blob-level shared access signature
- Within the Remote Desktop session to az30306a-vm0, in the browser window, on the container1 blade, select Change access level, verify that it is set to Private (no anonymous access), and select Cancel.

Note: If you want to allow anonymous access, you can set the public access level to Blob (anonymous read access for blobs only) or Container (anonymous read access for containers and blobs).

- On the container1 blade, select az30306ablob.html.
- On the az30306ablob.html blade, select Generate SAS, review the available options without modifying them, and then select Generate SAS token and URL.
- Copy the value of the Blob SAS URL into Clipboard.
- Open a new tab in the browser window and navigate to the URL you copied into Clipboard in the previous step.
- Verify that the message Hello from az30306ablob via SAS appears in the browser window.
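The following is an added example, not part of the lab manual, that issues the blob-level SAS of Task 6 from PowerShell with the narrowest useful scope (one blob, read only, HTTPS only, 15 minutes, one source IP) and then shows why a SAS cannot be escalated by editing it: the `sig` field is computed over every other field, so a tampered permission or a downgraded protocol is refused. It assumes the Az.Storage module, a signed-in session, the blob uploaded in Task 5, and that you replace the `<storage_account_name>` placeholder and the constructed IP address with your own; `Test-BlobSasUri` is this example's own helper.

```powershell
# Added example (not from the lab manual): blob-level SAS and signature binding.
# Assumptions: Az.Storage loaded, Connect-AzAccount done, placeholders replaced.
$resourceGroupName  = 'az30306a-labRG'
$storageAccountName = '<storage_account_name>'   # placeholder
$containerName      = 'container1'
$blobName           = 'az30306ablob.html'
$allowedIp          = '203.0.113.10'             # constructed: replace with your public IP

$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName)[0].Value
$keyContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key

# Read-only, single blob, HTTPS only, short lifetime, one source address.
$blobSasUri = New-AzStorageBlobSASToken -Context $keyContext `
    -Container $containerName -Blob $blobName `
    -Permission 'r' `
    -Protocol HttpsOnly `
    -ExpiryTime (Get-Date).AddMinutes(15) `
    -IPAddressOrRange $allowedIp `
    -FullUri

# Helper (this example's own): fetch a URL and report success or the refusal reason.
function Test-BlobSasUri {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Uri = $Uri; Status = $response.StatusCode; Body = $response.Content.Trim() }
    }
    catch {
        # Typically 403 AuthenticationFailed: expired, wrong IP or protocol, or a tampered field.
        [pscustomobject]@{ Uri = $Uri; Status = 'refused'; Body = $_.Exception.Message }
    }
}

# 1. Genuine SAS from the allowed IP within its lifetime: the Hello message comes back.
Test-BlobSasUri -Uri $blobSasUri

# 2. 'sp=r' edited to 'sp=rw': refused, because 'sig' no longer matches the fields.
Test-BlobSasUri -Uri ($blobSasUri -replace 'sp=r(&|$)', 'sp=rw$1')

# 3. Same SAS over plain HTTP: refused by 'spr=https'.
Test-BlobSasUri -Uri ($blobSasUri -replace '^https://', 'http://')
```

Because the signature binds the expiry, a short `-ExpiryTime` is the main control against a leaked SAS: the token stops working on its own, without a key rotation that would also invalidate every other SAS signed with that key.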
Exercise 2: Configure Azure Storage blob service authorization by using Azure Active Directory
The main tasks for this exercise are as follows:
- Create an Azure AD user
- Enable Azure Active Directory authorization for Azure Storage blob service
- Upload a file to a blob container by using AzCopy
Task 1: Create an Azure AD user
- Within the Remote Desktop session to az30306a-vm0, in the browser window, open PowerShell session within a Cloud Shell pane.
- From the Cloud Shell pane, run the following to explicitly authenticate to your Azure AD tenant:

```powershell
# AzureAD module cmdlet; the AzureAD cmdlets that follow require this session
Connect-AzureAD
```

- From the Cloud Shell pane, run the following to identify the Azure AD DNS domain name:

```powershell
$domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name
```

- From the Cloud Shell pane, run the following to create a new Azure AD user:

```powershell
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = 'Pa55w.rd1234'
$passwordProfile.ForceChangePasswordNextLogin = $false
New-AzureADUser -AccountEnabled $true -DisplayName 'az30306auser1' -PasswordProfile $passwordProfile -MailNickName 'az30306auser1' -UserPrincipalName "az30306auser1@$domainName"
```

- From the Cloud Shell pane, run the following to identify the user principal name of the newly created Azure AD user:

```powershell
(Get-AzureADUser -Filter "MailNickName eq 'az30306auser1'").UserPrincipalName
```
- Note the user principal name. You will need it later in this exercise.
- Close the Cloud Shell pane.
Task 2: Enable Azure Active Directory authorization for Azure Storage blob service
- Within the Remote Desktop session to az30306a-vm0, in the browser window displaying the Azure portal, navigate back to the container1 blade.
- On the container1 blade, select Switch to Azure AD User Account.
- Note the error message indicating that you no longer have permissions to list data in the blob container. This is expected.

Note: Despite having the Owner role in the subscription, you also need to be assigned either a built-in or a custom role that provides access to the blob content of the storage account, such as Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader.

- In the Azure portal, navigate back to the blade of the storage account hosting container1, select Access control (IAM), select + Add, and, in the drop-down list, select Add role assignment.

Note: Write down the name of the storage account. You will need it in the next task.
- On the Add role assignment blade, in the Role drop-down list, select Storage Blob Data Owner, ensure that the Assign access to drop-down list entry is set to User, group, or service principal, select both your user account and the user account you created in the previous task from the list displayed below the Select text box, and select Save.
- Navigate back to the container1 blade and verify that you can see the content of the container.
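The following is an added example, not part of the lab manual, that performs the role assignment of Task 2 from PowerShell at a narrower scope than the portal walkthrough: Storage Blob Data Reader on container1 only, rather than a data-plane role on the whole account. It then lists the data-plane assignments on the account for audit and reads the container with the signed-in identity's Azure AD token instead of a key or SAS. It assumes the Az.Accounts, Az.Resources and Az.Storage modules, a session signed in as the subscription Owner, and that you replace the `<storage_account_name>` and tenant domain placeholders; `Get-StorageDataRoleAssignment` is this example's own helper.

```powershell
# Added example (not from the lab manual): container-scoped RBAC and Azure AD data access.
# Assumptions: Az modules loaded, Connect-AzAccount done as Owner, placeholders replaced.
$resourceGroupName  = 'az30306a-labRG'
$storageAccountName = '<storage_account_name>'                 # placeholder
$containerName      = 'container1'
$userPrincipalName  = 'az30306auser1@<your_tenant_domain>'     # placeholder (from Exercise 2, Task 1)

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# Scope string for one container: the smallest unit at which blob data roles can be granted.
$containerScope = "$($account.Id)/blobServices/default/containers/$containerName"

# Reader is enough to list and download; Owner/Contributor add write and delete.
New-AzRoleAssignment -SignInName $userPrincipalName `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $containerScope

# Helper (this example's own): every blob data-plane assignment on the account
# or any of its containers, so over-broad grants stand out.
function Get-StorageDataRoleAssignment {
    param([Parameter(Mandatory)][string]$StorageAccountId)
    Get-AzRoleAssignment |
        Where-Object { $_.Scope -like "$StorageAccountId*" -and $_.RoleDefinitionName -like 'Storage Blob Data*' } |
        Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
}
Get-StorageDataRoleAssignment -StorageAccountId $account.Id

# Data-plane call authorized by the signed-in identity's Azure AD token: no key
# is retrieved, and the request is attributed to that identity in storage resource logs.
$aadContext = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
Get-AzStorageBlob -Container $containerName -Context $aadContext |
    Select-Object Name, Length, LastModified
```

Role assignments are additive, so the container-scoped Reader grant coexists with the account-level Storage Blob Data Owner assignment made in the portal; for the AzCopy upload in the next task the user still needs a role that includes write permission.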
Task 3: Upload a file to a blob container by using AzCopy
- Within the Remote Desktop session to az30306a-vm0, start Windows PowerShell.
- From the Windows PowerShell prompt, run the following to download the azcopy.zip archive, extract its content, and switch to the location containing azcopy.exe:

```powershell
$url = 'https://aka.ms/downloadazcopy-v10-windows'
$zipFile = '.\azcopy.zip'
Invoke-WebRequest -Uri $url -OutFile $zipFile
Expand-Archive -Path $zipFile -DestinationPath '.\'
Set-Location -Path 'azcopy*'
```

- From the Windows PowerShell prompt, run the following to authenticate AzCopy by using the Azure AD user account you created in the first task of this exercise:

```powershell
.\azcopy.exe login
```

Note: You cannot use a Microsoft account for this purpose, which is the reason that the Azure AD user account had to be created first.

- Follow the instructions provided in the message generated by the command you ran in the previous step to authenticate as the az30306auser1 user account. When prompted for credentials, provide the user principal name of the account you noted in the first task of this exercise and its password Pa55w.rd1234.
- Once you have successfully authenticated, from the Windows PowerShell prompt, run the following to create a file you will upload to container1:

```powershell
New-Item -Path './az30306bblob.html'
Set-Content './az30306bblob.html' '<h3>Hello from az30306bblob via Azure AD</h3>'
```
- From the Windows PowerShell prompt, run the following to upload the newly created file as a blob into container1 of the Azure Storage account you created in the previous exercise (replace the <storage_account_name> placeholder with the name of the storage account you noted in the previous task):

```powershell
.\azcopy.exe cp '.\az30306bblob.html' 'https://<storage_account_name>.blob.core.windows.net/container1/az30306bblob.html'
```

- Review the output generated by azcopy and verify that the job completed successfully.
- From the Windows PowerShell prompt, run the following to verify that you do not have access to the uploaded blob outside of the security context provided by the AzCopy utility (replace the <storage_account_name> placeholder with the name of the storage account you noted in the previous task):

```powershell
Invoke-WebRequest -Uri 'https://<storage_account_name>.blob.core.windows.net/container1/az30306bblob.html'
```
- Within the Remote Desktop session to az30306a-vm0, in the browser window, navigate back to container1.
- On the container1 blade, verify that az30306bblob.html appears in the list of blobs.
- On the container1 blade, select Change access level, set the public access level to Blob (anonymous read access for blobs only) and select OK.
- Switch back to the Windows PowerShell prompt and re-run the following command to verify that now you can access the uploaded blob anonymously (replace the <storage_account_name> placeholder with the name of the storage account you noted in the previous task):

```powershell
Invoke-WebRequest -Uri 'https://<storage_account_name>.blob.core.windows.net/container1/az30306bblob.html'
```
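The following is an added example, not part of the lab manual, that reverses the last step of Task 3 the way an administrator would after a review: it finds every container in the account that permits anonymous reads, probes one blob without credentials to show the exposure, resets the containers to Private, and disables anonymous access at the account level so it cannot be re-enabled per container. It assumes the Az.Storage module, a signed-in session whose identity can list the account keys, and that you replace the `<storage_account_name>` placeholder; `Get-AnonymousContainer` and `Test-AnonymousRead` are this example's own helpers.

```powershell
# Added example (not from the lab manual): audit and remove anonymous blob access.
# Assumptions: Az.Storage loaded, Connect-AzAccount done, placeholder replaced.
$resourceGroupName  = 'az30306a-labRG'
$storageAccountName = '<storage_account_name>'   # placeholder

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# Helper (this example's own): containers whose public access level is Blob or Container.
function Get-AnonymousContainer {
    param([Parameter(Mandatory)]$Account)
    # The account object's key-based context is needed to read container ACLs.
    Get-AzStorageContainer -Context $Account.Context |
        Where-Object { $_.PublicAccess -and $_.PublicAccess -ne 'Off' } |
        Select-Object Name, PublicAccess
}

# Helper (this example's own): unauthenticated GET, returning the status or the refusal.
function Test-AnonymousRead {
    param([Parameter(Mandatory)][string]$Uri)
    try { (Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop).StatusCode }
    catch { "refused ($($_.Exception.Message))" }
}

"Account-level AllowBlobPublicAccess: $($account.AllowBlobPublicAccess)"
$exposed = Get-AnonymousContainer -Account $account
$exposed

# container1 was set to Blob in Task 3, so this read succeeds with no credentials at all.
$blobUri = "https://$storageAccountName.blob.core.windows.net/container1/az30306bblob.html"
"Before: $(Test-AnonymousRead -Uri $blobUri)"

# Remediate container by container, then close the door at the account level.
foreach ($c in $exposed) {
    Set-AzStorageContainerAcl -Name $c.Name -Permission Off -Context $account.Context
}
Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName `
    -AllowBlobPublicAccess $false | Out-Null

"After: $(Test-AnonymousRead -Uri $blobUri)"
```

With `AllowBlobPublicAccess` set to `$false`, a later Change access level to Blob or Container on any container of this account is rejected, so the account-level setting is the one to enforce by policy; the per-container reset only cleans up what already exists.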
Exercise 3: Implement Azure Files
The main tasks for this exercise are as follows:
- Create an Azure Storage file share
- Map a drive to an Azure Storage file share from Windows
- Remove Azure resources deployed in the lab
Task 1: Create an Azure Storage file share
- Within the Remote Desktop session to az30306a-vm0, in the browser window displaying the Azure portal, navigate back to the blade of the storage account you created in the first exercise of this lab and, in the Data storage section, select File shares.
- Select + File share and create a file share with the following settings:
Setting | Value |
---|---|
Name | az30306a-share |
Quota | 1024 |
Task 2: Map a drive to an Azure Storage file share from Windows
- Select the newly created file share and select Connect.
- On the Connect blade, ensure that the Windows tab is selected, and select Copy to clipboard.

Note: Azure Storage file share mapping uses the storage account name and one of the two storage account keys as the equivalents of user name and password, respectively, in order to gain access to the target share.
- Within the Remote Desktop session to az30306a-vm0, open a PowerShell session and at the PowerShell prompt, paste and execute the script you copied.
- Verify that the script completed successfully.
- Start File Explorer, navigate to Z: drive and verify that the mapping was successful.
- In File Explorer, create a folder named Folder1 and a text file inside the folder named File1.txt.
- Switch back to the browser window displaying the Azure portal, on the az30306a-share blade, select Refresh, and verify that Folder1 appears in the list of folders.
- Select Folder1 and verify that File1.txt appears in the list of files.
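The following is an added example, not part of the lab manual, that does what the portal's Connect script does in Task 2, but fetches the account key at run time instead of pasting it, and then runs a rotation drill: key2 (the key the mapping does not use) is regenerated, which invalidates every copy of the old key2 while the key1-based mapping keeps working. That ordering is the planned rotation the lab scenario refers to. It assumes a Windows host with the Az modules loaded (az30306a-vm0 in this lab), a signed-in session, and that you replace the `<storage_account_name>` placeholder.

```powershell
# Added example (not from the lab manual): map the share with a fetched key, then rotate the other key.
# Assumptions: Windows host, Az modules loaded, Connect-AzAccount done, placeholder replaced.
$resourceGroupName  = 'az30306a-labRG'
$storageAccountName = '<storage_account_name>'   # placeholder
$shareName          = 'az30306a-share'
$fileHost           = "$storageAccountName.file.core.windows.net"

# SMB needs outbound TCP 445; many ISPs block it, which is why the lab maps from an Azure VM.
$connectTest = Test-NetConnection -ComputerName $fileHost -Port 445
if (-not $connectTest.TcpTestSucceeded) { throw "TCP 445 to $fileHost is blocked" }

# The share authenticates with account name + key: a shared secret that grants full
# access to the whole account, so it is read from the control plane here, not pasted.
$keys = Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName
$key1 = ($keys | Where-Object KeyName -eq 'key1').Value
$oldKey2 = ($keys | Where-Object KeyName -eq 'key2').Value

# Same two steps the portal script performs: cache the credential, map Z: persistently.
cmd.exe /C "cmdkey /add:`"$fileHost`" /user:`"localhost\$storageAccountName`" /pass:`"$key1`""
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fileHost\$shareName" -Persist | Out-Null
"Mapped with key1: $(Test-Path 'Z:\')"

# Rotation drill: regenerate key2. Any consumer still presenting the old key2 now fails,
# which is why rotation is sequenced: move consumers to key1, rotate key2, move them
# to key2, rotate key1.
New-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyName key2 | Out-Null
$newKey2 = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName |
            Where-Object KeyName -eq 'key2').Value
"key2 changed: $($newKey2 -ne $oldKey2)"
"Mapping still valid (signed with key1): $(Test-Path 'Z:\')"

# Remove the persistent mapping and the cached credential when finished.
Remove-PSDrive -Name Z -Force
cmd.exe /C "cmdkey /delete:$fileHost"
```

The cached credential written by `cmdkey` survives the PowerShell session and is readable by any process running as the same user, so the cleanup at the end matters on a shared or long-lived machine.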
Task 3: Remove Azure resources deployed in the lab
- Within the Remote Desktop session to az30306a-vm0, in the browser window displaying the Azure portal, start a PowerShell session within the Cloud Shell pane.
- From the Cloud Shell pane, run the following to list the resource group you created in this lab:

```powershell
Get-AzResourceGroup -Name 'az30306*'
```

Note: Verify that the output contains only the resource group you created in this lab. This group will be deleted in this task.

- From the Cloud Shell pane, run the following to delete the resource group you created in this lab:

```powershell
Get-AzResourceGroup -Name 'az30306*' | Remove-AzResourceGroup -Force -AsJob
```
- Close the Cloud Shell pane.
- In the Azure portal, navigate to the Users blade of the Azure Active Directory tenant associated with your Azure subscription.
- In the list of user accounts, select the entry representing the az30306auser1 user account, select the ellipsis icon in the toolbar, select Delete user and select Yes when prompted to confirm.