Microsoft MVP for the 5th time in a row

I’m delighted to announce that I have been awarded Microsoft Most Valuable Professional (MVP) 2018-2019 for the 5th consecutive year:

Microsoft MVP 2018-2019 | Roman Levchenko

I would like to thank my family for ongoing support and everyone of you who have supported me in any form during the last year. So, needless to say, I couldn’t have done the following without all of you:

# my first book was published

# a couple of technical reviews of the well-known books (details later)

# books translations and localizations for Microsoft Russia

# publications at the official Microsoft Blog

# social activities (sharing, forums and etc.)

# speaking at local events

# multiple blog posts (thanks for your reading and comments!)

P.S. I’d like to paste a new photo here…but my Award Kit is on it’s way :). And, as it’s a 5th award, I’m expecting a special accompanying “5 years” ring.  Stay tuned.

Adding an Azure Subscription in VMM

Since VMM 2012 R2 (update rollup 6), you can add Azure subscription to VMM and perform basic actions on Azure IaaS VMs.Both VMM 2012 R2 and VMM 2016 support only classic Azure VMs and you may find that even Management Portal button in the VMM console still points to an old Azure portal (manage.windowsazure.com) which is no longer available.

VMM 2016 doesn’t bring any new changes to this feature and provides the same functionality for Azure VMs management through VMM console. However, VMM 1801 (the latest version available in semi-annual channel)  introduced a support for ARM-based VMs and region specific Azure subscriptions.

So, you can manage both classic VMs and ARM-based VMs using Azure AD Authentication or management certificates in VMM 1801. In this article, we will cover how to manage classic Azure VMs from VMM 2012 R2/2016, and then we briefly discuss new changes in VMM 1801 release.

What do you need?

  •  The console computer where this feature will be installed must have connectivity to the Internet in order to connect to the Azure Subscription
  • An active Azure subscription. For example, I’m using the one which goes with my MSDN subscription. You can also use a free Azure subscription.
  • You must be at least a Service Administrator for the Microsoft Azure Subscription being added. For example, I’m an owner of my subscription and no actions needed.
  • Microsoft Azure Subscription must have a Management Certificate associated with it in order to allow VMM to use the service management API in Microsoft Azure (will complete this later in this post)
  • The certificate needs to be present in the Current User \ Personal store of the computer running the VMM console. (will complete this later in this post)
  • The Management Certificate that is associated with the Azure Subscription must be present in the local certificate store on the computer that the wizard is being run on (will complete this later in this post)

How to do it?

  • On the VMM Server, open PowerShell with administrative privileges, and run the following to request a new self-signed certificate and add it to Personal store :
#This password will be used for PFX file
$pass= ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force 

#New self-signed certificate
$cert = New-SelfSignedCertificate -FriendlyName rlevchenko.com  -Subject rlevchenko.com -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom -KeyExportPolicy ExportableEncrypted -KeyLength 4096 -KeySpec KeyExchange

#Export PFX (if you plan to connect from another machine, import this PFX to the Personal store on your computer)
Export-PfxCertificate -Cert $cert  -FilePath C:\Cert\AzuretoVMM.pfx -Password $pass

#Export CER file which will be uploaded to Azure
Export-Certificate  -Cert $cert  -Type CERT -FilePath C:\Cert\RLVMM.cer
  • In the Azure Portal, go to Subscriptions –> Management Certificates and select C:\Cert\RLVMM.cer to upload. Once uploaded, copy your subscription ID as shown in the picture:

add azure subscription_1

  • Switch back to the VMM Console, navigate to VMs and Services and right click on Azure Subscriptions and select Add Subscription; type a display name of the subscription, paste Subscription ID and select the certificate that has been already added to the Personal store (VMM console automatically discovers all eligible certificates). If no certificates are shown, check certificates and their thumbprints in the Personal store (certmgr.msc)

add azure subscription_2

Note: Certificates and subscription setting information is stored in the Registry under HKEY_CURRENT_USER and is per login specific. This means that subscriptions that are added are visible on a per-machine, per-login basis.

  • Verify that new subscription has been added. If you have classic VMs running under the subscription, you will see a list of such VMs in the VMM.

As you can see in the following screenshot, actions are limited to Start, Stop, Shut Down, Restart and Connect via RDP

image

Note: Public and Internal IP addresses as well as VM size and other information is shown on the details pane

  • Repeat the same steps to add another subscription if needed.

What’s new in VMM 1801?

Unlike VMM 2012R2/2016, VMM 1801 supports management of Azure subscriptions and ARM-based VMs (which are the default in Azure now) through Azure Active Directory and region-specific Azure subscriptions. (namely Germany, China,  US Government Azure regions). VMM 1801 has also updated Azure Subscription wizard and now you can select between two authentication types: certificate-based or Azure AD-based. If Azure AD is selected, you don’t need to create and upload the certificate to Azure. Otherwise, use the steps above to integrate VMM 1801 with Azure using management certificate authentication.

To enable Azure AD-based authentication, you need to create AD Application using Azure Portal. Use the following step to create the AD Application:

  • Click on Azure Active Directory, go to App Registrations and click on New Application Request, then type an app name (for example, VMM1801) and sign-on URL (I used “fake” – https://rllab.com/vmm1801 and it works. You can change it later)
  • Go back to App Registration, switch to All Apps and copy the Application ID of the app you have just created.
  • In the Application properties, click on Settings, and then Keys; provide key description and duration, and click on Save; copy the key value

add azure subscription_5

  • In the Azure Portal, go to Properties of Azure AD and copy the Directory ID
  • Assign application to Classic Virtual Machine Contributor and Virtual Machine Contributor roles (Subscription – Access Control (IAM) – Add)
  • Open VMM Console and press Add Subscription, paste Subscription ID, Application ID, Directory ID and Key Value to the corresponding fields as shown in the screenshot:

add azure subscription_4

Note: Using Select Azure cloud drop-down list you can choose Azure reqion (Public, China, Germany or Government)

Once subscription is added to VMM, you can manage both classic and ARM based VMs in VMM 1801:

add azure subscription_6

Note: you might have noticed that instead of Shutdown action VMM 1801 offers Stop and Deallocate which is more preferable for Azure VMs. Also, MS fixed Management Portal button and now it’s linked to portal.azure.com 🙂

That’s it. I hope this post will be helpful for someone Улыбка.