I have created a Dynamic Group in Azure AD (not the first time btw). First I created it so it contained about 600 users. I have added an extra rule last Friday so that the group would again be empty because nobody in our tenant is compliant with the last rule I added.
However there is 1 user that is still a member of this group. When I use the Validate Preview functionality this user is said to not be compliant with the group rules, but still there he is. This has been longer than 24 hours now. I even updated the rule today to force Azure to re-evaluate the group, but nothing helps.
Here below is the rule. I've modified it a little bit for privacy purposes ofc.
(user.employeeId -ne null) -and (user.accountEnabled -eq true)
-and (user.mail -ne null) -and (user.companyName -notin ["value1","value2","value"])
-and (user.extensionAttribute10 -ne "value") -and (user.extensionAttribute8 -eq "True")
I tried the Microsoft troubleshooting, but in essence it just says to look for syntax errors or to re-evaluate the group by adding a whitespace behind the rule (I've modified it a little so that's essentially the same).
The issue is resolved. I changed the value of extensionAttribute10 so that the user would also trigger that rule as not compliant, and after syncing the Azure AD Connect I changed it back. It seems that did the trick.
Related
I have used the following powershell script to delete a database:
Remove-AzureRmSqlDatabase -ServerName $server -ResourceGroupName $rgname -DatabaseName $dbname
(first setting the variables)
and have tried using the Azure Portal
The portal indicates a success in deletion, as do the activity logs, however
the resource is not being deleted?
Screenshot of activity log:
The deletes (on a number of occasions after the db comes back) show successful, however there is an audit policy that seems to be doing something.
There are no Locks on the resource group.
UPDATE:
I have deleted from SSMS, and it is not showing there or in the portal anymore.
(will wait to see if it comes back, as it did when deleting via portal and powershell)
UPDATE 2:
Database is now back, so this is the database having been deleted 3 ways, portal, powershell and via SSMS.
It turns out the web application uses EF migrations which is recreating the database.
Note: The bigger issue is that the database is created on a much higher, and much more expensive tier.
Do you happen to have a rogue policy somewhere? It seems something is running a Policy Effect: deployIfNotExist on the resource. Without access to your environment, there's not much I could recommend.
Check the documentation here: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#audit
I need to use the command Get-AzureRMResource and return resources created after a particular date. Is it possible to filter the resources w.r.t. creation date? Can someone please help?
The Get-AzureRMResource could not get the creation date of Azure RM Resources. It seems there is no other way to get the creation date except the Activity log.
But still it can return only the items created in the past 90 days.
For this issue, you could try to Archive the Azure Activity Log, this option is useful if you would like to retain your Activity Log longer than 90 days (with full control over the retention policy) for audit, static analysis, or backup.
Update:
If you want to get resources created after a particular date, try the command below, it returns the resources created after 11/20/2018 1:57:19 AM.
Get-AzureRmResourceGroupDeployment -ResourceGroupName "<ResourceGroupName>" | Where-Object {$_.Timestamp -gt '11/20/2018 1:57:19 AM'}
This information is available via ARM, but you have to call the API directly rather than the PS Get-AzureRMResource (or Get-AzResource) cmdlets.
See Deleting all resources in an Azure Resource Group with age more than x days.
Essentially, you need to add the $expand=createdTime to your query parameters, i.e.:
GET https://management.azure.com/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resourcegroups?api-version=2019-08-01&%24expand=createdTime
Like #kwill suggested, this site can also help run the command interactively via your browser and return these results for you:
https://learn.microsoft.com/en-us/rest/api/resources/resources/list#code-try-0
Steps below:
Click on the try it now button
Enter your subscription ID
For a key value name use: $expand
For the key value value use: createdTime
Then run the query and it should produce a JSON file for you
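The same `$expand=createdTime` query can be scripted and filtered by date. The following is an added example, not code from the original answers: the helper names are hypothetical, the subscription ID is a placeholder, and it assumes the page's api-version also applies to the resources list endpoint and that the Az.Accounts module is installed for the live call.

```powershell
# Added example (not from the original answers). Requires the Az.Accounts module
# and an authenticated session (Connect-AzAccount) for the live call only.

function Get-ArmResourceWithCreatedTime {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $SubscriptionId)
    # The backtick keeps PowerShell from expanding $expand as a variable.
    $path = "/subscriptions/$SubscriptionId/resources" +
            "?api-version=2019-08-01&`$expand=createdTime"
    while ($path) {
        $resp = Invoke-AzRestMethod -Method GET -Path $path
        if ($resp.StatusCode -ne 200) { throw "ARM returned HTTP $($resp.StatusCode)" }
        $page = $resp.Content | ConvertFrom-Json
        $page.value                      # emit this page of resources
        # Follow paging; nextLink is an absolute URL, -Path wants path + query.
        $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
    }
}

function Select-CreatedAfter {              # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Resource,
        [Parameter(Mandatory)] [datetime] $After
    )
    $cutoff = $After.ToUniversalTime()
    foreach ($r in $Resource) {
        # createdTime is absent unless $expand=createdTime was requested.
        if (-not $r.createdTime) { continue }
        # Works whether ConvertFrom-Json left a string (5.1) or made a DateTime (7+).
        $created = ([datetime]$r.createdTime).ToUniversalTime()
        if ($created -gt $cutoff) {
            [pscustomobject]@{ Name = $r.name; Type = $r.type; CreatedUtc = $created }
        }
    }
}

# Constructed sample response (not real data) so the filter can be tried offline.
$sample = @'
{"value":[
  {"name":"vm-old","type":"Microsoft.Compute/virtualMachines","createdTime":"2018-11-01T10:00:00Z"},
  {"name":"sql-new","type":"Microsoft.Sql/servers","createdTime":"2018-11-21T08:15:00Z"}
]}
'@ | ConvertFrom-Json
Select-CreatedAfter -Resource $sample.value -After '2018-11-20T01:57:19Z'

# Live use, with a placeholder subscription ID:
# Select-CreatedAfter -Resource (Get-ArmResourceWithCreatedTime '<subscription-id>') -After '2018-11-20T01:57:19Z'
```

Unlike the Activity Log approach, this does not depend on the 90-day retention window, which makes it useful for spotting resources that appeared outside a change window.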
I am trying to delete a Dynamic Data Masking Rule on Azure SQLDatabase from the portal. The portal says that the rule got deleted successfully, but when I refresh the page, the rule is still there. A couple of my colleagues also ran into the same issue.
Is this a bug/quirk from the portal, or are we doing something wrong? Is there any other way to get this working (portal, powershell, cli)?
Thanks.
I am not able to reproduce the behavior with Dynamic Masking Rules on the portal but as a workaround you can try using PowerShell to remove the rule:
Remove-AzureRmSqlDatabaseDataMaskingRule -ResourceGroupName "ResourceGroup01" `
    -ServerName "Server01" -DatabaseName "Database01" -SchemaName "dbo" `
    -TableName "table1" -ColumnName "column1"
If you continue to encounter this issue, please open a support ticket with all the details (subscription, server, database) and we can investigate why this is happening. The mask should be successfully removed when you delete it - there aren't any known bugs in this area.
I want to get ahold of the diagnostic settings for all network security groups. I was hoping the powershell cmdlet Find-AzureRmResource would work, but it seems like you can't search for sub-resources on sub-providers without specifying the parent resource.
I would have hoped something like this would work:
Find-AzureRmResource -ResourceType Microsoft.Network/networkSecurityGroups -ExtensionResourceType Microsoft.Insights/diagnosticSettings
However, this just returns the network security groups, and I think it is completely ignoring the ExtensionResourceType parameter. Here is an example of a resource ID for the diagnostic settings on an NSG:
/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Network/networkSecurityGroups/{nsg-name}/providers/microsoft.insights/diagnosticSettings/service
I noticed that the Find-AzureRmResource cmdlet has an -ODataQuery parameter, so I wonder if I could get it to work if I knew what to pass to this parameter?
I did find that I can get the equivalent list like this, but it is really slow (when you have hundreds of NSGs) because it queries the diagnostic settings individually instead of returning them all in one shot:
Find-AzureRmResource -ResourceType Microsoft.Network/networkSecurityGroups | Get-AzureRmDiagnosticSetting
There is no single API call to retrieve all the diagnostic settings on all NSGs. If you have all the ARM resource ids for all NSGs, you will need to make multiple calls to Get-AzureRmDiagnosticSetting.
https://learn.microsoft.com/en-us/powershell/resourcemanager/azurerm.insights/v2.2.0/get-azurermdiagnosticsetting
The old Silverlight portal used to show the start datetime of each role instance so I could see when it last cycled.
As far as I can see this information is not surfaced in the HTML5 portal.
Is there a way to programmatically access this information via powershell or the REST API?
I can't find a way to see each role instance's uptime, but it looks like this will give you the time it's been since a service was last modified (i.e. with Swap VIPs, Uploading a Package, etc). This and a good old fashioned ping (to make sure it's still alive) should help you know how long your services have been "stable".
[DateTime]::Now - (Get-AzureService |
Where-Object { $_.Label -eq 'MyService' } |
Select-Object -ExpandProperty DateModified)