Category: Azure

Change OS disk on server using Managed disk in Azure

Recently a new capability was released for Azure Virtual Machines using Managed disks.

We have been missing the possibility to change OS disk of VMs using Managed disks. Until now that has only been possible for Unmanaged disks. Before release of this feature we have been forced to recreate the Virtual Machine if we want to use the snapshot and managed disk.

This feature come in handy while performing updates and or changes to OS or applications and where you might want to rollback to previous state on existing VM.

As of today Azure backup only supports restore to a new VM. With this capability we can hope to see a change for this in the feature. But as for now we can use Powershell to change OS disk of VM and restore a older version of that OS disk on existing VM.

In the exemple below we are:

  • Initiating a Snapshot
  • Creating a Managed disk from snapshot using the same name as the original disk but adds creation date.
  • Stop the VM – The server must be stop deallocated state.
  • Swap OS disk of existing VM
  • Start the VM

How to join a Windows 10 computer to your Azure Active Directory


Some of the benefits of having your Windows 10 devices in your Azure AD is that your users can join the computer to your Azure AD without any extra administrator privileges, assuming you have configured this in your Azure AD. They can also login to the computer without the need of being connected to a specific company network the first time, as long as they have internet connection. You can also manage your Windows 10 devices wherever it may be in the world.

Windows 10 Subscription Activation for Hybrid Azure AD Joined devices

In a migration phase to Windows 10 we wanted to be able to benefit from the fairly new Windows 10 Subscription Activation method for the existing environment. One of the requirements for us was that we could do this with Hybrid Azure AD Joined devices. With this post I will try to guide you through the settings and steps for the setup to work properly.

In this scenario the environment looked like this from the beginning:


Domain functional level: Windows Server 2012 R2
Windows 7 machines ready to be upgraded to Windows 10
All Windows clients domain-joined to an on-premise domain
An active Office 365 tenant existed
Azure AD Connect was configured with password synchronization only
An active Azure AD Premium P1 subscription existed


Now when we got the background information about the environment, lets start listing the things we needed to do before we successfully could make the Windows 10 Subscription Activation work for the new Windows 10 devices.

  1. Configure a service connection point
  2. Enable device writeback in Azure AD Connect
  3. Sync computers accounts via Azure AD Connect
  4. Create a GPO so domain joined computers automatically and silently register as devices with Azure Active directory
  5. Upgrade existing computer or install a new one with Windows 10 Pro 1709 and on-premise domain-join the device
  6. Verify that the Windows 10 computer register as a Hybrid Azure AD Joined device in Azure Active Directory admin center
  7. Assign a Windows 10 E3/E5 license to a user in Office 365 Admin Center
  8. Log onto the computer with the user you assigned the license to
  9. Confirm that the Windows 10 Pro 1709 computer steps up to Enterprise


Now I will describe most of the steps in more detail so it’s easier for you to understand what needs to be done.


To configure a service connection point, follow the steps below:

In newer versions of Azure AD Connect and when running Express settings, this SCP is created automatically here:

You can also retrieve the setting with PowerShell:

In this case, it had not been created, probably because older version of Azure AD Connect was installed that did not perform this. Run the commands below as admin from the Microsoft Azure Active Directory Module for Windows PowerShell on the Azure AD Connect server which also needs to have RSAT-ADDS installed to create the SCP. Make sure you have 1.1.166 of the module installed.

Verify that the SCP has been created with the retrieve PowerShell command above.

To enable device writeback in Azure AD Connect and sync computer accounts, follow the steps below:

This is done from the Azure AD Connect server.

To create the GPO for domain joined computers to automatically and silently register as devices with Azure Active directory, follow the steps below:

To verify that the Windows 10 computer register as a Hybrid Azure AD Joined device in Azure Active Directory admin center, follow the steps below:

You should also see msDS-Device records in the RegisteredDevices OU in Active Directory.

To assign a Windows 10 E3 or E5 license to a user in Office 365 Admin Center, follow the steps below:

In your Office 365 admin portal, find the user who should log onto the Windows 10 Pro computer and activate the Windows 10 Enterprise license that you bought beforehand. This license can be purchased as a separate license or via Microsoft 365 E3 or E5 license bundle.

To verify that the computer has been activated through Windows 10 Subscription Activation, follow the steps below:

After logging onto the Windows 10 Pro computer, verify that the Enterprise version has been activated.


Please note that you need to have a Windows 10 Pro license activated to get this to work. If you have a Windows 7 Pro licensed computer today and you have bought the Windows 10 E3/E5 or Microsoft 365 E3/E5 license you can upgrade your existing Windows 7 Pro computer to Windows 10 Pro by using your existing Windows 7 Pro key. This will give you a valid Windows 10 Pro license that can be used in this scenario.

A good to know command in this hybrid scenario is dsregcmd.exe /status. It will give you the status of your local computer, like if the device is Azure joined or if the user is in Azure.

If you have any questions, feel free to email me at

You can find Microsofts documentation here.

Azure Archive Storage – Manage access tier on all blobs in a container

Last week Archive blob storage went into general availability. If you haven’t checked it out you can find some info here Announcing general availability of Azure Archive Storage

After some testing we realized that you cant change the access tier for an entire container or storage account from the portal. The access tier had to be set blob by blob as shown in the picture.

Here is an easy way to set the access tier with Powershell on all blobs in a specific container. This can be helpful if you have a lot of blobs that could take benefit from the new Archive access tier.

After successfully running the code above we could see that all our blobs had change access tier to ”Archive”.

Our example is very simple and with some imagination you can take it further and for example change the access tiers of certain files with certain properties.

NetScaler HA heartbeats in Azure

When using NetScaler with multiple NICs in Azure, heartbeats will not be seen on other interfaces other than the one NSIP is configured on.

To resolve this, disable heartbeats on the other interfaces (in my case, NSIP is on 0/1 and disabling on 1/1 and 1/2):


Devices i Azure AD – varför det är viktigt

Devices i Azure AD – varför är det viktigt? I princip alla organisationer vi arbetar med har ett traditionellt on-premise Active Directory. Många av dessa börjar nu använda Office 365 och Azure, ofta börjar det med Exchange Online för mail och växer sedan till att börja använda Skype, OneDrive, Teams eller någon av de andra tjänsterna Office 365 erbjuder. I botten av allt detta är ett Azure AD, detta är något alla får eftersom så fort du skapar en Office 365 tenant får du också ett Azure AD som är användarkatalogen. Vare sig du sedan editerar användarna i Office 365 admin portalen ( eller Azure AD admin portalen ( så är det grund och botten ditt Azure AD du ändrar i.

Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

I wrote a blog post for NetScaler active/passive HA in Azure with multiple NICs two days ago, and I’ve been trying to figure out if this was the best way to do it. In the other post, I was using IPPattern in NetScaler to set the vServers to a /31 – which does work but that’s just because of how the underlying Azure infrastrucuture works (where machines outside of the VM – for example Azure LB – can only access the IP that has been assigned to the VM).

There is another way of doing this, which doesn’t require you to use a /31. The key is in configuring DSR (Direct Server Return) in Azure LB (also known as Floating IP). This will make it possible to use the same VIP on the NetScalers as the Frontend IP of the Azure LB – which saves IP-addresses and is easier to configure. This is the way Citrix has documented it and this is how their HA template does it.

NetScaler Active/Passive HA in Azure with multiple NICs/IPs


I’ve found out that there’s a much easier way of doing the below in Azure – take a look at the updated blog post:

Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)


There are a lot of information out there about setting up NetScaler HA in Azure. One way is using a single NIC and a single IP for all traffic – which allows for active/passive but causes other limitations. Another way is to use multiple NICs/IPs and use active/active. Both cases uses Azure LB to provide high availability.

Azure AD Conditional Access – säkra upp access till Azure och Office 365

Azure och Office 365 erbjuder det Microsoft kallar mobile-first, cloud-first vilket innebär att användarna kan vara produktiva var de än är, med vilken device de vill och när de vill. Det går dock emot många säkerhetsaspekter att skydda företagets resurser.

Som standard i Office 365 kan en användare logga in varsomhelst ifrån med namn och lösenord men i många organisationer är det inte säkert nog. Azure AD Conditional Access försöker råda bot på det genom att säkra upp accessen till Azure och Office 365 genom att sätta ett villkor och en policy på hur access tillåts. Ett exempel är att man vid vissa villkor ställa krav på MFA (Multi Factor Authentication) eller att den enhet användaren loggar in i från är AD joinad eller till och med godkänd i MDM-lösningen eller alla dessa.

Azure Automation – Running scripts locally on VM through runbooks

I was tasked to create a powershell script to run on a schedule on a Azure VM. Normally this would be running as a scheduled task on the VM but seeing as we’re working with AzureVM and schedule tasks are legacy I wanted to explore the possibilities of running the schedule and script in Azure to keep the VM clean and the configuration scalable.

After some research the best option would be running the powershell script as a CustomScriptExtension on the VM, and the schedule would be handled by a Process Automation Runbook (using Automation Accounts).

What I ended up with is the script below. It’s fairly easy to configure and contains almost all the required configuration in the parameters.