Episode 177 – Friends Should Let Friends Buy Microsoft 365 Business Premium

In Episode 177, Ben and Scott break down the changes in Microsoft 365 Business Premium and how it compares against Office 365 Enterprise Plans including the Office 365 E3.

- [Ben] Welcome to Episode 177 of the Microsoft Cloud IT Pro Podcast, recorded live on May 8, 2020. This is a show about Microsoft 365 with Azure from the perspective of IT pros and its users, where we discuss a topic or recent news and how it relates to you. In this episode, Scott and Ben take a more detailed look at the recently renamed and improved Microsoft 365 Business plans and discuss, with these updates, should friends now let friends buy Business? Everybody now has kids and dogs and all sorts of things, or people or animals, making noise in the background of their meetings.

- [Scott] Yeah, I think we're all getting better at it though, so maybe for those who haven't been doing the remote thing, now that they've had a couple of weeks to not necessarily settle into it, but experience it and recognize that for some of us it's going to be coming for a long time. I think especially for technology companies, I mean Facebook announced that through the rest of 2020, just go for it.

- [Ben] Really, I missed that.

- [Scott] Yep, yep, go forth and do it. Amazon is at least October, Microsoft still has their campus effectively shut down. So it's gonna be a thing for a while and I think for us, like in this segment and this area, we're going to continue to experience it.

- [Ben] Yeah, although to be fair, I've been experiencing it for like 10 years now.

- [Scott] Yes.

- [Ben] My kids literally don't know what it's like for me to have to leave the house for work. They get upset when I have to leave to go to work. They're like, "Why do you have to leave?" Some people do this every day, guys.

- [Scott] You've done it again.

- [Ben] Yes. They just don't know what it's like to have daddy actually leave every day to go to work.

- [Scott] Man, you know, they'll have to figure out their own lives at some point, you know, let them grow up and flutter and all those things.

- [Ben] What it is. Yes, they'll realize it. Maybe, who knows? Maybe everybody will work from home for the rest of their lives. I think you are gonna see a lot more people or companies staying open to remote work 'cause this has forced everybody to figure it out. I know there's some people I've talked to that they're like, "This just does not work for us. We're not as productive. All of that, we need to be at the same spot." But I think there's a lot of companies that are also realizing, "Hey, this isn't as unproductive or as bad or as prohibitive to our daily activities as we thought it was."

- [Scott] Yeah, interestingly, I also think lots of folks are gonna have to figure out the burnout factor, and really starting it en masse in this time is a different thing than all of a sudden a company phasing into remote work or just easing your way into it and figuring out what that balance is for, what is productivity at home? I think a lot of folks who are potentially looking at their teams and saying, "Well, we can't work remotely," oh, that's not the attitude, 'cause you're gonna have to figure out a way to do that in a lot of cases. And also by saying you can't, you're automatically throwing up a barrier to being successful there, but being able to align those times and boundaries between work and home life and recognizing that, yeah, this other thing is going on in the outside.

- [Ben] Yeah, it's interesting, and there's definitely a difference between being forced to work remotely and, like you said, having that gradual roll in and having it be an option. I would say there's more challenges with the way it happened this way. Well, it has opened up a lot of eyes. It also is a lot more challenging when you do it this way than if, like you said, it's a gradual roll in, a gradual rollout, you start with options and just do it a little bit at a time. Doing it this way definitely has brought a whole set of challenges.

- [Scott] So one of the little things that gets me, is I have an established place to do work every day. I have my desk, it has my monitors, there's a nice worn ring on the desk where my coffee cup goes. There's a place for the keyboard, a place for my mouse, microphone, all those kinds of things. And my wife is potentially transitioning to a remote role as a teacher. She's kind of settled on just one or two different places in the house to work in. And I've offered, like last night she's been working on an extra class and trying to do all these recordings for her students and things so she can put them up. So she came into the office and was sitting at my desk, which I'm normally on a laptop, but then it's just in clamshell plugged into all these monitors, and she brought her laptop stand in. She brought her keyboard in, brought her mouse in and she sat, stood up, it's a standing desk. So she stood up at the desk and I said all we gotta do is pull that little USB-C cable out of my laptop and we can put it into yours and you could at least have the keyboard. And if you don't want the keyboard, keep using your keyboard 'cause that's all Bluetooth, that's fine. I get, you don't wanna use somebody else's mouse 'cause everybody's kind of partial to things like that, but you can totally use your keyboard and just all of a sudden have these screens, like go ahead, have the 34-inch monitor and things like that. And she looked at me like I was crazy, just like I couldn't be productive like that. I'm like, I couldn't be productive on a single screen.

- [Ben] Yeah, it's everybody figuring out how they work best. As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and complex, massive metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real-world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business-friendly way of tracking Azure infrastructure costs and it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro. So we have an interesting topic. This topic today, speaking of working, came up probably about a month ago now. I think this has been out and I saw some articles about it and we kind of put some notes together and were like, "We should record this at some point in time." So today is your lucky day, Scott.

- [Scott] Every day is my lucky day when I get to talk to you, Ben.

- [Ben] Aw, that's so sweet. That was a little weird. Now you got me all thrown off. It's been a long week. So we recorded an episode a while back, I don't even remember which episode it was, where we said, "Friends do not let friends buy Business when it comes to Office 365," and we had a whole list of reasons why. About a month ago, Microsoft made some announcements that we talked about, about renaming the Business 365 SKUs. And as a part of that, one of the, I would say new SKUs with some added features to it is you can now get Microsoft 365 Business Premium, which includes Windows 10, Office 365... well no, that'd be Microsoft 365 Business Standard, I believe it's one of the Microsoft 365 Business SKUs, as well as essentially EMS. You're getting Azure Active Directory Premium. So you get all three of those for $20 a month, which is the exact same price as an Office 365 E3 plan. So a lot of people have been asking, "Why would I buy Office 365 E3 for $20 when I can get Microsoft 365 E3 or Microsoft 365 Business Premium for $20 a month?" Why would I not get that one with all these other features, Windows 10, Azure Active Directory Premium, it's essentially all the EMS stuff. Although we're gonna talk about, it's not all of that. So do friends still not let friends buy Business, or have they changed this enough that Microsoft 365 Business Premium is actually a very solid option now, where you're not quite as handicapped as maybe you were before? So we figured we'd dive in, discuss that. There was also a blog article that came out around securing remote work, tying into our intro, using Microsoft 365 Business Premium.

- [Scott] And then that article really piggybacks, and the concepts there piggyback kind of wholly on the licensing construct where they added Azure AD Premium P1 to those licenses. So having access to conditional access I think ups the game and changes it a little bit. 'Cause that's one of those differentiators between those two SKUs.

- [Ben] It really is. And before it was always an add-on, and now all of a sudden it has come bundled. So we decided this episode, we're just gonna talk about Microsoft 365 Business Premium and where it actually does make some sense now, I think, in my opinion, we'll see what Scott thinks, as well as scenarios where frankly it still doesn't make sense even though there's more features to it as opposed to like the E3 plan.

- [Scott] Yeah, let's get into it.

- [Ben] Alright, so where do you wanna kick it off? How do you wanna kick it off?

- [Scott] So I tend to look at it from one of those clear differentiators between those Business plans and the Enterprise plans, which is the number of users that you can bring into those SKUs. So having a hard cap on the number of users, like if I was gonna build out a decision tree to say, should I even look at this product, is it for me? How many people do I need to license? Is it more than or less than 300? Because if I have more than 300 users who are gonna require these features, then it's still not the thing for me. I'm gonna have to go build a licensing bundle or hopefully find a suite of products like E3 or E5 that has it all built-in, or I can do the base bundle, the SKU pack plus the add-ons, things like that. So like I said, if I was gonna build the tree, that's where I would start, number of users regardless of functionality they need or anything else. That's probably your biggest upfront question that you need to answer.

- [Ben] Yup, I would agree. That's always my first question, and while there are some feature differences, that hard line in the sand of which way you go is gonna be your user count. If you're less than 300 you have a choice to make. If you're more than 300 there's like not a decision there. You just have to go with one of the E plans.

- [Scott] Yeah, you're just gonna go another way. And then from there, you might try to rationalize down cost or add-ons or things like that as you go ahead and stand up the service. And I think what you could do is then maybe you could get into that feature comparison of, if I'm into the whole Office 365 E3 versus Microsoft 365 Business Premium, then you might wanna decide what features are important to bring over for you along the way.

- [Ben] Yup, and I think one of those, and I mentioned EMS at the beginning, and that is not, it is just Azure AD Premium Plan 1 that's included in Business. So for me, I think that's the next decision tree probably that plays into effect, although there's a couple here, but one of these is going to be, do I need that full EMS suite when it comes to like the mobile application management, the Intune with the mobile device management, some of those extra features that are in the EMS suite that are licensed as EMS but aren't licensed as part of Azure AD Premium P1, because Microsoft 365 Business Premium is only going to be Azure AD P1, not the rest of those EMS features that are included in Office 365 E3 or in Microsoft 365 E3. I think that's probably the next biggest one in my opinion. I say probably, because it could come down to a few other ones.

- [Scott] So now that comes to another weird decision of, do you need full-blown MDM? Like do you need full Intune for your devices? Like what does that look like for you? Or are you doing like Knox or something like that today, or AirWatch, and you wanna look at going to Intune, or do you need MDM light and can you leverage built-in MDM capabilities? So there's always... 'Cause that exists as well. There's full-blown MDM with Intune and then there's, it used to be what they used to call it, it used to be called Office 365 Mobile Device Management. But now I think it's all just Mobile Device Management for Microsoft 365, which is inclusive of some of the Office 365 stuff where you get MDM light in it today anyway, until potentially they go ahead and take that away.

- [Ben] Yeah.

- [Scott] So I think that's something to think about there too. 'Cause especially if I'm just doing maybe, I've always thought MDM is a weird conversation to have, do you need MDM or do you need MAM? So is it the data in the application that's really important, or is it the whole device and kind of the surrounding ecosystem that's important? And certainly, if you're looking potentially, I think at that small business segment, like if you're looking at the 365 Business Premium, you're less than 300 users, I would bet for lots of folks that not having access to Intune isn't the end of the world 'cause I can still do my conditional access, 'cause P1 is giving me access to that in Azure AD Premium P1, and I can still do device management light and particularly application management. So being able to still have those application controls where I can have you come in, I can't ensure that you can only sign in to your device with your corporate identity. But I can make sure that you can only sign into Outlook with your corporate identity and when you sign into Outlook that you can't take any screenshots and that you can't be out on a jailbroken device. So have I protected your data there or not? It's always a weird line to walk. But I think if you're a smaller business, like if you're in that 365 Business Premium SKU, you're probably not looking for full-blown MDM anyway. You might want the features, but I guarantee you don't want the operational overhead of keeping it up.

- [Ben] Right, although you can't do, my licensing matrix is failing me. You can't do the mobile application management with just Azure AD Premium P1, can you, isn't that still part of EMS? You can do conditional access, but not actually like the MAM, selective wipe stuff, or don't allow copy and paste between applications, that type of stuff.

- [Scott] Right, yeah. I think you're right there, but if I can stop you from logging into the app if you're on a, like an unregistered device or whatever it is.

- [Ben] Right, that goes a long ways.

- [Scott] You've got to weigh that out and decide where that's important to you organizationally.

- [Ben] Yeah, so yeah, figuring out where that is, and truth be told, even the mobile application management versus the mobile device management, I'm shocked how many people like conditional access and some of that mobile application management. If you do that right, you really don't need a lot of the mobile device management as much. Even bigger companies, I'm surprised how many people just do the MAM and it's way easier to manage. So another one that comes out, especially if you're a small business, when you are weighing Microsoft 365 Business Premium versus Office 365 is Windows 10 Pro and licensing that. If you've already bought a bunch of boxed copies of Windows 10 Pro, you don't care about licensing Windows 10 Pro, the Office 365 E3 is gonna be fine. But one of the nice things about Business is it does have a Windows 10 Pro license. So if you want to do all of your cloud licensing, if you want to even look a little bit at like, I think the Windows Virtual Desktop is included now in the Microsoft 365 Business Premium, if you be... Tripping over my own words there, but as well as, and this was one I learned the other day, is the licensing of Office applications, so Word, Excel, PowerPoint, desktop on a virtual desktop interface. I can't remember. Is that the CSA license or SCA? The shared, essentially the shared application license.

- [Scott] Yeah, whatever acronym they have going for it these days.

- [Ben] Yes, that is the only business plan that's included in, that Microsoft 365 Business Premium. So even though Office applications are included in some of the lower Business 365 plans, the only one that includes the shared application access is gonna be that Business Premium. So if you are looking for that virtual desktop interface, maybe looking at Windows Virtual Desktop, you want the shared applications, there's a lot of that. The Windows 10 for even desktop devices, all of that's in that Microsoft 365 Business plan too. So if you need all of that, you're under 300 users, you don't need EMS, in that scenario Microsoft 365 Business is a solid option as well.

- [Scott] Yeah, it starts to become more and more compelling. It does.

- [Ben] And I have one more compelling feature that they snuck out there. You can now add voice. This also used to be a big one. I heard this was a differentiating factor for one of my clients at one point in time, was you used to not be able to do Skype or Cloud Voice, the whole cloud PBX, PSTN calling, all of that on a Business plan, that was only available on Enterprise plans. Voice can now be added to Microsoft 365 Business Premium and I believe even some of the lower SKUs. So if you are a small business and you want to do voice calling, you can just license Business plans as well now and not worry about the Enterprise plan just to get voice.

- [Scott] So is that voice plan, is that different than Business Voice? 'Cause they've renamed all this stuff, right? Where say you have Microsoft 365 Business Voice, which is, that's in the Office 365 E3, the F1, it's in the Microsoft 365 E3, the Microsoft 365 Business but not Business Premium.

- [Ben] I did not realize they renamed that one.

- [Scott] Well, I will make sure to put the article in, "What is Microsoft 365 Business Voice."

- [Ben] Business Voice, that is, I was just looking up phone system, call transfer, multilevel auto attendants, call queues, includes, okay, so Microsoft 365 Business Voice, they combined two plans into this. Microsoft 365 Business Voice is $20 a user a month. What you used to have, and you may still have, you may still be able to buy these separately because certain plans include certain features already. Cloud Voice, which was all of the auto attendant, call queues, call transfer, voicemail, all of that. That was an $8 a month add-on to just get the Cloud Voice functionality, and then for $12 a user a month, you got those domestic calling plans, or you could do domestic and international for $24, but it started at $12 a month for domestic calling plans. So you have your $12 a month for domestic calling. You had $8 a month for Cloud Voice to get the features and the PSTN calling. They took these and Microsoft 365 Business Voice now combines them, it's $20 a month, which is your eight and 12 for your Cloud Voice and your domestic calling. And it includes both of those in one bundle.

- [Scott] Not confusing at all.

- [Ben] Not confusing at all. And I'd have to look into this 'cause again, I missed this one. But when you get into the Office 365 set of things, like your Microsoft 365 E5 and your Office 365 E5 already include the $8 a month Cloud Voice add-on, or all those entitlements. So if you're on one of those business E5 plans, you only need to license domestic calling.

- [Scott] Yeah, it's getting weird. And now you can't even search for Cloud Voice anymore 'cause it's all been subsumed by Business Voice. So you gotta be like, go search for the old phone system stuff and then hope you land on the right article. Although, but it's weird.

- [Ben] So are you looking at the business voice article?

- [Scott] Yeah.

- [Ben] It says down at the bottom, Business Voice requires the Microsoft 365 and that includes Teams. It's an add-on subscription for up to 300 users that cannot be used standalone, Business Voice, blah blah, blah, blah.

- [Scott] Yeah, yeah. It still aligns to those licensing limitations with those SKUs.

- [Ben] It aligns to the small business ones. But that means Cloud Voice should still exist for those Enterprise SKUs.

- [Scott] Good luck figuring out where that's all written down now.

- [Ben] So as you're going, this is what happens when we stumble across random articles in the middle of the podcast. Oh, see options for enterprise. There's a little link. It's hiding. Voice and video calling with Microsoft Teams.

- [Scott] Yeah, it takes you into all the Teams stuff, 'cause now calling plans and all the documentation for phone system and calling plans and setup falls under Teams.

- [Ben] Oh, it's phone system. So it's not Cloud Voice. So if you're looking for the Enterprise stuff, look for phone system for $8 and then calling plan pricing for your domestic and international. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ons you'll ever need. The Save As PDF add-on is a best seller. And it is great for project backups, legal discovery, and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com. S-P-E-R-R-Y S-O-F-T-W-A-R-E.com, and see for yourself how great Save As PDF is. Listeners can get 20% off their order today by entering the code "cloudIT." That's cloud IT, C-L-O-U-D I-T, all one word, at checkout. Sperry Software, work in email, not on email. So we all got that straight now, right? Microsoft 365 phone system is only for Business plans. Office 365 requires a phone system and a calling plan. Did I say that right?

- No.

- No.

- [Scott] 365 Business Voice?

- [Ben] Yes.

- [Scott] Is for Microsoft--

- [Ben] Only for Business plans.

- [Scott] Microsoft 365 Business plans. Well, but not just the Business plans, 'cause you can also do it with Office 365 E3s and F1s. So thanks, Microsoft. Even though it still has that licensing limitation at 300, I don't know how that works.

- [Ben] That's bizarre.

- [Scott] It's clearly called out in the licensing. If your organization has fewer than 300 people and you have Office 365 E1, E3 or F1, you can also do it. You can also do it with the A1 and A3. So you can do it with the education plans.

- [Ben] Which, I mean, it does kind of make sense, because the reality is the pricing didn't change. If you go buy that for $20, or if you go buy phone system and domestic calling for $8 and $12 respectively, either way, at least they kept that consistent. You're gonna be paying $20 a month to add some type of phone capability to anything lower than a Business or Enterprise E5 plan.

- [Scott] There you go. The documentation might not be consistent, but the pricing is, oh, wow.

- [Ben] So that is another, again, that used to be a differentiator between the two and a reason not to go buy Business, is if you're ever looking at phone systems. Now, or shortly, what was the date on that? You can put them onto both. I know they announced it was coming. I think it's already there.

- [Scott] I mean, it looks like it's already there. I haven't spun up a Business tenant in a couple of weeks, but maybe that'll be the thing to do. We'll go spin up a Business tenant and see if it can be added.

- [Ben] Yeah, it looks like it's all there. The data I saw was around pricing. So pricing includes, or pricing includes required communication and taxes and fees until June 30th, 2021. I don't know if that means your prices are gonna go up a little bit for taxes and fees on June 30th. I don't know if there's something that's being waived because of COVID right now and that's why those prices include taxes and fees until June 30th. Not exactly sure what's going on there. But yeah, June 30th, will appear as a separate charge only in the US starting on June 30th. So there's some goofiness going on there, but that shouldn't be too much.

- [Scott] Alright, cool. So there's some things that are similar and there's some things that are more than similar, almost the same between them. But when you're going through that rationalization exercise of saying, so I've got fewer users, I'm within that 300 boundary, so now I've gone down this difficult road of trying to figure it out. What is Business actually missing when you compare it to like an Office 365 E3?

- [Ben] So there are a couple things that it is missing in terms of just like functional specs when it comes to certain services. So Exchange Online is one of the biggest ones where you're gonna notice some differences. An argument could be made whether you actually need this or not, but smaller Exchange mailboxes. So your Business 365 plans are essentially running Exchange Online Plan 1, where your Enterprise plans are gonna be Exchange Online Plan 2, at least when it comes to like E3 and E5. So that means that you have a 50 gig mailbox instead of a hundred gig mailbox for Business Premium versus Office 365 E3. However, archiving, the Business 365 Premium does appear to include like a 100-gigabyte expanding archive. So as you archive it'll grow. So there could be an argument made for why do we need a hundred gigabytes if I can just archive everything, 50 gigabytes and archiving more frequently is probably adequate.

- [Scott] That depends on how you access that mailbox and what it looks like. Like do I access that from mobile devices? How hard is it for me to work with the archive from mobile? Like there are weird limitations there, and then I believe, you probably know better than me, but the Office 365 Enterprise archives, those are still billed as unlimited archives, right? Ever-expanding?

- [Ben] Yeah. But they all start. So I think they're similar to the Business ones because they all start at a hundred gigs, and the Business Premium ones, based on what I think I saw, those ever expand to, it's still unlimited.

- [Scott] Gotcha.

- [Ben] At least up at that premium level. And then some of the e-Discovery. So when I started looking through like a feature by feature breakdown using service descriptions, O365sd.com.

- [Scott] There actually is a great one out there, 'cause they do have, so one of the things they didn't used to do was have the plan options, or there was never a great way to get the Business plans and the E plans all together on the same page.

- [Ben] Yep.

- [Scott] And now they do. So again, this is another link I'll put in the show notes. You can go to Office 365 plan options and it breaks down the whole family. So it's inclusive of everything in Business. So Microsoft 365 Business Basic, Apps for Business, Business Standard and then all of the Office 365 Enterprise as well as Education SKUs, which is super awesome to see.

- [Ben] Perfect, yeah. So things like Advanced eDiscovery are only in those Enterprise plans. There's probably some small businesses that would use it. Do you think like lawyers, some law firms that are probably, there's a lot of law firms that are probably less than 300 users that may have a need for Advanced eDiscovery just due to their line of work. Some of that stuff isn't going to get included with your Office 365 plans or your Business Premium plans, so I can't remember. The other one I was gonna look at was... Do you have that chart in front of you? Data loss prevention is one that also tends to... No, that one I did look at. That one is included in everything. Data loss prevention is, eDiscovery is not, or Advanced eDiscovery. The Business Premium plans do include in-place holds and in-place eDiscovery, just not some of those more advanced features. So really go take a look at those service descriptions. Don't look at this at a super high level, but.

- [Scott] Yeah, you have to avoid the marketing and the pricing pages and do all of that at a lower level. They actually used to provide Excel spreadsheets for these where you could do kind of pivots and filters and sorts. I've always found it helpful to go and make my own for those. So it is possible to still copy and paste the tables and things just directly out of the HTML or the markdown, the unrendered markdown that's up on GitHub, and put that into Excel and be able to do those pivots based on how you want them. 'Cause there's gonna be a lot of noise in there that you can just kind of cut the noise out and get it to be what it needs to be.

- [Ben] Right, so the first thing I do, I copy and paste all those into Excel and I create a table and then I filter on the SKU I'm looking for, all the nos. So just show me everything under Business Premium that is set to "no" because that means that's not included, and then it makes it a lot easier to start from there when you're comparing what's a no in that column versus a yes in one of my Enterprise columns.

- [Scott] Yup, just go ahead and delete the SKUs you don't want and you get to where you need to be.

- [Ben] Exactly.

- [Scott] It's a little rough, right? I think you're in potentially a little bit of a handicapped position, maybe, coming in as a small business and somebody like you or I saying, well, your best bet is to copy and paste from an HTML site into a spreadsheet and figure it out. Versus being an enterprise where, you know, if you're buying thousands and thousands of seats, you're gonna have a salesperson at Microsoft who's very keen to sell those to you and they're helping you figure that out.

- [Ben] Or you have a finance guy that really likes Excel, and if you say, "Hey, can you go build me some really fancy Excel spreadsheet?" they'll like go hide in their cubicle for hours to create an incredible Excel spreadsheet for you.

- [Scott] No more cubicle, Ben.

- [Ben] No offense to anybody that's in finance and really likes their Excel spreadsheets. But yeah, we didn't even get into our last blog article about securing everything. Your practical guide to securing remote work.

- [Scott] I think security is maybe something we can hold off on and have as a conversation at another time, 'cause it does, I think it goes a little outside the boundaries of what I put in there about what we were originally gonna talk about. 'Cause we'll get into kind of specifics there of some things that you may or may not want to consider turning on. Like what are must-haves versus not must-haves, if you have access to these types of features. Like if you've got the licensing, you're definitely gonna want to turn some things on. Like full stop, they should just be on by default. Microsoft might not turn them on by default for you, but they'll certainly be very vocal, and I think you and I would be too, about, "Hey, let's light up the things that really make sense."

- [Ben] Yes, absolutely. So, to be continued next week, 'cause we don't have a topic picked for next week yet, we will talk about securing and which features you should turn on and off and how you can take advantage of these new SKUs and the security offerings therein.

- [Scott] Yeah, perfect, absolutely.

- [Ben] All right, well, let us go enjoy the rest of the sunny day from the confines of our house.

- [Scott] Yes, this is the way.

- [Ben] We will talk to you next week about that security article.

- [Scott] Thanks, Ben.

- [Ben] All right, thanks, Scott. If you enjoyed the podcast, go leave us a five-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.


Episode 176 – April Showers Bring May Microsoft 365 Updates

In Episode 176, Ben and Scott dive into the April announcements around feature updates to Microsoft Teams, Microsoft Threat Protection, and Azure Active Directory.

- Welcome to Episode 176 of the Microsoft Cloud IT Pro Podcast, recorded live on May 1, 2020. This is the show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss a topic or recent news and how it relates to you. In this episode, Scott and Ben discuss some of the recent news from the month of April, including some upcoming conferences, Azure AD Security, and Microsoft Teams.

- I feel like April was never going to end.

- Well, it has, I mean, it still might not have, but officially on the calendar it has. In our brains and collective consciousness it may have not.

- Yes, but the good news is, at least here in Florida, we are slowly starting to open back up. The question is, are you going to go out and do anything, now that it's opened back up?

- Well, we chose to open on our day of highest deaths. So my personal approach is to stay home a little bit while longer.

- You've already had it, you're immune.

- We'll see, I'm thinking about paying the 120 bucks to get the test, just to find out.

- Are you just to find out if you had it or not?

- Yeah, some of the labs are starting to get it. So Quest has one.

- Got it, interesting.

- And less little antibody test.

- I saw the mall, town center is going to open Monday, I think is what I saw. So yeah, stores, restaurants, I think they said are gonna open, but they have to be at 20% capacity. I think it was or 25% capacity.

- Yep, 25 here.

- So, we'll see. We haven't gone out and done a whole lot. We've started to see a few more people. I'm getting kind of stir-crazy and I don't know, like, I feel like we've flattened the curve and we don't need to talk about this too long 'cause we have other topics to talk about. But it's like at what point in time do you just have to start going out? Because obviously vaccines are gonna be a long way off. It feels like the curve is starting to flatten out. So I'm kind of getting close to that approach of, "All right, it's time to start getting out, seeing some people, doing some normal activities again." So yeah, my two cents.

- Slowly but surely, like get back out, see family, things like that, where you can and where it makes sense.

- And that's what we did. My wife's family came over the other day and they didn't even come inside. We actually just sat outside at the picnic tables, in the park next to our house. And it was her sister's birthday, so it was fun. It was fun to see them, we hadn't seen them in like a month. So all good, but there's some other events coming up now too, that are free. So there's some silver lining in all of this. There are some free events coming up that people can participate in.

- Nice, what type of free events are coming?

- Yes, what type of free events? So as an IT pro and as an IT pro-ish podcast, one may or may not appeal to a bunch of our audience, but Build, I have never been to a Build. This year I'm going to Build, Scott, virtually because it's free and it's virtual. So that is one of the events coming up. I think you registered for it the other day. I registered for it last night. So I am going to try to keep some of the sessions. Sometimes there's some interesting things that come out of Build, especially around late Visual Studio Code or some of the PowerShell or source control stuff that I use with my PowerShell. There's always stuff that comes out around Azure and things that, well, we may not go build applications. They still can be applicable to IT pros in terms of how you manage what developers may try to do to your environment based on new capabilities being released. So even though I'm not a developer, I still try to keep track of some of those developer-ish type conferences.

- Yeah, so I think there's some exciting things that they have planned this year, if anything, just in the delivery model that they're going to use for it. So not only is registration open and certainly you should go register because it is a free event. I think there's some constraints there for a lot of us. Like one of the things I love about, you know, going to conferences, isn't just the networking. Like that's certainly valuable. But if you are going to go to sessions, you're there and it's much easier to go and not be distracted by work. So I think lots of people are gonna be potentially competing for work over May 19 and 20 while this goes on, but it's gonna be a 48-hour event and it's gonna be running for 48 hours straight, which means you're going to have coverage in geographies, which would typically feel like they would have to miss out on an event like this, just due to time of day. So if you think about folks over in Australia, and APAC, and certainly Europe and things like that, everybody is going to be able to get in on the fun.

- Yeah, it should be good. And there's another one coming up that will be short. Let me think, it'll be the day after this recording goes live. Office 365 Nashville is doing a virtual one. So Daniel Glenn is kinda spearheading that one and that one is going to be on May 8. So this episode should come out May 7. I think registration will still be open, but it's a free virtual event that you can go sign up for. I'm actually speaking at that one because it was virtual and enabled me to speak at that one. So that one's coming up, we'll put a link in that one, if you wanna go register there. And then there's also one that Joel Oleson is doing. I can't remember the name of it right now, but we'll put it in the show notes.

- Yeah, My 365 something or on there.

- Yeah, it was gonna be like the virtual Olympics and then they ran into like some trademark issues because apparently Olympics is trademarked. Imagine that, who saw that one coming? Marathon, Virtual Marathon, I think is what it is. But it's another Microsoft 365 free Virtual Marathon. I think that one's like 36 hours straight. And I've seen like, he's trying to get 900 live sessions over the course of 36 hours.

- That's gonna be quite a bit.

- Yes, we will find the link for that and put that in the show notes as well.

- Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save As PDF add-in is a best seller and is great for project backups, legal discovery, and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at SperrySoftware.com. S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com and see for yourself how great Save As PDF is. Listeners can get 20% off their order today by entering the code cloudIT. That's cloudIT, C-L-O-U-D-I-T all one word at checkout. Sperry Software, work in email, not on email.

- Those are all the events I have. Do you have any other ones that I didn't think of?

- No, we did just have the Virtual Azure Global Bootcamp, which passed. But lots of these sessions for that were recorded. So if anybody did miss the 2020 Azure Virtual Bootcamp, just hop on YouTube and search around for some of those videos and things that came out from all the wonderful speakers who put their time into it.

- All right, sounds good. Yeah, we didn't do much here because it was all virtual. So who knows if they do kind of an in person one later this year, maybe we'll try to jump on, maybe we'll just have to wait for round two and come back to it in 2021.

- It'll still be there.

- Yep, it will, hopefully I'll be in person again. So there was also some news that came out these past few weeks, different things around Azure, some Office 365 stuff, some Azure AD stuff, some that spans all of them like Windows Virtual Desktop. So we decided we'd just dive into some of these news articles, our news announcements that have come out over the last few days. Take your pick. Which one would you like to start with?

- Let's see, I always like the identity stuff. I think they've done some good things there for customers, especially as some of the licensing has opened up like bringing Azure AD Premium P1 to the Microsoft 365 business here and things like that. And they're starting to open up the platform more and more for all customers. Which is always nice to see, especially in these times when everyone is working at home or remotely, or if anything, just on the go more than they are. I think that whole Zero Trust Model around identity and securing your identities and gating your access to all these resources, is super important. So one of the things they've done there is they've extended the ability to use Azure AD single sign-on for an unlimited number of cloud apps at no extra cost. And that's across every SKU. So now in the past, you would have been limited in the number of cloud apps that you could add to a user. And then also the number that you could potentially perform SSO against your Azure Active Directory with. So this is using SSO with Azure AD, whether you're federated or unfederated. And like I said, it's available across all of the pricing tiers or SKUs of Azure AD, even Azure Active Directory free.

- Perfect, 'cause this used to be, I think the limit used to be 10, right? I think it was 10 apps.

- 10 apps, yeah but you were even limited within SKUs by how many apps you could have and some could have 10 cloud apps, but not SSO. And others could have 10 cloud apps with SSO. So now it's just open across the board, which is much nicer. I mean, it's more consumable. So you make those things more readily available and hopefully people actually use them. You know, that would be the next step is going out and getting folks to light up that feature and actually turn some of that stuff on.

- Well, and this is, like apps that are not native Office 365 apps to it. If you're doing third party apps or developing your own apps, this applies to those apps. Before it was like all the included apps were kind of excluded from those limits. They were all considered bundled in, but this is other apps that you set up SSL with, set up SAML authentication with, whatever you might be doing.

- I mean, it's interesting, like you talked about the Azure AD Premium coming to business and some of that, well, I get that some of these features cost Microsoft more money to let users use because of resources and whatever, by giving these to everybody, it's also helping Microsoft. Because the more people that roll this type of stuff out, the more secure the Cloud platform is gonna be. Because if everybody on Office 365 and Azure AD is using MFA, it's going to help Microsoft from a security perspective, protect their own platform by kind of minimizing those, their footprint, minimizing the security risks that are enabled by rolling these out to everybody and including them with all the plans.

- I also think it makes some of the security services more valuable. So if you look at the way Microsoft approaches machine learning for a couple of their different security products, if you think about risk-based sign-on with conditional access through identity protection, and even some of the features may be inside security products, like the Microsoft Threat Protection Suite or Azure Sentinel, things like that. They rely on signals. And the more signals there are, the better those services are going to become for everybody. In some cases yes, it's probably a little bit of loss on the money side, but it's potentially a gain in the features that you can offer in some of those other super sweet products that kind of build on top of everything that's there and make those true differentiators kind of across the market.

- Yeah, which there was another security. We'll keep moving on through the news. There was another security feature that there was a change to this past week. And that was the Microsoft Threat Protection is now gonna automatically be turned on for any eligible license holders effective June 1 of 2020. So approximately exactly one month from the day we're recording this. If you are licensed for Microsoft Threat Protection, which is, this isn't gonna be your lower SKU. So this is going to be Microsoft 365 E5, Microsoft 365 E5 Security, Windows 10 Enterprise E5, EMS E5, Office 365 E5. Are you getting the pattern here?

- Yes.

- And then some of those other plans like Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection, Cloud App Security, and then Office 365 Advanced Threat Protection Plan 2.

- Some of those are interesting though, the E5s, they make total sense, but some of those like, Azure ATP was just a sub-SKU of... 'Cause MTP is more of an overall, an overarching licensing suite that helps you bring alignment with unified reporting and some other things in there. But Azure ATP or Cloud App Security, MCAS, that Microsoft CASB, those were both just individual parts of that suite. Now they're saying, "Hey, if you purchase one part of the suite, we'll give you the rest of it." So now they're saying if you have Cloud App Security and that's all you've done, you're gonna go ahead and enable some other features. Like you'll get features in Office 365 ATP and Azure ATP without having to do anything. Which simplifies that whole licensing thing.

- I was gonna say, just reading through this list, really reading through that list as I was listening to myself say it out loud, I'm like, "Their naming and their licensing is getting completely out of control." The fact that you have Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection, Office 365 Advanced Threat Protection Plan 2, it is getting really hard to keep track of all of these SKUs and what's in these SKUs, and how these SKUs impact other SKUs, and all of that.

- Yeah, did you see the one about Planner going away and being renamed, Tasks, but it's gonna be renamed six other things along the way.

- I didn't see the six other things, but I did see that that is gonna be Tasks now.

- Yes, so as we roll out the Tasks experience on Teams desktop clients, the app will initially appear as Planner to users. The name will then temporarily change to Tasks by Planner and To-Do, and later on, it will be renamed to Tasks. I think it's the first time I've ever seen an announcement with all of the product renames in one place.

- Which I don't know why it wasn't Tasks originally because you know what the URL for Planner is, don't you?

- Yes.

- It's tasks.office.com. I mean, Tasks would have probably made sense right out of the gate. I don't know, but now people are gonna be, "Did you add it to Tasks?" And it's going to be, "Well, which Tasks? My Outlook Tasks, which then go to To-Do, which To-Do also pulls from Planner, which is now gonna be Tasks." Or you have your Tasks in OneNote, like I get naming things after what they do. But if you're gonna name something after what it does, you can't have five or six or seven or eight things that all do the same thing and name them all the same thing.

- A task is a task, is a task, is a task, except when it's not a task.

- And that's only when it's in the Task app or one of the several Task apps.

- Nice and easy, right?

- That add-in 'cause I know, that add-in that I talked to you about earlier, it just crashed again. I've been having problems with Edge on macOS. Anybody else who has had problems with the... I'm running the Canary build. That's probably my problem.

- Yeah, Canary's had some weirdness going on lately.

- Yes, especially in macOS. But that being said, I just lost all of my notes 'cause not only does Canary crash, it will not allow me to reopen it until I restart my computer.

- It's a feature.

- Something like that. So yes, I will pull up some more links, but I am flying blind right now in terms of what I was gonna talk about. So Microsoft Defender Advanced Threat Protection, that announcement was made. What is Microsoft Defender Advanced Threat Protection? We talked about it's gonna be turned on, but we haven't actually mentioned what it is.

- I'll be darned if I know at this point. It's gotten kinda crazy out there with some of that stuff, especially when you consider some of the Defenders Threat Protection capabilities and how they integrate maybe with Intune and device management, and what you can push down on that side. That is a product that I too am waiting for clarity in.

- You would like to know what it does? So I have it running on my Mac 'cause they do have like the whole antivirus endpoint.

- Well, you have the EV component running on your Mac, but really it's more about that Cloud-based management and kind of all the other things that go into it.

- Yes, all of that as well. I lost all my articles, I'm trying to pull these all up while I'm talking. So yes, but it is going to be enabled. It's going to be on and it does, like you said, it varies. So there's a whole Microsoft... Well, then you have Windows Defender Advanced Threat Protection too that ties into it. That's based on your SKU of Windows that you're running. There are a whole bunch of things that go into it. We'll just put links in the show notes about Microsoft Defender Advanced Threat Protection and let you guys go check out all of the capabilities that are now going to be enabled by default. Because I think Safe Links, Safe Attachments, they all fall under that umbrella too, don't they?

- They should, as far as I know. But who actually knows at that point?

- Maybe we should try to find somebody from the Microsoft Defender Advanced Threat Protection team to explain it all to us.

- We should. We've had MIP folks before it, because for MTP and kind of that overall fish in there, 'cause it is interesting where it's been going. And once you do get in there and light all those products up, some of the new things that have happened over in security.office.com, particularly when it comes to like incident hunting, they are really cool.

- Yeah, we should, so if anybody that's listening is from that team or know somebody on that team that they can put us in touch with too, we'll go out and see if we can dig up somebody. But yeah, if somebody knows and wants to send them our way or make an introduction, we'll get them on the show and we'll talk about it.

- Just that easy.

- As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and complex, massive metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure. Whether it's by product, business unit, team or otherwise. It's a flexible, intuitive, and business-friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro.

- So Teams, Teams has had an endless stream of new announcements and features. I feel like everybody started using it and all of a sudden they wanted all these features, Microsoft, it's like they prioritize a bunch of features all of a sudden.

- Huh? How did that happen?

- I don't know. I don't know why.

- When you have 44% usage growth in one month and then in the next calendar month, you go up another 70% over what was your new 100%. It gets interesting fast.

- Yes, and all of a sudden, like UserVoice. It's like, "Hey, this UserVoice went from, like 100 votes to 10,000 votes because all of a sudden everybody's using it and wants these features." I don't know if there's actually a feature that did that, but it wouldn't surprise me.

- So good news, drum roll, you now get more than four by four in a Teams meeting. You get, I mean not four by four. Wouldn't four by four be nice? You now get more than two by two. You now get three by three. We went from seeing four users at once, Scott, to seeing nine.

- Yeah, you did and you can still pin people too. So when you go into those classrooms or you know, if you're a teacher out there and things like that, you can still just right-click and pin and get the big face in front of you. So you can do "The Brady Bunch" view of the world or you can go to a number nine. Coming to a tenant near you. I mean, Brandy it's not the, what can you do on Zoom? Can you do 50?

- Sorry, three by three.

- What can you do on Zoom? I think you can do 50 on one screen in Zoom.

- It goes up...

- Significantly higher.

- It goes up quite a bit, yeah.

- But I did see Microsoft is planning to bring more. I won't lie, I thought they were gonna go up higher than just two by two to three by three. I thought they said they were gonna try to do it so you could see everybody at once. But right now you can put 250 people in a Teams meeting. Can you imagine 250 people looking at all of them at once? It'd be like little thumbnails on most people's monitors.

- It would be like a Zoom meeting. That's what it would be like.

- Yeah, they also increased another feature. In that article was, they increased the number of participants that can take place in a live meeting. So live meetings, we used to have a limit of 10,000 people for a live meeting. They have doubled that to now allowing you to have 20,000 participants in a Teams live meeting.

- Yes, they have. Limits continue to rise there. It's an interesting one.

- Well, because that takes a lot of resources. Like I thought they were hurting for resources, unless they've kind of gotten a little bit of a handle on that. I was surprised to see that big of a jump in the live meeting attendees.

- Resource availability has actually gotten quite a bit better. So not just for Teams things, but I'm even seeing in Azure, some of the restrictions are starting to be lifted, which is very nice.

- Yes, absolutely. It's nice to be able to start using some of this stuff to its full potential again.

- It's like all of a sudden I can create Azure SQL databases. I finally found one of my articles again.

- What else was there? Simultaneous people raising hands is coming. So you're gonna be able to raise hand. Well, before we do raise hands, just on the limit thing, that is a temporary raise.

- Was that a temporary one?

- Yes. The defaults will raise until July 1st.

- Yes.

- And then in August they're going to officially make some changes. So they call out the 20,000 number, but they might settle on something else, you know, after that, if they see that there's huge uptake to the 20,000 number and all that.

- Yeah, it'll be interesting to see once all of this is done, how it changes companies' views on remote work. Or if people tend to work remotely more, if everybody's gonna be so tired of working remotely, everybody's gonna wanna go to the office. Shall be interesting.

- I don't know, do you want to go to the office? I don't feel like I do. I'm good staying right where I am.

- I've been right where I am for the last, like 12 years anyways. So hasn't changed a whole lot for me. Background effect was interesting. This one just makes me laugh 'cause they announced background effects which you used to be able to blur, now you can add pictures and I think it was the, like they did this well, they really seating they're like, "We're not gonna allow you to put your own custom pictures in, for governance reasons." Obviously, you never know what certain people may upload as a background image. I think that day they released this, all these articles came out about how you could just go into a certain directory on your computer and add your own custom images and have them in Teams. It took less than eight hours from when it was live to when, even though they didn't give you the option to do it in the browser, they made it really easy to do by just going to a certain path in your file system, on your C-Drive and adding pictures there.

- Yeah, I've been having a bunch of fun with that one. Made my wife's the envy of all her friends at school.

- Have you seen the articles about people that took, like a screenshot or a picture of them sitting in their office and then they put that as their background picture and they're not actually at the meeting. It's just their picture.

- Yeah, that's a thing that has happened as well. You give somebody a tool and they will absolutely take advantage of it.

- That, they will. Call recording, I mean there's a bunch we'll link to in the show notes. There were some updates around devices, a few meeting control changes. Most of the other ones were small. You can do things like put system audio now into a live meeting. So if you wanna play a video and feed that audio back into your live meeting to send it out to everybody, you can do that. But I think that kind of hits some of the big Teams announcements that came out in the month of April.

- Yeah, that'll probably wrap up most of them, like you said, a lot of that stuff just roadmap anyway. So it'll be filtering out. The nice thing is they've been filtering out much quicker, like you brought up.

- Any other news topics you want to cover today before we wrap up.

- Well, since we're talking about end user things, I think a good one to talk about might be some impacts to how end users interact with Azure AD. So there's a couple new experiences that are coming. So all of the new "My URLs" of Azure AD have lit up. So if you've ever pushed out things like My Apps to your users, there's gonna be a new URL and effectively a new UI coming to that. So myapplications.microsoft.com is live today and ready to go. So it's kind of like My Apps, but it lets you group your applications by workspaces. They've simplified access management requests. So things that might come through privileged identity management are now gonna be consolidated and available at myaccess.microsoft.com. Sign-in information is consolidated at My Sign-ins. That one's actually been out there and kicking around a while. And there's also the new myworkaccount.microsoft.com, which brings forward kind of what would have been your account portal inside of M365 or O365. So you roll that out, that's all the new look and feel. And then you've also got the new MFA, SSPR consolidated sign-in experience and things like that. So if you have some downtime and you're at a help desk or you know, you're working with your end user community, now's a good time to update some of your documentation because now that the URLs are all out there and all live, you can go ahead and get up to date screenshots and everything you might need.

- Yeah, these are nice. The, My Applications one, there's My Groups where I can do groups and...

- So My Applications is an interesting one. That's a UI that's going to be surfaced in two places. So it's going to be at myapplications.microsoft.com. And then you can also go into office.com into the app launcher and you could get to all your apps there. So the UI there is going to stay almost the same as it is today. But when you go into All Applications, you're gonna have access to that same grouping concept with the workspaces.

- Got it, well, it looks like when you go start doing the groups that actually takes you over to your, it's a URL under youraccount.activedirectory.windowsazure.com.

- Makes total sense, right?

- Yeah, it's kind of like the number of admin portals.

- Just a few of those.

- I forgot how many different Office 365 tenants I'm a member of, because on that My Applications tool lets you go, you can do a drop down and look at all of the organizations. So you can jump to see all of your apps between all the different tenants you're a part of. My list got rather long.

- It does creep up.

- How many you are in, you go through and look at it and you're like, "Oh, they never actually removed me. "I'm still a guest in their tenants somewhere, or?" Those are some good URLs to know about to bookmark.

- I have quite a few of those kicking around.

- Well, since we had a longer one last week, should we wrap this one up sort of on time?

- All right, just for giggles let's do it.

- Let's do it. We can go back and do some more real work.

- Yes, it's Arm Template Friday.

- All right, I'm going to go play with Azure. I've been playing with Azure more. I've been playing with Windows Virtual Desktop and domain controllers and IS so I'm going to go back and play in Azure some more this afternoon.

- All right, sounds like a plan.

- All right, go enjoy your afternoon, don't work too hard and we will talk to you again next week, Scott.

- Thanks Ben.

- If you enjoyed the podcast, go leave us a five-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.


Episode 175 – File Shares for Clients in the Cloud with Azure Files

In Episode 175, Ben and Scott talk about using Azure Files as a remote file share in the cloud for client devices and the things you’ll want to think about to get everything up and running.

- Welcome to Episode 175 of the Microsoft Cloud IT Pro Podcast recorded live on April 24, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, Ben and Scott discuss Azure file shares for client devices, domain controllers, Azure AD networking and other cloud services and how they all fit together.

- The thunder is never done, all the tornadoes rolling through. It was nasty last night.

- You know what? I did not hear a thing. I may or may not have been up until like, 2:30 the night before working on stuff and then I crawled in bed at like 12:30 last night. I was so tired, I passed out and I woke up when one of my kids came in our bedroom at some time, 4:00 a.m. and my wife was like, "Did the thunder wake them up?" I was like, "Was it thundering?" I never heard a thing.

- Man, corona times have not been kind to my sleep schedule. It's turned into like, aah, let's watch a movie and then the movie's over and it's aah, maybe I would like just one TV show or let me read this book for a little while or whatever it happens to be. So I think last night, I was up until... Last night, I was late, it was 3:00 a.m., hence, my coffee brewing slowly this morning. So I heard that whole storm all through and the whole thing. I was sitting in my kitchen, it was awesome coming through, it was a good one. I like a good storm.

- So I woke up and I was actually bummed it didn't wake me up 'cause I'm the same way, I love a good thunderstorm, especially at night. For whatever reason, those night thunderstorms and the lightning lights up the whole house and the thunder just rolls. I don't know, it's cathartic for some strange reason, as long as there's not a tornado blowing my house down.

- Yeah, well, there's that whole thing, but it was definitely a good thunder and lightning storm and it was tornadoes and stuff farther to the north, but not so much for us. So, it was just a good rain event.

- Yes, I will say not growing up in Jacksonville, I have been impressed with the geographic surrounding of Jacksonville and how it seems to deter most storms from hitting us. Like we never really seem to get tornadoes or really bad storms from the west because of the river and because we're sitting just down low enough. I think the Gulf of Mexico messes up a lot of them and then the way Jacksonville's kind of set in on the coast if you're going up the Florida coast and up in the Georgia and South Carolina, it seems to deter any hurricanes from really having a direct hit on Jacksonville.

- Yes, it is the farthest point west on the East Coast. Like when you think about that dip in, so it's not just Florida to Georgia and all that, like pull out a map and look all the way up, it is the farthest point west, from Maine all the way down to us.

- What about the Keys? Don't the Keys loop back into the west?

- They do, but they're sitting actually like--

- They're just sitting in the middle of the ocean.

- They are, right? But they're all the way down at that eastern tip of Florida is, think about like going down to Miami and you're pretty much a straight line down to the Keys from there. So they are still farther east than we are, but as a chain of islands, they stretch pretty far over, but at that point, they're underwater anyway.

- Got it.

- So as a landmass with two big bodies of water like you talked about, between the ocean and the river, being a pretty substantial river, but at least nice and wide, it's good enough to pick up a lot of the weather that comes through here.

- I remember that growing up in Michigan too. I mean, like Michigan is significantly bigger than the river but Michigan was spared at least a lot of the bad thunderstorms and tornadoes and all of that because of Lake Michigan. They would hit Wisconsin, the lake would break it all up before it hit Michigan. I went and spent a week in Wisconsin. It was like tornadoes every day. Don't go to Wisconsin.

- Don't go to--

- Sorry to anybody that's from Wisconsin that's listening. I much prefer Michigan to Wisconsin.

- You're gonna start a fight or something.

- Probably. I have some good stories about Wisconsin and Michigan, but we don't need to talk about those today.

- As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information, sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost tabs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs and it's only available in ShareGate's Overcast. Find out more on sharegate.com/itpro.

- Should we talk about what I was staying up late playing with today?

- Yeah, it sounds like you were staying up late doing things that I was not. While I was watching, crappy movies and contributing to Netflix viewing hours, you were doing real work, supposedly.

- Well, so supposedly 'cause it all started with a client question which led to me playing with this, with my own domain and Azure tenants 'cause I don't wanna break anything. So, to set this up, Azure Files with... So Azure Files has been able to do SMB for a while. You can use the like storage account name and the private key to actually map a network drive to Azure Files, all of this. They have recently and I think it's still certain aspects of this are still in preview.

- Yes, they are.

- They rolled out the ability to do Azure Files over SMB, leveraging either Active Directory or Active Directory Domain Services to authenticate users to the file shares, rather than using a storage name and a key so that all of those NTFS type permissions can be used or supported through a mapped Azure file share. But there are a ton of restrictions and requirements and prerequisites around doing that, which could lead to the question that we were actually debating before we started recording of should you actually do this and if you do this, what all do you need to think about? Because this has led me down a massive rabbit hole of VNets and DNS and AD and AD DS and all of that.

- Yes and you're leveraging preview services, which is even, well preview functionality I guess, which makes it even more interesting. So, when you initially came and you had asked me the question of, okay, I'm trying to stand up a file share and I'm doing the domain authentication thing and it's really a pain and in the back of my head, I'm thinking isn't that relatively new and probably in preview and my first question back would be, well, why do the preview functionality, right? Especially, if it's for a customer. Like typically, we don't wanna take customers into preview stuff, even if it's public preview, because if we just consider Azure life cycle, there's no guarantee that a preview service ever actually goes GA'd. So obviously, Azure Files is GA'd and all that kind of stuff and it's sitting there ready to go, but Microsoft could look at this feature where they're doing SMB file shares with AD, with Azure AD rather, and with on-prem AD and they can say like, "Yeah, I don't wanna do on-prem AD anymore, "I'm only gonna do AD "because that's an easier scenario to support."

- Well, but it's not just AAD, it's AAD DS. It doesn't support AAD.

- Yeah.

- Remember? We gotta clarify these two.

- I get my storage confused because there actually are parts of storage, like blobs and containers which do support Azure Active Directory for role based access controls and things. So you can totally do AAD authentication there. Anybody who thinks Azure Storage isn't a confusing service being that it's a storage account, but it's not just a storage, it's blobs, it's files, it's tables, it's queues, it's disks, it's--

- Right, it's got sub services.

- It's static websites, it's like 10 other different things, it's amazing.

- Azure Files are gonna be like the Teams of Office 365 or everything's just gonna get sucked into the storage vortex.

- Well, if you think about it, storage is kind of important, right? In the grand scheme of things and the overall fabric because what is Azure? It's a bunch of hosts who are running hypervisors and it's a bunch of file servers that are pulling configuration off of storage controllers and things like that, right? So, at the end of the day, storage is what makes--

- Storage is important.

- It makes the world go round.

- Which is digressing. So, this whole storage authentication thing, I'm not gonna say it's just Azure AD DS. Should I go through the prerequisites and what I found and then we can keep talking through this scenario?

- Sure, just to lay out the scenario, what you're trying to do is you're trying to stand up a file share in Azure that is available to clients, not to other servers that exist out there.

- Yeah, so you're not going to a server.

- But to individual clients and you require per user authentication from each of those clients to the file share, right? Okay.

- Right. So, scenario being client does not want to use SharePoint or OneDrive because they don't want to deal with the whole sync thing and files and demand thing and having to access the browser and maybe not being able to sync all their files based on hard drive sizes and all that. They like traditional file shares on-premises, but they want to be in the cloud, they wanna be able to work from anywhere. So, said client wants to be able to go to Starbucks or go home or be in the office and be able to map to their network drive the same way they would if they're on-premises and they're not a huge client, so they actually don't have a current VPN to get to their on-premises server from off premises. They can't VPN into their office. Internet connection is okay, but it's not like a large enterprise network that has Cisco, has VPN, has all of that stood up. So they were like, well, what if we just move everything to the cloud and we can map this network drive from anywhere using our traditional AD usernames for securing all of this across all of our users?

- I always love when customers come up with their technical solution, right? Like they have a business problem they're trying to solve. The technology that solves that problem really shouldn't matter as long as it aligns to the business outcome. So, what is the process, the workflow or the outcome that we're trying to solve and then you can backfill technology around that. They're going backwards. They're coming to you with the technology and saying, "Hey, make this work." And then--

- Yes, because I had spent some time with them. We looked at SharePoint for maybe six or seven months and ultimately the decision was, we don't wanna use SharePoint. We want to use Azure Files. So, I was tasked with figuring out can this be possible, does this work, especially given some of these new features combined with preview? So for this all to work, you do still require Azure AD, but it also requires either an on-premises AD server or Azure Active Directory DS or Domain Services. So you have to have one of those two synced with your Azure AD and have your users synced in both places and then you can go configure this file share for either Active Directory authentication or Azure Active Directory DS authentication, but it's still also using Azure AD in the background.

- Correct.

- And the problem we started running into, well, the first problem we ran into is SMB 3.0, which Azure File uses, goes over port 445.

- It does.

- Almost every ISP blocks port 445.

- They do, true story.

- So, first problem was okay, we need VPN for it, which we can talk about that more later and then we got VPN setup, we started testing this and there's a bunch of prerequisites. Your machines either have to be Hybrid Azure AD joined or they have to be AD joined, but once you get all this set up and configured, when you go to authenticate to map your network drive, your computer, even though it's using Azure AD synced with AD Domain Services or AD, it like, reaches out, but then it's like, oh, I also still have to use Domain Services or Azure AD. So it requires access to both Azure AD using new UPN and Azure AD, but then it like takes a side route and goes and has to ping to your domain server or your Azure Active Directory Domain Services server to actually do the verification for your map network drive, which means that if you're at home or if you're somewhere not in your local network or anywhere for that matter, you have to be able to properly authenticate against either a domain controller or Azure AD Domain Services wherever you are, which means that it has to either go over that same VPN that you can use to bypass the port 445 rule or it just has to be a publicly available domain controller, which we all know is a bad idea.

- Yeah, almost kind of like gives you the sense of that as you talk through it and the requirements, that while it works with clients like Mac and Windows, like it works with Windows 10 and generic SMB mounts and totally doable with a Mac and things like that. It's almost like they're not meant to be used that way.

- Yeah, yeah.

- Back to that shoehorning functionality.

- Yes, exactly. But, what fun would life be if I didn't try to shoehorn in some functionality that wasn't meant to be using preview features?

- Oh boy.

- I like to live life on the edge.

- Yes, it's a fun world you live in. So you have a number of problems or technical blockers that you need to solve along the way there. You need to configure identity in the cloud. So, some type of probably replication and resiliency on the domain side of things.

- Because the first question there is, do you do a server, running Active Directory in the cloud and replicate or do you use Azure AD DS? You need something in the cloud.

- Yes, so there's that piece and that's certainly its own can of worms and decision matrix right there. And then, you also need a VPN, as you said. So, where does that VPN endpoint leave and how are your clients going to connect to that VPN? I'd imagine maybe one of the first inclinations is, you might think in the back of your head, well, I have clients, let me connect the clients through Point-to-Site VPNs and just hook them straight up to the gateway. There's some limitations to Point-to-Site VPNs depending on the size of your customer. There are limits to the number of connections that you can have going in at any given time, which could be a limiting factor for you there. And then once you're into the VPN, there's all the routing and network security and other things that need to come into play for that client to not only talk to the DC itself, but to be able to get back to Azure Files and do all that fun stuff.

- Yes. I think you covered the biggest ones that I've encountered so far.

- Yeah, those would be most of them. So let's break some of down 'cause I think it's an interesting conversation just based on some of the paths you went down and some of the things potentially broke and we can probably talk through why they broke or why they work that way and maybe we'll leave like the whole decision about should you attach clients to Azure Files up in the air.

- So, first problem was domain controller, do I go the Azure AD DS route or do I put another server up in Azure that's just a server 2016, I think server 2019 is out there, stand it up as another domain controller and do domain replication from on-premises to the cloud.

- Yap, well, I might ask myself another question first. So, is your customer going to have more than 128 connections at any given time, like, are there more than 128 clients that need to connect to this file share?

- And that would be a no. This is like 10 or 12 users connecting occasionally because most of the time they're in the office, which also brought up that Azure File Sync, could come into this at some point in time. They want to be able to connect to the cloud as their backup option.

- Got you.

- If they're not in the office. Something like when this whole last month happened and all of a sudden, nobody can get to their file shares unless they're in the office because they have no VPN.

- Gotcha, gotcha. All right, so that makes more sense. That's all good. Once we get through this whole thing, I might spin it on you and ask you why you didn't go another way with it 'cause I'm coming up with some other ideas as we talk through it.

- We'll see, that's good 'cause I could use... I always like more ideas. All right, so connections, we aren't a problem.

- So we need a VPN and we know we're going to be under the limits for Point-to-Site VPNs and standing all that. So we're good there, so we know we're gonna need a VNet and we're at least gonna need a VPN to connect to. And now, like you said, we need to figure out what domain or directory service are we going to leverage. Are we gonna leverage Azure Active Directory Domain Services, which is AD DS, but it's a projection of your Azure AD into a pair of managed domain controllers. So DCs that you don't RDP into, but you do have access to hook up with things like, a doc and all your tooling that you use today to manage Active Directory. So that's one path you can go down. So don't pay for servers, but pay for the service and the projection and the resiliency and SLA and everything comes with that or stand up your own and manage your own.

- Yap, which standing up and managing your own is definitely cheaper. I looked at Azure AD DS and I think it starts around $140 a month. It's a set fixed price 'cause obviously, this isn't a service that you can spin up and spin down, it's just always running. So it starts at 140 and goes up from there based on... I can't even remember, I think it was based on number of users and there's some functionality that's included in different levels, but it's not cheap considering you can stand up a whole server for like 50 or 60 bucks and AD is not a process intensive service on a Windows Server, but you are left with managing a Windows Server and you don't necessarily have HA.

- Well, you do have HA, so they are redundant pairs.

- Well, not in the DS, not if you spin up your own server, unless you spin up two servers.

- Not if you spin up your own. All right, yeah, so if you do AD DS, it is a redundant pair, but if you do your own server, then it's on you to figure all that out and then come up with your resiliency model, are you going to use single instance VMs with premium disk to get some type of SLA at least at the VM level? Are you gonna do availability sets? Are you gonna do zones? What does that look like and how many do you actually need?

- Yep, exactly. And then you're doing all your own patching and server management and if that server crashes and all that.

- Yeah, you're living in IaaS land for sure.

- Yap, so I asked about... And then I was talking to you a little bit the other day and I said okay, so what does that migration path look like? Let's say I have AD on-prem, I want to go all cloud only. So I'm doing AD on-prem Hybrid with Azure AD to sync all my users up, but now I'm getting rid of all my on-prem servers. So maybe I just wanna go Azure AD DS and deprovision my on-prem AD. Is that a migration path or what does that look like to go cloud only with Azure AD and Azure AD DS and then deprovision that Hybrid Azure AD Connect service and my on-prem AD server?

- Yes, it doesn't eliminate the VPN problem and having to connect to the DCs 'cause you still have that client authentication issue to get over.

- Right, and you still need your VPN for your port 445 going into another topic. So, there's no way to get around this VPN issue.

- You do, so all that stuff stays. Really what you've done is you shifted your... At that point, you've shifted your DCs from on-prem to Azure just inside of IaaS. But you've still got the hookups and the connectivity and all the other things that come in. So I'd be worried about a couple things in there in general, by saying my DCs are only gonna live on the cloud. Since you said your users are theoretically in normal times in the office, the majority of the time, I would want them talking to the most network close authentication service that they could. And then maybe if they were going into something like Windows Virtual Desktop or something like that up in Azure, then okay, there's your kind of file share, and you're all set and ready to go and you've got your DCs up in Azure. But if you really wanted to get rid of them, you would do AD Connect. So you would do your hybrid identity, and do all your projections from on-prem to AD. And you could configure AD DS at any point in here, 'cause that's just a projection from your Azure AD. And then once all your identities are there, and all the things that you need to do, 'cause all AD Connect is gonna do is synchronize users, groups, and kind of some limited in the grand scheme of things metadata up, it's not synchronizing your computers that are showing to the domain. So that's a whole nother issue that you'd have to solve. But you could take AD Connect, and then once everything's up there users and groups, just rip AD Connect down, get everything, all the synchronization going into the new domain, rejoin all the computers to the new domain that lives up in Azure, 'cause they've got to get back in there, right? You're probably still gonna wanna manage them with GPOs and things like that. So all that gets in place and then stand down the on-prem DCs. Now I think one of the issues there is AD DS was not a real replica of your on-prem domain. So it's not all the same FSMO roles and everything else. If you don't catch everything, there's potential that you leave something behind, you'd almost want, like if this is really for backup, maybe a redundant pair of read only DCs or something like that up in Azure, that are ready to go that somebody could hook up to through that VPN on a Point-to-Site perspective. And they'd authenticate to the most network close DC. Or if they were on-prem, they'd still be able to authenticate to the one that's there. Best of both worlds maybe.

- Yeah, so it's not really a migration from AD to AD DS. It's more of a let's go have all three of them running. And then let's just remove one and make sure that you manually copied, rebuilt, did everything in Azure AD DS that you had in your on-prem DS.

- Yap, you've just got to be very cognizant of the limitations of AD DS as a projection from Azure AD, it's not the same exact type of thing. So yes, it lets you join computers and servers to domain. Yes, it has GPOs. But it doesn't have all the functionality that you're gonna get in your on-prem AD. And especially when I think about client management, you're probably doing GPOs that rely on things like ADMX templates. Maybe you're managing Office client installs, or I'm sorry, Microsoft 365 Apps for enterprise 'cause you haven't moved--

- I just wanted to say, I was trying to figure out how to get you to say that this episode.

- I had to say it twice this week in a presentation and it feels really dirty, like what, just Office Pro Plus people.

- That's a mouthful.

- It is. But you still have management that you need to do there. So then do you look downstream of saying, well do I move over to cloud policy or some other type of service, which, arguably--

- Like what it's been up into, right?

- Right, there's all these options out there. But all you wanted was a file share. And now all of a sudden, you have this technical implementation and the spread of things that operationally is turning into a little bit of a nightmare, who's gonna maintain all this stuff and keep it patched and up to date and ready to go and write all the guides for what do we do when the VPN is down and everything else that comes along the way. So that's kind of AD DS, I think when you weigh the two out in a lot of scenarios, AD DS has a place. It's quite often the path of least resistance when I think about like friction and time to implementation to just stand up new DCs, As you said, they're often cheaper to run, they can run on lower cost hardware and lower cost VM sizes, you might wanna upsize them while you're kind of configuring everything the first time and then scale them down a little bit later once everything's up and running. But it tends to be a known path, where AD DS can still have some pain points, especially if you haven't worked with it before. And you haven't really taken the time to dig through all the documentation and the FAQs and things like that.

- Yeah, I feel like going through all of this as I was digging around with it and playing with it. AD DS serves a purpose a lot more when you're gonna keep all your existing on-prem domain controllers. And Azure AD DS is simply a way to extend your Active Directory to the cloud in order to do just LDAP authentication against a cloud service without standing up another VM in the cloud.

- Yep, that seems to be what I'm seeing. I've actually used it. I've seen it used in some creative ways. And I had a customer that we ended up going down the AD DS path for, just based on how they were set up. So they were a customer who had a number of disconnected domains on-prem, that didn't have trusts or anything like that in place. So they couldn't stand up AD Connect once and have everything routed through from all these domains, user at Contoso, user at Fabrikam, all those kinds of things into AD at the same time, but relying on some of that functionality that you have where you can do the disconnected domain sync now. And you can bring all those disparate domains for those M&A scenarios into Azure AD. And what they were able to do was they were able to take six different disparate domains and user namespaces, all those user UPNs, get them all syncing into Azure AD, which was something they didn't have access to, they couldn't put them all in the same resource domain or user domain or things on-prem. And then they were running a lot of their shared services in Azure. So every server that they stood up in Azure was joined to that AD DS instance, it wasn't joined back to company one's AD or company two's AD or company three's. And that way, if I was a user from company one, or company three, or company five, I could log into the servers in Azure to do operations and management, and run my applications. And I was able to authenticate through and do all the things that I needed to do, 'cause servers still need, like this classic auth, Kerberos or NTLM, and all that good stuff. There are use cases for it. I think you just need to understand what your use cases are. If you're just looking at AD DS and saying, alright, this is gonna be a rip and replace, replacement for my existing Domain Services. Quite often, I don't think that's exactly the case today. Give it time and it'll probably get there. It's just not there today.

- And we don't currently know when it'll get there because it has been a slow deployment or rollout.

- It has some quirks to it. I've seen AD DS deployments where you go and you stand it up the first time and you go to do your sync. And it doesn't matter if you have five users in your Azure AD or you have 25,000. You'll just hit the sync button, and you might come back like 48 hours later, and it hasn't started syncing yet. And then you go, oh, what do I do? How do I fix that? The answer is you don't, you call support and hang on the phone.

- And wait a long time. Interesting.

- All right, so you go down that path and I think you weigh the two out, you probably look at DCs.

- Yep, and that's kind of, as I've played with it, and looked at it. And as we talked about it the other day, and even based on what I've seen, you have pretty much convinced me that if we go down this route, that is the way to go in this particular case, which led to question two. But based on time, we should probably do question two next time, or should we keep going and have a really long episode? Let's keep going, it's corona times.

- Okay, yeah, nobody's listening. Nobody's driving anywhere to listen to the podcast, our numbers have actually dropped. It's kind of interesting. And I've seen that side tangent, kind of across the board. I'm in a few different podcast groups and all of that and people are saying, overall podcast numbers seem to have declined because nobody's commuting anymore. And that's when everybody listened to podcasts.

- Yeah, I'm finding as a rabid podcast listener. I mean, I subscribed to a lot of podcasts and listen to a lot of things. I'm just falling behind. It's the drain of the times that catches up with you. So where I might have gone and been done with work and just tried to decompress for 30 minutes. Now it's turned into kids are at home, everybody's at home, things are going on, and all of a sudden there's that other Zoom invite for like a happy hour and you haven't talked to people in weeks 'cause you're quarantined and you like, aah I gotta get like, you're self isolating or whatever it is, you just have all these other competing things going on. And I am falling behind on all sorts of things which I intend to listen to at some point. It's just gonna take me a while to get there.

- Yep.

- Outlook Add-ins are a great way to improve productivity and save time in the workplace and Sperry Software has all the Add-ins you'll ever need. The Save as PDF add-in is a best seller and is great for project backups, legal discovery and more. This Add-in saves the email and attachments as PDF files. It's easy to download, easy to install and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, sperrysoftware.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code Cloud IT. That's Cloud IT, C-L-O-U-D-I-T all one word at checkout. Sperry Software: work in email, not on email.

- Okay, so after that side topic, after that brief commercial on podcast listenership, tidbit of random information. So let's just say for argument's sake, we've decided we're gonna put our DC in the cloud, Azure, it's a server we're doing IaaS, we're gonna stand up a brand new domain controller up there. Now I have all my machines that are still on-prem. And I am going to, again, for argument's sake, because we wanna shift to this whole cloud only model, we are going to eventually will replicate AD for now, but eventually that on-premises domain controller is gonna get deprecated, removed. So our only domain controller is gonna be in the cloud, but I still want to be able to join machines to it. I still need to authenticate against it for something like, Azure file shares and the scenario we talked about. Now I have a whole other set of problems or challenges, I won't call them problems, challenges or things to think about because I have to be able to connect to it to go into my computer, my settings, join domain, and then actually reach out to that domain controller, especially in the case which my own tenant is in this case where I wanted my domain to sync up to Azure AD properly. So my UPN suffix is intelligent.com, which is also my website, which also has public DNS records. So DNS resolution can be a little challenging because I need intelligent.com to resolve to my internal domain controllers, as well as to my external domain controllers if I wanna hit my website, and all of that, going over this VPN connection to hit my DC.

- Yes.

- Does that make sense?

- It does. Basically, if you wanna be able to authenticate to the DC, you have to be hooked up to the network. And that means you need all the routing and name resolution and other things in place.

- Yes. So I am partway through that. I think I might have it figured out, but we had to record a podcast. So I'll go back to it today. But essentially, same type of thing. I'm using the same VPN gateway because I needed that VPN gateway anyways, for my Azure file shares over SMB. And what I was struggling with last night was to get all of my DNS settings set up properly. So I could join a Windows 10 machine that's running as a VM on my laptop, connected over VPN to join this domain controller sitting up in Azure and leverage the DNS in Azure so that I actually hit that instead of going out and trying to hit my public website when I tried to join the domain. So my DC up there has, oh, and to top this all off. Don't ask the story behind this. I have two virtual networks that I have peered in Azure AD. And my domain controller sits in one virtual network and my VPN gateway sits in another virtual network. So I'm connecting to VPN, connecting to the virtual network in Azure, going over the peering connection between one virtual network to the other virtual network in order to hit my domain controller sitting in said network.

- Yap, so you got a hub spoke.

- Because I like to make things complicated.

- You're trying to make your 12th person entity the largest enterprise in the world.

- Well, this is just my personal, this is a one person entity. This is me right now.

- You and all the voices in your head that told you this would be a good idea to go down this path. Yeah, some interesting things start to happen along the way there I think, as you discovered, particularly with name resolution, when you have a VNet in Azure, there's kinda three DNS models that you can go with, you can do Azure provided DNS, which gives you resolution within the VNet itself. So I stand up VM one and VM two. And I can ping VM one and VM two, and they'll resolve by name, and all those kinds of things, I can do nslookups and see them, and I can actually pull their private IPs and I'm all good. Sometimes you don't wanna do that. And you wanna do, bring your own DNS. So you do BYO DNS, and you take your VNet, and you set your VNet settings to say, no, this is my DNS server. That way, when clients query the VNet for DNS, it's going to point them back to your domain controller, and go like, oh, why are we doing this at the VNet level, because remember that's where all your network configuration is driven from, you really don't make changes to the NICs on VMs in Azure, you make changes to the configuration of the virtual NIC outside and then that's projected down to your virtual machine, or your virtual machine gets its configuration from there. So you've got to have that resolution end-to-end. So peering is kind of interesting, because you've also got peering with a VPN gateway. So now you need to allow gateway transit on one end, but not the other end. And you need to make sure that your potential routing and things are in place, you might need UDR at some point, depending on how else you wanna shift traffic around in there. You get all that up and running, I bet your primary VNet, you were going in and saying like, "Oh, this is great. "I'm gonna set it to my custom DNS." And if you stood up VM one next to DC one, they would totally resolve and they do what they need to do. But you introduced that VNet peer. Which then makes resolution a little bit weirder 'cause your client, so you're hooked up on that Point-to-Site VPN or Site-to-Site whatever you're using. So your client now, where is it pulling its DNS from, it's pulling its DNS from the same VNet as the VPN gateway, which most of us I think, would just leave in Azure provided DNS by default. Because it's just a hub, right? It's sitting there doing what it needs to do, let it do it.

- Right, which is what I did.

- Yep, you might see the VM on the other side, but it's gonna resolve as the internal name with the cloudapp.net, and all that, and not as the proper NetBIOS name that you're gonna need to join the network. So probably some more configuration to do, where now the peered network, or the hub rather, also needs to have its DNS configuration updated, so that it pulls its DNS from the DC over in the spoke.

- Yeah, and that was the hint that we found for anybody that finds themselves in a wonky scenario such as myself. I was going out and pinging it and I was like, well, when I do an nslookup, and I'm looking for my domain controller, it's coming back with this internal.cloudapp.net, not my domain. And you were like, I bet your DNS was wonky in that VNet that you have your gateway in. And lo and behold, it was.

- Yep, so that's one option, go down that path. The other option is, if you're just doing this for a POC, you can't use a hosts file because of the whole SRV record thing, the service records, but you can use an LMHOSTS file to go ahead and point to your DCs. It's a pain in the proverbial rear end to set it up. But you can do it. I think the other thing to think about is identity is really a core service. Typically, when you just look at kinda your topological design and you're thinking about how to approach that with your customer, your identity, your firewall, your logging and management, those are all core services, right, or shared services. They're not really application or kind of segment specific. So something like your DC may not actually be living in a spoke in your final configuration, it might be closer in the hub anyway, which will make things a little bit easier.

- Yes, in theory, had I done this properly, and I didn't already have some of these VNets configured and I was paying attention to what I was doing at 2:00 a.m. the other night, I would have just put my gateway in the same VNet with my domain controller instead of in a separate one. And at this point in time now, it's just, can I actually do this? Realistically, I should probably just go delete my gateway and go stand it up in my other VNet and save myself some hours. But again, I get into this and I look at this as learning and figuring this out. And how does this all work together? And can I get it to work? Not necessarily, is this the way I should do it?

- Absolutely, I'm not saying you shouldn't try things out.

- Yes, but I wholeheartedly agree with you.

- I just wanna make sure we have the conversation in case somebody actually does end up listening to this and they go, "Oh, those people are going down some crazy path." Or somebody looks at it and they're like, "Hey, they sound like they know what they're talking about. Maybe I should go do that." I always like to talk about the other ways you can do it too.

- Yes, don't do it the way I did it unless you have a very specific reason other than it was 2:00 a.m. and I created my gateway in the wrong subnet and I wanted to experiment with it.

- Alright, so DC up, client connects and VPNs there. Theoretically, you can just hook up to files now.

- Theoretically, I think, oh, so Azure Files now gets really weird. Should I talk about Azure Files in the security there?

- Absolutely.

- So as they rolled all this out now, we can connect, we're gonna assume that you can... So the first thing you should do with Azure Files is, once you get all of this figured out, go connect with the storage account and the key to make sure you can actually connect, that your routing is going properly. Because at this point in time, assuming you're connected to VPN, you have your network set up right. Download the VPN client to, this is another thing. There's a VPN client that does an executable that goes and sets up the whole network and the routing and everything on your Windows 10 machines. Don't touch that until your network is all configured. Because what that executable is doing is downloading a configuration file and making a bunch of changes. If you change your network, your VPN client doesn't get that change. And you actually have to just disconnect, remove that VPN connection, go download it again, go set it up again, and get all those network changes. So we're gonna assume all of that took place. I can connect with a storage account name and key. But now I wanna connect using my username instead of that storage account key so I can leverage all the normal NTFS file permissions and permission folders in this Azure file share differently and all of that stuff. So first, the machine you do all this from has to be domain joined and there's some certain PowerShell scripts you have to go run to actually set up your file share in Azure to be able to authenticate against AD. And those do have to be run from a domain controller, so you go run those scripts. Now your Azure Files are set to authenticate with an AD server. And there are a couple levels of permissions that you need to set and the documentation does walk through all this, but you have to set the RBAC permissions on the file share itself. There are three permissions in RBAC for SMB, specifically, an SMB, I think it's an SMB file reader, an SMB file contributor, and an SMB...
It's like, it's not advanced contributor, it's something else, but it's another level up from contributor. So the first thing you have to do is go in and set these RBAC permissions. This is gonna look against Azure AD for these RBAC permissions, which is why you have to have everything synchronized together. That does not give you access to the file shares, that just gives you that RBAC permission to leverage the Azure service. Now you can go mount it, again with that primary key and your storage account name, and then right click in Windows and go into the properties and security, and then start setting the security on the shares and the folders and the files looking back against your domain controller. So there's both of those permissions that have to be set. And then once all of that is done, assuming whatever client you're connecting from can connect to both Azure AD and to your domain controller, you can go in and do a typical net use, point it to the Azure file share, you can do a slash user and throw in your UPN from Azure AD, or you can just do the net use and it'll prompt you for a username and password. Type all that in and in theory, you have a mapped network drive that's using your typical permissions coming from a domain controller.

- Mm-hmm, in theory.

- In theory, again, taking all those prerequisites and everything we just talked about being configured perfectly for that to even work.

- Yes.

- And there you have it. And there was something else I had to do. I'd have to dig through it. But I did also have to create a private endpoint for my Azure Files. And I can't remember at what point in time they hit that and why I had to do that.

- Why would you want, why?

- 'Cause it's a private endpoint that points to a private IP for my... maybe I didn't need this. This may have been one of my testings. When I was trying to play with everything. I don't think I actually need this.

- So I don't think you would, off the top of my head, you could connect across the public endpoint and do things that way. The private endpoint would arguably be more secure for you, especially 'cause you're VPNing in. That way, you're VPNing in, and when they go to connect to the file share, they're actually connecting through the private endpoint. And they're routing straight into the storage service. And even though the public FQDN is still there, nobody can connect to it that way, they can only come through the private endpoint.

- I think this was when all of my testing was going on to try to figure out how all these configurations worked. I think I created this. And yeah, as we're talking about it, looking at it, I don't think I actually need it anymore.

- Hey, look, you simplified things, while making it--

- I simplified things, or got rid of a private endpoint connected to a storage account. That, yes, that in theory would all work and that would provide you a way to actually be anywhere, as long as you connected to the VPN first, you could go mount these file shares as a user instead of using that primary storage key. And then one thing this client had talked about is, they're like, well, when I'm on-premises, then can I speed up my connection? Because now inevitably, you're going over the internet, you're connecting to a file share. And if you're pulling 100 meg, 200 meg files back and forth over a VPN connection to an Azure file share, it's not gonna be nearly as quick.

- Especially a Point-to-Site connection.

- Yes, especially a Point-to-Site connection. It's not gonna be nearly as quick as if you're just pulling it off your local server. So then they were like, "What can we do, like Azure File Sync?" So you can have a cached copy locally in the office and use this as kind of a backup emergency option, if we wanna get to those files from externally. And also if you're doing Azure File Sync, it does give you some of that DR type scenario where our office catches fire, we lose our server. And now we, again, we have this backup option, we have all of our files up in Azure Files where we can get to them, restore them, do all that if the need arises.

- Mm hmm, it would be there. And it would all be very nifty. Lots of moving parts.

- Yes, that is the biggest thing I took away from this is, this is not, I come from the Office 365 side, this is not stand up an Azure or a SharePoint site and do a sync. There's a lot of moving parts, a lot of routing, a lot of networking. There's a lot of stuff to figure out and take into consideration if you wanna go this route. So you said you had one other thing too, that you were gonna throw out there as, why didn't you just do this? What are your thoughts on this whole configuration setup, other than SharePoint being a lot easier?

- SharePoint would have been easier, you should have just convinced them to go that way. And if SharePoint wasn't their thing, there's lots of other file storage services out there. Like, I don't know, Box or Dropbox. Pick one of those--

- ShareFile or yes.

- Yeah, if files is your thing, and per user authentication is your thing. And you want it to be resilient and live in the cloud. Here you go. There's the right tool for the right job.

- Right, we had an episode a while back about that. About picking the right tools, specifically when it comes to cloud storage.

- Yeah, so I think one of the other things to maybe think about is, you're doing this as a one-off scenario. And you're doing it for the time when those users need to be away from the office and kinda have that remote connectivity through. I think another thing to think about would be, what if you didn't have the VPN, and you didn't have that whole client setup piece, and maybe you didn't do Azure Files. You just went with a traditional set of DCs and a replicated file share that lived in the cloud. So say you did like DFSR or something like that over a Site-to-Site VPN connection from the office. You have your clients, rather than coming across a VPN and dealing with that headache, maybe just stand up like Windows Virtual Desktop or RDS services, and something like that, and have them connect to that service when they need to. So okay, you need to go to the cloud, you're remote, here's your desktop in the cloud, it can talk to all the things you need to talk to, without all those routing issues and everything else that you've kind of run into along the way with ports and protocols. 'Cause then it's just a 443 connection. And anybody can do that. And you'd have more control over sizing, latency, performance. I think you'd have some better client controls there 'cause you'd already have the DCs in Azure, you'd still have AD, but it might let you even move away from Azure Files, which you might not need in this scenario, and just have, like you said, like a regular file share running up there, and maybe make it a little bit better, like that customer's file share on their DC, say, "Hey, we're gonna Azure, we can make it better." But you really don't need a PaaS service, like we can live in IaaS and it's a known quantity.

- What if you just did Windows Virtual Desktop, so same thing you're talking about, Windows Virtual Desktop, DC sitting in Azure. Again, now, you're not dealing with VPN, you're not dealing with network 'cause you're all sitting on the internal Azure network. And you just did Azure file shares with Windows Virtual Desktop and a DC in Azure, because like you said, now you're not dealing with port 445. Everything is in the same VNet, you don't have any routing issues. You can join your Windows Virtual Desktop to your domain, Azure file shares should work, significantly easier. And you could also go that route. You're not gonna have the latency there. Because again, you're going over all that internal network at this point in time.

- Yeah, I mean, it depends on how you're gonna use it, right? Do you need that per user authentication? That's probably the biggest thing in there. And just based on the path you're going down with per user authentication and the way it is today being a preview, back to that lifecycle thing, it might be easier to go with a known quantity, and say, this is gonna be supported and ready to go. Especially, I'd imagine you're looking at something like this for a customer because of the time that we're in. They're coming up with some specific needs based on what's going on today. And we don't know how long what's going on today is gonna go on. And sometimes that roadmap for Azure Files is a little murky. So you might have some other options in there that potentially simplify things or maybe give you some other cost levers or controls.

- Yep, and we did start going down that path, or at least having some of those initial conversations about maybe you do leverage Windows Virtual Desktop for everything because at that point in time, now every computer in the office is essentially just a thin client. It's a terminal, can even be an iPad. With those nifty new keyboards and mice that are hopefully coming today via UPS. And your office computer could just be pretty much anything at this point in time, because you're just connecting to Windows Virtual Desktop and doing everything in the cloud.

- I think it depends on how you look at it. I was maybe thinking of it more as your file share scenario where it's a backup. So maybe you have a limited size host pool. But because it lives in Azure, it can scale when it needs to. So it's not a problem that it's only, I forgot, maybe one available desktop host sitting there. Because it's gonna be able to scale from one to 12 on demand as users are coming in and out, versus having 12 or however many you need running all the time. And then it truly is that backup scenario.

- Yeah, and that's kind of one of those key differentiators is I think this might start as a backup and then turn into maybe this is our everyday functionality, or everyday scenario, we'll just kinda have to see where this goes. But it has been a very interesting exercise on my part to figure all this out.

- Yeah, it's always fun to play with new stuff. Welcome to Azure.

- Yes, thanks. I've actually been doing a little bit more Azure stuff. I have a couple other projects that are tied all into Azure IaaS, it's bringing me back to my roots as a system admin and dealing with servers and racks. Only some of it's a little bit more abstract now.

- It's all just in a JSON file someplace.

- Yes, I did not have like these predefined Azure DNS things before to figure out crazy VPN routes and VNet peerings.

- Yeah, but now you've done it--

- It can't work over a peer.

- You'll never forget.

- That's the theory. That's the hope, the plan. All that. All right, well, thanks for this extended episode.

- Yeah, no, thank you. It's fun.

- It was. And we have lots more stuff that we can talk about. We actually have like three or four topics today. So we've got lots more fun stuff coming in the future. So go enjoy your cloudy day while you sit inside in social isolation. Don't work too hard. Go take a walk on the beach. Have you gotten out there yet? Have you gone out and taken a walk on the beach?

- I have not gone to the beach yet. It's been a week. We're going out on the boat this weekend. So that's the plan.

- Nice. That sounds nice and relaxing.

- Yeah, all right, man. Well, until next week.

- All right, enjoy.

- If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out, so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show. Feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.


Episode 174 – Azure Web App for Containers

In Episode 174, Ben and Scott dive into Azure App Service for Linux and Azure Web App for Containers as a hosting option for microservices and more.

- [Ben] Welcome to episode 174 of the Microsoft cloud IT Pro podcast recorded live on April 16, 2020. This is the show about Microsoft 365 and Azure from the perspective of IT Pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, we talk about Azure services for Linux and Azure Web Apps for containers as a hosting option for microservices.

- [Scott] You've made it to another Friday.

- [Ben] Is that what day it is?

- [Scott] It is, as Rebecca Black, do you remember that song Friday?

- [Ben] Oh no, please, please

- [Scott] Yes, no.

- [Ben] No, no!!!

- [Scott] I asked her, Well hold on. As she taught us, Friday is the day that comes after Thursday, right? Yesterday was Thursday, Thursday, today it is Friday, Friday partying, boom.

- [Ben] But that would assume that I knew that yesterday was Thursday.

- [Scott] Yeah, well, I'm just telling you like, "Hey, Rebecca Black could help you get through COVID-19."

- [Ben] No, it hurts.

- [Scott] Just to throw, Just to throw that out there for you.

- [Ben] Well, we're almost through it, we have our escape plan now right? As of yesterday?

- [Scott] Yeah.

- [Ben] Although there's no timeline on our escape plan, it's just a plan. This is how we're going to escape at some point in time.

- [Scott] Well, it's phased and it's gated. It's very devopsy. They got that going for them.

- [Ben] Yes.

- [Scott] But, you know beaches are reopening today. We got that going for us.

- [Ben] They are. But only for a few hours, right? 'Cause I saw they're opening today at five, but then it was like five to 8 p.m. And then 8 a.m. to 11 a.m.

- [Scott] Yes, yeah.

- [Ben] Which means--

- [Scott] Six hours a day.

- [Ben] They are essentially trying to avoid people going out and hanging out all day because let's face it in Jacksonville nobody goes to the beach from eight till eleven, unless you're gonna go for a walk or run or something like that. And same thing from five to eight. It's hey, you can go take a walk, you can go take a run, you can go exercise, but you're not gonna go lay out and party at the beach all day.

- [Scott] Yeah, no, it's one of those, I go kinda like two ways about it. 'Cause you know people are gonna abuse it.

- [Ben] Right.

- [Scott] No matter what. There's gonna be lawn chairs and things out there now people have to patrol it and all those kinds of things but I am genuinely looking forward to just going back to the beach and being able to like stick my feet in the ocean again. Like that's one of the advantages of living here.

- [Ben] Right.

- [Scott] And being close to all of that, so... Yeah, I'm sad I can't take a lawn chair with me, but I'm not gonna be one of those people. But I am totally gonna go stick my feet in the ocean.

- [Ben] Oh did they say no lawn chairs too?

- [Scott] Yeah, they don't want you, like you said, congregating or any kind of chance of that going on.

- [Ben] I missed that part. It was interesting though because of the--

- [Scott] It was in like the Sheriff's webcast about it.

- [Ben] Okay.

- [Scott] So it's not in the official thing but they did call it out in the Sheriff's one so I think they're gonna be kinda going by and talking to people.

- [Ben] So did you read the whole article, this made me laugh. Primarily because it's so interesting to me. I have family in other states and everybody has their different definition of essential activities when they put these stay at home orders in place. It's like, hey you can only go on the beach for essential activities. And in Florida, based on governor, the governor's executive order, essential activities include, participating in recreational activities consistent with social distancing guidelines such as walking, biking, hiking, fishing, running, swimming, taking care of pets and surfing.

- [Ben] So if you're in Florida, surfing, swimming, I mean I get some of it's exercise based but then you look at places like Michigan where they're not even allowed to do any residential or commercial construction projects. Those are considered nonessential. In Florida surfing is essential.

- [Scott] As it should be. I have a weather reporting app. So I don't surf, but I go out and go paddle boarding, and the weather reporting app follows all the cameras up and down the beaches and the Intracoastal here, just so, sometimes it's not even about like wind speed or tide or things like that, it's really just about how calm it is out there 'cause there's some parts of the Intracoastal and things that are--

- [Ben] Do you ever go paddle boarding in like six foot waves?

- [Scott] You know, sometimes I would, but my paddle board's an inflatable, so it's a little bit more portable for me to get around. And it needs to be like really calm and really flat in the ocean, just to kinda keep the stability needed. It's not a paddle board that you would necessarily surf in on.

- [Ben] Got it.

- [Scott] You know if I went out and bought like an eleven foot board that was a hard deck, then I could do some different things, but, yeah. I'm looking forward to having the ability to have just at least one extra option for something to do.

- [Ben] Yeah. No I get it, like, I totally wish we lived closer and who knows. If this goes on much longer we may just drive out there some morning just to let the kids go run around and walk on the beach for a little bit. Because we are starting to get a little stir crazy.

- [Scott] Just bring your bikes, you park at my house, you make the kids ride their bikes to the beach and then make them ride back and they're all good and tired, you know.

- [Ben] Oh, except then they fall asleep in the car on the way home, and then they don't want to take a nap.

- [Scott] Well it just means you get to drive the car around longer. It needs to be run anyway, you know, it's not like you're going out every day anymore.

- [Ben] We were talking the other day, we couldn't even remember the last time we put gas in the car.

- [Scott] It's been a while so I had to run an errand yesterday or at least I thought I had to run an errand, where I was just gonna go pick up my dog's medication, like flea and tick stuff right, we were in and out.

- [Ben] Yep.

- [Scott] And so I was walking out of the house and my wife said, oh don't worry about it. I've got to go out later to pick up groceries so I'll go do it. And I thought to myself, you know, I'm already like halfway out the door. I put my keys in my pocket you know, I got like my wallet in my pocket, this hasn't happened in a long time, this is oh exciting. So I kinda stood there in the garage with the garage door open, looking at my car and I said, all right well I'm just gonna start it up, cause it's gotta be started anyway. And then that turned into, well I should really just drive it around the neighborhood. So one friend I used to like lazy roll, just kinda like basically around the long block which you know takes like 10 minutes to drive around the neighborhood and do all that. And I was like yeah, I got to drive a car today. That was crazy.

- [Ben] Did you put your seat back, roll down your windows and crank up your music too?

- [Scott] No, I really should have though. You know everybody likes to see that Malibu rolling through.

- [Ben] You know you gotta show it off. Oh, here is your new quote Scott, this came from Michigan's governor. Speaking of quotes from governors, "It is better to be six feet apart right now than six feet under."

- [Scott] Yes. True statement, your outlook on things, yes, that is absolutely true.

- [Ben] All things that make us laugh. Yeah, I have all kinds of those. I will say the memes out of all this have been great. So, with all of that, all that said, should we talk about other stuff, like cloudy, cloudy stuff?

- [Scott] Yeah.

- [Ben] Since it's, is it cloudy today? It's supposed to be raining this week. That's the only downside of the beaches opening, it's supposed to rain all weekend.

- [Scott] I will make do.

- [Ben] All right, take an umbrella.

- [Ben] Outlook Add-Ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the Add-Ins you'll ever need. The Save As PDF Add-In is a best seller and is great for project backups, legal discovery and more. This Add-In saves the email and attachment as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, s-p-e-r-r-y-s-o-f-t-w-a-r-e.com, and see for yourself how great Save As PDF is. Listeners can get 20% off their order today by entering the code cloudIT. That's cloudit, C-L-O-U-D-I-T, all one word at checkout. Sperry Software: work in email, not on email.

- [Ben] So Azure Web Apps, it's something you said you have been working on recently. And you said we should talk about it.

- [Scott] Yes, that is in fact true. So I have been doing a fun little project at work. It's a little bit of a transformational project of taking an existing series of microservices that are all hosted in Azure Kubernetes Service today. And seeing if we can't break those microservices out, and potentially host them in another hosting container or another provider that's gonna allow us to run those Web Apps. And do it with the same performance characteristics and monitoring, kinda operational insights we need, but at a much cheaper cost. So if you think about something like AKS, you know, you stand up a cluster and typically you want some kind of HA because it's a cluster, so you're gonna want multiple things like multiple nodes in a node pool. With AKS, the way it works is you spin up a cluster, you get a cluster master. The cluster master is a VM, but Microsoft doesn't charge you for it, it's part of the management plane, so the master is free. But you do pay for the underlying compute. So for every node that you spin up in a node pool, then you're gonna pay for each one of those nodes. So, you know, you take two DS2s or D2s_v3s, you know, that cost whatever they cost, 70, 80 dollars a month US,

- [Scott] And okay, well actually no, those are more those are like the DS1's.

- [Ben] D2, aren't those like 140?

- [Scott] Yeah, yeah, they're like 140 right.

- [Ben] The v3's are--

- [Scott] So you spin up two of those and that's 280 dollars, and those VMs need to be on all the time, right? So the master talks to them and you want that HA, and that's kinda like your baseline and where you wanna be at. And that's before you start talking about other services you might consume on the side. So like in the case of microservices, they talk to an Azure SQL Database, so there's consumption there. There's storage consumption for diagnostics, there's all the things that you need to spin up with, you know, Log Analytics and Azure Monitor for containers and all these other things. So there's been some releases over the last year or so in Azure Web Apps that potentially give us a way to host those microservices natively within Azure Web Apps, and gain some efficiencies. Performance characteristics, we want to keep the same, so, you know, we should keep doing load testing, and make sure we're baselined for latency and average response time, things like that. But from a cost perspective with Azure Web Apps, your unit of compute is your App Service plan. An App Service plan can host multiple Web Apps inside it. So if I can find a good App Service plan tier to host all these microservices in, and keep the performance baseline the same, it should theoretically be a little bit cheaper, better, faster to operate and stand up along the way. You know, there's some things that you are gonna get with Web Apps. Like you're gonna be potentially fixed in storage size. Your App Service Plan determines whether you can use custom domains, and SSL and things like that along the way. But you know, if you can find a way to land in like a Linux Web App in a standard service tier, the standard service tier starts at about $70 a month and, you know, you can scale up to 10 instances within those. And even if you go to like the premium tier, you get into the premium tier, at least here in the US, like East US and East US 2, it's 73 bucks a month to start the premium tier.
And things like that can scale up to thirty instances, they support auto scale, custom domains, SSL. You can do kinda all the things you need to do within there, potentially, to stand up those workloads and get them to where they need to be.

- [Ben] Got it.

- [Scott] So in this case, like we looked and we said okay, what's a good like target service plan size, just based on performance characteristics of existing apps, 'cause we were actually kinda leaving a bunch of compute on the table inside those existing AKS nodes. They were kinda sized up a little bit further than they needed to be. But even if we had downsized them, cost would have been a thing, particularly when factored in storage and everything else. So we just started out kinda simple and said hey, can we run it in a standard plan, like, could I run it in an S1, if I severely restricted the RAM? Like an S1 app service plan is one core and 1.75 gigs of RAM. But again it's only 70 bucks a month, so if I can run it inside of that for the core compute, 280 versus 70, all of a sudden I've got a bunch of flexibility and I can do some other things there.

- [Ben] Right, because now your Web Apps are naturally highly available. You're not having to go make sure you have two VMs and configure all that for your high availability. It's all just built right into the App Service.

- [Scott] It's supported within the App Service, yeah. So there's this concept of instances that you can run. So effectively kinda how many scale units, or you know, what is your horizontal scale look like within the App Service. So by default you usually run with one instance but you can go in and change that configuration and say, I always wanna run with two instances or three instances. And then maybe have things like auto scale rules based on CPU or some other metric that you're gonna target auto scale. And in the case of these service plans right, being able to scale to 10 instances or you know, 30, 50, you know, depending on your service tier.

- [Ben] How do the resources compare then when you're talking, like, VMs? Because obviously you can also go out and get a VM that has a gig of RAM and a single core. It is really cheap. But then those resources are also having to go to the underlying OS. When you do this in the Web Apps, are you getting essentially the same amount of resources? Figuring you're still getting, like, a core and a gig of RAM, but then it's dedicated 100% to your web application and to those microservices. It's not having to share those resources with some underlying OS.

- [Scott] Well, I mean, there's an underlying OS. So you're picking whether you're on Windows or Linux, you're just saying you don't want to have to worry about patching the underlying VM there. So kinda the way it works in Azure Web Apps, have you ever heard of ACUs?

- [Ben] Ah, yes.

- [Scott] All right, so an ACU is an Azure Compute Unit, just for those that aren't familiar with it. And they're meant to be a way to baseline or compare CPU performance across these different sizes and series, right. So when I come out and I say, okay, a D2s_v3, and you go, what the heck is a D2s_v3 and how do I compare that to a DS1_v2?

- [Ben] Yep

- [Scott] Well, you would potentially do that through something like ACUs along the way. They start at A0, actually it's a little bit easier to start at, like, the A1 kinda family. So A1s are one core to one vCPU, so it's a one to one relationship. And the ACU, the Azure Compute Unit, is 100. So now you've got, like, a nice solid whole number that you can work off of there. So when you go to pick your App Service Plan and what your unit of compute is, like if I went in and selected an S2 in the standard series. Well, an S2 is two cores and it's 3.5 gigs of RAM. Then you go, like, what does that really equate to in CPU performance? Cause two cores in a D series versus an A series, they're actually gonna have kinda some different metrics to them.

- [Scott] So then I can walk in and I can say, okay, well an S2 is 200 total ACU. It's an A series compute equivalent, like, I know where I have landed in there and I can start to figure out what I'm getting for my money, with the features that are offered to me. Right, if I go into the premium tier where I can do, like, isolated networking and some other things, you know, those are gonna be, like, Dv2 series equivalents, and you start to get into, all the way up to, like, 8X metrics, like you can do, like, 840 total ACU. Like 420 gigs of memory and in a P3v2. So it gives you a little bit of a baseline and kind of a way to figure it out. So if you looked at, say, in this case, the node pool, you knew you were running IIS or Apache or whatever it is on a VM, and you know what kind of VM you're on, now you can play with it a little bit and see, like, hey, would I actually be able to step down from a D series to an A series? Which potentially has some significant savings for me? You know, am I really CPU bound, or am I memory constrained, disk constrained? What's the constraint for my application as you stand it up?

- [Ben] Got it, okay, so you have all of that. You've figured out how those resources are laid out, how you are going to go from one to the other. But now you actually have to move those microservices, or those containers. What do you have to think about then as you take these microservices that maybe you're running in AKS, and you wanna push them into one of these app service plans? Is it just, like, a lift and shift, or is there some reconfiguration that has to go on there? Cause, I honestly completely missed this and I had no idea you could actually run microservices in app service plans now.

- [Scott] So specifically containers, right, we're talking about taking container applications that are already containerized.

- [Scott] And being able to bring them over. So in the case of AKS running the Docker container runtime, or kinda Moby already, you know, we should be able to natively come over to a service like Web Apps for Containers running on Linux, which already has Docker for the runtime as well, and stand a container up the same way. So you could always do microservice hosting, right, just deploy your Web App as the runtimes or kinda the server-side static frameworks, whatever you had going on. In your Azure Web Apps that was fine. But the nice thing here is, we're just lifting a container and getting it to where it needs to be. So there's a couple of things, like in this particular case, that ended up being kinda interesting. So, if you think about standing up something like an AKS cluster, so it's a container orchestrator, so it's bringing things to you like service discovery. There's certainly networking components to it. So if I'm deploying a microservice on a cluster, how does traffic from the outside hit an IP? And how does it know to hit that IP and then be routed all the way to that backend service, specifically to, you know, microservice A versus microservice B? So that all happens with other service load balancers you might deploy. And typically you need, you want some kind of ingress controller where maybe you can have more play within the routing of that traffic. You might not always want, like, just a standard kinda load balancer service in there. So for this one, it was an existing implementation of Traefik, so it's just kinda a way for us to stand up websites and do the routing and things like that within that cluster. But that meant that Traefik was going away when we came over to the other side. So in AKS, the way everything was set up is there was a root URL. So, you know, there was msclouditpropodcast.com and that was kinda the homepage.

- [Scott] And then the APIs were all stored in virtual directories, virtual routes underneath there. So you would have, like, /api1, /api2, /api3. So everything was in the same canonical and fully qualified domain name. And when we went to Azure Web Apps, well, that changed a little bit. Because we can't run multiple containers in, we can't run, like, a whole container group in Azure Web Apps.

- [Ben] Got it.

- [Scott] Inside the same Web App. So what was, you know, five or six containers that were all effectively the same website from a routing perspective actually became five or six separate websites on the other side. So there was some reconfiguration that needed to be done there, right. Like things like, okay, so, you know, a dynamic configuration for which API endpoint we talk to, where there was only one URL, now there needed to be, you know, one distinct, like, environment variable that we could set for each API so that you could still talk to the right place and grab the right thing. But the really cool thing there is, because it's all just containers, right, so we can go change the code, we can spin it up, we can create a container image and we can spin that up very quickly within Azure Web Apps. And it turns out that with Azure Web Apps it's potentially even a little bit easier for us to do the deployment. So something like that dynamic configuration, where it was all running inside either a native Kubernetes deployment or, in this case, everything was being deployed with Helm and Helm charts, and you know, you're setting dynamic values for environment variables and things like that. In Azure Web Apps you've got just native app settings, like there's configuration per Web App. And all you have to do is go set those keys within the App Service, within the Web App configuration. And they're automatically projected as environment variables within the Web Apps, within the containers that are running within the Web App and within that runtime. It was super sleek and super kind of turnkey, just to spin up a container and run it was a very quick thing to do. It felt nice and easy, and way easier than potentially, you know, depending on your feelings on it, mucking with a bunch of YAML to do, like, the existing Kubernetes and Helm deployments going through.

- [Ben] As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure. Whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro.

- [Ben] Got it, so really from that migration standpoint then, from moving from one to the other, there's not a whole lot that has to change in your containers other than kinda how those different APIs talk to each other. How those different containers would talk to each other. Other than that, a lot of it is just, more or less, a lift and shift of containers into the App Service.

- [Scott] Yeah, it's really saying, hey, can we validate this, like, from just a very much, like, raw proof of concept side. Like, do these things work, yes or no? And then what kinds of efficiencies can we light up along the way? So for something like Web Apps on containers, so in this particular case, if you think about kinda container lifetime, right, you have something like a Dockerfile that builds the container. So you build that container and then you wanna push that container image to a registry. And then you wanna be able to pull from that registry based on a container name and a tag and things like that. So we were using Azure Container Registry, or ACR, as our container registry. So it's a Docker compatible container registry, supports, like, docker push, docker pull, things like that along the way. So it's a nice private registry so you don't have to go to Docker Hub or anything like that. We looked at ACR and kinda the way existing builds were going on today. So existing builds were happening on build agents as part of, like, a continuous deployment, like a CI and CD pipeline. And to do those builds, you need to have the Docker daemon, not just the Docker client, but you need to have, like, the full Docker runtime to be able to do a docker build. So that means that you need a Linux server stood up or, if you're doing Windows containers, you know, you need that compatibility. But you effectively need a unit of compute to do your build for you. So if we looked at, like, the CI/CD deployment side, that meant we always had to make sure we were picking the right build agent. Did it have the right version of Docker on it? Was it bootstrapped the right way and doing the right things to be able to execute builds based on our Dockerfiles? And it was just, like, an extra piece that you needed in there, so, being that everything is in ACR, we actually wanted to see if we could light up some new options there.
So one of the things that happened inside ACR is it has a feature called ACR build tasks. So what you can do is you can send a Dockerfile, basically kinda like, think about, like, maybe zip it up in, like, a tar or gzip, and you can send it up to ACR. And ACR will do your build for you. So the unit of compute is built into ACR itself. I don't need that separate build agent to run docker build and then do a push to the registry for me. So it kinda simplifies things, right. What was potentially two different steps and two different commands and having to worry about logging into a registry and things like that, now in that CI/CD pipeline it's just running an Azure CLI command and making sure that I'm authenticated to the CLI through a service principal or user that has access to that registry. Which is really kinda cool. So why is it good that I can do things, like, do this ACR build task, or this ACR task, directly inside of ACR? Or if you think about one-off builds, like one of my struggles with Docker has always been, am I on a computer that has all the tooling installed that I need? Do I already have the Docker client? Do I already have the Docker daemon? Am I in an environment where I can actually do a docker build? And sometimes the answer is no, right. You don't know, you might be at, like, a customer's environment and on, like, a laptop that they provided for you and you can't even install Docker on it, right. So a lot is locked down. Well, the cool thing about ACR build tasks is it's the unit of compute and it's doing the docker build for me just based on my Dockerfiles. That means that I can perform docker builds from places where I don't have access to the Docker daemon.
So for me, that means that I can go into this environment, if you think about just Azure, I can fire up Cloud Shell now, and all I need to do is have access to that Dockerfile from Cloud Shell, so I can still do something like a git clone and clone that Dockerfile out of the repository it lives in. And then I can just send that file to an ACR build task. There is no way I could build a container natively inside Cloud Shell, cause Cloud Shell is already running in a container, right. You know, it's like too many levels of virtualization removed.

- [Ben] It's container inception.

- [Scott] Yeah, so all of a sudden you've gained this really cool new ability. And it has simplified that pipeline, potentially, right. What was two distinct actions, a build and a push, now just becomes a single action, which is a build task for me. And I'm off to the races and ready to go. Which is really, really kinda cool. Like, it really simplified overall environment deployment. Cause now, from a deployment perspective, in the past, if you wanted to, like, stand up, say, a new dev environment for a developer, they had to have all that tooling locally. Now that everything is 100% Azure native, including the Docker builds, now we were able to go to those developers and we can just give them a Bash script, and they can go into Cloud Shell and run a Bash script and come back in 10 minutes and everything is just kinda done for them.

- [Ben] Nifty. So you could do all of this now from a Chromebook?

- [Scott] Yeah, oh yeah. Yeah, no I've been living in like,

- [Ben] An iPad.

- [Scott] Just a web browser, and yeah, it's all been going swimmingly. I've been really impressed with it. There's certainly some things that have changed along the way. I think that particularly, like, operationally. So it wasn't so much can we do it, it's yeah, it can be done, and certainly there's that cost component to it. But can you continue to run the service in the way that you need to run it? So if you think about kind of an AKS PaaS service. But ultimately you get a lot of insight there, right? You can dig pretty deep under those VMs, and things like Azure Monitor for containers with the dependency agents, like, they're giving you some pretty raw numbers that you can then consume in tooling that maybe you're already familiar with, like Grafana or Prometheus, for doing dashboards and kinda optics for operations. By going to kind of 100% Azure native services, some of that changed. So potentially, like, telemetry that you get out of that Web App for Containers, well, because it's running in Azure Web Apps, if you haven't instrumented the container so it's talking to something else like App Insights. Which in this case it wasn't instrumented for that. You know, rather than saying, okay, let's make another big code change and implement App Insights across the board, let's see what we can get out of native Azure metrics. So metrics through, like, Azure Monitor are just based on the existing resource providers, so in this case, Microsoft.Web/sites. So what are the metrics that I can get out of Microsoft.Web/sites? And now that I don't have Grafana or Prometheus for my dashboard, you know, what can we do with maybe building out Azure dashboards or using things like workbooks to get those visualizations back to where they need to be. And so, you know, the security team and the operations team can understand where things lay out for these applications in their updated architecture. And kind of what that looks like.
That might change things a little bit. You might be looking at, like, CPU time as a metric from a virtual machine. Well, in Azure Web Apps, you know, you can do an aggregation across, like, average CPU usage. Effectively the same thing. But it might look a little bit different, you might have to figure out just what is that difference, and does it fit my need, and is it really there and ready to go for me.

- [Ben] Got it. Very cool. More stuff to play with. I don't have time to play with all this stuff.

- [Scott] Yeah, it was really sleek as just kind of a validation exercise, to say, hey, do these things work? And can we figure out where the pain points are gonna be, or, you know, potentially where those rough edges are gonna be with that service, you know, App Service on containers, along the way. So we certainly ran into things, like we had a container which was just a .NET Core build output, one of the microservices, but just through its initial build process it was ready to come up on port 8080 internally. And then, you know, you're just doing port mapping at the service level in AKS to say, like, no, it's really 443 mapping to 8080 on this container, and blah blah blah. So we had some things to get over like that, and there was another .NET Core API that was misbehaving a little bit in Azure Web Apps. So it turns out that Azure Web Apps, when it goes to start your container, one of the ways it figures out container health for a website is just by effectively doing pings into it. So by pinging your website just on port 80. So for some of these APIs, just based on routing, cause they were at /api/1, /api/2, things like that. If you just went to /api/1, just like the root homepage or root route of the API, we weren't actually returning any responses, so things like Azure Web Apps would die. And it would just fail the container. It would say, I can't start it, because the website is not up. It's like, hold on, the website's there, you just need to look in this other place. Or we needed to, in some cases, like, shut off availability checks just to get the apps up and running. And then over time we can fix those errors and kinda get them to where they need to be, and do that more transformational remediation. So from a lift and shift, or just a straight up, like, re-host perspective, going from AKS to Web Apps for Containers, super minimal change.
Like, if I hadn't had to change those environment variables, there wouldn't have been a reason to change anything along the way. Right, it would have been just a straight one to one. And then potentially these other more transformational changes pick up and are like, hey, let's make that API run the right way so that we can keep availability checks on, cause that's kind of an important thing.

- [Ben] Right. Very cool.

- [Scott] Yes.

- [Ben] Something of an exercise.

- [Scott] It was definitely different. It was something to do that was potentially a little bit different from virtual machines and tapping into some new stuff. And potentially solve some pain points. Like, honestly, like, I walked away, and at the end of it I was like, this ACR build tasks thing, I can use this all the time in my workflow now. Even for demos and webinars and things like that. Where now I don't need to worry about, you know, was my Hyper-V VM for Ubuntu up to date and ready to go. Cause I always had to have a separate VM to do that. You know, you can't do it inside of WSL1 today, like, you can't do that docker build, cause again you don't have the daemon there. So it just simplified, like, a bunch of things, and I just thought that was, like, one of the coolest features, cause it's gonna make my life a lot easier for demonstrations and webinars and everything else, being a little selfish.

- [Ben] Yeah, definitely. All right, sounds good. Well, thanks for that episode.

- [Scott] Yeah, no worries.

- [Ben] Another fun Azure one. So go enjoy your weekend now. Go get out to the beach. Get some fresh air.

- [Scott] Yeah, it is one of my goals.

- [Ben] All right, sounds good. Well, enjoy, good talking to you. And we'll talk to you again next week.

- [Scott] Thanks.

- [Ben] If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on this show, or feedback about this show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.