Category Archives: Azure

Document Protection with Azure Information Protection Ad-hoc permissions

Document protection is a key step in meeting an organization's security standards and policies. With AIP we can achieve this either by defining protection policies globally or by letting document owners set custom permissions.

User Defined Permissions with the label :

Steps to configure in AIP

Navigate to Azure Portal

Search for the Azure Information Protection service and select the label on which we want to configure user-defined permissions.

In this case, I selected the ‘Restricted’ label and, under protection settings, set the protection action type to ‘Set user-defined permissions’. Save the policy after the configuration changes.



Test the functionality:

Open any Office application and select the label ‘Restricted’. We see the prompt below for user-defined permissions.


Similarly, open a new email in Outlook and select the label ‘Restricted’. The moment you select the label, Do Not Forward protection is applied to the email.


Global Policies in AIP for Document Protection:

Unlike user-defined permissions, global policies are mapped to the labels defined in the taxonomy. Each label's protection settings can assign different usage rights to different groups or domains.

This way, we can impose rights restrictions based on the recipient's domain. In this scenario, I configure the protection settings so that the Co-Owner role is assigned to my domain and the Viewer role to external domains such as Gmail and Yahoo. That way, if I send an attachment labelled ‘Restricted’, all members of my organization can read/write/edit it, authenticated users (in O365) can review it, and users in Gmail and Yahoo can only view it.


Test the Functionality:

Label a word document to ‘Restricted’.


Attaching it to an email: we see the recommendation to classify the email as ‘Restricted’ too.

I am sending it to a user within my domain and to a user in Gmail, and we can see the prompt from the policy.








Creating Classification Labels and Policies in Azure Information Protection

Information Rights Management is a subset of Digital Rights Management technologies which protects sensitive information against accidental or unauthorized modification, deletion and misuse.

Azure Information Protection (AIP) is a service offered by Microsoft which provides the features and functionality of Information Rights Management. With AIP, an organization can classify, label and protect sensitive information, which gives it visibility over the different types of sensitive data across its locations.

Steps to Configure Policies in Azure Portal

Before we configure the global policies, it is always recommended to get the taxonomy crisp and clear. Do not create too many labels and sub-labels.

Here in this example, I am keeping the taxonomy straightforward:

Restricted – For highly sensitive content

Confidential – For Sensitive content

Internal – For the content within the Organization

Public – For all other content

Steps to configure Labels and Policies in Azure Portal 

Log in to the Azure Portal

Search for Azure Information Protection



Add new label 


Give a name to the label and add a description. Navigate to Protect and add the users or groups who will consume the permissions.

Protection Settings: Select Azure Key or HYOK as per the organization's structure, set the file expiration settings and add permissions based on the AD group or individual recipient addresses. Set the permissions (Co-Owner, Co-Author, Reviewer, Viewer etc.) as appropriate.



I created four labels as Internal, Public, Confidential & Restricted



Create a policy to map this label

Select Policies under Classifications and click ‘Add a new policy’.


Give a name to the policy and, from the drop-down list, select the label to which this policy is to be applied.


Now that we have created labels and policies in the Azure portal, let us verify that they are reflected on the client machines.

Prerequisites for installing AIP Agent in Clients:

  1. Azure Active Directory: Make sure the on-premises identities are in sync with the Azure identities. Azure AD Connect is used to sync the identities. If the users are in O365, they can directly download the Office apps from
  2. Supported client platforms: Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 with .NET Framework 4.6.2
  3. Office applications: Office 365 ProPlus, Office Professional Plus 2019/2016/2013 (SP1)/2010 (SP2)
  4. Connectivity to Azure services over the internet: Make sure that the URLs are allowed and the necessary ports are open as per the network prerequisites
  5. Download the AIP client from here


Installing AIP client





Sign in to the Office apps with the organization account that has an AIP license assigned; as you open them, you see the labels appearing in the apps.






Now, when a label is selected, the policy configured for that label is applied to the content, and the sender of the email or author of the document has visibility into the content's life cycle.
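As an added example (not code from the original post), the following PowerShell uses the classic AIP client's AzureInformationProtection module to check that files in a test folder carry the expected label and are actually RMS-protected, which is the client-side verification described above. The folder path is a placeholder, and the output property names are the ones documented for Get-AIPFileStatus.

```powershell
# Added example, not part of the original post. Requires the classic AIP client, which installs
# the AzureInformationProtection PowerShell module. The folder path is a placeholder.
Import-Module AzureInformationProtection

$folder        = 'C:\AIP-Test'   # placeholder: folder holding documents labelled in the Office apps
$expectedLabel = 'Restricted'    # label from the taxonomy above

# Get-AIPFileStatus accepts file objects from Get-ChildItem on the pipeline.
$status = Get-ChildItem -Path $folder -File -Recurse |
    Get-AIPFileStatus |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSOwner

$status | Format-Table -AutoSize

# A file carrying the 'Restricted' label but no RMS protection means the label's protection
# settings did not apply (policy not scoped to this user, client not signed in, or an
# unsupported file type), so the content would leave the organization unprotected.
$unprotected = $status | Where-Object { $_.MainLabelName -eq $expectedLabel -and -not $_.IsRMSProtected }
if ($unprotected) {
    Write-Warning "Labelled '$expectedLabel' but not protected:"
    $unprotected | Format-Table FileName, RMSOwner -AutoSize
}

# Files with no label at all are candidates for review before they are shared.
$unlabelled = $status | Where-Object { -not $_.IsLabeled }
"Unlabelled files: $(@($unlabelled).Count)"
```

Run it from a PowerShell session on a client where the AIP add-in is already showing the labels; the warning branch is the one to watch, since a label without protection looks correct in the Office ribbon but gives none of the rights restrictions configured in the portal.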











Disaster Recovery with Microsoft ASR ( Hyper-V to Azure)

Every organization needs a strategy for planned and unplanned outages that keeps its workloads, apps, services and data running all the time. This strategy should genuinely assure continuity of services.

What is ASR : Disaster recovery Solution Provided by Microsoft Azure

Azure Portal Used for this Demo : Classic

Using Microsoft ASR (Azure Site Recovery), one can achieve BCDR (Business Continuity and Disaster Recovery) in a very simple way which is far more efficient than traditional disaster recovery methods.

The traditional way to have a disaster recovery plan is to maintain an on-premises secondary site with equal compute capacity that can take over the workloads in case of a disaster, and to replicate the data between the primary and secondary sites.

Advantages of having Azure Site recovery :

  1. Simple BCDR Strategy
  2. Flexibility in Replication
  3. Easy Recovery
  4. Eliminate Secondary DataCenters
  5. Integrate with existing BCDR strategies

Replication is the key in any Disaster Recovery plan and ASR does this in a very sophisticated way

What can I replicate ?

  1. On-Premises Physical Servers (Both  Hyper-V and VMWare)
  2. On-Premises VMWare Virtual Machines
  3. On-Premises Hyper-V Virtual Machines
  4. On-Premises Hyper-V Hosts in VMM Cloud

Note: For on-premises Linux and on-premises Hyper-V hosts in a VMM cloud with SAN storage replication, only the orchestration can be configured in ASR.

Now, I am going to show you the configuration of Azure Site Recovery between Hyper-V Virtual Machines and Azure Cloud

Prerequisites for Azure :

  1. Azure Account
  2. Azure Storage Account
  3. Azure Site Recovery Vault
  4. Azure Virtual Network

Prerequisites for Hyper-V

  1. A server running Windows Server 2012 R2 with the Hyper-V role installed
  2. At least 2 virtual machines running on this Hyper-V host
  3. Hyper-V host connected to the internet

Note: If the Hyper-V host cannot reach the internet directly, configure a proxy server that allows the URLs below

  • *
  • *
  • *
  • *
  • *

Step 1:

Create Azure Vault

Sign in with your Azure account

  1. Expand Data Services -> Recovery Services and click Site Recovery Vault
  2. Click Create New -> Quick Create and give the details of region and subscription
  3. Click Create Vault



Create Hyper-V Site

Click on the newly created vault and select the highlighted pane


Select the recovery model as shown below (screenshot: select recovery site)

Steps for creating the site:

  1. Create Hyper-V Site

Click on “Create Hyper-V Site”

2. Prepare Hyper-V Server (these steps are performed on the Hyper-V host)

A sample Virtual Machine, VM1 is created in Hyper-V host for this demo

Download the provider and the registration key to the Hyper-V host

Browse to the vault credentials that were downloaded

Vault Settings


Come back to the Azure Portal

Create a storage account

Storage Account

Create an Azure virtual network

Go back to the Azure vault and create a protection group

Protection Group

Replication settings

Select the Protection Group and add Virtual Machines to the Protection Group

Add VM2

Once we add the virtual machine, it is replicated to Azure

VM2 Replication Status


Select the virtual machine and click on “Test Failover”

Select the VM, review the configuration settings and change the Microsoft Azure Network to the network which we created

VM configurations

Select the Virtual Network for the failover

Failover network selection

VM Replication Status

VM replication

Disk Replication Status

Disk replication

Backup Workloads to Windows Azure Backup Server

Microsoft has come up with a new component in Azure called Microsoft Azure Backup Server, which can back up not only data but also the workloads of different applications like SQL, Exchange, SharePoint etc.

This new component, Microsoft Azure Backup Server, inherits the workload backup functionality of System Center Data Protection Manager, but it neither provides protection to tape nor integrates with System Center.

Prerequisites for Installing Microsoft Azure Backup Server:

  1. The server on which Microsoft Azure Backup Server is to be installed should be joined to a domain
  2. The server should be connected to the internet
  3. The server should meet the requirements of .NET 3.5, .NET 4.0 and Windows Management Framework 4.0 (Windows Management Framework can be downloaded here)

Steps for preparing Microsoft Azure backup Server

  1. Create a backup Vault in Azure Portal
  2. Download the Vault Credentials
  3. Use Vault Credentials to authenticate with Azure Backup Service
  4. Download Microsoft Azure Backup Server
  5. Install Azure Backup Server

Methods to back up:

Disks ( D2D) Disk to Disk

Azure ( D2D2C) Disk to Disk to Cloud

Deployment Scenarios: We can deploy Azure Backup Server in

  1. An Azure Virtual Machine
  2. A Windows Virtual Machine in VMWare
  3. A Hyper-V Virtual Machine
  4. A physical stand-alone server.


  1. Microsoft Azure Backup Server cannot be installed on a machine that has the SCDPM or SCDPM RA agent installed.
  2. Microsoft Azure Backup Server cannot be installed on a machine that has the Microsoft Azure Backup agent installed and registered with an Azure Backup vault.

Creating a Backup Vault  in Azure Portal :

Sign in to the Azure Management Portal


Navigate to New > Data Services > Recovery Services > Backup Vault and choose Quick Create


What is the vault credential file?

The on-premises server (Windows client or Windows Server or Data Protection Manager server) needs to be authenticated with a backup vault before it can back up data to Azure. The authentication is achieved using “vault credentials”.

The vault credential is used only during the registration workflow. It is the user’s responsibility to ensure that the vault credentials file is not compromised. If it falls in the hands of any rogue-user, the vault credentials file can be used to register other machines against the same vault. However, as the backup data is encrypted using a passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this concern, vault credentials are set to expire in 48hrs. You can download the vault credentials of a backup vault any number of times – but only the latest vault credential file is applicable during the registration workflow.

Download Vault Credentials 

  1. Sign in to Azure Management Portal
  2. Click on Recovery Services, select the backup vault created and select the cloud icon
  3. Save the vault credentials in a location that is accessible by Azure Backup Server
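As an added example (not from the original post), here is how the downloaded vault credentials file can be handled on the backup server in line with the warning above: refuse a copy older than the 48-hour validity window, restrict its NTFS permissions to the installing account and SYSTEM, and delete it once registration is finished. The file path and the account list are placeholders.

```powershell
# Added example, not part of the original post. Path and account names are placeholders.
$vaultCredFile   = 'C:\AzureBackup\MyVault.VaultCredentials'            # placeholder path
$allowedAccounts = @('NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\$env:USERNAME")

# 1. The file is only valid for 48 hours after download; refuse to use a stale copy.
#    CreationTime is set when the browser writes the downloaded file.
$age = (Get-Date) - (Get-Item -Path $vaultCredFile).CreationTime
if ($age.TotalHours -gt 48) {
    throw "Vault credentials are $([int]$age.TotalHours) hours old; download a fresh file from the portal."
}

# 2. Lock the file down: stop inheriting the folder's ACL, drop any explicit rules,
#    and grant read access only to the listed accounts.
$acl = Get-Acl -Path $vaultCredFile
$acl.SetAccessRuleProtection($true, $false)     # disable inheritance, discard inherited rules
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($account in $allowedAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $vaultCredFile -AclObject $acl

# 3. Run the Azure Backup Server setup and point its registration step at $vaultCredFile.

# 4. After registration the file has no further use; anyone who obtains it could register
#    another machine against the same vault, so remove it rather than leaving it on disk.
Remove-Item -Path $vaultCredFile -Force
```

The ACL step uses Get-Acl/Set-Acl with a FileSystemAccessRule, which is the standard .NET way to edit an NTFS DACL from PowerShell; step 3 is a comment because the registration itself is done in the setup wizard described below.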

Download Azure Backup Server:



Install the Azure Backup Server as per your infrastructure requirements

Installing a new Active Directory Forest in Azure Virtual Network

Step by Step Procedure to install a new Active Directory Forest in Microsoft Azure Portal

Technical Description:

We are all aware of implementing an Active Directory infrastructure in an on-premises environment, and we know how to join machines to the domain.

We can achieve this scenario in Microsoft Azure by following some additional steps which differ from the on-premises implementation.

How does this differ from on-premises:

  1. Create a Virtual Network in Azure
  2. Create A VM in Azure Portal
  3. Set a static IP address by PowerShell command (Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress <> | Update-AzureVM)
  4. Attach a Virtual Disk to newly Created VM
  5. Install Windows Server Active Directory (this step is the same as on-prem)
  6. Set DNS address on the Virtual Network properties
  7. Reset DNS server for Azure Virtual Network
  8. Create a VM and join to the domain

Considerations :

The Azure network is not connected to the on-premises network. To connect the Azure network to on-premises, we have to set up a site-to-site VPN in the Azure portal.

  1. Creating Virtual Network in Azure Portal 

Sign in to Azure portal


Navigate to New-> Network services-> Virtual network-> Custom Create


Virtual Network Details : Enter a name for your Virtual network

Region : Choose a region which is closest

DNS and VPN: Leave the DNS server blank and don't select the VPN option either

Virtual Network Address Spaces :

Subnet name : Enter a name for your Subnet

Starting IP :

CIDR: /24 (256)

2. Create a VM in Azure Portal :

We have to create 2 VMs. One VM is for AD and the other VM is to be joined to the domain.

Navigate to New->Compute->Virtual Machine->From Gallery


Choose the Windows Server 2012 Datacenter image


Create a cloud service and select the virtual network which was created earlier

Map it to a storage account and select the availability set if created earlier; otherwise create them


3. Reserve a static IP address for the VM that will run the DC role. To reserve a static IP address, download the Microsoft Web Platform Installer, install Azure PowerShell and run the Set-AzureStaticVNetIP cmdlet. For example:

Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress <> | Update-AzureVM
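The same reservation as an added worked example (not the post's own code), using the classic Azure Service Management PowerShell module the post refers to: it first checks with Test-AzureStaticVNetIP that the address is free, then binds it and reads it back with Get-AzureStaticVNetIP. The virtual network name and the IP address are placeholders; the service and VM names are the ones used above.

```powershell
# Added example, not part of the original post. Uses the classic (Service Management) Azure module.
Import-Module Azure   # classic ASM module; run Add-AzureAccount / Select-AzureSubscription first

$serviceName = 'AzureDC1'     # cloud service name used in the post
$vmName      = 'AzureDC1'     # VM name used in the post
$vnetName    = 'AD-VNet'      # placeholder: the virtual network created in step 1
$staticIp    = '10.0.0.4'     # placeholder: first usable host address (Azure reserves the first three)

# Confirm the address is free before binding it; a DC that silently gets a different
# address after a reboot breaks DNS for every member server.
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $staticIp
if (-not $check.IsAvailable) {
    throw "IP $staticIp is in use. Available addresses: $($check.AvailableAddresses -join ', ')"
}

# Bind the static VNet IP to the VM and push the updated configuration.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureStaticVNetIP -IPAddress $staticIp |
    Update-AzureVM

# Read the reservation back to verify it was applied.
$reserved = (Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureStaticVNetIP).IPAddress
if ($reserved -ne $staticIp) { throw "Expected $staticIp but VM reports '$reserved'" }
"Static VNet IP $reserved reserved for $vmName"
```

The availability check matters because Set-AzureStaticVNetIP does not itself refuse an address that DHCP has already handed to another VM in the subnet; the reserved address should then be the one you enter as the DNS server on the virtual network properties in step 6.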

4. Attach a Virtual Disk to the Newly Created VM 



5. Install Windows Server Active Directory

This is the same as we do on-prem. Add Active Directory Domain Services from the roles and proceed with the next steps. Be sure to change the SYSVOL location from the default C drive to the other drive that we added before.

6. Set DNS address on the Virtual Network properties

7. Reset DNS server for Azure Virtual Network

Reset the DNS forwarder setting on the new DC/DNS server.

  1. In Server Manager, click Tools > DNS.
  2. In DNS Manager, right-click the name of the DNS server and click Properties.
  3. On the Forwarders tab, click the IP address of the forwarder and click Edit. Select the IP address and click Delete.
  4. Click OK to close the editor and Ok again to close the DNS server properties.
  5. Restart the DC and join with Domain Credentials
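As an added example (not from the original post), the same forwarder cleanup as steps 1-4 above done from PowerShell on the new DC, using the DnsServer module that ships with the DNS Server role; it lists the forwarder that was picked up during setup, removes it, makes sure root hints stay in use and verifies that no forwarder remains.

```powershell
# Added example, not part of the original post. Run in an elevated session on the new DC/DNS server.
Import-Module DnsServer

# Show the forwarder(s) currently configured on this DNS server.
$before = Get-DnsServerForwarder
"Forwarders before: $($before.IPAddress -join ', ')"

# Remove every configured forwarder (the GUI steps above delete the single entry on the Forwarders tab).
foreach ($fwd in $before.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $fwd -Force
}

# With no forwarders left, resolution must fall back to root hints; make that explicit.
Set-DnsServerForwarder -UseRootHint $true

# Verify: any forwarder still present means the change did not apply.
$after = Get-DnsServerForwarder
if ($after.IPAddress) {
    throw "Forwarders still present: $($after.IPAddress -join ', ')"
}
"Forwarders removed; the DNS server now resolves via root hints."
```

If the organization routes outbound DNS through resolvers it controls, replace the UseRootHint line with Add-DnsServerForwarder for those addresses instead; the point of the step is only that the forwarder left behind by setup is not the one the domain should depend on.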

8. Create a New VM and join to the domain.

Create a new VM from the gallery and select the cloud service and virtual network which were created.

Go to Server Manager and change the VM from the workgroup to the domain. Enter the domain credentials to join the VM to the domain.