I wish to create a storage account CUSTOM role for my client.

In that role I wish the Azure Identity (Users in On-Prem AD groups, Managed identity for webAPP, on-prem synced Service Accounts) to only Create/Add/Delete/Update (CRUD) without being able to see or self-rotate the Admin Key or SAS key for following.

1. BLOB / Containers / Files


2. FilesShare


3. Table


4. Queue/Messages.

Current Method : [Auditing using KeyVault and Access Policies]

Above is required as we want better Auditing directly from Storage account, rather than using current 2 step process method :

Step 1 : Identity can go to key vault and get the Admin key [KV will Audit who accessed it]

Step 2 : The identity can use the key to do CRUD on Storage Account.

Requirement : (AD AUDIT on Storage Account:)

So to enable AD access directly on Storage Account. I followed the steps :

• I was able to see the Operation Actions available using following command

$type = 'Microsoft.Storage'
Get-AzProviderOperation | where Operation -Like '$type/*' | ft Operation OperationName Description

• I created a custom role definition by picking whats important for each type i. blob,files,tables,queue. i can share the actions i picked if you need it.




• After that I noticed that client was able to CRUD

Blob/Containers,
Queue/Messages

• But was NOT able to create the

FileShare
Tables.

• Error the clients get on Portal Screen says that the user needs following ACTION:

'Microsoft.Storage/storageAccounts/listKeys/action'

• I cannot apply the above ACTION as it also allows them to generate the SAS Key and see Admin Key.

Please if you can resolve too much power in one ACTION Operation. and make FireShare and Tables in line with how BLOB and Queue works behind the scene in Azure Product.

Potential fix :

So IMHO need 3 Actions to make it in line as blob & queue i.e

1. Let them CRUD FileShare & Tables just like Blob & Queue using AD assignment to the Custom ROLE




2. Second ACTION to let them genrate SAS key




3. Third ACTION to see ADMIN keys

please help as I need to enable my users and comply with Regulatory requirements directly on Storage account rather than 2 step process involving Key Vault.

Related:

FYI - you cannot assign Custom Role containing 'DataActions' at Management Group level.

https://feedback.azure.com/forums/911473-azure-management-groups/suggestions/39394078-custom-role-dataactions-is-not-supported-for-a

When a VM hits its global VM-wide IOPS or bandwidth limit and throttling kicks in, provide a facility for creating an alert based on this situation.

Currently, the methods to detect I/O throttling rely on collecting guest OS statistics and comparing them to the limits specified by Azure. It would be a real benefit to determine at the hypervisor level when I/O throttling has taken place and record this in customer-visible metrics. These metrics are already internally visible to Microsoft support, so the data is collected-- just not presented.

At a minimum, the disastrous situation where whole-VM I/O throttling has taken place should be able to generate an alert.

A good resource for describing I/O throttling is here:

https://docs.microsoft.com/en-us/archive/blogs/xiangwu/azure-vm-storage-performance-and-throttling-demystify

A good quote from that article:

In order to prevent the blocking issues and to improve
the performance, we need to:

Prevent VM level throttling at all cost.

I completely agree with this. Throttling often is not merely a slowdown, but instead causes VMs to hang, crash, or cease servicing requests. This creates significant availability issues that are hard to detect by other means since Azure heartbeats continue even while the business services are dead.

Beyond this basic alert on "your server may be dead" from global VM IO throttling, it would be great if we could also get individual disk alerts when throttling kicks in, or even (ideally) when some percentage of the maximum is reached for some defined period of time.

We are trying to connect to the azure sql SSISDB from azure data factory.

We have the following configuration -

A customized integration runtime attached to a vnet with two public static ips and the azure sql db which we are trying to access is also attached to the same vnet.

We ran an Execute SSIS Package activity which connects to azure sql and it ran successfully. Now that we want to use Stored Procedure activity to execute a sproc on the azure sql ssis db and for that we are trying to create a linked service for the database and while doing so I could see that it only connects to AutoResolveIntegrationRuntime and since we have disabled the Allow Azure Services button on azure sql, linked service is not able to connect saying clientip dont have access to the sql server.

Is there anyway to make database linked service to use the customized integration runtime since that it is already part of the same vnet as of the azure sql ? Or else is there anyway to access the azure sql db attached to vnet from the database linked service ?

Need the requirement of this feature to support our scenario

The Azure VM Backup and Azure Site Recovery processes both rely on freezing the filesystems of the Linux guests to provide a consistent point in time for snapshots to be made. This ensures that each independently snapshotted managed disk contains the same point in time as the others.

Due to issues with the handling of the freeze process by the guest OS, sometimes this freeze process cannot be reversed and the virtual machine hangs. (https://github.com/Azure/azure-linux-extensions/issues/95) This failure to unfreeze appears potentially related to how kswapd handles itself when it's using filesystem swap and the filesystem containing the swap file is frozen.

This begs the question, if swap is configured onto the Azure resource disk, which is not a managed disk, why does this filesystem need to be frozen at all? This disk isn't part of the backup (or site recovery) so why risk the stability of the host by freezing it?

Enhancement request: skip freezing the filesystems on the Azure resource disk to improve system stability.

When the /var filesystem fills up due to agent logs not rotating, Bad Things happen to the server. In many cases this is due to the Azure Host Agent failing to properly housekeep. Worse, when /var fills the Azure Host Agent can't even report the usage of /var back to Azure Log Analytics.

There are existing issues open for these problems for the software that exists on GitHub:

https://github.com/Azure/azure-linux-extensions/issues/618 (LinuxDiagnostic)

https://github.com/microsoft/OMS-Agent-for-Linux/issues/1111 (LAD logrotate file invalid)

https://github.com/microsoft/OMS-Agent-for-Linux/issues/932 (Old ZIP files filling up /var)

Azure Site Recovery is conspicuously absent from GitHub, so this feedback item is to track an equivalent need for log rotation and /var housekeeping for the Azure Site Recovery agent.

Due to the probable long time taken please add an error message prompt when customer fails to complete HTTPS domain validation which is handled by Digicert and they have their requirement when doing validation.

E.g. my customer encountered an error after he waited for quite some time without error prompt(stuck in domain validation phase)with the need of raising a support ticket to understand what happened from backend:

"The call to DigiCert failed with Error code rfc5280commonnametoolong and Message Common name must be less than 64 characters in order to be compliant with industry standards"

https://dev.digicert.com/errors/

Please consider to add this error message, thanks!

Website:
https://ex-ponent.com

Business Address
222 Somerset St W #402
Ottawa, ON
K2P 2G3
Phone:
(613) 747-2458

Owner name
Benoit Poliquin

Business Email
benoit@ex-ponent.com

Keywords
financial advisor, wealth management, financial planner, retirement planning, pension planning, investment management, portfolio review, individual pension plan

Business Description
We help business owners and professionals move from active business or professional income to retirement investment. Our turnkey personalized approach will enable you to plan, manage and implement your financial future. Our services include financial planning, investment management, portfolio review and individual pension plans.

Business Hours
Sunday: Closed Monday: 8:30 am–6:00 pm Tuesday: 8:30 am–6:00 pm Wednesday: 8:30 am–6:00 pm Thursday: 8:30 am–6:00 pm Friday: 8:30 am–6:00 pm Saturday: Closed

Social links
https://www.facebook.com/exponentinvestmentmanagement
https://ca.linkedin.com/company/exponent-investment-management
https://www.instagram.com/exponentim

We are a government customer with a GCC-Mid (L2) Azure Active Directory tenant. That means that it is a GCC tenant that runs on Azure Public infrastructure so that it can provide identity services to Office 365 GCC. We have our Azure Public subscriptions linked to that tenant within https://portal.azure.com/. Everything works fine EXCEPT being able to register an on-premise data gateway within our tenant and allowing our Logic Apps in Azure Public to connect to that on-premise data gateway. This is because the gateway is registered in an Azure Government region so that Power BI GCC can leverage it. That all makes sense for a customer who uses Office 365 GCC, but it doesn't work when we ALSO want to use Logic Apps in Azure Public in subscriptions that are linked to the same tenant. For now the workaround would be to create a 2nd AAD tenant in Azure Public, but that is not a great solution because it introduces additional management overhead of a second identity provider when all of our identity is centered already in the GCC-Mid (L2) tenant.

Is there any way this can be simplified for the government customers who want to leverage Azure Public as much as possible?