A collection of lessons learnt, problems fixed, labs built, and concepts understood. You will find hands-on guides, troubleshooting notes, and write-ups on hard problems I’ve worked through. Most of the articles are about Azure integration, hybrid cloud, and networking. This blog is for the future me as well — as a reference I can actually trust. Some articles will bridge the gap between official documentation and what actually happens in practice.

HandsOn — Building Hybrid Cloud Environment — Part 5 — Connectivity — Site-to-Site VPN establishing…

In the previous part, we established an on-premises identity foundation. The on-premises setup consists of a virtual network with Windows and Linux VMs joined to an on-premises Active Directory domain hosted on two domain controllers. In this part, we will create a VPN Gateway in Azure and a StrongSwan IPsec gateway on-premises and establish the Site-to-Site VPN tunnel — the foundation of our hybrid lab. Implementing a Site-to-Site (S2S) tunnel is simple — so rather than walking through the steps procedurally, I want to focus on what each component is actually doing. ...

June 6, 2026 · 11 min

API Specification and Policy Updates in Azure APIM Are Zero Downtime

Does APIM support zero downtime deployment? — To answer this question, multiple factors need to be ascertained, such as: What is the SKU? Have you opted for Availability Zones? In fact, the question needs to be qualified further: what do you mean by zero downtime deployment? In the case of APIM, there are infrastructure changes and then there are gateway configuration changes, like API specifications and policies. So, the answer depends on — SKU, AZ, and “what” kind of changes ...

June 5, 2026 · 2 min

Choosing the Right TokenCredential and How AZURE CLIENT ID Influences Identity Selection — A…

Photo by Matt Halls on Unsplash

Introduction

I have been using the DefaultAzureCredential class for a long time without understanding how it works. So, I jotted down my notes and learnings in this write-up for future me — and maybe you will find it useful too.

TokenCredential

TokenCredential is the abstract base class representing a source of authentication tokens for Azure services. Many classes derive from TokenCredential, but the most interesting ones are DefaultAzureCredential and ChainedTokenCredential. ...

May 20, 2026 · 5 min

Using Managed Identity for Function App Authentication with its Storage account

Recently, while setting up a Function App to use a User Assigned Managed Identity (UAMI) to authenticate to its AzureWebJobsStorage, I encountered a SyncTrigger failure. I checked whether the UAMI had the necessary RBAC roles to work on AzureWebJobsStorage — it had. So, I wasn’t sure what the issue was. Analyzing further, I realized I had skipped a few mandatory variable settings to enable UAMI-based authentication to AzureWebJobsStorage (setting the environment variable AzureWebJobsStorage__accountName alone does not suffice) ...

May 19, 2026 · 3 min

HandsOn — Building Hybrid Cloud Environment — Part 4 — Identity — Domain-Joining a Linux VM and…

In the previous parts, we created a primary and secondary domain controller and tested the domain join from a Windows client VM. In this part, we will domain-join a Linux VM to the domain controllers we created. The main purpose is to introduce a non-Windows system into the domain to test Kerberos authentication against Active Directory. We will:

- Provision a new Linux VM
- Assign the DC IP
- Install the Linux Kerberos client tools
- Join the domain
- Validation ...

May 2, 2026 · 8 min

HandsOn — Building Hybrid Cloud Environment — Part 3 — Identity — Additional DC and Replication

Previously, we created a domain controller (DC), joined a test virtual machine to the newly created domain and verified the authentication of a test user from the client VM. In this part, we will build redundancy into our environment by introducing a second domain controller. Active Directory (AD) is designed for multi-master replication, meaning multiple domain controllers hold a copy of the directory database. Adding a second DC provides:

- High Availability — authentication continues if one DC fails
- Load Distribution — clients can authenticate against different DCs
- Replication Redundancy — AD database changes replicate automatically

In this part, we will: ...

April 24, 2026 · 7 min

HandsOn — Building Hybrid Cloud Environment — Part 2 — Identity — On-Premises Domain Controller

In the first part, we laid the foundation for the hybrid cloud environment. Now we have a virtual network with a VM running Windows Server 2022 Evaluation. In this part, we will focus on adding the identity plane to the hybrid cloud environment by introducing a domain controller and creating an Active Directory structure. We will create a client VM, domain-join it and make sure a domain user is able to log in ...

April 18, 2026 · 11 min

HandsOn — Building Hybrid Cloud Environment — Part 1 — Identity & Connectivity Foundation

Introduction

In this series, I will take you through building an on-premises / Azure hybrid environment, with the on-premises network running entirely on a single machine. We will set up an on-premises Active Directory forest, create OUs and users, deploy domain controllers, join Windows and Linux VMs to the domain, and establish hybrid connectivity to Azure using an S2S VPN tunnel. I want to clarify right at the outset that on-premises identity is not a mandatory starting point for a hybrid cloud environment. But I have chosen to build it from the ground up, starting with the identity plane (on-premises Active Directory). ...

April 12, 2026 · 9 min

Adding application roles to Managed Identity

This guide outlines the process for assigning application roles to a Managed Identity (MI) in Entra ID. It covers observed behaviors, inherent limitations, and the necessary steps required when an MI must authenticate with another application (such as an API in APIM) using role-based access control (RBAC).

Scenario

In a typical architecture, a Logic App utilizes a Managed Identity (either System-Assigned or User-Assigned) to communicate with downstream resources. When that Logic App needs to call an API exposed via APIM, the following requirements usually apply: ...

February 27, 2026 · 3 min

Troubleshooting notes — Azure Table Storage 403 Authentication

Symptom

Calling the Azure Table Storage REST API returns:

403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

even though the Authorization header looks valid.

Root Cause

The request is missing the x-ms-version header. Azure Storage requires this header to determine the API version used for request validation. Without it, the service may reject the request with a misleading authentication error. ...

February 22, 2026 · 1 min