Unlike WAF v2, the v1 product does not have custom rules for blocking IPs, so you will still need to do this at the IIS level.

When the WAF forwards the request, it adds “x-forwarded-for” to the HTTP headers and leaves the c-ip (client IP) the same.

By default, IIS checks the IP Address and Domain Restrictions list on the site and blocks the c-ip (client IP) using this list.

Enabling Proxy Mode (in IIS 8 and up) means it will also adhere to the x-forwarded-for header, but you will need to add the subnet of the WAF (as it picks a different IP each time) to the allow list as well, or the health probe won’t be able to make sure the site is up.
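
The settings described above can also be applied with the WebAdministration PowerShell module. This is an added example, not part of the original post; the site name, WAF subnet and blocked address are placeholder assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Needs the IIS "IP and Domain
# Restrictions" feature and an elevated session on the web server.
Import-Module WebAdministration

$Site   = 'Default Web Site'                       # assumption: your site name
$Root   = 'MACHINE/WEBROOT/APPHOST'                # write to applicationHost.config
$Filter = 'system.webServer/security/ipSecurity'

$Entries = @(
    # assumption: placeholder WAF subnet, allowed so the health probe still passes
    @{ ipAddress = '10.0.1.0'; subnetMask = '255.255.255.0'; allowed = 'true' }
    # assumption: placeholder client address to block (documentation range)
    @{ ipAddress = '203.0.113.25'; subnetMask = '255.255.255.255'; allowed = 'false' }
)

# Proxy Mode: also evaluate the x-forwarded-for header added by the WAF
Set-WebConfigurationProperty -PSPath $Root -Location $Site -Filter $Filter `
    -Name 'enableProxyMode' -Value $true

foreach ($entry in $Entries) {
    # Skip entries that already exist so the script can be re-run
    $xpath = "$Filter/add[@ipAddress='$($entry.ipAddress)']"
    if (-not (Get-WebConfiguration -PSPath $Root -Location $Site -Filter $xpath)) {
        Add-WebConfigurationProperty -PSPath $Root -Location $Site -Filter $Filter `
            -Name '.' -Value $entry
    }
}

# Show the resulting state for review
(Get-WebConfigurationProperty -PSPath $Root -Location $Site -Filter $Filter -Name 'enableProxyMode').Value
Get-WebConfiguration -PSPath $Root -Location $Site -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```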


Log in to Azure Active Directory. Locate Usage & insights, under Monitoring.

Select “Users registered for Multi-Factor Authentication”

 

 

This can also be done in PowerShell: https://dirteam.com/sander/2020/05/14/todo-optimize-the-azure-multi-factor-authentication-methods-used-throughout-your-organization/

Monitoring with PowerShell: Monitoring the used MFA type for O365/Azure.

  1. Set up an Azure subscription if you haven’t got one already; this will be used for billing. The storage costs under $1/month for 1 GB of space.
  2. Create a Storage Container in the right Azure Region with the correct redundancy (Local Redundancy Storage is cheaper). Use General Purpose V2!
  3. Create a Blob Container in this Storage Resource
  4. Use Storage Explorer to upload files here
  5. Upload the file you would like to deploy
  6. Right click on the file and choose “Get Shared Access Signature”

I set a 100-year expiry and leave access as Read Only.

It will give you a URI and a query string.

Copy the URI ONLY up to the file name (nothing after it, e.g. the example below) and put it in $BlobUri

Copy the FULL query string and put it in $Sas

Change the output path, which needs to exist and end with a trailing \; in this example I have used the user’s Desktop

# Variables: use Azure Storage Explorer to get the Shared Access Signature of the file.
# Copy the URI up to and including the file name into $BlobUri and the query string into $Sas.
# You will need a new SAS for each file.

$BlobUri = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas = '?sp=XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
# Output path; it must already exist and end with \
$OutputPath = 'C:\Users\' + $env:UserName + '\Desktop\'

# Build the full URI (blob URI followed by the SAS query string)
$FullUri = "$BlobUri$Sas"
# Download the file to the output path, keeping the file name (and extension) from $BlobUri
(New-Object System.Net.WebClient).DownloadFile($FullUri, $OutputPath + ($BlobUri -split '/')[-1])

Deploy this PowerShell file via Device Config Scripts
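
Because the $Sas value travels inside the script to every device, it is worth confirming what the token actually grants before deploying it. The following is an added example, not part of the original post: it parses the standard SAS query fields (sp, se, spr, sig) from a constructed sample token; the function name and the HTTPS-only check are assumptions of this example.

```powershell
# Added example (not from the original post): summarise a SAS query string
# so its scope can be checked before it is embedded in a deployed script.
function Get-SasSummary {
    param([Parameter(Mandatory)][string]$Sas)

    # Split "?k=v&k=v" into a lookup table, URL-decoding each value
    $fields = @{}
    foreach ($pair in $Sas.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $fields[$name] = [System.Uri]::UnescapeDataString([string]$value)
    }

    # se = expiry time (ISO 8601), sp = permissions, spr = allowed protocols
    $expiry = $null
    if ($fields['se']) {
        $expiry = [datetimeoffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture).UtcDateTime
    }

    [pscustomobject]@{
        Permissions  = $fields['sp']
        ReadOnly     = ($fields['sp'] -ceq 'r')
        HttpsOnly    = ($fields['spr'] -eq 'https')
        ExpiresUtc   = $expiry
        DaysLeft     = if ($expiry) { [math]::Floor(($expiry - [datetime]::UtcNow).TotalDays) } else { $null }
        HasSignature = [bool]$fields['sig']
    }
}

# Constructed sample token with a placeholder signature, not a real credential
$SampleSas = '?sv=2020-08-04&sr=b&sp=r&spr=https&se=2121-01-01T00%3A00%3A00Z&sig=PLACEHOLDER'
$summary = Get-SasSummary -Sas $SampleSas
$summary | Format-List

# Stop if the token is broader than a signed, read-only link
# (the HTTPS-only requirement is an assumption added by this example)
if (-not ($summary.ReadOnly -and $summary.HttpsOnly -and $summary.HasSignature)) {
    throw "SAS is not a signed, read-only, HTTPS-only token (sp=$($summary.Permissions))"
}
```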


If you are looking to migrate a classic VM in Azure to ARM, you will need to set up your endpoint port forwards via a Load Balancer.

Go to the Azure portal: http://portal.azure.com

Click “NEW” -> type “Load Balancer” in the search field -> click “Load Balancer”

After you have clicked the “Load Balancer”, click the “Create” button.

Then fill out the configuration blade as shown below:

Azure will take a few minutes to create the Load Balancer.

 

Once created, your resource group will look like this:

Step 2: Configure Load Balancer Backend Pool

In order to connect our newly created load balancer to our virtual machines, we need to create a so-called “Backend Pool”.

To do so click on your load balancer to open its configuration blade.

Click on the item called “Backend Pool” in the menu to the left:

Then click the “Add” button:

 

 

Fill out the “Add backend pool” configuration blade as shown below:


Now click on “+ Add a target network IP configuration”:

 

 

…and select the IP configuration for your virtual machine:

 

 

Finally, click the “OK” button to save the Backend Pool.

Now repeat this step, but this time choose VM1 instead of VM0.

All in all, this will give us two backend pools pointing to VM0 and VM1 respectively:

It will take Azure 1-2 minutes to create the Backend Pools

Step 3: Configure NAT rules

Our load balancer is now connected to our virtual machines, and we need to configure rules for redirecting network traffic.

Start by clicking “Inbound NAT Rules” in the menu to the left:

Then click the “Add” button:

Fill out the “Add inbound NAT rule” configuration blade as shown below:

 

Now repeat this step, but this time choose VM1 instead of VM0.

We will now end up with two Inbound NAT Rules: one with port 8088 associated with VM0 and one with port 8089 associated with VM1:

  1. A server to install MAP onto (this will install a SQL instance as well). This server will need to be on constantly for 7 days
  2. VMware login to ESX if they have this (if they have Hyper-V, ignore)
  3. An account to query your domain and computer accounts, and the OU that contains your servers
  4. Administrator logins to all servers for WMI polling, as well as to machines not on the domain such as Linux machines (root)
  5. SQL logins for SQL Servers
  6. If logins cannot be given or SSH is not allowed, the details below will need to be prepared for each machine
    1. Machine OS
    2. Physical and Virtual CPU Count
    3. Memory
    4. Number of Disks with Size and Free Space
    5. Rough Monthly Network Throughput
    6. Any High Disk I/O Operations

 


Error

that determining the Current Master Multi-Factor Authentication Server. the user interface will close

Things to check 

1. Make sure the server can access via IE

2. Make sure you have a valid Subscription in Azure

If you have been using a trial, this might have expired; you need to be at least on a pay-as-you-go subscription. You need to manually change this.

3. Make sure you have a Multi-Factor Auth Provider in your Azure Login

Log in to https://manage.windowsazure.com/

New Portal 

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/Providers/fromProviders//hasMFALicense/

Just follow the steps

  1. Jump into C:\Program Files\Multi-Factor Authentication Server\Data
  2. Unhide all folders and files
  3. Rename the LicenseKey to Licensekey.old
  4. Reopen the program
  5. Skip the wizard and configure components manually, so I chose to check the box and chose Next.


Go back to the Azure Portal and select manage multifactor provider:


Then under download settings you have the option to generate an activation code:


Enter the activation details in the MFA server tool and click activate:


After activation I chose to use the default group; you can create your own groups if you want:

 

You can check the status via https://pfweb.phonefactor.net/framefactory
