Using Resource Groups and Tagging in Azure Government

Azure Government is moving closer and closer to having the next generation portal and full Azure Resource Manager support.  Recent updates now make it possible to better organize and classify resources for lifecycle management, security and identification.  Below I would like to highlight some of these features and some best practices you can start using today.

Azure Resource Groups

Azure Resource Groups provide a mechanism to group together a collection of Azure Resources.  This enables administrators to manage the lifecycle as a single entity, assign tags (more on that in a moment), and apply role based access control.   Since Azure Resource Groups are not part of the original Azure classic environment, you will not see these exposed in the classic portal environment, however you will see them in the new portal.  The interesting thing is that when you create any resource in Azure, no matter if it is a classic resource or an upcoming Azure Resource Manager resource, they will always be placed in an Azure Resource Group. 

If you are creating classic resources using the classic portal or classic Azure PowerShell commands you will not have an option to choose what Azure Resource Group the resources are assigned to.  They will instead be assigned to default resource groups based upon the region and type of resource being created.   If you utilize the new portal or Azure Resource Manager PowerShell commands to create classic resources you have the ability to specify either an exiting resource group or to create a new resource group for your new resource.  

Best practice:  Always group resources together in a resource group if they share the same lifecycle or are resources related to a single solution.  This will enable easier management of the resources and provide role based access control and  group tagging for the resources.

If you already have a bunch of existing Azure classic resources you may wish to start moving them into Azure Resource Groups based upon the best practice noted above.   This will require you to utilize the new Azure Resource Manager PowerShell commands or the new portal.  

Best practice: Ensure you have a solid enterprise naming convention in place for naming resource groups and resources.  This will make navigating, locating, and managing resources much easier.

To create a new Azure Resource Group, you will need to utilize the new Azure Resource Manager (ARM) PowerShell commands.  Make sure you have installed the latest Azure PowerShell components from before starting.  You will log into Azure Government with the following command to access the ARM commands:

Login-AzureRMAccount –EnvironmentName AzureUSGovernment

Once you are logged in you can get a list of your existing / default resource groups by running the command:


You can also easily view a list of existing resource groups through the new Azure portal.   The portal also enables you to quickly drill down into a group to see what resources are already assigned. 

Unfortunately as of today (8/4/2016) the new preview portal does not allow you to create new resource groups.  To create a new resource group you will need to utilize PowerShell.  Below is an example of creating a new resource group in the US Government Virginia region with a name of MyDemoResourceGroup.

New-AzureRmResourceGroup -Location “USGov Virginia” -Name MyDemoResourceGroup

Now that we have a resource group we can begin creating new resources or move existing resources into it.   The simplest way to do this is by using the new portal.   Below are a few quick steps to move a resource from one group to another:

  1. Open up the new portal and drill down into a resource group that contains a resource you wish to move.
  2. Select the resource and from the settings panel choose properties.
  3. Under the resource group heading in the properties panel you will find a ling to Change resource group.  Clicking on this will provide you with a move resource panel.
  4. Choose the resources you wish to move, select the destination resource group, check the acknowledgement check box, and then click OK.   Within a few moments your resources will be moved into the destination resource group.

There are some limitations to moving resources between groups which are outlined in a documentation article titled “Move resources to new resource group or subscription”.   I highly recommend reading over this article.  You will also find examples of using PowerShell to move resources between groups in this article.


Once the resources are well organized in a structure of resource groups it is now possible to utilize tagging for identification purposes.  Although classic resources do not support tagging, you can apply tags to resource groups.   This means that you can still utilize tags to help categorize and organize your classic Azure resources.

Tags are a simple collection of key – value pairs that are associated with a resource group or an Azure Resource Manager resource.   As mentioned above, it is not possible to apply tags directly to classic Azure resources.

Best practice: Identify a tagging standard for your organization.  Ensure that all new resource groups and resources (when applicable) have the same basic tag structure. 

Resource groups and Azure Resource Manager resources can be assigned multiple key – value tags.   This provides a maximum amount of flexibility to build out a standard that works best for an organization.   Below is a small sample of keys that you may wish to assign to a resource group:

  • Agency / Department
  • Project
  • Type (Dev/QA/Test)
  • Cost Center

The easiest way to apply tags to a resource group is through the new Azure portal.   With just a few steps you can add tags with values to your resource groups.

  1. Open up the new Azure portal and choose a resource group.
  2. In the resource group details panel, click on the tag graphic in the upper right section.
  3. Enter in your key-value tag pairs for the resource group.

Once you have tagged resources you can utilize PowerShell to quickly locate resource groups or resources with a specific tag key and value.   The PowerShell command below outputs all resource group names that have the tag name of Agency with a value of Finance.

Find-AzureRmResourceGroup -Tag @{ Name=”Agency”; Value=”Finance” } -WarningAction SilentlyContinue | %{ $_.Name }

Even though Azure classic resources cannot have tags on them directly, we can utilize Azure Resource Groups to group to tag a collection of Azure classic resources.  

Role Based Access Control

By combining Azure Resource Groups with Role Base Access Control (RBAC) your organization can quickly assign proper access permissions.  RBAC enables you to provide fine grain permissions to individuals that need access to view or manage Azure Resources.  This allows us to get away from the classic model where the only management roles were subscription administrator or subscription co-administrator.   Now we can enable a more delegated approach to resource management.

Unlike tagging, RBAC can be applied to classic resources along with resource groups and ARM resources.

Note: Users who are not subscription administrators or co-administrators but have been assigned RBAC permissions on a classic object cannot manage that object using Azure Classic Powershell or the classic portal.   They must use the Azure Resource Manager PowerShell login and commands or perform management actions using the new portal.

Going Forward

The future is looking great for Azure Government!  As more ARM resource providers are deployed we will have more and more great capabilities to utilize, including ARM templates.   My recommendation is that if you are an Azure Government customer , you should begin poking around in the new preview portal.  This will prepare you well for upcoming updates to Azure Government.

Azure PowerShell for documenting VNETs

During a recent conversation I had with one of my customers I was asked if there was a way to export VNet settings from their Azure US Government subscription.  Of course PowerShell provides us the answer, however, it is not a simple single command.  

There is one command which allows you to export out all subscription VNETs along with their subnets and gateway information to an XML file.  There is another set of commands that enables you to query and navigate XML data in PowerShell.  Finally there is a command for getting network security group (NSG) information that is assigned to a subnet.

By combining all of these commands together into a structured script you can get a very good picture of your VNET configurations across your subscription.   I have built a sample script which you can download from here.

The script is for demonstration purposes only and comes with no support.  Do not utilize the script for production purposes without fully reviewing and understanding the code.   The script only looks at NSGs which are associated to subnets.  Currently Azure US Government only supports the ASM deployment model.  This script was designed to only work with that model and therefore may not be useful to people running workloads in Azure commercial under ARM.

Using Azure AD Domain Services with Azure Government VMs

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers. Users sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. To more securely administer domain-joined virtual machines, use Group Policy—an easy, familiar way to apply and enforce security baselines on all of your Azure virtual machines.

Before I go too far I want to be clear on this one point:  Azure AD Domain Services is  NOT available in Azure US Government today.   With that being said, it is possible to join Azure Virtual Machines in Azure Government to Azure Active Directory Domain Services hosted in Azure Commercial.    This means that customers who are already using Azure Active Directory as part of an Office 365 deployment can extend it to provide domain services to VMs in both Azure Commercial and Azure Government.

I am not going to go into all of the details to setup Azure Active Directory Domain Services (AAD DS) in Azure commercial.  There is great documentation available that already provides all of the information to get started.

Once you have AAD DS setup and associated with a virtual network (VNet) in Azure commercial you can extend it into Azure Government with a simple VNet to VNet connection.   Below are a few points to be aware of when setting this up:

  • AAD DS is only available in Azure commercial.  Today AAD DS is in a preview status which does not include a SLA.
  • VNets that are connected must have IP Address spaces that do not overlap.
  • You must add the AAD DS DNS IP addresses to all of the VNets, in both commercial and government, which will provide AAD DS features to virtual machines in the VNet.
  • I have not tested this with an ARM VNet in Azure commercial and an ASM (classic) VNet in Azure Government.  Based on this article it appears that establishing a VNet to VNet connection across the ARM and ASM should be possible.

To summarize, AAD DS enables organizations to quickly deploy domain joined virtual machines into Azure without having to deploy additional domain controllers in the cloud.   Currently AAD DS is in preview and does not have a SLA.   When architecting your solutions there may be situations where having full domain controllers in Azure will make more sense than using AAD DS.   Always ensure you are using an architecture that fits the solution instead of trying to fit a solution into a specific architecture.



StorSimple Virtual Array Failover Demo

In a previous post I  showed how you could create a Virtual StorSimple Array in Microsoft Azure Commercial which allows you to get started with hybrid storage.  Recently the Virtual StorSimple Array was made available in the Microsoft Azure US Government regions.   I thought that a great way to help people utilize StorSimple would be to show how simple it is to use the Virtual Array in a disaster recovery scenario.   In the video below I demonstrate how to prepare a secondary StorSimple Virtual Array and then perform a failover from the primary device to the backup device.

Azure Simple File Share

In my role at Microsoft I am working with State and Local Government customers.  My job is to help them understand and better utilize Microsoft Azure cloud services.  Recently I have had several conversations with my customers regarding a need to easily share files with the public.  These files might be government datasets, crime statics, or results of FOIA requests.  No matter what the content, the customers are concerned about the impact hosting such a solution internally would have on their infrastructure.  Sometimes these files are seldom downloaded, but other times a news story or other interest might cause massive downloads from locations all over the globe.

Sure there are lots of file sharing solutions out there.  OneDrive, Box, DropBox, just to name a few.   The problems with these solutions is that you have limited control over how the files are presented to the user and limited access to reporting.  Several of my customers have asked how Azure might help them with providing files at a large scale, enabling them to generate logging details, and to reduce risks of large download spikes.

Thinking over the requirements, I came up with several possible solutions.   The simplest involved setting up one or more virtual machines in Azure that would run IIS with directory browsing enabled.   This would work, but there is no branding options and the customer still has to manage and patch the virtual machines.

Another option  which is similar to the previous one is to utilize an Azure Web App with directory browsing enabled.  This would be just like the prior option with VMs  but the customer wouldn’t have to manage or patch the underlying system.  Unfortunately even with the largest Azure Web App size we are limited to 500GB of storage and the lack of branding is still an issue.

After looking at several other options I decided to create a quick simple .NET application that would utilize an Azure Web App along with an Azure Storage Account for public file sharing.   This would enable me to brand the site, store up to 500TB of data, and generate any necessary logging needed.   I call this demonstration solution Azure Simple File Share.

I have tested the application by loading just over 10,000 files into an Azure Storage account and I have been very impressed so far at the speed of rendering the file and folder structures.

If you would like to see the application in action, jump on over to:

If you would like to learn more about how the application works or to grab a copy of the source code, head over to GitHub:

If you build a production solution off of this, let me know!  I would love to see this in action in the real world.  If you make updates and would like to contribute code back, contact me using the comments section below.

Important note:  This application is not endorsed or supported by Microsoft.  No official support is provided by me or anyone else.  The application has not been code reviewed for security and/or nasty bugs.  If you choose to utilize this demonstration application or any of it’s source code, you are on your own.  Smile

Azure VidMan Source

A while back I made a post detailing a  demonstration web application I created for Azure Media Services called Azure VidMan.   At that time I released the source code via a zip file.  

Since then I have been working to fix some issues and move from an IaaS model to fully PaaS model.   Some of the updates include:

  • Added the ability for an administrator to start a live broadcast using the Azure Media Capture Windows Phone app.
  • Modifications so there isn’t a dependency on a full install of SQL Server.  This enables the application to run in a fully PaaS model.
  • Created an Azure PowerShell script to automatically deploy Azure VidMan in an Azure US Government subscription.
  • CSS updates to improve UI when on a mobile device.

Today I am glad to announce that I have moved the application to GitHub where you can download the latest code.

Future updates to the code will include adding additional PaaS features such as utilizing Azure Keyvault for holding the database connection string.  I will also be working on a more generic install script to work across all Azure regions.

Remember this is a demonstration application only and may contain bugs or security holes.  Do not use this in a production environment.

New Environments Added to Azure PowerShell

In the 1.1.0 version of the Azure PowerShell tools new environments have been added to make it easier for using Azure US Government, Azure China, or Azure Commercial environments.   Previously in order to use either Azure US Government or Azure China you had to manually set Azure environment variables in order for the standard Azure PowerShell cmdlets to work.  An example of this is shown in a prior blog post I wrote on how to connect PowerShell to Azure US Government.

Now the following Azure Environment definitions are available by default with Azure PowerShell:

  • AzureCloud:  Azure Commercial
  • AzureChinaCloud:   Azure China
  • AzureUSGovernment: Azure US Government

With the new Azure PowerShell tools you can easily switch between environments using the following cmdlet:  Set-AzureEnvironment

Now if we wish to connect to the Azure US Government cloud we would utilize the following cmdlet:

  1. Add-AzureAccount –Environment “AzureUSGovernment”

You can then select your Azure Subscription using Select-AzureSubscription and then begin exectuing other Azure PowerShell cmdlets.

With this new addition to the Azure PowerShell tools, connecting to and using Azure US Government or Azure China is a lot easier.

StorSimple On-Premises Virtual Array Preview

Getting started with hybrid storage is now a lot easier with the recent preview release of the StorSimple on-premises virtual array.  Now small or medium businesses have a very affordable option for meeting their on-premises storage needs. This new virtual appliance is also great for larger organizations that want to explore hybrid storage.

This virtual appliance can be run in any on-premises datacenter that has either Hyper-V or VMWare hosts available. A single on-premises StorSimple virtual array can manage up to 20TB of hybrid storage. There is a requirement that at least 10% of the overall storage is on-premises. The host must also provide 4 cores and 8GB of RAM to the virtual appliance.

Today I have posted a quick introduction video that shows how you could quickly get started with an on-premises StorSimple virtual array.


For more information on Azure preview services, including the StorSimple virtual array, visit the Microsft Azure services preview site.

Speaker & Video APIs from Microsoft Project Oxford

In a previous post I provided source code on how to utilize Microsoft Azure Media Services.  The code, although basic, provided a great introduction on how to build out a solution utilizing Azure Media Services in either the Microsoft Azure Commercial regions or the Microsoft Azure US Government regions.

Today, Microsoft has announced the availability of the Speaker & Video APIs from Microsoft Project Oxford.  The Video APIs makes it easy to analyze and automatically edit video using Microsoft video processing algorithms to detect and track faces in video, detect when motion has occurred in videos with stationary backgrounds, and smooths and stabilize videos.  With the new Speaker APIs you can use voice for another form of authention or for speaker identification.   By utilizing these new APIs you could extend your Azure Media Services solution to provide even more value with your existing  or new video assets.

Check out the announcement over on the Machine Learning Blog, or jump right over to Project Oxford and sign up to test out these features.

Technology Blog