>>ALL RIGHTY. GOOD MORNING, EVERYONE. NICE TO SEE SO MANY PEOPLE HERE. I PERSONALLY WOULD LIKE TO THINK YOU ARE ALL HERE AT 9:00 BECAUSE YOU SKIPPED THE ATTENDEE PARTY LAST NIGHT TO MAKE IT ON TIME HERE. EXCELLENT. WE HAVE SOME GOOD STUFF UP AND COMING ON GOVERNING AZURE SUBSCRIPTIONS WITH A FEW NEW TOOLS AND ONE IN PREVIEW AND NOW GENERALLY AVAILABLE. AS YOU CAN PROBABLY TELL BY MY ACCENT, I’M NOT LOCAL. AND THE WEATHER IS A BIT CHALLENGING TO ME BECAUSE I’M BASED OUT OF HELSINKI, FINLAND. WHEN I’M INDOORS, I’M COLD. WHEN I’M OUTDOORS, IT’S TOO HOT FOR ME. I’VE GOT A FEW GOALS FOR NEXT 45 MINUTES, I WANT ALL OF MY DEMOS TO WORK, I DID SACRIFICE A COUPLE MACHINES FOR YOU. THE ONE I’M USING TODAY SHOULD WORK. THE OTHER AIM OR GOAL FOR ME REALLY IS THAT YOU PRONOUNCE MY FIRST NAME CORRECTLY. I’M GOOD WITH ALL OF THOSE. SO YOU JUST GO WITH ANY VERSION YOU LIKE. YES. PERFECT. THANK YOU. SO LET’S GET STARTED WITH THE NEED FOR GOVERNANCE. BACK IN THE DAY, BEFORE WE HAD AZURE, WE, OF COURSE, HAD THE ON PREMISES DATA CENTERS AND WE ALL LOVED HUGGING THE SERVERS AND PUTTING IN THE CABLES AND WATCHING THE LIGHTS BLINK, AND THEN WHEN WE STARTED TO GET CLOUD-BASED SERVICES SUCH AS AZURE, I WOULD VISIT MY CUSTOMERS, AND THEY WOULD BE SO EXCITED. WE STARTED USING AZURE, EVERYTHING IS SO QUICK AND AGILE NOW, AND NOBODY’S STOPPING US ON WHAT WE WANT TO DO. JUST LOOK AT THIS, I WOULD GO THERE, THEY WOULD HAVE MAYBE 275 RESOURCE GROUPS IN AZURE, THE NAMES WOULD BE DEMO, TEST, DO NOT DELETE, THE FINAL TEST. NOBODY KNEW WHAT WAS HAPPENING WITH THOSE. SO IT WAS THE SAME AS BACK IN THE DAY WHEN YOU WOULD VISIT A CUSTOMER WHOSE BUSINESS WAS NOT IN IT AND THEIR DATA CENTER NEEDED TO BE BUILT. NOBODY KNEW WHAT THEY WERE DOING. SO TODAY WE HAVE PLENTY OF TOOLS FOR GOVERNING AZURE AND WHAT HAPPENS IN AZURE. I FIND SOME COMPANIES CHOOSING TO ONLY HAVE ONE ADMINISTRATOR WHO ACTUALLY PROVISIONS EVERYTHING IN AZURE AND NOT ALLOWING ANYBODY ELSE TO DO ANYTHING.
THE SAD THING ABOUT THAT, THEN YOU ONLY HAVE THIS ONE PERSON WHO CAN DO EVERYTHING, AND HE NEEDS TO DO THREE — 24 HOURS AT THE OFFICE JUST PROVISIONING, TESTING AND CHECKING ON STUFF. THE TOOLS WE HAVE FOR BASIC GOVERNANCE START WITH ACCOUNTS. I QUITE OFTEN SEE PEOPLE WHO ARE NOT THAT WELL IN THE KNOW WHAT AZURE ACCOUNTS CAN DO. THEY SIMPLY INVITE MICROSOFT ACCOUNT-BASED IDENTITIES TO AZURE, GRANT THEM THE GLOBAL ADMIN OR THE OWNER OF THE SUBSCRIPTION, AND YOU’RE GOOD TO GO. THAT WILL GET MESSY REALLY QUICK. SUBSCRIPTIONS, THIS IS THE TOPIC WE NEED TO VISIT. AND THE OLD THINKING HAS ALWAYS BEEN, WE NEED ONE SUBSCRIPTION. BACK IN THE NT4 DAYS, WHEN WE NEED ONE DOMAIN, EVERYTHING IS GOOD THERE, AND WHEN ONE THING BREAKS, EVERYTHING BREAKS. THESE DAYS YOU TYPICALLY WANT TO DIVIDE YOUR SERVICES IN AZURE TO MAKE MULTIPLE SUBSCRIPTIONS. I’VE TALKED TO COMPANIES WHO SAY THEY WANT TO START WITH 250 SUBSCRIPTIONS. THEY SAY THEY NEED 250 ADMINS, AND EVERYBODY NEEDS ONE. MAYBE START WITH 1 OR 2 OR 5. ACCESS CONTROL HAS BEEN THERE FOR QUITE SOME TIME. TYPICALLY YOU’RE GOOD WITH THE BUILT-IN ROLES, YOU HAVE SOME LEVERAGE IN BETWEEN. I SEE COMPANIES BUILDING CUSTOM ROLES, NOT THAT OFTEN, BECAUSE IT’S REALLY HARD TO KEEP TRACK OF WHO HAS ACCESS WHERE AND WHAT AND HOW. RESOURCE GROUPS AND TAGS AND LOG, WE LOOK INTO THOSE IN A LITTLE WHILE. AND THEN POLICIES, WHICH IS ONE OF THE MAIN TOPICS FOR THIS TALK. WITH POLICIES, WE CAN USE THE BUILT-IN POLICIES TO GOVERN WHAT OUR ADMINS, WHAT OUR DEVELOPERS, WHAT OUR USERS WHO HAVE ACCESS TO THE AZURE SUBSCRIPTIONS, WHAT CAN THEY ACTUALLY DO AND WHAT THEY SHOULDN’T BE DOING. THE POLICY IS ALLOW, DENY BASED TOKEN. YOU CAN ADD ONE OR MORE POLICIES, AND THE IDEA IS THAT IF — BUILT-IN POLICIES ARE NOT GOOD ENOUGH FOR YOU, YOU START BUILDING YOUR CUSTOM POLICIES, JUST LIKE IN HERE, I WOULD START WITH THE BUILT-IN POLICIES, OTHERWISE IT WILL GET REALLY MESSY.
IF ANYONE HAS BEEN ADMINISTERING ACTIVE DIRECTORIES BACK IN THE DAY, THE POLICY IS A BIT THE SAME, IT HAS INHERITANCE, YOU DEFINE THE POLICY AT SOME LEVEL. THEN AUDITING AND MONITORING, OF COURSE, WITH AZURE MONITOR, THE TOOLING IS MORE OR LESS THERE, BUT BY DEFAULT, NONE OF THESE SETTINGS OR NONE OF THESE FEATURES ARE ENABLED. YOU NEED TO CONFIGURE THOSE. THE EARLIER YOU GET TO CONFIGURING, THE BETTER OFF YOU WILL BE. IF YOU RUN SEVERAL WORKLOADS IN AZURE, YOU CAN STILL START USING THE TOOLING. AZURE MONITOR, WHICH HAS BEEN EXPANDING QUITE RAPIDLY THIS WEEK, WE GOT NEW ANNOUNCEMENTS FOR THOSE, I’LL HAVE A LOOK ON THOSE IN A SECOND. APPLICATION INSIGHTS, WHICH TRADITIONALLY HAS BEEN A TOOL FOR DEVELOPERS, DEVELOPERS WOULD ENABLE APP INSIGHTS, AND THE — THEY WOULD GET DATA FROM THE BACK END OF THEIR SOFTWARE, IF THEY’RE RUNNING A WEBSITE, IF SOMETHING FAILS WITHIN THEIR CODE, APPLICATION INSIGHTS WOULD GIVE YOU WHAT’S REALLY HAPPENING BENEATH THE SERVICES AND HOW DO WE ACTUALLY FIX THIS. YOU CAN HAVE AUTOMATED TASKS AND ACTION IN APPLICATION INSIGHTS, BUT THAT’S HOW IT WAS INITIALLY MARKETED. IT’S FOR DEVELOPERS, BUT I SEE IT’S MUCH MORE USEFUL FOR IT PROS AS WELL AND FOR ADMINS WHO NEED TO GOVERN ADMIN SUBSCRIPTIONS, YOU GET A LOT OF INFORMATION ABOUT HOW THINGS ARE WORKING AND HOW PEOPLE ARE USING THOSE TOOLS. AZURE ADVISOR, IT’S A FREE TOOL, AND IT GIVES YOU ADVICE ON HOW YOU SHOULD BETTER CONFIGURE YOUR AZURE SUBSCRIPTIONS. IT GETS SIGNALS FROM AZURE SECURITY CENTER GIVING YOU SECURITY ADVICE BUT GIVES YOU ADVICE ON PERFORMANCE, ALSO ON RELIABILITY, AND IT’S UP TO YOU REALLY TO FOLLOW THOSE OR SIMPLY DISCARD THEM AND SAY I KNOW BETTER THAN SOME BUILT-IN AI CAN RECOMMEND THINGS FOR ME. LOG ANALYTICS, THAT’S BEEN A PROBLEM UNDERSTANDING THAT. IT’S TRADITIONALLY BEEN A SEPARATE SERVICE, IT WAS PARTIALLY CONNECTED WITH OPERATIONS MANAGEMENT SUITE, WHICH HAS A SEPARATE PORTAL. NOW IT’S PART OF AZURE MONITOR.
LOG ANALYTICS ITSELF IS BEST ACCESSIBLE FROM AZURE MONITOR TODAY. IF YOU RUN ANY SORT OF MANAGEMENT SOLUTION IN ON PREMISES, SUCH AS SYSTEM CENTER OPERATIONS MANAGER, YOU CAN OFFLOAD A LOT OF THIS BACK TO YOUR INSTALLATION OR PUSH YOUR LOGGING DATA FROM SCOM OR SOMETHING LATER TO AZURE AND KEEP USING THESE TOOLS AS WELL. SO WITH AZURE MONITOR, THIS IS ACCESSIBLE FROM THE PORTAL, I’LL SHOW THAT TO YOU IN A BIT. IT’S REALLY ABOUT TWO THINGS, ONE IS THAT YOU CAN HAVE A LOOK ON SOMETHING AND THERE’S SOME SORT OF PROBLEM WITH YOU, YOU SIMPLY SELECT THAT RESOURCE IN AZURE MONITOR AND SELECT THE TYPE OF COUNTERS YOU’D LIKE TO FOLLOW UP ON THAT, AND THAT’S THAT. IT’S EXACTLY THE SAME AS YOU WOULD HAVE ON A WINDOWS SERVER OR WINDOWS WORKSTATION WITH PERFORMANCE MONITOR THAT YOU CAN RUN, THAT’S BEEN THERE FOR ABOUT 20 YEARS. YOU CAN ALSO CREATE ALERTS BASED ON THOSE METRICS. ONCE YOU FIND A GOOD METRIC, LET’S SAY YOU PROVISION ON VIRTUAL MACHINE AND WANT TO HAVE A METRIC THAT THE SYSTEM DRIVE DOES NOT FILL UP, CREATE THE METRIC, APPLY AN ALERT ON THAT AND BASED ON THE ALERT, YOU CAN HAVE AUTOMATIC TASKS TO CLEAN UP THE DISK OR SIMPLY DO WHAT EVERYBODY ELSE DOES, SEND AN E-MAIL TO SOMEBODY WHO DOESN’T WANT TO READ THE ALERT E-MAILS. WHAT’S NEW FOR AZURE MONITOR THIS WEEK? WE GET SMART GROUPS, WHICH CONSOLIDATES, IF YOU GET A LOT OF ALERTS FROM DIFFERENT LOCATIONS, IT CONSOLIDATES THOSE INTO A SINGLE GROUP AUTOMATICALLY. MEANING THAT IF YOU HAVE MULTIPLE SERVICES, ACTING OR BEHAVING, WITH SUCH PROBLEMS THEY COULD BE GROUPED TOGETHER, YOU CAN FIRE OFF A SINGLE ALERT INSTEAD OF FIRING OFF 27 DIFFERENT ALERTS, AND THE PERSON GETTING THE 27 E-MAILS DOESN’T REALLY KNOW WHERE TO START WITH. NOW THEY WILL ONLY GET ONE E-MAIL OR ONE ACTIVITY OR ONE TASK.
YOU CAN SPIN UP A PARTIAL TASK MAYBE TO FIX IT IF YOU KNOW WHAT MIGHT BE THE PROBLEM AUTOMATICALLY OR THEN YOU WILL CONNECT THIS WITH A TICKETING SYSTEM LIKE SERVICENOW THAT WOULD THEN ENABLE YOU TO RUN MORE ADVANCED PROCESSES, IF THAT WORKS BETTER FOR YOU. THE OTHER ONE, METRIC ALERT FOR LOGS THAT I MENTIONED, NOW GENERALLY AVAILABLE, STARTING THIS WEEK, IT WAS IN PREVIEW BEFORE. I DON’T KNOW HOW YOU TREAT PREVIEW AND GA TYPE OF SERVICES. I TYPICALLY START USING PREVIEW SERVICE AS EARLY AS POSSIBLE TO SEE HOW THEY ACTUALLY WORK. WHEN WE GET THE GA, WHICH MEANS WE GET SUPPORT, THERE’S PROPER DOCUMENTATION IN PLACE, THEN I KNOW THIS IS SOMETHING I CAN NOW USE MORE WIDELY WITH MY CUSTOMERS AND IN PRODUCTION ENVIRONMENTS AS WELL. APPLICATION INSIGHTS THAT I MENTIONED. THIS PROVIDES AN AWFUL LOT OF INFORMATION, IT’S OVERWHELMING BECAUSE YOU GET SO MUCH DATA. LAST NIGHT BEFORE THE ATTENDEE PARTY, I WAS HAVING DINNER NEARBY AT ONE OF THE RESTAURANTS. AS IS A TRADITION, THEY HAVE A TV THERE, I DON’T KNOW WHY, IT’S ON AND THERE’S FOOTBALL, I THINK IT’S FOOTBALL — AMERICAN FOOTBALL. ANYWAYS, THE SPORTS STUFF, THE BALL IS NOT ROUND. AND SOMEBODY WAS EXPLAINING THAT THAT’S AN UNDERTAKE, OVERTAKE OR TOUCHDOWN OR SOMETHING ELSE, I KNOW NOTHING ABOUT SPORTS, IT WAS A BIT OVERWHELMING TO ME BECAUSE THERE WAS SO MANY MOVING BITS AND STATISTICS AND PEOPLE GIVING THEIR OPINION ON HOW THINGS SHOULD GO AND WHAT REALLY HAPPENED HERE. THE SAME GOES FOR APPLICATION INSIGHTS, OPEN APPLICATION INSIGHTS FOR THE FIRST TIME, THERE’S ABOUT 2,000 DIFFERENT BUTTONS YOU CAN CLICK, YOU’RE NOT SURE HOW SHOULD YOU GET STARTED WITH THIS. THE EASIEST WAY TO GET STARTED WITH APPLICATION INSIGHTS, WHEN YOU PROVISION A NEW SERVICE, YOU WILL THAT, PRESS NEXT AND YOU’RE GOOD.
LATER ON, WHEN YOU NEED TO FIND WHAT IT IS DOING FOR YOU, GO TO THE SERVICE AND THERE’S A LINK TO THE APP INSIGHTS PROVISIONED FOR YOU, IT HAS TO PREDEFINE METRICS, PREDEFINED LOG ENTRIES FOR YOU THAT YOU CAN START ACTUALLY USING. SO ON THE LEFT, YOU CAN SEE ONE OF THE SERVICES THAT I PROVISIONED THIS WEEK FOR A DEMO I DID ON TUESDAY ON USING BOTS WITH A BIT OF AI IN THE BACK END, AND I PROVISIONED APP INSIGHTS WHEN I PROVISIONED THE BOTS, AND WITH APP INSIGHTS, IT’S NOW TELLING ME HOW MANY INSTANCES I HAVE WITH THE BOTS, HOW MANY CALLS DO I GET WITH THE API WILLIAMS THE BOTS, IS SOMETHING FAILING WITH ANY OF THIS. THE OTHER TWO ARE RECOMMENDATIONS FOR ME ON YOU SHOULD MAYBE FIX THIS OR THAT AND WE — AND YOU CAN SEE THE SECURE SCORE IMPACT, WHICH IS MORE SECURITY RELATED, EVEN THOUGH WE ARE NOT REALLY ASKING SECURITY ADVICE. THIS COMES APART FROM SECURITY CENTER, AS WELL AS AZURE ADVISOR. JUST LIKE IN AZURE MONITOR, YOU CAN CREATE YOUR CUSTOM METRICS, CUSTOM STATISTICS IN HERE, BUNDLE THEM ALL TOGETHER OR CREATE A NEW DASHBOARD IN AZURE PORTAL AND HAVE A CUSTOM VIEW ON EVERYTHING THAT IS IMPORTANT FOR YOU. WHAT I TYPICALLY LIKE TO DO WITH MY IMPLEMENTATIONS, I CREATE CUSTOM DASHBOARDS THAT LOOK NICE, HAVE THE RELEVANT INFORMATION I NEED TO SEE, THEN OR A PLACE WHERE THEY GET COFFEE AND TEA NEAR THE CUBICLES, THEN THEY CAN ACTUALLY SEE WHAT’S HAPPENING WITH THE SERVICES. EXCUSE ME. AZURE ADVISOR, THIS IS PROBABLY THE EASIEST TO USE, BECAUSE THERE’S NOT THAT MUCH THINGS YOU CAN ACTUALLY CONFIGURE HERE. YOU’LL SEE THE HIGH AVAILABILITY WHICH MOSTLY RELATES TO VIRTUAL MACHINES, DO YOU HAVE AVAILABILITY SETS, DO YOU HAVE REPLICATION FOR DATABASES, DO YOU GET SECURITY, FROM SECURITY CENTER AND PERFORMANCE ON DIFFERENT THINGS YOU MIGHT NOT HAVE CONFIGURED YET. AS AN EXAMPLE, I DO HAVE ONE RECOMMENDATION ON SOME LEFTOVER BLOBS IN AZURE STORAGE THAT I SHOULD MAYBE CLEAN UP.
THIS IS NOT REALLY THE PERFORMANCE, IT’S NOT COST RELATED, IT’S MORE PERFORMANCE RELATED WHEN WE START GETTING NEW SERVICES. THE LAST ONE IS, OF COURSE, COST. WHEN YOU WANT TO GOVERN AZURE SUBSCRIPTIONS, MANY TIMES YOU WANT TO UNDERSTAND WHAT HAPPENS WITH THE COST, ARE WE PAYING TOO MUCH. LOG ANALYTICS, IT COLLECTS TELEMETRY FROM ALL OF YOUR SERVICES. BE IT A WEBSITE, AN AZURE FUNCTIONS, LOG ANALYTICS COLLECTS EVERYTHING TOGETHER. THEN WE CAN DECIDE WHAT TO DO WITH THE LOGS FROM HERE. TYPICALLY, I SEE IN ENVIRONMENTS WITH HIGH SECURITY, I SEE WE WANT TO OFFLOAD THE LOGS TO A SEPARATE SYSTEM. IT MIGHT BE SOMETHING IN ON PREM OR IT MIGHT BE SOMETHING WE RUN IN A DIFFERENT SUBSCRIPTION OR CLOUD PROVIDER. THERE’S ALSO A QUERY ENGINE WITHIN LOG ANALYTICS, MEANING ALL THE LOGS WE CAN COLLECT FROM ALL THE SERVICES WE HAVE, INCLUDING ON PREMISES SERVICES, WE CAN THEN QUERY AGAINST THOSE AND HAVE ALERTS AND TASKS AND ACTIONS AND ALERTS AGAINST THESE LOGS. WITH LOG ANALYTICS, WE GET A SEPARATE QUERY ENGINE WITH A SEPARATE QUERY LANGUAGE THAT WE CAN USE. WHAT I TYPICALLY DO, I USE THE PREDEFINED QUERIES, UNLESS IT’S ABSOLUTELY NECESSARY TO BUILD MY CUSTOM QUERIES FOR SOMETHING REALLY SPECIFIC. YOU CAN SEE IN THE PICTURES, IT ALSO GIVES YOU A NICE OVERVIEW ON WHAT’S HAPPENING WITH THE SERVICES. THE LOWER PICTURE HAS A TEST VIRTUAL MACHINE RUNNING ABOUT 20 PROCESSES AND LOG ANALYTICS IS ABLE TO ANALYZE HOW IS THIS VIRTUAL MACHINE TALKING TO DIFFERENT SERVICES AND WHAT SORT OF TRAFFIC IS OCCURRING INBOUND AND OUTBOUND FROM THAT VM. LET’S HAVE A DEMO, AND FOR THAT TO HAPPEN, WHAT I NEED TO DO, I NEED TO SWITCH THIS, THIS IS ALWAYS THE MOST EXCITING PART. AND WE HAVE A BLUE SCREEN. LUCKILY THERE’S A THING IN FINNISH LANGUAGE, YOU CAN YELL LOUD ENOUGH, I’LL USE MY MANTRA, WHICH IS. [ IN FINNISH ] NO, NOT WORKING. I SHOULD BE OKAY. THERE WE GO. ALL RIGHTY.
SO I’VE GOT MY AZURE SUBSCRIPTION HERE, I HAVE A COUPLE SECTIONS, YOU CAN SEE — SUBSCRIPTIONS, I HAD 130 EURO, WHICH I THINK IS ABOUT $125,000, BECAUSE IT LOOKS MORE PROMISING. I HAVE A SET LIMIT, I NEED TO RELEASE THAT EARLY THIS WEEK, AND THEN I HAVE A BUNCH OF SERVICES IN HERE I FREQUENTLY USE, I PIN THOSE ON THE DASHBOARD, WE’LL START WITH-A ADS FIRST, AND MICROSOFT HAS BEEN TWEAKING WITH THE INTERFACE WITH AZURE ADVISOR QUITE FREQUENTLY. I FEEL THAT IF TWO WEEKS GOES BY THAT I DON’T OPEN THIS, SOMETHING HAPPENS, FIVE NEW RECOMMENDATIONS I SHOULD BE DOING. WE’LL START WITH THE METRICS. I HOPE — YES, IT SHOULD BE GOOD ENOUGH, I SELECT THE SUBSCRIPTION FIRST, I DO HAVE ONE SUBSCRIPTION RESOURCE GROUP I WANT TO USE, I HAVE A LOT OF SERVICES IN THERE, THIS IS ONE OF THE INFAMOUS DEMO RESOURCE GROUP DO NOT DELETE, BUT NOT IN USE REALLY, SO DELETE IF YOU DON’T NEED IT. I’LL SELECT VIRTUAL MACHINE FROM HERE, I’VE GOT THAT ONE VIRTUAL MACHINE IN HERE. THIS IS BASED ON THE BURSTABLE CLASS, THE B BURSTABLE MACHINES, IT IS TICKING CPU CREDITS FOR ME, IF I NEED TO OVERLOAD IT A BIT, I CAN USE THOSE CREDITS LATER ON, AS LONG AS I DON’T REBOOT THE VM. CREDITS CONSUMED ON AVERAGE, LOOKING QUITE GOOD. I CAN ADD SEPARATE METRIC, IT AUTOMATICALLY SELECTS THE SAME RESOURCE FOR ME, WHICH IS NICE, CREDITS REMAINING, WE CAN SEE THAT I HAVE ABOUT 220 CREDITS REMAINING, WHICH IS QUITE GOOD, BECAUSE I’M NOT USING THE VM THAT MUCH. IF I’M HAPPY WITH THIS, I CAN PIN THIS IN MY DASHBOARD, IF WE SCROLL TO THE FAR RIGHT, WE CAN SEE HERE WE GO. THIS IS HOW I CAN USE AZURE MONITOR TO BUILD NEW DASHBOARDS, YOU CAN CREATE NEW DASHBOARDS AND SHARE THOSE SAME DASHBOARDS WITH OTHER PEOPLE. SO GOING BACK HERE, I WANT TO HAVE A LOOK AT THE LOGS. SO THIS IS NOW THE LOG ANALYTICS. YOU CAN SEE I’M USING A SEPARATE SERVICE. THE LOG ANALYTICS WORKSPACE THAT I’M USING, AND THERE’S A COUPLE OF BUILT-IN QUERIES THAT I CAN USE BASED ON HEARTBEAT, PERFORMANCE, USAGE.
AND I CAN SEE LIST ALL REPORTING COMPUTERS IN THE LAST HOUR. LET’S RUN THIS. IT’S GOING TO ALL OF THE LOGS THAT I HAVE IN LOG ANALYTICS IN THAT WORKSPACE. AND FROM THE FILTERING, I CAN ACTUALLY SEE IT FOUND 59 ENTRIES FOR MY — FOR MY VIRTUAL MACHINE, AND I CAN DRILL DOWN ON THIS. THE PURPOSE OF LOG ANALYTICS IS NOT FOR ME TO GO TO ALL OF THE LINES. THAT OFTEN HAPPENED BACK IN THE DAY WHEN SOMEBODY WOULD EXPLAIN OR COMPLAIN IT IS NOT WORKING CORRECTLY. SOMEBODY WOULD SAY, GO AND CHECK ALL OF THE LOGS TO FIND THE PROBLEM. THEY WOULD HAVE 27 DOMAIN CONTROLLERS, AND IT WOULD TAKE TWO WEEKS TO RESOLVE IT. THE SAME IS HERE, I DON’T WANT TO GO THROUGH THESE LINE BY LINE, I WANT TO CONNECT THIS WITH SOMETHING ELSE, AND THAT SOMETHING ELSE MIGHT BE A REPORTING INTERFACE, LIKE POWER BI AS PART OF OFFICE 365, OR IT COULD BE A SEPARATE SYSTEM THAT ANALYZES THESE AND BASED ON THE TYPE OF ALERTS WE ARE GETTING, WE MIGHT BE ACTING BASED ON THOSE. OKAY. MOVING ON FORWARD TO APPLICATION INSIGHTS. AND WITH APPLICATION INSIGHTS, EVEN THOUGH I PROVISION THOSE SERVICES AUTOMATICALLY WHEN I PROVISION WHATEVER SERVICES I’M DOING, IT PROVISIONS THE APPLICATION INSIGHTS. I CAN GO DIRECTLY TO ALL OF THOSE. WHAT I WANT TO DO, I HAD SOME SPARE TIME DURING SUMMER, SO I BUILT A SMALL WEBSITE, WHICH IS CALLED THE AKA.MSTRACKER. YOU GUYS PROBABLY SEE WHEN YOU GO ON SOCIAL MEDIA AND SOMEBODY FROM MICROSOFT SENDS A MESSAGE, MAYBE A TWEET THAT, HEY, HERE’S THE SERVICE OR THE DOCUMENTATION THAT YOU’RE LOOKING FOR AND THE ADDRESS IS AKA.MS/SOMETHING.FUN. I THOUGHT IT WOULD BE NICE TO HAVE A DIRECTORY OF THE AKA.MS URL’S. I’M PICKING ALL OF THOSE FROM TWITTER, STORING THOSE ON AZURE SQL. I’VE BEEN RUNNING IT FOR ABOUT FOUR MONTHS, I THINK I HAVE ABOUT 250,000 URL’S. YOU CAN GET THE ADDRESS HERE IF YOU WANT TO USE THIS AS WELL. I HAVE THE ADDRESSES IN HERE, THIS IS SIMPLY A SITE THAT I NEED TO USE FOR TESTING APPLICATION INSIGHTS. WHAT I’M DOING HERE, WHEN I GET — WHAT I’M DOING IN HERE, IT’S AKA.MS/SOMETHING.
BUT — WHAT TWITTER DOES, THEY REPLACE THAT WITH THEIR OWN T.CO. I NEED TO PICK UP THAT, DO AN HTTPS CALL, I NEED TO RESOLVE IT BACK TO THE AKA.MS. THEN GET THE TITLE OF THE WEBSITE SO I KNOW HOW IT POINTS BACK TO THE ALIAS. FOR THAT, I NEED TO SERVERLESS. I RESOLVE THOSE AND STORE THOSE TO THE DATABASE, IT’S QUITE SIMPLE. BUT I STILL WANT TO SEE WHAT’S HAPPENING WITH THIS. I NEED TO GOVERN IT DOESN’T OVERRUN IN TERMS OF COST AND NEED TO DIAGNOSE IF THERE ARE ANY SORT OF PROBLEMS BUILT IN HERE, I CAN SEE THERE ARE FAILED RESOURCE IN THERE, SEVEN YESTERDAY — SEVEN NOT TOO MANY REQUESTS BECAUSE IT’S BEEN QUITE SLOW IN THAT SENSE. FROM HERE I CAN SEE THE APPLICATION MAP, AND IT SHOWS ME 113 INSTANCES, ABOUT 11 PERCENT OF THE CALLS THAT WERE INITIATED AGAINST THIS RESOLVER, THIS AZURE FUNCTION FAILED. AND YOU RECALL WHEN WE STARTED THE DEMO, I SAID I DID OVERRUN A BIT ON MY BUDGET, THAT’S THE REASON THEY FAILED. WHEN I OVERRUN MY BUDGET, AZURE SHUTS DOWN ALL OF THE SERVICES THAT I HAVE, SO THIS WAS RUNNING, THEN IT SHUT DOWN, THE DATABASE IS SHUT DOWN AND YANKED AWAY FROM THE FUNCTION, AND IT STARTED FAILING BEFORE IT WAS SHUT DOWN AS WELL. BUT THIS IS WHAT I CAN NOW USE TO ACTUALLY UNDERSTAND WHAT’S HAPPENING. I ALSO GET METRICS FROM HERE, WHICH USES AZURE MONITOR. BY NOW YOU’RE SEEING, HOLD ON, I’VE GOT AZURE MONITOR, CONNECTED TO LOG ANALYTICS, I HAVE APPLICATION INSIGHTS, ALSO USING AZURE MONITOR. AZURE MONITOR IS REALLY THE TOOL YOU SHOULD BE USING THE MOST TO UNDERSTAND WHAT’S HAPPENING WITHIN YOUR SUBSCRIPTIONS. OKAY. SWITCHING BACK TO SLIDES, THERE’S TOO MANY BUTTONS HERE, LET’S SEE IF I WAS LUCKY, YES.
LET’S MOVE ON TO AZURE GOVERNANCE TOOLS, WE HAD A LOOK AT THE MONITORING AND AUDITING TOOLS AND MOVING A BIT BEYOND THIS, WE MOVED TO AZURE GOVERNANCE, THEY ANNOUNCED AZURE GOVERNANCE, SINGULAR POLICIES THAT ALLOW OR DENY CERTAIN ACTIONS OR CERTAIN SELECTIONS FOR AZURE ADMINS WHO CAN ACCESS YOUR SUBSCRIPTION, THEN WE HAVE AZURE COST MANAGEMENT, WE NEED TO UNDERSTAND WHAT SORT OF COST WE ARE INCURRING IN OUR SERVICES, THIS IS BASED ON THE CLOUDYN ACQUISITION OF MICROSOFT THAT THEY ACQUIRED LAST YEAR. IT’S BEEN PORTED TO BE PART OF THE AZURE PORTAL. WE HAVE AZURE BLUEPRINTS ALSO ANNOUNCED THIS WEEK IN PREVIEW AND BLUEPRINTS ALLOW US TO CREATE BLUEPRINTS THAT CONSIST OF SUCH POLICIES AND ROLES AND SETTINGS. THE LAST ONE IS AZURE RESOURCE GRAPH, WHICH ALLOWS US TO QUERY AND SEE WHAT SORT OF RESOURCES DO WE ACTUALLY HAVE IN AZURE SUBSCRIPTION. THAT’S NOT MY PHONE, I HOPE. STARTING WITH AZURE POLICY. POLICIES ENFORCE CERTAIN RULES AND TYPICALLY HOW I SEE CUSTOMERS USING THIS OR ASKING TO START USING THIS, WE WANT TO ENFORCE THAT NOBODY WILL PROVISION THAT ONE VIRTUAL MACHINE THAT WILL COST THE SAME AS A LARGE CAR WOULD COST IN FINLAND. INSTEAD OF GETTING A VM, WE WOULD RATHER WE GET A CAR, WE WANT TO ENFORCE NOBODY IS PROVISIONING ANYTHING THAT GOES BEYOND X AMOUNT OF EURO OR WE WANT TO ENFORCE GEOGRAPHICAL LOCATIONS. WE WANT TO HAVE ALL OF THE SERVICES IN THE WEST U.S. DATA CENTERS, FOR EXAMPLE, IN EUROPE IT WOULD BE NORTH EUROPE OR WEST EUROPE. AND THERE’S A SET OF READY-MADE POLICIES WHICH ARE RATHER GOOD. I ALWAYS START WITH THOSE BECAUSE THERE’S LITTLE NEED TO GO BEYOND THOSE WHEN YOU GET STARTED. YOU TYPICALLY HAVE THE LOCATION RESTRICTIONS, YOU HAVE THE RESTRICTION ON CERTAIN SKU’S IN VIRTUAL MACHINES IN DIFFERENT SERVICES AND WANT TO HAVE COMPLIANCE BASED ON THOSE, IF YOU DO CUSTOM POLICIES, THEY ARE SIMPLE BASED TEXT FILES YOU CAN HAVE. BUT AS I SAID, YOU CAN BUILD QUITE COMPLEX POLICIES QUITE QUICKLY.
YOU CAN BUNDLE TOGETHER MULTIPLE POLICIES, INSTEAD OF HAVING TEN POLICIES AND APPLYING EACH OF THOSE SEPARATELY AND GETTING TEN DIFFERENT REPORTS, YOU CAN BUNDLE THEM TOGETHER TO ACHIEVE A SINGULAR GOAL THAT WOULD THEN GIVE YOU THE COMPLIANCE VIEW THAT THIS BUNCH OF POLICIES IS NOT COMPLIED IN THIS AND THIS SERVICE. MANAGEMENT GROUPS ON THE OTHER HAND, IN AZURE, THAT’S GENERALLY AVAILABLE, STARTING ABOUT THREE WEEKS AGO. AND MANAGEMENT GROUPS IS A CONTAINER TECHNOLOGY. A CONTAINER HOLDING YOUR POLICIES, HOLDING YOUR RESTRICTIONS FOR DIFFERENT SUBSCRIPTIONS, DIFFERENT RESOURCE GROUPS OR DIFFERENT MANAGEMENT GROUPS. YOU START WITH THE TENANT ROOT GROUP, WHICH IS BUILT IN. IT WILL BE CREATED THE FIRST TIME YOU GO TO MANAGEMENT GROUP SETTINGS. YOU NEED TO ALLOW YOURSELF AS GLOBAL ADMIN, YOU NEED TO ALLOW YOURSELF PERMISSION TO ACTUALLY PROVISION THE TENANT ROOT GROUP. I’LL SHOW YOU THAT IN A BIT HOW THAT HAPPENS. THEN YOU CAN CREATE ANY NUMBER OF SUBGROUPS, I HAVE ONE FOR DEVELOPMENT AND TESTING AND ONE FOR PRODUCTION. WHICH IS FAIRLY SIMPLE TO UNDERSTAND, YOU COULD HAVE THESE BASED ON LOCATION AND THEN UNDERNEATH THOSE, YOU COULD HAVE THESE BASED ON THE ENVIRONMENT OR THE NEED OR POLICY THAT YOU WOULD APPLY. AND THEN YOU BIND YOUR SUBSCRIPTIONS AND/OR RESOURCE GROUPS AS PART OF THESE MANAGEMENT GROUPS. THEY WILL HAVE INHERITANCE, MEANING IF I SET A SET OF POLICIES IN DEV AND TEST GROUP HERE, MANAGEMENT GROUP, THOSE POLICIES WILL TRICKLE DOWN TO WHATEVER IS UNDERNEATH THE DEV AND TEST GROUP MANAGEMENT GROUP. AND WHOEVER IS BENEATH THOSE CANNOT BYPASS THE POLICIES AND THE SETTINGS THAT THEY HAVE IN PLACE. YOU WILL ALSO HAVE NESTING IN THERE. SO IF YOU SET SOMETHING IN DEV AND TEST GROUP AND SET SOMETHING ELSE, IT WILL TRICKLE DOWN THROUGHOUT ALL OF THOSE GROUPS THAT YOU WILL HAVE.
THE AZURE BLUEPRINTS ALLOW YOU TO CREATE PREDEFINED SETTINGS FOR YOUR AZURE ADMINS AND OPERATORS, WE CAN BUNDLE TOGETHER POLICIES, BUILT-IN TEMPLATES, ROLES, AND WE CAN ALSO CURATE THE MARKETPLACE. SO WE CAN DISALLOW USERS ON JUST GOING WILD IN THE MARKETPLACE AND PICKING AND CHOOSING EVERYTHING THEY NEED. WE CAN ACTUALLY RESTRICT WHAT WILL BE HAPPENING WITHIN OUR AZURE SUBSCRIPTION. WHILE THE MANAGEMENT GROUP IS A CONTAINER FOR ENFORCING POLICIES, BLUEPRINT IS A TECHNOLOGY ENFORCING TEMPLATE POLICIES, ROLES, AGAINST THE WHOLE SUBSCRIPTION. AND WITH BLUEPRINTS, THE EARLIER YOU GET STARTED, THE BETTER OFF YOU ARE, BECAUSE IF YOU HAVE A FRESH AZURE SUBSCRIPTION, YOU CAN HAVE THE BLUEPRINT IN PLACE, WHEN THEY START BUILDING SOLUTIONS IN THERE, YOU CAN ALREADY ENFORCE WHAT YOU NEED WITHIN THE BLUEPRINT. THE PREVIEW IS AVAILABLE STARTING THIS WEEK, THIS IS NOT GENERALLY AVAILABLE YET, BUT BASED ON MY TESTING DURING THE SUMMER, IT WORKS QUITE WELL ALREADY SO FAR. I WOULD EXPECT THE GA TO FOLLOW AT SOME POINT IN THE NEAR FUTURE. AND AZURE RESOURCE GRAPH IS QUITE NEW AS WELL. AND THIS ALLOWS US IN THE ALL RESOURCES VIEW OF THE PORTAL TO, OF COURSE, LIST EVERYTHING WE HAVE IN PLACE. BUT THERE’S NOW A PROVIDER FOR POWERSHELL AND AZURE CLI. WE CAN QUERY AGAINST AZURE ON WHAT SORT OF RESOURCES DO WE HAVE, AND THIS IS THE ENGINE THAT GIVES US BACK THE RESULTS. AND THE REASON FOR THIS IS THAT WE DON’T HAVE TO LOOK THROUGH EVERYTHING, WE CAN QUERY THE ENGINE AND IT’S LIGHTNING FAST WHEN IT’S GIVING YOU STUFF BACK. YOU CAN SEE IN THE SCREENSHOT, I’M USING AZURE CLI, I’M QUERYING THE GRAPH AND THE QUERY SUMMARIZE COUNT. HOW MANY RESOURCES DO I HAVE IN TOTAL IN THIS SUBSCRIPTION. IT’S ABOUT 222 IN THERE. IF YOU’D LIKE TO USE THE ALL RESOURCES THAT GIVES YOU THE SAME BUT YOU GET PAGING, IT’S A BIT SLOWER. IF YOU NEED TO DO REPORTING ON WHAT ASSETS DO WE HAVE IN PLACE IN THIS SUBSCRIPTION, THEN YOU CAN CHOOSE THE AZURE RESOURCE GRAPH, WHICH IS MUCH FASTER FOR YOU TO USE.
ALL RIGHTY. SO LET’S HAVE A LOOK ON THIS, AND ONCE AGAIN, DO THE BUTTON DANCE. EVERYTHING SEEMS TO BE WORKING. WE’LL START WITH AZURE POLICIES, LET ME CRANK UP THE FONT SIZE A BIT. I HAVE TWO SUBSCRIPTIONS THAT I CAN ACCESS WITH THE SAME ACCOUNT AS AN ADMIN. AND I’VE GOT A FEW POLICIES THAT I’VE SET IN HERE. ONE IS THE ALLOWED LOCATIONS, AND IT IS NONCOMPLIANT. MEANING THAT I’VE SET ONLY ONE ALLOWED LOCATION. I THINK IT WAS WEST U.S. OR WEST U.S. 2. THAT’S THE ONLY ONE THAT’S ALLOWED. BUT I ALREADY HAD DIFFERENT RESOURCES PROVISIONED TO AZURE THAT ARE NOT IN WEST U.S., THEY’RE IN WEST EUROPE. AND I’VE GOT 124 NONCOMPLIANT RESOURCES. IF I NEED TO OPEN THIS NOW, I CAN ACTUALLY SEE THAT 8 PERCENT OF MY RESOURCES ARE COMPLIANT, WHICH IS A BIT SAD. BUT IT’S REALLY THE REASON THAT THEY ARE IN DIFFERENT LOCATIONS THAN THEY SHOULD BE IN. SO WE CAN USE AZURE POLICIES TO ACTUALLY UNDERSTAND WHAT DO WE HAVE IN PLACE NOW, WHAT’S COMPLIANT. IT COULD BE THE LOCATION, IT COULD BE SPECIFIC TYPE OF SERVICES. IT COULD BE A SPECIFIC SETTING. ONE SETTING WOULD BE THAT I FREQUENTLY GET FROM CUSTOMERS, WHAT IF WE MOVE TO AZURE, WE SET UP VIRTUAL MACHINES, SOMEONE HAS A LOCAL ADMIN PRIVILEGE IN THERE, WHAT HAPPENS IF THEY NOW GO AND CONFIGURE THE BUILT-IN WINDOWS FIREWALL TO ALLOW PORT A TO INBOUND, WOULDN’T THAT, IF YOU ADD SITE-TO-SITE VPN, WOULDN’T THAT MEAN SOMEBODY MIGHT BE ABLE TO HACK THE VM AND HOP ONTO OUR INTERNAL NETWORK AND I LOOK AT THEM AND SAY, THAT’S EXACTLY WHAT IT MEANS, YOU NEED TO SOMEHOW CONTROL IT. AZURE POLICIES IS ONE WAY TO DO IT. YOU HAVE DIFFERENT TOOLS, YOU HAVE GROUP POLICIES OR USE INTUNE, WITH AZURE POLICY, WE ACTUALLY SEE, THIS IS SOMETHING THAT SHOULDN’T BE HAPPENING. SO WE HAVE GOT THE BUILT-IN POLICIES IN PLACE, A FEW ONES HERE, THE ALLOWED LOCATIONS IS AN ALLOWED POLICY, BUT IT’S BASED ON A BUILT-IN DEFINITION. FROM HERE, I CAN SEE THE DEFINITIONS. AND I’VE GOT FOUR INITIATIVE DEFINITIONS, AND I’VE GOT THE REST ARE POLICY DEFINITIONS.
A POLICY DEFINITION IS A BUILT-IN SINGULAR POLICY. DO NOT ALLOW X, DO NOT ALLOW THIS OR THAT. THE INITIATIVE IS A BUNDLE OF ONE OR MORE POLICIES. WE WANT ALL OF OUR VIRTUAL MACHINES OR ALL OF OUR AZURE SQL DATABASES TO CONFORM TO THIS SET OF POLICIES, WE HAVE TEN POLICIES WE PUT IN THE INITIATIVE. DON’T GET TOO FANCY WITH THIS, BECAUSE, ONCE AGAIN, YOU WILL END UP IN A SITUATION YOU CANNOT ACCESS ANYTHING ANYMORE, MAYBE NOT EVEN THE POLICY DEFINITIONS TO REMOVE THOSE. SO YOU CAN ALSO ADD A NEW POLICY DEFINITION IF YOU WANT TO BUILD YOUR OWN, HERE’S THE JSON FILE FOR BUILDING IT. YOU MIGHT NEED TO LOOK UP TO WHAT YOU NEED TO HAVE IN THERE. IF YOU HAVE A LOOK ON ONE OF THESE, VM’S SHOULDN’T USE — VM’S SHOULD USE MANAGED DISK, LET’S AUDIT ALL OF THE VM’S NOT USING MANAGED DISKS, YOU CAN SEE FROM HERE, THIS IS HOW IT WORKS, CHECKING STUFF IN HERE, YOU CAN DUPLICATE THIS, BUILD YOUR OWN FROM HERE. AND FROM HERE I CAN NOW GO TO ASSIGNMENTS, AND I CAN ASSIGN A SINGLE POLICY OR I CAN ASSIGN AN INITIATIVE. SO LET ME ASSIGN A SINGLE POLICY. THE SCOPE THAT I NEED TO SELECT, YOU CAN SEE FROM HERE THAT I’VE GOT THE MANAGEMENT GROUP STRUCTURE IN PLACE, I’VE GOT THE TENANT ROOT GROUP THAT I CANNOT MODIFY, UNDERNEATH THERE, I’VE CREATED IGNITE TEST. I’LL SELECT THAT ONE AND OPTIONALLY, I CAN SELECT A SUBSCRIPTION AS WELL. I MIGHT HAVE A SINGLE SUBSCRIPTION IN THAT MANAGEMENT GROUP. THIS ALL APPLIES TO THE WHOLE OF THE SUBSCRIPTION, OR I MIGHT NOW DRILL DOWN TO A SINGLE RESOURCE GROUP. I HAD THE DEMO RESOURCE GROUP, I WILL ONLY SELECT THAT ONE. AND WHAT WOULD THE POLICY BE? THESE ARE THE BUILT-IN DEFINITIONS PLUS THE CUSTOM DEFINITIONS WE HAVE IN PLACE IN HERE. SO LET’S SEE SOMETHING FROM HERE SECURITY RELATED. LET’S MONITOR UN-ENCRYPTED VM DISKS IN AZURE SECURITY CENTER. I’M ADDING THIS, IT’S ASSIGNED BY MYSELF. AND I CAN CREATE A MANAGED IDENTITY. SO I’M CREATING THAT NOW.
AND BASED ON MY EXPERIENCE, IT SOMETIMES TAKES A LITTLE BIT OF TIME, BUT THERE WE GO, MONITOR UN-ENCRYPTED VM DISKS, WE CAN GO TO COMPLIANCE. LET ME REFRESH THAT. UN-ENCRYPTED DISKS. IT TYPICALLY TAKES TEN MINUTES THAT IT STARTS AND COMPILES AND STARTS CHECKING WHAT’S HAPPENING WITH YOUR POLICIES. THIS IS HOW YOU BUILD THE POLICIES, TYPICALLY STARTING WITH THE BUILT-IN ONES AND MOVING ON. THE NEXT THING I NEED TO SHOW YOU IS THE MANAGEMENT GROUPS. AND WITHIN MANAGEMENT GROUPS, YOU CAN SEE THAT I’VE GOT THE IGNITE TEST IN HERE, AND THE INTERFACE IS A BIT DIFFERENT THAN WHAT YOU’RE USED TO IN AZURE PORTAL YOURSELF. ONE WOULD IMAGINE WHILE I’VE SELECTED THE IGNITE TEST MANAGEMENT GROUP, I WOULD ACTUALLY CONFIGURE IT TO THE SUBSCRIPTION, I NEED TO CONFIGURE IT TO THE DAMES THROUGH HERE. AND THIS ALLOWS ME TO CONFIGURE WHAT HAPPENS IN THE MANAGEMENT GROUP AND WHAT SORT OF POLICIES WILL APPLY TO THIS MANAGEMENT GROUP. AND IN HERE, IF I GO BACK IN HERE. I CAN ADD SUBMANAGEMENT GROUPS IN HERE, I CAN ALSO ADD SUBSCRIPTIONS IN HERE AS WELL. GOING BACK TO THE POLICIES, I CAN USE THE MANAGEMENT GROUPS I CREATE IN HERE, IN HERE I BIND THE SUBSCRIPTIONS AND/OR MULTIPLE SUBSCRIPTIONS AS PART OF THIS MANAGEMENT GROUP. OR I CREATE THE SUBMANAGEMENT GROUPS IN HERE. KEEP IN MIND, THAT IF YOU CREATE MANAGEMENT GROUPS, YOU TEST SOMETHING, AND THEN YOU WANT TO DELETE THE MANAGEMENT GROUP, YOU NEED TO CLEAN IT UP FIRST OR REMOVE THE SUBSCRIPTIONS FROM HERE, EVEN THEN WHEN IT’S REMOVED, YOU CAN CHECK THAT WITH AZURE CLI. EVEN IF IT’S REMOVED, THIS INTERFACE, IN MY EXPERIENCE, ACTUALLY SHOWS YOU THAT IT SOMETIMES EXISTS, WE NEED TO LOG OUT FROM THE PORTAL AND LOG BACK IN, IT’S SO HEAVILY CACHED, YOU CAN GET RID OF THAT AND CAN’T CONFIGURE ANYTHING ELSE UNLESS IT’S GONE. MOVING ON TO AZURE BLUEPRINTS, THIS IS EVEN SIMPLER IN A WAY, BUT THERE’S A NICE TWEAK HERE. I’VE GOT ONE BLUEPRINT CREATED, AND I NEED TO RIGHT CLICK THIS ONE TO GO TO EDIT.
THERE’S NOT TOO MANY PLACES IN AZURE PORTAL WHERE WE NEED TO RIGHT CLICK STUFF. THIS IS ONE OF THOSE. I CAN ONLY SET THE NAME, I CAN CHANGE THE LETTER. THE LOCATION IGNITE TEST, THE MANAGEMENT GROUP THAT I HAD. IN HERE, I’VE ADDED ONE ARTIFACT, WHICH IS A POLICY, I COULD ADD ROLES, I COULD ADD DIFFERENT SETTINGS, BUT I CHOOSE TO USE POLICIES IN HERE, ALLOWED LOCATIONS AND THIS ONLY ALLOWS A SET VALUE. WHAT’S THE VALUE, WE SET THE VALUE WHEN WE ASSIGN THE DEFINITION. SO GOING BACK HERE, IF I ASSIGN THE BLUEPRINT, THESE ARE — THIS IS WHERE IT WILL ASK ME WHAT WOULD BE THE LOCATION YOU WOULD LIKE TO USE. AND FOR ME, SINCE IT’S JUST A TEXT FIELD, I NEED TO LOOK IT UP THAT IT WILL BE U.S. 2, DO I WANT TO LOCK THE RESOURCES OR NOT? SO BY DEFAULT, NONE OF THE RESOURCES ARE LOCKED, BUT WHEN I ENABLE THE BLUEPRINT, I CAN CHOOSE TO LOCK THE RESOURCES SO THAT IF SOMETHING DOES NOT FIT IN HERE, WE’LL LOCK THOSE AND MODIFY THOSE. THAT WOULD MEAN THEN WE NEED TO MODIFY THE BLUEPRINT IF WE WANT TO CHANGE OR MODIFY SOMETHING AT A LATER DATE. SO I’VE GOT THE BLUEPRINT ASSIGNED NOW. I CAN SEE FROM HERE, IT’S SUCCEEDED, AND IF I GO AND CREATE A NEW VIRTUAL MACHINE, LET’S GO FOR WINDOWS 2016, I REALLY LIKE THIS NEW INTERFACE BECAUSE IT’S LIGHTNING FAST NOWADAYS AND GIVES ME A NICE OVERVIEW, I HOPE NOBODY ELSE IS USING THIS. AS THE REGION, AS THE LOCATION, I AM GOING WITH NORTH EUROPE. WE ALWAYS LAUGH AT THIS BACK AT HOME BECAUSE NORTH EUROPE TO US IS FINLAND, OF COURSE, BUT NORTH EUROPE FOR AZURE IS CLOSE TO DUBLIN, AND WE DON’T THINK THAT’S NORTH EUROPE. AND I’M SELECTING THE SIZE, I NEED TO BE UC ADMIN AND SELECT THE SUPERSECURE PASSWORD. FUBAR. 121212 HASH. DON’T WORRY, I WON’T PUT THIS ONLINE. I’M HAPPY WITH THIS. REVIEW AND CREATE. IT’S REVIEWING IT NOW. THERE’S SOMETHING MISSING OR SOMETHING INVALID. MANAGEMENT. REVIEW AGAIN, PLEASE. LET’S SEE IF THE VALIDATION GOES THROUGH, VALIDATION FAILED. LET’S HAVE A LOOK. THE ALLOWED LOCATION, FAILED. IT’S DISALLOWED BY POLICY.
I SET NORTH EUROPE, THAT SHOULD BE IN HELSINKI, BUT IT’S EXPECTING WEST U.S. 2, WHICH I THINK I PUT IN THERE. WEST U.S., REGARDLESS. SO I’M A GLOBAL ADMIN MYSELF, I OWN THE WHOLE SUBSCRIPTION, WHAT I’M GETTING IS DISALLOWED BY POLICY, AND THERE’S NO SKIP OR UNDO. I HAVE TO CONFORM TO THE POLICY. EVEN IF I’M AN ADMIN MYSELF. THIS IS THE WHOLE REASON WE HAVE BLUEPRINTS AND POLICIES AND WE HAVE MANAGEMENT GROUPS. THAT WE CAN ACTUALLY LOOK AFTER THOSE GUYS WHO SHOULD KNOW BETTER ON WHAT THEY’RE DOING AND THEY HAVE THE PERMISSIONS TO DO IT. THE LAST THING I CAN QUICKLY SHOW YOU IS IN AZURE ACTIVE DIRECTORY, WHEN YOU START USING MANAGEMENT GROUPS, YOU HAVE TO GO TO AZURE ACTIVE DIRECTORY PROPERTIES AND THERE’S A SETTING HERE, CAN MANAGE AZURE SUBSCRIPTIONS, AND THIS IS A NO BY DEFAULT. YOU NEED TO SWITCH THIS TO ON SO THAT YOU GET TO START USING MANAGEMENT GROUPS. OTHERWISE, EVEN AS AN ADMIN, IT WILL SAY YOU DON’T HAVE PERMISSION TO DO THIS. THE LAST THING IS THE AZURE ADVISOR. YOU SAW THE SCREENS ALREADY, THERE’S NOT THAT MUCH ELSE TO DO HERE, YOU’RE MOST INTERESTED IN THE PERFORMANCE AND SECURITY. AND THIS AUTOMATICALLY REFRESHES QUITE OFTEN, AND FOR ME, SECURITY, OF COURSE, COMPLAINS I’M NOT FOLLOWING THE SECURITY CENTER RECOMMENDATION, I CAN USE THE AZURE POLICIES AND POLICY ASSIGNMENTS AND INITIATIVES TO CONFORM THIS AND USE AZURE ADVISOR TO ACTUALLY UNDERSTAND AM I FOLLOWING ANY OF THE STUFF I FOLLOWING IN TERMS OF CONFIGURING THE SETTINGS. SWITCHING BACK, I’M STARTING TO LEARN TO USE THE BUTTONS ALREADY. SO CALL TO ACTION, GOVERNANCE IN THREE EASY STEPS, DEPLOY POLICIES, YOU DON’T HAVE TO GO WITH THE MANAGEMENT GROUPS INITIALLY IF YOU’RE NOT SURE HOW YOU WANT TO SET THOSE. WHAT KIND OF STRUCTURE YOU WANT TO HAVE IN PLACE, START WITH THE EXISTING TEMPLATES, IT’S TEMPTING TO BUILD YOUR OWN, BUT IT’S HARD TO KEEP TRACK, WHAT DID WE BUILD AGAIN, START WITH THE LOCATION, START WITH THE ALLOWED SKU’S FOR VM OR SQL DATABASE, THOSE ARE THE EASIEST ONES.
AND THEN APPLY MANAGEMENT GROUPS, BUT YOU KNOW HOW THE POLICIES WORK, YOU SEE THE COMPLIANCE WITH THOSE, YOU CAN MOVE TO MANAGEMENT GROUPS AND MAP THOSE TOO THAT YOU CREATED AS PART OF THE MANAGEMENT GROUPS. MONITOR WHAT’S HAPPENING IN THERE AND FINALLY, THE FOURTH STEP NOT SHOWN HERE, IF YOU’RE FEELING BRAVE AND KNOW HOW THINGS ARE WORKING OUT, START TESTING OUT AZURE BLUEPRINTS, IT’S IN PREVIEW NOW, ONCE YOU HAVE THE POLICIES IN PLACE AND MANAGEMENT GROUPS IN PLACE, THE NEXT LOGICAL STEP IS TO GO TO AZURE BLUEPRINTS AS WELL. THANK YOU, THAT IS ALL THAT I HAVE. THANK YOU FOR ATTENDING, I’LL BE HERE FOR ANY QUESTIONS IF YOU