Azure Linux Ubuntu not fully upgraded

Using apt-get update && apt-get upgrade -y on your Ubuntu VM in Azure sometimes does not upgrade all packages:

root@hostname6:~#
root@hostname6:~#
root@hostname6:~# apt-get update && apt-get upgrade -y
Hit:1 https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu jammy InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:5 http://azure.archive.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
libnss-systemd libpam-systemd libsystemd0 libudev1 linux-azure linux-cloud-tools-azure linux-headers-azure linux-image-azure linux-tools-azure
systemd systemd-sysv udev
0 upgraded, 0 newly installed, 0 to remove and 12 not upgraded.
root@hostname6:~#

Solution

sudo apt-get install aptitude -y
sudo aptitude safe-upgrade

aptitude safe-upgrade
Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused [...] Packages which are not currently installed may be installed to resolve dependencies unless the --no-new-installs command-line option is supplied.

Example

root@hostname6:~#
root@hostname6:~# sudo aptitude safe-upgrade
Resolving dependencies...
The following NEW packages will be installed:
linux-azure-6.8-cloud-tools-6.8.0-1041{a} linux-azure-6.8-headers-6.8.0-1041{a} linux-azure-6.8-tools-6.8.0-1041{a}
linux-cloud-tools-6.8.0-1041-azure{a} linux-headers-6.8.0-1041-azure{a} linux-image-6.8.0-1041-azure{a} linux-modules-6.8.0-1041-azure{a}
linux-tools-6.8.0-1041-azure{a}
The following packages will be upgraded:
libnss-systemd libpam-systemd libsystemd0 libudev1 linux-azure linux-cloud-tools-azure linux-headers-azure linux-image-azure linux-tools-azure
systemd systemd-sysv udev
12 packages upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 67.2 MB of archives. After unpacking 269 MB will be used.
Do you want to continue? [Y/n/?]

[..]
Current status: 0 (-12) upgradable.
root@hostname6:~#
root@hostname6:~# apt-get update
Hit:1 http://azure.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu jammy-security InRelease
Hit:5 https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
Reading package lists... Done
root@hostname6:~#
root@hostname6:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@hostname6:~#
root@hostname6:~#

Disabled Transparent Huge Pages with created systemd service

In some applications (e.g. Splunk) you need to disable Transparent Huge Pages THP. 

When your systems are running in a managed environment (e.g. the public cloud - like Microsoft Azure) with cloud images (like "0001-com-ubuntu-server-jammy" or "0001-com-ubuntu-confidential-vm-jammy" (both Ubuntu22.04 LTS)), you may not be able to use the GRUB Edit to disable THP, because the cloud image ignores the GRUB edits. A possible solution can be a custom systemd service:

Example Disable Transparent Huge Pages once (not reboot-persistent💢):

user@devazubu227:~$
user@devazubu227:~$
user@devazubu227:~$ sudo cat /sys/kernel/mm/transparent_hugepage/enabled
[always] madvise never
user@devazubu227:~$
user@devazubu227:~$
user@devazubu227:~$ echo never | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
never
user@devazubu227:~$
user@devazubu227:~$ sudo cat /sys/kernel/mm/transparent_hugepage/enabled
always madvise [never]
user@devazubu227:~$

Example Disable Transparent Huge Pages with custom systemd service (reboot-persistent ✅):

Commands:

sudo tee /etc/systemd/system/disable-thp.service > /dev/null <<EOF
[Unit]
Description=Disable Transparent Huge Pages
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable disable-thp
sudo systemctl start disable-thp
sudo systemctl status disable-thp
cat /sys/kernel/mm/transparent_hugepage/enabled
cat /sys/kernel/mm/transparent_hugepage/defrag

Example

user@devazubu227:~$
user@devazubu227:~$
user@devazubu227:~$ sudo tee /etc/systemd/system/disable-thp.service > /dev/null <<EOF
[Unit]
Description=Disable Transparent Huge Pages
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF
user@devazubu227:~$
user@devazubu227:~$ cat /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
user@devazubu227:~$
user@devazubu227:~$
user@devazubu227:~$ sudo systemctl daemon-reexec
user@devazubu227:~$ sudo systemctl daemon-reload
user@devazubu227:~$ sudo systemctl enable disable-thp
Created symlink /etc/systemd/system/multi-user.target.wants/disable-thp.service → /etc/systemd/system/disable-thp.service.
user@devazubu227:~$ sudo systemctl start disable-thp

user@devazubu227:~$ sudo systemctl status disable-thp
○ disable-thp.service - Disable Transparent Huge Pages
Loaded: loaded (/etc/systemd/system/disable-thp.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Thu 2025-08-07 11:01:42 UTC; 11s ago
Process: 4394 ExecStart=/bin/bash -c echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defra>
Main PID: 4394 (code=exited, status=0/SUCCESS)
CPU: 2ms

Aug 07 11:01:42 devazubu227 systemd[1]: Started Disable Transparent Huge Pages.
Aug 07 11:01:42 devazubu227 systemd[1]: disable-thp.service: Deactivated successfully.
user@devazubu227:~$
user@devazubu227:~$
user@devazubu227:~$ cat /sys/kernel/mm/transparent_hugepage/enabled
always madvise [never]
user@devazubu227:~$
user@devazubu227:~$ cat /sys/kernel/mm/transparent_hugepage/defrag
always defer defer+madvise madvise [never]
user@devazubu227:~$
user@devazubu227:~$


Azure Managed Identities (technical service accounts)

Explaination

• Azure Managed Identities = technical service accounts
• Password is automatically managed, as it was the case in managed service accounts in OnPrem ActiveDirectory
• Managed Identity types:
• System Managed Idendity ==> strictly assigned to a single Azure system (like a VM), cant be shared with another system
• User Managed Identity ==> for example for HA-clusters, in which all HA-nodes need the same user

Managed Identities dont use a password, instead they use OAuth2 and its token --> https://169.254.169.254/metadata/identity/oauth2/token 

Source: https://medium.com/@siddiquimohammad0807/azure-managed-identity-types-and-importance-c64f6292577d

Example

• When using PowerShell Connect-AzAccount --> a new window for username+password+mfa is opened --> these will be used as credentials
  
  
  
• When using PowerShell Connect-AzAccount - Identity --> no new window is opened, instead the managed identity is used --> Powershell sends HTTPS OAuth2 Query to Azure IMDS "Instance Meta Data Service" and received a token, which is then used
  

Windows PowerShell
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Install-Module Az 
NuGet provider is required to continue 
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGetprovider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies'  or 'C:\Users\Administrator20\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install
 and import the NuGet provider now?
[Y] Yes[N] No[S] Suspend[?] Help (default is "Y"): y
 
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes[A] Yes to All[N] No[L] No to All[S] Suspend[?] Help (default is "N"): y
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Connect-AzAccount -Identity
 
Subscription name Tenant
----------------- ------
274102ec-cd24-4af2-a4c2-832941ce526f
 
 
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>




AKS Security - SIEM UseCase of Get Credentials

A SIEM usecase or forensic security alert for Azure Kubernetes Service AKS should be setup for az aks get-credentials as it reveals sensitive data of AKS.

Example for Azure Cloud Shell Bash:

azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ az aks get-credentials --resource-group rgaks04app23 --name AKS04
Merged "AKS04" as current context in /home/azureksmoq/.kube/config
azureksmoq [ ~ ]$ 
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ cat /home/azureksmoq/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZ[...]RVJUSUZJQ0FURS0tLS0tCg==
    server: https://mykubernetescluster-dns-[...].hcp.eastus.azmk8s.io:443
  name: AKS04
contexts:
- context:
    cluster: AKS04
    user: clusterUser_rgaks04app23_AKS04
  name: AKS04
current-context: AKS04
kind: Config
preferences: {}
users:
- name: clusterUser_rgaks04app23_AKS04
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ[...]RS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJV[...]0VZLS0tLS0K
    token: bl0c8ko2[...]73m4ltf
azureksmoq [ ~ ]$ 
azureksmoq [ ~ ]$ 

This command can be helpful for developers or admins - but it is dual use as it reveals sensitive information. I recommend increasing your SIEM risk score or even make a use case with alerting.

Azure Documentation

Microsoft documentation for az aks get-credentials can be found here: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials or see here: https://azure.github.io/kubelogin/quick-start.html. See also https://learn.microsoft.com/en-us/azure/aks/control-kubeconfig-access

Get access credentials for a managed Kubernetes cluster.

By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.

az aks get-credentials --name
                       --resource-group
                       [--admin]
                       [--context]
                       [--file]
                       [--format]
                       [--overwrite-existing]
                       [--public-fqdn]

Examples

Get access credentials for a managed Kubernetes cluster. (autogenerated)

az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--admin -a

Get cluster administrator credentials. Default: cluster user credentials.

default value: False

--context

If specified, overwrite the default context name. The --admin parameter takes precedence over --context.

--file -f

Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.

default value: ~\.kube\config

--format

Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.

--overwrite-existing

Overwrite any existing cluster entry with the same name.

default value: False

--public-fqdn

Get private cluster credential with server address to be public fqdn.

default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Microsoft Portals overview - msportals.io

The website msportals.io is listing a nice overview of Microsofts portals. For example administrator portals:

Microsoft 365 Admin Portals

• Microsoft 365 Admin Portal https://admin.microsoft.com  aka.ms Old 🔗 Alt
• Microsoft 365 Apps Admin Center https://config.office.com
• Exchange Admin Center (EAC) New https://admin.exchange.microsoft.com
• Exchange Admin Center (EAC) Old https://outlook.office365.com/ecp/
• Kaizala Management Portal https://manage.kaiza.la/
• Microsoft 365 Compliance https://compliance.microsoft.com
• Microsoft 365 network connectivity test https://connectivity.office.com
• Microsoft 365 Network Insights Preview https://portal.office.com/adminportal/home#/networkperformance
• Microsoft Call Quality Dashboard (Teams) https://cqd.teams.microsoft.com
• Microsoft Call Quality Dashboard (Lync) https://cqd.lync.com
• Microsoft Endpoint Manager Admin Console Intune https://endpoint.microsoft.com aka.ms 
• Microsoft Endpoint Manager Admin Console Release Candidate https://rc-devicemanagement.portal.azure.com
• Microsoft Endpoint Manager Admin Console Old https://devicemanagement.portal.azure.com
• Microsoft Intune for Education https://intuneeducation.portal.azure.com
• Microsoft Online https://portal.microsoftonline.com/IWDefault.aspx
• Microsoft Store for Business https://businessstore.microsoft.com
• Microsoft Store for Education https://educationstore.microsoft.com
• Microsoft Stream Admin Center https://web.microsoftstream.com/admin
• Microsoft Teams Admin Center https://admin.teams.microsoft.com aka.ms   
• Microsoft Teams Rooms Managed Services https://portal.rooms.microsoft.com/
• etc 

Many more can be found on msportals.io.

 

New LAPS version explained

Microsoft will release a new version of Local Administrator Password Solution (LAPS), which   provides new Azure AD features as well as new Active Directory OnPrem features and some migration features from the old version to the new one.

A video explaining everything in detail can be found here:

This video includes a nice overview showing how LAPS is working internally using CSP (lapscsp.dll), PowerShell (lapspsh.dll) or GPOs and LAPS core logic (laps.dll) which then reads and updates the expiry of accounts as well as updates their password, either in Azure Active Directory or in Windows Server Active Directory on premise:

Source: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts

LAPS can be used as solution against pass-the-hash (https://attack.mitre.org/techniques/T1550/002) and lateral-traversal attacks (https://attack.mitre.org/tactics/TA0008), as well as for securing user help desk access or recover to devices with a fine-grained security model and for RBAC in Azure AD.

 

Quick win securing Azure AD

An easy quick win for securing Azure Active Directory passwords is the feature "Azure AD Password Protection". This helps you in mitre att&cks tactic credential access, for example in the technique brute force and its sub-techniques password guessing, password spraying, credential stuffing, etc.

Users are recommended to avoide simple passwords and instead should use pass-sentences. Password breaches of the recent past reveal that the majority still chose simple passwords. Azure AD Password Protection finds (audit mode) or enforces (enforce mode) stronger passwords for everybody. There is a hidden global banned password list which is applied to every user in the Azure AD tenant. Additionally you can block custom words like your companys name, your companys slogan, the founders or CEOs name, most used childerens names or your country or famous sport team names, which are often used as weak passwords.

Microsoft promises the "password validation algorithm" automatically detects/blocks variants and combinations like "password!1", "!password", "p@ssw0rd" and so on.

This is also available for on-premise Active Directory using an agent:

 

However this needs an additional license, you need to install and agent on your domain controllers, you need to reboot the domain controllers and you need Azure AD. Also you do not see the changing content of Microsofts global password list and there is no enforcement based on Active Directory groups or OUs, so you for example cant just enforce it to priviledged accounts but must enforce it for everybody.

Of course I highly recommend to use Multi Factor Authentication MFA everywhere.

Azure CLI - list ip-addresses & show Azure Network Security Group & create Azure NSG rule

A few basic tasks in Microsoft Azure via CLI.  In order to use microsegmentation or zero-trust-networking in Azure (which I highly recommend), I recommend to work with Azure Network Security Groups.

List Azure VM ip-addresses

Azure:~$
Azure:~$ az vm list-ip-addresses
[
  {
    "virtualMachine": {
      "name": "my-vm",
      "network": {
        "privateIpAddresses": [
          "10.0.0.4"
        ],
        "publicIpAddresses": [
          {
            "id": "/subscriptions/9aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa7/resourceGroups/learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00/providers/Microsoft.Network/publicIPAddresses/my-vmPublicIP",
            "ipAddress": "13.64.0.1",
            "ipAllocationMethod": "Dynamic",
            "name": "my-vmPublicIP",
            "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00"
          }
        ]
      },
      "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01"
    }
  }
] 

Azure:~$
Azure:~$ 

Put IP-address of VM in variable

IPADDRESS="$(az vm list-ip-addresses \
  --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00 \
  --name my-vm \
  --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
  --output tsv)"

Azure:~$
Azure:~$ IPADDRESS="$(az vm list-ip-addresses \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00 \
>   --name my-vm \
>   --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
>   --output tsv)"
Azure:~$
Azure:~$
Azure:~$ echo $IPADDRESS
13.64.0.1
Azure:~$
Azure:~$
Azure:~$ curl --connect-timeout 5 http://$IPADDRESS
curl: (28) Connection timed out after 5000 milliseconds

Show Azure Network Security Group

Azure:~$
Azure:~$ az network nsg list \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00 \
>   --query '[].name' \
>   --output tsv
my-vmNSG
Azure:~$
Azure:~$

Azure Network Security Group Name = my-vmNSG

What is defined in Network Security Group Name my-vmNSG?

Azure:~$
Azure:~$
Azure:~$ az network nsg rule list \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00 \
>   --nsg-name my-vmNSG
[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "22",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"ae2ae2ae-ae2a-ae2a-ae2a-ae2aae2aae2a\"",
    "id": "/subscriptions/9aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa7/resourceGroups/learn-f00f00f0-f00f-f00f-f00f-f00f00f00f00/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/default-allow-ssh",
    "name": "default-allow-ssh",
    "priority": 1000,
    "protocol": "Tcp",
    "provisioningState": "Succeeded",
    "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]
Azure:~$
Azure:~$


Show again that JSON formated by Name, Prio, Dst-Port & Access-Action:

Azure:~$
Azure:~$ az network nsg rule list \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01 \
>   --nsg-name my-vmNSG \
>   --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
>   --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow
Azure:~$
Azure:~$

Create Azure Network Security Group Rule for HTTP

Azure:~$
Azure:~$ az network nsg rule create \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01 \
>   --nsg-name my-vmNSG \
>   --name allow-http \
>   --protocol tcp \
>   --priority 100 \
>   --destination-port-range 80 \
>   --access Allow
{- Finished ..
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "80",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"ae2ae2ae-ae2a-ae2a-ae2a-ae2aae2aae2a\"",
  "id": "/subscriptions/9aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa7/resourceGroups/learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/allow-http",
  "name": "allow-http",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
Azure:~$
Azure:~$

Show that in JSON:

Azure:~$
Azure:~$ az network nsg rule list \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01 \
>   --nsg-name my-vmNSG
[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "22",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"ae2ae2ae-ae2a-ae2a-ae2a-ae2aae2aae2a\"",
    "id": "/subscriptions/9aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa7/resourceGroups/learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/default-allow-ssh",
    "name": "default-allow-ssh",
    "priority": 1000,
    "protocol": "Tcp",
    "provisioningState": "Succeeded",
    "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  },
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "80",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"ae2ae2ae-ae2a-ae2a-ae2a-ae2aae2aae2a\"",
    "id": "/subscriptions/9aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa7/resourceGroups/learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/allow-http",
    "name": "allow-http",
    "priority": 100,
    "protocol": "Tcp",
    "provisioningState": "Succeeded",
    "resourceGroup": "learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]
Azure:~$
Azure:~$
Azure:~$ az network nsg rule list \
>   --resource-group learn-f00f00f0-f00f-f00f-f00f-f00f00f00f01 \
>   --nsg-name my-vmNSG \
>   --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
>   --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow
allow-http         100         80      Allow
Azure:~$
Azure:~$

Microsoft 365 License Maps

I just found some nice Microsoft 365 licnese maps, which might be useful comparing serives, for example of Microsoft 365 Enterprise E3 vs E5. Those maps can be found here: https://m365maps.com/

Example map of Microsoft 365 Enterprise E3:

Example map of Microsoft 365 Enterprise E5: 

Access Azure Key Vault Secrets and Keys with Azure CLI

List all your Azure Key Vaults

Azure:~$
Azure:~$ az keyvault list --query [0].name
"my-keyvault-93456"
Azure:~$
Azure:~$ az keyvault list --query [0].name --output tsv
my-keyvault-93456
Azure:~$


Show secret of entry 'MyPassword' of your Azure Key Vault

Azure:~$
Azure:~$ az keyvault secret show  --name MyPassword  --vault-name $(az keyvault list --query[0].name --output tsv)  --query value  --output tsv
ThisIsYourVerySecureAndOfcourseLongPasswordIMeanPassSentence
Azure:~$
Azure:~$

Show key of entry 'SomeExampleKey' of your Azure Key Vault

The key 


Azure:~$
Azure:~$ az keyvault key show  --name SomeExampleKey  --vault-name $(az keyvault list --query [0].name --output tsv)
{
  "attributes": {
    "created": "2021-03-31T19:27:21+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2021-03-31T19:27:21+00:00"
  },
  "key": {
    "crv": "P-256",
    "d": null,
    "dp": null,
    "dq": null,
    "e": null,
    "k": null,
    "keyOps": [
      "sign",
      "verify"
    ],
    "kid": "https://my-keyvault-93456.vault.azure.net/keys/SomeExampleKey/413xxxxxxxxxxxxxxbb8d6",
    "kty": "EC",
    "n": null,
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": "OBlxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxVlBrE=",
    "y": "Gi/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+XRE="
  },
  "managed": null,
  "tags": null
}
Azure:~$


 

 

 

More Azure CLI commands for Azure Key Vault can be found here: https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest