Network Security Groups in Azure

Network Security Groups (NSGs) are one of the new network features available in Azure, at least as long as we are using the data center in North Europe (https://azure.microsoft.com/en-us/updates/new-networking-features-now-available-in-the-north-europe-region/). By leveraging NSGs we are able to control inbound and outbound network traffic all the way down to each separate VM. This is great in those cases where we have to implement high security and strict policies on our services, for example between the public-facing endpoints and backend servers in a SharePoint deployment.

Concept drawing of Network Security Groups

To use it, we need version 0.8.10 of the Azure PowerShell module, and the commands are:

  • Get-AzureNetworkSecurityGroup
  • Get-AzureNetworkSecurityGroupConfig
  • Get-AzureNetworkSecurityGroupForSubnet
  • New-AzureNetworkSecurityGroup
  • Remove-AzureNetworkSecurityGroup
  • Remove-AzureNetworkSecurityGroupConfig
  • Remove-AzureNetworkSecurityGroupFromSubnet
  • Remove-AzureNetworkSecurityRule
  • Set-AzureNetworkSecurityGroupConfig
  • Set-AzureNetworkSecurityGroupToSubnet
  • Set-AzureNetworkSecurityRule


Their function is fairly self-explanatory, and the link at the bottom of this post explains it a little more. But the best way to get to know them is to use Get-Help, and then just try 🙂
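The SharePoint scenario mentioned above, sketched with the cmdlets from the list. This is an added example, not code from the original post: the NSG names, virtual network, subnet names, address prefixes and the choice of SQL Server on TCP 1433 as the backend service are all assumptions.

```powershell
# Added example. Every name, prefix and port below is an assumption for illustration.
$location    = "North Europe"
$vnet        = "SP-VNet"          # existing virtual network (assumed)
$frontSubnet = "FrontEnd"; $frontPrefix = "10.0.1.0/24"
$backSubnet  = "BackEnd";  $backPrefix  = "10.0.2.0/24"

# Front end: only HTTPS from the Internet. Everything else from the Internet
# is dropped by the NSG's built-in deny-all inbound rule.
New-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" -Location $location -Label "SharePoint web front ends"
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" |
    Set-AzureNetworkSecurityRule -Name "Allow-HTTPS-In" -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
        -DestinationAddressPrefix $frontPrefix -DestinationPortRange '443' -Protocol TCP

# Back end: SQL from the front-end subnet only.
New-AzureNetworkSecurityGroup -Name "NSG-BackEnd" -Location $location -Label "SharePoint backend servers"
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" |
    Set-AzureNetworkSecurityRule -Name "Allow-SQL-From-FrontEnd" -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix $frontPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix $backPrefix -DestinationPortRange '1433' -Protocol TCP

# The built-in rules allow all traffic inside the virtual network, so an explicit
# deny with a lower priority number than the defaults is needed to isolate the backend.
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" |
    Set-AzureNetworkSecurityRule -Name "Deny-VNet-In" -Type Inbound -Priority 200 -Action Deny `
        -SourceAddressPrefix 'VIRTUAL_NETWORK' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol '*'

# Bind each NSG to its subnet.
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnet -SubnetName $frontSubnet
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnet -SubnetName $backSubnet

# Review the effective rule set, including the built-in default rules.
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" -Detailed
Get-AzureNetworkSecurityGroupForSubnet -VirtualNetworkName $vnet -SubnetName $backSubnet
```

The deny rule also blocks management traffic such as RDP from other subnets in the virtual network, so any administrative path needs its own allow rule with a priority number below 200.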


Microsoft introduced the Azure Automation Runbook Gallery

Yesterday, Microsoft introduced the Azure Automation Runbook Gallery. This new feature gives you a growing list of runbooks that are already polished and ready for use.

In other words, it just got much faster to achieve your automation goal without being a hard core PowerShell guru.

Read more about it at the Microsoft Azure Blog: http://azure.microsoft.com/blog/2014/10/07/introducing-the-azure-automation-runbook-gallery/

New release of Azure PowerShell – Version 0.8.8 is here

A new Azure PowerShell release is available. To upgrade, click this link http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 or follow the guide from the Microsoft Azure Documentation http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/

PowerShell 5 Preview is here

Windows Management Framework 5 Preview has been released, and can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=42316.

You can see some of the new features below and take a look at this blog post for more details http://blogs.technet.com/b/windowsserver/archive/2014/04/03/windows-management-framework-v5-preview.aspx

Network Switch Cmdlets

The Network Switch Cmdlets enable you to do switch, VLAN and basic Layer 2 network switch port configuration to Windows Server 2012 R2 Logo certified Network switches. Microsoft remains committed to support the Data Center Abstraction vision (DAL) and to show value for our customers and partners in this space. Using these cmdlets you can do:

  • Global switch configuration, such as:
    • Setting host name
    • Setting switch banner
    • Persist configuration
    • Enable or disable feature
  • VLAN configuration:
    • Create or remove VLAN
    • Enable or disable VLAN
    • Enumerate VLAN
    • Set friendly name to a VLAN
  • Layer 2 port configuration:
    • Enumerate ports
    • Enable or disable ports
    • Set port modes and properties
    • Add or associate VLAN to Trunk or Access on the port


OneGet is a new way to discover and install software packages from around the web. With OneGet, you can:

  • Manage a list of software repositories in which packages can be searched, acquired, and installed
  • Search and filter your repositories to find the packages you need
  • Seamlessly install and uninstall packages from one or more repositories with a single PowerShell command



How to add permission for a mailbox folder in Exchange using PowerShell

This post is inspired by a question I answered over at the Microsoft Online Services Forum at TechNet.

The case was something like this.

I have an organization that was recently set up in Exchange Online and they have unique circumstances in that every user in the organization needs “reviewer” access to every other user's calendars. I cannot change the default permission since new users added after this should not be able to see these calendars' details.

Let's use PowerShell and prepare for such a deployment.

First I create two security groups: one containing the users that will have their mailboxes shared, and one that has access to these mailboxes. The names I have used here are completely conceptual, so in your production environment you will probably name them a bit more specifically.

New-DistributionGroup -Type Security -Name "SG Users With Shared Calendar" -Alias "SG-Users-With-Shared-Calendar"
New-DistributionGroup -Type Security -Name "SG Users With Access To Shared Calendar" -Alias "SG-Users-With-Access-To-Shared-Calendar"

Then we need to add the affected mailboxes to their respective groups. I just used the Exchange admin center for this task, but it is of course possible to do the same using PowerShell and the Add-DistributionGroupMember cmdlet.

The next one-liner to run gives the second group access to the first group's calendars.

Get-DistributionGroupMember -Identity "SG Users With Shared Calendar" | foreach {Add-MailboxFolderPermission -Identity "$($_.Name):\Calendar" -User "SG-Users-With-Access-To-Shared-Calendar" -AccessRights Reviewer}

If you check the permission for a calendar owned by one of the users in the first group, you will see that it’s shared with our last security group.


The script and approach could of course be mixed with both security groups and individual users to achieve the exact desired configuration, and they apply to both Exchange Online and Exchange on-premises.
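To check the result across all mailboxes instead of one calendar at a time, the following read-only audit reports what the access group and the Default user hold on each member's calendar. It is an added example, not part of the original post; it reuses the conceptual group names from above and assumes an Exchange (Online) PowerShell session is already open.

```powershell
# Added audit example (read-only). Group names are the conceptual ones from this post.
$ownersGroup  = "SG Users With Shared Calendar"
$readersGroup = "SG-Users-With-Access-To-Shared-Calendar"

$report = foreach ($member in Get-DistributionGroupMember -Identity $ownersGroup -ResultSize Unlimited) {
    # Only user mailboxes have a calendar folder to check
    if ($member.RecipientType -ne 'UserMailbox') { continue }
    $mbx = [string]$member.PrimarySmtpAddress

    # The calendar folder name is localized (for example "Kalender"), so look it up
    $cal = Get-MailboxFolderStatistics -Identity $mbx -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    $folder = "${mbx}:\$($cal.Name)"

    # Rights granted to the access group (empty if the grant is missing)
    $grant  = Get-MailboxFolderPermission -Identity $folder -User $readersGroup -ErrorAction SilentlyContinue
    $rights = @()
    if ($grant) { $rights = @($grant.AccessRights | ForEach-Object { "$_" }) }

    # Rights of the Default user, which the scenario requires to stay unchanged
    $default       = Get-MailboxFolderPermission -Identity $folder -User Default -ErrorAction SilentlyContinue
    $defaultRights = @()
    if ($default) { $defaultRights = @($default.AccessRights | ForEach-Object { "$_" }) }

    if (-not $grant) { $status = 'MISSING' }
    elseif ($rights.Count -eq 1 -and $rights[0] -eq 'Reviewer') { $status = 'OK' }
    else { $status = 'UNEXPECTED' }   # more (or other) rights than Reviewer

    [pscustomobject]@{
        Mailbox       = $mbx
        Folder        = $folder
        GroupRights   = $rights -join ','
        DefaultRights = $defaultRights -join ','
        Status        = $status
    }
}

# Mailboxes needing attention sort to the top (MISSING, then OK, then UNEXPECTED)
$report | Sort-Object Status, Mailbox | Format-Table -AutoSize
```

Members added to the first group after the one-liner was run show up as MISSING, which makes this a convenient check to rerun whenever group membership changes.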

Below you find links to all the PowerShell CMDlets used in this post