Saturday, May 28, 2022

What I might change on Microsoft Azure | by Teri Radichel | Cloud Security | Apr, 2022

A couple of submissions for the Azure Wishlist and an Azure Support Diary

I’ve been working on some new ideas on Microsoft Azure that intrigue me, such as using a remote IdP to handle user authentication with Azure handling authorization. I also signed up for Standard support ($100/month) to see if it can help me resolve the issues more quickly. Some of the features I’m testing out are in Preview. Here are a few items on my Azure wishlist today.

Apologies for typos. I have no time today.

Caveat: I’m sure running a global cloud platform is not a simple feat. So many moving parts it boggles the mind how a CEO or security executive can even keep track of all of this and manage it. Hoping this helps provide some insight to someone who can actually address the issues, as some problems need to be addressed over and above support tickets.

BTW: Although I am writing about Azure here, all other cloud platforms, technical product companies, and telecommunications companies should take note. The tips in this document apply to most support teams I deal with across the board.
  • Very confusing to report a case when you search for Support Request in the Azure portal. FIX: Add a button on the page you get to when you search for “Support Request” to create a support request instead of having to click a link at the top to get to that page.
  • I have to log in to GitHub to provide feedback on documentation. FIX: Don’t make people log into GitHub to report a problem with documentation or I won’t bother. I’m busy and don’t want to be logged into GitHub unless I need to be.
e.g. “The identities of the virtual network and the subnet are also transmitted with each request.” Networks have identities? What does that mean, exactly?
  • Support staff is responding to questions without reviewing or maybe understanding screenshots provided with the case. FIX: Please look at the provided screenshots before answering the question.
  • Support staff are asking me to do a remote session. That is a security risk if people in an account are allowing them to do that and security teams and administrators don’t know about it. FIX 1: Don’t ask for remote sessions unless it’s truly required. The person could have reproduced my steps with the information I provided. FIX 2: Remote sessions should require higher privileges to allow and should be a button you have to toggle on in the portal, with a time limit, that turns back off after the session. (I was looking for the information on how the person intended to initiate the remote session. I don’t want to allow it. I just wanted to know what the person wanted to do exactly, so I could analyze the associated risk.)
If I give someone access via a remote session can they make changes in my account? How do you grant a remote session? I never would so I haven't looked into it. Shouldn’t checking the box to provide diagnostic access be enough? The person asked what error message I was getting, but I had already provided the error in a screenshot.

I provided a detailed blog that had, step by step, the actions I took in two products to set up an IdP. I presume someone could follow those steps to try to reproduce the problem. The IdP I'm using has a free trial option.

I don't want Azure support viewing my private IdP configuration information. That is why I provided a screenshot of the page without the details.

Now I have requests out to the support teams on both sides and this is where it gets tricky. Which vendor is actually going to help me solve the problem instead of pointing to the other vendor? We'll see who gets this done first.
  • As global admin you won’t necessarily see all the subscriptions and resources in your account until you toggle a special button. Even after you toggle the magic button, some of the logs and information are not available. Even after assigning the global admin the “Security Reader” role I can’t see all of them without making myself an owner of the subscription. You have to go in and manually assign yourself as owner of every subscription. Then you’re supposed to turn off the magic toggle again. The problem is, someone comes along and creates a new subscription. Repeat. Also, what’s the point of the magic toggle if anyone who gains access to that account can simply go in and flip the switch? I’m trying to understand the purpose of that feature but haven’t figured out a good reason for it yet. FIX 1: Just make the global admin a true global admin and tell people not to use it and store the credentials in a safe place. FIX 2: Definitely make each and all logs available when you flip the magic elevation toggle.
  • The Global Administrator doesn’t have access to certain parts of a new tenant when created. Fix: It seems like the Global admin should have access to everything in the account by default. What if developers have created something the GA doesn’t know about and it’s hidden from their view and they don’t realize it?
  • Azure DevOps looks interesting, but it requires a gazillion URLs which makes firewall rules very difficult. FIX: Create some kind of proxy for these requests so people can add a small number of firewall rules. Perhaps distinctly different features have a different and clearly defined domain so organizations can block access to a certain feature using network rules. Still, it's a bit unwieldy.
Also note that although you can use a proxy for private access, it may be that the traffic still goes over the public Internet from a remote location not in Azure once it leaves the Azure private access proxy. If you want your traffic to be truly private make sure it’s not just allowing access from a private IP address and then sending it over the Internet anyway unless that’s what you want. I haven’t tested this out yet.
  • While viewing audit logs support is telling me that a filter is causing logs to not show up, but there isn’t any filtering capability on the page. I see an error message. I don’t think the support person looked at the screenshot and saw that the problem was an error message, not a filter. In the end, this was a bug I think. FIX 1: Look at support case attachments. FIX 2: There’s a bug here after further review, I believe.
  • There is no way for me to mark a support case as closed. FIX: As a customer I should be able to close a case when I figure out the answer myself or the system magically starts working again (as it did last night).
  • After the support team says they will close a case upon my request, the case still shows that it’s open. FIX: Mark the case as closed and have it show up as closed so it drops off the active list.
  • After the support team says it will close the ticket it stays open and people keep replying to it. FIX: Save us all time and close the ticket so people don’t keep replying to it after it’s resolved.
Example: Azure Activity Logs were not working. This is initially why I signed up for support.

I submitted a support case and magically the logs started showing up as soon as I submitted my request?!

I added a comment to the ticket shortly after creating it that the issue was resolved. Since then I have received three responses, all telling me “Thanks. I will close the ticket.” I think I see what the problem is with the system that is causing this.

1. I enter my request. I get an automated response.
2. I respond to my request saying it's okay now, please close the request (since I can't close it myself).
3. Someone responds to my first request and apparently can't see my response that it's okay now please close?
4. I respond again saying the problem is resolved.
5. I respond again asking to close the request. [One of my faults, I tend to send a couple of messages in spurts like one would send a text message and that's not good in a support portal. Trying not to do that but it happens.]
7. Someone else responds to #2 that they will close the case.
8. Someone else responds to #4 that they will close the case.

So what you have is people responding multiple times to the same case that I want closed saying they will archive and close the case but it is still in the open status and people are still responding. I'm just waiting now for one more person to respond to #5 telling me they will close the case. Yep...just got it as I'm writing this. That's 4 responses telling me they will close the case and it's still open and people are still responding.

Do people have to meet some kind of quota related to responses because they respond with messages like "I'm glad I could help you with this." And yet the case is still open.

Meanwhile, my other cases that I need help with are missing*** from the portal, and are unresolved.

*** Note they were not missing (I don't think) there are just quirky issues with the filters and some bugs shown in the screenshots below that I figured out later. ***

Update: Took an hour long consulting call and when I came back this case is finally marked closed. However, I have another case in the same state. People keep replying to it and it magically started working as soon as I signed up for support. It's related to Azure Monitor.
  • Support case information is disappearing. I made comments on a case and later they didn’t show up after someone responded. Is this a bug? FIX: Make sure that comments show up after added and can’t be removed.
  • Emails outside of the support portal didn’t show up in the support portal. Someone emailed an answer to a question and when I logged in to reply that person’s answer was not there. Is this a bug or a person going around the system? FIX 1: Fix the bug that caused that person’s answer to not show up or FIX 2: Make sure people aren’t taking actions outside the support portal so there’s an accurate log of the activity on the ticket.
  • This may be just me but the switch tenant functionality is not obvious enough. You have to click on a tenant to get the switch function to become active so you can use it. FIX: Potentially show the status of the tenant in the list showing which one is active with a button on the others to make it the active tenant.
  • I submitted tickets in the evening. I went to bed and people responded. Now apparently those people are off shift and no one is looking at the tickets. Fix: When someone is off shift have someone else take a look at the tickets and see if they can resolve them instead of waiting until that person comes back on again. People just respond to a ticket with minimal information so it meets the required timeframe and then it just sits there. (I had the same problem with other cloud providers.)
  • I submitted a new ticket asking if someone could pick up the open tickets which mostly revolved around permissions. The person who picked up my request didn’t read the ticket or respond to what it was about. FIX: Read and respond to what’s written in the case.
  • For support tickets, the list doesn’t tell me whose turn it is to respond. FIX: Add a column that shows who’s got the next action.
  • I submitted a case to resolve the following: Cases not showing up in portal — please add them, cases I’ve requested to be closed are still open, and reassignment of cases that haven’t been resolved in a timely manner. Now I wait…… This is the point where there’s nothing for me to do because all the cases are deadlocked in non-responsiveness and unhelpful answers and usually I give up and go do something else. I never get around to logging back in because I’ve just given up and finally someone closes them because I don’t respond. I’ll try to come back and check later. Fix: Improve the whole process before it gets to this point.


  • Got this in one of the support responses. It’s extraneous and makes the response much more wordy than it needs to be. Fix: Only respond with the required information.
We will consider this issue resolved when one of the following conditions are met:
- Once we are able to determine why you are getting this error.
- A workaround has been provided that will allow you to solve your business need.
- It has been clearly identified and/or shown to you that what you are trying to do cannot be supported by us.
- The issue that you are experiencing is by design.

Microsoft works on ‘one issue per incident’ basis. As per Microsoft an incident is defined as an issue that cannot be broken down any further. In case you have any other issue after this, you would have to create a separate incident for it.

During the course of troubleshooting, it is possible that the issue may be existent due to a problem from a Third-Party Software/Hardware side. In such situations, you would have to contact the respective vendor(s).

We will now begin working together to resolve your issue. If you do not agree with the scope defined above, or wish to amend it, please let me know as soon as possible.
  • I actually got an answer on the first try for one case and asked to close it. I also figured out that one of my requests is an Azure bug. There are now 4 cases in the portal which I’ve requested to be closed. Fix: Allow customers to close their own cases but for now, close cases as soon as a customer asks — without responding because that is a waste of time and inbox.


  • Moments later my support requests have disappeared again. Fix: Clearly this portal has an issue. Note that I took the time to figure out what the bug is and provided screenshots below.
  • I just figured out what’s confusing about tenants. Fix: When you click on Azure Active Directory “Manage Tenants” should be in the left menu with everything else.


  • Took a break. Now the only support requests I can see are ones that I asked support to close. They’re still all open except one.


  • Went to eat dinner and came back to this. Was still confused by filters and support bugs and couldn’t find tickets. Figured out later this was the bug below but it was very confusing. Fix: Fix the bug.


  • Cannot upload two files when creating a support case, unless I’m missing it. I can go back after I create the case and add the files — if I can see it. I just created a case and it’s not immediately showing up and I want to add two more screenshots. Fix: Allow upload of multiple files on initial creation.


  • Went to bed. Got up to check my cases.
Sometimes I wonder if people are intentionally trying to be unhelpful or they really don’t understand or take the time to read what I am writing. We had this saying at Capital One: Assume good intentions. So that’s what I’ll do.
  • In the case where I provided a step-by-step walkthrough with detailed screenshots and instructions of the actions I had taken and the resulting error, the person responded with a couple of sentences pointing to the option in the menu in the Azure portal to perform the action which I provided detailed information showing I had already performed. He or she didn’t address the error message I provided that occurred at the end of those steps. Fix: Read the message provided in the case and look at the screenshots. If the customer provides steps they took that led to an error, take those steps yourself to see if you can reproduce the problem.
  • In a case where I asked a person if they could see VMs in my account, the person responded that there are multiple subscriptions in my account. Um, yes, I know that. Fix: Answer the question that was asked.
  • I figured out that the global filter is tricky. I’ve been working with multiple tenants, which I didn’t do so much in the past, in order to test out permission boundaries, etc. If you set the “global filter” it turns out that it’s not actually global. It only applies to one tenant I think. So even though I had set the global filter to all subscriptions and turned on the magic elevation toggle, I wasn’t seeing all my subscriptions. Fix: Somehow there has got to be a better way than using this hidden global filter and magic button. Remove these and use filtering on the subscription page.
  • I asked a question about not being able to see all the subscriptions when logged in as a user that was assigned the security reader role in two tenants. The person who responded to that last case replied that I have one tenant in my account (I provided screenshots and explained there are two.) The person explained to me how to add the security reader role. That was not my question. The user is already assigned the security reader role as I had explained. I figured it out myself and asked the person to close the case. Fix: Read the message in the case and look at the screenshots.
  • It seems like when I turn off the global filter it doesn’t stay off. Fix: Make sure that if someone turns off the global filter that it stays off until they turn it on again.
  • When I started creating support tickets I set a default email address. My last two tickets went to a different address. I don’t know if that’s because I submitted them from a different place in the portal that was in a different tenant or subscription or something. Fix: The default email address for a user for support tickets should be the same across all of Azure and then have a more granular way to set different emails for different resources.
Here’s the whole problem causing most of the confusion, aside from what appears to be a bunch of bugs when navigating certain paths of the portal:

You need a filter at the top of every page that has the following:
- A drop down for region
- A drop down for subscription
- A drop down for tenant
- A check box to apply the global filter or not and a link to edit it
- For global admins an indication as to whether or not they have elevated privileges (or get rid of that because what is the point? People should not be using the global admin account - I'm only doing it for research purposes.)
- A way to click on something that shows which roles apply to the user on the current screen and with the current selections.

Other discoveries:

  • When you have multiple tenants the “global filter” is not actually “global”; it applies only to the current tenant. Fix: Make that clear on the screen where the person is editing the “global filter” to ensure the person understands it is only global for one tenant.
  • When you toggle the magic elevation button, that also only applies to one tenant. Fix: Make it clear in the documentation — highlight it somehow — that you have to elevate in each tenant where you are having an issue to see all subscriptions across all tenants.
  • When you are on the subscriptions page and you change the filter to uncheck the global filter, the next time you come back the filter reapplies the global filter. Fix: Save the settings the user selected.
  • When you select “all subscriptions” it still applies the global filter. All subscriptions doesn’t mean “all subscriptions” in this case. Fix: Uncheck the global filter when someone selects all subscriptions.
  • In order to view subscriptions in another tenant you have to navigate to confusing pages as noted above and switch to a different tenant and then navigate back to the subscriptions page to see the subscriptions for that tenant. Fix: Allow switching to a different tenant from the subscriptions page. These two things seem closely related.


Been handling cloud security and container consulting calls all day and checking support requests in between. Here’s the latest:

  • I posted a support case number on Twitter and asked that it be closed because nothing I request to be closed in the portal is getting closed and because that case had a title that apparently confused the person that read it. He or she only read the title and not the case contents. I wanted that case to be closed to avoid confusion. The person keeps responding after I asked to close it — multiple times. Fix 1: When a customer requests to close a case, close it. Fix 2: Better yet, let customers close cases. Fix 3: Either that or allow the customer to edit categories and subjects if they make a mistake.
  • I created a new case with a different appropriate title and provided the information required to restore the missing cases in the second ticket (which I found later, see bug below). I tried to be more clear in my request to avoid confusion. I reported the bug in this ticket later. So far I’ve gotten no help with that case I asked to have escalated on Twitter. I’m trying Twitter because I don’t know how else to get my case escalated. It’s not working. Fix 1: Provide a better way to handle escalations. Fix 2: I have a lot of issues at about the same level, however one is more urgent than the others. I wish there was a way to indicate that. However, I don’t want phone calls, so I’m not going to pick priority A. I want the information support provides documented in the portal for later reference. I also find that it’s easier to communicate in writing with people who speak another language.

Side note. I love this checkbox in the Okta support portal:

  • Another thing I noticed was that I was able to solve some cases myself, so I moved the priority down to C. (A, B, C). Once I realized that the cases weren’t getting worked in the order I wanted, I tried to downgrade some to C, but once an engineer picks it up that can’t be changed. Fix: A customer should be able to change the priority as new information or other urgent matters arise related to their cloud account.
  • Directory is in small print top right nav. Same issue with regions in AWS where people don’t realize what region they’re in and think all their resources are gone. Fix: The currently selected tenant could be more prominent in view when dealing with subscriptions. The pop out there works exactly like I recommended above. The currently selected directory is very clear and well designed.
  • Filter on the subscription page has a lot of space between the subscription list and the global filter checkbox. If a user has made the height of their screen very small so they can look at two screens at once they won’t see the global filter unless they scroll down. This is known as “below the fold” in UI design. Fix: Move the global filter checkbox to the top of that screen so that regardless of the height of the filter popup, the user always sees it. Fix: Move the button at the bottom to the end of the list (remove the extraneous space).

Moving along…

  • Adding roles to a user in a tenant won’t work until the user is invited to the tenant and accepts the invitation. Even though my user had the necessary roles the user couldn’t switch to the tenant. Suggestions: 1. Add a note to that page where you assign roles that they won’t work until the user accepts the invitation. 2. On the user’s page where they switch to a new directory, add a note that says an email invitation is waiting. 3. If the email bounces, indicate that on the users list where it says “Invitation.” 4. On the users list where it says “invitation” indicate whether or not the invitation has been accepted.
  • I got an email that looks like this, FYI. Suggestion: Possibly a bit of design work to make it look more trustworthy?

This domain also popped up. Hopefully that’s expected.

  • After going through this process it tried to force me to log in with the Microsoft Authenticator app. I had to back up and try again to use a different authenticator. Fix: Make it easier to use a different authenticator app during this process.
  • Finally…I was able to get to the tenant and had assigned the security reader role to all the subscriptions and could see them.
  • Although that works, creating yourself as a guest user of your own tenant seems a bit odd. I kept asking support if there was a way to assign a user the security reader role across all subscriptions in my account. They kept repeating that I had to assign the user the reader role individually in each subscription. In a few cases they said, oh by the way you have multiple tenants but didn’t provide a solution for granting the user access to the second tenant and the subscriptions in it globally. I figured there must be a better way so I kept looking.

You can grant tenant-wide access to Microsoft Defender for Cloud:

This page mentions cross-tenant management.

With Azure Lighthouse:

This article is also useful:

None of the support people mentioned this in any of my cases when I was trying to achieve this objective. Some of the above still seems to be written from the perspective of a third-party managing your Azure resources versus an in-house security team, but it seems like it would still be good to mention.
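
An added example, not from the original post: the elevation toggle discussed earlier assigns the User Access Administrator role at root scope (`/`) in one tenant only, and the per-subscription Security Reader gap reappears whenever someone creates a new subscription. This Python sketch audits both over constructed data shaped like the JSON printed by `az account list` and `az role assignment list`. All tenant names, subscription IDs and users are made up, and management-group assignments are assumed absent.

```python
"""Audit constructed Azure RBAC data for two gaps described in the post."""

ROOT_SCOPE = "/"
# Role that the "elevate access" toggle grants at root scope in the current tenant.
ELEVATION_ROLE = "User Access Administrator"

# Constructed sample data (not from a real account). Field names follow the
# JSON from `az account list` and `az role assignment list`.
SUBSCRIPTIONS = [
    {"id": "aaaa-1111", "name": "sandbox-dev", "tenantId": "tenant-a"},
    {"id": "aaaa-2222", "name": "sandbox-new", "tenantId": "tenant-a"},
    {"id": "bbbb-1111", "name": "idp-test", "tenantId": "tenant-b"},
]

# Role assignments are stored per tenant; nothing in tenant-a applies to tenant-b.
ASSIGNMENTS_BY_TENANT = {
    "tenant-a": [
        {"principalName": "admin@example.com",
         "roleDefinitionName": "User Access Administrator", "scope": "/"},
        {"principalName": "auditor@example.com",
         "roleDefinitionName": "Security Reader",
         "scope": "/subscriptions/aaaa-1111"},
        # Resource-group scope: does not cover the whole subscription.
        {"principalName": "auditor@example.com",
         "roleDefinitionName": "Security Reader",
         "scope": "/subscriptions/aaaa-2222/resourceGroups/rg1"},
    ],
    "tenant-b": [
        # Plain Reader is a different role from Security Reader.
        {"principalName": "auditor@example.com",
         "roleDefinitionName": "Reader",
         "scope": "/subscriptions/bbbb-1111"},
    ],
}


def scope_covers_subscription(scope, subscription_id):
    """True if an assignment at `scope` applies to the whole subscription."""
    normalized = scope.rstrip("/").lower() or ROOT_SCOPE
    if normalized == ROOT_SCOPE:
        return True  # root scope is inherited by every subscription in the tenant
    return normalized == f"/subscriptions/{subscription_id}".lower()


def lingering_elevation(assignments_by_tenant):
    """Return (tenant, principal) pairs that still hold the elevation role at '/'."""
    findings = []
    for tenant, assignments in sorted(assignments_by_tenant.items()):
        for a in assignments:
            if a["roleDefinitionName"] == ELEVATION_ROLE and a["scope"] == ROOT_SCOPE:
                findings.append((tenant, a["principalName"]))
    return findings


def uncovered_subscriptions(subscriptions, assignments_by_tenant, principal, role):
    """Return (tenant, subscription name) pairs where `principal` lacks `role`."""
    gaps = []
    for sub in subscriptions:
        # Only assignments from the subscription's own tenant can apply to it.
        tenant_assignments = assignments_by_tenant.get(sub["tenantId"], [])
        covered = any(
            a["principalName"].lower() == principal.lower()
            and a["roleDefinitionName"] == role
            and scope_covers_subscription(a["scope"], sub["id"])
            for a in tenant_assignments
        )
        if not covered:
            gaps.append((sub["tenantId"], sub["name"]))
    return gaps


if __name__ == "__main__":
    for tenant, who in lingering_elevation(ASSIGNMENTS_BY_TENANT):
        print(f"[elevation still on] {who} in {tenant}")
    for tenant, name in uncovered_subscriptions(
            SUBSCRIPTIONS, ASSIGNMENTS_BY_TENANT,
            "auditor@example.com", "Security Reader"):
        print(f"[no Security Reader] {name} in {tenant}")
```

Run on a schedule against real exports, a report like this surfaces newly created subscriptions that the security user cannot see and elevation that was never switched back off.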

  • So now every single case I have open can be closed except the most important one I hoped to complete in one day….got help from someone at Microsoft who’s trying to help me with that. Thanks!!


  • Spoke too soon. The issue I mentioned above with the screenshot about non-compliant VMs: Once again I got a response in email instead of in the portal. I didn’t see it. I copied and pasted into the portal. Initially, I thought the person had confirmed it was a bug. Then I realized I misread what she wrote. I have no VMs in my account and Microsoft Defender for Cloud appears to be telling me in that screenshot above that I have non-compliant VMs. I asked the person assigned to this ticket if she could confirm, by looking in my account which I set up for testing, that there are no VMs in my account. Instead of doing that she keeps telling me that I have other subscriptions. Yes. I know. I have multiple subscriptions and multiple tenants. She also is trying to get me on the phone. Why does Microsoft support always do this? I don’t think this is a complicated request, is it? I have a very small account I’ve set up specifically for testing something. It seems like it’s a very simple ask. Look at the tenants and subscriptions and tell me if you see any VMs because I don’t. Fix: Check what the customer asks to confirm you see the same thing the customer does, unless you cannot for some reason. If you see something different, explain how you got to that view. If you can’t do what the customer is asking, then respond and tell the customer that due to constraints on your end, such as not being able to view all the tenants or subscriptions, you cannot do what they’re asking. Note that this person did ultimately help me and confirmed this is a bug.


  • Got up in the morning. Haven’t submitted any new tickets. Figured out all the issues myself except one and two open tickets. Hoping to see all tickets closed. Nope. Fix: .
  • The views in the support portal are confusing and don’t show me all my cases. I figured out what’s going on and it seems to be some kind of bug. Here are screenshots explaining the confusion and bug:
When I first log in and go to support cases this is what I see:
Note that the last case says “audit logs” and is one of the very first things I submitted. You used to be able to type “audit logs” in the search bar and get to the audit logs when logged in as a global administrator. Now it tells me I don’t have permissions. I concluded that this is a bug. I don’t think the support person ever took the steps I provided or understood me. I asked to close that ticket over a day ago I believe and someone responded 20 hours ago saying they would close it. As you can see it’s still open.

Next I click on “See all support requests.” Wouldn’t you expect to see the “audit logs” case when you click on “See all support requests”? I did but maybe I don’t understand the purpose of that link. When I click it this is what I see:
This list does not have the “audit logs” case. On that same screen you can filter by Open, Closed, and All. If you select "All" on this screen, you actually get "All." Of these cases only the first one should be "Open."
It also shows you that I still have a lot of cases open after requesting to close all of them but one now. The first one named “Support Cases” is the one where I asked support to close all the cases. An operations manager responded in email and said he can’t respond in the portal due to some technical limitation. He said he is working on closing all the cases. I’m not sure how long it is supposed to take or if he can’t affect what is going on in other departments, but they are still open.

Support Cases + Tenants

The other issue is that I found three cases under my other tenant. I never signed up for support before with multiple tenants. I generally don’t even bother with support due to issues such as the above. I research and figure out things myself. So this is my first attempt at support with multiple tenants.

When I submitted the cases I assumed they would be global. I also thought I had selected the same tenant each time I submitted a case. I want to go back and test that but I don't want to proliferate more support tickets in my account.

When I signed up for support, I think I had to choose a specific tenant. If I was not allowed to submit cases in another tenant, the portal should prevent me from doing that so I presume it is OK. If it wasn't, people wouldn’t be responding to those tickets and they are.

So having tickets in multiple tenants was part, but not the whole problem. I expected the support system to be global. But it's similar to AWS where you're logging into different accounts and your support requests are specific to each account. Fix: Drop down on support page to switch tenants and ability to globally filter on all support requests.
  • Tip for me: When I used to work with development teams in India, I used to have to provide very explicit, step-by-step instructions to get things done correctly. 1. Do this. 2. Do that. 3. Next do that. 4. Don’t do that. I noticed that one of the support tickets I wrote in that way got resolved. It was the ONLY support ticket that actually got resolved without me figuring it out first. I got an error in the portal. I provided the three or four steps to get the same error. The person told me that in order to view what I was trying to view I had to go over to some other screen to register Microsoft Insights or something. Why, when you sign up for a security service you have to go to some other magic screen and register some service from a list is
    Fix 1: Automatically register what’s required for a service to work properly when someone signs up for it. Had this same problem with Azure Data Share.
    Fix 2: Note to self: Provide explicit, step-by-step instructions including every click you made to get to the point where you got the error. It appears that providing a screenshot is not enough because the support people don’t look at them or maybe they don’t know the system well enough to get to those screens. They’re also speaking another language (something I can’t do so that isn’t an insult — I’m not that smart.) and it may be harder for them to understand.
    Fix 3: If you provide a screenshot tell the person to look at the screenshot.
    Fix 4: If you provide a link to a step-by-step walk through with all the details in screenshots and steps to reproduce the problem tell the person you provided that and tell them to go look at it explicitly.
    However, even when you do #3 and #4, people still aren’t looking at things in every case. That’s when it gets frustrating.


  • Came back a few hours later. After explaining step-by-step what I was after in the non-compliant VM issue have now confirmed that my analysis is correct. There’s a bug in Azure. It reports non-compliant resources even though I have no resources in this test account. Here’s another screenshot:
Considering what might cause this. Here are some guesses:
    • A software bug with an incorrect calculation.
    • Would support staff working on tickets in my account with non-compliant VMs cause this?
    • Is there a resource in an Azure service causing this?
Don’t know but reported so hopefully it gets fixed soon.
  • As I mentioned I later realized that I had submitted tickets inadvertently in a different tenant. What I realized along with that is that’s the reason the recommended categories when I created the ticket didn’t make sense. I recreated a case related to an IdP integration I was working on from the correct tenant, in case that improved visibility into the error message. I still was not sure which category to pick, but I found one with SAML in the description. Fix: Align the categories with the menus customers choose from in the portal so it’s easier to get requests routed to the correct team.
  • In the new case I 1.) Provided an attachment 2.) Said I provided an attachment with step-by-step instructions and screenshots 3.) Repeated that I provided an attachment. 4.) Asked the person to look at the attachment and follow the steps. Here is the response I got:
Can you share screenshots? I’ll need more information on this so I can help you with this issue.

Fix: Train people to look at attachments submitted with tickets!!!
  • In this new request I explained that I hadn’t gotten a response for almost 24 hours. I asked if they could escalate the ticket. I waited a bit then went off to do other things. When I got back nothing was done on the ticket. The person asked for the other ticket number. When I provided it, the person said they’d close the ticket since another one was open. Now you want to close a ticket? Well the person wasn’t really helping me anyway so I said to go ahead and close it. Fix: When someone asks to escalate a ticket, don’t ask to close it. Help the customer get the problem resolved because that’s why they’re submitting a second ticket and asking for help with escalation in the first place.
  • As mentioned, a manager contacted me yesterday via email stating that he would help me get all my tickets closed. I’m sure that manager has to deal with a lot of different departments and doesn’t really have control over closing all the tickets so maybe this isn’t that person’s fault. A bunch of tickets are still open. In the ticket where I had asked to get these tickets closed here’s what another person responded:
"We can ask the Support Engineers questions like potentially asking them to close the case but for them to be following process they need to hear directly from you that case closure is permitted."
So when I write into the ticket "you can close this" or "please close this" does that not qualify as permission to close the case?
Fix: Let customers close their own cases.


Again for an additional day.

  • Last night I had two tickets open. In my ticket related to issues with support, the person wanted to downgrade the ticket to a lower priority. However, one of the three items in that ticket was to escalate my only remaining open ticket because the person wasn’t reading the steps I sent over to reproduce the problem or looking at the screen shot with the error message. I didn’t want to downgrade a request for help resolving what should be my only open ticket (it’s not, the others are still not closed). I sent some clarifying information to hopefully make my ask more clear.
  • My one excellent ticket has been assigned to a different staff. I hope it’s the proper staff. I added a brand new message on the request reiterating my request. I offered a hyperlink to the weblog submit with detailed display screen photographs and connected the doc the place I printed that weblog submit as effectively in case they didn’t wish to click on a hyperlink. Ready to listen to again. If that staff can resolve the difficulty might be fairly cool and I’ll share the outcomes.
I was thinking about *why* a company would not have the obvious function of letting customers close their own tickets. It’s such a simple thing. I imagine the support team complains because customers close a ticket and open a new related ticket. But the ultimate problem in that case is not that the customer is closing and opening new tickets. Consider the 5 Whys. Why is the customer submitting multiple cases? Why is the customer closing and re-opening the same case? Because the support person responding to them is not helping them. Their problem is not getting resolved. Why is the problem not getting resolved? It could be one of many factors including: The support person doesn’t understand what the customer is asking either because the customer is not clear or the support person doesn’t understand English well enough. It could be the support person is afraid to let the ticket go to another team who could solve it faster for fear of being deemed “not good enough” or losing their job. It could be that the support person doesn’t have sufficient training. Perhaps the support person is afraid to ask for help because of draconian management or being derided by others on the same or a different team. The support operations management may be under pressure to meet quotas and that is driving pressure down to support teams to handle support cases too quickly and not be thorough when reading them. Support teams may not have the tools to do their jobs. Support systems which are not customer-facing may contain broken, buggy software. So many factors could be causing this. I can only guess. Those running support teams need to do internal analysis themselves to resolve the root causes. Once they resolve those root causes, customers will be happier. Support teams will be happier. Cases will be handled more efficiently. The company will probably save money too.
  • And…I simply bought one other response on a ticket I requested the individual to shut.


  • I’ve been going forwards and backwards with the assist individual on an pressing ticket. For some motive, the assist individual retains asking me for data that’s within the doc I connected. I don’t perceive why, but it surely looks as if the individual doesn’t wish to open the doc and observe the steps I offered to breed the error I get. The doc consists of step-by-step directions with screenshots of every step I took and a screenshot of the error on the finish. I’ve defined this downside repeatedly above and I don’t perceive why the assist individuals at Azure don’t wish to take a look at the data I offered and ask me questions I’ve already answered. Repair: Possibly it’s a communication breakdown of some type however I actually can’t perceive why the assist staff refuses to observe the steps I took to breed the error to allow them to inform me the best way to repair it???
  • The error message I’m getting from Azure in that final bullet level is a really unhelpful error message that doesn’t actually say something. I already wrote about writing higher error messages and why that’s vital right here:


  • On the way in which to select up my mail it hit me. Maybe the individual responding to my ticket doesn’t perceive the which means of the phrase “federation.” That’s the one factor I can consider. If the individual learn my doc I’m clearly federating authentication, but when they don’t perceive what federation is they may not perceive that the steps I’m taking are precisely that. Possibly my ticket nonetheless hasn’t gotten to the proper staff. I’m undecided.
  • I questioned if the individual wasn’t actually referring to federation however particularly the difficulty that Microsoft solely helps sure area configurations. If that’s the case, the individual didn’t learn the doc I despatched over which particularly refers back to the DNS documentation on this part of the doc.


  • Yep. I acquired a response to my ticket which was a replica and paste out of the above hyperlink that I’ve in my steps that I took that led to the error I’m getting.
  • Along with linking to the doc from which the individual copied and pasted, proper under that hyperlink, I present a screenshot of the error message you’re going to get when you don’t take these steps, and clarify the best way to repair it.
  • So I feel, if I perceive accurately, the individual is sending me data and asking if I took the steps within the data I despatched to them.
  • I attempted to know why the individual was sending this. Did I replace the unsuitable area? Did I miss one thing? I reviewed all of it and I can’t see that I did something unsuitable. I went again and reviewed my directions, my doc, and repeated the steps in them.
  • I nonetheless can’t get the individual to reply whether or not they really went by way of and tried the steps I offered and bought this to work.
  • In the event that they wish to validate I added the DNS data accurately, they may ask for the area identify to see if I did one thing unsuitable or discover the DNS information in my logs (I presume the area I’m making an attempt to arrange is logged? I ought to examine that….) ****

**** Note: after going around in circles on this I decided I didn’t want to provide my domain name to this particular person because the person won’t answer simple questions about the documentation. I started thinking what someone could do with the information if I provide it and need to think through that a bit more. The thing is: I provided all the information to do exactly what I did on their own systems and with their own domains so they should not need my domains in the first place. Also, the person won’t answer the following questions which strikes me as a bit odd so I’ve asked to escalate this ticket: 1.) Have you followed my steps and successfully implemented what I’m trying to get working? 2.) What domain name out of the metadata do I need to put in the first text box when creating a remote IdP? 3.) Which domain from the metadata requires the DNS TXT records? 4.) Where should the logs be when this process fails and are there any logs with more detailed information? See more below on my thought process regarding external IdPs and SAML and potential risks I’m still thinking about at this point. ****

  • I requested for clarification and ready.


  • I requested earlier at this time to shut 4 tickets on Twitter. The individual on Twitter advised me to ask the engineers who personal the tickets. I responded that I already did. Please assist. The rationale I requested this was as a result of individuals maintain responding to tickets I requested to shut. How does this make sense?
  • I bought two responses to tickets I requested to shut at this time. The primary one was the “I used to be glad I may enable you to” kind response. OK high-quality. I haven’t responded to that response all day. It’s hours later. I simply bought an in depth abstract of every little thing that was mentioned and carried out within the ticket. I didn’t even learn it. Nonetheless, I’ve a query. Seeing as how the ticket is already resolved and I requested to shut it, is that basically needed? Couldn’t the individual be serving to different clients as a substitute who need assistance greater than I would like that abstract? (I don’t want the abstract it’s simply distracting and like I mentioned, I didn’t learn it, so what’s the purpose of rehashing your complete ticket?) I did look within the portal and it’s closed. Thanks.
  • Concerning my different ticket can’t discover any logs associated to the motion I’m taking to register an exterior IdP. I requested extra data in my assist ticket in case I’m simply lacking the data within the logs. It seems that it must be within the audit logs and could be regarding if actions like this are usually not logged:


Acquired up this a.m. 4 days after submitting preliminary tickets. No response on my IdP query as as to if my understanding of the DNS data is inaccurate or if there are any extra logs that would offer extra perception into the issue. The opposite ticket I submitted a day in the past: Somebody responded saying they’d be engaged on my ticket about 24 hours in the past. I responded asking if sure issues could be inflicting the issue. Immediately the portal says somebody up to date the ticket 2 hours in the past however there’s no new response within the portal.


A few days later I’m checking again in. To start with, wanted to get some work carried out. Secondly. Taxes. Bleh.

Now assist is telling me that “they” (whomever they is) can’t see the area I’m establishing for federation. Alright. We’re getting nearer to what I would like. Somebody is definitely taking a look at my particular configuration. Nonetheless, the explanation they will’t see the area is as a result of I can’t add it. That’s what the ticket is all about. I get an error message offered within the steps I requested assist to undergo to inform me what I’m doing unsuitable. I nonetheless don’t know if somebody took the steps I offered within the ticket. What I’m wondering is, why not look particularly at my configuration and account within the first place and inform me what’s unsuitable with it as a substitute of asking generic questions? That appears to be a part of the explanation that is dragging out. I offered the particular steps I took and if somebody duplicated these steps they need to get the identical error. I’m not getting a response as as to if these steps *ought to* work or if there’s a downside with the steps? However no less than lastly somebody is not only sending me hyperlinks to documentation I have already got or steps I’ve already taken however telling me what they should clear up the issue. They’re taking a look at what I’ve carried out and the steps I’ve taken. Hoping for a decision quickly and can maintain plugging away on it.

I’m going to cease this submit right here. I must get work carried out however hopefully in some way assist groups in every single place can take into consideration how you may make issues much less painful on your clients, as a result of personally I discover issues like this very painful. Azure is an effective cloud platform, and they don’t seem to be the one ones with this assist challenge.

This week finish I had somebody from AT&T principally yelling and speaking over me, repeating the identical factor in a condescending voice to the purpose the place I simply hung up. I most likely sounded a bit pissed off after I known as in a couple of $400 invoice the place I used to be charged incorrect quantities and needed to know the standing of the telephones I had shipped in. (I don’t suggest shopping for something on-line from AT&T go to a retailer.) I realized the best way to get round primary assist because of somebody on the AT&T retailer. That subsequent individual I bought in a resolution-oriented division (as a result of the corporate doesn’t wish to lose enterprise) calmly re-assured me that principally every little thing the final individual yelling at me was saying was unsuitable. The problems are usually not completely resolved however I’ve my fingers crossed that the cellphone that bought misplaced to me on the way in which to me will get processed accurately when it bought despatched again. I bought two telephones on just about the identical day after I known as and the assist individual submitted a case as a result of I had not acquired the unique cellphone for 2 weeks. Certainly one of them appeared prefer it had been opened. Now I’m hoping I don’t get charged for the cellphone I despatched again as a result of I’m sincere. I may have simply pretended it by no means confirmed up and would don’t have any danger of being charged for it.


I wasn’t going to jot down something extra right here however this response was an excessive amount of:

I understand there may be some confusion regarding the process that occurs when support tickets are filed.
You may find the linked documentation helpful.
Manage an Azure support request — Azure supportability | Microsoft Docs

One other condescending response. Right here’s my response:

Not useful. What could be useful could be if I may get the issues working that I’m submitting assist requests about.

I really feel like I’m shut after 5 days of forwards and backwards with Azure and one other vendor on fixing the principle factor I wish to get working, however I don’t assume both firm has really examined the steps I offered to inform me what I’m doing unsuitable. Simply maintain plugging away.

One other note is that the Azure support portal shows that tickets have been updated or modified when there’s actually no response or action showing in the portal. For example, a ticket I created 5 days ago and was resolved shortly after I opened it shows that it was updated in the last hour. I’ve received no messages (and don’t need any since it’s resolved and should be closed) and the case is still open. If anyone is looking at that last updated time in the portal, it seems to be inaccurate.


Properly, I’m nonetheless updating right here as a result of I needed to notice that I used to be testing out utilizing Azure Information Share in my class as a substitute of an alternate cloud service from one other present since I’m instructing an Azure class. Nonetheless, after I tried to make use of that service I set it up incorrectly in some way and I bought an error. I submitted a ticket asking the best way to repair the error. I by no means bought a response within the Azure portal on that ticket. I feel somebody might have responded in e-mail solely however as famous above I would love a document of the responses within the portal, and I’m getting so many emails for non-issues that I can’t maintain observe of what e-mail goes with what ticket. See the instance above the place 4 individuals responded to a ticket that was an azure bug that appears to have resolved itself. The responses got here after I requested to shut the ticket. Simply now I bought a prolonged three paragraph response on a ticket submitted 5 days in the past that additionally was a bug and I reported it to Azure and requested to shut the ticket. After the three paragraph response telling me the engineer was going to report the bug and shut the ticket, I bought one other e-mail from a assist supervisor on some ticket asking me how the engineer did. I don’t know which ticket that was for and I don’t have time to look it up. So again to Azure Information Retailer. I couldn’t get it working within the required timeframe and don’t have extra time to spend on it proper now. Additionally, after testing it out it requires manner too many steps for my easy use case. Different cloud companies for one thing like this are a lot easier relying on what you are attempting to do. Should you should retailer your information in a selected Azure information storage service and must share it, this service could also be your solely possibility. In my case, that’s not a requirement. 
I responded to the ticket after just a few days saying by no means thoughts, please shut the case.

So now I’ve one case that must be open.

That one case is the principle case I’ve been making an attempt to resolve all alongside. I feel I found out by reverse-engineering a query from an Azure assist individual that I put the DNS TXT information on the inaccurate area. I requested particularly which area through which textual content field in Azure ought to get the DNS TXT information. I additionally requested for clarification on what ought to go into one of many packing containers for area federation. In a previous request I requested for the place I can discover detailed logs that present extra data than “failed” which is principally what the error message I get within the Azure console says. I by no means bought a response on the error logs and ready to listen to again on the remainder as to what I’m doing unsuitable that’s inflicting Azure to report the error that doesn’t say something.

Within the meantime the opposite vendor is sending me hyperlinks unrelated to the issue I’m making an attempt to unravel. I’ve solely despatched them one or two questions so not calling them out right here. I’ve had repeated issues with Azure assist for years which is why I lastly wrote this weblog submit. I requested the opposite vendor which area I must put through which Azure textual content field to make this work. Possibly they’ve some logs or data that may assist me determine this out and get it working.

Now I wait…


The one who is at present assigned to my IdP ticket advised me yesterday the ticket could be escalated…

However on the similar time the individual once more requested for personal area identify and IdP data once more with a hyperlink to a folder to submit the data. I’ve repeatedly indicated that I don’t wish to present that data however that I would like generic solutions to my questions concerning the documentation.

My response: Please let me know when the ticket has been escalated.

This person seems intent on *not* answering my questions. The person keeps asking me for private information about my IdP and domains. I provided the detailed steps I took in order to avoid sending the specific details of my configuration. Anyone could follow those steps to reproduce the problem and see if they could get the same results. Anyone could tell me on step X you say to do Y but that’s wrong, you need to do Z. For some reason I don’t understand, this person doesn’t want to or can’t do that but they won’t come out and say it. They just keep trying to get my private IdP information.

That got me thinking about the risks associated with sharing the private information you use to set up an IdP between different cloud systems. What are the chances someone in Azure support could do something nefarious if they have the details of your IdP configuration? I have yet to fully evaluate this threat model.

I’ve been starting to look more closely at SAML configurations and security related to this. If someone in Azure support has the details about your IdP configuration (the metadata you provide to configure the IdP) could they then impersonate your IdP? Could they trick users into logging into the wrong IdP and capture authentication tokens along the way? Could the person set up an Azure IdP in their own account using your IdP information (similar but different than subdomain hijacking)?

Azure requires that the domain name you use in this type of federation is NOT in Azure as I documented in my steps that I sent over. That means that if you use this type of federation, there’s nothing to say that someone couldn’t take your metadata and set up this configuration in some other account. You must set up the appropriate DNS records on the associated domain. But is that information specific to only your account? I need to revisit that.
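What a SAML IdP metadata document discloses, as an added example that is not part of the original post: the sketch below inventories the entity ID, SSO endpoints, host names and the public signing certificate in a metadata file, and flags anything that should never be in it. The sample metadata, its URLs and its certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample input: not a real IdP, not a real certificate.
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {base64.b64encode(FAKE_CERT_DER).decode()}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of the certificate bytes, for out-of-band comparison."""
    return hashlib.sha256(der_bytes).hexdigest()


def inventory_idp_metadata(xml_text):
    """List what a SAML IdP metadata document tells whoever receives it."""
    # The stdlib parser is fine for your own file; use a hardened XML parser
    # for metadata received from another party.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")

    entity_id = root.get("entityID", "")
    idp = ".//md:IDPSSODescriptor"

    # Signing/encryption certificates: public keys only, by design.
    certs = []
    for kd in root.iterfind(f"{idp}/md:KeyDescriptor", NS):
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()))
            certs.append({
                "use": kd.get("use", "signing+encryption"),
                "sha256": cert_fingerprint(der),
            })

    # Where users are sent to authenticate.
    endpoints = [
        (svc.get("Binding", ""), svc.get("Location", ""))
        for svc in root.iterfind(f"{idp}/md:SingleSignOnService", NS)
    ]

    # Host names revealed by the entity ID and endpoints.
    urls = [entity_id] + [loc for _, loc in endpoints]
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})

    return {
        "entity_id": entity_id,
        "hosts": hosts,
        "certs": certs,
        "endpoints": endpoints,
        # Red flags: plain-HTTP endpoints, or private key material that was
        # pasted into the file by mistake.
        "insecure_endpoints": [
            loc for _, loc in endpoints if urlparse(loc).scheme != "https"
        ],
        "contains_private_key": "PRIVATE KEY" in xml_text,
    }


if __name__ == "__main__":
    for key, value in inventory_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Running this over your own metadata before attaching it to a ticket shows exactly which domain names, endpoints and certificate fingerprints the recipient will learn.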

Ready for somebody new to reply indicating the request has been escalated.


I began this ticket on April twelfth and it’s now April twenty ninth. To be sincere I haven’t been taking a look at it carefully because it all seems like a waste of time at this level. The individual I’m speaking to is just not answering my questions and appears decided to ask for data I don’t wish to present. I simply need generic solutions as a result of at this level I don’t belief the individual. I simply wish to get the ticket escalated.

Immediately I bought two responses neither of which had been from a brand new individual and neither of which escalated the case. I replied that I recognize the trouble however I don’t wish to present anymore data till the case is escalated.

I submitted three separate circumstances with particular person questions concerning the Azure documentation — not particular to my configuration or the error I bought on the Azure platform — to see if I can get solutions one other manner. I haven’t logged again in but to see if these bought answered. I’m very busy and that is all very time consuming.

Proper now…I must get some work carried out…

Oh wait. The individual simply responded and mentioned they didn’t say they’d escalate my ticket. I’m very confused.

I requested if the individual may please escalate my case as a result of we appear to be having communication points. I don’t really feel snug offering extra data at this level. Additionally, the query I requested at first was for somebody to observe the steps I did and reproduce the error message and inform me what I’m doing unsuitable in my steps. So far as I can inform, nobody has carried out that but.


Alright this was all so distracting that I ended the pressing matter I’m engaged on and logged into the Azure portal to see if my different questions bought answered. Simply curious. No excessive expectations, however hoping they bought routed to an individual that really needs to assist.

The primary one I checked out did and the reply was affordable and looks as if it must be appropriate:

Where should the logs show up in Azure when you create a new external IdP. The person tells me they’re supposed to show up in the audit logs. That’s what I understood from the documentation so that confirms one thing the other person absolutely refused to answer for some reason. Thanks.

But now the problem is, I can’t find any entries related to my action to add an external IdP using SAML federation. I could just be looking for it incorrectly or not know what to search on or what it looks like. Or there could be a bug related to the specific error message I get. I asked the person if they could send me a sample or tell me what to search on to see the entries related to the four steps I took to try to add a new IdP. (I provided those four steps when I submitted the ticket). Hopefully the person can send me a sample or answer this. Then I’ll repeat the steps and look again to see if it’s a bug or I’m missing something.

For the other two questions, which were distinctly different if the support people had bothered to open and read them, I got two responses which both said something to the effect of, “It looks like you submitted two duplicate tickets. Please confirm.” Clearly neither person (or the same person?) bothered to read the contents of the ticket. Even if they presumed it was a duplicate, why did you not answer at least one of what you incorrectly presumed to be a duplicate?? At least one of my questions would have been answered. What a waste of everyone’s time.

All that is why I by no means pay for Azure assist. However I responded hopefully in a civil method and avoiding the phrases going by way of my thoughts. I clarified that they had been two separate tickets with two totally different questions in every of them. Might you please reply my questions?

I used to be excited about alternate methods to resolve this downside and I needed to analysis another safety points anyway associated to this. I’m about to arrange my ADFS server and begin reverse engineering this complete course of myself so I can determine what’s going on. Asking assist is certainly not saving me any time. I’ve arrange ADFS servers up to now however hoped to keep away from the effort.


Based mostly on my experiences thus far I might not use Azure, personally, if I used to be a small enterprise getting began. AWS is rather more begin up pleasant, although have challenges with their assist as effectively generally. The factor is, after I wrote about it, they reached out to me to assist resolve the issue. In case you have a big firm with a devoted account supervisor hopefully you might be getting higher assist than this.

As a facet word, I simply had an interplay with Google Assist that was heavenly in comparison with all of this. To be truthful, it could have been an easier query, however nonetheless, it was far superior to this complete expertise. My solely downside with Google assist is that I can’t discover my ticket listing in Google Workspace, however that would simply be me. I did have challenges after I by chance registered a workspace by way of Google Domains. I can’t suggest that. Create your Workspace straight at Google. However I digress.

Replace Might 6

I had another issue in Azure that was actually resolved. The support person said it was a bug. There’s a mystical magical property on an Azure service which you can get to from the CLI but you cannot see in the portal. It’s also very interesting because you might think you have restricted private networking with an endpoint on this particular service but that can be overridden.

Anyway lastly somebody resolved the difficulty. I had already requested for the case to be shut. Now the supervisor is sending me emails concerning the case. REALLY? Is that this downside holding circumstances open due to Azure assist managers? Simply shut the case.

By the way in which I gave up on the preliminary challenge I submitted after I began this weblog submit for now. As you possibly can see it’s taking days of my life and I’m actually busy. The purpose is previous the place I might use it in a category. I’d choose it up once more or attempt to attain out on to individuals at Microsoft and Okta that I do know to resolve the issue as a substitute. I’m undecided but however proper now I’m too busy to consider it.


I had to submit another request today. I tried to create a VM in a subscription and the error is that the size is not available. The other issue is that I can’t create VMs at all according to the error message. When I click on the “See all sizes” list I randomly do or don’t get alternate sizes but I can’t choose any of them. It could be an access issue but if it is, those error messages are completely inaccurate and confusing, so I submitted a request to see what’s going on with screenshots so Azure can see what the experience looks like.

Since I was in there I replied to the open ticket the manager replied to and explained that I had figured out how to fix my issue myself (add my IP to a service firewall) but then that wasn’t working so I came back to re-open the ticket. That’s when the support person had responded with a bug and resolved the problem. All good. I didn’t want to respond and generate more emails. I had already asked to close the ticket so I assumed that would be the end of it. But, I explained the three bugs related to what I was trying to do to the manager including the fact that the documentation and Azure portal doesn’t have the public access option and asked to close it.

Just for kicks I checked out my original ticket on the IdP. FINALLY, FINALLY, FINALLY!!! I got a technical manager on the ticket who said they reproduced the error and confirmed it’s a bug. The ETA for the fix is 5/13/22.


Now I just need someone to answer a couple of questions related to putting in the proper IdP domain but I’m busy so I’ll come back to that later.

  • I discovered something recently with the help of students in a class which I missed for too long — but I never would have expected a cloud platform to work this way. Azure private IPs are not by default disallowed Internet traffic like they are on AWS and Google Cloud Platform. Azure creates a magical outbound IP address on private IPs that gives them outbound access to C2 hosts, oops I mean the Internet. It appears there is no way to turn it off but you can do things like add a NAT to your networking. OK so to block that you have to add a NAT and pay for it and then disallow all outbound Internet traffic to the NAT? Hopefully NSG rules apply so if you block all outbound traffic to a subnet or host it can’t reach out to the Internet. I haven’t tested that. There should be a way to turn that off.
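To make the NSG question above concrete, here is an added example (not code from the original post) that models how one NSG's outbound rules are ordered, lowest priority number first, and reports whether Internet egress is left open. The rule dictionaries follow the field names in `az network nsg show` output; the custom rule names and sample sets are constructed, and the model is an assumption-limited sketch: it covers a single NSG and ignores Allow rules aimed at specific public IP ranges or other service tags.

```python
# Added example: does this NSG leave outbound Internet access open?
# Azure evaluates rules in priority order and the first match wins.

def _rule(name, priority, access, dest, protocol="*", ports="*", source="*"):
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": access, "protocol": protocol, "sourceAddressPrefix": source,
            "destinationAddressPrefix": dest, "destinationPortRange": ports}

# Built-in outbound rules present on every NSG.
DEFAULT_OUTBOUND = [
    _rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", source="VirtualNetwork"),
    _rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    _rule("DenyAllOutBound", 65500, "Deny", "*"),
]

INTERNET = {"*", "internet", "0.0.0.0/0"}

def _values(rule, single, plural):
    """Merge the single-value and list forms Azure uses for the same field."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return {str(v).lower() for v in values}

def _targets_internet(rule):
    return bool(_values(rule, "destinationAddressPrefix",
                        "destinationAddressPrefixes") & INTERNET)

def _is_blanket(rule):
    """True when the rule matches every protocol, port and source."""
    return (str(rule.get("protocol")) == "*"
            and "*" in _values(rule, "destinationPortRange", "destinationPortRanges")
            and "*" in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))

def internet_egress(custom_rules):
    """Return (verdict, deciding_rule_name); verdict is 'allowed' or 'blocked'."""
    ordered = sorted(list(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r["priority"])
    for rule in ordered:
        if rule["direction"].lower() != "outbound" or not _targets_internet(rule):
            continue
        if rule["access"].lower() == "allow":
            return ("allowed", rule["name"])  # some Internet egress is permitted
        if _is_blanket(rule):
            return ("blocked", rule["name"])  # no lower-priority rule can re-open it
        # A narrow deny (one port or protocol) does not close egress; keep going.
    return ("blocked", "DenyAllOutBound")

# Constructed sample rule sets.
NO_CUSTOM_RULES = []
DENY_ALL_INTERNET = [_rule("deny-internet-out", 4000, "Deny", "Internet")]
DENY_ONLY_HTTPS = [_rule("deny-https-out", 200, "Deny", "Internet", "Tcp", "443")]
ALLOW_BEATS_DENY = [_rule("allow-https-out", 100, "Allow", "Internet", "Tcp", "443"),
                    _rule("deny-internet-out", 4000, "Deny", "Internet")]

if __name__ == "__main__":
    for label, rules in [("no custom rules", NO_CUSTOM_RULES),
                         ("blanket deny", DENY_ALL_INTERNET),
                         ("deny 443 only", DENY_ONLY_HTTPS),
                         ("allow above deny", ALLOW_BEATS_DENY)]:
        print(label, internet_egress(rules))
```

With no custom rules the deciding rule is the built-in AllowInternetOutBound, which is why an NSG that only restricts inbound traffic does nothing for egress.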

May 12, 2022

I submitted a support request on May 1st because I can’t create any VMs in a particular subscription. The person who answered the case told me to put in a limit increase request. However, when I looked at my Azure quota I should have had 10 of a number of types of VMs. I put in the limit increase again anyway according to the person’s instructions just in case it would help. I had to put in 11 because my existing quota was 10. I had only created one VM ever in this account up to that point because it’s a new account I created specifically for a class. That shows that I do have a quota of 10 already — unused — since I can’t put in a limit increase for less than 10 in the region I’m trying to create VMs in.

The person who responded to the quota increase couldn’t grant access to some of the types of VM images I requested as they are not usable with current hardware. Why are they in the list in that case???

The quota increase didn’t work. I can’t create VMs in almost any region.

Initially I thought it was a permission issue because I figured out I could create a VM with the global administrator in a particular account and region. However, a later test produced different results.

I asked people on Twitter if they were experiencing this problem and a lot of other people are so this isn’t just specific to my account.

I got an error message about a “low priority” request failure. I’m not requesting low priority VMs or spot VMs:

This is not a free account and I’m paying $100/month for support which so far has cost me a lot of time and usually I resolved the issue myself. In the other cases they were mostly bugs except I think one.

I let the person who increased the quota and the person who responded on the case where I said I couldn’t create VMs know that a limit increase is not fixing the problem. I submitted the error message I get.

The person working on the quota didn’t respond. That person responded initially that they’re overloaded with requests. I wonder if that’s because something is broken in relation to quotas and limit increase requests.

The person to whom I submitted the original case is requesting a phone call — Again Azure support??? If I wanted a phone call I would have put that on the ticket. Additionally, why is it that this person needs a phone call in the first place? This is a simple request:

I want to create a VM in region X with user Y.

I provided access to diagnostic logs.

I provided a copy of the error message when I create a VM. Why is this person asking for a phone call instead of looking in the logs to resolve the problem? What more information could possibly be required to solve this problem on the Azure side? Maybe there is something but I’m too busy right now and honestly not in the mood for a phone call with Azure support.

I will now methodically go through my account and see if I can create a VM anywhere. I noticed that when I tried to create a VM in AUSTRALIA I had access to do so, whereas a bunch of other regions in the US say my subscription is not allowed to create VMs in those regions. I never asked for access in Australia.

I’m also going to methodically test which users and VMs are allowed to create a VM and what permissions may be lacking. This seems like something that would be easy enough for Azure support to do — especially given that this is happening to others, not just me.

Time for a deep dive into the logs and configuration….

By the way, I also checked on the two tickets where I submitted questions about an IdP configuration on April 25th yesterday and no one had responded to those questions yet. Don’t have time to look at those right now.


Update with screenshots. Troubleshooting…

It used to be that you could open an Azure account and create a VM with the global administrator account. I don’t really recommend that but it used to work. Maybe something changed. But here’s what happens when I try that:

As you can see below there are no available sizes. This is also what I see when I chose other types of VMs.

This is what I see when I click “all sizes.”

Now expand the list:

I’m in US East 1. I tried a different availability zone and it didn’t work either. Next I switched to East US 2 on this VM creation screen. This seems like a bug. There’s no pricing and the error message references East US instead of East US 2:

Let’s go back and start over since switching regions on this screen seems to have a bug.

Let’s choose a Windows VM — same thing:

With this Windows VM option East US produces the same result but interestingly East US 2 produces a different result when you click to see all the size options. The E-Series is in a separate category. It seems to be selectable (and is expensive). Choosing this option seems to pass validation. Checking to see if it works.

I’ve already provided feedback multiple times and through support cases. Not sure this is working.

Nope. Although the VM passed validation here’s the error message (which is different than the one I saw previously about low priority):

Can’t create a VM in South Central US, apparently.

Oh wait…I got an error above that I couldn’t create that VM with the E-series size. I clicked the delete button on that page when I got the error just to clean up anything which may have been partially deleted. However, when I got to create a new VM I see that it appears in my list of VMs. No error message appears here.

However, when you click on the VM you see an error message:

Apparently the VM failed, but the following resources were still created and hanging around in my account:

That’s problematic. First, I’d be billed for them if I didn’t realize they were there. A network interface is hanging around for someone to attach to something else and also a public IP address. I’m going to force-delete these.
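One way to catch leftovers like these before they are forgotten, as an added example that is not part of the original post: the function takes the JSON produced by `az network nic list` and `az network public-ip list` and flags network interfaces with no VM plus public IPs that are bound to nothing or only to such an interface. The subscription ID is a placeholder and all resource names and sample records are constructed.

```python
# Added example: find NICs and public IPs left behind by a failed VM deployment.

def find_leftovers(nics, public_ips):
    """Return (orphan_nic_ids, dangling_public_ip_ids)."""
    orphan_nics = [
        nic["id"] for nic in nics
        # No VM attached; NICs owned by a private endpoint never have one.
        if not nic.get("virtualMachine") and not nic.get("privateEndpoint")
    ]
    # Azure resource IDs are case-insensitive, so compare in lower case.
    orphan_prefixes = tuple(n.lower() + "/ipconfigurations/" for n in orphan_nics)
    dangling_ips = []
    for pip in public_ips:
        if pip.get("natGateway"):
            continue  # in use by a NAT gateway, which leaves ipConfiguration empty
        attached_to = ((pip.get("ipConfiguration") or {}).get("id") or "").lower()
        # Dangling if bound to nothing, or bound only to a NIC that has no VM.
        if not attached_to or attached_to.startswith(orphan_prefixes):
            dangling_ips.append(pip["id"])
    return orphan_nics, dangling_ips

# Constructed sample data; the subscription ID is a placeholder.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-demo/providers/Microsoft.Network")
VM_OK = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-ok")

SAMPLE_NICS = [
    {"id": BASE + "/networkInterfaces/vm-failed-nic", "virtualMachine": None},
    {"id": BASE + "/networkInterfaces/vm-ok-nic", "virtualMachine": {"id": VM_OK}},
]
SAMPLE_PUBLIC_IPS = [
    {"id": BASE + "/publicIPAddresses/vm-failed-ip", "ipConfiguration":
        {"id": BASE + "/networkInterfaces/vm-failed-nic/ipConfigurations/ipconfig1"}},
    {"id": BASE + "/publicIPAddresses/vm-ok-ip", "ipConfiguration":
        {"id": BASE + "/networkInterfaces/vm-ok-nic/ipConfigurations/ipconfig1"}},
    {"id": BASE + "/publicIPAddresses/unused-ip", "ipConfiguration": None},
    {"id": BASE + "/publicIPAddresses/nat-ip", "ipConfiguration": None,
     "natGateway": {"id": BASE + "/natGateways/nat1"}},
]

if __name__ == "__main__":
    nic_ids, ip_ids = find_leftovers(SAMPLE_NICS, SAMPLE_PUBLIC_IPS)
    print("orphan NICs:", nic_ids)
    print("dangling public IPs:", ip_ids)
```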

I get an interesting error message when I *delete* resources?

So Azure doesn’t have capacity to delete resources??

It worked after two more attempts and refresh after each attempt.

It appears that my subscription also can’t create resources in West US 3.

Did I put some restriction on this account? I don’t recall doing that. I’m going to teach about Azure governance but I don’t believe I applied any such restrictions up to this point that I remember.

OK interesting. Australia Southeast is OK. If I had put restrictions on this I don’t remember at the moment, this region wouldn’t be working as I have no reason to allow this region. So that’s odd.

It also appears that I can select various resources in this region.

Let’s give it a try. Why not. I’ve been to Australia. I love it there!

Azure tends to default to expensive sizes. I’m going to choose the least expensive one.

Oh, also interesting. I couldn’t launch this VM until I put in a phone number. I didn’t put in a real one as I do NOT want someone vishing or trying to get at my phone number used for authenticating to a lot of different things.

Well, that seems to work. I can create VMs in Australia. That’s fine. I guess it’s better than nothing.

Went to submit this information in a new support request since I’m in a different tenant and subscription for this test. Here’s what it says. This is completely not helpful because this hasn’t worked for almost two weeks now. Additionally, customers don’t want to have to guess by trial and error like I’m doing above to figure out where they can create a VM. Additionally, VMs are not available in almost every US region??? Either Azure has a serious capacity issue or some kind of bug related to quotas and VM availability.

I submitted a new case with a document and all these screenshots attached to it. I requested that this problem be escalated as it seems like some kind of bug. Does Azure really not have capacity in the entire United States to the point where I have to create a VM in Australia?? Seems like something is wrong here.

I also once again requested EMAIL support, with responses in the portal only. Hopefully, the Azure support engineer that gets this request will honor that preference and the escalation request. Hopefully they will look at the attachment. As with all my other requests I provided access to diagnostic logs as this is a test account. It doesn’t seem like anyone is actually looking at those diagnostic logs as far as I can tell. The suggested response in the initial case to increase quota was not aligned with the error messages, the quota allocated to my account, and the number of virtual machines I have created so far.

There’s another minor issue with the above screen. When you change from priority C to priority B you have to re-enter your preferred contact method and business hours. It’s not a big deal but mildly irritating that it can’t just save those settings.

For the sake of completeness, I’ve been getting different error messages for the same issue. In the past I got this quota error even though the limits in my account showed that I had available capacity. This has to do with “LowPriorityCores” quota but I was not choosing a low priority option.

The error message I got today is completely different when choosing the same options so it seems like there’s some kind of bug in all of this (or 6).

Also, I searched on my quota in East US and East US 2 for the BS instance size for example:

Unless I’m looking at it wrong I should be able to create ten of those in East US 2. I haven’t been able to create one, ever. It’s not just a “capacity at the moment” thing. It seems like the support engineer that told me to put in a request to increase my quota didn’t even check to see if that was actually the problem. That may be why the team that is handling quota increases is severely overloaded at the moment per their message back to me. Other support staff are not verifying that a limited quota is the issue by looking at the settings in the customer account or error messages; they are assuming that’s the problem and telling people to submit limit increase requests. These requests create more work for the quota increase team without actually fixing the problem.

Update May 13, 2022

Last night, I also continued to investigate the issue in my account that’s preventing creating a VM in any US region with AZs. At some point, I realized that I couldn’t create a VM with AZs in the Australian region above where I took a screenshot. The VM that worked didn’t include AZs. I started to think maybe I can only create a VM with no AZs. However, I went on to create a VM with AZs in another Australian region with the latest Microsoft VM image. I presume the latest version of Microsoft datacenter works with AZs? I’m digging around for any documentation that tells me limitations that may be preventing me from doing this.

After interacting with Azure support on Twitter, they said they found the ticket and were going to do something about it. They didn’t. When I logged into my account this a.m. here’s what I found:

  1. The case where I requested escalation — I provided the screenshots above that show exactly what’s failing in an attachment. Once again the person simply asks me what I’m trying to do. *sigh*
  2. The case where I initially reported the error messages on the VM creation screen ….no response.
  3. The case where I asked for an increased quota request and reiterated that after increasing the quota I still can’t create a VM: The person asked me what quota and regions I want to use. *sigh* The person did say this which is interesting:

“There are particular restrictions on a number of Azure subscriptions and due to that you may not be able to create VM in the requested region.”

OK so I create a new Azure account, I’m located near the East US regions so Azure defaults to that. I can’t create a single VM of any type or size in that region in the default tenant and subscription. I asked for clarification as to exactly what the problem is in this case. On Twitter the Azure support team says this isn’t documented. Hoping to get more information from my Azure support case where I requested an explanation.

So for now I replied to two tickets asking for the following:

The ability to create any Linux or Windows VMs with AZs in East US, East US2, West US2 in any B series or D series size.

I mean, I just want to create one VM.

We’ll see what happens.

Meanwhile…I searched around for others who might be experiencing the same issues. Seems to be a bigger problem in Europe:

I found this page on allocation issues on Azure.

Interesting that they refer to StackOverflow prior to Azure support:

One thing that I’m trying to figure out when looking in the Azure portal is which are the latest/best VM sizes to use. I’ve tried many different types of VMs and a lot of them don’t work. Also, it seems like some of the cheaper options are being deprecated. The article above explains which VMs not to use but really this should be obvious when choosing a size in the portal.

Additionally, as shown in the screenshots above — I can’t choose *any* size in US regions even though I have quota for all of them.

Other examples of people having similar issues on various forums:


Creating a VM in an availability set works. It doesn’t work with the availability zone option. That’s one way to work around the VM problem. Well, almost. It let me select from various machine sizes. But it still fails. And…the diagnose blade fails as well.

Self-diagnostics…no issues.

Oh. Just wait a few minutes and then it seems to be OK. Incorrect error messages.


That’s it for now. Back to trying to test new features in preview and prepare for an Azure class! I go through the struggles of figuring new things out so my students and customers don’t have to. =)

Teri Radichel — Follow me @teriradichel

© 2nd Sight Lab 2022


Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts


