Azure pros share their latest insights on scanning container images, shifting VM snapshots between regions, Azure AD and Jitsi video meeting software.
Scanning container images with Azure Security Center
Richard Hooper, writing on Pixel Robots, launched the month of April by detailing how to scan Container Registry container images with Azure Security Center, an important step in assessing potential vulnerabilities. After an image is pushed to the registry, a webhook can inform Security Center to launch a vulnerability scan using Qualys, which currently applies only to Linux containers. Hooper demonstrated how to navigate to Security Center in the Azure portal, access Policy & Compliance and disable all plans other than Container Registry. He wrote:
As you probably know Azure Security Centre can cost a bit, but luckily you can pick and choose the bits you would like to move to the standard tier…At the moment this only works on a push of an image. I would like to see it scanning on a schedule as I am sure you're aware vulnerabilities can crop up at any time. But until then this along with scanning on container image build…should help keep you secure.
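The portal steps Hooper describes (moving only the Container Registry plan to the Standard tier) can also be scripted with the Az.Security module. The following is an added example, not code from Hooper's post; it reports the current tier of every Security Center plan and upgrades only the Container Registry plan, leaving the others untouched so nothing already paid for is silently downgraded. It assumes an Az PowerShell session already signed in to the subscription you want to change.

```powershell
# Added example: opt only the Container Registry plan into the Standard tier.
# Assumes Connect-AzAccount has been run and the right subscription is selected.
$PlanToEnable = 'ContainerRegistry'

# Show what is enabled today so the change is auditable
Get-AzSecurityPricing |
    Select-Object Name, PricingTier |
    Format-Table -AutoSize

$current = Get-AzSecurityPricing | Where-Object { $_.Name -eq $PlanToEnable }

if ($null -eq $current) {
    throw "Plan '$PlanToEnable' not found in this subscription"
}

if ($current.PricingTier -ne 'Standard') {
    # Only this plan is moved to Standard; other plans keep their current tier
    Set-AzSecurityPricing -Name $PlanToEnable -PricingTier 'Standard' | Out-Null
    Write-Host "Moved '$PlanToEnable' to the Standard tier"
} else {
    Write-Host "'$PlanToEnable' is already on the Standard tier"
}

# Confirm the result
Get-AzSecurityPricing | Where-Object { $_.Name -eq $PlanToEnable } |
    Select-Object Name, PricingTier
```

Run it once with `-WhatIf` appended to the `Set-AzSecurityPricing` call to preview the change before applying it; the listing step is worth keeping in any automation so the tier of each plan is recorded alongside the change.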
Copying VM snapshots between regions with PowerShell
Thomas Thornton recently detailed how to create VM snapshots of disks to do a restore in Azure with PowerShell, and expanded on the theme by looking at how to copy VM snapshots to a different region for enhanced disaster recovery. In his example he wanted to migrate the snapshots from the North Europe region to West Europe as a VHD. He shared a sample PowerShell script that overwrites a pre-existing file, for improved disaster recovery. The $snapshots variable holds the snapshots created within a 12-hour window, in case several were generated.
Users need to be on the lookout for the “pending” status, which indicates the VHD is still being copied. Thornton created basic logic for naming the Managed Disks in West Europe.
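The procedure above, written out as an added example rather than Thornton's own script: it selects snapshots created in the last 12 hours, grants a short-lived read SAS on each one, copies it as a VHD into a storage account in West Europe (overwriting any earlier copy of the same name), waits while the copy status is still Pending, and then creates a Managed Disk from the VHD with a simple region-suffix naming rule. Resource group names, the storage account and the container are assumed placeholders; the snapshots are assumed to be managed-disk snapshots in North Europe.

```powershell
# Added example (not Thornton's script): copy recent snapshots from North Europe
# to West Europe as VHDs and rebuild them as Managed Disks there.
# Assumptions: resource group, storage account and container names below are placeholders,
# and an Az PowerShell session is already connected to the subscription.
$SourceRg        = 'rg-snapshots-northeurope'   # assumption
$TargetRg        = 'rg-disks-westeurope'        # assumption
$TargetStorage   = 'stdrwesteurope'             # assumption: existing account in West Europe
$TargetContainer = 'vhds'                       # assumption: existing blob container
$TargetLocation  = 'westeurope'

# Snapshots created within the last 12 hours, in case several exist
$snapshots = Get-AzSnapshot -ResourceGroupName $SourceRg |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-12) }

$targetAccount = Get-AzStorageAccount -ResourceGroupName $TargetRg -Name $TargetStorage
$targetCtx     = $targetAccount.Context

foreach ($snap in $snapshots) {
    # Read-only SAS on the snapshot, valid for one hour, revoked after the copy
    $sas = Grant-AzSnapshotAccess -ResourceGroupName $SourceRg -SnapshotName $snap.Name `
               -DurationInSecond 3600 -Access Read

    $blobName = "$($snap.Name).vhd"

    # -Force overwrites a pre-existing VHD of the same name in the target container
    Start-AzStorageBlobCopy -AbsoluteUri $sas.AccessSAS -DestContainer $TargetContainer `
        -DestBlob $blobName -DestContext $targetCtx -Force | Out-Null

    # The copy is asynchronous: poll until the status leaves "Pending"
    do {
        Start-Sleep -Seconds 30
        $state = Get-AzStorageBlobCopyState -Container $TargetContainer -Blob $blobName -Context $targetCtx
        Write-Host "$blobName : $($state.Status) ($($state.BytesCopied)/$($state.TotalBytes) bytes)"
    } while ($state.Status -eq 'Pending')

    Revoke-AzSnapshotAccess -ResourceGroupName $SourceRg -SnapshotName $snap.Name | Out-Null

    if ($state.Status -ne 'Success') {
        throw "Copy of $blobName ended with status $($state.Status)"
    }

    # Basic naming rule for the Managed Disk in West Europe: snapshot name plus region suffix
    $diskName = "$($snap.Name)-westeurope"
    $vhdUri   = "https://$TargetStorage.blob.core.windows.net/$TargetContainer/$blobName"

    $diskConfig = New-AzDiskConfig -Location $TargetLocation -CreateOption Import `
                      -StorageAccountId $targetAccount.Id -SourceUri $vhdUri
    New-AzDisk -ResourceGroupName $TargetRg -DiskName $diskName -Disk $diskConfig | Out-Null
    Write-Host "Created Managed Disk $diskName in $TargetLocation"
}
```

The SAS is granted for only as long as the copy needs and revoked immediately afterwards, so the snapshot is not left readable by anyone holding the URL; the status check is what keeps a disk from being created from a VHD whose copy is still in progress or has failed.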
Diagnosing a common Azure AD error
Microsoft MVP Sander Berkouwer, writing on The Things That Are Better Left Unspoken, explained the AADSTS50052 error that crops up for some users when signing into Azure AD. The alert usually comes with a brief description, “InvalidPasswordExceedsMaxLength,” and blocks users from logging in. He wrote:
The error occurs because you are trying to sign in with an account that has a password of over 256 characters. This limit on passwords is in effect in Azure AD since March 13th, 2020, at 10AM PST (18:00 UTC)… For a synchronized account, sign into the on-premises identity platform and reset the password or have the password reset in the on-premises identity platform to a password that is configured with 256 characters or less.
By contrast, for Azure accounts, users can reset the password with the self-service password reset (SSPR) functionality, or an admin can do so by signing in with an SSPR- or FIDO2 key-enabled admin account.
New developments in Azure AD
Also on The Things That Are Better Left Unspoken, Berkouwer gave an overview of new developments in Azure AD in March. Government users were granted B2B collaboration features, together with a Monitor integration for Azure Logs and Identity Protection. Berkouwer identified a variety of other changes, including sign-in logs available for free tenants through the Azure portal, the 256-character password limit, SSPR changes in China and the deprecation of directory-wide groups.
Although many of the changes touched Azure Government, Berkouwer pointed out that Azure AD’s app provisioning has expanded to permit downloading and storing provisioning configurations in JSON files.