Manage your Azure Hybrid Cloud modern infrastructures with Microsoft Admin Center and Azure AD


Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Share on RedditEmail this to someone
Share Button

Are you already running Workloads in the Azure Cloud? I think that almost everyone in IT nowadays uses Cloud in some other way, whether it’s Office 365, Azure Site Recovery, Azure Compute (IaaS) or when you’re just at the beginning at the drawing table –  designing phase. Microsoft Azure is dominating in the number of services, and the Q1, 2018 statistics saying that as well.

Microsoft released Admin Center not so long ago, which was formerly going by the name of Project Honolulu. My personal opinion, after my first hands-on experience with Admin Center is really good, this is a big step forward to Modern Management in a Hybrid Cloud scenario. So I started writing this article and share it with the Microsoft Community!

Microsoft just released a new Preview 1808 of Admin Center – see below the Tweet of Jeff Woolsey – Principal Program Manager, Windows Server/Hybrid Cloud at Microsoft. I’m using this latest version in this blog.

Admin Center is, in my opinion, the revolution of how we IT Admins going to manage our Cloud and on-premises workloads in a Hybrid Cloud perspective. We probably all grown up – and (I guess?) still using Microsoft Management Console (MMC) in our daily work. Just for the simple reason – there isn’t a replacement – or better solution yet… That’s is going to change soon, there is a new kid in town with lots of more benefits compared to MMC, and it’s aligning much better with the different Azure Cloud Services and upcoming server 2019 workloads as well!

One significant key improvement of Admin Center Console – it’s entirely HTML5 – web-based. Yes, you hear me correct! Luckily, no Silverlight involved here… think about all the advantages; all the management can take place through from a browser perspective, and won’t require a direct Remote Desktop or MMC “connect to another computer” session anymore to fulfill your management tasks – all combined in one unified pane of glass portal.

One interesting thing to share is that Admin Center doesn’t work on Internet Explorer. Microsoft currently advises Edge (or Google Chrome) for Admin Center.

When you expose applications or web portals to the public internet world in an HA – load balanced manner, always place an Azure Load Balancer, Application Proxy or Azure Traffic Manager – or a combination of both between the Admin Center Virtual Machines and the internet. The Network Security Group on the network interface of the Admin Center server need to have at least HTTPS as open port HTTP as well when u use the new redirection function), therefore know that Admin Center is fully prepared for Azure AD integration, with for instance Azure MFA + Conditional Access – you’re safe and secure in exposing the Admin Center console to the internet.

Microsoft is investing a lot of time in the improvements of Admin Center – and I expect a big bang in new features for Admin Center during the Microsoft Ignite event in September – where Microsoft (hopefully) also releases Server 2019.  This new Server OS will have even more integrations and extensions for different Azure and On-Premises services. Looking forward to it, I’ll be there – do I see you there?

See below how the setup of this article looks like in a more architectural picture.

In this article, I’ll share my insights on Microsoft Admin Center (1808). Show you some of the benefits, and I’ll walk you through the complete installation and configuration process on how you implement Admin Center!

Enjoy reading!

Table of Contents

Click on the title to forward to the subject of content:

Did you know?

  • Windows Admin Center Preview 1808 includes a new Apps & Features tool – Apps & Features is a new extension that allows Administrators to remotely manage the components that are installed on their Windows deployments.
  • Admin Center is not supported for Internet Explorer – Microsoft advice the use of Edge or Google Chrome!
  • It’s a completely browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs.
  • Admin Center Preview 1808 makes it possible to redirect from port 80 to 443 during the installation.
  • You can deploy Windows Admin Center in a failover cluster to provide high availability for your Windows Admin Center gateway service. The solution provided is an active-passive solution, where only one instance of Windows Admin Center is active. If one of the nodes in the cluster fails, Windows Admin Center gracefully fails over to another node, letting you continue managing the servers in your environment seamlessly.
  • Admin Center now supports Azure Update Management integration from the Server Connect menu
  • It comes at no additional cost beyond Windows and is ready to use in production.
  • Admin Center is currently only supported for Windows 10 (1709) and Windows Server 2016
  • It can be installed on Windows Server with Desktop Experience as well as on the Core version
  • Windows Admin Center requires PowerShell features that are not included by default in Windows Server 2012 and 2012 R2. To manage Windows Server 2012 or 2012 R2 with Windows Admin Center, you will need to install WMF version 5.1 or higher on those servers.
  • The interaction between server takes place over PowerShell and WMI over WinRM and will be transferred to different IT Administration over a secure SSL connection
  • Windows Admin Center is the official product name for “Project Honolulu” and reinforces the vision of an integrated experience for IT admins across a breadth of core administrative and management scenarios.
  • Windows Admin Center does not require internet access and does not require Microsoft Azure.

Dashboard Overview screen

See below the standard landing page when you open the Server Manager option for a specific Virtual Machine. The standard CPU, RAM, Network and Disk utilization metrics can be found here as well as resources and power management options. Very useful, but one thing that’s annoying is are all the different frames. The frames are not aligning with the size/resolution of your screen, and cause much more scrolling then needed.

Azure AD integration

This feature is critical when you are already running workloads in Azure, or use Azure AD Connect already. You will need first to register your Windows Admin Center gateway with Azure. You only need to do this once for your Windows Admin Center gateway – the setting is preserved when you update your portal to a newer version.

Another very cool thing is that you can use Conditional Access on the Azure AD authentication level to provide secure access to the Admin Center portal – think about a public scenario – where the gateway is exposed to the internet? You want to have Azure MFA sec. authentication in place, and probably don’t want to require MFA internally? Conditional Access makes that all possible. Very cool/awesome, right?

I’ll describe all the steps of doing this later on in this article! 

 

Azure Site Recovery Hyper-V support for Azure Virtual Machines

You can now instantly protect your Hyper-V Virtual Machines from Windows Admin Center with Azure Site Recovery. The latest new version build gives you a suggestion for the usage of Azure Site Recovery as well as Update Management and Storage Migration. A very cool enhancement! When your Admin Center resides outside Azure – You’ll need an Azure Site-to-Site or ExpressRoute connection with your Azure vNet to manage Virtual Machines directly. Another approach is to assign Public IPs to every single Virtual Machine and open the WinRM 5986 port on the NSG (including IP filter) and local firewall. Or you can create a so-called, WAC Gateway VM to provide the connection as well. Check this article for more technical information.

Note: The Virtual Machine and Virtual Switches integration currently only works for Hyper-V server enrolments.

Azure Update Management support for Admin Center

Admin Center supports Azure Update Management. Update Management is, in a nutshell, the Cloud version of what Windows Update Services (WSUS) was on-premises.  

To activate the Azure Update integration – just open the Server Connection screen in Admin Center. If you aren’t using Azure Update Management yet, please check out this article to get started.

Note: Version Admin Center Preview 1807 or higher is required for the usage of Update Management, and (obviously) requires a gateway connection to your Azure tenant subscription.

Remote Desktop integration

Say bye to Remote Desktop Management software! Admin Center has it all integrated for free! To use Remote Desktop within Windows Admin Center, you will need to enable Remote Desktop on your Windows Server 2008 R2 server. The frame inside the Admin Center console allows you to manage your Server with Desktop Experience activates!

Note: Are you a Remote Desktops Services – RDS Administrators? RDS now supports HTML and integration with Admin Center as well. Please check out this TechNet article for more info!

Extension Manager

The Windows Admin Center SDK is available in public preview. As a platform, growing our ecosystem and enabling partner extensibility has been a critical priority since the beginning. We’ve been working with early-adopter partners to refine the extension development experience of our SDK.

My honest hope is that different vendors, such as Citrix, VMware, Nutanix, and likely others will create customer extensions soon to make the Admin Center more unified and simplified in switching to other consoles for gathering additional information.

Let’s Microsoft and others create one Unified Console to rule them all! 

Azure Mobile App

Nothing directly particular to Admin Center, furthermore positively related to management. Microsoft releases a cool Azure Mobile App for Android and iOS where you efficiently can manage your Azure Infrastructure-As-a-Service environment as a snap. Think about scenario’s when you’re on the road and need to change or reboot a Virtual Machine – you can do this all directly from your mobile device – any place, anywhere any time!

Deploy an Azure Virtual Machine for Admin Center

For this article, I’ll deploy the Admin Center in Azure Infrastructure-As-a-Service. Of course, you can follow the same steps from the – Download the Admin Center software – section for your on-premises environment as well!

Choose for Windows Server 2016 Datacenter

Click on Create

Fill in the required information and click Ok 

Extra: Use the HUB program to same resource costs if you have an Enterprise Agreement and Software assurance with Microsoft on Server OS.

 

Choose for a VM size

 

Configure the settings of the Virtual Machine and assign the right Virtual Network.

Click Ok

Note: A public IP is not needed for my customer case, as I’m not exposing my Web Console over the internet directly, but choose to do this over an Azure Load Balancing configuration – whenever you haven’t got a Site-to-Site VPN or ExpressRoute, you’ll need to assign a Public IP and open RDP to provide the Remote Desktop connection for the installation 

Check the summary

 Click on Create

 

Setup a Remote Desktop Connection to the Virtual Machine and join the machine to the domain.

Request an internal or external SSL certificate

We now need to request an SSL certificate for our Admin Center web portal. I’ll use my own Active Directory Root CA for this purpose – but you can use a Public Certificate Authority, such as GoDaddy as well.

 Create a DNS A record for Admin Center

 point it to the internal IP Address of the Admin Center server

 Request the Web Server Certificate – based on the DNS record

RootCA Web Server SSL Enrolment finished

Or upload the certificate to the Local Computer Certificate Store.

Open the Certificate Properties and Copy the Thumbprint which we need to use in the next steps.

Continue with the installation steps

Download and install Microsoft Admin Center

Windows Admin Center Preview 1808 can directly be downloaded from the Windows Server Insider Preview download page, under the Additional Downloads dropdown. If you have not yet registered as an Insider, see Getting Started with Windows Server on the Windows Insiders for Business portal.

Start the installation by opening the MSI

Choose how you want to update Admin Center

Click Next

Make sure the first option is checked (default)

Click Next

Paste the Thumbprint of your SSL certificate in the second – use an SSL certificate installed on this computer – section.

Click on Install

Note: Remove the spaces from the Certificate properties copy-paste action

Check out this cool new HTTP > HTTPS redirection option as well – you’ll need to expose port 80 as well when you publish Admin Center to the public internet.

The installation is started, this can take up to 3 – 5 minutes…

The installation is finished

Open the Admin Center Web Page 

Open the shortcut on the Admin Center server – or just open an Edge or Google Chrome Internet Browser in the same network and open put in the DNS name. For example https://admincenter.infrashare.net

Note: Admin Center is not supported for Internet Explorer – Microsoft advice the use of Edge Google Chrome is having problems as well! Chrome has a bug regarding the websockets protocol and NTLM authentication.

Skip the Tour

We are now in the landing Windows Admin Center screen where we can find all the active server connections – obviously, only the Admin Center server is listed, and we now need to add our servers to the management portal!

Add the Servers as Connections

Click on Add to add additional servers

Enter the FQDN of your Servers

Make sure that the Server(s) are listed

Note: You can use an service account for this purpose as well. Please make sure that the service account has at least Local Administrator right to that specific Virtual Machine!

Add the extra servers you want to manage as well and add to Admin Center

Manage the Server in Admin Center

Click on Connect to open the Management of the Server

You’ll see the first Overview landing page – where you’ll find all the default performance metrics and power management as well.

On the left side of the screen – you’ll see all the default management tasks that can be performed by default for Windows Operating Servers in your environment.

 

Remote PowerShell Access

One of the other cool integrations are the PowerShell box that pops-out from the menu to use as Remote PowerShell console servers. Very handy and easy for different use cases, such as Core servers or any other Security or Delegation reasons.

Roles & Features

Install and Remove Roles and Features easily from the menu as well.

Activate Gateway Access for Microsoft Azure and Azure AD

So what about external access and Azure? You’ll need to activate Gateway Access to set up the connection with your Azure tenant and Azure AD subscription. I’ll explain all the technical steps in this section…

Note: The previous versions of Admin Center was a pain in the *** when talking about activating Azure AD. This is all history and they simplified the setup in a very positive way!

Open the Settings menu and go to Access

Set Azure Active Directory to Yes

Click on Register

Copy the Code and click on Device Login

Paste the code in the text field

Click on Continue

Logon with your Azure AD Global Administrator account

The connection has been made successful – close the screen…

Switch back to the Admin Center Portal and select your Azure AD tenant

Click on Register

Almost Done.

Go to the Azure Portal

Open the Azure AD Application and go to settings > Required permissions and set the Grant Permissions to Yes

Click on the new WAC App Registration

Click on Required Permissions

Click on Grant permissions

Click on Yes

 

Open the Users and Groups tab, select Add user, and then assign a role to each user or group you add which require to have access to Admin Center.

We’re now done with the Azure AD Application registration process. In the Admin Center console – Gateway Access must now stand on Azure Active Directory!

When you now enter your Admin Center URL again in Edge – you’ll be redirected to the Azure AD authentication portal.

Activate Azure AD Multi-Factor Authentication (MFA)

Note: You’ll need to have Azure AD Premium – Enterprise E5 + Security or lossless Azure MFA license activated and assigned to your users before you can continue with these steps!

Go to the Azure AD menu in the Azure portal

Go to Users

Go to Multi-Factor Authentication

Enable the MFA setting for your Administrators

Click on – Enable multi-factor auth

Your Administrators will now require to setup a Mobile Device App, Phone Number or SMS Code the first time they require access to the Admin Center Portal.

Note: If this is the first time, they’re asked to choose which kind of secondary auth. the method they want to use as MFA.

Configure Azure AD Conditional Access – MFA IP Whitelisting

As mentioned at the beginning of this article, Conditional Access can increase your authentication to Azure AD authenticated applications massive, such as Windows Admin Center now supports.

You can provide access to Admin Center based on different conditions, such as Client IP, Antivirus, Location, User and Groups and more.

Note: Conditional Access required an Azure AD Premium license or Enterprise Mobility E5 + Security for every user. You can request and use the trial version as well for this article.

See below an example of the Condition based on Device Platform

Open the Azure AD menu in the Azure portal

Click on Conditional Access followed by Named Locations

 

Click on Configure MFA trusted IPs

 Add all the external IPs that you want to whitelist from the Azure MFA requirement when using Admin Center.

MFA is now no longer required within your network!

Looking for more in-depth configuration stuff around Azure AD and Conditional Access? I highly recommend reading the blogs of fellow Microsoft MVP – Per Larsen!

How to get started with Conditional Access

https://osddeployment.dk/2018/07/01/how-to-get-started-with-conditional-access/

Configure external access through Azure Load Balancing for the Admin Center Web Portal

If you’re using Admin Center publicly – and need to expose it to the internet. Please follow the next steps.

 Open inbound port 443 on the Network Security Group (NSG) of the AdminCenter Virtual Machine

Open the Network Interface

Click on Add inbound port Rule

Enter the required information

Click on Add

Open the Load balancers Service

Click on Add

Enter in a name for the Load Balancer and fill in the required information, such as the Public IP and type external. A name for the Public IP – make the Public IP Static to avoid changing the DNS records in the future.

Click on Create

Open the Load Balancer

 

Create a Public DNS record at your ISP Portal – and place it to the Public IP address, which you’ll find at the Overview screen

 

 

Create a NAT rule for HTTPS traffic from the outside to the AdminCenter Virtual Machine

If you’re load balancing multiple Admin Center servers for High Availability purposes – please replace the NAT rule for the Health Probe and Load Balancing Pool and Rules. See below the steps to provide that as well.

Create a Probe for 443 – SSL traffic

Give in the 443 port and name of the probe

 Create a Backend-Pool

Repeat the same steps for port 80 – HTTP to activate the HTTP > HTTPS redirection as well for external purposes

And the final step – create a load Balancing Rule

Test the external Connection

You’ve now an external active Admin Center with the highest level of security through Azure AD and Conditional Access!

That’s it again – hope this helps, and thanks for stopping by.

Cheers,

Christiaan Brinkhoff

Share Button
Christiaan Brinkhoff

Christiaan Brinkhoff

Christiaan Brinkhoff works as a Cloud Architect and Evangelist for FSLogix, and own his own consulting firm. Where he focuses mainly on Public Cloud infrastructures and End-User Computing environments for the larger multinational enterprise customers. He designs and provide complex migrations, helps customers with the Digital Transformation, advises on Cloud strategies, writes business continuity plans, strategies, and realizes on-premises and cloud-based environments. When he wants to get something done, he keeps going until he reaches his goal. He is very resourceful in finding solutions for challenges that seem impossible at first.

In addition to his work, he also shares his knowledge by speaking at large international conferences, such as Citrix Synergy, E2EVC - PubForum (Amsterdam, Athens), local user groups (Dutch, Irish, Swedish and Denmark User Group), and provides webinars and writes articles for IT vendors, as well as his website, christiaanbrinkhoff.com - to share his passion for Cloud innovation. This community-related work got him the privilege to achieve the following three vendor awards, such as Microsoft Valuable Professional (MVP) for Microsoft Azure, Citrix Technology Professional (CTP), and VMware vExpert.
Christiaan Brinkhoff