I found below article from the azure website for domain delegation to Azure DNS.
Delegate a domain to Azure DNS
But above article is based on PowerShell . I don't have knowledge in it. I want to do this from azure portal.But i don't find any help for it.
Hi assuming you have bought your domain you need to log on to the control panel of the company you purchased the domain from and ammend the "Name servers" to be those assigned by Azure DNS.
In the article you posted, under the section "Finding the name server names" the servers listed in the orange box are the name servers you need to enter in your domain registrar's control panel. In order for these servers to be assigned you have to have first created the zone in Azure DNS which is set out in this article: https://learn.microsoft.com/en-us/azure/dns/dns-getstarted-create-dnszone-portal
Once you make this change due to the nature of DNS it can take a while for the changes to work.
Related
We've been told by Microsoft support that Azure DevOps Services supports tenant restrictions. While we have tenant restrictions enabled on a number of other services, it does't seem to apply to DevOps. Not only can we still log in to organizations outside of our tenant, we can also log in to our own organization and, if our corp email is added as a user in that org, the organization also shows up. I'd expect that our users would be blocked from logging into or accessing any external orgs.
I'm a little confused about why this isn't just working as expected and despite them saying Azure DevOps Services supports tenant restrictions, I'm not finding much documentation to back that up.
Have you been able to migrate to Azure DevOps Services and ensure that your users are only able to access orgs within your own tenant? How?
Azure DevOps Service supports the Azure Active Directory (Azure AD) tenant policy to restrict users from creating an organization in Azure DevOps. This policy is turned off, by default. You must be an Azure DevOps Administrator in Azure AD to manage this policy.
Check following link for more details:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops
Notice:
This policy is supported only for company owned (Azure Active
Directory) organizations. Users creating organization using their
personal account (MSA or GitHub) have no restrictions.
https://devblogs.microsoft.com/devops/policy-support-to-restrict-creating-new-azure-devops-organizations/
We finally received a more concrete answer to this question from Premier Support. Sounds like this wasn't entirely clear internally either. Azure DevOps Services supports TRv1 which provides tenant restrictions from client to proxy, but does not support TRv2 tenant restrictions which provides server to server restrictions. TRv1 will prevent you from authenticating against an org outside your tenant directly but does nothing to prevent the background authentication that happens if your account is configured to be able to access a secondary tenant's org. The server to server connection strips off the header information necessary to restrict you from accessing the secondary tenant. While this feature may be on their radar there is no expectation or firm timeline for it's release at this time.
I've tried to get VSTS to connect to our enterprise Git repository.
To do this I had to get our firewall opened up, and as a result we found that VSTS does not connect to our network using the VSTS domain, ie ########.visualstudio.com
Instead it connects using the IP address of the build agent, which is in the range specified in the Azure Public IP list.
Does anyone know if this is a bug on MS's part? We could free up our firewall to all the Azure Public IP's, but this is very fragile (they can/will change), and presents a significant security risk as anyone using Azure could attempt to connect to our Git repository.
Interestingly, if you install a private build agent, then VSTS connects to this using the VSTS domain, we have observed this.
In my opinion, it's because the Hosted Build IP updates continuously. You can check the following Q&A:
What IP Addresses are used by Hosted Build?
We have an XML document released every Wednesday that contains all of
the IP ranges for Azure Datacenters broken out by region. Please see
https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653:
This file contains the Compute IP address ranges (including SQL
ranges) used by the Microsoft Azure Datacenters. A new xml file will
be uploaded every Wednesday (Pacific Time) with the new planned IP
address ranges. New IP address ranges will be effective on the
following Monday (Pacific Time). Please download the new xml file and
perform the necessary changes on your site before Monday. The Hosted
agent should be in the same region as your VSTS account, you need to
whitelist the IP address ranges for your region which you can get from
the link above. To verify your region in VSTS navigate to the
Settings page at .visualstudio.com/_admin/_home/settings,
Under Account you will see a field for Region.
I was recently trying to configure reverse dns for my mail server (which is hosted on Azure). But everytime I try this command:
Set-AzureService –ServiceName “MyVMName” -Description "VM with reverse dns" –ReverseDnsFqdn “myvmname.cloudapp.net."
It can't find the resource:
(Set-AzureService : ResourceNotFound: The hosted service does not
exist.)
And when I type in Get-AzureRmResource, I have all my resources, including my VM. So I don't understand, I really hope you guys can help me, because it's almost like I can't send mail without the reverse dns record.
From what I see, your Virtual Machine is created with Azure Resource Manager, while you try to set the reverse DNS entry using the Azure Service Management. This will not work.
Here is an article describing what is the difference between Azure Resource Manager and Azure Service Management and why that matters.
And here is an article on how to set Reverse DNS for your VM using Resource Manager.
AzureService will only show ASM (classic) service:
Set-AzureService
When you type:
Get-AzureRmResource
It will display all the ARM (resource manager). Therefore this will not work because you are looking at two different things.
I'm migrating a pretty serious multi-tenant application to Azure, and one of the challenges I see coming is that it hosts over a hundred domains.
On the Azure side, the only way I see to add a custom domain is hand-entering them via the portal. I would really like to script this out with Azure PowerShell or (perhaps less desirable for this one-off operation) one of the .Net APIs.
I did find this, which shows that it can be done with one of the REST APIs: Add a domain to an Azure web site via code
Is there anything for PowerShell?
you can use -
Set-AzureWebsite -Name "ramisample" -HostNames #('www.abc.com', 'abc.com')
Make sure you point the CNAME records before adding them as domains.
My build agents are not starting after I change the properties credentials to the domain account from the network service. I done this because the network service account cannot write to my drop folder.
Each time I add the network service to the drop folder share, it appears then disappears.
http://msdn.microsoft.com/en-us/library/bb778394.aspx I followed this but some steps are different, i have xp and it doesn't show the share tab so i go through security tab
So I guess I'm asking two questions here;
Agents are not starting after changing credentials.
Network service not able to write to the drop folder.
Thanks in advance
Yes, Network Service won't have permissions to write to a drop location. That's pretty standard. You need to be using a domain account.
The TFS Build Service will need to run as a domain user so it can write to the drop location.
The domain account for the build agent will need to be in the TFS Project Collection group for build service accounts (internal to TFS). I can't remember what it's actually called but you need to be a collection administrator to update it.
The domain account will also need some login as batch/service permissions but that should be done automatically when you reconfigure the service. Do you use the TFS Admin console to reconfigure the agent or did you just set the credentials on the service? (You should use the TFS Admin console).