Niraj Bhatt – Architect's Blog

Ruminations on .NET, Architecture & Design

Tag Archives: Windows Azure

Using a Single Windows Azure Active Directory tenant for All EA Azure Subscriptions

As you know by now Windows Azure Active Directory is at the root of every Azure subscription.


But in an EA setup you typically have multiple subscriptions and you definitely don’t want to create a different WAAD tenant for every other subscription. So here’s what you can do (there might be other ways too of achieving this). You can first create a Shared account and under that a Shared Subscription. Also create the WAAD tenant you want to use and ensure your shared subscription is under that WAAD tenant. In that WAAD tenant create all the account administrators.


Now go to your EA portal, and add new accounts specifying the account administrators you just created. That’s it – next when you create subscriptions for those newly created accounts, these subscriptions will be by default part of the same WAAD tenant under which you created your shared subscription.


It can’t get any easier, isn’t it 🙂 ?

Windows Azure Portals and Access Levels

When you sign up for Windows Azure you get a subscription and you are made the Service administrator of that subscription.


While this creates a simple access model, things do get little complicated in an Enterprise where users need various levels of access. This blog post would help you understand these access levels. 

Enterprise Administrator
Enterprise Administrator has the ability to add or associate Accounts to the Enrollment and can view usage data across all Accounts. There is no limit to the number of Enterprise Administrators on an Enrollment.
Typical Audience: CIO, CTO, IT Director
URL to GO:

Account Owner
Account Owner can add Subscriptions for their Account, update the Service Administrator and Co-Administrator for an individual Subscription, and can view usage data for their Account. By default all subscriptions are named as ‘Enterprise’ on creation. You can edit the name post creation in the account portal. Under EA usage, only Account Administrators can sign up for Preview features. Recommendation for accounts to be created is either on functional, business or geographic divisions, though creating a hierarchy of accounts would help larger organizations.
Typical Audience: Business Heads, IT Divisional Heads
URL to GO:

Service Administrator
Service Administrator and up to nine Co-Administrators per Subscription have the ability to access and manage Subscriptions and development projects within the Azure Management Portal. The Service Administrator does not have access to the Enterprise Portal unless they also have one of the other two roles. It’s recommended to create separate subscriptions for Development and Production, with production having strict restricted access.
Typical Audience: Project Manager, IT Operations
URL to GO:

Subscription co-administrators can perform all tasks that the service administrator for the subscription can perform. A co-administrator cannot remove the service administrator from a subscription. The service administrator and co-administrators for a subscription can add or remove co-administrators from the subscription.
Typical Audience: Test Manager, Technical Architect, Build Manager
URL to GO:

That’s it! With above know-how you can create an EA Setup like below


Hope this helps 🙂

Azure Benefits for MSDN subscribers

Friends, hope you are aware of this great offer. Click on the image below to sign up 🙂


Recovering from Windows Azure Virtual Machines failures – Unable to establish RDP connection

Your ability to recover from failures is quintessential while working with any cloud platform and same applies to Windows Azure Virtual Machines. Being in preview mode you might experience some glitches around this offering. For instance, there were times when I would setup a VM and next day I wasn’t able to RDP (Remote Desktop) into it. It looked like my hard work of setting up the VM would go down the drain. But those initial struggles filled my knowledge gaps. While the stability of VMs is dramatically improvising as we approach the General Availability, below are few pointers to deal with such failures. Hope you find them useful. 

a. Restart VM: First is to restart your VM. That should do the trick whenever your VM becomes unresponsive.

b. Delete VM: In case restart doesn’t help or restart operation is failing you can try deleting and re-creating VM. If you are attempting a manual delete via Azure Portal, you should delete the underlying Cloud Service too. Cloud Service – is the container holding your VM and would become visible when you delete the VM (will detail this in an upcoming post). Deleting your Cloud Service would allow you to reuse your DNS name (as a best practice ensure that your VM and DNS names are prefixed with unique identifiers). I have seen few developers struggle and provide different names to their VMs every time they delete it, failing to realize that they need to delete the Cloud Service too. Below Figure shows how you can create a new VM by selecting an existing disk (New -> Compute -> Virtual Machine -> From Gallery)

Azure VM Disks

c. Resize VM: An alternative to deleting your VM is to change the size of your VM. This is less intrusive but might not be feasible in all the scenarios.

d. Unlock VHD / Disk: At times, after you delete your VM, the portal might show that Disk is still attached to the deleted VM. This would result into a quandary because you can’t reuse the Disk to create a new VM until it’s detached. The easier option to resolve this is to delete the disk object. Deleting the Disk object would still retain the underlying blob. After deletion you can re-create the disk object and use it to spawn a new VM. If you can’t delete the disk then your only option is to break the blob lease manually via PowerShell or using Storage Client Library (refer to this MSDN forum link for further information).

Please do leave a comment, if you have used other approaches.

Controlling Windows Azure VM lifetimes

Most of the Cloud computing resources are billable on an hourly basis and it’s important that you release these resources when you no longer need them. This typically applies to Windows Azure Virtual machines not running 24×7, example – there could be business workloads which requires an application to be available only twelve hours on week days. To limit running costs most users stop their VMs, just to realize that Windows Azure bills for VMs that are in a stopped state. So, your only option to control costs is to delete the VMs. But wouldn’t deleting VM cause any issues?

The answer is both No and Yes. When you delete a VM you are just deleting VM instance but the underlying OS and data disks are still intact (in fact, you still keeping paying for their storage which luckily is quite negligible). Hence, you can easily resurrect your VM without much harm. It’s important to note that when you delete the VM, you still retain the underlying Cloud Service container and its associated Site URL. The issue you might face though when you delete and re-create the VM, is the public IP address change. I work in an organization with strict IT security rules and locked down access. Static IP was necessary for me to raise an outbound RDP access request with my IT team. But with IP changing everyday it was definitely turning into a challenge. In end the solution I adopted was to create an extra small VM running 24×7 and bounce from there to other VMs.

To delete a VM you can use PowerShell cmdlets. PowerShell cmdlets allow you to export your VM configuration, delete the VM and then re-create VM using exported configuration.

Export-AzureVM -ServiceName ” -Name ” -Path ‘c:\vmconf.xml’

Remove-AzureVM -ServiceName ” -Name ”

Import-AzureVM -Path ‘c:\vmconf.xml’ | New-AzureVM -ServiceName ” -VNetName ‘’ -DnsSettings ‘’

Export configuration as shown above is stored in a XML file. It contains various properties of a VM including Endpoints, disks, VM size, subnet, etc. Below snapshot from Azure Portal shows an empty Cloud Service Container post deletion of the VM. Currently there is no cost associated with an empty cloud service. It’s important to note that when you retain Cloud Service you also retain the underlying DNS URL.

Passing Parameters to Hadoop Streaming

This weekend I would be presenting @ BDOTNET UG meet on topic – “Big Talk: Hadoop on Azure”. In case you are around and plan to attend here’s the facebook event link. In this talk I would help you get started with Hadoop and show how you can leverage it with Windows Azure. With that, let’s focus on the subject of this blog post.

Hadoop Streaming allows you to write and run MapReduce jobs in language of your choice. For Azure and Microsoft world this would be mostly C#. You can create your programs / executable in C#, read input from Console and write output to Console. Mapper task would feed input lines to your executable via console (standard input) and also collect output via console (standard output). It converts output into key value pairs. Reducer task on other hand converts key value pairs into input lines, feeds it to your executable (via console), and collects the output (via console) converting it back to key value pairs. For scenarios where you need only mapper you can emit reducer and set ‘numReduceTasks’ to zero as shown below:

call hadoop.cmd jar hadoop-streaming.jar -files "hdfs://" -mapper "Mapper.exe" -input "asv://account/inputdata/" -output "/example/data/StreamingOutput/mywc" -numReduceTasks=0

IP address in above case is that of Namenode (you can get by executing following command from Javascript console – #cat file:///apps/dist/conf/core-site.xml).

Now at times, your mapper program would need additional parameters to carry out its operations e.g. say you want mapper to filter data on few attributes. So, how do can we pass these attributes to Mapper executable? Simple – pass them as command line parameters and in your program read them from args.

call hadoop.cmd jar hadoop-streaming.jar -files "hdfs://" -mapper "Mapper.exe param1 param2 param3" -input "asv://account/inputdata/" -output "/example/data/StreamingOutput/mywc" -numReduceTasks=0

static void Main(string[] args)
string line;

string parameterOne = args[0];
string parameterTwo = args[1];
string parameterThree = args[2];

Hope this helps!

Presenting at Great Indian Developer Summit 2012

Readers, I have been blogging quite less lately but really working on bouncing back soon. Meanwhile, I am speaking at the Great Indian Developer Summit (GIDS) 2012 on Windows Azure Access Control Service Usage Patterns. My session is on 17th April, 10 a.m. IST. Infact, this is my 4th presentation at GIDS conference, having presented at last three. If you are attending the summit, do drop by my session; I am committed to provide maximum ROI on your time investment. Below is the session snapshot

“Access Control Service (ACS) is perhaps the most powerful but least understood aspect of Windows Azure. While developers / architects understand it’s value proposition they are often left confused with surrounding acronyms and buzzwords like Active / Passive federation, SWT, SAML, ADFS, WIF, WS-Trust, WS-Federation, OAuth, OAuth WRAP, etc. This session distills the facts along with the underlying business motivation helping you with your moment on ACS. Having built the initial base session advances to focus on typical usage patterns of Access Control Service within enterprises. These common recurring implementation themes would further simply the mapping of ACS to your LOB applications. Attend this session to walk out with real implementation knowledge on ACS.”

Here’s the presenter billboard (speciality of GIDS 🙂 )

Looking forward to meet you in person…

Demystifying Access Control Service

Having presented quite a few sessions on Claims Based Idenitity and Access Control Service I still see quite a few participants confused on how to get started. While most of them are able to understand the underlying business motivation, they are list lost admist all the new terms like SAML, SWT, OAuth, WRAP, WIF, ACS, ADFS, Claims, Active / Passive Federation, etc. Let’s get them in turn.

At the heart of these offerings is the below simple block diagram which drives the key concept of –  Relying on a trusted External Entity (Identity Provider) for – Authenticating users and Providing user attributes (claims) to saves our services / applications from Identity nightmares. So, for your Service or your Application, you establish trust with an identity provider by sharing a X509 certificate or a shared secret. Clients or users of your service / application no longer connect with you for authentication, rather they authenticate with an identity provider to get back a claims token. That token is then presented to your service / application. As your service / application has a trust established with that IP they can validate the trust of the incoming token and then use the claims bundled in it to authorize the level of access for client / user.

Above flow becomes little complex when RP needs to trust multiple identity providers (for instance you are offering a multi-tenant service for individuals and coporates with each of them having a different identity provider). Not only RP would have to establish trust with all these providers but the Identity Providers too would have to register this RP to issue tokens on request. This is where a mediator called federation provider comes into picture. RP get registered only with federation provider and federation provider in turn is registered and trusted by various identity providers. Hence it simplifies many-to-many relationship into easily manageable one-to-one. Access control service (ACS) is a federation provider hosted on Windows Azure.

You will also find two federation terms used quite frequently – Passive & Active federation. Passive federation is assoicated with web applications (rather web browsers) where authentication happens via a set of redirects. Active federation is assoicated with Web Services and clients that explicity get authenticated.

Once a client authenticates with Identity Provider he get a token back. There are two token formats supported by Access Control Service – SAML and SWT. SAML exchange happens over WS-* protocols while SWT tokens are usually transferred over OAuth WRAP / OAuth 2.0 protocols (details here). You are most likely to use SWT tokens for RESTful services hosted in Azure. You can find more details about these token formats explained here

ACS would accept either of the token formats as input and would also return either of them as outputs. For instance there could be scenarios where you get a SAML token from ADFS (corporate identity provider), you use that to get authenticated with ACS and ACS returns you back a SWT token which in turn is used to access a protected REST Service (offered by a business partner).

Let’s start with SWT tokens. To see SWT tokens and OAuth WRAP in action protecting a WCF REST Service (active federation) I would recommend you have  a look at the ACS samples. Establishing trust between RP & ACS is quite simple – you exchange a shared secret. When client authenticates with ACS he gets back a SWT token which integrated HMAC256 hash. Relying part checks the authenticity of hash and claims inside the token on incoming tokens  to allow access to requesting client. You should see that retrieving SWT tokens using WRAP protocol from ACS and sending it to a RP is quite simple, infact you would hardly need anything beyond HTTP client library.

//Requesting a SWT token with username / password from Access Control Service

var client = new WebClient();
client.BaseAddress = string.Format(“https://{0}.{1}”, serviceNamespace, acsHostName);

var values = new NameValueCollection();
values.Add(“wrap_name”, unamepass.Username); /*Service Identity to be specified in Access Control Service*/
values.Add(“wrap_password”, unamepass.Password);
values.Add(“wrap_scope”, ConfigurationManager.AppSettings[“relyingpartyname”]);

byte[] responseBytes = client.UploadValues(“WRAPv0.9/”, “POST”, values); /*SWT token is received in raw format*/

Handling WS-*/SAML on the other hand is little more complex. Luckily for us Microsoft provides nice Visual Studio integreated tooling (FedUtil – Add STS Reference) for working with WS-*/SAML tokens along with WIF (Windows Identity Foundation) SDK. This tooling can be leveraged by both services and applications. In fact all you need to establish trust with identity providers is federation metadata and tooling generates that for you in form a file called FederationMedata.xml. WIF SDK, in addition, provides web controls for federated sign in and sign in status (Look at this article in case you want to extend WIF for handling SWT tokens).

Tooling also sets you up by plugging necessary modules in your RP’s web.config namely – WSFederationAuthenticationModule and SessionAuthenticationModule. Former helps you validate authenticity of incoming token while later establishes a session between client and relying party (FedAuth Cookie) so that token validation doesn’t become an overhead for every operation invoked. You can also add an additional module to this called ClaimsAuthorizationModule which let’s you invoke your custom ClaimsAuthorizationManger class as shown below.

<claimsAuthorizationManager type=”WebApplication4.CustomAuthorizationManager”/>

public class CustomAuthorizationManager : ClaimsAuthorizationManager    
public override bool CheckAccess(AuthorizationContext context)        
return base.CheckAccess(context);        


Book Review: Microsoft Windows Azure Development Cookbook

Apparently, this is my first public book review. A month back when PACKT Publishing asked me to do a review of this book I was delighted for couple of reasons. Firstly, I would get my hands on a book I so much wanted to read and secondly review the work of the maestro – Neil Mackenzie. If you don’t know Neil most probably you haven’t done a serious Windows Azure project 🙂 . Neil is the most active person on Windows Azure MSDN Forum, maintains a comprehensive blog on Windows Azure (at times I have felt that the depth of his blog entries surpasses that of MSDN documentation) and a Windows Azure MVP we all are proud of.

Highlight of the book for me are the exercises (referred as recipes), which are to the point, with concise code snippets, cutting the unnecessary verbose. Book’s first chapter starts with a very important yet very less discussed topic – authenticating with Windows Azure Platform. Chapter covers authentication scenarios pertaining to Azure Storage, Service Management, and AppFabric (caching) covering subtle topic of storage key rotation. Second chapter gives a thorough coverage of Blob storage including Leasing and leveraging Azure CDN. Third and fourth chapter dive into Tables and Queues again discussing key topics Pagination and polling back off (we recently helped a client cut on its transactional cost using similar approach). Fifth chapter which happens to be longest chapter of the book is really packed. You would be amazed at how much information is covered in these hundred pages. Chapter covers everything about hosting on Azure – multiple websites in a single role, HTTPS support, VM Role, Azure Connect and MarketPlace DataMarket among others. Chapter sixth and seventh contains vital topics of diagnostics (your key to success on Azure Platform) and service management APIs. It’s interesting to read the PowerShell coverage of these chapters. Finally book ends with couple of chapters around SQL Azure and Azure AppFabric. I was impressed with Neil’s knowledge around SQL Server DB and detailing of DMVs (dynamic management views).

Coming to the cons of the book, depending on your experience you might feel that book could have been better organized. May be an introduction chapter or an appendix at the end providing a 360 degree overview of Windows Azure could have been helpful. Also, while recipes are compact; snippets and corresponding explanations are done separately which at times is tedious to shuffle between. Lack of screenshots might be a concern to few readers. Also few topics like Access Control Service, WCF services, etc. have lesser focus (in case those are your prime use cases).

To sum up, writing Azure book is tough, especially with the rapid release cycles and features being churned regularly. Considering that, I would commend author for his work and would strongly recommend this book to accelerate your knowledge on Windows Azure. Three hundred plus pages can easily transform you into a PRO, helping you create more effective Windows Azure solutions.

Happy Reading 🙂 !!!

(P.S. You can download a sample chapter of the book from here).

Installations for Setting up Windows Azure

Recently I had to format my machine and then had to go through the pain of setting it up again. I always have Windows Azure bits running on my machine. Hence, I thought of sharing related links which I have kept handy, hoping in case you have fresh machine to start with it would be helpful to you as well. Quick note to check the date of this blog post as the steps outlined could have been outdated (though I would try my best to revise the post as much as possible). Below are tools / SDKs one would ideally install after installing VS.NET 2010 (and SQL Server Express).

a) Windows Azure SDK and tools for Visual Studio – The latest release of Windows Azure SDK is 1.4. If you want to install SDK and corresponding tooling for Visual Studio you can use the bundle – ‘VSCloudService.exe’. I would encourage you to follow the steps outlined in the Instructions section of the download page.

b) Windows Identity Foundation Runtime – One would need this runtime for working with Windows Azure AppFabric components like Service Bus and Access Control Service

c) Windows Identity Foundation SDK – Apart from providing samples this WIF SDK provides tooling for Visual Studio making the WIF work experience a breeze

d) Windows Azure AppFabric SDK V 1.0 – The necessary SDK to work with Windows Azure Appfabric

e) Windows Azure AppFabric SDK V 2.0 – This update provides access to latest components of Windows Azure AppFabric like Caching Service and few enhancements to the existing components

Hope this helps!!!