Introduction
Transitioning more and more to modern, many strive to get rid of the classic VPN for their endpoints. As we have more options managing endpoint without building a large and complex infrastructure it become natural to disconnect the traditional access model and build more enterprise applications to authenticate with your azure account.
When devices are roaming around on internet and have no VPN connection, it is somewhat more difficult to singlehandedly connect to an endpoint and investigate issues. This blogpost will cover how to deal with that using Azure blob as a temporary storage provider for logging.
Thanks, Tom Degreef for inspiration!
Requirements
- Azure storage account
- CMG
Azure Storage
Go to portal.azure.com
I already have a storage account I can use. We choose the storage account where “kind” says BlobStorage. (How to create the storage account is not covered by this blog)
Create a new Container
Create “templogs”
Public access level: Blob
Be sure you read the exclamation mark. This container is not a place to store sensitive data for a longer period, but for this purpose it will be ok.
Choose Storage Explorer
Get Shared Access Signature
Set expiry time to the future some time.
Add permissions
Create
Copy the Container name
Copy the Query string
Save them to notepad for now.
Close
Prepare your client environment
Before we can run the script on clients, we need to make sure they have the PowerShell modules.
Azure.Storage and AzureRM.profile
Start a Windows 10 client and fire up PowerShell shell.
Install-module azure.storage
Go through the prompts
Install-module azureRM.profile
Go through the prompts
To automize this, go to file explorer
Copy the folder Azure.Storage and AzureRM.profile
Create a script and a MEMCM package that copies these 2 folders to your clients.
Deploy the package to your clients.
MEMCM preparations
Download this script
Start your MEMCM Console
Create Script
Copy the content of the Github Script
Paste the code to the script in MEMCM.
We need to change the xxx parameters
StorageAccountName can be found here:
StorSas parameter where the string we saved to notepad earlier.
Container parameter also went to the notepad doc.
When added, click next next and done.
Approve the script
And we are ready to rock and roll getting logs
Right click a device -> run script
Get logs from device
Next
On the device CPC-TEST02 it starts adding a zip file containing a lot of good logs to debug info on that client.
And on the Azure Storage
You can either choose to grab it manually or go to Tom Degreef’s blog and get his download script, to automate the last part. Look for “Retrieve the logs”
Summary
There is always a scenario that goes into haywire and we need a way to reach out and have some insight of the problem. Guiding a user how to do things can be time consuming and not very agile. We need to be able to get logs even though our endpoints roam the internet. This is good example of how that can be achieved.
Happy testing!
