Cloud Computing, Office 365

Office 365 Business Plans (Enterprise)

Cloud Computing, Microsoft Azure, Powershell

Creating a file share in AZURE

Microsoft Azure offers fully managed file shares in the cloud. Azure File Storage exposes file shares over the Server Message Block (SMB) 3.0 protocol, the predominantly used file share protocol for existing on-premises applications, which simplifies moving those applications to the cloud. Because Azure File Storage allows applications to mount file shares from anywhere in the world, your on-premises applications can take advantage of cloud storage without change. Azure File Storage also implements a REST API, which enables you to develop modern applications that integrate with existing applications. Azure File Storage has also gained new features: SMB 3.0 support (including encryption and persistent handles), a new browser-based file explorer in the Azure portal, Azure Storage Metrics for Azure File storage, and the ability to mount Azure File Storage file shares from outside Azure datacenters.

So how do we create a file share? It can be done in the GUI or with PowerShell; let's try PowerShell.

Choose your storage account. We will need its name for our PowerShell cmdlets.

Then click on the storage account and go to CONFIGURE.

At the very bottom, click Manage Access Keys to get your key.

We are interested in the Primary Access Key; click the little file icon next to it to copy it. This is the long key, such as

b8VW6dmfugxsrNyF/TkHO9lkA00123456789KWEBJzPC0OBFStObAuUwzNJWUkT8Qs5AdUJsHGUiCYqbcjSw==

Next we need to run our PowerShell cmdlets:

$storageaccount = "msenelstorage01"

$storageaccount_key = "b8VW6dmfugxsrNyF/TkHO9lkA0vSPs4jEos0w+KWEBJzPC0OBFStObAuUwzNJWUkT8Qs5AdUJsHGUiCYqbcjSw=="

# Share names must be lowercase
$sharename = "logs"

# Build a storage context from the account name and key
$storageaccount_context = New-AzureStorageContext $storageaccount $storageaccount_key

# Create the file share
$create_share = New-AzureStorageShare $sharename -Context $storageaccount_context

And let’s run this….

PS C:\Users\murat.senel> $storageaccount = "msenelstorage01"

$storageaccount_key = "b8VW6dmfugxsrNyF/TkHO9lkA0123456789jEos0w+KWEBJzPCFStObAuUwzNJWUkT8Qs5AdUJsHGUiCYqbcjSw=="

$sharename = "logs"

$storageaccount_context = New-AzureStorageContext $storageaccount $storageaccount_key

$create_share = New-AzureStorageShare $sharename -Context $storageaccount_context

PS C:\Users\murat.senel>

In the storage account, you can see the URL for file storage;


https://msenelstorage01.file.core.windows.net/

At the moment the only GUI where we can check this is the Preview Portal.

Go to the Portal.

Click on the storage account that you used.

Click on Files.

There it is, our Logs file share has been created.

The second method might be easier if you don’t want to use Powershell…

Go to the File Share tab; at the top you will see the New Share tab.

What else can we show with a file share?

Let's create a directory (called Server001Logs) in the Logs share:

PS C:\Users\murat.senel> New-AzureStorageDirectory -Share $create_share -Path Server001Logs

Directory: https://msenelstorage01.file.core.windows.net/logs

Type                Length             Name
----                ------             ----
DIR                                    Server001Logs

And upload a file into that directory:

Set-AzureStorageFileContent -Share $create_share -Source C:\MyScripts\serverlist.txt -Path Server001Logs

Let's check them on the Portal.

The directory is there, and our uploaded file is…

also there…. 😉
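The share-creation steps above with the account key kept out of the script and uploads done through a short-lived, share-scoped token, as an added example that is not part of the original post. It assumes an authenticated session with the classic Azure module in a version that includes New-AzureStorageShareSASToken; the 8-hour lifetime and the 'rwl' permission set are illustrative choices.

```powershell
# Added example, not from the original post. Assumes an authenticated session
# with the classic Azure module used on this page, in a version that includes
# New-AzureStorageShareSASToken. Names are the page's; the 8-hour lifetime and
# the 'rwl' permission set are illustrative choices.

$storageAccount = 'msenelstorage01'
$shareName      = 'logs'                       # share names must be lowercase
$directory      = 'Server001Logs'
$sourceFile     = 'C:\MyScripts\serverlist.txt'

# 1. Fetch the key at run time instead of pasting it into the script, so it
#    does not end up in source control, screenshots or a notepad file.
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary

# 2. Key-based context, HTTPS only. This context can do anything in the
#    account, so use it only for the administrative steps below.
$adminCtx = New-AzureStorageContext -StorageAccountName $storageAccount `
                                    -StorageAccountKey $key -Protocol Https
Remove-Variable key

# 3. Create the share and the directory only if they are missing.
$share = Get-AzureStorageShare -Name $shareName -Context $adminCtx `
                               -ErrorAction SilentlyContinue
if (-not $share) {
    $share = New-AzureStorageShare -Name $shareName -Context $adminCtx
}
$existing = Get-AzureStorageFile -Share $share |
            Where-Object { $_.Name -eq $directory }
if (-not $existing) {
    New-AzureStorageDirectory -Share $share -Path $directory | Out-Null
}

# 4. Issue a token limited to this one share: read, write and list, no
#    delete, expiring after 8 hours. This is what a server that only ships
#    log files should hold instead of the account key.
$sas = New-AzureStorageShareSASToken -ShareName $shareName -Permission 'rwl' `
           -ExpiryTime (Get-Date).AddHours(8) -Context $adminCtx

# 5. Upload with a token-based context; the account key is not involved.
$uploadCtx = New-AzureStorageContext -StorageAccountName $storageAccount `
                                     -SasToken $sas -Protocol Https
Set-AzureStorageFileContent -ShareName $shareName -Source $sourceFile `
                            -Path $directory -Context $uploadCtx
```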

Cloud Computing

Administrator Roles in Azure AD

In various Azure projects we needed to assign certain roles to our users in Azure AD. The main thing is to understand their tasks and scope of responsibilities. Azure gives us a few roles which give users access to various features, such as managing subscriptions, assigning other administrator roles, resetting passwords, managing service requests and managing user accounts. When we assign these roles to users, they get access to these features across all of the cloud services that your organization has subscribed to. This is very important to bear in mind.

The following administrator roles are available:

  • Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Global administrator: Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.
  • Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.
  • Service administrator: Manages service requests and monitors service health.
    Note: To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in the Azure classic portal.
  • User administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Administrator permissions

Billing administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Perform billing and purchasing operations for Office products

Cannot do:
  • Reset user passwords
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization

Global administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Perform billing and purchasing operations for Office products
  • Reset user passwords
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • Enable or disable multi-factor authentication

Cannot do:
  • N/A

Password administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Reset user passwords

Cannot do:
  • Perform billing and purchasing operations for Office products
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization

Service administrator

Can do:
  • View company and user information
  • Manage Office support tickets

Cannot do:
  • Reset user passwords
  • Perform billing and purchasing operations for Office products
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization

User administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Reset user passwords, with limitations. He or she cannot reset passwords for billing, global, and service administrators.
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses, with limitations. He or she cannot delete a global administrator or create other administrators.

Cannot do:
  • Perform billing and purchasing operations for Office products
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • Enable or disable multi-factor authentication

Cloud Computing, Powershell

Uploading a VHD file to Azure Storage

Get your Azure Subscription details first….

PS C:\Users\user> Get-AzureRmSubscription

SubscriptionName : Free Trial

SubscriptionId   : ba6d424f-f1d9-40c1-be8d-123f6aad8a7b

TenantId         : dc608e75-2124-48be-9dbc-7a248dc51fb2

State            : Enabled

 

PS C:\Users\user> Get-AzureRmSubscription | ft -Property SubscriptionName

SubscriptionName
----------------
Free Trial

PS C:\Users\user> Get-AzurePublishSettingsFile

PS C:\Users\user> Import-AzurePublishSettingsFile

cmdlet Import-AzurePublishSettingsFile at command pipeline position 1

Supply values for the following parameters:

(Type !? for Help.)

PublishSettingsFile: “C:\book\Free Trial-2-20-2016-credentials.publishsettings”

Id          : ba6d424f-f1d9-40c1-be8d-123456789

Name        : Free Trial

Environment : AzureCloud

Account     : B62082C30D0DA9850123456789

State       :

Properties  : {[Default, True]}

We will need our storage account details such as Name (Label)

PS C:\Users\user> Get-AzureStorageAccount | Format-Table -Property Label

Label
-----

2mportalvhdstorage01

llportalvhds9storage02 

msenelstorage012345abscdr

ndportalvhdsmrw0123456

Select your Storage Account

PS C:\Users\user> $storageAccountName = 'llportalvhds9storage02'

Set-AzureSubscription -SubscriptionName "Free Trial" -CurrentStorageAccountName $storageAccountName

PS C:\Users\user> Get-AzureStorageContainer

Blob End Point: https://llportalvhds9storage02.blob.core.windows.net/

Name    PublicAccess    LastModified
----    ------------    ------------
vhds    Off             2/18/2016 11:21:41 AM +00:00

I have a copy of a Nano Server VHD. I think this is the smallest one I can use (543 MB). Don't forget that you will be copying your VHD into the cloud, and it will take some time.

PS C:\Users\user> $LocalVHD = "C:\book\Nano2016.vhd"

$AzureVHD = "https://llportalvhds9storage02.blob.core.windows.net/vhds/Nano2016.vhd"

Add-AzureVhd -LocalFilePath $LocalVHD -Destination $AzureVHD

Calculating…

Uploading…

After the upload has finished…

Go to Storage in the Azure Portal.

Find your storage account and click on it.

Go to Containers and click on vhds; you should be able to see your VHD file.

Making a copy of the VHD file;

It is always good practice to have a copy of some of your vhds if they are critical to your business. Otherwise you will go through everything from the beginning to upload them again. So;

Go back to Storage and, at the bottom of the screen, choose Manage Access Keys.

Get the storage account name and primary access key for our PowerShell cmdlet; copy them into Notepad so you can reuse them.

# The storage account needs to be authenticated.
# Use Https so that requests and data are not sent in clear text.
$context = New-AzureStorageContext -StorageAccountName "llportalvhds9storage02" `
 -StorageAccountKey "abcdefghijklmnopqrstuvyz" -Protocol Https

$containername = "vhds"

$blobname = "Nano2016.vhd"

# From storage we need to get the VHD's blob
$blob = Get-AzureStorageBlob -Context $context -Container $containername -Blob $blobname

$uri = "https://llportalvhds9storage02.blob.core.windows.net/vhds/Nano2016.vhd"

# Start a server-side copy of the VHD into the same container
Start-AzureStorageBlobCopy -SrcUri $uri -DestContext $context -DestContainer $containername -DestBlob "Nano2016.vhd-copy.vhd"

To check it, either go to Azure Portal > Storage > click on the storage account > vhds

Or use PowerShell to check that it is in our container (vhds):

# Use Https so that requests and data are not sent in clear text.
$context = New-AzureStorageContext -StorageAccountName "llportalvhds9storage02" `
 -StorageAccountKey "abcdefghijklmnopqrstuvyz" -Protocol Https

$containername = "vhds"

$blobcopyname = "Nano2016.vhd-copy.vhd"

# From storage we need to get the copied VHD's blob
$blobcopy = Get-AzureStorageBlob -Context $context -Container $containername `
 -Blob $blobcopyname

$blobcopy

 

Creating an image from a VHD file

Go to Virtual Machines in the Azure Portal and choose Images.

Click on "Create an image".

Now you can create a virtual machine using your image.

Creating a Disk from a VHD file

Go to Virtual Machines in the Azure Portal and choose Disks.

At the bottom of the screen, choose Create.

If it is an OS disk, make sure you tick "This VHD contains an operating system".

And again, you can use this disk to create your virtual machines.

Using PowerShell:

$AzureVHD = "https://llportalvhds9storage02.blob.core.windows.net/vhds/Nano2016.vhd"

# Register the uploaded VHD as an OS disk
Add-AzureDisk -DiskName 'NanoOSDisk' -MediaLocation $AzureVHD `
 -Label 'Nano Server 2016 OS Disk' -OS Windows

 

Certification, Cloud Computing, Networking / Infrastructure

Microsoft Azure – How to Configure a VNet-to-VNet connection

In your infrastructure you will probably have a few virtual networks (VNETs). They might be on-premises sites or Azure VNETs. You can connect these multiple VNETs to each other. Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to either other virtual networks or on-premises sites.

What I have got in my scenario is 2 sites, one in the US and one in Europe, which we will create (basically 2 sites in 2 different regions). Connecting a virtual network to another virtual network (VNET-to-VNET) is very similar to connecting a virtual network to an on-premises site location. Only a couple of steps differ, such as downloading the script created by Azure and running it on your on-premises gateway device. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE.

Let's create these VNETs now.

Log in to the Azure Classic Portal (not the Azure Portal). In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services, and then click Virtual Network. Click Custom Create to begin the configuration wizard.


On the Virtual Network Details page, enter the VNET name and choose your location (region).

On the DNS Servers and VPN Connectivity page, enter your DNS server name and IP address. You are not going to create one. This is purely name resolution for this virtual network. And don’t click any boxes, leave them as they are.

On the Virtual Network Address Spaces page, specify the address range that you want to use for your virtual network. In my case, for the US VNET it will be 10.20.0.0/16. These are the dynamic IP addresses (DIPs) that will be assigned to the VMs and other role instances that you deploy to this virtual network. It's especially important to select a range that does not overlap with any of the ranges that are used for your on-premises network. If it does, you will get an error message informing you that you have chosen an overlapping network range. You can modify your subnet here and create other subnets for other services, but for now these are not required.

 

Click on the to create it. Create another VNET following the steps above. I will choose 10.10.0.0 /16 and North Europe for my VNET-EU.


 

Next we need to add local networks to these virtual networks. I will configure each VNET as a local network. Microsoft uses the term local network for an on-premises network.

In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services, and then click Virtual Network. Click Add Local Network.

 

On the Specify your local network details page, for Name, enter the name of a virtual network that you want to use in your VNet-to-VNet configuration. For this example, I’ll use VNET-EU, as we’ll be pointing VNET-US to this virtual network for our configuration.

For VPN Device IP Address, use any IP address. Typically, you’d use the actual external IP address for a VPN device. For VNet-to-VNet configurations, you will use the Gateway IP address. But, given that you haven’t created the gateway yet, I will use an IP address from my IP range for now. (10.10.0.50). I will then go back into these settings and configure them with the corresponding gateway IP addresses once Azure generates it. Do the same steps for VNET-US and choose 10.20.0.50

Next I will have to point the VNETs at each other as local networks. Go to Networks, click on the first VNET and click Configure. Scroll down to Connection, tick the box for Connect to the Local Network and choose the other VNET under Local Network.

In the virtual network address spaces section on the same page, click add gateway subnet, then click the save icon at the bottom of the page to save your configuration.

Repeat the step for VNET-US to specify VNET-EU as a local network.

The next step is creating dynamic routing gateways for each VNET. On the Networks page, make sure the status column for your virtual network is Created.

 

In the Name column, click the name of your virtual network.

On the Dashboard page, notice that this VNet doesn't have a gateway configured yet. You'll see this status change as you go through the steps to configure your gateway. At the bottom of the page, click Create Gateway. You must select Dynamic Routing.

When the system prompts you to confirm that you want the gateway created, click Yes. Repeat the same steps for the other VNET. While your gateway is being created, the gateway graphic on the page changes to yellow and says Creating Gateway. It typically takes about 15-20 minutes for the gateway to be created.

After the gateways are created, they are assigned IP addresses. We need to go back to the local networks and replace the temporary IP addresses we entered when we added them to the VNETs with these gateway IP addresses.

After everything has completed, we need to make sure that both sides of the connection are using the same pre-shared key.

I will use PowerShell to complete this part. First, connect to your subscription.

Then check your VNET connections using Get-AzureVNetConnection.

 

Lastly run;

Set-AzureVNetGatewayKey -VNetName VNET-EU -LocalNetworkSiteName VNET-US -SharedKey 123456789

Set-AzureVNetGatewayKey -VNetName VNET-US -LocalNetworkSiteName VNET-EU -SharedKey 123456789

(For a production environment, make sure you use much stronger shared keys.)

And you will see that the connection is successful.
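One way to replace the 123456789 placeholder with a random key and confirm that both gateways hold the same value, as an added example that is not from the original post. It assumes the classic cmdlets and the VNET-EU / VNET-US names used above, and that Get-AzureVNetGatewayKey returns the key in its Value property; New-RandomSharedKey is a helper defined here and the 32-byte length is an illustrative choice.

```powershell
# Added example, not from the original post. Assumes an authenticated session
# with the classic Azure module and the VNET-EU / VNET-US names from this page.
# New-RandomSharedKey is a helper defined here, not an Azure cmdlet.

function New-RandomSharedKey {
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    # Cryptographic RNG; Get-Random is not suitable for key material.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($buffer) }
    finally { $rng.Dispose() }
    # Hex encoding keeps the key alphanumeric (64 characters for 32 bytes).
    -join ($buffer | ForEach-Object { $_.ToString('x2') })
}

# Each VNET sees the other one as its local network site.
$pairs = @(
    @{ VNet = 'VNET-EU'; Site = 'VNET-US' },
    @{ VNet = 'VNET-US'; Site = 'VNET-EU' }
)

$psk = New-RandomSharedKey

# Set the same key on both sides of the tunnel.
foreach ($p in $pairs) {
    Set-AzureVNetGatewayKey -VNetName $p.VNet -LocalNetworkSiteName $p.Site `
                            -SharedKey $psk | Out-Null
}

# Read both sides back and compare them without printing the key.
$stored = @(foreach ($p in $pairs) {
    (Get-AzureVNetGatewayKey -VNetName $p.VNet -LocalNetworkSiteName $p.Site).Value
})
$mismatch = $stored | Where-Object { $_ -cne $psk }
if ($mismatch) {
    throw 'Shared key mismatch between VNET-EU and VNET-US gateways.'
}

# Drop the key from the session once both gateways have it.
Remove-Variable psk, stored

# The tunnel should come back up with the new key on both ends.
foreach ($p in $pairs) {
    Get-AzureVNetConnection -VNetName $p.VNet |
        Format-Table LocalNetworkSiteName, ConnectivityState -AutoSize
}
```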

 

 

 

Cloud Computing, Networking / Infrastructure

Microsoft’s StorSimple

 

 

Standard storage management comes with a few challenges: thinking about capacity, types, tiering, provisioning and scalability. Making plans and decisions takes a long time, and on top of these, what about backups and data archiving? They bring their own challenges. Many hours are spent just to keep everything the way we want it within our budget.

I first heard about StorSimple when I was watching one of the Azure MVA courses. The idea of storing data based on how often it is accessed, and deciding where to store it on that basis, is simple and at the same time makes business sense. Applying a simple logic will save a lot of effort and money in the long run.

So if you are tired of buying and installing storage and rebalancing workloads all the time, you really need to have a look at StorSimple. The same is true for managing data protection: because off-site data protection is completely automated with StorSimple, you have no worries there. And if you can't perform DR because it's too disruptive and takes too long, you need to look into non-disruptive, thin recovery with StorSimple.

How does it work?

 

StorSimple comprises SSDs (split into two layers), HDDs and the cloud. When a user saves data, it goes to the first SSD layer on the StorSimple appliance. It is then deduplicated into the second SSD layer along with the data that comes from other users. While the data is being accessed, it remains active and stays "hot". As users keep creating other data, previously created data is accessed less often and becomes "cold". This data is then moved to the HDD layer, where it is also compressed. As more data becomes cold and is moved to the HDD layer, that layer fills up and reaches its threshold, and the original data is moved to the cloud. When the data is in Azure, it is copied 3 times locally and another 3 copies are geo-replicated within region. As you may guess, there will be a delayed response when a user requests data that is in the cloud, as opposed to data saved on the other layers. StorSimple pulls the data from Azure and presents it to the user, and it is managed through the Azure portal.

The new StorSimple Manager is an Azure management portal which controls all functions of all StorSimple arrays across the enterprise. It provides a single, consolidated management point that uses the Internet as a control plane to configure all parameters of StorSimple 8000 arrays and to display up-to-the-minute status information in a comprehensive dashboard.

Cloud Computing

Azure Subscription Limitations and others …

When I was implementing some services in Azure, I came across some issues related to limitations. I wasn't aware of some of them, but I used the list below to see the big picture. There are other limitations in the list, but these are the most frequently requested. If you are close to the default limits, you can definitely give Microsoft a ring and they will give you an option above the default, but not above the maximum value.

Subscription Limits

Subscription Limits

Resource | Default Limit | Maximum Limit
Cores per subscription¹ | 20 | 10,000
Co-administrators per subscription | 200 | 200
Storage accounts per subscription | 100 | 100
Cloud services per subscription | 20 | 200
Local networks per subscription | 10 | 500
SQL Database servers per subscription | 6 | 150
DNS servers per subscription | 9 | 100
Reserved IPs per subscription | 20 | 100
ExpressRoute dedicated circuits per subscription | 10 | 25
Hosted service certificates per subscription | 400 | 400
Affinity groups per subscription | 256 | 256
Batch accounts per region per subscription | 1 | 50
Alert rules per subscription | 250 | 250

¹ Extra Small instances count as one core towards the core limit despite using a partial core.

Subscription Limits – Azure Resource Manager

The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those limits.

Resource | Default Limit | Maximum Limit
VMs per subscription | 20¹ per Region | 10,000 per Region
Co-administrators per subscription | Unlimited | Unlimited
Storage accounts per subscription | 100 | 100²
Resource Groups per subscription | 800 | 800
Availability Sets per subscription | 2000 per Region | 2000 per Region
Resource Manager API Reads | 15000 per hour | 15000 per hour
Resource Manager API Writes | 1200 per hour | 1200 per hour
Resource Manager API request size | 4194304 bytes | 4194304 bytes
Cloud services per subscription | Deprecated³ | Deprecated³
Affinity groups per subscription | Deprecated³ | Deprecated³

¹ Default limits vary by offer Category Type, such as Free Trial, Pay-As-You-Go, etc.

² Limit can be increased by contacting support.

³ These features are no longer required with Azure Resource Groups and the Azure Resource Manager.

Resource Group Limits

Resource | Default Limit | Maximum Limit
Resources per resource group (per resource type) | 800 | 800
Deployments per resource group | 800 | 800
Resources per deployment | 800 | 800
Management Locks (per unique scope) | 20 | 20
Number of Tags (per resource or resource group) | 15 | 15
Tag key length | 512 | 512
Tag value length | 256 | 256

Virtual Machines Limits

Virtual Machine Limits

Resource | Default Limit | Maximum Limit
Virtual machines per cloud service¹ | 50 | 50
Input endpoints per cloud service² | 150 | 150

¹ Virtual machines created in Service Management (instead of Resource Manager) are automatically stored in a cloud service. You can add more virtual machines to that cloud service for load balancing and availability.

² Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service. Virtual machines in the same cloud service or virtual network can automatically communicate with each other.

Virtual Machines Limits – Azure Resource Manager

The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those limits.

Resource | Default Limit
Virtual machines per availability set | 100
Certificates per subscription | Unlimited¹

¹ With Azure Resource Manager, certificates are stored in the Azure Key Vault. Although the number of certificates is unlimited for a subscription, there is still a 1 MB limit of certificates per deployment (which consists of either a single VM or an availability set).

Networking Limits

ExpressRoute Limits

The following limits apply to ExpressRoute resources per subscription.

Resource | Default Limit
ExpressRoute circuits per subscription | 10
ExpressRoute circuits per region per subscription for ARM | 10
Maximum number of routes for Azure private peering with ExpressRoute standard | 4,000
Maximum number of routes for Azure private peering with ExpressRoute premium add-on | 10,000
Maximum number of routes for Azure public peering with ExpressRoute standard | 200
Maximum number of routes for Azure public peering with ExpressRoute premium add-on | 200
Maximum number of routes for Azure Microsoft peering with ExpressRoute standard | 200
Maximum number of routes for Azure Microsoft peering with ExpressRoute premium add-on | 200
Number of virtual network links allowed per ExpressRoute circuit | see table below

Number of Virtual Networks per ExpressRoute circuit

Circuit Size | Number of VNet links for standard | Number of VNet Links with Premium add-on
10 Mbps | 10 | Not Supported
50 Mbps | 10 | 20
100 Mbps | 10 | 25
200 Mbps | 10 | 25
500 Mbps | 10 | 40
1 Gbps | 10 | 50
2 Gbps | 10 | 60
5 Gbps | 10 | 75
10 Gbps | 10 | 100

Networking Limits

The following limits apply only for networking resources managed through the classic deployment model per subscription.

Resource | Default limit | Maximum limit
Virtual networks per subscription | 50 | 100
Local network sites per virtual network | 20 | contact support
DNS Servers per virtual network | 20 | 100
Virtual machines and role instances per virtual network | 2048 | 2048
Concurrent TCP connections for a virtual machine or role instance | 500K | 500K
Network Security Groups (NSG) | 100 | 200
NSG rules per NSG | 200 | 400
User defined route tables | 100 | 200
User defined routes per route table | 100 | 500
Public IP addresses (dynamic) | 5 | contact support
Reserved public IP addresses | 20 | contact support
Public VIP per deployment | 5 | contact support
Private VIP (ILB) per deployment | 1 | 1
Endpoint Access Control Lists (ACLs) | 50 | 50

Networking Limits – Azure Resource Manager

The following limits apply only for networking resources managed through Azure Resource Manager per region per subscription.

Resource | Default limit | Maximum Limit
Virtual networks per subscription | 50 | 500
DNS Servers per virtual network | 9 | 25
Virtual machines and role instances per virtual network | 2048 | 2048
Concurrent TCP connections for a virtual machine or role instance | 500K | 500K
Network Interfaces (NIC) | 300 | 1000
Network Security Groups (NSG) | 100 | 400
NSG rules per NSG | 200 | 500
User defined route tables | 100 | 400
User defined routes per route table | 100 | 500
Public IP addresses (dynamic) | 60 | contact support
Reserved public IP addresses | 20 | contact support
Load balancers (internal and internet facing) | 100 | contact support
Load balancer rules per load balancer | 150 | 150
Public front end IP per load balancer | 5 | contact support
Private front end IP per load balancer | 1 | contact support
Application gateways | 50 | 50

Contact support in case you need to increase limits from default.

Traffic Manager Limits

Resource | Default limit
Profiles per subscription | 100¹
Endpoints per profile | 200

¹ Contact support in case you need to increase these limits.

DNS Limits

Resource | Default limit
Zones per subscription | 50¹
Record sets per zone | 1000¹
Records per record set | 20

¹ Contact support in case you need to increase these limits. The Azure DNS service is currently in Preview. These limits will be reviewed when the service reaches General Availability.

Storage Limits

Storage Service Limits

Resource | Default Limit
Max number of storage accounts per subscription | 100¹
TB per storage account | 500 TB
Max number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account | Only limit is the 500 TB storage account capacity
Max size of a single blob container, table, or queue | 500 TB
Max number of blocks in a block blob or append blob | 50,000
Max size of a block in a block blob or append blob | 4 MB
Max size of a block blob or append blob | 50,000 X 4 MB (approx. 195 GB)
Max size of a page blob | 1 TB
Max size of a table entity | 1 MB
Max number of properties in a table entity | 252
Max size of a message in a queue | 64 KB
Max size of a file share | 5 TB
Max size of a file in a file share | 1 TB
Max number of files in a file share | Only limit is the 5 TB total capacity of the file share
Max 8 KB IOPS per share | 1000
Max number of stored access policies per container, file share, table, or queue | 5
Total Request Rate (assuming 1KB object size) per storage account | Up to 20,000 IOPS, entities per second, or messages per second
Target throughput for single blob | Up to 60 MB per second, or up to 500 requests per second
Target throughput for single queue (1 KB messages) | Up to 2000 messages per second
Target throughput for single table partition (1 KB entities) | Up to 2000 entities per second
Target throughput for single file share | Up to 60 MB per second
Max ingress² per storage account (US Regions) | 10 Gbps if GRS/ZRS³ enabled, 20 Gbps for LRS
Max egress² per storage account (US Regions) | 20 Gbps if RA-GRS/GRS/ZRS³ enabled, 30 Gbps for LRS
Max ingress² per storage account (European and Asian Regions) | 5 Gbps if GRS/ZRS³ enabled, 10 Gbps for LRS
Max egress² per storage account (European and Asian Regions) | 10 Gbps if RA-GRS/GRS/ZRS³ enabled, 15 Gbps for LRS

¹ If you require more than 100 storage accounts, contact Azure Support for assistance.

² Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being received from a storage account.

³ Azure Storage replication options include:

  • RA-GRS: Read-access geo-redundant storage. If RA-GRS is enabled, egress targets for the secondary location are identical to those for the primary location.
  • GRS: Geo-redundant storage.
  • ZRS: Zone-redundant storage. Available only for block blobs.
  • LRS: Locally redundant storage.

Virtual Machine Disk Limits

An Azure virtual machine supports attaching a number of data disks. For optimal performance, you will want to limit the number of highly utilized disks attached to the virtual machine to avoid possible throttling. If all disks are not being highly utilized at the same time, the storage account can support a larger number of disks.

  • For standard storage accounts: A standard storage account has a maximum total request rate of 20,000 IOPS. The total IOPS across all of your virtual machine disks in a standard storage account should not exceed this limit. You can roughly calculate the number of highly utilized disks supported by a single standard storage account based on the request rate limit. For example, for a Basic Tier VM, the maximum number of highly utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM, it is about 40 (20,000/500 IOPS per disk), as shown in the table below.
  • For premium storage accounts: A premium storage account has a maximum total throughput rate of 50 Gbps. The total throughput across all of your VM disks should not exceed this limit.

Standard storage accounts

Virtual machine disks: per disk limits

VM Tier | Basic Tier VM | Standard Tier VM
Disk size | 1023 GB | 1023 GB
Max 8 KB IOPS per persistent disk | 300 | 500
Max number of highly utilized disks | 66 | 40

Premium storage accounts

Virtual machine disks: per account limits

Resource | Default Limit
Total disk capacity per account | 35 TB
Total snapshot capacity per account | 10 TB
Max bandwidth per account (ingress + egress¹) | <=50 Gbps

¹ Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being received from a storage account.

Virtual machine disks: per disk limits

Premium Storage Disk Type | P10 | P20 | P30
Disk size | 128 GiB | 512 GiB | 1024 GiB (1 TB)
Max IOPS per disk | 500 | 2300 | 5000
Max throughput per disk | 100 MB per second | 150 MB per second | 200 MB per second
Max number of highly utilized disks | 62 | 41 | 31

Storage Resource Provider Limits

The following limits apply when using the Azure Resource Manager and Azure Resource Groups only.

Resource | Default Limit
Storage account management operations (read) | 800 per 5 minutes
Storage account management operations (write) | 200 per hour
Storage account management operations (list) | 100 per 5 minutes

Cloud Services Limits

Resource | Default Limit | Maximum Limit
Web/worker roles per deployment¹ | 25 | 25
Instance Input Endpoints per deployment | 25 | 25
Input Endpoints per deployment | 25 | 25
Internal Endpoints per deployment | 25 | 25

¹ Each Cloud Service with Web/Worker roles can have two deployments, one for production and one for staging. Also note that this limit refers to the number of distinct roles (configuration) and not the number of instances per role (scaling).

Active Directory Limits

Here are the usage constraints and other service limits for the Azure Active Directory service.

Category Limits
Directories: A single user can only be associated with a maximum of 20 Azure Active Directory directories.
Examples of possible combinations:

  • A single user creates 20 directories.
  • A single user is added to 20 directories as a member.
  • A single user creates 10 directories and later is added by others to 10 different directories.
Objects
  • A maximum of 500,000 objects can be used in a single directory by users of the Free edition of Azure Active Directory.
  • A non-admin user can create no more than 250 objects.
Schema extensions
  • String type extensions can have maximum of 256 characters.
  • Binary type extensions are limited to 256 bytes.
  • 100 extension values (across ALL types and ALL applications) can be written to any single object.
  • Only “User”, “Group”, “TenantDetail”, “Device”, “Application” and “ServicePrincipal” entities can be extended with “String” type or “Binary” type single-valued attributes.
  • Schema extensions are available only in Graph API-version 1.21-preview. The application must be granted write access to register an extension.
Applications: A maximum of 10 users can be owners of a single application.
Groups
  • A maximum of 10 users can be owners of a single group.
  • Any number of objects can be members of a single group in Azure Active Directory.
  • The number of members in a group you can synchronize from your on-premises Active Directory to Azure Active Directory is limited to 15K members, using Azure Active Directory Directory Synchronization (DirSync).
  • The number of members in a group you can synchronize from your on-premises Active Directory to Azure Active Directory using Azure AD Connect is limited to 50K members.
Access Panel
  • There is no limit to the number of applications that can be seen in the Access Panel per end user, for users assigned licenses for Azure AD Premium or the Enterprise Mobility Suite.
  • A maximum of 10 app tiles (examples: Box, Salesforce, or Dropbox) can be seen in the Access Panel for each end user for users assigned licenses for Free or Azure AD Basic editions of Azure Active Directory. This limit does not apply to Administrator accounts.
Reports: A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.

Multi-Factor Authentication

Resource | Default Limit | Maximum Limit
Max number of Trusted IP addresses/ranges per subscription¹ | 0 | 12
Remember my devices – number of days | 14 | 60
Max number of app passwords? | 0 | No Limit
Allow X attempts during MFA call | 1 | 99
Two-way Text message Timeout Seconds | 60 | 600
Default one-time bypass seconds | 300 | 1800
Lock user account after X consecutive MFA denials | Not Set | 99
Reset account lockout counter after X minutes | Not Set | 9999
Unlock account after X minutes | Not Set | 9999

¹ This is expected to increase in the future…