Skip to main content

Microsoft Azure Portal - Global & Advanced Filters

· 5 min read

We've all been there! In the Azure portal, looking for a resource or subscription and cannot find it! Once permissions are ruled out, you are left with the Portal itself, and the filter.

You may see a checkbox or message like the below:

Show only subscriptions selected in the global subscriptions filter.

Show only subscriptions selected in the global subscriptions filter

This is because the Microsoft Azure portal has a default filter, which is very handy in hiding subscriptions and resources you don't want to see or use all the time.

The following Microsoft document 'Manage Azure portal settings and preferences' is a great place to start, but let us take a look ourselves.

Azure Portal Filters

Global Subscription Filter

Let us take a look at the Global subscription filter.

  1. Log in to the Microsoft Azure Portal
  2. Click on 'Settings' on the top right-hand navigation bar
  3. Azure Portal - Settings
  4. Click on the dropdown list under the Default subscription filter
  5. Here you can select or de-select the subscriptions you want to display by default in the Microsoft Azure Portal.
  6. Azure Portal - Global Filter
  7. There is no Save button, the changes will automatically take effect.

Advanced Filters

Let us take a look at the Advanced subscription filters.

  1. Log in to the Microsoft Azure Portal
  2. Click on 'Settings' on the top right-hand navigation bar
  3. Azure Portal - Settings
  4. Toggle Advanced Filters
  5. Click Continue to reload the Azure Portal, your Global subscription filter will be changed to an advanced filter.
  6. Click Modify Advanced filters
  7. Click + Create a filter
  8. Here you have the ability to create a filter or filters, to help match your requirements. You can create filters based on subscription ID and subscription name.
Filter TypeOperatorValueNote
Subscription ID==Subscription ID arrayEqual
Subscription name!=Subscription ID arrayDoes not Equal
Subscription statecontainsStringContains
!containsStringDoes not Contain
startswithStringStarts with
!startswithStringDoes not start with
endswithStringEnds with
!endswithStringDoes not end with
Subscription StateDescription
Activate/EnabledYour Azure subscription is active. You can use the subscription to deploy new resources and manage existing ones.
DeletedYour Azure subscription has been deleted along with all underlying resources/data.
DisabledYour Azure subscription is disabled and can no longer be used to create or manage Azure resources. While in this state, your virtual machines are de-allocated, temporary IP addresses are freed, storage is read-only and other services are disabled.
ExpiredYour Azure subscription is expired because it was canceled. You can reactivate an expired subscription.
Past DueYour Azure subscription has an outstanding payment pending. Your subscription is still active but failure to pay the dues may result in subscription being disabled.
WarnedYour Azure subscription is in a warned state and will be disabled shortly if the warning reason isn't addressed. A subscription may be in warned state if its past due, canceled by user, or if the subscription has expired.
  1. Using the logic above, we can easily create filters based on the state of a subscription and name, an example is, creating a filter that displays all subscriptions with 'dev' in its name:
  2. Azure Portal - Advanced Subscription Filter

You can only have one Filter displayed at once in the Azure Portal, but you can easily switch between them, by clicking Activate, next to the filter name.

If you wish to disable Advanced Filters, and go back to the Global Filter, you can deselect the Toggle for Advanced Filters.

Additional Resources

Microsoft Docs

To get the most out of your Azure Portal experience, the below Microsoft documentation is worth a read (in no particular order).

Send Feedback to Microsoft

On the last note, Microsoft has made it easy to create Feedback, that will get fed back to the Azure Portal and product teams straight in the Microsoft Azure Portal, if you ever see anything that may need changing, or a link out of date don't hesitate to send your feedback to Microsoft, by pressing the little Feedback button on the top right of your navigation bar.

Azure Portal - Feedback

The Microsoft Azure portal is in development all the time and is now built with Azure Resource Graph capabilities, it is very easy not to try and see new functionality, so I recommend you keep your eyes out and try new features.

Microsoft Azure Portal - Recent Resources

· One min read

The Microsoft Azure Portal displays a list of Recent resources (whether they are subscriptions or Resources) you have accessed, usually when you first log in to the portal itself.

This capability makes it quick to access resources you use the most often, but sometimes you may want to view the resources in a list for easy access or clear the recent resources (ie if you are going to do a presentation) - this is how you can do it.

The Azure portal has a service called: Recent, to access it.

  1. Log in to the Microsoft Azure Portal
  2. In the search bar type in: Recent
  3. Azure Portal - Recent
  4. Select Recent
  5. You will be taken to the Recent Resources view, where you can select Clear to clear your Recent Resources, or you can view all your recent resources for easy access.
  6. Azure Portal - Clear Recent

You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

· 2 min read

You may be attempting to deploy an Azure Landing Zone, such as the Enterprise Scale Landing Zone and receive the following error:

You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.

This is because by default, even if you have Owner right on an Azure subscription, and are a Global Administer, you are unable to assign rights at the root '/' tenant level, to be able to create new Management Groups and move subscriptions between them.

However, users who have the Global Microsoft Entra ID role can elevate rights to do this. There are a few steps to enabling this, including using Azure PowerShell to assign rights.

With an account with Global Administrator rights, do the following:

  1. Sign in to the Azure Portal

  2. Open Microsoft Entra ID

  3. Click Properties

  4. Toggle the 'Access management for Azure resources' to 'Yes'

  5. Click Save

  6. Open PowerShell

  7. Run:

  8. Login with your account, and make sure you are in the correct directory (if you aren't you can use Connect-Az Account - tenantid 'tenantidhere').

  9. Type:

  10. Copy the ID of the user you are logged in as, and run the following (replace the ObjectId to match the ID of your user):

    $user =  Get-AzADUser -ObjectId f53eaa59-0fc0-4103-b9cb-1650e3069da8
  11. Once the user ID has been stored in a variable, its finally time to assign the rights, run the following:

    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
  12. Give Microsoft Entra ID 10-15 minutes to replicate the Azure AD changes, log out and back in and you should now be able to deploy the Landing Zone.

Note: Remember to go back and change the toggle to 'Allow management of Azure resources' to 'No', or all Global Administrators of Microsoft Entra ID will be able to manage all Azure resources.

Once the Landing Zone is deployed, you should also remove your role assignment at the root level by running:

Remove-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

Turn on a Azure Virtual Machine using Azure Automation

· 11 min read

Turning off a Virtual Machine in Microsoft Azure on a schedule can quickly be done using the built-in Shutdown controls in the Virtual Machine blade (part of Azure Lab Services, but not a requirement), but what about starting it?

You have a few options, Logic Apps, PowerShell, Functions and Runbooks; most of the time, these will run on a standard 7 AM to 5 PM Monday to Friday schedule (meaning the Virtual Machine is off during off-peak hours and weekends, reducing compute cost).

This works fine for most scenarios, but what happens if a Bank or Public Holiday falls during the week? With the normal schedule, your Virtual Machine starts.

Because all your users are on Holiday, it wastes money while you and your users drink snicker cocktails at the beach?

This is where using a third party timezone API like 'AbstractApi' comes in handy; incorporating a lookup to check if it's a Public Holiday before starting that Virtual Machine can help reduce unnecessary costs.

Virtual Machines in Microsoft Azure have different states and, depending on what state the Virtual Machine is in, will determine whether you get billed or not (for the Compute, storage and network adapters are still billed).

Power stateDescriptionBilling
StartingVirtual Machine is powering up.Billed
RunningVirtual Machine is fully up. This is the standard working state.Billed
StoppingThis is a transitional state between running and stopped.Billed
StoppedThe Virtual Machine is allocated on a host but not running. Also called PoweredOff state or Stopped (Allocated). This can be result of invoking the PowerOff API operation or invoking shutdown from within the guest OS. The Stopped state may also be observed briefly during VM creation or while starting a VM from Deallocated state.Billed
DeallocatingThis is the transitional state between running and deallocated.Not billed
DeallocatedThe Virtual Machine has released the lease on the underlying hardware and is completely powered off. This state is also referred to as Stopped (Deallocated).Not billed

I have written a base runbook that does precisely that, every time the runbook runs, it checks if it is a public Holiday. If it is - then the Virtual Machine isn't started; if it isn't, then the virtual machine is started.


Today, we are going to set up an Azure Automation runbook, triggered by a scheduled will go through the following steps:

  1. On a schedule (7 AM, it will trigger an Azure Automation runbook)
  2. The Azure Automation runbook will do a lookup to an external API, in this case, AbstractApi.
  3. The runbook will check the date and detect if it falls on a Public Holiday; if it is a Public Holiday, it will exit the Azure Automation runbook; if it is a standard workday, it will start the Virtual Machine.

To do this, we need a few resources.

And, of course, 'Contributor' rights to the Microsoft Azure subscription to create the resources and the schedule, along with setting up the System Managed identity to grant the Azure Automation account access to start the Virtual Machine.

We will set up this from scratch using the Azure Portal and use an already created PowerShell Azure Automation runbook.

Deploy Start VM Solution

Setup Azure Automation Account

Create Azure Automation Account

First, we need an Azure Automation resource.

  1. Log into the Microsoft Azure Portal.
  2. Click + Create a resource.
  3. Type in automation
  4. Select Create under Automation, and select Automation.
  5. Create Azure Automation Account
  6. Select your subscription
  7. Select your Resource Group or Create one if you don't already have one (I recommend placing your automation resources in an Azure Management or Automation resource group, this will also contain your Runbooks)
  8. Select your region
  9. Create Azure Automation Account
  10. Select Next
  11. Make sure: System assigned is selected for Managed identities (this will be required for giving your automation account permissions to deallocate your Virtual Machine, but it can be enabled later if you already have an Azure Automation account).
  12. Click Next
  13. Leave Network connectivity as default (Public access)
  14. Click Next
  15. Enter in appropriate tags
  16. Create Azure Automation Account
  17. Click Review + Create
  18. After validation has passed, select Create
Configure System Identity

Now that we have our Azure Automation account, its time to set up the System Managed Identity and grant it the following roles:

  • Virtual Machine Contributor (to deallocate the Virtual Machine)

You can set up a custom role to be least privileged and use that instead. But in this article, we will stick to the built-in roles.

  1. Log into the Microsoft Azure Portal.
  2. Navigate to your Azure Automation account
  3. Click on: Identity
  4. Make sure that the System assigned toggle is: On and click Azure role assignments.
  5. Azure Automation Account managed identity
  6. Click + Add role assignments
  7. Select the Subscription (make sure this subscription matches the same subscription your Virtual Machines are in)
  8. Select Role: Virtual Machine Contributor
  9. Click Save
  10. Click Refresh (it may take a few seconds to update the Portal, so if it is blank - give it 10 seconds and try again).
  11. You have now set up the System Managed identity and granted it the roles necessary to execute the automation.
Setup Abstract API Key

Now we need to create an API key, which will be used in the runbook to start the Virtual Machine, the API key will allow connections to the Abstract API to retrieve public Holliday information.

  1. Create an Abstract API account
  2. Log in to the newly created account
  3. On the left-hand navigation bar, click on Holidays
  4. Click on 'Try it out
  5. Copy the API key
  6. Abstract API - API Key
  7. Copy the API key, as we will need it for the next steps.
Import Runbook

Now that the modules have been imported into your Azure Automation account, it is time to import the Azure Automation runbook.

  1. Log into the Microsoft Azure Portal.
  2. Navigate to your Azure Automation account
  3. Click on Runbooks
  4. Click + Create a runbook
  5. Specify a name (i.e. Start-AzureVirtualMachine)
  6. Select Runbook type of PowerShell
    1. A select Runtime version of: 5.1 (7.1 works as well).
  7. Type in a Description that explains the runbook (this isn't mandatory, but like Tags is recommended, this is an opportunity to indicate to others what it is for and who set it up)
  8. Click Create
  9. Now you will be greeted with a blank edit pane; paste in the Runbook from below:
#requires -Version 3.0 -Modules Az.Accounts, Az.Resources
PowerShell Azure Automation Runbook for Starting/Stopping Virtual Machines.
Luke Murray (
1.0 - 28/04/22 - script versioned to '1.0'.
1. The script first checks if today is a holiday by making a call to the Abstract API.
The Abstract API returns a JSON object containing the holiday name and (optional) description.
The script checks if the name property is null. If it is not null, the script displays a message indicating that today is a holiday.
If the name property is null, the script displays a message indicating that today is not a holiday.
2. The script then checks if the virtual machine is running or not. If it is running, the script will stop the virtual machine.
If it is not running, the script will start the virtual machine, depending on the Shutdown tag value

[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true)]

[Parameter(Mandatory = $true)]

$CountryCode = 'NZ'

$tDate =(Get-Date).ToUniversalTime()
$tz = [System.TimeZoneInfo]::FindSystemTimeZoneById("New Zealand Standard Time")
$Date = [System.TimeZoneInfo]::ConvertTimeFromUtc($tDate, $tz)

$API = Get-AutomationVariable -Name AbstractApiKey
$Holiday = Invoke-WebRequest -Uri ('{0}&country={1}&year={2}&month={3}&day={4}' -f $API, $CountryCode, $Date.Year, $Date.Month, $Date.Day)

$Holidays = $Holiday.Content
$Holidays = $Holidays | ConvertFrom-Json

IF ($null -ne $
Write-Output -InputObject ("Today is a holiday. The Holiday today is: {0}. The Azure Virtual Machine won't be started." -f $
Write-Output -Message 'No holiday today. The Virtual Machine will be started.'

# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process
# Connect to Azure with system-assigned managed identity (Azure Automation account, which has been given VM Start permissions)
$AzureContext = (Connect-AzAccount -Identity).context
Write-Output -InputObject $AzureContext
# set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
Write-Output -InputObject $AzureContext

$vms = Get-AzResource -TagName $TagName -TagValue $TagValue | Where-Object -FilterScript {
$_.ResourceType -like 'Microsoft.Compute/virtualMachines'

Foreach ($vm in $vms)
if ($Shutdown -eq $true)
Write-Output -InputObject "Stopping $($vm.Name)"
Stop-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Force
Write-Output -InputObject "Starting $($vm.Name)"
Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName
  1. Change the country code to align with your own country. You can use the IP geolocation API in Abstract API to do a live test, which will give you your country code. Feel free to amend the Write-Output messages to make sense for your environment.
  2. Click Save
  3. Azure Runbook - PowerShell
  4. Click Publish (so the runbook is actually in production and can be used)
  5. You can select View or Edit at any stage, but you have now imported the Azure Automation runbook!
Setup Variables

Now that the Azure runbook has been imported, we need to set up the variables, which include the API key.

  1. Log into the Microsoft Azure Portal.
  2. Navigate to your Azure Automation account
  3. Click Variables
  4. Click + Add a variable
  5. Create a Variable named: AbstractApiKey (this needs to match the variable name as part of the 'Get-AutomationVariable' cmdlet).
  6. Enter in a description
  7. Select String
  8. Enter in the API key you retrieved earlier from Abstract API.
  9. Azure Automation - Variables
  10. Click Save
Setup Schedule

Now that the variables have been set up, we need to set up the schedule. This is the schedule that will be used to start the Virtual Machine. In the example below we are going to use a Standard Monday -> Friday work week, but adjust the time and date for when you need to start the virtual machine up.

  1. Log into the Microsoft Azure Portal.
  2. Navigate to your Azure Automation account
  3. Click Schedule
  4. Click + Add a schedule
  5. Type in a name for the schedule (ie Azure Virtual Machine - Start).
  6. Type in a Description
  7. Select the Start Date to match when you want to start the Schedule (ie first Monday of the week).
  8. Select your Timezone, so that the script runs on the right time/date which makes your timezone.
  9. For Recurrance, specify: Recurring
  10. Set it to Recur every: 1 Day
  11. Check Monday, Tuesday, Wednesday, Thursday, and Friday
  12. Leave Saturday and Sunday unchecked.
  13. Click Create
  14. Now that the Schedule has been created, we need to bind it to a Runbook
  15. On the Automation account blade, click on Runbooks
  16. Click on your 'Start Azure Virtual Machine' runbook
  17. Select Schedules
  18. Click Add a Schedule
  19. Press: Link a schedule to your runbook
  20. Select your newly created Schedule
  21. For the Tag Name, select Shutdown
  22. For the Tag Value name, Select Yes
  23. For Shutdown, select false
  24. Click Ok
  25. Your schedule has now been configured and the runbook will run the next time it matches your scheduled date and time.
Configure Tags

The runbook is written, so it doesn't need to be adjusted for future machines and making changes on the fly, this relies on each Virtual Machine that you want started to be started using the Runbook to be tagged.

  1. Log into the Microsoft Azure Portal.
  2. Navigate to your Azure Virtual Machine
  3. Click Tags
  4. Add the following tag:
Tag KeyTag Value

Congratulations, the next time your schedule triggers, every runbook with the Shutdown tag will be started, according to your schedule, and workday. If it's a Public Holiday or a Weekend, the Virtual Machine will remain off - saving cost.

Microsoft Azure Naming Conventions

· 8 min read

Accurately representing and naming your resources is essential for security purposes.

In a security incident, it is critical to identify affected systems quickly, what functions those systems support, and the potential business impact.

A useful naming convention composes resource names from important information about each resource. A well-chosen name helps you quickly identify the resource's type, its associated workload, its deployment environment, and the Azure region hosting it.

Some resource names, such as PaaS services with public endpoints or virtual machine DNS labels, have global scopes, so they must be unique across the Azure platform.

There's no one size fits all to Azure naming conventions, it needs to suit your organisation, however, it is worth noting that there are limitations to naming rules to Azure resources.

The use of these limitations and scopes have been used to determine the following naming conventions across associated resources.

CasingName Format

Naming Convention Examples

EnvironmentApplication NameAzure RegionAzure ServiceExample Name
Productionapplication1Australia EastApp Servicecompany-application1-asvc-au-e-prod
Productionapplication1Australia EastApp Service Environmentcompany-application1-ase-au-e-prod
Productionapplication1Australia EastApp Service Plancompany-application1-asp-au-e-prod
Productionapplication1Australia EastApplication Gatewaycompany-application1-agw-au-e-prod
Productionapplication1Australia EastAutomation Accountcompany-application1-aum-au-e-prod
Productionapplication1Australia EastAvailability Setcompany-application1-avs-au-e-prod
Productionapplication1Australia EastAzure Arc enabled Kubernetes clustercompany-application1-arck-au-e-prod
Productionapplication1Australia EastAzure Arc enabled servercompany-application1-arcs-au-e-prod
Productionapplication1Australia EastAzure Cosmos DB databasecompany-application1-cosmos-au-e-prod
Productionapplication1Australia EastAzure Data Factorycompany-application1-adf-au-e-prod
Productionapplication1Australia EastAzure Searchcompany-application1-srch-au-e-prod
Productionapplication1Australia EastAzure SQL Databasecompany-application1-sqldb-au-e-prod
Productionapplication1Australia EastAzure SQL Elastic Poolcompany-application1-sqlep-au-e-prod
Productionapplication1Australia EastAzure SQL Servercompany-application1-sql-au-e-prod
Productionapplication1Australia EastContainer registrycompany-application1-cr-au-e-prod
Productionapplication1Australia EastCosmos DBcompany-application1-cdb-au-e-prod
Productionapplication1Australia EastFunction Appcompany-application1-func-au-e-prod
Productionapplication1Australia EastGateway connectioncompany-application1-cn-au-e-prod
Testapplication1Australia EastIoT Centralcompany-application1-iotc-au-e-test
Testapplication1Australia EastKey Vaultcompany-application1-kv-au-e-test
Testapplication1Australia EastLoad Balancercompany-application1-lb-au-e-test
Testapplication1Australia EastLocal Network Gatewaycompany-application1-lgw-au-e-test
Testapplication1Australia EastLog Analytics workspacecompany-application1-la-au-e-test
Productionapplication1Australia EastMySQL databasecompany-application1-mysql-au-e-prod
Productionapplication1Australia EastNetwork Interfacecompany-application1-nic-au-e-prod
Productionapplication1Australia EastNetwork Security Groupcompany-application1-nsg-au-e-prod
Productionapplication1Australia EastNetwork Security Group Rulecompany-application1-nsg-au-e-prod
Productionapplication1Australia EastPublic IP Addresscompany-application1-pip-au-e-prod
ProductionAustralia EastRecovery Services vaultcompany-rsv-au-e-prod
Productionapplication1Australia EastRecovery Services Vault - Backup policiescompany-application1-rsvp-au-e-prod
Productionapplication1Australia EastResource Groupcompany-application1-rg-au-e-prod
Productionapplication1Australia EastRoute tablecompany-application1-route-au-e-prod
Productionapplication1Australia EastRunbookscompany-application1-run-au-e-prod
Productionapplication1Australia EastService Bus - Namespacecompany-application1-sbns-au-e-prod
Productionapplication1Australia EastSQL Data Warehousecompany-application1-sqldw-au-e-prod
Productionapplication1Australia EastSQL Managed Instancecompany-application1-sqlmi-au-e-prod
ProductionApp1Australia EastStorage Accountcompany-pp1-stg-au-e-prod
Productionapplication1Australia EastSubnetcompany-application1-snet-au-e-prod
Productionapplication1Australia EastSubscriptioncompany-application1-sub-prod
Productionapplication1Australia EastTraffic Manager Profilecompany-application1-tmp-au-e-prod
Productionapplication1Australia EastUser defined route (UDR)company-application1-udr-au-e-prod
Productionapplication1Australia EastVirtual machine scale setcompany-application1-vmss-au-e-prod
Productionapplication1Australia EastVirtual Networkcompany-application1-vn-au-e-prod
Productionapplication1Australia EastVirtual Network Gatewaycompany-application1-vngw-au-e-prod

Azure Naming - Global

Resource Group

EnvironmentApplication NameAzure RegionAzure ServiceExample Name
Productionapplication1Australia EastResource Groupcompany-application1-rg-au-e-prod

Resource Type Codes

Resource TypeShort CodeScopeCharacter Limit
App ServiceasvcGlobal40
App Service EnvironmentaseResource Group38
App Service PlanaspResource Group40
Application GatewayagwResource Group80
Automation AccountaumResource Group50
Availability SetavsResource Group80
Azure Arc enabled Kubernetes clusterarckResource Group63
Azure Arc enabled serverarcsResource Group15
Azure Cosmos DB databasecosmosGlobal63
Azure Data FactoryadfGlobal63
Azure SearchsrchGlobal60
Azure SQL DatabasesqldbServer128
Azure SQL Elastic PoolsqlepServer128
Azure SQL ServersqlGlobal63
Container registrycrGlobal50
Cosmos DBcdbGlobal50
Function AppfuncGlobal40
Gateway connectioncnResource Group80
IoT CentraliotcGlobal63
Key VaultkvGlobal24
Load BalancerlbResource Group80
Local Network GatewaylgwResource Group80
Log Analytics workspacelaGlobal24
MySQL databasemysqlGlobal63
Network InterfacenicResource Group80
Network Security GroupnsgResource Group80
Network Security Group RulensgResource Group80
Public IP AddresspipResource Group80
Recovery Services vaultrsvResource Group50
Recovery Services Vault - Backup policiesrsvpvault50
Resource GrouprgGlobal64
Route tablerouteResource Group80
RunbooksrunAutomation Account63
Service Bus - NamespacesbnsGlobal50
SQL Data WarehousesqldwGlobal63
SQL Managed InstancesqlmiGlobal63
Storage AccountstgGlobal24
SubnetsnetVirtual Network80
Traffic Manager ProfiletmpResource Group63
User defined route (UDR)udrResource Group80
Virtual MachinevmResource Group15
Virtual machine scale setvmssResource Group15
Virtual NetworkvnResource Group63
Virtual Network GatewayvngwResource Group80

Environment Names

Environment NameLong Code

Azure Regions

Azure RegionGeo Short CodeDatacentre Short CodeShort Code
East USuseus-e
East US 2use2us-e2
Central USuscus-c
North Central USuscnus-cn
West Central USuscwus-cw
West USuswus-w
West US 2usw2us-w2
Australia Eastaueau-e
Australia Southeastauseau-se
Australia Centralaucau-c
New Zealand Northnznnz-n