Christoph Vollmann

Azure, Office 365 and SharePoint from a consultant perspective

Save money using Azure Hybrid Benefit for your VMs

What is the Hybrid (Use) Benefit?

Azure Hybrid Benefit (a.k.a. Azure Hybrid Use Benefit or HUB) is an offer by Microsoft for (re)using existing on-premises licenses for Windows Server or SQL Server on Azure if they are under Software Assurance.

There are a few rules in place as to when and if you’re eligible for this.

A short excerpt from the Azure Hybrid Use FAQ regarding Windows Server:

Each 2-processor license or each set of 16-core licenses, Datacenter or Standard Editions, are entitled to two instances of up to 8 cores, or one instance of up to 16 cores. Datacenter Edition licenses allow for simultaneous usage both on-premises and in Azure. Standard Edition licenses must be used either on-premises or in Azure, although customers get 180 days of concurrent use rights while they are migrating their servers.

In the end, you only pay the Linux price of a virtual machine (only Compute costs), without the added minute price for the Windows Server license.

How can I use Hybrid Benefit for my VM?

You can activate this benefit while deploying your VM from the Portal.

Activate Azure Hybrid Use while deploying your VM

If you’re deploying your VM via PowerShell or Azure CLI you have to provide the “LicenseType” parameter.

Here is an example creating a new Windows Server 2016 VM with activated Hybrid Benefit.

New-AzVM `
    -ResourceGroupName "rg-workload1" `
    -Name "vm-srvwithhub" `
    -Location "West Europe" `
    -ImageName "Win2016Datacenter" `
    -LicenseType "Windows_Server"

How can I see how many VMs are using Hybrid Benefit?

It’s really just a parameter on the VM. So you can easily query all VMs within your subscription and look at the “LicenseType” parameter.

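# List all VMs in the current subscription that have Hybrid Benefit enabled,
# together with their hardware profile (VM size)
Get-AzVM |
    Where-Object { $_.LicenseType -like "Windows_Server" } |
    Select-Object ResourceGroupName, Name, LicenseType -ExpandProperty "HardwareProfile"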

Be sure to also view and export the hardware size to determine exactly how many Windows Server licenses you are using.

For how many VMs may I activate the Hybrid Benefit?

Use this calculator to get your maximum server count with activated HUB:

Hybrid Benefit Calculator for Windows Server VMs

I hope this helps you to save further (also unnecessary) costs in Azure.

Export your Azure inventory as CSV files

You can always use the Azure portal to export all your resources to one CSV file (Use the “All resources” blade and then click “Export to CSV”).

Script for exporting your inventory

Or you can use this script to export your Azure inventory. It builds different CSV files for each subscription with resources.

After downloading open your favorite PowerShell and type


Marketplace resources vs. CSP contracts

It also creates a CSV file that contains only your marketplace items. This is most useful if you change your Azure contract model.

For example, if you switch from EA/SCE or Pay-As-You-Go to a CSP contract, some of the marketplace resources aren’t available yet in CSP.

You can send these files to your CSP provider to give them an overview of your Azure environment and then discuss with them whether all your resources will be available.


Download ZIP file

or view the repository on GitHub:

I’ve tested this with:

  • PowerShell 5.1
  • PowerShell 6.0 Core
  • Azure Az Module Version 3.3.0

Don’t hesitate to contact me if you have questions or ideas for this script.

What are the default security settings for an Azure VNet?

My client has asked me in our workshop:

What are the default security settings for an Azure VNet?

On an Azure VNet you cannot initially apply things like a Network Security Group, only things like allowed services (via Service endpoints or Private endpoints). So there are no default security settings except those that Microsoft itself always applies (e.g. DDoS Protection).

However, each VNet consists of at least one subnet. Network Security Groups (NSGs) can (and should) then be applied at the subnet level.

What’s a Network Security Group?

An NSG contains security rules in the form of a 5-tuple ACL.
So you define source IP (or IP range), destination IP (or IP range), source port, destination port and protocol (TCP or UDP). Furthermore you define the action – Allow or Deny.

The order of evaluation is determined by priority. A higher priority (lower number) means that the rule wins over a rule with lower priority, because evaluation stops at the first rule that matches.

What are the default rules?

Default Network Security Group rules

For outgoing connections you’ll find these rules:

  • Allow any outgoing connections to other resources in the same VNet
  • Allow any outgoing connections to the Internet
  • Everything else outgoing? Deny

For incoming connections you’ll find these rules:

  • Allow any incoming connections from other resources in the same VNet
  • Allow any connections from Azure Load Balancer probes
  • Everything else incoming? Deny

“Unwritten rule” – Port 25

Port 25 (used for sending emails over SMTP) is blocked by default if you’re not on an EA contract or your agreement was made after November 2017. If you want to send mail from your VMs over port 25, you’ll have to open a support case with Microsoft.
Why does this rule exist? I think that Microsoft wants to prevent spambots from running in Azure on a large scale and messing up the entire IP address space.

Should I adjust these default rules?

It depends (of course). For example, if you don’t want your resources in this VNet to communicate directly with the Internet, you have to adapt this rule.
Very often a rule is also set up that opens the RDP port for Windows or SSH for Linux. For this you should rather use modern methods like Azure Bastion or Just-in-time Access.
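
The priority ordering, the default inbound rules and the RDP/SSH advice above, as an added example that is not part of the original post: an evaluator over constructed rule objects that shows which rule decides a connection from the Internet, with and without a custom RDP allow rule. The helper names (New-Rule, Test-PortInRange, Get-NsgDecision) and the Allow-RDP-Internet rule are assumptions, and sources are compared by tag name only rather than by IP range.

```powershell
# Added example with constructed rules. Property names mirror the rule objects
# returned by Get-AzNetworkSecurityGroup; sources are matched by tag name only.
function New-Rule($Name, $Priority, $Access, $Protocol, $Source, $Ports) {
    [pscustomobject]@{
        Name = $Name; Priority = $Priority; Direction = 'Inbound'; Access = $Access
        Protocol = $Protocol; SourceAddressPrefix = @($Source); DestinationPortRange = @($Ports)
    }
}

# True if $Port falls into any entry such as '*', '3389' or '3000-4000'.
function Test-PortInRange([string[]]$Ranges, [int]$Port) {
    foreach ($range in $Ranges) {
        if ($range -eq '*') { return $true }
        $low, $high = $range -split '-'
        if (-not $high) { $high = $low }
        if ($Port -ge [int]$low -and $Port -le [int]$high) { return $true }
    }
    return $false
}

# Walk the inbound rules from the lowest priority number upwards; the first match decides.
function Get-NsgDecision($Rules, [string]$Source, [int]$Port, [string]$Protocol) {
    foreach ($rule in ($Rules | Where-Object Direction -eq 'Inbound' | Sort-Object Priority)) {
        $sourceMatch = ($rule.SourceAddressPrefix -contains '*') -or
                       ($rule.SourceAddressPrefix -contains $Source)
        $protoMatch  = $rule.Protocol -in @('*', $Protocol)
        if ($sourceMatch -and $protoMatch -and (Test-PortInRange $rule.DestinationPortRange $Port)) {
            return [pscustomobject]@{
                Port = $Port; Access = $rule.Access; Rule = $rule.Name; Priority = $rule.Priority
            }
        }
    }
}

# The three default inbound rules every NSG carries.
$defaultRules = @(
    New-Rule 'AllowVnetInBound'              65000 'Allow' '*' 'VirtualNetwork'    '*'
    New-Rule 'AllowAzureLoadBalancerInBound' 65001 'Allow' '*' 'AzureLoadBalancer' '*'
    New-Rule 'DenyAllInBound'                65500 'Deny'  '*' '*'                 '*'
)
# Constructed custom rule of the kind the post warns about: RDP open to the Internet.
$withRdpRule = $defaultRules + (New-Rule 'Allow-RDP-Internet' 300 'Allow' 'Tcp' 'Internet' '3389')

# Which rule decides RDP (3389) and SSH (22) traffic arriving from the Internet?
foreach ($adminPort in 3389, 22) {
    Get-NsgDecision $defaultRules 'Internet' $adminPort 'Tcp'
    Get-NsgDecision $withRdpRule  'Internet' $adminPort 'Tcp'
}
```

The same property names appear on the rule objects in the SecurityRules and DefaultSecurityRules collections of a network security group returned by Get-AzNetworkSecurityGroup; matching real CIDR prefixes would need an IP-range comparison that this example leaves out.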

Learn more

Microsoft Docs about Network Security Groups

4 useful sites for your next Azure Workshop

Besides the Azure Portal of course, there are some useful and nicely done websites that I use during my workshops. Maybe they are also helpful for your next meeting.

Azure Charts

This site from Alexey Polkovnikov gives you a great overview over all Azure services and their latest updates. At this moment the region comparison tool is very useful to me. I use it for example to show my customers what services are still missing in the new Germany datacenters compared to West Europe.

Azure Speed

If my customers ask me about the “best” Azure region for their workloads from their location, I’ll open up Azure Speed and then discuss it with them.

When talking about different prices for the same service in each region, I’m opening and show them the difference in VM pricing.

AAD Application Proxy Port Check

“Are we ready for AAD App Proxy?” – Start with checking the connections from your designated server. It’s a nice starting point. 

If you have more useful sites, let me know!

SharePoint 2016 Feature Pack 1: Enabling the modern OneDrive for Business

After installing Feature Pack 1 for SharePoint 2016, my customer was looking forward to a fresh OneDrive interface for his users. No such luck. He still saw the classic OneDrive.

To enable the new version, three simple lines of PowerShell helped:

$farm = Get-SPFarm
$farm.OneDriveUserExperienceVersion = [Microsoft.SharePoint.Administration.OneDriveUserExperienceVersion]::Version2
# Persist the change to the farm configuration
$farm.Update()

For comparison, the old OneDrive:

And here is the new OneDrive:

Important note: not everyone is allowed to enable this feature

You need a Microsoft agreement with active Software Assurance for SharePoint while you have this feature enabled. So if you purchased your SharePoint Server licenses without Software Assurance, you may not enable the modern OneDrive, or you must disable it (simply enter [Microsoft.SharePoint.Administration.OneDriveUserExperienceVersion]::Version1 in the script above).


© 2020 Christoph Vollmann