Summary: Bryan Zink, one of our esteemed Senior Microsoft Premier Field Engineers based in the US, dives into the details of what you need to do to get ready for RAP as a Service for Active Directory in order to optimize your experience with this exciting new toolset and offering from Microsoft Services. This is the first of a three part series from Bryan, so there’s more great stuff forthcoming. Enjoy!
Bryan here again to unpack RAP as a Service for Active Directory (RAP as a Service-AD) just a bit more. This is the first in a series to help you be prepared to get and make the most of your RAP as a Service experience. In a previous post I gave some insight into where RAP as a Service for AD came from, how it works and why it matters. In this post, we’ll look briefly at how you can be ready to get out of the experience. Part two will dig into the Data Collection and Submission process in much more detail. Part three will share some guidance on making the most of RAP as a Service AD after you receive the results and recommendations from Microsoft.
Before it all begins
Start by taking a quick look at the current details such as what size environment RAP as a Service-AD can assess. You’ll find that information spelled out on the Public facing RAP as a Service-AD site.
All of the current RAP as a Service services pre-requisites documents can be found here. Feel free to take a look now.
You might also be interested to know how any data you submit is handled by the RAP as a Service-AD process. Those details are also posted on the Public RAP as a Service site here.
As mentioned in my previous post in the How it Works section, you know the analysis all happens in the Azure Cloud. You need to also make sure you have proper connectivity so the RAP as a Service Client can get to and fully submit data.
Ensure access to https://services.premier.microsoft.com
Access to https://ppas.uservoice.com for access to the Support Forum and Knowledge Base Articles.
The other thing to be most concerned about prior to the start of a RAP as a Service-AD is the type of connectivity the toolset will expect in your environment. To get a quick look, Microsoft publishes the Risk and Health Assessment Program for Active Directory (ADRAP) – Scoping Tool which currently is available for free download here. Yes, I know, some of you are now thinking “Hey, this tool says ADRAP and you told us RAP as a Service-AD replaced the ADRAP.” You would be correct. At the moment, this scoping tool can still be used just to verify connectivity in your environment that will properly support data collection so go get it and run it to double check things.
OK, now that you’re almost ready, let’s take a quick look at how the data collection process works.
Step 1: Once it’s all scheduled, you’ll receive an email with a bunch of details related to pre-requisites etc. This email will also contain details to sign-in to the Online Services portal to activate the engagement. This requires a Microsoft Account referenced earlier in the article.
Step 2: Download and install the RAP as a Service Client directly from the Online Services portal. Make a note, the “download & run” link is where you will regularly update the RAP as a Service Client during the lifecycle of your usage time.
Step 3: Launch the RAP as a Service Client and start the collection process. You’ll notice right away, the client is intended to be streamlined for the collection process. If you’ve previously made sure all of the pre-requisites are in place and you know connectivity is not a problem, the data collection phase will be pretty smooth. At the present time, the performance sampling runs for about an hour so no need to just watch it collect.
Once the data collection process is complete, you really only have a couple of options. You can either Export the collected data or you can Submit. For almost all of you reading this, you’ll be Submitting data now. Just below, we’ll take a really quick look at the Export function.
Internet connectivity is required to submit the collected data to Microsoft so ensure access to *.accesscontrol.windows.net — URL is used to authenticate the data submission before accepting it.
By clicking the Submit button, you’re sending the collected data up to the Azure Cloud to be analyzed against the existing set of rules. In parts 2 and 3 of this series, we’ll look more into viewing this data and what you should be doing with it.
Now a quick word about exporting data. There will be certain circumstances where the data collection machine (or even the analyzed AD Forest) may not have connectivity to the Internet. If you’re in that scenario, you’ll need to install the RAP as a Service Client onto a second machine that DOES have Internet access. If this is you, just make sure this second machine has the connectivity noted earlier in this article.
So, once you’ve exported data from the data collection machine, get the Export Package copied over to your new RAP as a Service Client machine. From here, you’ll start the RAP as a Service Client and Import an Existing assessment and then Submit.
There will be more detail on this “alternate submission” process in part two of this series.