Azure Hybrid Management & Security: What’s New and Insights from the Field – April 2025

With this article, I’m launching a new monthly series focused on the management and security of hybrid and multicloud environments with Azure, which takes over from the previous “Azure Management Services: What’s New” series.

The evolution of IT architectures and the growing adoption of hybrid models require a shift in how we approach operations, governance, and resource protection. Tools like Azure Arc, the integration of Artificial Intelligence into management processes, and new models for automation now form the foundation for modern, scalable IT control.

This new series, “Azure Hybrid Management & Security: What’s New and Insights from the Field”, is designed to follow this transformation closely. Every month, I will share:

  • the most relevant updates and announcements from Microsoft;

  • a selection of hands-on recommendations and field-proven practices;

  • a focus on the key tools that enable effective and secure management.

The goal is twofold: to keep you up to date, and to offer practical guidance for architects, IT leaders, and operational teams dealing with complex and distributed environments.

The key areas we will cover in this series, along with the corresponding tools and services, include:

🔹 Hybrid and multicloud environment management – with Azure Arc, which extends policy, security, management, and automation capabilities to on-premises and multicloud resources.

🔹 AI and intelligent automation – enabled by Microsoft Copilot in Azure, AIOps capabilities, and predictive tools to streamline operations and support smarter decision-making.

🔹 Security posture across hybrid and multicloud infrastructures – using Microsoft Defender for Cloud and other native services for vulnerability management and advanced threat protection.

🔹 Governance and policy management – leveraging tools such as Azure Policy, Azure Cost Management, and Resource Graph to ensure control, standardization, and cost/resource optimization.

🔹 Update & Patching – through Azure Update Management, Azure Automation, and native patching capabilities across Azure Arc-enabled environments.

🔹 Backup & Resilience – using Azure Backup and Azure Site Recovery to ensure business continuity, data protection, and disaster recovery.

🔹 Monitoring – with tools like Azure Monitor, Log Analytics, and Application Insights for comprehensive visibility and effective troubleshooting.

AI and intelligent automation

Microsoft Copilot in Azure

Microsoft Copilot in Azure is now available!

Microsoft has announced the general availability of Copilot in Azure, marking a significant milestone in the evolution of intelligent cloud management. Copilot in Azure introduces an AI-based assistant that leverages Large Language Models (LLMs), the Azure control plane, and real-time information from the user’s environment. This enables the optimization of operational tasks, improved productivity, and full realization of the benefits offered by the cloud. With its production release, users can now enjoy enhanced performance, greater response accuracy, and full localization support across all languages of the Azure portal. The currently available features come at no additional cost, although Microsoft has indicated that future enhancements may introduce a pricing model. To ensure fair and sustainable use, protective mechanisms such as temporary throttling in case of excessive use of generative services have been implemented.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Threat Detection in Azure Backup with Microsoft Defender for Cloud (Private Preview)

A new Threat Detection feature for Azure Backup, integrated with Microsoft Defender for Cloud (MDC), has been released in Private Preview. This innovative capability allows for the assessment of the health status of Azure VM recovery points (RPs), distinguishing between secure and potentially compromised restore points. The analysis relies on signals from real-time scans performed by Microsoft Defender for Endpoint (MDE), as part of Microsoft Defender for Servers plans. Azure Backup uses behavioral and heuristic signals detected by MDE to identify anomalies that may indicate the presence of ransomware in backup data.

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is under continuous development, with improvements introduced on an ongoing basis. To help customers keep track of these changes, Microsoft maintains a dedicated “What’s new” page listing new features, bug fixes, and deprecated features. This month’s main news includes:

  • AI Posture Management in GCP Vertex AI (Preview): support has been extended to AI workloads on Google Cloud Platform (GCP) via Vertex AI. Key features introduced include:
      ◦ Automatic discovery of AI components, data, and artifacts.
      ◦ Detection of misconfigurations with integrated suggestions and remediation actions.
      ◦ Attack path analysis to identify and mitigate security risks.

  • Integration with Mend.io (Preview): a new integration designed to enhance application security by identifying and mitigating vulnerabilities in third-party software dependencies.

  • GitHub Permissions Update: GitHub connectors can now request administrative permissions for Custom Properties, useful for enabling new contextualization capabilities. Permissions can be granted:
      ◦ Directly from the GitHub Apps section in the organization settings.
      ◦ Or via an automated email from GitHub Support.

  • Defender for SQL Server on Machines Plan Update: a new lightweight agent has been introduced, which no longer requires the Azure Monitor Agent. This simplifies onboarding and improves coverage. Note: after the update, costs may increase if additional SQL Server instances are protected.

  • New Malware Scanning Limit in Defender for Storage: the default limit for on-upload malware scanning has been increased from 5,000 GB to 10,000 GB per month. This applies to:
      ◦ New subscriptions
      ◦ Reactivated subscriptions
    The limit can be customized based on specific needs.

  • API Security Posture Management (General Availability): this capability is now generally available (GA) within the Defender CSPM plan. Key features include:
      ◦ Unified API inventory
      ◦ Identification of new risk types, such as unauthenticated or unencrypted APIs
      ◦ Mapping of exposed APIs via Azure API Management to Kubernetes Ingress and VMs
      ◦ Support for Attack Path Analysis to better manage and mitigate risks

  • Improvements to Defender for App Service Alerts (effective April 30, 2025):
      ◦ New alerts introduced for suspicious code execution and access to internal or remote endpoints
      ◦ Detection optimized to reduce false positives
      ◦ Deprecated alert: “Suspicious WordPress theme invocation detected”
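As an added illustration of the customizable malware scanning cap (example code written for this post, not taken from Microsoft documentation), the following Bicep fragment sets the Defender for Storage settings explicitly at storage-account level; the storage account name and the Event Grid topic resource ID are placeholders.

```bicep
// Added example: per-account Defender for Storage settings with an explicit
// on-upload malware scanning cap. 'stgexample' is a placeholder account name.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: 'stgexample'
}

resource defenderForStorage 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storage
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        // Monthly cap in GB. 10,000 matches the new default for new and
        // reactivated subscriptions; a different value here applies to this
        // account only. Once the cap is reached, further uploads are not
        // scanned until the next month, so size it to the expected ingest.
        capGBPerMonth: 10000
      }
      // Optional: publish scan verdicts to an Event Grid topic so that an
      // automated response (quarantine, alerting) can act on them.
      // Placeholder resource ID.
      scanResultsEventGridTopicResourceId: '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.EventGrid/topics/<topic>'
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    // Required for these account-level values to take precedence over the
    // subscription-level plan settings.
    overrideSubscriptionLevelSettings: true
  }
}
```

Deploy it at resource-group scope with `az deployment group create`; the account-level cap is a useful control when a single high-ingest account would otherwise exhaust the subscription-wide scanning budget.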

Governance and policy management

Azure Cost Management

AKS Cost Optimization with Azure Advisor

Azure Advisor introduces a new feature designed to support cost optimization in Azure Kubernetes Service (AKS) clusters. Thanks to AKS-specific recommendations, it is now possible to identify concrete saving opportunities through actionable suggestions based on container cost management best practices. The recommendations are tailored to the cluster’s configuration and cover key scenarios such as rightsizing, autoscaling, consumption visibility, and SKU selection.

Environmental Sustainability

New Enhancements for Carbon Optimization in Azure (Preview)

The Carbon Optimization feature in Azure is enriched with new capabilities in Public Preview, aimed at improving the analysis and visibility of emissions data generated by cloud workloads. Key updates include a new version of the API (2024-02-01-preview), which surpasses the previous limit of 5,000 items, enabling the processing of much larger datasets for in-depth analysis. Additionally, the access model has been expanded: users with the Subscription Reader role can now view emissions data, promoting a more collaborative approach to sustainability. Another important update involves the categorization of emissions: data is now organized by resource type (e.g., virtual machines or Azure Data Explorer) rather than by service, offering more useful granularity to identify critical areas. Finally, new filters by resource type and geographic region make it easier to focus on specific segments of the infrastructure for environmental optimization.

Backup & Resilience

Azure Backup

Backup for Azure File Share in AKS with Azure Backup (Private Preview)

Microsoft has announced the start of the Private Preview for backup support of Persistent Volumes based on Azure File Share in Azure Kubernetes Service (AKS) environments. This new feature extends protection coverage for stateful workloads running on AKS, adding support for SMB-based Azure File Shares in addition to the existing support for Azure Disks.
Through snapshot-based backup mechanisms, it’s now possible to enable application-level protection for a broader range of workloads, maintaining an instant backup and restore experience with retention of up to 30 days.

Vaulted Backup for Azure Data Lake Storage (Public Preview)

Vaulted backup for Azure Data Lake Storage is now available in Public Preview, enabling more comprehensive and resilient data protection using Azure Backup vaults. The vault stores recovery points over time and allows for the definition of a backup schedule (daily or weekly), with retention options of up to 10 years to meet the most stringent compliance requirements.
This new feature introduces an effective off-site copy strategy, safeguarding backups from accidental deletion or malicious attacks through source-data isolation, soft-delete, immutability, and data encryption. In the event the source storage is compromised, recovery can be performed on an alternate account, ensuring business continuity even in critical scenarios.

Azure Site Recovery

Shared Disk Protection

Azure Site Recovery for Shared Disk is now generally available, enabling protection, monitoring, and recovery of workloads running on Windows Server Failover Clusters (WSFC) hosted on Azure virtual machines with shared disks. This new capability extends business continuity and disaster recovery options to mission-critical scenarios such as SQL Server with Failover Cluster Instance (FCI), SAP ASCS, and Scale-out File Server.
The feature supports Windows Server 2016 and later, up to four nodes per cluster, and allows an unlimited number of shared disks per environment. Additionally, support for high write-frequency scenarios and PowerShell integration ensures scalable and automated management. This represents a significant advancement for organizations looking to implement advanced disaster recovery solutions in complex and distributed Azure environments.

Monitoring

Azure Monitor

I/O Performance Analysis for SQL Server on Azure Virtual Machines

I/O performance analysis for SQL Server running on Azure virtual machines is now available. This feature enables the identification and resolution of I/O-related bottlenecks. From the Azure portal, users can view detailed metrics and receive operational guidance to improve SQL Server instance performance, particularly when delays are caused by disk or VM throttling.
This feature allows immediate assessment of storage health and application of best practice rules. When no issues are detected, a green visual indicator is shown; otherwise, the system identifies the impact level and the exact moment of the anomaly, which may relate to disk or cache latency. It is also possible to run a subset of SQL Server best practice assessment rules and compare results over time, gaining a useful historical perspective for performance tuning.

Monitoring Java and Node.js Microservices on AKS (Preview)

A new integration between Azure Monitor Application Insights and Java and Node.js microservices deployed on AKS is now available in Public Preview. This enables automatic monitoring without any code changes.
Thanks to auto-instrumentation built into the AKS cluster, immediate visibility into Java and Node.js applications running on Linux nodes is now possible, using specific libraries. Log data, metrics, and tracing—compliant with the OpenTelemetry standard—are sent directly to the Application Insights resource.
This integration also allows application telemetry to be linked with infrastructure signals through OpenTelemetry Resource attributes, simplifying root cause analysis and improving correlation with Container Insights data. The result is faster and more effective application performance diagnostics.

Conclusions

The growing complexity of IT environments—now increasingly hybrid and distributed—requires an evolved approach to management and security. With this new monthly column, Azure Hybrid Management & Security: updates and field insights, I aim to provide a reliable reference point for navigating updates, tools, and best practices, with a practical and concrete focus.
The proposed insights not only help keep pace with Microsoft’s ongoing innovations but are especially designed to support IT professionals in the conscious adoption of scalable, secure, and sustainable solutions. I encourage you to follow this article series regularly to stay up to date and more effectively tackle the challenges of multicloud management.
