Azure Hybrid Management & Security: What’s New and Insights from the Field – September 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Starting September 30, 2025, Azure App Service on Azure Arc-enabled Kubernetes will be retired and it will no longer be possible to install the extension. To continue hosting application workloads, Microsoft recommends migrating to alternative solutions such as Azure Container Apps on Azure Arc-enabled Kubernetes, which also enables you to leverage Logic Apps Hybrid. A timely assessment and migration plan is recommended to ensure completion by the deadlines, minimizing risks and service disruptions in hybrid and multicloud environments.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Malware automated remediation in Defender for Storage (preview): the automated remediation feature for Defender for Storage malware scanning is now available in public preview. When on-upload or on-demand scans detect malicious blobs, the contents can be soft-deleted automatically. This ensures immediate isolation while maintaining recoverability for forensic analysis purposes. The setting can be toggled at the subscription or storage account level from the Microsoft Defender for Cloud blade in the Azure portal, or via API.
  • Refined attack paths: attack paths have been improved to reflect realistic risks that an adversary could use to compromise the organization. The new experience emphasizes external entry points and the attacker’s progression toward business-critical assets, providing greater clarity, focus, and prioritization. This enables security teams to respond more quickly and confidently to the most critical exposures.
  • Trusted IPs for Internet exposure analysis: Defender for Cloud allows you to define trusted IP ranges to reduce false positives in Internet exposure analysis. Resources that are only reachable from trusted IPs are classified as trusted and, as a result, Defender for Cloud does not generate attack paths for those resources.
  • Exposure width for Internet exposure analysis (GA): the Exposure width metric is now Generally Available in Microsoft Defender for Cloud. This capability shows how a resource is exposed to the Internet based on network rules, helping security teams quickly identify and remediate the most critical attack paths.
  • Trivy dependency scanning for code repositories (update): Defender for Cloud now includes open-source dependency scanning based on Trivy in filesystem mode, to automatically detect operating system and library vulnerabilities in GitHub and Azure DevOps repositories.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Files (Premium)

With Azure Backup, “in-vault” protection is now available for Premium shares as well, ensuring business continuity and compliance even in the event of accidental deletions, malicious activity, or ransomware. Vaulted backup keeps a secure, off-site copy of the data, independent of the source account.

Key capabilities of vaulted backup:

  • Off-site protection: stores an independent copy of data in the vault, enabling restore even if the source account is lost or compromised. You can restore to the original account or to an alternate account.
  • Resilience to deletions and attacks: isolated backups that protect against accidental deletions, insider threats, and ransomware, ensuring operational continuity.
  • Automatic and flexible backups: support for daily/weekly schedules, or on-demand backups when needed.
  • Long-term retention: ability to retain backup data for up to 99 years, meeting compliance and archiving requirements.
  • Security by design: safeguards such as soft delete, immutability, encryption, and multi-user authorization protect data in the vault from tampering or misuse.

Azure Site Recovery

Support for virtual machines with Premium SSD v2 disks

General availability has been announced for Azure Site Recovery (ASR) support for virtual machines that use Premium SSD v2 disks. ASR enables replication across Azure regions and from on-premises to Azure, automated failover, and non-disruptive disaster recovery testing, helping ensure business continuity with built-in security, compliance, and native integration with Azure services. Premium SSD v2 delivers low latency and consistent performance, with the flexibility to scale throughput and IOPS independently—an ideal combination for enterprise workloads such as SQL Server, Oracle, SAP, and big data.

Monitoring

Azure Monitor

Azure Resource Manager: new metrics in Azure Monitor

Azure Resource Manager (ARM) introduces enhanced integration with Azure Monitor Metrics at the subscription level, enabling deeper visibility into traffic, latency, and throttling of control-plane operations. Metrics are accessible via REST API, SDKs, or directly from the Azure portal, with no opt-in required. New dimensions are also available for advanced analysis and filtering: operation type (read/write/delete), ARM request region, HTTP method, HTTP status code, status code class (2xx, 4xx, 5xx), resource type, and resource provider namespace.
These enhancements strengthen troubleshooting, capacity planning, and governance, simplifying granular monitoring of complex, distributed environments.
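As an added illustration of how these subscription-level metrics can feed a simple throttling check (this is example code written for this article, not Microsoft's or the Azure SDK's own code), the script below reads a metrics response in the shape returned by the Azure Monitor metrics REST API (value[].timeseries[].metadatavalues/data), sums ARM traffic per resource provider namespace, and flags providers whose share of HTTP 429 responses exceeds a threshold. The response content is constructed inline; the metric name "Traffic" and the dimension names "Namespace" and "StatusCode" are assumptions derived from the dimensions listed above, so confirm them against the metric definitions in your own subscription before reusing the logic.

```python
"""Triage ARM control-plane throttling from Azure Monitor metric data (added example)."""
from collections import defaultdict

# Constructed sample in the shape of an Azure Monitor metrics REST response
# (value[].timeseries[].metadatavalues/data). The metric name "Traffic" and the
# dimension names "Namespace"/"StatusCode" are assumptions, not values copied
# from a live tenant; adjust them to the metric definitions you actually see.
SAMPLE_RESPONSE = {
    "value": [
        {
            "name": {"value": "Traffic"},
            "timeseries": [
                {
                    "metadatavalues": [
                        {"name": {"value": "Namespace"}, "value": "Microsoft.Compute"},
                        {"name": {"value": "StatusCode"}, "value": "200"},
                    ],
                    "data": [{"timeStamp": "2025-09-01T00:00:00Z", "count": 900},
                             {"timeStamp": "2025-09-01T00:01:00Z", "count": 850}],
                },
                {
                    "metadatavalues": [
                        {"name": {"value": "Namespace"}, "value": "Microsoft.Compute"},
                        {"name": {"value": "StatusCode"}, "value": "429"},
                    ],
                    "data": [{"timeStamp": "2025-09-01T00:00:00Z", "count": 100},
                             {"timeStamp": "2025-09-01T00:01:00Z", "count": 150}],
                },
                {
                    "metadatavalues": [
                        {"name": {"value": "Namespace"}, "value": "Microsoft.Storage"},
                        {"name": {"value": "StatusCode"}, "value": "200"},
                    ],
                    "data": [{"timeStamp": "2025-09-01T00:00:00Z", "count": 500}],
                },
                {
                    "metadatavalues": [
                        {"name": {"value": "Namespace"}, "value": "Microsoft.Storage"},
                        {"name": {"value": "StatusCode"}, "value": "429"},
                    ],
                    # A data point with no count is a gap in the series, not a zero.
                    "data": [{"timeStamp": "2025-09-01T00:00:00Z", "count": None}],
                },
            ],
        }
    ]
}


def dimensions(series):
    """Flatten a time series' metadatavalues into a {dimension: value} dict."""
    return {m["name"]["value"]: m["value"] for m in series.get("metadatavalues", [])}


def summarize_traffic(response, metric="Traffic"):
    """Return {namespace: {"total": n, "throttled": n}} summed over all data points.

    Gaps in the series (count is None) contribute nothing to the sums.
    """
    totals = defaultdict(lambda: {"total": 0, "throttled": 0})
    for metric_entry in response.get("value", []):
        if metric_entry["name"]["value"] != metric:
            continue
        for series in metric_entry.get("timeseries", []):
            dims = dimensions(series)
            namespace = dims.get("Namespace", "<unknown>")
            status = dims.get("StatusCode", "")
            count = sum(point.get("count") or 0 for point in series.get("data", []))
            totals[namespace]["total"] += count
            if status == "429":
                totals[namespace]["throttled"] += count
    return dict(totals)


def throttled_namespaces(response, threshold=0.05):
    """Return [(namespace, ratio)] for providers whose 429 share exceeds threshold,
    highest ratio first. Namespaces with no traffic are skipped."""
    flagged = []
    for namespace, counts in summarize_traffic(response).items():
        if counts["total"] == 0:
            continue
        ratio = counts["throttled"] / counts["total"]
        if ratio > threshold:
            flagged.append((namespace, round(ratio, 3)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for namespace, ratio in throttled_namespaces(SAMPLE_RESPONSE):
        print(f"{namespace}: {ratio:.1%} of ARM requests throttled (HTTP 429)")
```

In practice you would replace SAMPLE_RESPONSE with the JSON returned for the subscription's metrics and run the check on a schedule; a provider that suddenly crosses the threshold is a good early signal of a runaway automation loop or a misbehaving deployment pipeline before it shows up as failed operations.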

High Scale mode for Azure Monitor – Container Insights

Microsoft announces general availability of the High Scale mode in Container Insights, the Azure Monitor solution for collecting logs from Azure Kubernetes Service (AKS) clusters. Enabling High Scale applies a set of configuration optimizations automatically that significantly increase collection throughput, without requiring customer intervention or additional parameters. This mode supports higher telemetry loads in AKS clusters, improving observability and time-to-analysis in large-scale environments, including hybrid and multicloud scenarios integrated with Azure Arc.

Azure Managed Service for Prometheus: native Grafana dashboards in the Azure portal (preview)

Public Preview is available for the native, no-additional-cost integration of Grafana dashboards within the Azure portal for Azure Managed Service for Prometheus. With this update, you can quickly use and customize Grafana dashboards directly in the portal, avoiding the need to deploy and maintain dedicated Grafana instances or additional Azure resources. The integration streamlines observability and reduces administrative overhead, accelerating the creation of visualizations useful for monitoring and troubleshooting containerized and distributed workloads.

Conclusions

This month’s updates—from the retirement of App Service on Arc-enabled Kubernetes and the need to plan that migration in advance, to the Defender for Cloud improvements (automated remediation, more realistic attack paths, trusted IPs, and Exposure width in GA), and on to the resilience advancements with Azure Backup for Files Premium and ASR for Premium SSD v2—all converge on the same goal: reducing attack surface, increasing workload reliability, and simplifying operations at scale. On the monitoring front, the enriched ARM metrics, Container Insights’ High Scale mode, and the “native” Grafana dashboards in Managed Prometheus raise the bar for transparency and time-to-insight without adding complexity. My call to action is to turn these guidelines into concrete steps: assess and begin migrating off retiring assets, recalibrate security policies by leveraging the new prioritization and remediation capabilities, extend “in-vault” backup policies where needed, and standardize monitoring practices by adopting the latest metrics and dashboards.
