Azure Hybrid Management & Security: What’s New and Insights from the Field – November 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Decommissioning of Windows Server 2022 on Azure Arc–enabled Azure Kubernetes Service

Microsoft has announced the decommissioning of Windows Server 2022 on Azure Kubernetes Service (AKS) enabled by Azure Arc, effective from October 2026. Following this change, customers who are using node pools based on Windows Server 2022 in Azure Arc–enabled AKS clusters are encouraged to proactively plan migration to supported alternatives before the retirement date. After October 2026, Windows Server 2022 on Azure Arc–enabled AKS will no longer receive updates or security fixes, and new deployments based on this operating system will no longer be supported.

The announcement confirms Microsoft’s focus on modern, cloud-ready platforms and operating system images optimized for containers, targeting Kubernetes scenarios both in Azure and in hybrid environments through Arc. Organizations therefore have a clear timeline to assess their containerized workloads, identify dependencies and constraints, and adopt supported Windows Server versions or other recommended options. This transition path is essential to preserve adequate levels of security, supportability, and compliance, while minimizing operational risk across distributed and Arc-enabled Kubernetes clusters.

New migration experience for SQL Server in Azure Arc

A new migration experience for Structured Query Language (SQL) Server instances managed through Azure Arc is now generally available. This approach integrates Azure Database Migration Service (DMS) with guided support from Copilot, providing an end-to-end path to Azure SQL Managed Instance that covers initial assessment, planning, migration execution, and post-cutover validation within a single flow.

The solution is designed for environments where SQL Server is still running on-premises or in other clouds, but is managed through Azure Arc to centralize governance and compliance. Thanks to automation and the guidance offered by Artificial Intelligence (AI), IT teams can reduce the risks associated with migration, standardize the process across multiple instances, and accelerate the transition to a managed Platform as a Service (PaaS) model, aligned with data estate modernization strategies.

Azure Kubernetes Fleet Manager for Azure Arc–enabled clusters (preview)

Azure Kubernetes Fleet Manager now extends its support, in public preview, to Kubernetes clusters enabled with Azure Arc. Through a single control plane, organizations can register, govern, and deploy workloads consistently across Azure Kubernetes Service (AKS) clusters in Azure, on-premises Kubernetes clusters, and clusters running in other clouds.

The solution makes it possible to apply uniform configurations, update strategies, and security policies across all environments, reducing the operational complexity typical of hybrid and multicloud scenarios. This capability is particularly useful for managing distributed Artificial Intelligence (AI) workloads and deployments in edge locations, where standardizing management and security models is crucial to ensure reliability, scalability, and centralized control.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Native integration between Microsoft Defender for Cloud and GitHub Advanced Security (preview)

A native integration between Microsoft Defender for Cloud and GitHub Advanced Security is now available in preview, designed to protect cloud-native applications across the entire lifecycle, from code to runtime. In response to the increasing sophistication of software supply chain attacks, the solution introduces runtime context as a primary criterion for risk prioritization, enabling development and security teams to focus on truly exploitable vulnerabilities and remediate them more quickly through Artificial Intelligence (AI)–assisted remediation mechanisms.

Key capabilities include real-time visibility across the entire application lifecycle and the ability for security teams to launch remediation campaigns that notify GitHub owners directly, open GitHub issues from within Defender for Cloud, and monitor their status. By linking runtime context back to the code, developers can quickly map threats to the relevant repository, while security teams gain full traceability from code to execution. The use of Copilot Autofix and the GitHub Copilot coding agent makes it possible to automatically generate remediation suggestions, significantly reducing time to fix and improving the quality of applied remediations.

New Azure Copilot agents integrated into the portal and operational tools (preview)

The new phase of Azure Copilot introduces specialized agents, available in private preview, integrated directly into the Azure portal, PowerShell, and the Command Line Interface (CLI). These agents are designed to support customers in migration, day-to-day operations, and ongoing modernization of workloads running anywhere, enabling end-to-end lifecycle management of resources. Azure Copilot evolves the chat experience into a full-screen command center, powered by advanced reasoning capabilities based on GPT-5, artifact generation, and scenarios driven by Azure Resource Manager (ARM).

Users can invoke Copilot within existing workflows through contextual, personalized experiences that include conversation history and inline actions in the Azure portal. The new capabilities honor existing Role-Based Access Control (RBAC) mechanisms, Azure Policy, and compliance frameworks, and they always require explicit confirmation before applying changes.

Among the agents’ capabilities are:

  • Deployment, to simplify the planning and rollout of infrastructure aligned with the best practices of the Well-Architected Framework;

  • Migration, to accelerate migration and modernization with automated discovery and AI-driven Infrastructure as a Service (IaaS) / Platform as a Service (PaaS) recommendations, integrating with GitHub Copilot to modernize .NET and Java applications;

  • Optimization, to highlight high-impact actions in terms of cost and sustainability, comparing financial results and carbon emissions and automating execution through agentic workflows;

  • Observability, which leverages metrics, traces, and logs from Azure Monitor Application Insights or Service Groups to investigate and diagnose full-stack applications and provide mitigation steps;

  • Resiliency, with recommendations for zonal resilience, auto-remediation scripts, orchestration of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets, built-in ransomware protection, and contextual insights for more robust configurations;

  • Troubleshooting, which enables users to start troubleshooting sessions, obtain root cause analyses and mitigation suggestions for virtual machines, Kubernetes, databases, and other resources, including the automatic creation of support tickets when escalation is required.

Security posture management for serverless resources in Microsoft Defender for Cloud (preview)

At the end of November, Microsoft Defender for Cloud will introduce, in preview, security posture management for serverless resources. As the adoption of serverless solutions in multicloud environments increases at the expense of purely Infrastructure as a Service (IaaS) models, potential entry points multiply and lateral movement becomes easier for attackers, making these resources particularly exposed.

The new serverless coverage in Defender for Cloud provides deeper visibility into compute environments and application platforms based on managed functions and components. By integrating serverless posture information into attack paths, the solution strengthens end-to-end security with comprehensive protection for workloads and services. In preview, organizations will have access to Cloud Security Posture Management (CSPM) insights for resources such as Azure Functions, Azure Web Apps, and Amazon Web Services (AWS) Lambda; they will be able to identify and visualize risk, analyze attack paths, continuously monitor misconfigurations, and detect vulnerable instances. The result is a strengthened security posture across the entire lifecycle of modern applications, aligned with the evolution toward cloud-native and serverless architectures.

Unified posture management and threat protection for AI agents in Microsoft Defender (preview)

Preview capabilities for unified security posture management and threat protection for Artificial Intelligence (AI) agents are now available in Microsoft Defender as part of Microsoft Agent 365. With the growing adoption of agentic applications across pro-code, low-code, and no-code environments, the complexity and attack surface of digital estates increase significantly. Both AI developers and security administrators need a unified view of AI assets to govern security posture and reduce risk, while Security Operations Center (SOC) analysts must be able to correlate AI security signals with contextualized alerts to speed up remediation.

The new capabilities address these needs in three main areas: complete visibility into the posture of AI agents through a unified experience that offers visibility, posture management, and threat protection for agents distributed across pro-code, low-code, and no-code platforms, reducing issues such as shadow agents and agent sprawl; risk reduction through security recommendations and attack path analysis specific to agentic applications, helping teams identify and fix vulnerabilities before compromise; and advanced protection that enables detection, investigation, and response to threats targeting AI agents—such as prompt injection, exposure of sensitive data, and malicious use of tools—across models, agents, and cloud apps. The new detections correlate signals with threat intelligence, delivering a complete view of alerts. The distinctive element of Defender’s AI security offering is its end-to-end approach, from build-time to runtime, with unified protection that covers models, agents, Software as a Service (SaaS) applications, and cloud infrastructure.

Unified cloud security with Microsoft Defender in hybrid and multicloud environments (preview)

A new unified cloud posture management experience for Microsoft Defender for Cloud (MDC) customers is now available in preview. Security teams increasingly have to manage risk in complex hybrid and multicloud environments, where fragmented signals, siloed tools, and disjointed views slow down threat detection and response. The new native integration will bring Microsoft Defender for Cloud into the Defender portal dedicated to security roles, eliminating silos and enabling SOC teams to see and manage threats across all environments from a single console.

The experience will include a cloud security dashboard that unifies posture management and threat protection, offering a comprehensive view of the environment; unified cloud posture capabilities within Exposure Management, to display assets, vulnerabilities, attack paths, security scores, and prioritized recommendations in a single view; and a centralized asset inventory, with a consolidated view of code and cloud resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), supporting posture validation and logical segmentation of environments.

Complementing this integration, granular RBAC controls will help reduce operational risk and simplify compliance in multicloud contexts. With threat protection already deeply integrated into the Defender portal, extending it to posture management will deliver a complete cloud security model within a unified experience. The Azure portal will nonetheless remain a key reference point for DevOps personas and for onboarding new resources covered by Defender for Cloud.

New Microsoft Defender capabilities for proactive actions during attacks (preview)

Microsoft Defender is introducing, in preview, several innovations designed to strengthen the ability to detect and counter ongoing attacks. Among these, Predictive Shielding represents an evolution of the automatic attack disruption capability: once a compromised resource has been contained, it leverages threat intelligence and insights derived from the relationship graph to predict potential lateral movements by attackers and apply targeted, just-in-time hardening actions, such as changes to Group Policy Objects (GPOs) or disabling Safe Boot.

This approach drastically reduces the number of potential attack paths, concentrating risk on a much smaller set of trajectories and optimizing operational continuity. Microsoft is also extending automatic attack disruption capabilities—previously limited to Defender solutions—to third-party environments such as AWS, Proofpoint, and Okta when their signals are ingested via Microsoft Sentinel. In this way, threats such as phishing, adversary-in-the-middle attacks, and identity compromise can be detected and contained in near real time even on federated accounts and external cloud environments.

Finally, a new Threat-Hunting Agent will allow analysts to orchestrate threat hunting sessions in natural language, asking questions such as “Which devices have communicated with this domain in the last 24 hours?” and receiving summarized answers, the underlying Kusto Query Language (KQL) queries, and dynamic suggestions for further investigation—all within a chat interface. The agent will also provide contextual insights and visualizations, such as timelines, making advanced hunting capabilities accessible even to those without deep query expertise.
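
For reference, this is the kind of KQL query that answers the sample question above. It is an added example, not output from the Threat-Hunting Agent or Microsoft code; it assumes the Defender advanced hunting table DeviceNetworkEvents and uses a placeholder domain.

```kusto
// Added example. "example.invalid" is a placeholder: replace it with the
// domain under investigation.
let suspect_domain = "example.invalid";
DeviceNetworkEvents
// Restrict to the window named in the question.
| where Timestamp > ago(24h)
// RemoteUrl is not populated for every connection, so an empty result here
// does not by itself prove that no device contacted the domain.
| where RemoteUrl has suspect_domain
// One row per device, with enough context to decide where to look next.
| summarize
    Connections = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    RemoteIPs   = make_set(RemoteIP, 20),
    Processes   = make_set(InitiatingProcessFileName, 20)
    by DeviceId, DeviceName
| order by Connections desc
```

Reading the generated query alongside the summarized answer lets an analyst verify the time window, the table, and the match operator the agent actually used before acting on the result.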

Integrated threat detection in Azure Backup for virtual machines, powered by Microsoft Defender for Cloud (preview)

Azure Backup is introducing, in public preview, integrated threat detection capabilities for backups of Azure virtual machines (VMs), powered by Microsoft Defender for Cloud. Restore points are analyzed for malicious indicators such as traces of malware or ransomware, allowing teams to assess the security state of backups before using them in a recovery operation.

Suspicious activities are surfaced through Defender for Cloud, enabling security and operations teams to avoid restoring compromised images and to react more quickly to attacks that might otherwise remain hidden within backup data. This integration strengthens alignment between data protection strategies and security practices, transforming backup from a simple recovery mechanism into an active component of defense against threats and improving the overall resilience of Azure environments.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Data Lake Storage Gen2

Vaulted backup for Azure Data Lake Storage (ADLS) Gen2 is now generally available through Azure Backup, providing organizations with secure, off-site protection for data stored in their storage accounts. This capability allows you to create an independent copy of ADLS Gen2 data in a backup vault, isolated from the source account, thereby mitigating the risk of accidental deletions, malicious activity, and ransomware. Customers can also restore data to alternative storage accounts, enabling “clean recovery” scenarios and increasing the overall resilience of the environment.

The solution supports flexible, automated schedules, with daily or weekly backup policies and the option to run on-demand backups when needed. Long-term retention of backups is also supported, for up to 10 years, helping organizations meet compliance and archival requirements. Security aspects are built in by design, thanks to features such as soft delete, immutability, encryption, and multi-user authorization to protect the data stored in the vault. At the time of general availability, vaulted backups can be configured for block blobs in ADLS Gen2 accounts and are available in a subset of regions compared to the public preview, with an expanded geographic coverage planned over the coming months.

Monitoring

Azure Monitor

Unified onboarding experience in Azure Monitor for AKS and virtual machines

Azure Monitor now offers a unified onboarding experience for Azure Kubernetes Service (AKS) clusters and virtual machines (VMs). Instead of having to follow separate procedures and flows, with different extensions depending on the type of workload, organizations have a single streamlined path that deploys the latest Azure Monitor capabilities with one click.

This approach significantly reduces the risk of configuration drift across environments, accelerates the adoption of common monitoring baselines, and makes it easier to standardize observability in mixed contexts that rely simultaneously on AKS clusters and VM-based workloads. From a centralized, AI-powered management perspective, having a consistent onboarding model is a key element to ensure telemetry data quality, uniform controls, and the ability to apply advanced analytics and automation at scale.

Advanced sampling and enriched data collection in the Azure Monitor OpenTelemetry Distro

The Azure Monitor OpenTelemetry (OTel) Distro is now generally available with advanced sampling capabilities and richer data collection features. The solution provides more flexible sampling options—for example, rate-based or trace-aware strategies—and improves correlation across logs, metrics, and traces.

The goal is to enable organizations to reduce noise and the overall volume of telemetry while maintaining full visibility into critical transactions and the most business-relevant application scenarios. In environments characterized by distributed architectures, microservices, and hybrid or multicloud workloads, this evolution supports a more sustainable and effective observability model, and also facilitates the application of Artificial Intelligence (AI) algorithms for proactive anomaly detection, automated problem diagnosis, and prioritization of operational interventions.

Recommended alerts for Azure Monitor Workspace (preview)

Azure Monitor is introducing, in preview, a recommended alerts feature that can be enabled with one click in the portal for Azure Monitor Workspaces that collect managed Prometheus metrics. These are preconfigured alert rules designed to monitor workspace limits and ingestion quotas, with the goal of promptly identifying throttling conditions and preventing the loss of metrics or the creation of “blind spots” in the observability platform.

Thanks to these recommended alerts, teams can quickly establish a consistent monitoring posture across multiple environments without having to design every single rule from scratch. For architects managing distributed environments—often hybrid and multicloud—this capability is a practical way to raise the reliability level of monitoring, freeing up time to focus on optimizations and on introducing advanced analytics logic supported by Artificial Intelligence (AI).

New OpenTelemetry visualizations and advanced monitoring experience for Azure VMs and Azure Arc servers (preview)

Azure Monitor is introducing, in public preview, new OpenTelemetry (OTel)–based visualizations and a unified monitoring experience for virtual machines (VMs) in Azure and servers enabled with Azure Arc. This new mode consolidates key observability capabilities—metrics, logs, and a topology-style representation of dependencies—into a single view aligned with the OpenTelemetry data model.

This makes it easier to analyze end-to-end performance and identify points of failure, especially for organizations that are already standardizing application and infrastructure telemetry on OpenTelemetry. For hybrid and multicloud scenarios, the ability to have a consistent view across resources in Azure and servers managed via Azure Arc helps IT teams reduce tool fragmentation, simplify troubleshooting, and lay the groundwork for increasingly automated, AI-powered management models.

Conclusions

In conclusion, this month’s updates strongly confirm Microsoft’s trajectory toward a truly unified, hybrid, Artificial Intelligence (AI)–powered cloud management and security model, in which Azure Arc becomes the common thread connecting datacenters, edge locations, and public clouds. On the one hand, advancements on the management front—such as the new migration experience for SQL Server to Azure SQL Managed Instance, support for Azure Kubernetes Fleet Manager for Arc-enabled clusters, vaulted backup for Azure Data Lake Storage Gen2, and the new OpenTelemetry-based monitoring experiences—equip architects with the tools to rationalize distributed architectures, reduce technical debt, and improve observability and resilience. On the other hand, innovations in Microsoft Defender for Cloud and the broader Defender platform—including integration with GitHub Advanced Security, posture management for serverless resources and Artificial Intelligence (AI) agents, the new unified cloud security experience, and integrated threat detection capabilities in Azure Backup—make it possible to bring security “inside” development processes, DevSecOps pipelines, and business continuity plans, shifting the center of gravity toward a more proactive model focused on reducing real-world risk.

The practical recommendation is not to simply be aware of these capabilities, but to embed them into a concrete roadmap: plan ahead for the retirement of Windows Server 2022 on Azure Arc–enabled Azure Kubernetes Service, assess data estate modernization paths, standardize observability across environments, and experiment in a controlled way with the new Azure Copilot agents and Defender’s advanced capabilities. Only in this way will it be possible to turn these innovations into competitive advantage and prepare your organization for the next phase of AI-powered management.
