Azure Hybrid Management & Security: What’s New and Insights from the Field – May 2026

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Free hotpatching through Azure Arc for Windows Server 2025

Microsoft has made Azure Arc-enabled hotpatching available for Windows Server 2025 at no additional cost. This is a particularly relevant evolution for hybrid and multicloud environments, as it allows critical security updates to be applied without requiring an immediate system reboot, thereby reducing the operational impact of maintenance activities.

Hotpatching applies security fixes to the in-memory code of running processes, so the patched system keeps running and that update needs no restart. This keeps services available, shortens maintenance windows, and gets security updates deployed sooner. It does not eliminate reboots: hotpatches are applied on top of a periodic baseline (cumulative) update, and the baseline still requires a restart when deeper operating system changes are involved, so reboot planning moves to a predictable cadence rather than disappearing.

With Windows Server 2025 this capability is no longer limited to Azure virtual machines: it also covers on-premises servers and machines in other clouds through Azure Arc. Servers must run Windows Server 2025 Standard or Datacenter, be connected to Azure Arc through the Azure Connected Machine agent, and have Virtualization-Based Security (VBS) enabled. VBS is the prerequisite worth checking early: it needs a CPU with virtualization extensions and second-level address translation, and on a virtual machine the hypervisor must expose nested virtualization to the guest, which is not the default on every platform.

Once onboarding is complete, hotpatching can be enabled from the Azure Portal, PowerShell, Command-Line Interface (CLI), or REST API, while centralized update management is handled through Azure Update Manager.

This new capability further strengthens the role of Azure Arc as a unified control plane for managing distributed servers, enabling IT teams to improve their security posture, reduce exposure to vulnerabilities, and simplify patch management in complex scenarios, without introducing additional costs for using the feature.
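As a worked example added to this post (it is not Microsoft's script and not part of the announcement), the following PowerShell checks the three prerequisites above on the server itself and then enables hotpatching through the REST API with Invoke-AzRestMethod. The local checks rely on documented interfaces (Win32_OperatingSystem, Win32_DeviceGuard, the himds service, azcmagent show); the enable step assumes that hotpatch is switched on by writing a Hotpatch product feature into the machine's license profile through the Microsoft.HybridCompute licenseProfiles API, and the api-version and request body used there are assumptions to verify against the current REST reference before use.

```powershell
#Requires -RunAsAdministrator
# Added example for this post (not Microsoft's own script): checks the Azure Arc hotpatch
# prerequisites on a Windows Server 2025 host, then enables hotpatching through the Azure REST
# API with Invoke-AzRestMethod (Az.Accounts). Run it on the server in an elevated session.
# Items marked ASSUMPTION are not stated in the post and must be checked against current docs.

function Test-ArcHotpatchPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Windows Server 2025 Standard or Datacenter. Server 2025 is build 26100; the edition
    #    comes from the registry. ASSUMPTION: the ServerStandard*/ServerDatacenter* wildcards
    #    cover both Desktop Experience and Server Core installs.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $result.OsCaption   = $os.Caption
    $result.OsSupported = ([int]$os.BuildNumber -ge 26100) -and
                          ($edition -like 'ServerStandard*' -or $edition -like 'ServerDatacenter*')

    # 2. Virtualization-Based Security must actually be running, not just configured.
    #    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result.VbsStatus  = $dg.VirtualizationBasedSecurityStatus
    $result.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # 3. Azure Connected Machine agent installed, running and connected. himds is the agent's
    #    core service; azcmagent show prints an "Agent Status : Connected" line (ASSUMPTION: label text).
    $himds = Get-Service -Name himds -ErrorAction SilentlyContinue
    $result.AgentServiceRunning = ($null -ne $himds -and $himds.Status -eq 'Running')
    $result.AgentConnected = $false
    $agentExe = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if ($result.AgentServiceRunning -and (Test-Path $agentExe)) {
        $show = & $agentExe show 2>&1 | Out-String
        $result.AgentConnected = [bool]($show -match 'Agent Status\s*:\s*Connected')
    }

    $result.Ready = $result.OsSupported -and $result.VbsRunning -and $result.AgentConnected
    [pscustomobject]$result
}

function Enable-ArcHotpatch {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $MachineName,
        [Parameter(Mandatory)] [string] $Location
    )
    # ASSUMPTION: hotpatch is enabled by writing the machine's "default" license profile with a
    # Hotpatch product feature via the Microsoft.HybridCompute licenseProfiles API. The api-version
    # and body shape are taken from the Arc license-profile API and should be verified.
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.HybridCompute/machines/$MachineName/licenseProfiles/default?api-version=2024-07-10"
    $body = @{
        location   = $Location
        properties = @{
            productProfile = @{
                subscriptionStatus = 'Enabled'
                productType        = 'WindowsServer'
                productFeatures    = @(@{ name = 'Hotpatch'; subscriptionStatus = 'Enabled' })
            }
        }
    } | ConvertTo-Json -Depth 6

    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    if ($resp.StatusCode -notin 200, 201) {
        throw "Enabling hotpatch failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    $resp.Content | ConvertFrom-Json
}

# Usage: verify locally first, then enable only when every prerequisite holds.
# Connect-AzAccount must already hold an identity allowed to write the machine's license profile.
$check = Test-ArcHotpatchPrerequisites
$check | Format-List
if ($check.Ready) {
    Enable-ArcHotpatch -SubscriptionId '<sub-id>' -ResourceGroup '<rg>' -MachineName $env:COMPUTERNAME -Location '<region>'
} else {
    Write-Warning 'Prerequisites not met; fix the failing item(s) before enabling hotpatch.'
}
```

The subscription, resource group and region placeholders are yours to fill in. Two details matter for the security posture here: VbsStatus 1 (enabled but not running) is a common finding on VMs where nested virtualization was never exposed, and the identity used for Enable-ArcHotpatch only needs write access on license profiles, so it should not be the same broad principal used for Arc onboarding.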

Managing Azure Arc extensions with the new Ansible modules

Microsoft has introduced new modules in the azure.azcollection collection, available on Ansible Galaxy, with the aim of simplifying extension management for Azure Arc-enabled machines. With these updates, infrastructure and platform teams can deploy and manage Azure Arc machine extensions using declarative Ansible workflows that are already familiar in many enterprise environments.

The new modules include capabilities dedicated to managing Azure Arc extensions and retrieving information about installed extensions. This evolution makes it possible to automate the extension lifecycle at scale, promoting greater operational consistency, security, and control across hybrid, edge, and multicloud environments.

This announcement is particularly relevant because Azure Arc extensions enable key scenarios such as monitoring, security, update management, configuration, and compliance. Previously, managing these extensions often required the use of Azure Command-Line Interface (CLI) scripts, Azure Resource Manager (ARM) templates, or manual actions.

With the integration into Ansible, it becomes possible to include Azure Arc extension management directly in existing playbooks, apply consistent configurations across distributed servers, and reduce operational overhead through a declarative automation model.

For organizations that already use Ansible for operating system configuration, patching, or application deployment, this integration extends the same processes to Azure Arc management as well. This further strengthens Azure Arc as a unified control plane for distributed Windows and Linux servers, while Ansible becomes an even more effective tool for ensuring security, compliance, and operational consistency at scale. One consequence to keep in mind when wiring this up: an extension runs with SYSTEM or root privileges on the target server, so the Azure identity the playbook authenticates with, and anyone holding Microsoft.HybridCompute/machines/extensions/write, effectively has code execution on every machine in scope. Scope that identity to the resource groups it must manage, keep it separate from the read-only credentials used for inventory, and treat changes to the playbooks themselves with the same review discipline as changes to the servers.

AI and intelligent automation

Model Context Protocol (MCP) Server

Azure Resource Manager MCP Server (preview)

Microsoft has announced the Public Preview of the Azure Resource Manager Model Context Protocol (MCP) Server, a remote MCP server that enables Artificial Intelligence (AI)-based agents to interact with Azure infrastructure operations through Azure Resource Manager (ARM).

This new capability enables advanced AI-powered management scenarios by providing AI agents with native tools to generate, validate, and execute Azure Resource Graph (ARG) queries, as well as to deploy and manage ARM template-based deployments.

As a result, users can ask questions in natural language about their Azure environment and receive real-time answers supported by automatically generated ARG queries, without having to manually write Kusto Query Language (KQL) code.

The server also supports workflows related to ARM deployments, allowing agents to start deployments at the resource group level, monitor their status, detect potential issues, and cancel operations when needed. Since deployments are write operations on the control plane, what an agent can change is bounded by the identity the MCP server authenticates with: Reader is enough for the query scenarios, and deployment rights (Contributor or a narrower custom role) should be granted only at the resource groups where agent-driven changes are intended, with the resource group's deployment history serving as the audit trail of what the agent actually submitted.

This preview represents a significant step toward the creation of more advanced AI agents, capable not only of understanding and querying distributed Azure environments, but also of supporting their operational management in a more proactive and intelligent way.
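The following is an added example, not code from this post or from Microsoft: a hand-written Azure Resource Graph query of the kind the MCP server would generate from a question such as "which Arc-enabled Windows servers are missing the Defender for Endpoint extension?", run with Search-AzGraph from the Az.ResourceGraph module. It also serves as the inventory check that belongs next to the Ansible extension management described earlier, since a playbook that installs extensions needs a reliable list of where they are missing. The baseline requirement (the MDE.Windows extension type) is an assumption; substitute your own extension list.

```powershell
# Added example (not from the post or from Microsoft): one Azure Resource Graph query that joins
# Arc-enabled Windows machines with their installed extensions and flags machines missing a
# required extension. Needs Az.Accounts and Az.ResourceGraph and a Connect-AzAccount session;
# Reader on the subscriptions is sufficient because ARG is read-only.

$requiredExtension = 'MDE.Windows'   # ASSUMPTION: your baseline may name other extension types

$query = @"
resources
| where type =~ 'microsoft.hybridcompute/machines'
| where tostring(properties.osName) =~ 'windows'
| extend machineId = tolower(id),
         osSku = tostring(properties.osSku),
         agentStatus = tostring(properties.status),
         agentVersion = tostring(properties.agentVersion)
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.hybridcompute/machines/extensions'
    // extension ids look like <machine id>/extensions/<name>; normalise case before joining
    | extend machineId = tolower(tostring(split(id, '/extensions/')[0]))
    | summarize extensions = make_set(tostring(properties.type)) by machineId
  ) on machineId
// leftouter leaves extensions null for machines with no extensions at all
| extend hasRequired = isnotnull(extensions) and array_index_of(extensions, '$requiredExtension') >= 0
| project name, resourceGroup, subscriptionId, osSku, agentStatus, agentVersion, extensions, hasRequired
| order by hasRequired asc, name asc
"@

# -First is capped at 1000 rows; use -Skip to page larger estates. -UseTenantScope queries every
# subscription the signed-in identity can read instead of only the current context.
$rows = Search-AzGraph -Query $query -First 1000 -UseTenantScope

$missing = $rows | Where-Object { -not $_.hasRequired }
$missing | Format-Table name, resourceGroup, osSku, agentStatus, extensions -AutoSize

# Hand the gap list to whatever installs the extension (an Ansible playbook, a policy remediation task);
# name, resourceGroup and subscriptionId are exactly the keys an Arc extension deployment needs.
$missing | Select-Object name, resourceGroup, subscriptionId |
    ConvertTo-Json | Set-Content -Path ".\missing-$requiredExtension.json"
```

Two properties of this query are worth noting when an agent produces one for you: the lowercase normalisation on the join key avoids silent misses caused by inconsistent resource-ID casing across providers, and the `isnotnull` guard turns the null that a leftouter join leaves on extension-less machines into an explicit "missing" rather than an ambiguous blank. An agent-generated query that omits either will under-report gaps, which is the one thing a compliance query must not do.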

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Microsoft Defender for Cloud updates – May 2026

In May 2026, Microsoft Defender for Cloud introduced several updates that confirm the evolution of the platform toward an increasingly integrated Cloud-Native Application Protection Platform (CNAPP) model, extended to hybrid and multicloud scenarios.

The updates mainly focus on the unified experience in the Microsoft Defender portal, protection for containerized workloads, storage and database security, secure score improvements, and the integration between cloud security, application development, and managed Extended Detection and Response (XDR) services.

The main updates can be summarized as follows:

Unified experience in the Microsoft Defender portal: the integration of Microsoft Defender for Cloud into the Microsoft Defender portal is now generally available. This evolution enables security teams to benefit from a centralized view of security posture, recommendations, asset inventory, attack paths, vulnerabilities, and risk-based security score, covering Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments.

Cloud security reporting: new cloud reporting capabilities are now available in preview in the Microsoft Defender portal. These capabilities allow users to create, customize, export, and share reports such as the CNAPP Executive Summary and the Cloud Posture report. This feature makes it easier to communicate the status of cloud security to technical stakeholders, IT managers, and business leadership.

Advanced protection for containers and Kubernetes: Defender for Containers extends, in preview, support for private clusters for sensor-based capabilities such as gated deployment, binary drift detection, and malware detection. In addition, malware detection for Kubernetes nodes is expanded to Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE), strengthening coverage across multicloud scenarios.

Operational improvements for Defender for Containers: sensor installation through Helm has been updated with a model based on direct chart deployment, using specific commands for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). This change simplifies sensor adoption across heterogeneous Kubernetes environments.

Vulnerability assessment for container images: the Defender for Cloud vulnerability scanner, powered by Microsoft Defender Vulnerability Management, introduces preview support for scanning Docker Hardened container images. This expands the coverage of supported container images and helps teams validate the security of container builds.

On-demand malware scanning for Azure Files: Microsoft Defender for Storage makes on-demand malware scanning for Azure Files generally available. Scans can be started from the Azure portal or through REST API, automated with Azure Logic Apps, Azure Automation, and PowerShell scripts, and rely on Microsoft Defender Antivirus with the latest malware definitions.

Protection for open-source databases on AWS RDS: Microsoft Defender for Open-Source Relational Databases for Amazon Web Services Relational Database Service (AWS RDS) becomes generally available on June 1, 2026. The capability provides threat protection and sensitive data discovery for databases such as Aurora PostgreSQL/MySQL, PostgreSQL, MySQL, and MariaDB on AWS RDS.

SQL Vulnerability Assessment Express Configuration: simplified SQL Vulnerability Assessment configuration is now available in preview for Azure SQL Managed Instance and Azure Synapse Analytics Workspaces. This model removes the need to configure a customer-managed storage account and provides a simpler experience, consistent with the one already available for Azure SQL Database.

Recommendations and secure score: individual Defender for Cloud recommendations are now generally available in the Azure portal and progressively replace the previous grouped recommendations, which will be removed on July 30, 2026. In addition, the daily calculation logic of the risk-based cloud secure score has been improved, and it is now represented as an end-of-day snapshot rather than an average value.

Integration with GitHub Advanced Security: the native integration between Microsoft Defender for Cloud and GitHub Advanced Security is now generally available. This integration enables correlation between Defender for Cloud runtime signals and vulnerabilities detected in code, supporting prioritization based on real risk, targeted remediation campaigns, bidirectional synchronization with GitHub, and AI-powered remediation through GitHub Copilot Autofix.

Microsoft Defender Experts for Servers: Defender for Cloud integrates with Microsoft Defender Experts for Servers, offering a managed Extended Detection and Response (XDR) option for server workloads protected by Defender for Servers Plan 1 or Plan 2 across Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments.

Overall, the May updates strengthen Microsoft’s vision of unified, proactive, and increasingly risk-driven cloud security, capable of covering infrastructure, containers, databases, storage, application code, and hybrid and multicloud environments from a single control point.

Backup & Resilience

Azure Backup

Bulk Restore for Azure Virtual Machines with Azure Backup (preview)

Azure Backup introduces, in Public Preview, the Bulk Restore capability for Azure Virtual Machines, designed to simplify and accelerate large-scale restore scenarios.

With this new capability, multiple Azure virtual machines can be restored in a single operation, up to a maximum of 100 Virtual Machines (VMs), while still maintaining an appropriate level of control over individual workloads.

Administrators can select multiple VMs, choose the relevant restore points, apply common restore parameters, and centrally monitor the progress of the activities.

This capability is particularly useful in scenarios such as widespread outages, ransomware recovery, or any situation where recovery time and operator effort must be kept to a minimum. For ransomware in particular, the useful property is that the same pre-encryption restore point selection and restore parameters are applied once across all affected VMs instead of being repeated machine by machine, which removes a common source of errors under pressure. With Bulk Restore, Azure Backup further evolves toward a model that is better suited to the management of complex environments, where recovery speed and the ability to orchestrate large-scale operations are essential to ensuring resilience and business continuity.

Azure Site Recovery

Support for Managed Disks with Performance Plus (preview)

Azure Site Recovery introduces, in public preview, support for replicating virtual machines that use Managed Disks with the Performance Plus capability enabled.

This update makes it possible to protect, in Azure-to-Azure disaster recovery scenarios, workloads based on Premium SSD, Standard SSD, or Standard HDD disks configured with Performance Plus, which are designed to provide higher levels of IOPS and throughput.

Extending support to this type of disk represents an important improvement for environments that require business continuity without compromising performance.

Thanks to this evolution, Azure Site Recovery can provide greater performance consistency between the primary and secondary regions during replication, test failover, and full failover phases.

For architects and IT leaders, this means being able to include more demanding workloads in disaster recovery plans, while maintaining a centralized protection model integrated with Azure-native services.

Conclusions

The May 2026 updates confirm a very clear direction: IT environment management can no longer be approached through separate silos across cloud, datacenter, edge, and multicloud.

Azure Arc continues to strengthen its role as a unified control plane for extending governance, automation, patching, and security beyond Azure, while the introduction of new AI-based tools and protocols such as MCP opens increasingly concrete scenarios for intelligent and proactive management.

At the same time, Microsoft Defender for Cloud further evolves toward an integrated CNAPP platform, capable of correlating posture, threats, vulnerabilities, workloads, application code, and multicloud environments into a single operational experience.

On the resilience side, the Azure Backup and Azure Site Recovery updates also demonstrate Microsoft’s growing focus on faster, more scalable recovery scenarios that are aligned with the needs of modern workloads.

For organizations, the message is clear: it is no longer just about adopting new services, but about building a more centralized, automated, and risk-driven operating model, capable of simplifying daily management and increasing the ability to respond to vulnerabilities, incidents, and service disruptions.
