Category archives: Azure Hybrid & Migration – 2025-2026

Azure Hybrid Management & Security: What’s New and Insights from the Field – October 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Microsoft recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure

Microsoft has once again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure, for the third consecutive year, confirming the value delivered in running workloads across hybrid, edge, multicloud, and sovereign scenarios with Azure. At the heart of this result is Azure’s adaptive cloud approach, built on Azure Arc and Azure Local: the former extends Azure controls—through Azure Resource Manager—to on-premises, edge, and multicloud environments, enabling services such as Azure Kubernetes Service (AKS), Microsoft Defender for Cloud, Azure IoT Operations, and Azure AI Video Indexer; the latter brings Azure services and management into customer-owned environments, allowing local execution of cloud-native workloads, including virtual machines and Arc-enabled AKS clusters, and supporting the Sovereign Private Cloud strategy for isolated and compliant operations while maintaining consistency with Azure.

Firmware analysis enabled by Azure Arc

The firmware analysis capability enabled by Azure Arc is now available. The service provides deep visibility into the software powering Internet of Things (IoT)/Operational Technology (OT) devices and network appliances—systems often treated as “black boxes” with limited transparency into their security posture.
Users upload the device’s firmware image and receive a detailed report generated by automated security analysis, useful for identifying vulnerabilities, outdated components, and compliance risks in hybrid and multicloud environments governed with Arc.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is under continuous development, with improvements introduced on an ongoing basis. To keep customers informed, Microsoft maintains a page listing new features, bug fixes, and deprecated features. This month’s main news includes:

  • Outbound network requirements update for Microsoft Defender for Containers: Microsoft has updated the outbound network requirements for the Microsoft Defender for Containers sensor. The change affects all subscriptions using the sensor. Effective immediately, the sensor must be able to reach the Fully Qualified Domain Name (FQDN) *.cloud.defender.microsoft.com on port 443 over the HTTPS protocol. It is recommended to add this FQDN (and related port) to your outbound restriction mechanisms—such as proxies or firewalls. If egress traffic from clusters is not blocked, no changes are required. To validate connectivity to Defender for Containers endpoints, you can run the dedicated test script from the cluster. To avoid service disruptions, any changes on Google Kubernetes Engine (GKE) and Elastic Kubernetes Service (EKS) must be completed by September 30, 2026; otherwise, the sensor may not function as expected.
  • Microsoft Defender for Cloud: new permission for the GitHub connector (October 23, 2025). Microsoft Defender for Cloud is updating its GitHub connector to require the new artifact_metadata:write permission, needed to enable artifact attestation capabilities that ensure verifiable build provenance and strengthen software supply-chain security. The permission has a limited scope, aligned with the principle of least privilege, to facilitate swift and targeted approvals.

Backup & Resilience

Azure Backup

Vaulted Backup for Azure Data Lake Storage (preview)

Public Preview is available for Vaulted Backup for Azure Data Lake Storage (ADLS), extending in-vault protection to this service as well. The solution maintains an independent copy isolated from the source account to ensure business continuity and compliance, with restores to original or alternate accounts even in cases of accidental deletions, insider threats, or ransomware.
The solution includes flexible scheduling (daily/weekly and on-demand), long-term retention up to 10 years, and a security-first design with soft delete, immutability, encryption, and multi-user authorization to protect data in the vault.

Azure Site Recovery

Azure Site Recovery: support for Ultra Disks on virtual machines

Microsoft announces General Availability of support in Azure Site Recovery (ASR) for virtual machines with Ultra Disks, enabling organizations of any size to replicate, fail over, and fail back across Azure regions with minimal impact on production performance. The solution offers automated recovery orchestration, cost-optimized replication, and non-disruptive testing, helping companies increase operational resilience, meet compliance requirements, and minimize downtime. With this release, teams can reliably extend enterprise-grade protection and continuity to workloads using Ultra Disks. Ultra Disks are the highest-performance block storage option for Azure VMs, with consistent sub-millisecond latency and extremely high performance; they are therefore ideal for a broad range of mission-critical workloads, such as SAP HANA (High-Performance Analytic Appliance), high-end databases, and highly transactional systems that demand maximum performance.

Monitoring

Azure Monitor

Retirement of legacy authentication in Azure Monitor – Container Insights (deadline: September 30, 2026)

Microsoft will retire legacy authentication in Azure Monitor – Container Insights starting September 30, 2026. The model is being replaced by authentication via Managed Identity, which is more modern and secure and also enables capabilities not previously available, such as Syslog collection and High Scale mode.
Customers must migrate to Managed Identity by the specified date: the transition can be easily performed from the Azure portal or via CLI/PowerShell, along with bulk migration scripts provided in the official guidance.

Conclusions

The October 2025 updates outline a consistent path in the maturation of Azure’s adaptive cloud, where Azure Arc and Azure Local uniformly extend control and operational consistency across datacenters, edge, and multicloud. Microsoft’s recognition as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure confirms this trajectory, highlighting an ecosystem capable of uniting governance, security, and data sovereignty. Within this framework, Arc-enabled firmware analysis introduces transparency into traditionally opaque IoT/OT domains; updates to Microsoft Defender for Cloud and Defender for Containers strengthen supply-chain integrity and security posture; Vaulted Backup for Azure Data Lake Storage (preview) expands protection options with isolated copies and extended retention; ASR support for Ultra Disks extends operational continuity to the most demanding workloads; and the evolution of Azure Monitor – Container Insights toward Managed Identity marks a further step toward more robust authentication models. Overall, a platform emerges that natively and distributively integrates management, protection, and observability, promoting shared standards and reducing friction across heterogeneous environments.

Azure IaaS and Azure Local: announcements and updates (November 2025 – Weeks: 43 and 44)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

RHEL Software Reservations Now Available on Azure with Updated Pricing

Red Hat Enterprise Linux (RHEL) software reservations are available again on Azure with updated billing meters and pricing. The revised structure addresses issues present in previous meters and aligns with Red Hat’s current pricing model, improving accuracy and transparency. With clearer pricing visibility and alignment to the latest licensing framework, customers can more easily plan and optimize RHEL deployment costs on Azure—purchasing reservations to reduce operational expenses while retaining enterprise-grade Linux capabilities.

VM vCore customization features disabling simultaneous multi-threading (SMT/HT) and constrained cores (preview)

Azure announces public preview of Virtual Machine (VM) customization features that provide granular control over virtual CPU (vCPU) configurations to optimize performance and licensing. Customers can disable Simultaneous Multi-Threading (SMT, also known as Intel Hyper-Threading (HT)) to run with one thread per core for latency-sensitive or single-threaded workloads, and select a custom vCPU count from validated options to lower per-vCPU licensing costs while preserving full memory, storage, and I/O bandwidth. The capabilities are available across a broad set of VM sizes in select regions during preview and can be used independently or together. They are well suited for database and High-Performance Computing (HPC) scenarios, and are accessible through the Azure portal, ARM templates, Azure CLI, and PowerShell.

Sharing Capacity Reservation Groups (preview)

Azure introduces public preview support for sharing Capacity Reservation Groups (CRGs) across subscriptions, expanding beyond the previous limitation of using CRGs only within a single subscription. By enabling on-demand CRGs to be shared, organizations can centralize capacity management, promote resource reuse, scale out more cost-effectively, and separate security responsibilities from capacity planning. This enhancement simplifies governance for enterprises operating multiple subscriptions while maintaining reserved capacity for planned Virtual Machine (VM) deployments.

Networking

Enhanced cloning and Public IP retention scripts for Azure Application Gateway migration

Azure Application Gateway provides two production-ready PowerShell scripts to accelerate migration from V1 (Standard or Web Application Firewall (WAF)) to V2 (Standard_V2 or WAF_V2). The cloning script automates end-to-end configuration replication—including front-end Transport Layer Security (TLS) and trusted root certificates—and supports private-only V2 gateways, while the Public IP retention script allows the existing V1 public IP to be preserved on the V2 gateway. With V1 retirement set for April 2026, these tools reduce downtime, minimize manual steps, and de-risk large-scale cutovers.

Azure WAF CAPTCHA Challenge for Azure Front Door

Azure Front Door now offers General Availability of a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge within Azure Web Application Firewall (WAF). This feature adds an adaptive, interactive layer to existing defenses—such as IP blocking and rate limiting—to distinguish legitimate users from automated traffic in real time. By verifying human interaction before granting access, the CAPTCHA challenge strengthens bot mitigation strategies and helps organizations protect web applications from scrapers, brute-force attempts, and other automated attacks.

High Scale Private Endpoints

Microsoft has introduced High Scale Private Endpoints (HSPE) to raise Azure Private Endpoint (PE) limits within a single Azure Virtual Network (VNet). Previously, VNets were capped at 1,000 private endpoints, and attempts to exceed that threshold triggered a PrivateEndpointsPerVnetLimitReached error that required deleting endpoints or opening a support request. With HSPE enabled, organizations can deploy up to 5,000 private endpoints in one VNet. Microsoft also recommends keeping the cumulative total across peered VNets to 4,000 to avoid potential connectivity issues; upgrading to HSPE lifts the cross-peering guideline to 20,000 endpoints. In addition, Azure Virtual Network Manager (AVNM) support for HSPE in mesh (connected groups) is now generally available, allowing enterprises to scale private connectivity across large, interconnected topologies with minimal complexity.

Storage

Cloud-to-Cloud migration made simple with Azure Storage Mover

Azure Storage Mover now offers a generally available Amazon Web Services (AWS) Simple Storage Service (S3) to Azure Blob Storage migration path, enabling direct, secure, and scalable cloud-to-cloud data transfers. As a fully managed service, it removes infrastructure overhead while delivering high, parallelized throughput for large datasets across regions or storage accounts. For cloud-to-cloud scenarios, no on-premises agent is required, simplifying setup and operations. Customers can automate end-to-end migrations in the Azure portal and gain real-time visibility into job status, eliminating the need for manual pipelines or third-party tooling.

Azure Storage Mover support for NFS source to Azure File Share (NFS 4.1) target

Azure Storage Mover now supports migrating Network File System (NFS) shares directly to Azure File Shares using NFS 4.1. The fully managed service enables organizations to move on-premises files and folders to Azure Storage with minimal downtime, leveraging just-in-time permission setting and Azure Key Vault to keep data protected end-to-end. In addition to the generally available capabilities—such as migrating from an on-premises NFS share to an Azure Blob container and from Server Message Block (SMB) sources to Azure File Shares or Azure Blob containers—this update adds NFS source to Azure File Shares (NFS 4.1) as a supported target, expanding options for secure and streamlined file migrations.

Instant Access Snapshots for Azure Premium SSD v2 and Ultra Disks (preview)

Microsoft has announced Public Preview of Instant Access Snapshots for Premium SSD v2 (Pv2) and Ultra Disks, enabling new disks to be restored immediately after a snapshot is created. Restored disks deliver full performance instantly while data hydration completes rapidly in the background. This capability accelerates common workflows such as taking instant backups before software updates for quick rollback, rapidly scaling stateful applications by cloning primary data for new instances (for example, adding read-only Microsoft SQL Server replicas), and performing fast, recurring refreshes of training or testing environments from production.

Azure Local

General

Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure

Microsoft has been recognized as a Leader in the 2025 Gartner Magic Quadrant for Distributed Hybrid Infrastructure for the third consecutive year. The recognition reflects Azure’s adaptive cloud approach, centered on Azure Arc and Azure Local, which brings the cloud operating model to datacenters, edge, multicloud, and sovereign environments. Azure Arc extends Azure management and governance—via Azure Resource Manager—to any infrastructure and enables services such as Azure Kubernetes Service (AKS), Microsoft Defender for Cloud, Azure IoT Operations, and Azure AI Video Indexer. Azure Local builds on Azure Arc to run cloud-native workloads, including virtual machines and Arc-enabled AKS, in customer-owned environments while supporting Microsoft’s Sovereign Private Cloud strategy. Together, these capabilities provide unified governance, security, and management across distributed estates, helping organizations innovate, remain secure, and scale with confidence.

Azure Local 2510 release

Microsoft has released Azure Local 2510, a milestone update that resolves 437 bugs and delivers multiple features aimed at improving performance, resilience, and operational efficiency. The release expands upgrade eligibility (11.2510/23H2 to 12.2510/24H2) for all customers without opt-in, and advances partner lifecycle consistency through SBE 5.0 support in the 2-Tier Program, raising the bar on capabilities like download, health checks, threat modeling, and custom Cluster-Aware Updating (CAU) plugins.

Ability to inject Hotfix during Deploy

The 2510 release adds the ability to inject hotfixes into deployment packages, allowing post-release fixes to be applied as part of a fresh deploy. This shortens time-to-resolution, reduces repeat incidents across customers, and lowers support overhead. Microsoft has already scheduled two hotfix waves for 2510 to improve reliability across deployment and upgrade paths.

Deployment using Local Identity (preview)

Azure Local now supports “AD-less” deployment using local identities. This approach reduces external dependencies for edge scenarios by using local accounts to set up the cluster. Node-to-node communications authenticate via certificates, while sensitive node secrets such as BitLocker keys are stored securely in Azure Key Vault, simplifying initial rollout without sacrificing security.

Enable upgrade to 12.2510 (24H2)

Beginning with this release, customers running solution version 11.2510 (23H2) can upgrade directly to 12.2510 (24H2). The broadened availability removes prior opt-in requirements, streamlining planning and enabling faster access to new capabilities.

SBE 5.0 support for 2-Tier Program

Azure Local 2510 introduces support for SBE 5.0 packages across both tiers of the program. By requiring all tiers—not only premier solutions—to meet key SBE capabilities (download, health checks, threat modeling, and custom CAU plugins), the release standardizes and strengthens lifecycle management, delivering a consistent, secure, and scalable experience.

Compute

Rack Aware Cluster (preview)

Rack-aware clustering enables customers to define local availability zones that map to physical racks within their datacenter. By spreading roles and data across rack boundaries, the feature increases fault tolerance and reduces the risk of downtime or data loss from a single rack failure.

Trusted Virtual Machine Guest Attestation (preview)

Trusted VM Guest Attestation allows customers to verify that a VM boots into a known-good state by validating the integrity of the full boot chain—including firmware, boot loader, and drivers. This preview enhances supply-chain and platform trust by detecting unexpected changes before workloads run.

KMSv2 encryption for AKS-HCI clusters

KMS v2 replaces the deprecated KMS v1 (in Kubernetes v1.28) and is enabled by default for new AKS-HCI clusters. The change improves security posture and operational continuity for edge environments with no workload disruption during cluster creation, while providing automatic key rotation and stronger compliance readiness.

Kubernetes v1.32 support on AKS Arc

Azure Local 2510 enables deployment of AKS Arc clusters running Kubernetes v1.32. The update delivers the latest upstream capabilities and performance improvements, helping customers maintain feature parity and modern security baselines across Arc-managed Kubernetes estates.

Networking

Software Defined Network with Network Security Groups

Software Defined Network (SDN) with Network Security Groups (NSGs) is now generally available for Azure Local. Customers can create and manage NSGs and granular security rules for Azure Local virtual machines, enabling improved segmentation, consistent policy enforcement, and defense-in-depth across on-premises deployments.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 41 and 42)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Azure Integrated HSM (preview)

Azure is releasing Azure Integrated Hardware Security Module (HSM), a built-in HSM cache and cryptographic accelerator designed to improve both security and performance for cryptographic operations within virtual machines. Targeted at crypto-intensive workloads, the feature provides secure key storage with fast, in-boundary retrieval and uses specialized hardware engines for encryption, decryption, signing, and verification while keys remain protected inside the integrated HSM. Azure Integrated HSM is part of the AMD D- and E-series v7 preview, designed to meet Federal Information Processing Standards (FIPS) 140-3 Level 3 requirements, and is available on the Dasv7, Dadsv7, Easv7, and Eadsv7 series with 8 vCores and above. The preview initially supports Windows (Linux support is coming soon) and is offered at no additional cost.

Compute

Retirement of F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series VMs in 2028

Microsoft has announced that the F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series Azure Virtual Machines will retire on November 15, 2028, and will no longer be usable or purchasable after that date. Customers should plan migrations of affected workloads to newer VM series to ensure continuity. Three-year reserved instances for these series cannot be purchased or renewed starting November 15, 2025, and one-year reserved instances will not be available for purchase or renewal after November 15, 2027. Existing three-year reservations will continue to provide benefits until their contracted end date; after expiration, usage will be billed at pay-as-you-go rates. Customers are advised to review current reservations to identify impacted VMs and expiration timelines and to plan migration accordingly.

Networking

Prescaling in Azure Firewall

Azure Firewall now supports prescaling, enabling administrators to provision and reserve capacity units ahead of anticipated demand—such as seasonal peaks or planned business events—to maintain consistent throughput, accelerate scaling response, and gain tighter control over capacity. In addition, a new Observed Capacity metric surfaces current and historical capacity usage to inform planning, while flexible billing ensures organizations pay only for the provisioned capacity units and can adjust them as needs evolve. Prescaling is available for Azure Firewall Standard and Premium Stock Keeping Unit (SKU) tiers in all public regions.

Observed capacity metric in Azure Firewall

Azure Firewall introduces the Observed Capacity metric to help teams understand how their firewalls scale in real-world conditions by tracking the number of actively utilized capacity units over time. With this signal, operators can validate that prescaling or autoscaling configurations behave as expected, set proactive alerts as usage approaches defined thresholds, diagnose whether scaling is keeping pace with demand, and forecast future capacity requirements using both historical and current traffic trends.

Azure Firewall updates – Customer-provided public IP address support in secured hubs

Azure Firewall in Virtual WAN secured hubs now supports customer-provided public IP addresses, allowing organizations to “bring their own” IPs already allocated within their Azure subscription. This gives teams greater control over egress identity and simplifies compliance, security policy enforcement, and third-party integrations that depend on stable, preapproved public IPs. Instead of relying on Azure-managed addresses, customers can assign their own, enabling consistent addressing across environments and reducing operational friction.

Azure Firewall updates – IP Group limit increased to 600 per Firewall Policy

Azure Firewall Policy now supports up to 600 IP Groups per policy (previously 200), enabling administrators to better organize large rule sets and reduce rule complexity. With more IP Groups, enterprises managing extensive, segmented networks can model application tiers and subnets more cleanly, while named groups improve readability and speed up troubleshooting and audits by clarifying rule intent in logs and reviews.

Private Link Service Direct Connect (preview)

Azure is introducing Private Link Service Direct Connect, which extends Azure Private Link by allowing a private link service to connect directly to any routable destination IP address—removing the previous requirement to place applications behind a Standard Load Balancer. This enhancement preserves the same private and secure access model while simplifying architectures for publishing services to customers. The limited public preview is initially available in North Central US, East US 2, Central US, South Central US, West US, West US 2, West US 3, Asia Southeast, Australia East, and Spain Central, with additional regions to follow.

Storage

Azure NetApp Files short-term clones

Azure NetApp Files short-term clones are now generally available, providing space-efficient, instant read/write copies created from existing volume snapshots without requiring full data duplication. The clones persist for up to 32 days and consume capacity only for incremental changes, accelerating development, analytics, disaster recovery drills, and testing with large datasets. By enabling rapid refreshes from the latest snapshots and minimizing operational overhead, this capability improves workflow velocity, quality, and cost efficiency across data-intensive scenarios.

Azure Storage Discovery

Azure Storage Discovery delivers enterprise-wide visibility across the Azure Storage data estate, allowing organizations to deeply analyze used capacity and activity, optimize costs, strengthen security posture, and improve operational efficiency. Integrated with Azure Copilot, it lets stakeholders—from cloud architects to storage administrators and data governance leads—unlock insights with natural language prompts and quickly answer questions such as total data stored across all accounts, regions with the fastest growth, and where to reduce costs via tiering adjustments or cleanup of stale data. The service is offered in two plans—Free for basic insights and Standard for full capabilities—and can begin analyzing data across subscriptions within hours, providing some pre-deployment history and up to 18 months of retention to reveal long-term patterns like workload peaks and valleys.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 39 and 40)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Azure VMware Solution AV36 Node Retirement on June 30, 2028

Microsoft announces the retirement of the AV36 node type for Azure VMware Solution effective June 30, 2028. Existing AV36 Reserved Instance (RI) terms remain unchanged, but customers are advised to review their AV36 RI expiration timelines and coordinate next steps with their Microsoft account teams. To ease the transition, Microsoft will offer AV36 1-year RIs with VCF included until October 15, 2025, and AV36 VCF BYOL 1-year RIs until June 30, 2026 (requiring a portable Broadcom VCF subscription). Existing AV36 Pay-As-You-Go subscriptions will continue through September 30, 2027. This change impacts only AV36; AV36P, AV48, AV52, and AV64 remain available with AVS VCF BYOL options.

Retirement: NVv3-series Azure Virtual Machines will be retired on September 30, 2026

Microsoft will retire the NVv3-series VM sizes—Standard_NV12s_v3, Standard_NV12hs_v3, Standard_NV24s_v3, Standard_NV24ms_v3, Standard_NV32ms_v3, and Standard_NV48s_v3—on September 30, 2026. To avoid disruption, organizations should migrate workloads to newer sizes within the NV product line. Microsoft recommends NVadsA10_v5 VMs, which provide higher GPU memory bandwidth per GPU and are well suited for GPU-accelerated graphics, virtual desktops, visualization workloads, and smaller AI scenarios.

Networking

Using Server-Sent Events with Application Gateway

Azure Application Gateway now supports Server-Sent Events (SSE) in general availability, enabling real-time, server-to-client data streaming over a persistent HTTP connection. To adopt SSE, administrators must apply specific configurations on both the Application Gateway resource and the backend application so that server push updates flow reliably to connected clients.

Retirement: Azure VPN Gateway support for SSTP Protocol will be retired on March 31, 2027

Azure VPN Gateway support for the SSTP protocol will be phased out due to limited scalability and performance. Customers are advised to migrate to IKEv2 or OpenVPN, which provide significantly higher connection limits—up to 10,000 connections—and aggregate throughput up to 10 Gbps depending on the gateway SKU. Key dates include March 31, 2026, when enabling SSTP on VPN gateways will no longer be supported, and March 31, 2027, when existing SSTP-enabled gateways will no longer be able to establish SSTP connections. To avoid disruption, customers should complete migration to IKEv2 or OpenVPN before March 31, 2027.

New health check infrastructure for Azure Traffic Manager

Azure Traffic Manager has introduced new health check infrastructure designed to improve resiliency and horizontal scalability. Customers are being migrated to the new platform, which enhances the reliability of health probes. Because probes originate from updated IP addresses, environments with strict firewall controls should ensure health checks are allowed. The recommended approach is to use the AzureTrafficManager Service Tag in NSGs or Azure Firewall so rules stay current automatically. Where Service Tags are not feasible (such as custom appliances or non-Azure environments), administrators should manually update ACLs or firewall rules with the latest IP prefixes from the Azure IP Ranges and Service Tags JSON and refresh them periodically.
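For the manual path described above, the following added example (not Microsoft's script) reads the AzureTrafficManager entry from the Azure IP Ranges and Service Tags JSON, checks whether a given probe source address is covered, and diffs a firewall's configured prefixes against the published list so stale entries surface. The top-level layout (`values[].name` and `values[].properties.addressPrefixes`) is that of the published file; the prefixes embedded below are constructed documentation-range samples, not real Traffic Manager addresses.

```python
"""Extract AzureTrafficManager prefixes from the Service Tags JSON, check a
probe source address against them, and diff them with configured rules.

Added example, not Microsoft tooling. The JSON shape mirrors the published
file; the prefixes in SAMPLE_SERVICE_TAGS are constructed samples."""
import ipaddress
import json

# Constructed sample in the shape of the downloadable Service Tags file.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "AzureTrafficManager",
            "id": "AzureTrafficManager",
            "properties": {
                "systemService": "AzureTrafficManager",
                "addressPrefixes": ["203.0.113.0/26",
                                    "198.51.100.128/25",
                                    "2001:db8:1::/48"],
            },
        },
        {
            "name": "AzureFrontDoor.Backend",
            "id": "AzureFrontDoor.Backend",
            "properties": {"addressPrefixes": ["192.0.2.0/24"]},
        },
    ],
})


def load_tag_prefixes(service_tags_json: str, tag: str) -> list:
    """Return the address prefixes published for one service tag."""
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            return [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not found")


def covering_prefix(addr: str, prefixes: list):
    """Return the prefix containing addr, or None if no prefix covers it
    (a probe from an uncovered source is either stale data or not
    Traffic Manager at all)."""
    ip = ipaddress.ip_address(addr)
    for net in prefixes:
        if ip.version == net.version and ip in net:
            return net
    return None


def stale_prefixes(current: list, configured: list) -> dict:
    """Diff a firewall's configured prefixes against the published list:
    'add' is published but missing from the rule, 'remove' is configured
    but no longer published."""
    cur = {str(n) for n in current}
    cfg = {str(ipaddress.ip_network(p)) for p in configured}
    return {"add": sorted(cur - cfg), "remove": sorted(cfg - cur)}


if __name__ == "__main__":
    prefixes = load_tag_prefixes(SAMPLE_SERVICE_TAGS, "AzureTrafficManager")
    print(covering_prefix("203.0.113.17", prefixes))
    print(stale_prefixes(prefixes, ["203.0.113.0/26", "10.0.0.0/8"]))
```

Against the real file, pass the downloaded JSON text instead of SAMPLE_SERVICE_TAGS and the allow-list currently configured on the appliance as `configured`.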

Storage

Azure NetApp Files Flexible Service Level

Azure NetApp Files introduces the Flexible service level, allowing independent configuration of storage capacity and throughput to optimize cost and performance without volume moves. Supported on manual QoS capacity pools, throughput can be tuned between 128 MiB/s and 640 MiB/s per provisioned TiB, with a baseline 128 MiB/s provided for every pool at no additional cost. This enables right-sizing for both capacity-heavy workloads with modest performance needs and demanding workloads—such as Oracle or SAP HANA—that require higher throughput on smaller capacity footprints. The Flexible service level is available for newly created pools only, is supported in all Azure NetApp Files regions, and works with cool access for additional savings.

Cross-tenant customer-managed keys for Azure NetApp Files volume encryption

Azure NetApp Files now supports cross-tenant Customer-Managed Keys (CMK) for volume encryption, enabling customers to manage their own encryption keys across different Azure tenancies. This capability gives SaaS providers and their end users greater control in multi-tenant scenarios by allowing end users to retain full key ownership while providers offer flexible key-management options. The feature is available in all Azure NetApp Files–supported regions, delivering secure, scalable, and compliant data protection across tenant boundaries.

Azure NetApp Files support for OpenLDAP, FreeIPA, and Red Hat Directory Server (preview)

Azure NetApp Files introduces public preview support for integrating with FreeIPA, OpenLDAP, and Red Hat Directory Server, enabling secure LDAP over TLS for NFSv3 and NFSv4.1 volumes alongside Microsoft Active Directory. This enhancement streamlines identity integration for hybrid environments and regulated industries, improving access control for NFS workloads. Key benefits include broader LDAP support, secure LDAP over TLS, seamless use with existing identity infrastructure, and greater flexibility for compliance-driven deployments. The preview is available in all Azure NetApp Files regions, with use cases spanning financial services, government, and enterprises standardizing identity across cloud and on-premises estates.

Azure Local

Arc Gateway for Azure Local

Arc Gateway for Azure Local is now generally available, delivering a single, centralized HTTPS egress point for all Azure-bound traffic from Azure Local instances and workloads. By consolidating outbound connectivity behind one “front door,” it reduces the need for sprawling firewall rules and eliminates wildcards, significantly simplifying configuration and strengthening security posture. The gateway cuts required endpoints from well over 100 to fewer than 28 and integrates seamlessly with enterprise proxies by routing outbound traffic through existing proxy infrastructure before reaching Azure. It provides comprehensive coverage for workloads: Azure Local VMs can use Arc Gateway whether or not the infrastructure enabled it during deployment—so long as an Arc Gateway resource exists and guest management is enabled; new VMs can also be deployed with the gateway. AKS clusters on Azure Local implicitly leverage the host-level Arc Gateway when it was enabled for the infrastructure at deployment; AKS with Arc Gateway remains in Public Preview until its future GA. Support for enabling Arc Gateway on existing Azure Local infrastructure is planned for a future release.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – September 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Starting September 30, 2025, Azure App Service on Azure Arc-enabled Kubernetes will be retired and it will no longer be possible to install the extension. To continue hosting application workloads, Microsoft recommends migrating to alternative solutions such as Azure Container Apps on Azure Arc-enabled Kubernetes, which also enables you to leverage Logic Apps Hybrid. A timely assessment and migration plan is recommended to ensure completion by the deadlines, minimizing risks and service disruptions in hybrid and multicloud environments.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is under continuous development, with improvements introduced on an ongoing basis. To stay updated on the latest developments, Microsoft maintains this page, which lists new features, bug fixes, and deprecated features. This month’s main news includes:

  • Malware automated remediation in Defender for Storage (preview): the automated remediation feature for Defender for Storage malware scanning is now available in public preview. When on-upload or on-demand scans detect malicious blobs, the contents can be soft-deleted automatically. This ensures immediate isolation while maintaining recoverability for forensic analysis purposes. The setting can be toggled at the subscription or storage account level from the Microsoft Defender for Cloud blade in the Azure portal, or via API.
  • Refined attack paths: attack paths have been improved to reflect realistic risks that an adversary could use to compromise the organization. The new experience emphasizes external entry points and the attacker’s progression toward business-critical assets, providing greater clarity, focus, and prioritization. This enables security teams to respond more quickly and confidently to the most critical exposures.
  • Trusted IPs for Internet exposure analysis: Defender for Cloud allows you to define trusted IP ranges to reduce false positives in Internet exposure analysis. Resources that are only accessible from trusted IPs are classified as trusted and, as a result, Defender for Cloud does not generate attack paths for those resources.
  • Exposure width for Internet exposure analysis (GA): the Exposure width metric is now Generally Available in Microsoft Defender for Cloud. This capability shows how a resource is exposed to the Internet based on network rules, helping security teams quickly identify and remediate the most critical attack paths.
  • Trivy dependency scanning for code repositories (update): Defender for Cloud now includes open-source dependency scanning based on Trivy in filesystem mode, to automatically detect operating system and library vulnerabilities in GitHub and Azure DevOps repositories.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Files (Premium)

With Azure Backup, “in-vault” protection is now available for Premium shares as well, ensuring business continuity and compliance even in the event of accidental deletions, malicious activity, or ransomware. Vaulted backup keeps a secure, off-site copy of the data, independent of the source account.

Key capabilities of vaulted backup:

  • Off-site protection: stores an independent copy of data in the vault, enabling restore even if the source account is lost or compromised. You can restore to the original account or to an alternate account.
  • Resilience to deletions and attacks: isolated backups that protect against accidental deletions, insider threats, and ransomware, ensuring operational continuity.
  • Automatic and flexible backups: support for daily/weekly schedules, or on-demand backups when needed.
  • Long-term retention: ability to retain backup data for up to 99 years, meeting compliance and archiving requirements.
  • Security by design: safeguards such as soft delete, immutability, encryption, and multi-user authorization protect data in the vault from tampering or misuse.

Azure Site Recovery

Support for virtual machines with Premium SSD v2 disks

General availability has been announced for Azure Site Recovery (ASR) support for virtual machines that use Premium SSD v2 disks. ASR enables replication across Azure regions and from on-premises to Azure, automated failover, and non-disruptive disaster recovery testing, helping ensure business continuity with built-in security, compliance, and native integration with Azure services. Premium SSD v2 delivers low latency and consistent performance, with the flexibility to scale throughput and IOPS independently—an ideal combination for enterprise workloads such as SQL Server, Oracle, SAP, and big data.

Monitoring

Azure Monitor

Azure Resource Manager: new metrics in Azure Monitor

Azure Resource Manager (ARM) introduces enhanced integration with Azure Monitor Metrics at the subscription level, enabling deeper visibility into traffic, latency, and throttling of control-plane operations. Metrics are accessible via REST API, SDKs, or directly from the Azure portal, with no opt-in required. New dimensions are also available for advanced analysis and filtering: operation type (read/write/delete), ARM request region, HTTP method, HTTP status code, status code class (2xx, 4xx, 5xx), resource type, and resource provider namespace.
These enhancements strengthen troubleshooting, capacity planning, and governance, simplifying granular monitoring of complex, distributed environments.

High Scale mode for Azure Monitor – Container Insights

Microsoft announces general availability of the High Scale mode in Container Insights, the Azure Monitor solution for collecting logs from Azure Kubernetes Service (AKS) clusters. Enabling High Scale automatically applies a set of configuration optimizations that significantly increase collection throughput, without requiring customer intervention or additional parameters. This mode supports higher telemetry loads in AKS clusters, improving observability and time-to-analysis in large-scale environments, including hybrid and multicloud scenarios integrated with Azure Arc.

Azure Managed Service for Prometheus: native Grafana dashboards in the Azure portal (preview)

Public Preview is available for the native, no-additional-cost integration of Grafana dashboards within the Azure portal for Azure Managed Service for Prometheus. With this update, you can quickly use and customize Grafana dashboards directly in the portal, avoiding the need to deploy and maintain dedicated Grafana instances or additional Azure resources. The integration streamlines observability and reduces administrative overhead, accelerating the creation of visualizations useful for monitoring and troubleshooting containerized and distributed workloads.

Conclusions

This month’s updates—from the retirement of App Service on Arc-enabled Kubernetes and the need to plan that migration in advance, to the Defender for Cloud improvements (automated remediation, more realistic attack paths, trusted IPs, and Exposure width in GA), and on to the resilience advancements with Azure Backup for Files Premium and ASR for Premium SSD v2—all converge on the same goal: reducing attack surface, increasing workload reliability, and simplifying operations at scale. On the monitoring front, the enriched ARM metrics, Container Insights’ High Scale mode, and the “native” Grafana dashboards in Managed Prometheus raise the bar for transparency and time-to-insight without adding complexity. My call to action is to turn these guidelines into concrete steps: assess and begin migrating off retiring assets, recalibrate security policies by leveraging the new prioritization and remediation capabilities, extend “in-vault” backup policies where needed, and standardize monitoring practices by adopting the latest metrics and dashboards.

Is Your AI Safe? Protect It in Hybrid and Multicloud Environments with Microsoft Defender for Cloud

Security in hybrid and multicloud environments is no longer a marginal topic: it’s a strategic priority. The numbers are clear: the average cost of a breach has reached $4.44 million; 86% of decision-makers believe their cybersecurity strategy isn’t keeping pace with multicloud complexity; over 40% expect a skills shortage precisely in security administration roles. In this scenario, the attack surface expands, dependencies multiply, and SecOps teams must interpret fragmented signals coming from different platforms—often with limited resources.

A shift in perspective is needed, and AI itself makes it possible: an approach that combines real-time visibility, shared context, and intelligent automation, capable of keeping up with the speed of the cloud and the evolution of threats.

This article provides an overview of the evolutions of Microsoft Defender for Cloud and how the solution helps strengthen AI security in hybrid and multicloud environments.

How AI Enables a Paradigm Shift

AI is not simply a new tool: even in security, if adopted judiciously, it becomes an operational amplifier capable of transforming posture assessment, incident analysis, and collaboration across teams. In particular, it enables you to:

  • Continuously assess and improve security posture, with real-time visibility and context at “hyper-cloud” scale, thanks to automatic correlations between assets, identities, configurations, and risks.

  • Investigate and respond to threats with unprecedented speed and expertise, with AI-driven detections and strategies, risk-based prioritization, automated playbooks, and operational guidance.

  • Increase productivity and collaboration through natural-language workflows, using, for example, Copilot for triage, research, queries, runbooks, and reporting.

AI Attack Surface: Where Risks Lurk

Before implementing any controls, it’s essential to map the most exposed areas across the entire lifecycle of AI solutions—identities, network, data, models, supply chain, and operations—because that’s where risks accumulate and often go unnoticed.

  • Identity & access. Threats arise from unprotected keys, excessive privileges that pile up over time, and the absence of JIT/PIM mechanisms to limit access and permission duration.

  • Network. AI endpoints exposed to the internet, uncontrolled egress, and the lack of Private Endpoints open avenues an attacker can probe.

  • Data. In RAG architectures with unclassified sources, risk increases: loss of ACLs during indexing and leakage in prompts or logs can expose sensitive information.

  • Models. The use of unapproved families/versions, absence of content safety, and lack of anti-abuse testing expose you to harmful responses, jailbreaking, and non-compliant outputs.

  • ML supply chain. Dataset poisoning, unverified dependencies, and unsigned container images compromise upstream integrity, contaminating the entire training and release process.

  • Cost masking. Anomalous token/RPM usage, key scraping, and abuse by bots/scripts generate unexpected expenses and can mask fraudulent activity.

  • Operations. The lack of SLOs, absence of effective rollbacks, and weak BC/DR strategies make service continuity fragile and extend recovery times.

Mapping these weaknesses is not a theoretical exercise: it’s the prerequisite for designing targeted, measurable, and sustainable controls over time. It’s also about balancing costs and the level of security you aim to achieve.

How Microsoft Defender for Cloud Intervenes

To reduce risk and gain visibility in hybrid and multicloud environments, Defender for Cloud acts on multiple levels:

  • CSPM (Cloud Security Posture Management). It starts with posture: evaluates configurations, maps assets and dependencies, highlights deviations, and proposes concrete remediations. All with a unified multicloud view to compare criteria and priorities across different providers.

  • Workload protection (CWPP). Extends coverage to workloads—VMs, containers/Kubernetes, and PaaS services (databases, storage, app services)—combining hardening recommendations and detections on runtime and configurations.

  • AI detections and recommendations. Makes AI workloads visible and flags risks across configurations, identities, network, and logging, aligning with emerging best practices for AI security and governance.

  • SecOps integration. Closes the loop with operations: forwards events and alerts to Microsoft Sentinel and Defender XDR, enables automated playbooks, and supports guided investigations to reduce MTTD/MTTR.

The result is coordinated defense: from prevention to detection to response, with ready-to-use insights that speak the same language across all clouds.

AI Security Posture Management (CSPM): “Code-to-Cloud” Visibility for Generative AI

With the Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud, security spans enterprise on-premises environments and hybrid/multicloud scenarios (Azure, AWS, Google Cloud), covering the entire lifecycle of generative AI applications: from code, to pipelines, to production runtime.

AI Bill of Materials (AI BOM)

Defender for Cloud discovers AI workloads and reconstructs the AI BOM: application components, data, and AI artifacts, from code to cloud. This end-to-end visibility makes it possible to identify vulnerabilities, prioritize risks, and protect generative applications with targeted interventions.

Continuous discovery of AI workloads is available for major services:

  • Azure OpenAI Service

  • Azure AI Foundry

  • Azure Machine Learning

  • Amazon Bedrock

  • Google Vertex AI (Preview)

In addition, Defender for Cloud detects vulnerabilities in dependencies of generative AI libraries (e.g., TensorFlow, PyTorch, LangChain) by analyzing source code (IaC misconfigurations) and container images (vulnerabilities).

Contextual Insights and Recommendations

Defender CSPM provides recommendations on identities, data security, and internet exposure, helping identify and prioritize critical issues.

DevOps security and IaC scanning intercept misconfigurations that expose generative apps (excessive permissions, unintentionally published services), reducing breaches, unauthorized access, and compliance problems.

Examples of IaC controls for AI

  • Use of Private Endpoints for Azure AI Service.

  • Restricting Azure AI Service Endpoints.

  • Managed Identity for Azure AI service accounts.

  • Identity-based authentication for Azure AI service accounts.

In addition, the attack path analysis feature detects and helps mitigate risks to AI workloads, even when data and compute are distributed across Azure, AWS, and GCP.

What’s New: Defender for AI Services (Runtime Protection for Azure AI Services)

Defender for AI Services introduces runtime protection for Azure AI services (formerly threat protection for AI workloads). It is designed for risks specific to generative AI and combines Microsoft Threat Intelligence and Azure AI Content Safety (Prompt Shields) with real-time analytics to detect data leakage, data poisoning, jailbreaks, credential theft, wallet abuse, suspicious access patterns, and other malicious behaviors.

Overview — Protection Against AI Threats

The solution makes it possible to identify threats to generative AI applications in real time and assists in response with context-rich alerts and recommendations. It provides coverage for endpoints and AI resources present in subscriptions, highlighting risks that can impact applications.

Integration with Defender XDR

Protection for AI services integrates with Defender XDR, allowing you to centralize alerts related to AI workloads in the XDR portal and correlate alerts and incidents with identities, endpoints, network, and applications along the entire kill chain.

Evidence from User Prompts

With the protection plan active, it is optionally possible to include in alerts suspicious segments of user prompts and/or model responses originating from apps or AI resources. This evidence is customer data and helps with triage, classification, and intent analysis. It is available in the Azure portal, Defender portal, and via specific integrations.

Application and User Context in Alerts

To maximize actionability, the solution propagates user and application context (e.g., userId, userIp, sessionId, appId, environment, requestId) on API calls to Azure AI. This makes it possible to block users, correlate incidents, prioritize, and distinguish suspicious activity from expected behavior for a specific app.

Data and AI Security Dashboard: Unified View, Faster Decisions

The Data and AI Security Dashboard in Microsoft Defender for Cloud offers a centralized platform to monitor and manage data and AI resources, associated risks, and protection status. It highlights critical issues, resources requiring attention, and internet-exposed assets, enabling proactive mitigation. It also provides insights on sensitive data within data services and AI workloads.

Key Benefits

  • Unified view of all data and AI resources in a single interface.

  • Insights into data location and the types of resources that host it.

  • Assessment of protection coverage for data and AI resources.

  • Attack paths, recommendations, and data threat analysis in one place.

  • Mitigation of critical risks and continuous posture improvement.

  • Security explorer highlighting useful queries to uncover insights.

  • Identification and synthesis of sensitive data in cloud resources and AI assets.

Data Security with Microsoft Purview

To rigorously manage data used in AI applications, you can enable integration with Microsoft Purview. This feature requires a Microsoft Purview license and is not included in the Microsoft Defender for Cloud plan for AI services.

By enabling Purview, you allow the platform to access, process, and store request and response data—including associated metadata—originating from Azure AI services. In this way, you enable key data security and compliance scenarios, such as:

  • Sensitive Information Type (SIT) classification.

  • Analysis and reporting with Microsoft Purview DSPM for AI.

  • Insider risk management.

  • Communications compliance.

  • Microsoft Purview auditing.

  • Data lifecycle management.

  • Electronic discovery (eDiscovery).

In practice, this integration makes it possible to govern and monitor AI-generated data in alignment with corporate policies and regulatory requirements, fostering responsible, traceable, and compliant use of AI throughout the entire information lifecycle.

Conclusions

AI security in hybrid and multicloud environments requires a continuous, measurable, risk-oriented posture. Microsoft Defender for Cloud provides the tools to move from visibility to operational protection: discovery of workloads and AI BOM, contextual recommendations and attack path analysis, through to runtime protection with Defender for AI Services and incident correlation in Defender XDR and Microsoft Sentinel. Integration with Microsoft Purview makes it possible to govern the data that fuel models, ensuring traceability and compliance throughout the entire lifecycle.

The recommended path is clear: map the AI attack surface; enable CSPM and essential IaC controls; extend coverage to key workloads (VMs, containers, PaaS); activate runtime protection for Azure AI services; and centralize detection and response. Only then does AI become a multiplier of resilience rather than a new vector of risk. Finally, remember that absolute security in IT does not exist (except for systems that are powered off and completely isolated): it is therefore essential to balance costs, operational impact, and the desired level of protection, based on the value of assets and acceptable risk.

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 37 and 38)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Licensing changes for future Azure VMware Solution subscriptions starting October 16, 2025

Microsoft has announced licensing changes for Azure VMware Solution (AVS) following Broadcom’s updates to VMware licensing policies. Beginning October 16, 2025, customers purchasing new or additional AVS nodes must bring their own portable VMware Cloud Foundation (VCF) subscription from Broadcom or an authorized reseller. Existing AVS deployments with VCF included under Reserved Instance (RI) terms can continue operating without licensing or product changes through the end of the RI term, and customers may use the self-service exchange process to trade in an RI on or before October 15, 2025 for a later expiration date. For Pay-As-You-Go subscriptions that included VCF, customers are advised to contact their Microsoft account team for details and key dates. The AVS service itself is unchanged and remains a fully managed VCF private cloud in Azure. 

At-cost data transfer between Azure and an external endpoint

Azure now provides at-cost data transfer for customers and Cloud Solution Provider partners in Europe who move data over the public internet between Azure and another data processing provider, supporting interoperable, multi-cloud architectures. Eligible organizations—those with billing addresses in the European Economic Area (EEA), European Free Trade Association (EFTA), or the United Kingdom—may request a credit for such cross-cloud transfers by following the documented Azure Support process and meeting the stated eligibility requirements.

Azure mandatory multifactor authentication: Phase 2 starting in October 2025

Microsoft confirmed the next phase of its mandatory multifactor authentication (MFA) rollout for Azure sign-ins, citing research that MFA can block more than 99.2% of account compromise attempts. Following the August 2024 announcement and the completion of Phase 1 in March 2025 (enforcement for Azure Portal, Microsoft Entra admin center, and Intune admin center sign-ins across 100% of tenants), Phase 2 will begin on October 1, 2025. This phase enforces MFA at the Azure Resource Manager layer for resource management operations across clients including Azure CLI, Azure PowerShell, the Azure Mobile App, REST APIs, SDK libraries, and Infrastructure-as-Code tools, with gradual application via Azure Policy under safe deployment practices. Notifications have been sent to Microsoft Entra Global Administrators through email and Azure Service Health. The change requires users to authenticate with MFA before executing resource management actions; workload identities such as managed identities and service principals are not impacted. To prepare, organizations are advised to enable MFA for users by October 1, 2025, assess potential impact using built-in Azure Policy definitions in audit or enforcement mode, and update clients to Azure CLI version 2.76 and Azure PowerShell version 14.3 or later. If MFA cannot be enabled by the start date, a Global Administrator can postpone enforcement in the Azure portal, with further communications to follow via established channels.

Compute

Retirement: Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026

Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026. Customers are encouraged to transition to Azure Kubernetes Service on Azure Local before that date to take advantage of its enhanced capabilities. After March 16, 2026, deployments of AKS on VMware will no longer be possible and support will cease. For additional questions, Microsoft directs customers to AKS on Azure Local. 

Azure D192 sizes in the Azure Dsv6 and Ddsv6-series VM families

Microsoft has added the D192 size to the Dsv6 and Ddsv6-series VMs, powered by 5th Gen Intel® Xeon® Platinum 8573C (Emerald Rapids). Dsv6 uses Azure managed disks only, while Ddsv6 offers local temporary storage. These sizes deliver 192 vCPUs and 768 GiB RAM, targeting general-purpose, memory-intensive, and enterprise workloads such as SAP, SQL, in-memory analytics, large relational databases, web/app servers under moderate-to-heavy traffic, batch processing, and dev/test. Azure Boost provides up to 400K IOPS and 12 GB/s remote storage throughput with NVMe-enabled local and remote storage, and up to 82 Gbps network bandwidth. Security is strengthened with Intel® Total Memory Encryption (TME), and the NVMe interface yields up to a 3× improvement in local storage IOPS for low-latency access.

DCa/ECa v6-series AMD-based confidential VMs now generally available

Microsoft is making the new DCa/ECa v6-series AMD-based confidential virtual machines generally available in UAE North, Korea Central, West Central US, South Africa North, Switzerland North, and UK South. Powered by 4th Gen AMD EPYC™ processors with Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), these VMs provide hardware-based memory encryption so that memory written by a VM can only be accessed by that VM, with encryption keys generated by a dedicated secure processor on the CPU and not retrievable from software. The lineup includes the general-purpose DCasv6-series and the memory-optimized ECasv6-series, offering improved performance and price-performance over prior AMD-based confidential VMs. Workloads can typically migrate without code changes, making these VMs well-suited for processing sensitive data such as PII and PHI within an attested trusted execution environment.

Azure HBv5-series VMs (preview)

Azure has introduced HBv5-series VMs in public preview in the South Central US region. Designed for memory bandwidth–intensive HPC workloads—including CFD, automotive and aerospace simulation, weather modeling, energy research, molecular dynamics, and computer-aided engineering—HBv5 features 6.7 TB/s of memory bandwidth across 450 GB (438 GiB) of HBM. Each VM provides 368 4th Gen AMD EPYC™ cores at 3.5 GHz base and up to 4.0 GHz boost with no simultaneous multithreading, 800 Gb/s NVIDIA Networking InfiniBand for supercomputer-scale MPI, and 15 TiB of local NVMe SSD delivering up to 50 GB/s reads and 30 GB/s writes.

Networking

Introducing the new Network Security Hub experience

Microsoft has expanded and rebranded the Azure Firewall Manager experience as the Network Security Hub, a centralized interface that unifies Azure Firewall, Web Application Firewall (WAF), and DDoS Protection. The refreshed experience simplifies the Azure Networking portfolio with improved navigation, consolidated service overviews, and enhanced visibility into security coverage. A redesigned landing page surfaces common use cases, documentation, pricing, and recommended scenarios to accelerate onboarding. Key highlights include a single hub to manage Firewall, WAF, and DDoS Protection, an enhanced coverage dashboard across virtual networks, hubs, and applications, Azure Advisor–driven recommendations for security and performance, and streamlined discovery of resources such as Virtual Hub deployments and Firewall Policies.

Enabling dedicated connections to backends in Azure Application Gateway

Azure Application Gateway v2 now supports dedicated connections from the gateway to backend servers. While the default behavior reuses idle backend TCP connections to optimize resource usage, the new setting maps each incoming client connection to its own distinct backend connection, enabling strict one-to-one communication between frontend and backend when required.

Backend TLS validation controls in Azure Application Gateway

Azure Application Gateway v2 announces the general availability of customer-controlled backend TLS validations. When HTTPS is selected in Backend Settings, operators can now enable or disable certificate chain and expiry verification and separately enable or disable SNI verification. These options allow teams to tailor TLS behavior to the needs of diverse environments while preserving secure, reliable connectivity to backend services.

Storage

Azure NetApp Files migration assistant

Azure NetApp Files migration assistant (using SnapMirror) is now generally available, enabling efficient, cost-effective data migration from on-premises environments or CVO/other cloud providers to Azure NetApp Files. Available via REST API, the capability leverages ONTAP replication to reduce network transfer for baseline and incremental updates, supports low-downtime cutovers to minimize business disruption, and preserves primary data protection with source volume snapshots while maintaining directory and file metadata, including security attributes.

Retirement: OS disks on Standard HDD will be retired on September 8, 2028

Microsoft announced that service for operating system (OS) disks running on Standard HDD will be retired on September 8, 2028, in alignment with evolving usage patterns and investments in disk performance and reliability. After that date, any remaining OS disks on Standard HDD will be converted to Standard SSD of equivalent size if not migrated beforehand, with further details to follow in public documentation. This change does not affect Standard HDD data disks (non-boot volumes) or Ephemeral OS disks. To mitigate risk, customers are expected to avoid deploying new VMs with HDD OS disks and to migrate existing HDD OS disks to Standard SSD or Premium SSD ahead of the retirement date.

Azure Data Box Next Gen expands general availability to additional regions

Microsoft has expanded general availability for Azure Data Box Next Gen to India, Qatar, South Africa, and Korea. With this update, both the 120 TB and 525 TB NVMe-based Data Box devices are generally available in the US, UK, Europe, US Gov, Canada, Japan, Australia, Singapore, India, and Qatar. The 120 TB model is also generally available in Brazil, UAE, Hong Kong, Switzerland, Norway, South Africa, and Korea. Announced earlier this year, the next-generation devices have already ingested several petabytes across multiple industries, with customers reporting up to 10× faster transfers. Organizations value the devices’ reliability and efficiency for large-scale migration projects, and can select the appropriate SKU and place orders directly from the Azure portal. 

File share-centric management model for Azure Files (preview)

Azure Files now introduces a file share–centric management model via the Microsoft.FileShares resource provider, making file shares top-level Azure resources that no longer require a storage account. With this shift, file shares can be provisioned independently for capacity, IOPS, and throughput—removing contention with other shares and enabling granular networking and security controls. The model adopts the SSD provisioned v2 cost structure for predictable, flexible billing and brings ~2× faster provisioning, higher scale limits, and share-level billing for clearer cost attribution. This preview streamlines creation and lifecycle management while aligning performance and cost directly to each share.

Azure Local

Direct upgrade from Azure Stack HCI OS 22H2 to 24H2 via PowerShell

With the 2505 release, Azure Stack HCI administrators can now perform a direct in-place upgrade from version 20349.xxxx (22H2) to version 26100.xxxx (24H2) using PowerShell. This streamlined path removes an intermediate hop, reducing the number of reboots and simplifying maintenance planning ahead of the broader solution upgrade.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

The 7 Pillars of AI Governance on Azure PaaS — A Practical Guide

AI is no longer theory; it’s everyday practice: pilot projects, enterprise chatbots, and new customer-facing features. Adoption is accelerating—often faster than an organization’s ability to govern it. In the midst of this race, Azure’s AI PaaS offerings provide a fast track to experiment and move services into production. But speed without guardrails comes at a cost: data exposure, unpredictable spend, opaque decision-making, and compliance risks that can slow innovation precisely when it should be accelerating.

Governance isn’t a brake on creativity—it’s the structure that lets AI become repeatable, safe, and measurable value. It means aligning investments with business goals, clarifying accountability, and defining controls, observability, and lifecycles; it means knowing where models live, who uses them, with what data, and at what cost. In Azure, where many capabilities are just “an API call away,” the line between a brilliant idea and an operational incident often comes down to the quality of your governance choices.

This article turns the Cloud Adoption Framework guidance into practical recommendations for governing Azure’s AI PaaS services. The journey is organized into seven complementary domains that together build a responsible AI posture: governing platforms, models, costs, security, operations, regulatory compliance, and data.

In the chapters that follow, we’ll dive into each domain with an operational focus. The goal is simple: to lay the foundation for a governance framework that unlocks innovation, reduces risk, and keeps AI aligned with the business—today and as it evolves.

Governing AI Platforms

If the foundation isn’t consistent, every team ends up “doing its own thing.” Platform governance exists precisely to prevent that: to apply uniform policies and controls to Azure AI services so security, compliance, and operations stay aligned as architectures evolve.

Put this into practice:

  • Leverage built-in policies. With Azure Policy you’re not starting from scratch: there are ready-made definitions covering common needs—security setup, spending limits, compliance requirements—without custom development. Assign these policies to Azure AI Foundry, Azure AI Services, and Azure AI Search to standardize identity, networking, logging, and required baseline configurations.

  • Enable Azure Landing Zone policy sets. Landing zones include curated, tested initiatives for AI workloads, already aligned with Microsoft recommendations. During deployment, select the Workload Specific Compliance category and apply the dedicated initiatives (e.g., Azure OpenAI, Azure Machine Learning, Azure AI Search, Azure Bot Service) to achieve broad, consistent coverage across environments.

Governing AI Models

A powerful but ungoverned model produces unpredictable results. Model governance ensures safe, reliable, and ethical outputs by setting clear rules for model inputs, outputs, and usage. Here’s what to implement:

  • Inventory agents and models.
    Use Microsoft Entra Agent ID to maintain a centralized view of AI agents created with Azure AI Foundry and Copilot Studio. A complete inventory enables access enforcement and compliance monitoring.

  • Restrict approved models.
    With Azure Policy, limit which model families/versions can be used in Azure AI Foundry. Apply model-specific policies to meet your organization’s standards and requirements.

  • Establish continuous risk detection. Before release and on a recurring basis:

    • Enable AI workload discovery in Defender for Cloud to identify workloads and assess risks pre-deployment.

    • Schedule regular red-team exercises on generative models to uncover weaknesses.

    • Document and track identified risks to ensure accountability and continuous improvement.

    • Update policies based on findings so controls stay effective and aligned with current risks.

  • Apply content-safety controls everywhere.
    Configure Azure AI Content Safety to filter harmful content on both inputs and outputs. Consistent application reduces legal exposure and maintains uniform standards.

  • Ground your models.
    Steer outputs with system messages and RAG (retrieval-augmented generation); validate effectiveness with tools like PyRIT, including regression tests for consistency, safety, and answer relevance.
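To make the "restrict approved models" control concrete, here is an added example (not code from the article, and not Azure Policy's own engine) of how a deny rule of that shape is evaluated against deployment resources. It implements only the subset of the policy language the rule needs (field, equals, in, like, allOf, anyOf, not) and assumes each resource has been pre-flattened into a dict keyed by alias name. The `model.name` and `model.version` alias strings are assumptions, so confirm the current aliases with `az provider show --namespace Microsoft.CognitiveServices --expand resourceTypes/aliases` before writing a real definition. The same evaluator applies to the baseline platform policies mentioned under "Governing AI Platforms".

```python
"""Evaluating a model-allowlist policy against deployment resources.

Added example, not code from the article or from Azure Policy itself: a
small evaluator for a subset of the Azure Policy rule language used to check
which Azure AI Foundry / Azure OpenAI deployments a 'restrict approved
models' deny rule would block. Resources are pre-flattened dicts keyed by
alias name; the model.name / model.version alias strings are assumptions.
"""
from __future__ import annotations

import re
from typing import Any

DEPLOYMENT_TYPE = "Microsoft.CognitiveServices/accounts/deployments"
MODEL_NAME = f"{DEPLOYMENT_TYPE}/model.name"        # assumed alias
MODEL_VERSION = f"{DEPLOYMENT_TYPE}/model.version"  # assumed alias

# Constructed policy rule: deny any deployment that is not on the allowlist.
APPROVED_MODELS_POLICY: dict[str, Any] = {
    "if": {
        "allOf": [
            {"field": "type", "equals": DEPLOYMENT_TYPE},
            {"not": {"anyOf": [
                {"allOf": [
                    {"field": MODEL_NAME, "equals": "gpt-4o-mini"},
                    {"field": MODEL_VERSION, "in": ["2024-07-18"]},
                ]},
                {"field": MODEL_NAME, "like": "text-embedding-*"},
            ]}},
        ]
    },
    "then": {"effect": "deny"},
}


def _same(a: Any, b: Any) -> bool:
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def _like(value: Any, pattern: str) -> bool:
    """'like' uses '*' as its only wildcard and compares case-insensitively."""
    if not isinstance(value, str):
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate_condition(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Recursively evaluate one policy condition; unsupported operators raise."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "field" in cond:
        value = resource.get(cond["field"])  # simplification: pre-flattened aliases
        if "equals" in cond:
            return _same(value, cond["equals"])
        if "notEquals" in cond:
            return not _same(value, cond["notEquals"])
        if "in" in cond:
            return any(_same(value, v) for v in cond["in"])
        if "notIn" in cond:
            return not any(_same(value, v) for v in cond["notIn"])
        if "like" in cond:
            return _like(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource: dict[str, Any], policy: dict[str, Any] = APPROVED_MODELS_POLICY) -> str:
    """'deny' when the policy's 'if' block matches the resource, otherwise 'allow'."""
    return policy["then"]["effect"] if evaluate_condition(policy["if"], resource) else "allow"


# Constructed deployments, flattened the way the evaluator expects.
SAMPLE_RESOURCES = {
    "mini-approved": {"type": DEPLOYMENT_TYPE, MODEL_NAME: "GPT-4o-mini", MODEL_VERSION: "2024-07-18"},
    "mini-old-version": {"type": DEPLOYMENT_TYPE, MODEL_NAME: "gpt-4o-mini", MODEL_VERSION: "2024-01-01"},
    "frontier-model": {"type": DEPLOYMENT_TYPE, MODEL_NAME: "gpt-4o", MODEL_VERSION: "2024-08-06"},
    "embeddings": {"type": DEPLOYMENT_TYPE, MODEL_NAME: "text-embedding-3-small", MODEL_VERSION: "1"},
    "storage-account": {"type": "Microsoft.Storage/storageAccounts"},
}


def evaluate_all() -> dict[str, str]:
    """Map each sample resource name to the effect the policy would apply."""
    return {name: effect_for(res) for name, res in SAMPLE_RESOURCES.items()}


if __name__ == "__main__":
    for name, effect in evaluate_all().items():
        print(f"{name:18s} -> {effect}")
```

Running it shows the approved gpt-4o-mini version and any text-embedding model passing, an older gpt-4o-mini version and a non-allowlisted model being denied, and a resource of a different type left untouched. Keep the allowlist narrow on purpose: a version pin is what prevents a silent model change from landing in production under an approved name.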

Governing AI Costs

AI can burn through budget quickly if you don’t govern consumption, capacity, and usage patterns. The goal is predictable performance, controlled spend, and alignment with business objectives. Here’s what to put into practice:

  • Choose the right billing model for the workload.
    For steady workloads, use commitment tiers / provisioned throughput. With Azure OpenAI, Provisioned Throughput Units (PTUs) offer more predictable costs than pay-as-you-go when usage is consistent. Combine PTU endpoints as primaries with consumption-based endpoints for spikes, ideally behind a gateway that routes traffic intelligently.

  • Select appropriately sized models—avoid overkill.
    Model choice directly impacts cost; less expensive models are often sufficient. In Azure AI Foundry, review pricing and billing mechanics, and use Azure Policy to allow only models that meet your cost and capacity targets.

  • Set quotas and limits to prevent overruns.
    Define per-model/per-environment quotas based on expected load and monitor dynamic quotas. Apply API limits (max tokens, max completions, concurrency) to avoid anomalous consumption.

  • Pick deployment options that are cost-effective and compliant.
    Models in Azure AI Foundry support different deployment modes; prefer those that optimize both cost and regulatory requirements for your use case.

  • Govern client-side usage patterns.
    Uncontrolled access makes spend explode: enforce network controls, keys, and RBAC; impose API limits; use batching where possible; and keep prompts lean (only the necessary context) to reduce tokens.

  • Auto-shut down non-production resources.
    Enable auto-shutdown for VMs and compute in Azure AI Foundry and Azure Machine Learning for dev/test (and in production when feasible) to avoid costs during idle periods.

  • Introduce a generative gateway for centralized control.
    A generative AI gateway enforces limits and circuit breakers, tracks token usage, throttles, and load-balances across endpoints (PTU/consumption) to optimize costs.

  • Apply cost best practices for each service.
    Every Azure AI service has its own levers and pricing. Follow the service-specific guidance (e.g., for Azure AI Foundry) to choose the most efficient option for each workload.

  • Monitor consumption patterns and billing breakpoints.
    Keep an eye on TPM (tokens per minute) and RPM (requests per minute) to tune models and architecture. Use fixed-price thresholds (e.g., image generation, hourly fine-tuning) and consider commitment plans when usage is steady.

  • Automate budgets and alerts.
    In Azure Cost Management, set budgets and multi-threshold alerts to catch anomalies before they impact projects, maintaining financial control over AI initiatives.
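Several of the items above (PTU primaries with consumption-based spill-over, per-client quotas and API limits, and the generative AI gateway) meet in one control point. The following Python model is an added example, not code from the article or from any Microsoft gateway product: it keeps per-client TPM/RPM quotas, caps max_tokens, routes to a PTU backend first and spills to pay-as-you-go when the PTU minute budget is spent, and opens a circuit breaker after repeated failures. Backend names, capacities and clock values are constructed for the demonstration.

```python
"""In-memory model of a generative AI gateway's cost controls.

Added example, not code from the article or from any Microsoft product. It
implements the controls under 'Governing AI Costs': per-client TPM/RPM quotas,
a max_tokens cap, PTU-first routing with consumption spill-over, and a
per-backend circuit breaker. Names, capacities and clock values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

WINDOW_SECONDS = 60.0  # quotas and PTU capacity are tracked per minute


@dataclass
class Backend:
    name: str
    tpm_capacity: int | None  # None = pay-as-you-go, no fixed per-minute cap
    tokens_used: int = 0
    consecutive_failures: int = 0
    open_until: float = 0.0  # circuit breaker open until this time (seconds)

    def can_take(self, tokens: int, now: float) -> bool:
        if now < self.open_until:
            return False  # breaker open: skip this backend
        if self.tpm_capacity is not None and self.tokens_used + tokens > self.tpm_capacity:
            return False  # PTU minute budget exhausted: spill to the next backend
        return True


@dataclass
class ClientQuota:
    tpm: int
    rpm: int
    tokens_used: int = 0
    requests: int = 0


class Gateway:
    def __init__(self, backends, quotas, max_tokens=4096, failure_threshold=3, cooldown=30.0):
        self.backends = list(backends)  # ordered: PTU primaries first, consumption last
        self.quotas = dict(quotas)
        self.max_tokens = max_tokens
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown
        self.window_start = 0.0

    def _roll_window(self, now: float) -> None:
        """Reset per-minute counters when a new window starts."""
        if now - self.window_start >= WINDOW_SECONDS:
            self.window_start = now
            for b in self.backends:
                b.tokens_used = 0
            for q in self.quotas.values():
                q.tokens_used, q.requests = 0, 0

    def route(self, client: str, tokens: int, now: float) -> tuple[str, str | None]:
        """Return (decision, backend); decisions other than 'ok' carry no backend."""
        self._roll_window(now)
        if tokens > self.max_tokens:
            return "denied_max_tokens", None
        quota = self.quotas[client]  # unknown callers are rejected before reaching here
        if quota.requests + 1 > quota.rpm or quota.tokens_used + tokens > quota.tpm:
            return "denied_quota", None
        for backend in self.backends:
            if backend.can_take(tokens, now):
                quota.requests += 1
                quota.tokens_used += tokens
                backend.tokens_used += tokens
                return "ok", backend.name
        return "no_backend", None

    def report(self, backend_name: str, success: bool, now: float) -> None:
        """Feed call outcomes back; N consecutive failures open the breaker."""
        backend = next(b for b in self.backends if b.name == backend_name)
        if success:
            backend.consecutive_failures = 0
            return
        backend.consecutive_failures += 1
        if backend.consecutive_failures >= self.failure_threshold:
            backend.open_until = now + self.cooldown
            backend.consecutive_failures = 0


def demo() -> list[tuple[str, str | None]]:
    """Walk a constructed traffic sequence through the gateway."""
    gw = Gateway(
        backends=[Backend("ptu-primary", tpm_capacity=1000), Backend("paygo-spillover", tpm_capacity=None)],
        quotas={"app-a": ClientQuota(tpm=1500, rpm=10)},
    )
    decisions = [
        gw.route("app-a", 600, now=0.0),   # fits the PTU budget
        gw.route("app-a", 600, now=1.0),   # PTU would exceed 1000 TPM -> spills to pay-as-you-go
        gw.route("app-a", 600, now=2.0),   # client would exceed its 1500 TPM quota
        gw.route("app-a", 5000, now=3.0),  # over the max_tokens cap
    ]
    for _ in range(3):                     # three failures open the PTU breaker
        gw.report("ptu-primary", success=False, now=4.0)
    decisions.append(gw.route("app-a", 100, now=5.0))   # breaker open -> pay-as-you-go
    decisions.append(gw.route("app-a", 100, now=61.0))  # new window, breaker cooled down -> PTU
    return decisions
```

The decision list `demo()` returns is the audit trail you would want a real gateway to emit per request: which limit fired, or which backend served the call. Note the ordering of checks (max_tokens, then client quota, then backend capacity): a single oversized prompt is rejected before it consumes any quota, which is what keeps one misbehaving client from starving the others.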

Governing AI Security

Protecting data, models, and infrastructure requires consistent controls across identity, networking, and runtime. The goal: reduce attack surface and preserve the reliability of your solutions. Here’s what to put into practice:

  • Enable end-to-end threat detection.
    Turn on Microsoft Defender for Cloud on your subscriptions and enable protection for AI workloads. The service surfaces weak configurations and risks before they become vulnerabilities, with actionable recommendations.

  • Apply least privilege with RBAC.
    Start everyone at Reader and elevate to Contributor only when truly needed. When built-in roles are too permissive, create custom roles that limit access to only the required actions.

  • Use managed identities for service authentication.
    Avoid secrets in code or config. Assign a Managed Identity to every service that accesses model endpoints and grant only the minimum permissions required on application resources.

  • Enable just-in-time access for admin operations.
    With Privileged Identity Management (PIM), elevation is temporary, justified, and approved—reducing privileged account exposure and improving traceability.

  • Isolate AI endpoint networking.
    Prefer Private Endpoints and VNet integration to avoid Internet exposure. Where supported, use service endpoints or firewalls/allow-lists to permit access only from approved networks, and disable public network access on endpoints.
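A custom role is only least-privilege if its effective permissions are what you think they are. The following added example (not from the article and not Azure's own authorization engine) checks that using Azure RBAC's evaluation rule: a principal may perform an action at a scope when some assignment at that scope or an ancestor scope carries a role whose Actions match and whose NotActions do not. The Reader (`*/read`) and Contributor (`*`) shapes are the real built-in ones, with Contributor's NotActions list abbreviated; the custom role, its action strings, the principals and the scope ids are constructed, and the example merges Actions and DataActions into one list for brevity.

```python
"""Effective-permission check with Azure RBAC semantics (added example).

Not code from the article or from Azure: it reproduces RBAC's core rule so a
custom least-privilege role can be checked before it is deployed. Reader and
Contributor are the real built-in shapes (Contributor's NotActions abbreviated);
the custom role, its action strings, principals and scopes are constructed, and
Actions/DataActions are merged into one list for brevity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    actions: list[str]
    not_actions: list[str] = field(default_factory=list)


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str  # /subscriptions/<sub>/resourceGroups/<rg>/providers/...


def matches(pattern: str, action: str) -> bool:
    """RBAC action strings use '*' as the only wildcard and are case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and to every child scope."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: Role, action: str) -> bool:
    """Actions grant, NotActions subtract; NotActions never grant anything."""
    return any(matches(p, action) for p in role.actions) and not any(
        matches(p, action) for p in role.not_actions
    )


def is_allowed(principal, action, scope, assignments, roles) -> bool:
    """True when any in-scope assignment of the principal carries a permitting role."""
    return any(
        a.principal.lower() == principal.lower()
        and scope_covers(a.scope, scope)
        and role_permits(roles[a.role], action)
        for a in assignments
    )


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = f"{SUB}/resourceGroups/rg-ai"
CHAT = f"{RG}/providers/Microsoft.CognitiveServices/accounts/aoai-chat"
EMBED = f"{RG}/providers/Microsoft.CognitiveServices/accounts/aoai-embed"

ROLES = {
    "Reader": Role("Reader", ["*/read"]),
    "Contributor": Role("Contributor", ["*"], [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ]),
    # Constructed custom role: only what one app needs to call its own endpoint.
    "AI Endpoint Invoker (custom)": Role("AI Endpoint Invoker (custom)", [
        "Microsoft.CognitiveServices/accounts/read",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/*/action",  # assumed action string
    ]),
}

ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB),
    Assignment("bob", "Contributor", RG),
    Assignment("mi-chat-app", "AI Endpoint Invoker (custom)", CHAT),  # managed identity, resource scope
]

CS = "Microsoft.CognitiveServices/accounts"


def evaluate_all() -> dict[str, bool]:
    """Answer the access questions a reviewer would ask of this assignment set."""
    checks = {
        "alice reads chat account": ("alice", f"{CS}/read", CHAT),
        "alice writes chat account": ("alice", f"{CS}/write", CHAT),
        "bob writes chat account": ("bob", f"{CS}/write", CHAT),
        "bob grants himself a role": ("bob", "Microsoft.Authorization/roleAssignments/write", RG),
        "mi invokes chat deployment": ("mi-chat-app", f"{CS}/OpenAI/deployments/chat/completions/action", CHAT),
        "mi invokes embed deployment": ("mi-chat-app", f"{CS}/OpenAI/deployments/embed/embeddings/action", EMBED),
        "mi deletes chat account": ("mi-chat-app", f"{CS}/delete", CHAT),
    }
    return {q: is_allowed(p, act, sc, ASSIGNMENTS, ROLES) for q, (p, act, sc) in checks.items()}
```

Two results are worth calling out: Contributor at the resource group cannot write role assignments because `Microsoft.Authorization/*/Write` is subtracted, which is why elevation for that step belongs in PIM; and the managed identity can invoke only the account it is assigned on, because scope inheritance goes down, never sideways.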

Governing AI Operations

Operations are what keep AI stable over time: without controls on lifecycle, continuity, and observability, even the best model stalls at the first hiccup. The objectives: reliability, clear recovery times, and steady business value.

  • Define model lifecycle policies.
    Standardize versioning and compatibility with mandatory pre-rollout tests (functional, performance, and safety). Plan release strategies (shadow/canary/blue-green), rollback procedures, and deprecation/retirement rules valid across platforms (Azure AI Foundry, Azure OpenAI, Azure AI Services). Document dependencies, feature flags, and the version compatibility matrix.

  • Plan business continuity and disaster recovery.
    Set RTO/RPO and configure baseline DR for resources exposing model endpoints: replicate across paired regions, use Infrastructure as Code (Bicep/Terraform) for rebuild, and place a gateway in front for failover and cross-instance/region routing. Where possible, enable zone redundancy; snapshot/backup configurations (prompts, safety settings, embeddings/vector stores); and run periodic tests to validate plans.

  • Configure monitoring and alerting for AI workloads.
    Enable Azure Monitor / Log Analytics / Application Insights and set recommended alerts for Azure AI Search, Azure AI Foundry Agent Service deployments, and individual Azure AI Services. Track key SLIs (latency, 4xx/5xx error rates, timeouts, throughput, HTTP 429) and surface degradation before it impacts users. Centralize logs, define SLOs, and create intervention runbooks with escalation paths and automated actions where feasible.
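The SLIs listed above are straightforward to compute once request records are in hand. This added example (not from the article and not Azure Monitor code) computes p95 latency, 5xx error rate, HTTP 429 throttle rate and timeouts per deployment from constructed JSON-lines records and compares them with SLO thresholds. The record schema and the thresholds are assumptions for the demonstration; in Azure the records would come from a Log Analytics query over the gateway's or service's diagnostic logs.

```python
"""Computing AI endpoint SLIs from request logs and raising alerts.

Added example, not code from the article or from Azure Monitor: the
calculation behind the alerts recommended under 'Governing AI Operations'.
The log lines are constructed JSON records with an assumed schema.
"""
from __future__ import annotations

import json
import math
from collections import defaultdict

# Constructed request log (JSON lines); the fields are assumed, not a Microsoft schema.
SAMPLE_LOG = """\
{"ts": "2025-09-01T10:00:01Z", "deployment": "chat-prod", "status": 200, "duration_ms": 300}
{"ts": "2025-09-01T10:00:02Z", "deployment": "chat-prod", "status": 200, "duration_ms": 350}
{"ts": "2025-09-01T10:00:03Z", "deployment": "embed-prod", "status": 200, "duration_ms": 40}
{"ts": "2025-09-01T10:00:04Z", "deployment": "chat-prod", "status": 200, "duration_ms": 400}
{"ts": "2025-09-01T10:00:05Z", "deployment": "chat-prod", "status": 429, "duration_ms": 50}
{"ts": "2025-09-01T10:00:06Z", "deployment": "embed-prod", "status": 200, "duration_ms": 60}
{"ts": "2025-09-01T10:00:07Z", "deployment": "chat-prod", "status": 200, "duration_ms": 2500}
{"ts": "2025-09-01T10:00:08Z", "deployment": "chat-prod", "status": 500, "duration_ms": 120}
{"ts": "2025-09-01T10:00:09Z", "deployment": "embed-prod", "status": 200, "duration_ms": 55}
{"ts": "2025-09-01T10:00:10Z", "deployment": "chat-prod", "status": 200, "duration_ms": 380}
{"ts": "2025-09-01T10:00:11Z", "deployment": "embed-prod", "status": 200, "duration_ms": 70}
{"ts": "2025-09-01T10:00:12Z", "deployment": "chat-prod", "status": 200, "duration_ms": 410}
"""

# SLO thresholds: constructed values an operator would tune per workload.
SLO = {"p95_latency_ms": 1000, "error_rate_5xx": 0.05, "throttle_rate_429": 0.10, "timeouts": 0}
TIMEOUT_MS = 2000  # requests slower than this count as timeouts


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile (the definition most dashboards use)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def compute_slis(log_text: str) -> dict[str, dict[str, float]]:
    """Aggregate per-deployment SLIs from JSON-lines request records."""
    by_dep: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            by_dep[rec["deployment"]].append(rec)
    slis = {}
    for dep, recs in by_dep.items():
        n = len(recs)
        slis[dep] = {
            "requests": n,
            "p95_latency_ms": percentile([r["duration_ms"] for r in recs], 95),
            "error_rate_5xx": sum(500 <= r["status"] < 600 for r in recs) / n,
            "throttle_rate_429": sum(r["status"] == 429 for r in recs) / n,
            "timeouts": sum(r["duration_ms"] >= TIMEOUT_MS for r in recs),
        }
    return slis


def breaches(slis: dict[str, dict[str, float]], slo: dict[str, float] = SLO) -> dict[str, list[str]]:
    """List, per deployment, the SLIs that exceed their SLO threshold."""
    return {dep: [k for k, limit in slo.items() if vals[k] > limit] for dep, vals in slis.items()}


if __name__ == "__main__":
    for dep, broken in breaches(compute_slis(SAMPLE_LOG)).items():
        print(dep, "OK" if not broken else "ALERT: " + ", ".join(broken))
```

On the constructed data, chat-prod trips every threshold (one slow request drags p95 to 2500 ms on only eight samples, one 500 and one 429 each push a 12.5% rate) while embed-prod is clean. That sensitivity at low volume is the argument for evaluating SLIs over a sliding window of adequate size rather than per minute, and for treating 429s as a capacity signal separate from errors.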

Governing Regulatory Compliance for AI

Regulatory compliance isn’t bureaucracy: it defines what’s acceptable, reduces legal risk, and builds trust. It requires a continuous, automated, and demonstrable process. Here’s what to put into practice:

  • Automate assessments and management.
    Use Microsoft Purview Compliance Manager to centralize assessments and tracking, assign remediation actions, and maintain evidence. In Azure Policy, apply the Regulatory Compliance initiatives relevant to your sector to enforce controls and continuously monitor for deviations.

  • Build frameworks specific to your industry/country.
    Rules differ by industry and geography: create targeted checklists and control mappings (privacy, security, transparency, human oversight). Adopt standards such as ISO/IEC 23053:2022 to audit policies applied to machine learning workloads, and define a cadence for periodic reviews.

  • Make compliance auditable by design.
    Define responsibilities (RACI), exception handling with expirations (waivers), and an evidence repository (policy assignments, change history, RBAC logs). Tie compliance KPIs to shared dashboards to demonstrate alignment and continuous improvement.

Governing AI Data

Without clear data rules, risks, costs, and inconsistent results grow. Data governance protects sensitive information and intellectual property, and underpins output quality. Here’s what to activate:

  • Centralized discovery and classification.
    Use Microsoft Purview to scan, catalog, and classify data across the organization (data lakes, databases, storage, M365). Define consistent taxonomies/labels and leverage Purview SDKs to enforce policies directly in pipelines (e.g., block ingestion of “Confidential” data into noncompliant endpoints).

  • Maintain security boundaries across AI systems.
    Indexing can decouple native source controls: require a security review before data flows into models, vector indexes, or prompts. Preserve and enforce ACLs/access metadata at the chunk level, limit exposure with Private Endpoints/VNet, and apply least privilege to indexing workflows. Accept only data that’s already classified and meets internal standards.

  • Prevent copyright violations.
    Apply filters with Azure AI Content Safety — Protected Material Detection — on generative inputs and outputs. For training/fine-tuning, use only lawful sources and appropriate licenses, maintaining provenance and evidence (contracts, terms of use) for audits and disputes.

  • Version training and grounding (RAG) data.
    Treat datasets like code: snapshots, immutable versions, changelogs, and rollback. Align each model/endpoint version with the corresponding data version (documents, embeddings, filtering policies) to ensure consistency across environments and over time.
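Preserving ACLs at the chunk level only helps if the retriever enforces them on every query. This added example (not from the article, and not Azure AI Search or Purview code) shows that check for a RAG retriever: each indexed chunk carries the sensitivity label and the allowed groups of its source document, and retrieval drops anything the caller may not see, anything above the label the serving endpoint is allowed to handle, and anything that was never classified. The index, the labels, the group names and the keyword-overlap scoring are constructed for the demonstration; a real system would use vector search and labels from Purview.

```python
"""Enforcing chunk-level ACLs and classification labels at RAG retrieval time.

Added example, not code from the article, Azure AI Search or Purview: the
index, labels, groups and the scoring function are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}


@dataclass(frozen=True)
class Chunk:
    id: str
    text: str
    label: str | None      # sensitivity label copied from the source document
    acl: frozenset[str]    # groups allowed to read the source document


# Constructed index of chunks with their inherited access metadata.
INDEX = [
    Chunk("c1", "API key rotation policy: rotate keys every 90 days", "Internal", frozenset({"eng", "ops"})),
    Chunk("c2", "Customer contract pricing and renewal schedule", "Confidential", frozenset({"eng"})),
    Chunk("c3", "Ops runbook: key vault access and rotation of certificates", "Internal", frozenset({"ops"})),
    Chunk("c4", "Public docs: how to create API keys", "Public", frozenset({"everyone"})),
    Chunk("c5", "Unclassified note about key rotation", None, frozenset({"eng"})),
]


def tokens(text: str) -> set[str]:
    """Crude keyword tokenizer standing in for an embedding model."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def retrieve(query: str, user_groups: frozenset[str], endpoint_max_label: str, index=INDEX, k: int = 3):
    """Return (ordered ids of chunks the caller may see, audit trail of exclusions)."""
    q = tokens(query)
    allowed, audit = [], []
    max_rank = LABEL_RANK[endpoint_max_label]
    for chunk in index:
        if chunk.label is None:
            audit.append((chunk.id, "unclassified"))          # accept only classified data
        elif LABEL_RANK[chunk.label] > max_rank:
            audit.append((chunk.id, "label_above_endpoint"))  # e.g. Confidential into an Internal assistant
        elif not (chunk.acl & user_groups):
            audit.append((chunk.id, "acl_denied"))            # caller is in none of the permitted groups
        else:
            allowed.append((len(q & tokens(chunk.text)), chunk.id))
    allowed.sort(key=lambda s: (-s[0], s[1]))  # best match first, ids break ties
    return [cid for score, cid in allowed[:k] if score > 0], audit


def demo():
    """An engineer asking an Internal-only assistant about key rotation."""
    return retrieve("rotation policy for api keys", frozenset({"eng", "everyone"}), "Internal")


if __name__ == "__main__":
    results, audit = demo()
    print("returned:", results)
    for chunk_id, reason in audit:
        print("excluded:", chunk_id, reason)
```

The audit trail is the part to keep: when a user reports that the assistant "cannot find" a document, the reason for the exclusion (ACL, label, or missing classification) is already recorded, and the security filter runs before ranking, so a high-scoring but forbidden chunk can never leak through the top-k cut.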

Conclusions

AI creates value when delivery speed is channeled within clear, measurable rules. Governance here doesn’t mean braking; it means scaling what works, knowing why it works, and proving it at every audit, incident, or business decision. The path is pragmatic: define a minimal, uniform baseline (identity, networking, policy, logging), measure outcomes with a small set of shared indicators, automate as much as possible, and evolve controls at the same cadence as models and data. You don’t need perfection on the first try: you need short cycles, explicit accountability, and infrastructure as code to quickly replicate choices that prove effective. In this context, Azure’s PaaS platforms become reliable accelerators because they operate within predictable boundaries: rapid experimentation, yes—but with guardrails, observability, and continuity plans already built in. The result is innovation that stays aligned with the business, reduces risk and reliance on chance, and turns AI into a repeatable, sustainable enterprise asset.

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 35 and 36)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft to Tighten Cloud Security with Mandatory MFA for Azure Resource Management

Microsoft has announced that Multi-Factor Authentication (MFA) will be enforced for all Azure resource management actions starting October 1, 2025. The enforcement will apply to sign-ins via Azure CLI, PowerShell, SDKs, REST APIs, Infrastructure as Code tools, and the Azure mobile app, as part of the Secure Future Initiative (SFI). SFI focuses on Secure by Design, Secure by Default, and Secure in Operations across engineering pillars such as identity protection, network security, threat detection, and rapid vulnerability remediation. To prepare, administrators are advised to upgrade to Azure CLI v2.76+ and PowerShell v14.3+, migrate automation from user identities to workload identities, use Azure Policy in audit/enforcement mode to assess impact, and monitor MFA registration with built-in reports or scripts. Enforcement will roll out gradually across all tenants, with global administrators able to defer until July 1, 2026. Microsoft’s research indicates that accounts with MFA enabled are 99.99% resistant to hacking attempts, and that MFA reduces unauthorized access risk by 98.56% even when credentials are compromised.

Compute

Upgrade Existing Azure Gen1 VMs to Gen2 Trusted Launch

Microsoft has made generally available the ability to enable Trusted Launch on existing Azure Generation 1 virtual machines by upgrading them to Generation 2 with Trusted Launch. This capability strengthens foundational compute security by enabling Secure Boot and virtual TPM (vTPM), and by measuring the VM’s boot chain for attestation. By helping defend against bootkits and rootkits, the upgrade enhances the security posture of existing workloads without requiring full redeployment.

Retirement of Confidential VM SKUs DCesv5, DCedsv5, ECesv5, ECedsv5

Microsoft is retiring the Confidential VM SKUs DCesv5, DCedsv5, ECesv5, and ECedsv5, with the DCesv6 and ECesv6 sizes designated as their successors. The next-generation sizes—currently in public preview—introduce enhancements such as integration with OpenHCL and will be the primary focus going forward. As part of the transition, all new and existing deployments of the retiring series will be stopped by September 12, 2025. After that date, no new VMs can be created, and any VM from these series that is rebooted will no longer be available. Customers are encouraged to plan migrations to the v6 series to maintain continuity and benefit from the latest confidential computing capabilities.

Networking

Multiple Address Prefixes for Subnets in Azure Virtual Networks

Support for multiple address prefixes per subnet in Azure Virtual Networks is now generally available. Previously, a subnet could hold only a single prefix, which complicated scale-out when the address space was exhausted. The new capability allows additional prefixes to be added directly to a subnet, expanding available address space without emptying or resizing the subnet. This enables dynamic subnet growth with minimal disruption and more efficient use of address space, while preserving headroom for future expansion.

Retirement of Azure CDN in Azure China—migrate to Azure Front Door by December 1, 2025

Azure CDN operated by 21Vianet in Azure China will be retired on December 1, 2025. Because Azure CDN relies on local provider POPs via API integrations and lacks deep, native Azure integration, Microsoft is directing customers to Azure Front Door as the native, more integrated alternative with built-in security features such as WAF and Private Link to origins. Customers should complete migration and validation and delete Azure CDN resources by November 15, 2025. If migration is not completed by that date, the Azure Front Door team will attempt to migrate eligible CDN profiles. Profiles that are disabled, have had no active traffic in the prior three months, or are otherwise incompatible will not be migrated and will experience service disruption starting December 1, 2025. In such cases, customers should migrate to Azure Front Door or another CDN solution before November 15, 2025.

Azure Front Door Standard and Premium now available in Azure China

Azure Front Door Standard and Premium are now generally available in the Azure China regions (China North 3 and China East 3), operated by 21Vianet. With this release, customers can deliver secure, reliable, high-performance applications using a natively integrated platform that provides global load balancing with instant failover, edge caching and protocol optimizations for acceleration, and enterprise-grade security including WAF, DDoS protection, and TLS/SSL offload. The service supports local compliance requirements such as ICP filing for custom domains and offers end-to-end observability through Azure Monitor metrics, logs, and analytics, enabling reduced latency, improved resilience, and a consistent operational experience across global and China regions.

CNI Overlay for Application Gateway for Containers and AGIC

Azure CNI Overlay support with Application Gateway for Containers and the Application Gateway Ingress Controller (AGIC) is now generally available. With CNI Overlay, AKS clusters can assign pod IPs from a separate CIDR, conserving VNet IP space and simplifying multi-cluster deployments. When paired with Application Gateway and Application Gateway for Containers, this approach provides secure, efficient load balancing to designated services inside the cluster’s private overlay network while reducing external exposure. Network configuration (CNI Overlay or traditional CNI) is detected automatically by the platform, eliminating additional setup and streamlining deployment.

Custom block response code and body for Application Gateway WAF (preview)

Azure Web Application Firewall (WAF) integrated with Application Gateway now supports customizable response status codes and bodies for blocked requests in public preview. By default, WAF returns HTTP 403 with “The request is blocked” when a rule is triggered; with this preview, administrators can define a custom status code and message at the policy level so that all blocked requests receive a consistent, tailored response. This enhancement aligns Application Gateway WAF with the customization already available on WAF with Azure Front Door, giving teams greater flexibility and control over client-facing behavior during enforcement.

Storage

Azure NetApp Files short-term clones (preview)

Azure NetApp Files short-term clones are available in public preview, enabling space-efficient, instant read/write access by creating temporary thin clones from existing volume snapshots rather than full data copies. Suitable for development, analytics, disaster recovery scenarios, and testing of large datasets, these clones can be refreshed quickly from the latest snapshots and remain temporary for up to one month, consuming capacity only for incremental changes. The capability accelerates workflows, improves quality and resilience, and lowers costs by avoiding full-copy storage and reducing operational overhead, and is available in all Azure NetApp Files supported regions.

Entra ID and RBAC support for supplemental Azure Storage APIs

Support for Entra ID (OAuth 2.0) and Azure RBAC is now generally available for the following Azure Storage operations: Get Account Information, Get/Set Container ACL, Get/Set Queue ACL, and Get/Set Table ACL. With this change, REST responses for unauthorized access have been aligned with other OAuth-enabled Storage APIs: calls made with OAuth that lack required permissions now return 403 (Forbidden) instead of the previous 404, while anonymous requests for a bearer challenge return 401 (Unauthorized). For example, GetAccountInformation requires the RBAC action Microsoft.Storage/storageAccounts/blobServices/getInfo/action. Applications that depend on the old 404 behavior should be updated to handle both 403 and 404 responses, as SDKs will not automatically adjust this behavior.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – August 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Retirement of Microsoft Defender for Cloud in Microsoft Azure operated by 21Vianet

Microsoft has announced the retirement of Microsoft Defender for Cloud in the Microsoft Azure environment operated by 21Vianet (Azure in China) due to increasing infrastructure and operational complexity, which no longer allows the expected levels of stability and effectiveness to be ensured. All related features and services will be discontinued and removed on August 18, 2026; after that date, the Defender for Cloud portal and any associated services or features in that environment will no longer be accessible. To manage the transition effectively, customers are encouraged to work with their Azure (operated by 21Vianet) account representatives to assess operational impact and plan the necessary actions; further details are available in the official documentation.

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Defender for Storage: Optional index tags for malware scan results. Defender for Storage introduces optional index tags to record the outcomes of malware scans, both on-upload and on-demand. With this capability, users can choose whether to publish results to Blob index tags (the default setting) or not use them. Enabling or disabling can be done at the subscription and storage account levels, via the Azure portal or APIs, simplifying metadata governance and integration with triage and auditing processes.
  • Defender for Storage available in Azure Government. The service helps U.S. federal and government agencies secure their storage accounts, offering in Azure Government the same functional coverage as the commercial cloud. This lets security teams adopt uniform controls aligned with public-sector compliance requirements.
  • Defender CSPM and Defender for Servers Plan 2 available in Azure Government. Microsoft has made both Defender Cloud Security Posture Management (CSPM) and Defender for Servers Plan 2 available in Azure Government. This enables the Department of Defense (DoD) and civilian agencies to manage cloud security posture, strengthen compliance, and benefit from advanced capabilities for server workloads. Feature coverage is aligned with the commercial cloud, facilitating consistent standards and procedures across hybrid and multicloud environments.
  • AKS Security Dashboard. Within the Azure portal, the AKS Security Dashboard provides a centralized view of security posture and runtime protection for AKS clusters. The dashboard highlights software vulnerabilities, compliance gaps, and active threats, helping teams prioritize remediations. It also enables real-time monitoring of workload protection, cluster configuration, and threat-detection signals, improving the continuous prevent–detect–respond cycle.
  • Aggregated storage logs in Microsoft Defender XDR Advanced Hunting (preview). The CloudStorageAggregatedEvents table is available in preview within the Advanced Hunting experience in Microsoft Defender XDR. The table brings aggregated storage activity logs from Defender for Cloud—covering operations, authentication details, access sources, and success/error counts—into a single queryable schema, reducing noise, improving query performance, and providing a high-level view of access patterns. These logs are included at no additional cost in the new Defender for Storage plan for storage accounts, enabling more effective investigations and detections.

Governance and policy management

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns, and helps optimize costs. This article reports some of the latest improvements and updates to this solution.

Monitoring

Azure Monitor

Azure Monitor: Tenant-level Service Health alerts (preview)

Microsoft is introducing tenant-level Service Health alerts in Azure Monitor (preview), a capability that delivers proactive notifications about service health issues that affect the entire tenant—not just individual subscriptions. Alert rules can be created with directory (tenant) scope directly from the Service Health page or via the alert-creation wizard in the Azure portal. This extension provides broader visibility and accelerates response to incidents involving tenant-scoped services; for full coverage, Microsoft recommends configuring both subscription-level and tenant-level Service Health alerts.

Log Analytics: Search Job now supports up to 100 million results

Search Job in Log Analytics enables asynchronous queries across all workspace data—including long-term retention—and can land the results in new Analytics tables for downstream analysis. The maximum size per result set has been increased from 1 million to 100 million records, enabling analysis of much larger datasets without splitting queries. This capability remains central for large-scale analytics, rapid investigations, and advanced log processing, delivering a more complete and accurate view of operational data.

Conclusions

This month strongly reaffirms the shift toward a centralized, proactive, AI-powered management model: from extending security posture across hybrid and multicloud scenarios with Defender for Cloud, to operational updates like the AKS Security Dashboard and aggregated storage logs in Advanced Hunting, through to tenant-level Service Health alerts in Azure Monitor. I urge architects and IT leaders to translate these updates into concrete actions now: plan the transition ahead of already announced deadlines (e.g., the retirement of Defender for Cloud in Azure operated by 21Vianet) and enable the new controls across your tenants and workspaces (AKS Security Dashboard, directory-scoped Service Health alerts). As always, the official documentation remains the authoritative source for details and prerequisites; in upcoming installments we will continue to follow the evolution of AI-powered management with practical guidance and field-tested best practices.
