Category archives: Azure Hybrid & Migration – 2026-2027

Azure Hybrid Management & Security: What’s New and Insights from the Field – April 2026

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Secure automation of Azure Arc server onboarding at scale with Ansible

Microsoft has introduced a new Azure Arc onboarding role designed specifically for automation scenarios, such as those based on Ansible playbooks, with the goal of making it easier and more secure to connect servers to Azure Arc. This new approach follows the principle of least privilege, granting automation identities only the permissions required to perform onboarding, without relying on overly permissive service principals. This update addresses a common need in hybrid and multicloud environments, where large-scale onboarding is often hindered by manual steps, lack of standardization, and security-related risks. By integrating the new role into existing Ansible workflows, organizations can automate the entire process in a repeatable, consistent, and scalable way, reducing operational risk and simplifying the adoption of Azure Arc across distributed datacenters and infrastructures hosted on different clouds.

Azure Arc introduces support for SQL Server on Azure Virtual Machines as a migration target (preview)

Azure Arc now introduces, in Public Preview, support for SQL Server on Azure Virtual Machines as a destination for migration paths. With this enhancement, Azure Arc-enabled SQL Server instances can be migrated not only to Azure SQL Managed Instance, but also to SQL Server running on Azure infrastructure, using the same unified migration workflow. This extension provides greater flexibility for organizations planning SQL Server modernization initiatives, allowing them to choose the most suitable Azure destination based on application requirements, existing operating models, and compatibility needs. For many enterprise organizations, this capability represents a gradual approach to modernization, combining the benefits of cloud infrastructure with the operational and functional continuity required by applications that still heavily depend on traditional SQL Server.

Run the latest version of the Azure Arc agent with Automatic Agent Upgrade (preview)

Microsoft has introduced new ways to enable Automatic Agent Upgrade for the Azure Arc agent at scale, with the goal of simplifying the management of distributed environments consisting of large numbers of servers. In hybrid and multicloud scenarios, manually configuring each server individually is not sustainable and can lead to operational inconsistencies, delays in adopting new features, and reduced timeliness in applying security updates. To address this need, Microsoft has made available a built-in Azure Policy that can verify whether automatic agent upgrade is enabled within a specific scope and, where necessary, automatically remediate non-compliant configurations. In addition, for newly registered servers, this capability can now be enabled during onboarding by using the --enable-automatic-upgrade parameter in the azcmagent connect command. Currently available in Public Preview, this feature enables the Azure Connected Machine agent to be kept automatically up to date without manual intervention, with Microsoft handling the rollout of updates. This allows organizations to benefit more quickly from new features, bug fixes, and security updates, strengthening the consistency and operational resilience of the infrastructure managed through Azure Arc.
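To make the audit-and-remediate flow above concrete, here is an added example (my own code, not Microsoft's policy definition or tooling) that evaluates a constructed list of Azure Arc-enabled machine records the way the built-in policy does, produces the remediation body for the non-compliant ones, and assembles the onboarding command for a new server with the parameter mentioned above. The ARM property path properties.agentUpgrade.enableAutomaticUpgrade is an assumption to verify against the Connected Machine REST reference; the machine records are constructed samples.

```python
"""
Added example, not from the post and not Microsoft's own tooling: an offline
check that mirrors what the built-in Azure Policy described above evaluates,
namely whether each Azure Arc-enabled server (Microsoft.HybridCompute/machines)
has automatic agent upgrade turned on, plus the remediation body and the
onboarding command for new servers.

Assumptions (labelled): the ARM property path
properties.agentUpgrade.enableAutomaticUpgrade is taken to carry this setting;
the machine records below are constructed, not real resources.
"""
import shlex
from typing import Any

# Constructed sample records in the shape of an ARM machine listing.
SAMPLE_MACHINES = [
    {"name": "web01", "location": "westeurope",
     "properties": {"agentVersion": "1.45.02",
                    "agentUpgrade": {"enableAutomaticUpgrade": True}}},
    {"name": "db02", "location": "westeurope",
     "properties": {"agentVersion": "1.39.01",
                    "agentUpgrade": {"enableAutomaticUpgrade": False}}},
    {"name": "legacy03", "location": "northeurope",
     "properties": {"agentVersion": "1.31.00"}},   # setting absent: treated as not enabled
]


def is_auto_upgrade_enabled(machine: dict[str, Any]) -> bool:
    """Policy existence condition: the flag must be present and literally true."""
    upgrade = machine.get("properties", {}).get("agentUpgrade") or {}
    return upgrade.get("enableAutomaticUpgrade") is True


def audit(machines: list[dict[str, Any]]) -> list[str]:
    """Audit effect: names of machines that would show as non-compliant."""
    return [m["name"] for m in machines if not is_auto_upgrade_enabled(m)]


def remediation_body() -> dict[str, Any]:
    """PATCH body a remediation task would apply to a non-compliant machine
    (same assumed property path as above)."""
    return {"properties": {"agentUpgrade": {"enableAutomaticUpgrade": True}}}


def compliance_report(machines: list[dict[str, Any]]) -> dict[str, Any]:
    """Summary in the shape of a policy compliance view: totals plus the offenders."""
    non_compliant = set(audit(machines))
    return {
        "total": len(machines),
        "compliant": len(machines) - len(non_compliant),
        "nonCompliant": sorted(non_compliant),
    }


def onboarding_command(resource_group: str, subscription_id: str, tenant_id: str,
                       location: str, cloud: str = "AzureCloud") -> str:
    """azcmagent connect invocation for a new server, with the flag from the post.
    --resource-group, --subscription-id, --tenant-id, --location and --cloud are
    standard azcmagent connect parameters; credentials are deliberately left to
    the agent's own interactive/device-code login rather than embedded here."""
    for value in (resource_group, subscription_id, tenant_id, location):
        if not value or any(c.isspace() for c in value):
            raise ValueError("onboarding parameters must be non-empty and contain no whitespace")
    return shlex.join([
        "azcmagent", "connect",
        "--resource-group", resource_group,
        "--subscription-id", subscription_id,
        "--tenant-id", tenant_id,
        "--location", location,
        "--cloud", cloud,
        "--enable-automatic-upgrade",
    ])


if __name__ == "__main__":
    print(compliance_report(SAMPLE_MACHINES))
    for name in audit(SAMPLE_MACHINES):
        print(f"remediate {name}: {remediation_body()}")
    # Placeholder IDs, not real subscription or tenant values.
    print(onboarding_command("rg-arc", "00000000-0000-0000-0000-000000000000",
                             "11111111-1111-1111-1111-111111111111", "westeurope"))
```

The check treats a missing agentUpgrade property the same as an explicit false, which is the behaviour you want from an audit: a server that predates the setting must surface as non-compliant rather than silently passing.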

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Anti-malware detection and blocking for containers

Microsoft has announced the availability of anti-malware detection and blocking capabilities for the container runtime in Microsoft Defender for Containers. The capability is now available for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE) environments, strengthening the protection of containerized workloads also in hybrid and multicloud scenarios. This capability makes it possible to detect and block malware when a container attempts to execute a file identified as malicious. The inspection therefore takes place while the workload is running, providing an additional layer of defense compared to earlier stages of the application lifecycle, such as build, image scanning, and deployment. A key element is the ability to define custom anti-malware policies by configuring specific conditions for alert generation and blocking actions. This allows security teams to distinguish more accurately between legitimate activities and potentially dangerous behaviors, reducing operational noise and improving incident response effectiveness. For organizations managing Kubernetes clusters distributed across multiple clouds, this capability represents another step toward a more consistent, centralized, and scalable runtime protection model.

DNS Detection for Kubernetes

DNS Detection for Kubernetes is now generally available in Microsoft Defender for Containers for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE) environments. This update strengthens runtime threat detection capabilities, with a specific focus on DNS traffic generated by pods and applications running in Kubernetes clusters. DNS Detection monitors DNS queries originating from containerized workloads to identify suspicious activities, such as communications with malicious domains or potential DNS tunneling techniques. Attackers can use the latter to exfiltrate data or maintain hidden communication channels by abusing the DNS protocol. To use this capability, the Defender sensor must be deployed through Helm. Once enabled, DNS Detection provides security and cloud operations teams with greater visibility into the network behavior of Kubernetes workloads, helping them identify potential indicators of compromise at an early stage. In hybrid and multicloud scenarios, the consistent availability of this capability across different platforms helps build a more uniform, governable, and integrated security posture.
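To illustrate what "suspicious DNS activity" looks like at the level of pod queries, here is an added example (my own code, not the Defender sensor's detection logic) that applies three common tunneling heuristics to a constructed DNS query log: a long, high-entropy leftmost label, an unusual number of distinct subdomains under one base domain from a single pod, and a pod whose queries are mostly TXT or NULL records. The log format (timestamp pod=<name> qname=<fqdn> qtype=<type>), the lines and the thresholds are all assumptions for illustration.

```python
"""
Added example, not from the post and not Defender for Containers' own logic:
three heuristics of the kind a DNS detection applies to pod-level query logs to
surface possible DNS tunneling or data exfiltration. The log format
(timestamp pod=<name> qname=<fqdn> qtype=<type>) and the lines themselves are
constructed; thresholds are hand-picked and would be tuned per environment.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pod=(?P<pod>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

# Thresholds (assumed values for illustration).
MIN_LABEL_LEN = 24            # long leftmost label ...
MIN_LABEL_ENTROPY = 4.0       # ... that also looks encoded (bits per character)
MIN_DISTINCT_SUBDOMAINS = 20  # many unique names under one base domain from one pod
SUSPICIOUS_QTYPES = {"TXT", "NULL"}
MIN_QUERIES_FOR_RATIO = 10
MAX_SUSPICIOUS_RATIO = 0.5

# Constructed sample: ordinary lookups from one pod, and a pod that pushes
# encoded chunks as subdomains of example.net (a reserved name) in TXT queries.
SAMPLE_LOG = [
    "2026-04-02T10:00:01Z pod=frontend-7d9 qname=api.example.org qtype=A",
    "2026-04-02T10:00:02Z pod=frontend-7d9 qname=cdn.example.org qtype=AAAA",
    "2026-04-02T10:00:03Z pod=frontend-7d9 qname=api.example.org qtype=A",
    "2026-04-02T10:00:04Z pod=worker-5c1 "
    "qname=abcdefghijklmnopqrstuvwxyz012345.t.example.net qtype=TXT",
] + [
    f"2026-04-02T10:01:{i:02d}Z pod=worker-5c1 qname={i:032x}.t.example.net qtype=TXT"
    for i in range(25)
]


def shannon_entropy(text: str) -> float:
    """Bits per character; 32 distinct characters give exactly 5.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels; a real detector would consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(lines):
    """Yield dicts for well-formed lines; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines) -> list[tuple[str, str, str]]:
    """Return a sorted list of (rule, pod, base_domain) findings, one per pod/domain."""
    findings = set()
    names_seen = defaultdict(set)                # (pod, base) -> distinct qnames
    qtype_counts = defaultdict(lambda: [0, 0])   # pod -> [total, suspicious]
    for rec in parse(lines):
        base = base_domain(rec["qname"])
        leftmost = rec["qname"].split(".")[0]
        if len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) >= MIN_LABEL_ENTROPY:
            findings.add(("high_entropy_label", rec["pod"], base))
        names_seen[(rec["pod"], base)].add(rec["qname"])
        stats = qtype_counts[rec["pod"]]
        stats[0] += 1
        if rec["qtype"] in SUSPICIOUS_QTYPES:
            stats[1] += 1
    for (pod, base), names in names_seen.items():
        if len(names) >= MIN_DISTINCT_SUBDOMAINS:
            findings.add(("subdomain_burst", pod, base))
    for pod, (total, suspicious) in qtype_counts.items():
        if total >= MIN_QUERIES_FOR_RATIO and suspicious / total >= MAX_SUSPICIOUS_RATIO:
            findings.add(("txt_null_ratio", pod, "*"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pod, base in detect(SAMPLE_LOG):
        print(f"{rule:20s} pod={pod} domain={base}")
```

Note that the sequence-numbered labels in the sample are low-entropy and would slip past the entropy rule alone; they are caught by the distinct-subdomain count, which is why a detection of this kind combines several signals rather than relying on one.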

Defender for Storage integration in the Azure portal Storage Center

Microsoft has made generally available the integration of Microsoft Defender for Storage within the Storage Center in the Azure portal. This integration brings security information directly into the native storage management experience, simplifying the analysis of the protection posture and the identification of areas for improvement. With this update, customers can view the protection status provided by Defender for Storage directly alongside their resources. The Storage Center therefore becomes a centralized and contextual point of observation, useful not only for the operational management of storage accounts but also for assessing their exposure to risk. The new experience makes it possible to quickly identify which storage accounts are protected, partially protected, or unprotected. It also allows customers to verify whether capabilities such as malware scanning, activity monitoring, and sensitive data discovery are enabled, providing a clearer view of active coverage and potential gaps. This integration is particularly useful in enterprise environments, where services such as Azure Blob Storage and Azure Files may be distributed across multiple subscriptions, business units, and workloads. The goal is to make storage security more accessible to operational teams by embedding it into day-to-day management processes and promoting a more proactive approach to data protection.

Container security capabilities in Azure Government cloud

Microsoft has announced the general availability of container security capabilities in Azure Government cloud. This development enables U.S. federal and government agencies, including Department of Defense (DoD) organizations and civilian agencies, to protect Kubernetes workloads through advanced Cloud Security Posture Management (CSPM), vulnerability assessment, and runtime threat protection capabilities.

Defender for SQL Server on machines plan update for Fairfax customers

Microsoft has announced an update to the Defender for SQL Server on machines plan in Microsoft Defender for Cloud for Fairfax customers. The plan protects SQL Server instances hosted on Azure machines, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments, offering a consistent protection model for hybrid and multicloud scenarios. The new solution uses the existing SQL infrastructure and no longer requires the deployment of the Azure Monitor Agent (AMA). This change reduces operational complexity and makes adoption of the plan easier, especially in distributed environments where agent management can represent a critical factor. Starting from an estimated date in May 2026, customers will also need to verify the protection status of SQL Server instances across the different environments to ensure that the new configuration has been applied correctly and that the instances are effectively protected. This update confirms Microsoft’s direction toward protection models that are easier to deploy and maintain, reducing dependency on additional components and improving centralized visibility into the security status of SQL Server instances, regardless of their infrastructure location.

Governance and policy management

Azure Policy

New “Local” Management Group for Azure Landing Zone and Sovereign Landing Zone

Microsoft has introduced a new dedicated Management Group, named “Local”, within the conceptual architecture of Azure Landing Zone (ALZ). This new node is positioned under the Landing Zones Management Group, alongside the existing Corp and Online Management Groups. Since the Sovereign Landing Zone (SLZ) extends and depends on the ALZ architecture, the SLZ hierarchy also automatically inherits this new Management Group in the same position. The main goal of this evolution is to provide a clear and consistent placement for scenarios related to Azure Local, both when workloads run directly on Azure Local clusters and when they are currently hosted in the Azure public cloud but need to be designed with portability requirements toward Azure Local disconnected operations (ALDO). In this way, organizations that must meet sovereignty, resilience, or business continuity requirements can define a dedicated governance perimeter from the outset, applying consistent controls, policies, and guardrails. The new “Local” Management Group therefore enables centralized application of governance and security policies to workloads that must be “exit-ready by construction”, meaning ready to be moved to a disconnected Azure Local environment should the need arise. This approach prevents portability from being managed manually or documented in external tools, instead relying on the platform to prevent incompatible configurations. To support this scenario, Microsoft has made available a new built-in Azure Policy in preview, designed to restrict resource types to only those Azure services supported in Azure Local disconnected operations mode. The policy can be used in Audit mode, to gain visibility into already deployed non-compatible resources, or in Deny mode, to prevent the deployment of services that would compromise the ability to move the workload to Azure Local in disconnected mode. 
It is important to highlight that the new “Local” Management Group is not intended as a generic container for all Azure Arc-enabled resources, such as servers connected through Azure Arc. Microsoft confirms that these resources should continue to be placed in their respective application subscriptions, following the standard Azure Landing Zone guidance, for example within Corp or Online landing zones. The “Local” Management Group should instead be interpreted as a dedicated scope for Azure Local scenarios and for workloads that require a structured exit-planning strategy toward Azure Local disconnected operations.

New sovereign policy initiatives for Sovereign Landing Zone

Microsoft has updated Sovereign Landing Zone (SLZ) by replacing the previous built-in initiatives named Sovereignty Baseline with a new set of sovereign policy initiatives, directly aligned with the three control levels defined by Microsoft’s sovereignty model. This update introduces greater consistency between the technical implementation of SLZ and the official documentation related to the controls and principles of the Sovereign Public Cloud. The new built-in initiatives are organized around three levels: Level 1, focused on data residency; Level 2, focused on encryption of data at rest and in transit; and Level 3, focused on encryption of data in use through Confidential Computing technologies. This structure allows organizations to apply more targeted controls based on data classification and the sovereignty requirements of different workloads. Previously, SLZ assigned two broader built-in initiatives: one related to global sovereignty policies, with controls for location restrictions and Trusted Launch, and one dedicated to confidential scenarios, with policies covering customer-managed keys, confidential compute, and restrictions on resource types and geographic regions. While useful as a general baseline, these initiatives were not designed to map precisely to the L1/L2/L3 model used by Microsoft to describe sovereign controls. The new approach provides several operational benefits. First, the policies assigned by SLZ become consistent with what is documented in Microsoft Learn, reducing the need for manual interpretation or mapping. In addition, each control level can be more naturally associated with data classification, allowing organizations to apply only the controls that are actually required for each scope. This simplifies governance, improves architectural readability, and makes the dialogue between cloud, security, compliance, and risk management teams more effective. A further benefit is the reduced maintenance burden. 
By using built-in initiatives managed directly by the Microsoft product group responsible for sovereignty scenarios, customers can benefit from future updates without having to maintain customized copies of the policies within their own SLZ implementation. Moreover, because these are built-in initiatives, the policies integrate natively with tools such as Azure Policy compliance reporting and Microsoft Defender for Cloud, facilitating auditing activities and the production of compliance evidence.

Deploying Ansible playbooks through Azure Policy and Machine Configuration (preview)

Microsoft has announced the private preview of a new capability that enables the deployment and execution of Ansible playbooks through Azure Policy by using Machine Configuration on Linux machines in Azure and on Azure Arc-enabled Linux servers. This update is part of the Azure Arc strategy to unify security, compliance, and management for Windows and Linux systems, regardless of whether they are located in on-premises datacenters, at the edge, or across public clouds. The new capability makes it possible to orchestrate playbook execution directly from the Azure control plane, without the need to provision a dedicated Ansible control node, while also integrating compliance reporting and automatic remediation mechanisms. In increasingly heterogeneous operating environments, many organizations use Ansible to configure operating systems and applications, but face challenges in ensuring configuration consistency, detecting drift over time, and integrating those automations into centralized governance processes. With this preview, Azure Policy becomes a single control point also for Ansible-based Linux automation, bringing these workloads into the same governance model already adopted for other environments. Playbook execution results and compliance status are made visible directly in the Azure Policy compliance dashboard, providing a unified management, security, and control experience while also preserving the value of the investments organizations have already made in the Ansible ecosystem.

Backup & Resilience

Azure Backup

Configuring AKS backup with a single command using Azure Backup

Microsoft has announced a new simplified Azure CLI-based experience that enables Azure Kubernetes Service (AKS) backup to be configured with a single command through Azure Backup. This update addresses the need to reduce the complexity of onboarding AKS clusters to data protection, a process that previously required coordination across multiple CLI domains and the execution of several separate steps, including extension installation, storage account provisioning, backup vault creation, policy definition, trusted access configuration, and backup instance initialization. With this new approach, platform teams can significantly accelerate the enablement of cluster protection, making it easier to integrate backup into automation processes and CI/CD pipelines. The initiative is part of a broader strategy aimed at making Azure Backup increasingly suitable for cloud-native scenarios, with the goal of extending a similar experience over time to other workloads supported by the service.

Azure Backup for Elastic SAN (preview)

Azure Backup introduces support for Elastic SAN in Public Preview, offering a fully managed solution for backing up and restoring Elastic SAN volumes. This new capability makes it possible to protect data from critical scenarios such as accidental deletion, ransomware incidents, or failed application updates by exporting Elastic SAN volumes to independent, incremental snapshots based on Managed Disks. The snapshots are stored in Locally Redundant Storage (LRS) and remain separate from the lifecycle of the original Elastic SAN volume, increasing the level of operational resilience. In this preview phase, the solution supports up to 450 recovery points with a backup frequency of every 24 hours, is available only in selected Azure regions, and supports volumes of up to 4 TiB. Microsoft also clarifies that, during the preview, long-term backups in vaults and hourly backup frequencies are not yet supported. Although no Azure Backup Protected Instance charges are applied during this preview phase, the standard costs associated with incremental Managed Disk snapshots still apply.

Azure Site Recovery

Azure Site Recovery supports Azure Windows VMs with NVMe disk controllers (preview)

Azure Site Recovery extends support for replication and disaster recovery of Azure Windows virtual machines running on second-generation VM families enabled for NVMe, currently in Public Preview. Supported scenarios include Azure-to-Azure protection for series such as Da/Ea/Fa v6 and Ebsv5/Ebdsv5, which allow high-performance and I/O-intensive workloads to run using the NVMe disk controller. This update significantly expands the service coverage for performance-sensitive virtual machines, offering new resiliency opportunities for critical applications and advanced enterprise scenarios. The capability is available in all Azure public cloud regions, within the churn limits supported by Azure Site Recovery.

Monitoring

Azure Monitor

Monitoring AKS applications with OpenTelemetry and Azure Monitor (preview)

Azure Monitor introduces, in Public Preview, support for monitoring applications running on Azure Kubernetes Service (AKS) by using OpenTelemetry for instrumentation and data collection. Customers can choose an auto-instrumentation approach by deploying the Azure Monitor OpenTelemetry distribution directly on their workloads, or adopt an auto-configuration mode to route OpenTelemetry Protocol (OTLP) signals from applications already instrumented with open-source, vendor-neutral SDKs to Azure Monitor. This evolution simplifies the implementation of observability in AKS environments while strengthening alignment with open standards in the cloud-native ecosystem, promoting greater interoperability and more consistent management of application telemetry.

Azure Monitor for Azure Arc-enabled Kubernetes environments based on OpenShift and Azure Red Hat OpenShift

Azure Monitor extends its availability, in General Availability, to Azure Arc-enabled Kubernetes environments based on OpenShift and Azure Red Hat OpenShift through Container Insights and Managed Prometheus. This evolution enables organizations to obtain a comprehensive monitoring experience for Kubernetes infrastructure layers and the applications running on them, strengthening observability capabilities in hybrid and cloud-native scenarios. Thanks to this integration, IT teams can collect, analyze, and visualize operational telemetry from OpenShift environments, improving troubleshooting, performance management, and health monitoring for distributed workloads. This is an important step toward an increasingly centralized management model, where Azure Monitor becomes the reference point also for Kubernetes platforms running outside the traditional Azure perimeter.

Azure Monitor pipeline

Azure Monitor pipeline is now generally available and introduces an advanced layer of control over telemetry collection, transformation, and resilience before data reaches Azure Monitor. This capability allows logs to be routed directly to Azure-native schemas through automatic schema mapping into tables such as Syslog and CommonSecurityLog. A particularly relevant element is the ability to reduce the risk of data loss in the presence of intermittent connectivity through local buffering on persistent storage and subsequent automatic backfill. Azure Monitor pipeline also enables organizations to optimize ingestion costs by applying centralized filtering, aggregation, and transformation logic before data is sent to the cloud. The solution is designed to support high and continuous telemetry volumes through a scalable architecture, and also includes capabilities for secure ingestion through Transport Layer Security (TLS) and mutual TLS (mTLS), automatic certificate provisioning, visibility into the health of the ingestion infrastructure, and sizing tools for large-scale planning.
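The "automatic schema mapping" mentioned above is, in essence, a parse-and-rename step applied to each record before it is written to a table. As an added example (my own code, not the pipeline's implementation), the parser below takes constructed CEF-over-syslog lines and maps them onto column names in the style of CommonSecurityLog. The CEF header and extension grammar, including backslash escapes for pipes and equals signs, follows the CEF specification; the extension-key-to-column mapping is the documented CEF-to-CommonSecurityLog mapping as I know it and should be treated as an assumption to verify against Microsoft's reference.

```python
"""
Added example, not part of the original post and not Azure Monitor pipeline's
own code: a parser that takes CEF-over-syslog lines (constructed samples below)
and maps them onto CommonSecurityLog-style column names, i.e. the kind of schema
mapping the pipeline performs before ingestion. The CEF grammar is from the CEF
specification; the key-to-column mapping is an assumption to verify.
"""
import re
from typing import Any

# Constructed sample lines (RFC 3164 prefix + CEF payload); not real traffic.
SAMPLE_LINES = [
    "<134>Apr  2 10:15:22 fw01 CEF:0|Example Corp|ExampleFW|3.1|100|Connection blocked|6|"
    "src=10.1.2.3 spt=51234 dst=203.0.113.7 dpt=443 proto=TCP act=deny "
    "msg=Policy rule 42 matched \\= outbound cs1=rule42",
    "<134>Apr  2 10:15:23 fw01 CEF:0|Example\\|Corp|ExampleFW|3.1|101|Login|3|"
    "suser=alice shost=wks-07 dhost=vpn01 act=allow",
]

# CEF extension key -> CommonSecurityLog column (assumed mapping, see docstring).
EXTENSION_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP",
    "spt": "SourcePort", "dpt": "DestinationPort",
    "shost": "SourceHostName", "dhost": "DestinationHostName",
    "suser": "SourceUserName", "duser": "DestinationUserName",
    "proto": "Protocol", "app": "ApplicationProtocol",
    "act": "DeviceAction", "msg": "Message", "dvc": "DeviceAddress",
}
INTEGER_COLUMNS = {"SourcePort", "DestinationPort"}
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]

# key=value pairs; a value runs until the next " key=" token and may contain
# backslash-escaped characters (so an escaped '=' does not start a new key).
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(payload: str) -> tuple[list[str], str]:
    """Split the 7 pipe-delimited CEF header fields, honouring backslash escapes.
    Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) == 6 and buf:          # severity without trailing pipe, no extension
        fields.append("".join(buf))
        buf = []
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, payload[i:]


def to_common_security_log(line: str) -> dict[str, Any]:
    """Map one syslog line carrying a CEF payload to a CommonSecurityLog-style record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext_text = _split_header(line[start + 4:])
    if fields[0] != "0":
        raise ValueError(f"unsupported CEF version {fields[0]!r}")
    record: dict[str, Any] = dict(zip(HEADER_COLUMNS, fields[1:]))
    extras = []
    for key, raw in _EXT_RE.findall(ext_text.strip()):
        value = _unescape(raw)
        column = EXTENSION_TO_COLUMN.get(key)
        if column is None:
            extras.append(f"{key}={value}")     # unmapped keys are kept, not dropped
        elif column in INTEGER_COLUMNS:
            record[column] = int(value)
        else:
            record[column] = value
    record["AdditionalExtensions"] = ";".join(extras)
    return record


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_common_security_log(sample))
```

Two details matter for a mapping stage like this: unmapped vendor keys are retained in AdditionalExtensions rather than discarded, so no evidence is lost at the edge, and a malformed line raises rather than producing a half-filled record, which is the behaviour you want before data is buffered and backfilled.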

Native ingestion of OpenTelemetry Protocol (OTLP) signals through Azure Monitor Agent (preview)

Azure Monitor introduces, in Public Preview, support for native ingestion of OpenTelemetry Protocol (OTLP) signals through Azure Monitor Agent (AMA). This capability enables applications instrumented with OpenTelemetry to send telemetry directly to Azure Monitor, with Azure Monitor Agent receiving OTLP signals from the applications and exporting them to the monitoring platform. Microsoft supports several OTLP ingestion mechanisms, including OpenTelemetry Collector, Azure Monitor Agent, and the Azure Kubernetes Service (AKS) add-on. The approach based on Azure Monitor Agent is designed in particular for applications running on Azure Virtual Machines, Virtual Machine Scale Sets, or Azure Arc-enabled servers. This evolution helps organizations standardize observability by adopting open standards, simplifying telemetry collection across cloud, hybrid, and distributed environments, and strengthening the path toward a more uniform and proactive management model.

Conclusions

The April 2026 updates confirm the evolution of Azure as a central platform for the management, security, governance, and observability of hybrid and multicloud environments. Azure Arc continues to strengthen its role as a key element for extending Azure control to distributed servers, databases, and workloads, with increased focus on automation, security, and continuous agent updates. At the same time, Microsoft Defender for Cloud expands its runtime protection capabilities, particularly for containers, Kubernetes, storage, and SQL Server, offering an increasingly consistent security posture across Azure, Amazon Web Services (AWS), Google Cloud, and on-premises environments. Governance is also taking a step forward, thanks to the evolution of Azure Landing Zones, the new sovereign initiatives, and the integration of Azure Policy with automation scenarios such as Ansible. These capabilities help organizations standardize configurations, reduce drift, and apply consistent controls across distributed infrastructures. On the resilience and monitoring side, Azure Backup, Azure Site Recovery, and Azure Monitor extend support to modern workloads such as Azure Kubernetes Service (AKS), Elastic SAN, NVMe virtual machines, OpenShift, and OpenTelemetry-based applications, simplifying protection, disaster recovery, and observability. Overall, the message is clear: the management of hybrid and multicloud environments must become increasingly automated, secure, and centrally governed. The recommendation is therefore to assess these updates as building blocks of an integrated strategy, starting from Azure Arc, Azure Policy, Defender for Cloud, Backup, and Monitor to build a more consistent, resilient, and scalable operating model.

Azure IaaS and Azure Local: announcements and updates (April 2026 – Weeks: 15 and 16)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft named a Leader in The Forrester Wave™ for Sovereign Cloud Platforms

Microsoft has been named a Leader in The Forrester Wave™: Sovereign Cloud Platforms, Q2 2026, an evaluation that assessed major sovereign cloud providers based on current offerings, strategy, and customer feedback. Microsoft presents this recognition as confirmation of its long-term commitment to helping organizations adopt cloud and Artificial Intelligence (AI) capabilities without compromising control, compliance, operational independence, or innovation. According to Microsoft, the report highlights an important reality of digital sovereignty: there is no single deployment model that fits every requirement, and organizations often combine public cloud, private cloud, and disconnected environments to balance regulation, risk, functionality, and cost. Microsoft states that its approach is based on delivering consistent sovereign controls across multiple environments rather than relying on a single isolated sovereign cloud model. The company also emphasizes that Microsoft Sovereign Cloud brings together public cloud controls such as data residency and access protections, private cloud and hybrid deployments enabled by Azure Local and Azure Arc, and partner-operated national clouds. Microsoft further notes that Forrester recognized its ability to extend sovereignty across cloud, AI, productivity, and security services, while maintaining consistency in management, governance, and deployment models across connected and disconnected environments.

Microsoft Azure now available from new cloud region in Denmark

Microsoft has announced the opening of a new Azure cloud region in Denmark, further expanding its global infrastructure footprint to support digital transformation and Artificial Intelligence (AI) innovation. The new Denmark East region provides Danish customers with local and secure cloud infrastructure, helping address requirements for data residency, low latency, and in-country cloud adoption.

Compute

Ephemeral OS Disk with full caching for VM and VMSS (preview)

Ephemeral OS Disk with full caching is now available in Public Preview for Azure Virtual Machines (VMs) and Virtual Machine Scale Sets (VMSS), delivering faster and more reliable operating system disk performance for supported workloads. This capability works by caching the entire OS disk image on local VM storage—including cache disk, resource disk, or NVMe disk—resulting in improved input/output (I/O) performance, consistently low latency, and greater resilience during remote storage disruptions. Microsoft highlights that this feature is especially well suited for I/O-sensitive stateless workloads, such as Artificial Intelligence (AI) scenarios, quorum-based databases, data analytics, real-time processing systems, and large-scale stateless services on general-purpose VM families. During the preview, the feature is available for most general-purpose VM SKUs, excluding 2-vCPU and 4-vCPU virtual machines, across a broad set of 29 Azure regions.

Networking

Rule impact analysis on Azure Network Watcher (preview)

Rule impact analysis in Azure Network Watcher is now available in Public Preview, enabling customers to preview the impact of security admin rules before applying them to their environments. This capability helps administrators better understand the potential effects of rule changes in advance, reducing the risk of unintended connectivity issues and improving change validation for network security configurations.

Unlock client-side configuration at scale with Azure App Configuration and Azure Front Door (preview)

Azure App Configuration now integrates with Azure Front Door in Public Preview, allowing customers to deliver dynamic configuration securely to client-side applications at Content Delivery Network (CDN) scale. This capability gives modern applications greater flexibility by enabling client-side configuration updates at global scale, while benefiting from Azure Front Door’s distribution and edge delivery capabilities.

StandardV2 NAT Gateway as an outbound type for AKS (preview)

Azure Kubernetes Service (AKS) now supports managed and user-assigned StandardV2 NAT Gateway as an outbound type for both AKS-managed and bring-your-own virtual networks (BYO VNets) in Public Preview. This update provides additional flexibility for outbound connectivity design in AKS, enabling customers to take advantage of the newer StandardV2 NAT Gateway option when planning egress architecture for Kubernetes workloads.

Storage

Granular encryption-in-transit controls for SMB and NFS on Azure Files

Azure Files now supports independent configuration of encryption-in-transit settings for SMB and NFS protocols at the storage account level. This capability allows customers to define protocol-specific security policies and apply more precise control over encryption requirements for each protocol without compromise. Microsoft positions this enhancement as especially useful for mixed-protocol workloads, where SMB and NFS may require different security configurations while still sharing the same storage environment.

Azure Storage Mover now available in Azure Government (US)

Azure Storage Mover is now available in Azure Government (US), enabling U.S. government customers and partners to securely migrate large-scale file data into Azure Government cloud environments by using a fully managed migration service. This availability expands Storage Mover’s reach to government scenarios that require stronger compliance and sovereign cloud alignment, while helping organizations simplify large-scale file migrations without relying on self-managed tooling.

Azure Data Box now supports Azure Files Provisioned v2

Azure Data Box now supports data ingestion into Azure Files Provisioned v2 storage accounts. This enhancement extends Azure Data Box compatibility to the newer billing and provisioning model for Azure Files, helping customers move data into Provisioned v2 environments as part of migration and large-scale data transfer scenarios.

Azure File Sync now available in Belgium Central, Malaysia West, and Indonesia Central

Azure File Sync is now available in Belgium Central, Malaysia West, and Indonesia Central, extending the service to additional regions and bringing it closer to organizations with hybrid file storage requirements. Azure File Sync enables seamless tiering of data from on-premises Windows Servers to Azure Files, supporting both hybrid use cases and simplified migration scenarios. With this regional expansion, customers can benefit from lower latency, improved performance, and support for local data residency requirements, while continuing to use the performance, flexibility, and compatibility of their on-premises file servers together with the scale and cost efficiency of Azure Files.

Encrypt Premium SSD v2 and Ultra Disks with cross-tenant customer-managed keys

Cross-tenant customer-managed keys (CMK) for Premium SSD v2 and Ultra Disks are now Generally Available (GA). This capability allows managed disks to be encrypted with a customer-managed key stored in an Azure Key Vault located in a different Microsoft Entra tenant from the disk resource itself. The feature is designed for scenarios where resource ownership and key ownership are intentionally separated across tenants, such as in multi-tenant or service provider environments, helping organizations enforce stronger separation of duties and more flexible encryption governance models.
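As an added illustration of the cross-tenant pattern described above (this is example code written for this post, not Microsoft's own sample), the Bicep below declares a Disk Encryption Set in the resource tenant that references a key held in a Key Vault in another Microsoft Entra tenant, and then a Premium SSD v2 disk encrypted with it. The multi-tenant app registration (its appId), the federated identity credential that binds it to the user-assigned managed identity, and the key-tenant's grant of wrap/unwrap on the key are assumed to exist already; the identity id, app id and key URL are constructed placeholders supplied as parameters.

```bicep
// Added example, not from the original post: Disk Encryption Set (DES) in the
// resource tenant pointing at a key stored in a Key Vault of a different tenant,
// plus a Premium SSD v2 disk encrypted with that DES.
// ASSUMPTIONS: the multi-tenant app (crossTenantAppId) is registered in the key
// tenant, a federated identity credential on that app trusts the user-assigned
// managed identity below, and the key tenant has granted the app wrap/unwrap
// rights on the key. All ids and URLs here are constructed placeholders.
param location string = 'westeurope'
param userAssignedIdentityId string   // UAMI in THIS tenant: /subscriptions/<sub>/.../userAssignedIdentities/<name>
param crossTenantAppId string         // appId of the multi-tenant app that lives in the KEY tenant
param keyUrl string                   // versionless key URL in the key tenant's vault, e.g. https://<vault>.vault.azure.net/keys/<key>

resource des 'Microsoft.Compute/diskEncryptionSets@2024-03-02' = {
  name: 'des-crosstenant'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentityId}': {}
    }
  }
  properties: {
    encryptionType: 'EncryptionAtRestWithCustomerKey'
    activeKey: {
      // No sourceVault reference: the vault is not a resource in this tenant
      keyUrl: keyUrl
    }
    // This is the cross-tenant part: the DES authenticates to the remote vault
    // as this app, via the federated credential tied to the UAMI above
    federatedClientId: crossTenantAppId
    // Versionless keyUrl + auto-rotation keeps disks on the newest key version
    rotationToLatestKeyVersionEnabled: true
  }
}

resource disk 'Microsoft.Compute/disks@2024-03-02' = {
  name: 'disk-pv2-crosstenant'
  location: location
  zones: [ '1' ]                     // Premium SSD v2 is zonal
  sku: { name: 'PremiumV2_LRS' }
  properties: {
    creationData: { createOption: 'Empty' }
    diskSizeGB: 256
    diskIOPSReadWrite: 5000          // PV2 provisions IOPS and throughput independently
    diskMBpsReadWrite: 200
    encryption: {
      type: 'EncryptionAtRestWithCustomerKey'
      diskEncryptionSetId: des.id
    }
  }
}
```

The separation of duties this enables cuts both ways: the team that owns the key tenant can disable the key or withdraw the app's wrap/unwrap permission and the disk becomes unreadable until access is restored, so key rotation and revocation procedures in the key tenant should be rehearsed against attached disks, and the DES provisioning state (for example via `az disk-encryption-set show`) is worth monitoring after any change on the key side.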

Minimum billable object size for cooler storage tiers

Microsoft has announced a minimum billable object size for cooler storage tiers in storage accounts that use Azure Blob Storage or Azure Data Lake Storage (ADLS) Gen2. This update affects how objects stored in cooler tiers are billed, introducing a minimum billable size threshold for stored objects. At the time of writing, Microsoft has announced the change but has not published further details on its full scope or implementation specifics.

Smart Tier for Azure Blob and Data Lake Storage

Smart Tier for Azure Blob Storage and Azure Data Lake Storage (ADLS) is now Generally Available (GA) in nearly all zonal public cloud regions, with Israel Central, Qatar Central, and UAE North excluded from this announcement. Smart Tier is a fully managed and automated data tiering capability for object storage standard online tiers, designed to reduce the need for manual tier placement decisions. By automating data placement across supported tiers, Smart Tier helps customers simplify storage management and optimize data lifecycle handling for object storage workloads.

Azure Data Box enhances compliance with automatic Secure Erasure Certificates

Azure Data Box now automatically generates a downloadable Secure Erasure Certificate for every completed order, improving compliance and auditability for data transfer workflows. This enhancement provides customers with a more consistent way to document secure data removal after transfer operations, which can be especially useful for governance, regulatory, and audit requirements.

Azure Files assessments now available using Azure Migrate (preview)

Azure Migrate now supports Azure Files assessments in Public Preview, allowing customers and partners to more effectively plan migrations of on-premises SMB and NFS shares. With this capability, organizations can discover and review existing on-premises file shares, then group, tag, and assess them to support migration planning and improve visibility into file-based modernization scenarios.

User and group quota reports in Azure NetApp Files (preview)

User and group quota reports in Azure NetApp Files are now Generally Available (GA). This capability provides organizations using individual user and group quotas on NFS, SMB, and dual-protocol volumes with improved visibility into quota consumption by exposing key metrics such as quota limits, used capacity, and percentage utilization for each targeted user or group defined in a quota rule. With this reporting functionality, administrators can more easily monitor capacity usage, identify potential imbalances, and manage storage allocation more effectively across Azure NetApp Files environments.

Azure NetApp Files storage with cool access enhancement (preview)

Azure NetApp Files is introducing a storage with cool access enhancement in Public Preview for the Premium and Ultra service levels. This enhancement more precisely aligns throughput with data tiering by dynamically calculating maximum throughput based on the amount of data tiered to cool access storage, rather than applying a fixed reduction. With this model, hot data retains its configured performance, while throughput adjustments occur only for the data that has been moved to the cool tier, enabling more efficient performance management for tiered storage scenarios.

Azure Local

Foundry Local on Azure Local single-node deployments (preview)

Microsoft has announced the Public Preview of Foundry Local support for single-node Azure Local deployments, extending its edge Artificial Intelligence (AI) capabilities to industrial, manufacturing, and sovereign scenarios where inference must run locally without relying on cloud connectivity or multi-node clusters. Delivered both as a Kubernetes-native service and as an Azure Arc-enabled extension, this preview allows organizations to deploy, manage, and run advanced AI models directly on local infrastructure, such as servers on the factory floor, in remote plants, or in highly regulated and disconnected environments. Foundry Local provides REST and OpenAI-compatible APIs, enabling teams to use familiar cloud-aligned patterns for local AI workloads, while supporting built-in generative models from the Foundry Local catalog, custom predictive models such as Open Neural Network Exchange (ONNX) models from Open Container Initiative (OCI) registries, and multi-model orchestration for agent-style applications on a single Kubernetes cluster. On Azure Local single-node systems, Foundry Local runs on Azure Kubernetes Service (AKS) enabled by Azure Arc, with Graphics Processing Unit (GPU) access enabled through the NVIDIA device plugin, providing a validated and supported edge AI foundation. Microsoft also offers two deployment paths: an Azure Arc-enabled Kubernetes extension for simplified lifecycle management through the Azure portal, and a Helm chart-based installation option for teams that require more granular control over deployment configuration, GPU allocation, storage, and GitOps workflows.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (April 2026 – Weeks: 13 and 14)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Availability of Microsoft Azure and related services

Microsoft has announced several generally available updates related to the expansion of Azure infrastructure and storage services. First, Microsoft has opened its new cloud region in Denmark, Denmark East, to support digital transformation and AI innovation for customers in the country. This new region provides local, secure cloud infrastructure with support for data residency, low-latency access, and access to advanced cloud and AI services. In addition, Azure Premium SSD v2 is now available in US Gov Arizona, a region without Availability Zones, extending access to this next-generation general-purpose block storage option for Azure virtual machines in government environments. Azure Premium SSD v2 offers sub-millisecond latency and strong price-performance characteristics for IO-intensive workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data and analytics platforms, and gaming workloads running on virtual machines or stateful containers. Azure Premium SSD v2 is also now available in South India, further expanding regional access to this storage option for enterprise production workloads that require high performance and cost efficiency.

Compute

Ephemeral OS Disk with full caching for VM/VMSS (preview)

Ephemeral OS Disk with full caching is now available in public preview for Azure Virtual Machines and Virtual Machine Scale Sets, delivering significantly faster and more reliable OS disk performance for supported workloads. This capability works by caching the entire OS disk image on local VM storage, including cache disk, resource disk, or NVMe disk, which results in improved I/O performance, consistently low latency, and greater resilience in scenarios involving remote storage disruptions. The feature is especially beneficial for stateless and I/O-sensitive workloads such as AI applications, quorum-based databases, data analytics platforms, and large-scale stateless services running on General Purpose VM families. It is currently available on most General Purpose VM SKUs, excluding 2-core and 4-core virtual machines, in Central US. Customers can enable it by setting the enableFullCaching flag to true for Ephemeral OS disks in ARM templates or REST API definitions when creating new virtual machines or virtual machine scale sets.
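To show where that flag sits in a deployment definition, here is an added example (written for this post, not Microsoft's own template) of a Bicep resource for a General Purpose VM with an Ephemeral OS disk; Bicep compiles to the ARM template the post refers to. The exact property path for enableFullCaching is an assumption to be checked against the Microsoft.Compute reference before use, the NvmeDisk placement value is likewise assumed, and the VM size, image, credentials and NIC id are constructed inputs.

```bicep
// Added example, not from the original post: Ephemeral OS disk with the
// full-caching preview flag on a General Purpose VM in Central US.
// ASSUMPTIONS: the location of enableFullCaching under diffDiskSettings is
// assumed from the post's description, not taken from published schema;
// placement values CacheDisk and ResourceDisk are documented, NvmeDisk is
// assumed. vmSize, image, credentials and nicId are constructed inputs.
param location string = 'centralus'   // the post scopes the preview to Central US
param adminUsername string
@secure()
param adminPassword string
param nicId string                     // resource id of an existing NIC (constructed input)

resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: 'vm-ephemeral-fullcache'
  location: location
  properties: {
    hardwareProfile: {
      // 8 vCPUs: the post excludes 2-core and 4-core SKUs from the preview
      vmSize: 'Standard_D8s_v5'
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: 'ubuntu-24_04-lts'
        sku: 'server'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        caching: 'ReadOnly'            // Ephemeral OS disks require ReadOnly caching
        diffDiskSettings: {
          option: 'Local'              // makes the OS disk ephemeral (local to the host)
          placement: 'CacheDisk'       // 'ResourceDisk' or (assumed) 'NvmeDisk' also possible
          enableFullCaching: true      // ASSUMED property path for the preview flag
        }
      }
    }
    osProfile: {
      computerName: 'vm-ephemeral'
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [ { id: nicId } ]
    }
  }
}
```

The operational caveat to keep in mind when adopting this for quorum-based databases or other stateful roles is that an Ephemeral OS disk lives on the host and is reset when the VM is deallocated or redeployed, and it cannot be snapshotted or backed up like a managed OS disk, so the workload must be designed to rebuild its OS-level state from elsewhere (image, extensions, data disks) rather than rely on the OS disk persisting.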

Networking

Unlock client-side configuration at scale with Azure App Configuration and Azure Front Door (preview)

Azure App Configuration, integrated with Azure Front Door, is now available in public preview and enables organizations to deliver dynamic configuration directly to client-side applications securely and at CDN scale. This new capability brings greater flexibility to modern application architectures and is particularly relevant for AI-powered and agentic client applications. It supports a wide range of client experiences, including Single Page Applications built with frameworks such as React, Vue, Angular, and Next.js, as well as mobile and desktop applications developed with .NET MAUI, browser-based JavaScript components, embedded widgets, and other web applications capable of running JavaScript. With this integration, customers can centrally manage feature flags and configuration settings and propagate updates to browsers and mobile apps in real time without redeploying applications. Azure Front Door provides low-latency delivery for large global audiences, while the design ensures that secrets are not exposed to clients, as only scoped configuration values are delivered through managed identity. This built-in approach also simplifies application architecture by removing the need for custom proxy layers.

Storage

Azure Data Box enhancements

Azure Data Box now includes two generally available enhancements designed to improve compliance, transparency, and data transfer flexibility. First, Azure Data Box automatically generates a downloadable Secure Erasure Certificate for every completed order, verifying that all data on the device has been securely erased in accordance with NIST 800-88 Revision 2 standards. The certificate is produced as part of the standard cleanup process and is available directly through the Azure portal, reducing audit complexity, eliminating the need for manual validation, and simplifying compliance requirements for organizations working with sensitive data, including those in government, law enforcement, and financial services. In addition, Azure Data Box now supports data ingestion into Azure Files Provisioned v2 storage accounts. This allows customers to transfer data directly into a storage model where capacity, IOPS, and throughput are provisioned independently, offering greater flexibility and cost control for file share workloads across most public Azure regions.

Azure NetApp Files storage with cool access enhancement (preview)

The cool access enhancement for Azure NetApp Files storage is now in public preview and introduces an updated Quality of Service (QoS) behavior for Premium and Ultra service levels. This enhancement improves the way Azure NetApp Files balances performance and cost for environments that combine hot and cool data workloads. As data moves to cool storage, throughput is automatically adjusted to preserve hot-tier performance while still allowing customers to take advantage of cool access at scale. The capability continuously optimizes pool and volume throughput according to changing cool access patterns, delivering a more seamless operational experience and reducing the need for manual tuning. As a result, organizations can better align storage performance with workload demand while improving cost efficiency for mixed-use datasets.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.