Azure Management services: what’s new in January 2025

This month, Microsoft has introduced a series of significant updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant updates. Our goal is to keep you constantly informed about these developments, offering essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Integration of Performance Diagnostics in Azure Monitor for VM Troubleshooting (Preview)

Microsoft has introduced a new integration between Azure Monitor and Performance Diagnostics, enhancing virtual machine (VM) performance troubleshooting capabilities. This feature is now available in the VM Overview Monitoring panel and the VM Insights section of Azure Monitor, providing a unified experience that combines monitoring and diagnostics in a single environment. Thanks to this integration, users can identify and resolve VM performance issues more efficiently within the Azure Monitor workflow, accessing detailed diagnostic data, recommendations, and continuous or on-demand insights. The continuous mode allows for timely identification of high resource utilization, providing useful indications for proactive performance management and reducing the risk of downtime. This evolution of Azure Monitor represents a step forward in ensuring the highest level of operational efficiency for cloud-based VMs, simplifying the diagnosis and optimization process.

Monitoring Azure Container Storage Metadata with Azure Monitor Managed Service for Prometheus (Preview)

Azure Container Storage offers a native experience for containers and is optimized for integration with Azure Kubernetes Service (AKS). With its launch in Public Preview, customers using Azure Container Storage in AKS clusters can now collect storage pool and disk metrics via Azure Monitor Managed Service for Prometheus. These metrics can be viewed and queried directly in Azure Managed Grafana. Once Azure Container Storage is enabled on an AKS cluster with managed Prometheus active, metrics will be automatically collected and integrated with other system metrics. This update enhances monitoring and simplifies storage resource management in AKS clusters.

Configure

Azure Automation

Revision of Service and Subscription Limits for Azure Automation

Starting January 15, 2025, Azure Automation will introduce a revision of service and subscription limits to ensure fair cloud resource distribution among all customers. This update aims to improve service reliability and performance while optimizing resource utilization. Given that organizations’ needs vary and evolve over time, customers will be able to configure their limits based on actual usage.

The resources affected by this revision include:

  • The maximum number of automation accounts per subscription in a single region.
  • The maximum number of concurrently running jobs per automation account.

Customers can check their current usage, review limits, and request quota changes by creating a support request under Service and Subscription Limits (Quotas) -> Azure Automation.

Retirement of Azure Automation Jobs on Agent-Based Hybrid Worker from April 1, 2025

Starting April 1, 2025, all Azure Automation jobs executed on Agent-Based Hybrid Worker (Windows and Linux) will be discontinued. This approach was officially retired on August 31, 2024, and no longer receives security updates, posing a potential security risk. Microsoft strongly recommends migrating to Extension-Based User Hybrid Runbook Worker (Windows and Linux) to continue running hybrid jobs.

The main advantages of the new solution include:

  • Enhanced security through access control with system-assigned managed identities, eliminating the need for manually managed certificates.
  • Improved operational productivity with automatic updates and large-scale VM management.
  • Simplified installation, removing the need to install the Log Analytics agent.

Retirement of PowerShell Runbooks Using AzureRM Modules from February 1, 2025

As of February 1, 2025, Azure Automation will stop executing all runbooks using AzureRM modules. The PowerShell AzureRM module was retired on February 29, 2024, in favor of the Az PowerShell module, which offers greater security, stability, and advanced features.

To avoid disruptions, it is necessary to update all runbooks using AzureRM to the Az PowerShell module and remove AzureRM modules from automation accounts. This transition will ensure continuous support and access to the latest PowerShell features in the Azure Automation environment.
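One way to find the runbooks that still need this migration, as an added example that is not code from this article or from Microsoft: it parses runbook text with the PowerShell AST and reports AzureRM cmdlets, module imports and #Requires lines. The function name Find-AzureRmUsage and the sample runbook are assumptions made for illustration.

```powershell
# Added example: find AzureRM usage in runbook source by walking the PowerShell AST,
# so mentions inside comments and string literals are not reported.
function Find-AzureRmUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,    # runbook name, used only for reporting
        [Parameter(Mandatory)][string]$Source   # runbook script text
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Source, [ref]$tokens, [ref]$errors)

    # '#Requires -Modules AzureRM.*' lands in ScriptRequirements, not in a command node
    if ($ast.ScriptRequirements) {
        foreach ($m in $ast.ScriptRequirements.RequiredModules) {
            if ($m.Name -like 'AzureRM*') {
                [pscustomobject]@{ Runbook = $Name; Line = '-'; Kind = '#Requires'; Text = $m.Name }
            }
        }
    }

    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }
    foreach ($cmd in $ast.FindAll($isCommand, $true)) {
        $cmdName = $cmd.GetCommandName()
        if (-not $cmdName) { continue }         # dynamic call such as '& $name': cannot resolve
        $kind = $null
        if ($cmdName -match '^[A-Za-z]+-AzureRm') {
            $kind = 'AzureRM cmdlet'
        } elseif (($cmdName -in 'Import-Module', 'ipmo') -and ($cmd.Extent.Text -match '\bAzureRM\b')) {
            $kind = 'AzureRM module import'
        }
        if ($kind) {
            [pscustomobject]@{ Runbook = $Name; Line = $cmd.Extent.StartLineNumber
                               Kind = $kind; Text = $cmd.Extent.Text }
        }
    }
}

# Constructed sample runbook (not taken from any real automation account)
$sample = @'
#Requires -Modules AzureRM.Compute
# TODO: Get-AzureRmVM in this comment must not be reported
Import-Module AzureRM.Profile
Get-AzureRmVM -ResourceGroupName 'rg-demo' | Stop-AzureRmVM -Force
Write-Output "Stop-AzureRmVM finished"
'@
Find-AzureRmUsage -Name 'Stop-DemoVMs' -Source $sample | Format-Table -AutoSize
```

To scan a real automation account, export each runbook with Export-AzAutomationRunbook and pass the file's text (Get-Content -Raw) as -Source.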

Blocking of Resources Interacting with Azure Automation Using TLS 1.0/1.1 Protocols from March 1, 2025

Starting March 1, 2025, resources interacting with Azure Automation via TLS 1.0 and TLS 1.1 protocols will no longer be supported. These protocols, used for establishing encrypted channels, no longer meet modern security standards.

All interactions, including Webhooks, Hybrid Runbook Workers (Agent-Based and Extension-Based), and Automation DSC, using TLS 1.0 or 1.1 will be blocked. Scheduled or running jobs on Hybrid Workers using these protocols will not be completed.

To ensure continuity, it is recommended to update resources to use TLS 1.2 or higher. Microsoft has provided guidance for disabling obsolete TLS protocols and enabling TLS 1.2 or higher on Windows and Linux machines.
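A read-only check of the Windows settings involved, as an added example that is not part of the original article or of Microsoft's guidance: it reports the Schannel protocol keys and the .NET Framework values that decide which TLS versions a host such as a Hybrid Runbook Worker can use. The function name Get-TlsRegistryAudit and the wording of the findings are assumptions.

```powershell
# Added example: audit the registry values that govern TLS versions on a Windows host.
# It only reads the registry; nothing is changed.
function Get-TlsRegistryAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$root\$proto\$role" -ErrorAction SilentlyContinue
            # A missing key or value means the default of this Windows version applies
            if ($null -eq $p -or $null -eq $p.Enabled) { $state = 'OS default' }
            elseif ($p.Enabled -eq 0)                  { $state = 'disabled' }
            else                                       { $state = 'enabled' }

            if ($proto -eq 'TLS 1.2') {
                if ($state -eq 'disabled') { $finding = 'FAIL: TLS 1.2 is switched off' }
                else                       { $finding = 'ok' }
            } elseif ($state -eq 'enabled') {
                $finding = 'WARN: legacy protocol explicitly enabled'
            } elseif ($state -eq 'OS default') {
                $finding = 'CHECK: result depends on the OS default'
            } else {
                $finding = 'ok'
            }
            [pscustomobject]@{ Scope = 'Schannel'; Item = "$proto $role"
                               Value = $state; Finding = $finding }
        }
    }

    # .NET Framework 4.x values that make managed code use strong crypto and the
    # operating system's TLS defaults (64-bit and 32-bit registry views)
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $netKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $isSet = ($null -ne $p) -and ($p.$name -eq 1)
            if ($isSet) { $value = '1'; $finding = 'ok' }
            else { $value = 'not set or 0'; $finding = 'CHECK: older .NET apps may not follow OS TLS defaults' }
            [pscustomobject]@{ Scope = $key; Item = $name; Value = $value; Finding = $finding }
        }
    }
}

Get-TlsRegistryAudit | Format-Table -AutoSize -Wrap
```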

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is under continuous development, with improvements introduced regularly. To help customers stay up to date, Microsoft maintains this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Update to Container Registry Scanning Policies (Preview): Microsoft has updated image scanning policies for container registries, modifying the re-evaluation period for cloud and external registries, including Azure, AWS, GCP, Docker, and JFrog. Previously, Defender for Cloud scanned images for 90 days after their publication in the registry; with this change, the scanning period will now be limited to the last 30 days. This change only affects the preview recommendation for scanning images in registries and does not impact General Availability (GA) recommendations related to vulnerability assessment (VA) in container registries.
  • New Permissions for the GCP Connector to Support AI Platforms: Microsoft has expanded the GCP connector’s permissions to enhance support for artificial intelligence platforms, particularly Vertex AI. With this update, Defender for Cloud can now monitor and protect AI workloads on Google Cloud more effectively. The new permissions introduced include privileges for managing batch prediction jobs, custom jobs, datasets, endpoints, models, pipeline jobs, and tuning jobs, as well as specific permissions for Discovery Engine and Google Notebooks. This update ensures broader protection for AI services hosted on GCP.
  • Improvements to GC-Based Linux Baselines Recommendation: The GC-powered Linux Baselines feature has been enhanced to provide greater accuracy and coverage in analyzing Linux operating systems. Starting in February, Defender for Cloud will introduce a series of updates, including new rule names for existing checks and additional security controls. These improvements will ensure more precise and up-to-date assessments, allowing organizations to strengthen the security of their Linux environments. Users wishing to exclude this recommendation can do so by exempting their resources or removing the GC extension.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.
