Category Archives: Azure Policy & Governance

Azure Management services: what’s new in October 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, the aim is to provide an overview of the most relevant new features. The goal is to keep you constantly informed about these developments, providing you with essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

VM Health Monitoring with VM Watch for Azure VMs (preview)

VM Watch, now available in public preview, is a lightweight and adaptable service for monitoring the health of virtual machines (VMs) and VM Scale Sets in Azure. This service performs health checks within the VM at configurable intervals, sending results to Azure via a uniform data model. The collected data is used by Azure’s AI Operations (AIOps) engines to detect and prevent regressions. VM Watch is deployed through the Application Health VM extension, simplifying management and adoption for customers, and it is offered at no additional cost. The service is compatible with both Linux and Windows environments, suitable for individual VMs or VMSS. Additionally, VM Watch ensures efficient monitoring without compromising system performance, thanks to limits on CPU and memory usage. The service includes a set of predefined tests, easily configurable for specific scenarios, making monitoring ready-to-use right out of the box.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Security Findings for GitHub Repositories without GitHub Advanced Security: Starting October 21, 2024, GitHub offers security findings for repositories even without GitHub Advanced Security. This new feature enables users to identify and fix Infrastructure-as-Code (IaC) misconfigurations, container vulnerabilities, and code weaknesses, providing greater protection and visibility without the advanced license. However, secret scanning, code scanning with CodeQL, and dependency scanning remain exclusive to GitHub Advanced Security.
  • Deprecation of Compliance Standards in Defender for Cloud: Starting November 17, 2024, three compliance standards will be removed from Defender for Cloud: SWIFT CSP-CSCF 2020 (replaced by version 2022), CIS Microsoft Azure Foundations 1.1.0 and 1.3.0 (updated to versions 1.4.0 and 2.0.0, respectively). These updates reflect the latest best practices, and users can consult the Defender for Cloud documentation for an overview of currently supported standards.
  • Deprecation of Defender for Cloud Standards for AWS and GCP: As of November 17, 2024, Defender for Cloud will deprecate three standards specific to AWS and GCP (AWS CSPM, GCP CSPM, and GCP Default). These checks have been integrated into the Microsoft Cloud Security Benchmark (MCSB), which becomes the default, unified standard for all multi-cloud security assessments.
  • Binary Drift Detection in Containers: Since October 9, 2024, binary drift detection is available for Defender for Containers. This feature detects any suspicious changes within containers in real-time, ensuring greater security for deployments on all versions of Azure Kubernetes Service (AKS).
  • Updated Recommendations for Container Runtime (Preview): Recommendations for addressing vulnerabilities in containers running on AWS, Azure, and GCP have been unified to reduce duplication and optimize result analysis.
  • Kubernetes Identity and Access View in the Security Graph (Preview): Kubernetes identities and access configurations are now visible in the security graph, showing nodes, service accounts, roles, and connections illustrating permissions among Kubernetes objects.
  • Identity-Based Kubernetes Attack Paths (Preview): Using RBAC data, Defender for Cloud can identify attack paths across Kubernetes clusters, detecting lateral movement.
  • Enhanced Attack Path Analysis for Containers: Attack path analysis now also supports containers, providing a more detailed view of potential attack patterns in cloud environments.
  • Complete Discovery of Container Images in Supported Registries: Defender for Cloud now detects all container images in supported registries, improving visibility and allowing in-depth searches through Cloud Security Explorer to identify images based on metadata.
  • Container Software Inventory with Cloud Security Explorer: Cloud Security Explorer now provides a comprehensive inventory of software installed within containers and images, facilitating the quick identification of potential vulnerabilities, including zero-day threats, before CVEs are published.

Protect

Azure Backup

Reduced Rates for SAP HANA Backup Protected Instances

As of September 1, 2024, Azure introduced a significant rate reduction for Protected Instances (PIs) related to the SAP HANA backup service on Azure VMs. This update is aimed at enhancing cost efficiency, offering a more affordable service for protecting critical data for companies without compromising quality or performance. Specifically, the backup streaming rate for SAP HANA has been set at a standard price of $80 per instance (in the East US2 region), with a standard regional surcharge, regardless of the HANA database size. For snapshot backups, the cost is $80 per 5 TB increment, with the same regional surcharge. This change allows enterprises to protect their data in a more economically sustainable way.

GRS and CRR Support for Azure VMs with Premium SSD v2 and Ultra Disk in Azure Backup

Azure has announced support for the backup of virtual machines on Premium SSD v2 and Ultra Disk using GRS (Geo-Redundant Storage) vaults. These offerings represent the most advanced storage solutions, designed to meet the needs of IO-intensive enterprise applications requiring sub-millisecond latencies, high IOPS, and throughput. With GRS support and cross-region restore capabilities, users can protect their virtual machines from data loss during disaster events, as well as perform periodic audits by restoring data on demand in the secondary region. Currently, GRS vault enablement for virtual machines using Premium SSD v2 and Ultra Disk is available in various regions, including Southeast Asia, East Asia, North Europe, West Europe, East US, West US, and West US 3. Support will be extended to other public regions in the coming months.

Immutable WORM Storage for Backups in Azure Recovery Services Vaults (preview)

Azure backup introduces the capability to use immutable WORM (Write Once, Read Many) storage for backups within Recovery Services Vaults. This option ensures that a recovery point, once created, cannot be deleted or altered during its retention period, up to the designated expiration date, helping to meet compliance requirements. WORM support will be applicable to all vaults, both new and existing, and is currently available in preview in specific regions.

Transition to Azure Business Continuity Center for Large-Scale BCDR Management (preview)

Starting October 3, 2024, Azure made the new “Azure Business Continuity Center” (ABCC) available in public preview, a centralized solution for large-scale backup and disaster recovery management. This tool arises from evolving customer needs, influenced by the growing threat of ransomware attacks, which have led many companies to seek out multiple vendors for data protection. The ABCC, which will replace the previous Backup Center, offers unified management for Azure and hybrid environments, integrating the functionalities of Azure Backup and Azure Site Recovery. The transition is immediate and at no additional cost: users can immediately view their protection status in the new center without needing to take specific actions. Simply log into the Azure portal and search for the Business Continuity Center. The Backup Center has been removed from global search results in the Azure portal but remains accessible through an option within the ABCC.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features. This month’s main update is that the import of the RVTools XLSX file enables reading storage data, where available, from the vPartition and vMemory sheets (for storage space required for unreserved memory).

Azure Database Migration

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in September 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, the aim is to provide an overview of the most relevant new features. The goal is to keep you constantly informed about these developments, providing you with essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Azure Monitor Metrics Export (preview)

Azure Monitor Metrics Export is now available in Public Preview and configurable via Data Collection Rules (DCR), allowing Azure resource metric data to be directed to Azure Storage Accounts, Azure Event Hubs, and Azure Log Analytics Workspaces for 18 types of resources and in 10 public Azure regions. Some of the key benefits of Azure Monitor Metrics Export include:

  • Scalability: DCR, the data collection configuration mechanism in Azure Monitor, allows you to configure collection once and apply it at scale to many resources, supporting management across multiple subscriptions.
  • Flexibility in data collection: Customers can select specific metrics or all metrics for a given set of resources, thus controlling volumes and associated costs.
  • Full-fidelity, low-latency export: Metric data is exported with dimensional information to facilitate correlation, significantly improving export latency (~70%) compared to diagnostic settings.

Configure

Update management

Retirement of Automated Patching and introduction of Azure Update Manager

Effective September 15, 2027, the Automated Patching feature will be retired and replaced with Azure Update Manager. This decision was made to ensure a more efficient and centralized update management process. Azure Update Manager is an enterprise-level tool that offers several advanced features:

  • Centralized update management: Provides a unified dashboard to view and manage updates across the entire environment, including virtual machines, on-premises servers, and hybrid scenarios.
  • Custom scheduling: You can create custom update schedules based on business needs, whether they are weekly, monthly, or scheduled on specific dates.
  • Patch compliance reports: Azure Update Manager generates detailed reports on patch compliance, keeping users informed about the status of updates across the entire infrastructure.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Azure Container Storage enabled by Azure Arc Edge Volumes (preview)

Microsoft has announced the Public Preview of Azure Container Storage enabled by Azure Arc Edge Volumes, a versatile new feature designed to improve data management in edge environments. Azure Arc Edge Volumes offers two main functionalities: Local Shared Volume and Cloud Ingest Volume. Local Shared Volume provides high-availability storage with failover capabilities, remaining operational even without cloud connectivity, making it ideal for temporary storage and local application state data. Cloud Ingest Volume, on the other hand, allows transparent ingestion of unlimited file data from edge environments into Blob Storage, including ADLSgen2 and OneLake. The storage capacity for ingestion is user-defined, ensuring available space even during disconnections, with the option to delete local data once uploading to Blob is complete. Both solutions are based on advanced features to maintain data integrity, optimize the use of local resources, and are ideal for IoT applications. With Edge Volumes, it is possible to write to a local file system using standard I/O APIs, simplifying application code.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Improvements to Cloud Security Explorer experience: Increased performance, enriched data for each cloud asset, and enhanced CSV export with more details on exported assets.
  • General Availability of File Integrity Monitoring (FIM): Now available as part of Defender for Servers Plan 2, allowing real-time monitoring of critical files and logs to comply with regulations and detect suspicious changes.
  • FIM migration experience: A new in-product feature has been released to migrate FIM configurations from the Log Analytics Agent (MMA) to Defender for Endpoint, easing the transition.
  • Deprecation of MMA auto-provisioning: Starting in September 2024, MMA auto-provisioning will be progressively disabled, with full deactivation by November 2024.
  • Integration with Power BI: Allows the creation of custom reports and dashboards to analyze security posture and compliance recommendations.
  • Updates to multicloud CSPM requirements: New IP addresses to improve multicloud discovery services, requiring IP whitelist updates by October 2024.
  • Deprecation of Defender for Servers features: Adaptive application controls and Adaptive network hardening are now deprecated.
  • Compliance with the Spanish ENS standard: Added the ability to monitor compliance with the National Security Scheme (ENS) standard in Defender for Cloud’s compliance dashboard.
  • Remediation of system updates and patches: It is now possible to apply update recommendations to Azure Arc machines and Azure VMs via Azure Update Manager.
  • Integration with ServiceNow: The integration now includes the configuration compliance module, enabling the identification and resolution of cloud asset configuration issues.
  • Deprecation of Defender for Storage (classic): As of February 5, 2025, transaction protection plans will no longer be available for new subscriptions.
  • General availability of Azure Policy guest configuration: Now available for multicloud customers of Defender for Servers Plan 2, offering unified management of security configurations on Windows and Linux machines.
  • Support for Docker Hub in Defender for Containers: In public preview, enabling the scanning of Docker Hub images to identify and mitigate security threats.

Protect

Azure Backup

Backup Center will no longer be available in Azure portal’s global search

The new Azure Business Continuity Center (ABCC), introduced in Public Preview in November 2023, offers centralized and simplified management for data protection and recovery in Azure and hybrid environments, progressively replacing the previous Backup Center. Designed as an advanced evolution of Backup Center, ABCC allows unified management of solutions like Azure Backup and Azure Site Recovery. Access to the service is immediate, with no prerequisites or additional costs. Even for Backup Center users, no specific actions are required: Azure Business Continuity Center is already available directly from the Azure portal.

Azure Site Recovery

Update Rollup 75 for Azure Site Recovery has been released, addressing various issues and introducing some improvements. The relevant details and procedure for installation can be found in the specific KB.

Automatic certificate renewal for Azure Site Recovery from on-premises to Azure

Azure Site Recovery has introduced a new feature that enables automatic certificate renewal for data protection from on-premises to Azure in disaster recovery scenarios. Certificates are crucial to ensure communication between the various components involved in the recovery process and must be regularly renewed to avoid interruptions in Azure Site Recovery operations, such as data replication. As of August 2024, certificates used for replication from VMware to Azure, introduced in the 2021 Public Preview, will begin to expire. Thanks to this new automatic renewal capability, customers can avoid interruptions during data replication as long as the mobility agent and components within the appliance are updated to the latest available version. If communications or updates are missed, automatic renewal may fail, generating errors in the health of the appliance or agent. Customers are encouraged to follow official documentation to manually renew certificates if needed.

Support for Azure Trusted Launch VMs – Linux OS (preview)

Support for Azure Site Recovery for Azure Trusted Launch virtual machines running Linux operating systems is available in Private Preview. Azure Trusted Launch VMs offer advanced security for Azure generation 2 VMs, enabling features such as Secure Boot and vTPM. This Private Preview focuses exclusively on supporting virtual machines with Linux operating systems, while support for Windows OS VMs is already in General Availability. This new feature provides enhanced protection and recovery options for businesses using virtual machines with advanced security requirements in Linux environments.

Retirement of Classic Alerts

Azure Site Recovery recently introduced a new and improved alert management solution based on Azure Monitor. This solution offers several advantages, including:

  • Notification configuration: Allows notifications to be sent using a wide range of channels.
  • Notification scenario selection: Enables you to choose which scenarios to receive notifications for.
  • Programmable alert management: Offers the ability to programmatically manage alerts and notifications.
  • Consistent alert management experience: Ensures consistent alert management across various Azure services, including backup.

The next step involves retiring the previous Classic Alerts solution for Azure Site Recovery, set for September 23, 2027. If you are using the old classic alert solution, it is recommended to migrate to Azure Monitor Alerts. A guided experience is available through the Business Continuity Center and the Recovery Services Vault to migrate to Azure Monitor Alerts in a few clicks.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in August 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, the aim is to provide an overview of the most relevant new features. The goal is to keep you constantly informed about these developments, providing you with essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Support for Operator and CRD with Azure Monitor managed service for Prometheus (preview)

Azure Monitor managed service for Prometheus introduces support for CRD (Custom Resource Definition) based configurations for scrape jobs, useful for collecting metrics from workloads running in the AKS cluster. With this update, the Managed Prometheus service configuration will distribute custom resource definitions for Pod and Service Monitor, allowing the creation of resources similar to the OSS Prometheus Operator. This functionality simplifies the configuration of scrape jobs in any namespace, eliminating the need to update the common ConfigMap in the kube-system namespace.
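As an added example (not code from the original post or from Microsoft's documentation), here is a ServiceMonitor that lives in the workload's own namespace, which is the point of the CRD support described above: the scrape job is defined next to the application instead of in the shared ConfigMap in kube-system. The Service name `orders-api`, the namespace `shop`, the label `app=orders-api` and the port name `metrics` are assumptions; the `azmonitoring.coreos.com/v1` API group is the one shipped with the managed add-on, and the spec fields follow the Prometheus Operator's ServiceMonitor schema.

```yaml
# Added example, not part of the original post.
# Assumed: a Service "orders-api" in namespace "shop", labelled app=orders-api,
# exposing a port named "metrics" that serves /metrics.
apiVersion: azmonitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: orders-api-metrics
  namespace: shop          # deployed alongside the workload, not in kube-system
  labels:
    team: shop-platform
spec:
  # Which Services to scrape: matched by label within the namespaces below.
  selector:
    matchLabels:
      app: orders-api
  namespaceSelector:
    matchNames:
      - shop
  endpoints:
    - port: metrics        # named port on the Service, not a number
      path: /metrics
      interval: 30s
      scrapeTimeout: 10s
      # Keep only the series the dashboards and alerts actually use; everything
      # else is dropped before ingestion, which bounds volume and cost.
      metricRelabelings:
        - sourceLabels: [__name__]
          regex: "(http_requests_total|http_request_duration_seconds_bucket|process_resident_memory_bytes)"
          action: keep
        # Drop a high-cardinality label so per-request IDs never become series.
        - regex: request_id
          action: labeldrop
```

Apply it with `kubectl apply -f` in the `shop` namespace; the managed Prometheus add-on picks up the resource without any change to the kube-system configuration.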

Dedicated Log Analytics tables for Application Gateway

Application Gateway now allows storing logs in dedicated Log Analytics tables. With this new feature, customers can choose to use resource-specific tables instead of the existing Azure Diagnostic table. In resource-specific mode, individual tables are created in the selected workspace for each category defined in the diagnostic settings. This new approach significantly improves log query capabilities while reducing ingestion latencies and query response times.

High Scale mode for Azure Monitor – Container Insights (preview)

The public preview of High Scale mode in Container Insights is designed to increase the log collection capacity from Azure Kubernetes Service (AKS) clusters. By enabling High Scale mode, Container Insights automatically makes configuration changes, significantly improving overall throughput. These optimizations occur in the background without requiring customer intervention or configuration, offering more efficient large-scale container log management.

Retirement of Azure Monitor Experience (preview) in HDInsight by February 1, 2025

As of February 1, 2025, Azure HDInsight will retire the use of Log Analytics in its Azure Monitor Experience (preview). Users who have already migrated from Classic Log Analytics to the new Azure Monitor Experience (preview) will have already made the necessary adjustments to the new table formats. In this case, it will be sufficient to recreate the cluster using image 2407260448 to switch to the Azure Monitor Agent (AMA) by January 31, 2025. Those who are migrating from Classic Log Analytics to Azure Monitor Agent (AMA), which replaces the Log Analytics agent, will need to make some changes to the new table formats to complete the transition.

Govern

Azure Policy

Azure Policy support for Azure Database for PostgreSQL – Flexible Server

Azure Policy now supports Azure PostgreSQL – Flexible Server, allowing you to easily apply and verify the compliance of Azure resources. With this functionality, it is possible to define, assign, and manage rules applicable to instances of Azure Database for PostgreSQL – Flexible Server, facilitating governance, improving security, and offering greater control over databases. Users can leverage predefined policies provided by Microsoft or create custom policies to meet specific business requirements.

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month, the main updates include:

  • Enabling Microsoft Defender for SQL Server at scale: It is now possible to enable Microsoft Defender for SQL Server at scale. This feature allows enabling Microsoft Defender for SQL on multiple servers simultaneously, simplifying the protection of SQL servers.
  • New version of File Integrity Monitoring (FIM) based on Microsoft Defender for Endpoint (preview): The new version of File Integrity Monitoring, based on Microsoft Defender for Endpoint, is now available in public preview. Part of the Defender for Servers Plan 2, this version helps meet compliance requirements by monitoring critical files and logs in real-time and auditing changes made. Additionally, it allows for identifying potential security issues by detecting suspicious changes in file contents. With the release of this version, the FIM experience via AMA will no longer be available in the Defender for Cloud portal, while the FIM experience on MMA will remain supported until the end of November 2024. Starting in September, an integrated experience will be released, allowing the migration of the FIM configuration from MMA to the new FIM version on Defender for Endpoint.
  • Retirement of the integration of Defender for Cloud alerts with Azure WAF: The integration of Defender for Cloud alerts with those of Azure WAF will be retired on September 25, 2024. No action is required from users. Sentinel customers can configure the connector for the Azure Web Application Firewall to continue monitoring their systems.

Protect

Azure Backup

Vaulted backup for Azure Blob Storage

The Vaulted Backup functionality for Azure Blob Storage is now generally available. This native, secure, managed backup solution offers an isolated copy of data, protecting critical business information stored in Azure Blob Storage from accidental deletions, corruption, and malicious attacks. With Vaulted Backup, customers can ensure rapid data recovery and maintain operational continuity, minimizing the impact of potential losses. Additionally, the solution supports regulatory compliance through long-term retention and improves backup security, making recovery possible even in the event of cyberattacks. Vaulted Backup uses blob object replication (OR) to copy data and create recovery points in storage accounts managed by Microsoft. These recovery points can be used by customers to restore data in case of loss. General availability includes new features such as prefix-based granular restores, automation tools for managing backups via PowerShell, CLI, REST API, or Bicep templates, and the ability to limit data replication exclusively to the Microsoft tenant for backup purposes, reducing the risk of data exfiltration.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in July 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, the aim is to provide an overview of the most relevant new features. The goal is to keep you constantly informed about these developments, providing you with essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Introduction of Agent and Gateway Extensions in Azure Monitor SCOM MI

Microsoft has announced the general availability (GA) of Agent and Gateway Server extensions in Azure Monitor SCOM MI. This new functionality enables large-scale, programmatic monitoring on Windows machines in Azure and Azure Arc-enabled machines. Now, it is possible to monitor virtual machines both in Azure and outside of Azure.

The Agent and Gateway extensions offer the following advantages:

  • Monitoring Anywhere: SCOM MI can monitor virtual machines and guest applications hosted both in and outside Azure through the Arc channel. Managed Gateways can monitor isolated virtual machines.
  • Large-scale Deployment: Users can enable large-scale virtual machine monitoring through the Azure portal or PowerShell scripts, improving operational efficiency.
  • Agile Transition: With multi-homing support, users can transition monitoring from on-premises SCOM to Azure Monitor SCOM MI at their own pace and needs.
  • Security and Automatic Updates: SCOM MI agents use managed identities and certificate-based authentication, providing a significant improvement over legacy Kerberos authentication. Agents are automatically updated, eliminating the need for frequent update management.

Thanks to these capabilities, Azure Monitor SCOM MI becomes easier to operate. During the Public Preview, over 20 customers deployed more than 1,200 agents, and their feedback has helped further streamline the experience.

As more SCOM customers are expected to transition to monitoring with SCOM MI, the goal is to make the process as smooth as possible through the following features:

  • Extended Onboarding Experiences: Onboarding monitoring agents at scale via ARM templates, Azure policies, and Azure Automation.
  • Scheduled Updates: Providing the flexibility to schedule agent updates according to the organization’s change management process.

New Azure Monitor Auxiliary Logs Plan (Preview)

Azure Monitor Logs introduces a new tiered strategy plan for optimal consumption and cost optimization: Auxiliary Logs. Auxiliary Logs are designed for verbose logs and are economical, while providing a range of functionalities to manage and consume data.

Azure Monitor’s multi-tier strategy now supports three plans – Analytics, Basic, and the new Auxiliary – allowing all logs to be stored in one place and different types of data to be retained for the desired time at a cost-effective price.

With Auxiliary Logs, you can:

  • Optimize Costs: Funnel low-value or verbose logs into the Auxiliary table.
  • Long-Term Data Retention: Retain data for up to 12 years at a low cost.
  • Query Access: Use queries to access the last 30 days of data or search for older data using search jobs.
  • Summary Rules (Preview): Aggregate data and ingest the results into a table with an Analytics plan for use in dashboards, alerts, or performing complex analysis on aggregated data.

During the initial preview period, billing for Auxiliary Logs (ingestion, long-term retention, query, and search jobs) is not yet enabled. The billing start date will be announced on Azure Updates, and current feature users will be given advance notice before billing begins. The Auxiliary Logs plan is currently in public preview and subject to certain limitations, including regional availability, as indicated in the Microsoft documentation.

New Features Added to Azure Monitor Basic Logs Plan

The Azure Monitor Basic Logs plan has seen widespread adoption by customers and continues to grow rapidly. To meet the increasing demand and customer needs, Microsoft is enhancing Basic Logs with additional features that provide greater benefits. The following improvements are being introduced for this plan:

  • Extended Interactive Retention Period: The interactive retention period has been increased from 8 to 30 days, with support for interactive queries throughout the period.
  • Enhanced Query Language Capabilities: Support for queries on Basic Logs has been extended from reduced KQL to full KQL on a single table, with the ability to search for additional data in Analytics tables.
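
The table plan is set per table through the Log Analytics Tables REST API, and the three plans accept different settings: only Analytics lets you choose the interactive retention (up to 730 days), Basic and Auxiliary expose a fixed 30-day interactive window with older data reachable through search jobs, and total retention can go up to the 12 years mentioned above. The following script is an added example, not code from the original article or from Microsoft: it builds the PUT request for a given plan and rejects combinations the service would refuse. The API versions (2022-10-01, and 2023-01-01-preview for Auxiliary), the requirement that an Auxiliary table be a custom `_CL` table created with a schema containing a `TimeGenerated` column, and the 4383-day figure for 12 years are assumptions taken from the REST documentation rather than from this page; resource names are placeholders.

```python
"""Build and validate the ARM request that puts a Log Analytics table on the
Analytics, Basic or Auxiliary plan.

Added example, not code from the original article or from Microsoft.
Assumptions not stated on the page (taken from the Tables REST API docs):
  * api-version 2022-10-01 for Analytics/Basic, 2023-01-01-preview for Auxiliary
  * an Auxiliary table must be a custom table (name ending in _CL) created with
    an explicit schema that contains a TimeGenerated datetime column
  * the 12-year maximum total retention is expressed as 4383 days
"""
import json
import urllib.request

ARM = "https://management.azure.com"
PLANS = ("Analytics", "Basic", "Auxiliary")
MAX_TOTAL_RETENTION_DAYS = 4383        # 12 years, the ceiling quoted for Auxiliary Logs
MAX_ANALYTICS_INTERACTIVE_DAYS = 730   # Analytics plan allows up to 2 years of interactive retention
FIXED_INTERACTIVE_DAYS = 30            # Basic and Auxiliary: last 30 days queryable, the rest via search jobs


def table_plan_request(subscription, resource_group, workspace, table, plan,
                       total_retention_days, interactive_days=None, schema_columns=None):
    """Return (method, url, body) for the Tables PUT that applies `plan`.

    Combinations the service rejects raise ValueError here, so the mistake is
    caught before it turns into an HTTP 400 from ARM.
    """
    if plan not in PLANS:
        raise ValueError(f"unknown plan {plan!r}; expected one of {PLANS}")
    if not 4 <= total_retention_days <= MAX_TOTAL_RETENTION_DAYS:
        raise ValueError(f"totalRetentionInDays must be 4..{MAX_TOTAL_RETENTION_DAYS}")

    properties = {"plan": plan, "totalRetentionInDays": total_retention_days}
    api_version = "2022-10-01"

    if plan == "Analytics":
        interactive = FIXED_INTERACTIVE_DAYS if interactive_days is None else interactive_days
        if not 4 <= interactive <= MAX_ANALYTICS_INTERACTIVE_DAYS:
            raise ValueError(f"Analytics interactive retention must be 4..{MAX_ANALYTICS_INTERACTIVE_DAYS} days")
        properties["retentionInDays"] = interactive   # only the Analytics plan lets you set this
    else:
        # Basic and Auxiliary have a fixed 30-day interactive window; the API does
        # not take retentionInDays for them, so any other value is a caller error.
        if interactive_days not in (None, FIXED_INTERACTIVE_DAYS):
            raise ValueError(f"{plan} plan has a fixed {FIXED_INTERACTIVE_DAYS}-day interactive window")
        interactive = FIXED_INTERACTIVE_DAYS

    if interactive > total_retention_days:
        raise ValueError("interactive retention cannot exceed total retention")

    if plan == "Auxiliary":
        api_version = "2023-01-01-preview"          # assumption: preview API version
        if not table.endswith("_CL"):
            raise ValueError("Auxiliary plan is only available for custom (_CL) tables")
        has_time = any(c.get("name") == "TimeGenerated" and c.get("type") == "datetime"
                       for c in schema_columns or [])
        if not has_time:
            raise ValueError("Auxiliary tables need a schema with a TimeGenerated datetime column")
        properties["schema"] = {"name": table, "columns": list(schema_columns)}

    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/tables/{table}?api-version={api_version}")
    return "PUT", url, {"properties": properties}


def send(request, bearer_token):
    """Send a (method, url, body) tuple to ARM using an access token you already hold."""
    method, url, body = request
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:      # real network call; not run in the offline demo
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder names, not real resources: a verbose firewall feed on the Auxiliary plan.
    method, url, body = table_plan_request(
        "00000000-0000-0000-0000-000000000000", "rg-logs", "law-prod", "FirewallVerbose_CL",
        "Auxiliary", total_retention_days=MAX_TOTAL_RETENTION_DAYS,
        schema_columns=[{"name": "TimeGenerated", "type": "datetime"},
                        {"name": "RawData", "type": "string"}])
    print(method, url)
    print(json.dumps(body, indent=2))
```

Pass the returned tuple to `send()` with a token obtained from your usual credential (Azure CLI, managed identity, or a service principal); the validation runs entirely offline, which is what makes it useful in a pipeline that applies table plans across many workspaces.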

VM insights based on Log Analytics agent: Migration Required by August 31, 2024

Microsoft has announced that on August 31, 2024, VM insights based on the Log Analytics agent will be retired. Users are encouraged to migrate to VM insights based on Azure Monitor agent. This new version offers several improvements, including enhanced security and performance, data collection rules that help reduce costs, and a simplified management experience that includes troubleshooting. It is essential to complete the migration by that date to continue using a supported version of VM insights.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Azure Arc-enabled Kubernetes Available in the Italy North Region

Azure Arc-enabled Kubernetes is now available in the Italy North region of Azure. This service allows users to manage and govern Kubernetes clusters distributed anywhere, leveraging the centralized management capabilities of Azure Arc.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Security Assessments for GitHub Without Additional License: Starting July 22, 2024, GitHub users in Defender for Cloud no longer need a GitHub Advanced Security license to view security assessments. This change covers code vulnerabilities, IaC misconfigurations, and container image vulnerabilities detected during the build phase. Users with a GitHub Advanced Security license will continue to receive additional assessments for exposed credentials, open-source dependency vulnerabilities, and CodeQL results.
  • End of Support for MMA in Defender for Servers Plan 2: The Log Analytics agent will no longer be supported from August 2024. Server protection will rely on integration with Microsoft Defender for Endpoint (MDE) and agentless capabilities provided by the cloud platform. Some functionalities will continue to be supported until November 2024: File Integrity Monitoring (FIM) and Security Baseline.
  • Public Preview of Binary Drift for Containers: The public preview of Binary Drift for Defender for Containers is available, identifying and reporting potentially malicious binary processes in containers.
  • Automatic Remediation Scripts for AWS and GCP: Automatic remediation scripts for AWS and GCP are available in GA, allowing programmatic correction of recommendations on a large scale.
  • Update GitHub Application Permissions: GitHub users need to update the Microsoft Security DevOps application permissions to include read permissions for GitHub Copilot Business.
  • New Compliance Standards: Compliance standards added in preview in March, such as CIS Google Kubernetes Engine Benchmark, ISO/IEC 27001 and 27002, and others, are now available in GA.
  • Inventory Experience Improvements: Starting July 11, 2024, the inventory experience has been improved with updates to the Azure Resource Graph query logic.
  • Container Mapping Tool Runs by Default in GitHub: From August 12, 2024, the container mapping tool runs by default as part of the Microsoft Security DevOps action in GitHub.

Protect

Azure Backup

Customer-Managed Key Encryption for Backup Vaults

Azure Backup now supports the use of customer-managed keys (CMK) for encrypting backup data in Backup Vaults. This functionality, already available for Recovery Services Vaults, is now accessible for all Backup Vaults in Azure public regions. Users can create new backup vaults or update the encryption settings of existing ones to use CMK.

Backup and Restore of Virtual Machines with Private Endpoint-Enabled Disks

Backup and restore of Azure virtual machines whose disks have private endpoints enabled is now available. This support covers both standard and enhanced backup policies and can be configured through the standard Azure Backup experiences. During the restore, users can specify the network access settings for the restored disks, choosing between the same network configuration as the source disks, access only from specific networks, or public access from all networks.

Azure Site Recovery

Support for Azure Trusted Launch VMs (Windows OS)

Microsoft announces the availability of support for Azure Site Recovery for Azure Trusted Launch VMs. Azure Trusted Launch VMs offer advanced security for Azure Generation 2 VMs, enabling Secure Boot and vTPM capabilities. This availability is specific to Windows operating systems.

Deletion or Reset of Azure Site Recovery Replication Appliance

Microsoft has announced the option to delete or reset the Azure Site Recovery replication appliance. If all components of the appliance are in a healthy state, it is possible to reset the appliance to factory state. If the appliance is in a critical state and there is no connectivity with the appliance, it can be deleted from the Azure portal.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in June 2024

This month, Microsoft introduced a series of updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant updates. Our goal is to keep you constantly informed about these developments, providing you with essential information to explore these topics further.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Configure

Update management

Starting from August 31, 2024, Automation Update Management and the associated Log Analytics agent will be deprecated, making migration to Azure Update Manager essential for update management needs. Useful tools for this migration are detailed in the following paragraphs.

Tool for Migration from Update Management v1 to v2

Azure Update Manager introduces the v2 migration tool, now available in General Availability (GA), designed to facilitate the transition from Automation Update Management (Update Management v1). This tool simplifies the migration process by automatically moving machines and schedules to Azure Update Manager, minimizing manual intervention.

Tool for Migration from Automation Update Management to Azure Update Manager

Azure provides comprehensive guidance for migrating machines and schedules from the previous solution to Azure Update Manager. The migration tooling includes automated scripts that simplify the process, ensuring minimal disruption to production workloads.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Connecting to AWS with the Multicloud Connector in Azure Portal (Preview)

Azure Arc introduces the multicloud connector in preview, enabling the integration of AWS resources within Azure environments via the Azure portal. This feature expands Azure Arc’s capabilities, allowing unified management of AWS cloud environments alongside Azure services. To establish this connection, users must deploy a CloudFormation template within their AWS account, which automatically configures the necessary resources for integrated management via Azure Arc.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Copilot for Security in Defender for Cloud (Preview): the integration of Microsoft Copilot for Security in Defender for Cloud has been announced in public preview. The integrated Copilot experience in Defender for Cloud allows users to ask questions and receive answers in natural language. Copilot can help understand the context of a recommendation, evaluate the impact of its implementation, follow the necessary steps to implement it, assist in delegating recommendations, and correct misconfigurations in the code.
  • New DevOps Security Recommendations: new DevOps security recommendations have been announced to improve the security posture of Azure DevOps and GitHub environments. These recommendations provide the necessary steps for resolution when issues are detected. The new recommendations are available for environments connected to Microsoft Defender for Cloud via Azure DevOps or GitHub. All recommendations are included in the Foundational Cloud Security Posture Management.
  • IaC Scanning with Checkov in Defender for Cloud: the integration of Checkov for Infrastructure-as-Code (IaC) scanning via MSDO has been announced. As part of this release, Checkov will replace Terrascan as the default IaC analyzer run as part of the MSDO CLI. Terrascan can still be manually configured via MSDO environment variables but will not run by default. Security results from Checkov will be represented as recommendations for Azure DevOps and GitHub repositories.
  • Price Change for Defender for Containers in Multicloud: as Defender for Containers multicloud is now generally available, it is no longer free.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in May 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant news. The goal is to keep you constantly informed about these developments, providing you with the essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Azure Log Analytics improves resilience with workspace replication across regions (preview)

Azure Log Analytics introduces workspace replication, a new feature that enhances resilience against regional incidents. By enabling replication, a copy of the workspace is created in another region. From that moment, new logs in the primary workspace are also replicated to the secondary workspace (existing logs are not copied). The secondary workspace cannot be managed or accessed directly and serves only to create an active-passive configuration: at any time, there is an active instance of the workspace and an inactive one updated in the background.

In case of an interruption affecting the primary workspace, failover can be activated to switch to the secondary workspace. This operation redirects all ingestion and query requests to the secondary workspace, allowing continued monitoring of resources and applications. The secondary workspace maintains a copy of all logs from the time replication is enabled, allowing for a smooth transition and continued use of alerts, workbooks, and other services accessing the logs, such as Sentinel. During this period, the secondary workspace also replicates incoming logs to the primary workspace, allowing a return to the primary region when it is operational again and continuing to work normally.

Workspace replication is billed per replicated GB, and replication can be applied to a subset of Data Collection Rules (DCRs) to limit the scope of replication and related costs.
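
Replication is driven through the workspace's ARM resource: one PUT enables it and names the secondary region, a POST triggers failover, and another POST fails back once the primary region is healthy. The class below is an added example, not code from the original article or from Microsoft. It produces the three requests and refuses them in the wrong order (no failover before replication is enabled, no failback unless a failover is in effect), which mirrors the active-passive model described above. The api-version (2023-01-01-preview), the failover path being addressed through the secondary region, and the `provisioningState` field checked by `replication_ready` are assumptions taken from the preview REST documentation, not from this page; all resource names are placeholders.

```python
"""Log Analytics workspace replication (preview): the ARM calls behind
enable, failover and failback, with a guard on the order they may be issued.

Added example, not code from the original article or from Microsoft.
Assumptions taken from the preview REST documentation, not from the page:
  * api-version 2023-01-01-preview on the workspace resource
  * failover is POSTed to the secondary region's locations/{region} path;
    failback is POSTed to the workspace's ordinary (primary-region) path
  * a GET of the workspace reports properties.replication.provisioningState
"""
API_VERSION = "2023-01-01-preview"
ARM = "https://management.azure.com"


class WorkspaceReplication:
    """Tracks which of the three calls is legal next; mirrors the active/passive model."""

    def __init__(self, subscription, resource_group, workspace, primary_region, secondary_region):
        if primary_region == secondary_region:
            raise ValueError("the secondary region must differ from the primary region")
        self.base = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
                     f"/providers/Microsoft.OperationalInsights")
        self.workspace = workspace
        self.primary = primary_region
        self.secondary = secondary_region
        self.state = "not-replicated"    # -> "replicated" -> "failed-over" -> "replicated"

    def enable(self):
        """PUT that switches replication on. Only logs ingested from now on are copied;
        the existing history stays in the primary region only."""
        if self.state != "not-replicated":
            raise RuntimeError(f"replication already enabled (state {self.state!r})")
        self.state = "replicated"
        body = {"location": self.primary,
                "properties": {"replication": {"enabled": True, "location": self.secondary}}}
        return "PUT", f"{self.base}/workspaces/{self.workspace}?api-version={API_VERSION}", body

    def failover(self):
        """POST that redirects ingestion and queries to the secondary workspace.
        Assumption from the preview docs: the request is addressed through the
        secondary region (locations/{secondary}), not the workspace's home region."""
        if self.state != "replicated":
            raise RuntimeError(f"cannot fail over from state {self.state!r}")
        self.state = "failed-over"
        url = (f"{self.base}/locations/{self.secondary}/workspaces/{self.workspace}"
               f"/failover?api-version={API_VERSION}")
        return "POST", url, None

    def failback(self):
        """POST that returns ingestion and queries to the primary workspace once the
        primary region is operational again."""
        if self.state != "failed-over":
            raise RuntimeError(f"cannot fail back from state {self.state!r}")
        self.state = "replicated"
        return "POST", f"{self.base}/workspaces/{self.workspace}/failback?api-version={API_VERSION}", None


def replication_ready(workspace_resource):
    """True when a GET of the workspace shows replication enabled and fully provisioned;
    worth checking before a DR drill rather than discovering it during an incident."""
    rep = workspace_resource.get("properties", {}).get("replication", {})
    return bool(rep.get("enabled")) and rep.get("provisioningState") == "Succeeded"


if __name__ == "__main__":
    # Placeholder resource names; each call returns (method, url, body) for an ARM client.
    ws = WorkspaceReplication("00000000-0000-0000-0000-000000000000", "rg-logs",
                              "law-prod", "northeurope", "westeurope")
    for step in (ws.enable, ws.failover, ws.failback):
        method, url, body = step()
        print(method, url, body)
```

The state guard is deliberately strict: issuing a failback while the workspace is not failed over, or a failover while replication is still provisioning, is exactly the kind of mistake made under pressure during a regional outage, and catching it client-side costs nothing.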

Filtering Kubernetes metadata and logs in Azure Monitor Container Insights (preview)

Filtering Kubernetes metadata and logs enriches the ContainerLogV2 schema with additional Kubernetes metadata such as PodLabels, PodAnnotations, PodUid, Image, ImageID, ImageRepo, and ImageTag. The log filtering feature provides filtering capabilities for both workload and platform logs (e.g., system namespaces) from containers. This feature enhances the Kubernetes metadata experience by leveraging the Grafana dashboard to visualize log levels, volume, rate, records, and more. Users gain a richer context and improved visibility into their workloads.

Monitoring applications with Java metrics in Azure Container Apps (preview)

It is now possible to monitor the performance and health of applications with Java metrics such as garbage collection and memory usage. These metrics are automatically collected and reported in Azure Monitor, where they can be viewed in an integrated dashboard. It is also possible to set alerts and troubleshoot issues based on these metrics.

Data analysis using Log Analytics Simple mode (preview)

Azure Monitor Logs introduces a significant improvement in the log analysis experience: Simple mode. This new feature offers users a powerful set of tools to explore their logs and gain meaningful insights from the data. Until now, Azure Monitor Logs relied on the Kusto Query Language (KQL) to formulate queries, a powerful and easy-to-learn language, but it still requires some knowledge to use effectively. Simple mode was developed to bridge this knowledge gap, allowing the use of the most common KQL operators and actions through a simple and intuitive point-and-click experience that requires no KQL knowledge. For advanced users, KQL mode continues to offer the full potential of the Kusto language to gain deeper insights from the logs. Currently, Simple mode is an optional experience: to try it, just select “Try the new Log Analytics”. It is possible to return to the classic Log Analytics experience at any time.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Remediate security baseline recommendation: Microsoft Defender for Cloud has enhanced the Center for Internet Security (CIS) benchmarks by offering security baselines supported by Microsoft Defender Vulnerability Management (MDVM). The new recommendation “Machine should be configured securely (powered by MDVM)” helps secure servers by providing suggestions to improve security posture.
  • Configure email notifications for attack paths: It is now possible to configure email notifications for attack paths in Defender for Cloud. This feature allows receiving email notifications when an attack path with a specified risk level is detected. This update helps security teams respond promptly to potential attacks, improving responsiveness and overall protection.
  • Integration of Defender for Cloud alerts and incidents with Microsoft Defender XDR: This integration allows security teams to access Defender for Cloud alerts and incidents within the Microsoft Defender Portal. Providing richer context for investigations involving cloud resources, devices, and identities, this feature improves response capabilities and the effectiveness of security operations.
  • Checkov integration for IaC scanning in Defender for Cloud (preview): The public preview of Checkov integration for DevOps security in Defender for Cloud has been announced. This integration improves both the quality and the total number of Infrastructure-as-Code (IaC) checks performed by the MSDO CLI command when scanning IaC templates. During the preview, Checkov must be explicitly invoked via the ‘tools’ input parameter for the MSDO CLI command.
  • Permissions management in Defender for Cloud: The general availability (GA) of permissions management in Defender for Cloud has been announced. This feature enables advanced permissions management, improving security and access control in cloud resources.
  • Security posture management for AI in Defender for Cloud: This feature provides security posture management capabilities for AI in Azure and AWS.
  • Threat protection for AI workloads in Azure (preview): Threat protection for AI workloads in Defender for Cloud provides contextual insights into threat protection, integrating with Responsible AI and Microsoft Threat Intelligence. Security alerts for AI workloads are integrated into Defender XDR in the Defender portal. This plan helps monitor Azure OpenAI-powered applications at runtime for malicious activities, identifying and mitigating security risks.
  • Updated security policy management: Cross-cloud (Azure, AWS, GCP) security policy management is now generally available (GA). This feature allows security teams to manage their security policies consistently and with new characteristics:
      • a simplified and uniform cross-cloud interface to create and manage the Microsoft Cloud Security Benchmark (MCSB) and custom recommendations based on KQL queries;
      • management of regulatory compliance standards in Defender for Cloud across Azure, AWS, and GCP environments;
      • new filtering and export capabilities for reporting.
  • Public preview of Defender for open-source databases on AWS: The public preview of Defender for open-source databases on AWS has been announced, adding support for various Amazon Relational Database Service (RDS) instance types. This integration improves the security and management of open-source databases running on AWS instances.

Protect

Azure Backup

Migration of virtual machine backups to enhanced backup policies (preview)

Azure Backup now supports the migration of virtual machine backups from the standard backup policy to the enhanced backup policy. This migration offers several benefits:

  • Improved RPO: The recovery point objective (RPO) can be reduced to as little as 4 hours.
  • Retention of recovery points: Recovery points can be retained as snapshots for up to 30 days.
  • Multi-disk consistency: The enhanced policy ensures multi-disk crash consistency for protected VMs.
  • Zone-level resilience: Recovery points created with the enhanced policy are zone-resilient.
  • Trusted Launch security: Protected virtual machines can be converted to Trusted Launch security.
  • Use of premium SSDv2 or ultra-disk: Migration to the enhanced policy allows the use of premium SSDv2 or ultra-disk without interrupting existing backups.

These improvements make migrating to the enhanced backup policy an excellent choice for optimizing the protection and management of virtual machines on Azure.

Azure Site Recovery

Built-in Azure Monitor alerts for Site Recovery

Built-in Azure Monitor alerts for Azure Site Recovery (ASR) are now generally available. This innovation enables organizations using ASR to benefit from an advanced set of alerting and notification features offered by the Azure Monitor platform. Users can leverage standard Azure Monitor experiences and interfaces to manage ASR alerts at scale, using a single platform. This represents a significant step towards achieving a homogeneous and consistent set of monitoring and alerting experiences for all Business Continuity and Disaster Recovery (BCDR) scenarios on Azure.

Out of Box Reports for Azure Site Recovery (preview)

Out of Box Reports for Azure Site Recovery are now available in preview. This new reporting feature offers organizations using ASR a clear and detailed view of job and health status for protected items. Integrated into the Azure Business Continuity Center and Recovery Services Vault, this feature allows BCDR administrators to effectively monitor and manage all protected items in large-scale backup and site recovery processes.

Support for Azure Trusted Launch VMs (preview)

Microsoft has announced the Public Preview of Azure Site Recovery support for Azure Trusted Launch VMs. Azure Trusted Launch VMs provide security for second-generation Azure virtual machines, enabling Secure Boot and vTPM features. This public preview is currently available only for the Windows operating system.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in April 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant news. The goal is to keep you constantly informed about these developments, giving you the essential information needed to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Support for Managed Identities for Alerts

Azure Monitor alerts are essential tools for monitoring data related to Azure and its applications. These alerts quickly identify issues that could affect service operations. Through log search alert rules, it’s possible to periodically run log data queries to receive notifications or trigger actions when potential problems are detected. A common challenge for developers is managing the credentials of applications accessing different resources. In this context, managed identities prove to be an effective solution, offering an identity automatically managed through Microsoft Entra ID. Applications can use these identities to obtain access tokens without directly managing credentials.

Log search alert rules support the use of managed identities for Azure resources, enhancing the visibility and control of permissions associated with these rules. Managed identities can be employed in log search alert rules in two main ways:

  • System-assigned managed identity: in this case, Azure creates a new identity specifically dedicated to the alert rule. After creating the rule, it is necessary to assign this identity the required permissions to access the workspace and the data sources needed to perform the query.
  • User-assigned managed identity: before establishing the alert rule, the user creates an identity and assigns the appropriate permissions. This identity can then be used for multiple alert rules, thus optimizing resource management.

This system not only simplifies credential management but also increases security and efficiency in the configuration and monitoring of applications and cloud resources.
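
Concretely, the difference between the two modes is one of ordering. A system-assigned identity does not exist until the rule is created, so the role assignment on the workspace must be made afterwards, using the `principalId` returned by the PUT; a user-assigned identity exists beforehand, so it can be granted access first and then referenced by any number of rules. The script below is an added example, not code from the original article or from Microsoft: it builds the `Microsoft.Insights/scheduledQueryRules` resource with either identity block, the Reader role assignment scoped to the workspace only, and the deployment order for each mode. The API versions (2023-03-15-preview for the rule, 2022-04-01 for role assignments), the choice of the built-in Reader role (definition id acdd72a7-3385-48ef-bd42-f606fba81ae7), the sample KQL query and every resource name are assumptions and placeholders, not details from this page.

```python
"""Log search alert rule running under a managed identity: the ARM resources
and the order they must be created in for the two modes described above.

Added example, not code from the original article or from Microsoft.
Assumptions not stated on the page:
  * api-version 2023-03-15-preview for Microsoft.Insights/scheduledQueryRules
  * the identity is granted the built-in Reader role
    (definition id acdd72a7-3385-48ef-bd42-f606fba81ae7) on the workspace; a
    narrower workspace-level role works the same way
  * the sample KQL query and all resource names are placeholders
"""
import uuid

ARM = "https://management.azure.com"
RULE_API = "2023-03-15-preview"
RBAC_API = "2022-04-01"
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

# Placeholder detection query: repeated SSH password failures per host.
SAMPLE_QUERY = (
    'Syslog | where Facility == "auth" and SyslogMessage has "Failed password" '
    "| summarize Failures = count() by Computer | where Failures > 20"
)


def identity_block(identity_type, user_assigned_id=None):
    """The `identity` property of the rule resource for either managed identity mode."""
    if identity_type == "SystemAssigned":
        return {"type": "SystemAssigned"}
    if identity_type == "UserAssigned":
        if not user_assigned_id:
            raise ValueError("UserAssigned needs the identity's resource id")
        return {"type": "UserAssigned", "userAssignedIdentities": {user_assigned_id: {}}}
    raise ValueError(f"unsupported identity type {identity_type!r}")


def alert_rule_request(subscription, resource_group, rule_name, location,
                       workspace_id, action_group_id, identity):
    """PUT for a log search alert rule evaluated every 5 minutes over a 5-minute window."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Insights/scheduledQueryRules/{rule_name}?api-version={RULE_API}")
    body = {
        "location": location,
        "identity": identity,
        "properties": {
            "displayName": rule_name,
            "severity": 2,
            "enabled": True,
            "scopes": [workspace_id],            # the query runs against this workspace
            "evaluationFrequency": "PT5M",
            "windowSize": "PT5M",
            "criteria": {"allOf": [{
                "query": SAMPLE_QUERY,
                "timeAggregation": "Count",
                "operator": "GreaterThan",
                "threshold": 0,
            }]},
            "actions": {"actionGroups": [action_group_id]},
        },
    }
    return "PUT", url, body


def reader_assignment_request(subscription, workspace_id, principal_id):
    """PUT that grants the identity Reader on the workspace scope only (least privilege:
    nothing at subscription or resource-group level). The assignment name is derived
    deterministically so re-running the deployment is idempotent."""
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{workspace_id}|{principal_id}|{READER_ROLE_ID}"))
    url = (f"{ARM}{workspace_id}/providers/Microsoft.Authorization/roleAssignments/{name}"
           f"?api-version={RBAC_API}")
    body = {"properties": {
        "roleDefinitionId": (f"/subscriptions/{subscription}/providers/Microsoft.Authorization"
                             f"/roleDefinitions/{READER_ROLE_ID}"),
        "principalId": principal_id,
        "principalType": "ServicePrincipal",
    }}
    return "PUT", url, body


def deployment_order(identity_type):
    """A system-assigned identity exists only after the rule is created, so the role
    assignment has to follow it (principalId comes from the PUT response). A
    user-assigned identity exists up front and is authorized first, which also lets
    several rules share one already-permissioned identity."""
    if identity_type == "SystemAssigned":
        return ("create_rule", "grant_reader")
    if identity_type == "UserAssigned":
        return ("grant_reader", "create_rule")
    raise ValueError(f"unsupported identity type {identity_type!r}")


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"
    ws = (f"/subscriptions/{sub}/resourceGroups/rg-logs/providers"
          f"/Microsoft.OperationalInsights/workspaces/law-prod")
    ag = f"/subscriptions/{sub}/resourceGroups/rg-logs/providers/Microsoft.Insights/actionGroups/ag-soc"
    print(deployment_order("SystemAssigned"))
    _, url, body = alert_rule_request(sub, "rg-logs", "ssh-bruteforce", "westeurope", ws, ag,
                                      identity_block("SystemAssigned"))
    print(url, body["identity"])
```

Scoping the role assignment to the workspace resource rather than the subscription is the point worth keeping: the alert rule's identity should be able to read the logs it queries and nothing else.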

Azure Monitor Agent Upload to Storage and Event Hubs (preview)

The Azure Monitor Agent is an advanced solution for collecting telemetry data from IaaS resources, like virtual machines. With the new upload feature, available in preview, the agent can send logs directly to Event Hubs and Storage accounts, without first routing them through a Log Analytics workspace. These destinations are defined in data collection rules, allowing the collection infrastructure for agents to be configured and optimized for each scenario.

Query Editor for Azure Monitor Metrics (preview)

The Query Editor for Azure Metrics Explorer within Azure Monitor Workspace (AMW) is now in public preview. It allows customers to query Prometheus metrics directly from their Azure Monitor Workspace using PromQL: users can write and execute PromQL queries directly in Metrics Explorer and analyze metric data more effectively.

Azure Monitor Pipeline (preview)

Microsoft recently launched the preview version of the Azure Monitor Pipeline for edge environments. This new solution is designed to improve the ingestion and routing of large-scale data from edge environments to Azure Monitor, enhancing observability. Deployable as an Azure Arc-enabled Kubernetes cluster extension on your own on-premises Kubernetes clusters, the pipeline supports a wide range of resources and can be scaled horizontally to handle large volumes of data. It also offers advanced capabilities for collecting data from resources in segmented networks without continuous cloud connectivity, storing logs locally during outages, and synchronizing them with the cloud once the connection is restored.

Govern

Azure Advisor


Changes to the Display of Savings Estimates on Azure Advisor

From September 30, 2024, Azure Advisor will no longer display the aggregated annual estimates of potential savings. Currently, these estimates are visible on the Azure portal under “Potential yearly savings based on retail pricing” in the cost recommendations pages. This feature will be discontinued on the specified date. Despite the removal of this aggregated display, it will still be possible to calculate specific annual potential savings through alternative procedures. Individual recommendations and their associated potential savings will remain available.

Resiliency Review (preview)

Microsoft has introduced the “Resiliency Review” in public preview on Azure Advisor, a new feature aimed at increasing the resilience of workloads through personalized recommendations. These recommendations, provided by Microsoft’s cloud solution architects, allow users to focus on the most critical aspects to ensure the resilience of their systems. Users have the opportunity to evaluate the recommendations (accepting or rejecting them), manage their lifecycle on Advisor, and collaborate with their Microsoft account team to monitor resolution. It is also possible to request a “Well Architected Reliability Assessment” to optimize the resilience and reliability of workloads by implementing the recommendations and monitoring their lifecycle on Advisor.

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • General Availability of Microsoft Defender for Containers on AWS and GCP: Microsoft has announced the general availability of Defender for Containers for AWS and GCP platforms. This service enhances container security through real-time threat detection and agentless container discovery. Notably, an advanced authentication feature on AWS optimizes the service provisioning process.
  • Risk Prioritization: Risk prioritization has become the default experience in Microsoft Defender for Cloud. This feature helps users focus on the most severe threats by organizing security recommendations based on the risk factors of each resource. The assessment criteria include the potential impact of a breach, risk categories, and the attack path associated with each security issue.
  • Update on Microsoft Defender for Servers Plan 2: Microsoft has announced that the Qualys service integrated into Plan 2 of Microsoft Defender for Servers will be retired on May 1, 2024. This change is part of a broader initiative to simplify and consolidate vulnerability assessments within Microsoft Defender for Cloud. Following this update, Plan 2 of Defender for Servers will integrate Microsoft Defender Vulnerability Management as its new solution for vulnerability assessments.
  • Defender for Cloud Supports Azure Database for MySQL – Flexible Server: Microsoft Defender for Cloud can now protect Azure Database for MySQL – Flexible Server from threats without compromising the performance of the service. This solution reduces the risk of data breaches, attacks, and unauthorized access by monitoring unusual or suspicious activity in the database. This feature can be easily enabled from the Azure portal, to receive security alerts, insights, and recommendations on how to mitigate potentially harmful threats related to Azure Database for MySQL – Flexible Server.

Protect

Azure Backup

Backup and Restore of Virtual Machines with Private Endpoint Disks

Azure Backup now offers the capability to back up Azure virtual machines using disks with private endpoints. This functionality is available for virtual machines with both standard and advanced backup policies and can be implemented through the standard backup procedures of Azure. Additionally, during the restore process, it is now possible to configure network access settings for the restored disks. Users can choose to maintain the original network configuration of the disks, limit access to specific networks, or allow public access from all networks.

Backup for Azure Database for MySQL – Flexible Server (preview)

Azure Backup, in collaboration with Azure Database Services, has launched a preview backup solution for MySQL-Flexible servers that allows backups to be retained for up to 10 years. Features offered in this preview phase include: comprehensive data protection against various levels of data loss, from accidental deletions to ransomware attacks; the ability for users to control scheduled and ad-hoc backup operations; isolated backups stored in a separate security and fault domain; long-term backup retention; and centralized monitoring of all backup operations and jobs.

Azure Backup Introduces Vault Backups for Azure Files (preview)

Azure Backup now supports transferring backups of Azure Files into vaults to protect critical business data stored in Azure Files against severe data loss scenarios, such as ransomware attacks. These isolated backups ensure trouble-free recovery even if the source data is compromised. It’s easy to switch from snapshot-based backup, which offers protection from accidental deletions, to vault backup to safeguard File data against a broader range of tampering and data deletion scenarios. Capabilities include:

  • Enhanced backup security with features such as immutability, encryption with customer-managed keys (CMK), soft delete, and multi-user authorization (MUA).
  • Long-term data retention up to 99 years to meet compliance requirements in regulated sectors.
  • Business continuity in case of regional disruptions with the ability to restore from a backup copy replicated in the Azure paired region.
  • Guaranteed data recovery even if the production storage or subscription is compromised, with the option to restore in an alternative subscription.

Selecting the “vault” level in the backup policy can improve the security posture of Azure Files data with a native, managed, and secure offsite backup solution, strengthening the business continuity and disaster recovery strategy for mission-critical applications.

Azure Site Recovery

New Update Rollup

Update Rollup 73 has been released for Azure Site Recovery, bringing significant improvements to the latest service components. Notably, the Mobility Service now supports additional Linux operating systems, including Debian 12 and Ubuntu 18.04 Pro for Azure-to-Azure configurations and VMware/Physical migrations to Azure. This update also includes other optimizations and bug fixes.

Azure Site Recovery for Shared Disks (preview)

The public preview of Azure Site Recovery for managing Shared Disks is now available. This feature enhances the protection and recovery of workloads operating on Windows Server Failover Clusters (WSFC) deployed on Azure VMs. This development paves the way for the use of shared disks for mission-critical applications such as SQL FCI, SAP ASCS, and Scale-out File Servers, ensuring operational continuity and efficient recovery capability in disaster scenarios.

With Azure Site Recovery for shared disks, you can:

  • Replicate and recover WSFC clusters as a single entity throughout the Disaster Recovery (DR) lifecycle.
  • Generate cluster-level consistent recovery points.
  • Monitor the protection and health status of the cluster and its nodes from a single interface.
  • Manage cluster failover and recovery point selection.
  • Re-protect and restore the cluster in the primary region, minimizing data loss and reducing downtime.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

This month, the main updates include:

  • New Features for SAP (preview): Azure Migrate has recently expanded its capabilities by including support in preview for discovery and assessment of SAP systems. Thanks to this feature, users can now perform detailed assessments for on-premises SAP workloads.
  • Assessment of Java Web Applications (Tomcat) for Azure App Service and AKS (preview): Microsoft has introduced a new assessment capability for Java web applications (Tomcat) in preview, aimed at both Azure App Service and Azure Kubernetes Service (AKS). This feature allows developers and IT architects to examine and plan the migration of their existing Tomcat applications, leveraging Azure’s cloud capabilities to enhance the performance and scalability of applications.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in March 2024

This month, Microsoft announced a series of significant updates to the Azure management services. Through this sequence of monthly articles, we aim to provide a detailed overview of the most noteworthy new features. The primary goal is to keep readers up-to-date on these advancements, offering the crucial information needed to delve further into these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Expansion and improvements to the Azure Monitor for Prometheus service

The managed Azure Monitor for Prometheus service, which facilitates the collection and analysis of metrics through a monitoring solution compatible with the Prometheus project of the Cloud Native Computing Foundation, has announced significant updates:

  • The service is now available in 13 additional Azure regions, extending its geographical coverage.
  • Introduction of support for TLS (Transport Layer Security) and mTLS (Mutual TLS) based metrics scraping, aimed at Prometheus configurations that use TLS. This feature adds a significant layer of security for authenticated and protected communication between Azure Monitor and Prometheus instances, enhancing data protection in transit.

Billing for “stateful” log search alerts in Azure Monitor (preview)

Starting from May 1, 2024, “stateful” log search alerts in Azure Monitor will be subject to charges. These alerts allow for the execution of a log analysis query on monitored resources at regular intervals, triggering an alert based on the results obtained. The distinctive feature of “stateful” alerts is their ability to automatically resolve when the alert condition is no longer true, thus reducing alert noise and focusing on issues that require attention. This feature is currently in preview and will become publicly available in May. Details on the pricing for log search alert rules can be found on the Azure Monitor pricing page.

Govern

Azure Advisor

Assessment of the Well-Architected Framework on Azure Advisor (preview)

The introduction of the Well-Architected Framework (WAF) assessment on Azure Advisor (in preview) represents a significant step forward in providing users with a deep and holistic understanding of their architectures. This assessment allows for the examination and optimization of architectures across multiple crucial aspects, including resilience, security, cost optimization, operational excellence, and performance efficiency. Implementing and monitoring the recommendations from the WAF assessment through Azure Advisor are valuable tools for improving the effectiveness and efficiency of cloud infrastructures.

Azure Policy

New feature: simple assignment of regulatory compliance policies to the Azure Landing Zone (ALZ)

Microsoft has announced a new feature for the Azure Landing Zone portal accelerator that will make large-scale regulatory compliance more consistent and simpler to implement. Azure Policy initiatives can now be assigned to Management Groups at deployment with just a few clicks.

Azure Cost Management

Support for the AWS connector in Cost Management will end on March 31, 2025

The connector for AWS in Microsoft Cost Management, designed to consolidate cost data from Microsoft Azure and AWS, will be retired. Users are encouraged to consider an alternative solution before the retirement date to complete the transition in a timely manner. After March 31, 2024, it will no longer be possible for any user to add new AWS Connectors in Cost Management, and from March 31, 2025, access to the AWS Connector, as well as to cost reports that include AWS data, will be discontinued. In addition, all AWS cost data present in Microsoft Cost Management will be deleted, except for Cost and Usage Report (CUR) files, which will remain available in the user’s S3 bucket on the AWS console.

Cost analysis add-on for AKS (General Availability)

The cost analysis add-on for Azure Kubernetes Service (AKS) is now available. This native Azure experience offers visibility into the underlying infrastructure costs associated with AKS workloads, with a cost breakdown based on Kubernetes constructs like clusters and namespaces, as well as Azure asset categories. Additionally, cost allocation data can be viewed directly in the Azure portal’s cost management section. The add-on helps monitor, allocate, and optimize AKS costs.

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

Azure Defender for Microsoft Azure Database for PostgreSQL – Flexible Server

Microsoft has made Defender for Cloud available for Azure Database for PostgreSQL – Flexible Server, thus enhancing database security with advanced detection capabilities. This sophisticated solution is designed to detect suspicious activities that may indicate unusual and potentially dangerous attempts to access or compromise databases. With its implementation, Defender for Cloud introduces an additional significant layer of protection for Azure Database for PostgreSQL – Flexible Server, complementary to the already integrated security measures, ensuring an even more robust defense against threats.

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Agentless scanning for VMs encrypted with CMK in Azure: this functionality, already available for AWS and GCP, is now present for Azure. It uses a unique approach to scan VMs encrypted with CMK without Defender for Cloud managing the keys or the decryption process, which is instead handled transparently by Azure Compute. The unencrypted VM disk data is not copied or re-encrypted with another key, and the original key is not replicated. During the public preview, this capability is not enabled automatically, but is available for those using Defender for Servers P2 or Defender CSPM with VM disks encrypted with CMK.
  • New recommendations for endpoint detection and response: Microsoft has announced new recommendations that discover and assess the configuration of supported endpoint detection and response solutions. These agentless recommendations are available for those who have activated Defender for Servers Plan 2 or the Defender CSPM plan, but do not support on-premises machines.
  • Custom security standards and recommendations based on KQL for Azure in public preview: it is now possible to create custom security standards and recommendations based on KQL for Azure, available in public preview and supported in all clouds.
  • Inclusion of DevOps recommendations in the Microsoft Cloud Security Benchmark (MCSB): it is now possible to monitor the security and compliance posture of DevOps in the MCSB, which provides prescriptive details on how to implement its security recommendations agnostic to the cloud.
  • General availability (GA) of the integration with ServiceNow: Microsoft has announced the general availability of the integration with ServiceNow.
  • Protection of critical assets in Microsoft Defender for Cloud (preview): Defender for Cloud now includes a feature to identify and protect critical assets through risk prioritization, attack path analysis, and cloud security explorer.
  • Enhanced recommendations for AWS and GCP with automatic remediation scripts: improved recommendations for AWS and GCP with automatic remediation scripts that allow for large-scale application of remedies.
  • Addition of compliance standards to the compliance dashboard (preview): based on user feedback, new compliance standards have been added in preview to the compliance dashboard for AWS and GCP resources protected by Defender for Cloud.
  • Retirement of the container vulnerability assessment by Defender for Cloud powered by Qualys: this assessment has been retired. Customers who were using this assessment should switch to the vulnerability assessments for Azure with Microsoft Defender Vulnerability Management.

Protect

Azure Backup

Azure Backup for VMs: agentless backup of multiple disks with crash consistency (preview)

Azure VM backup introduces support for agentless backup of multiple disks with crash consistency, currently in public preview. This feature allows for the backup of VMs without the need to install additional software, such as the VM agent or the snapshot extension, inside the VM itself. This feature can also be used if the operating system is not supported for backup with application-level consistency.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in February 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, we aim to offer an overview of the most relevant news. The goal is to keep you constantly informed about these developments, providing you with the essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Availability of the Azure Monitor Metrics Data Plane API

As of February, the Azure Monitor Metrics Data Plane API is available for use. This API allows for efficient management and monitoring of Azure resources, improving query efficiency and metric collection capability. It is possible to retrieve metric data for up to 50 resource IDs in the same subscription and region with a single API call, thus optimizing query throughput and reducing the risk of throttling.
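The 50-resource limit above applies per call and only to resources in the same subscription and region, so a caller with a larger inventory has to group and chunk before issuing requests. The following is an added example written for this article (not code from Microsoft or the original post); it assumes the metrics:getBatch endpoint shape https://{region}.metrics.monitor.azure.com/subscriptions/{subscriptionId}/metrics:getBatch and the api-version value from Microsoft's reference, and all resource IDs in it are constructed samples.

```python
"""Plan Azure Monitor Metrics Data Plane (metrics:getBatch) calls.

Groups resource IDs by (region, subscription) and chunks each group to at most
50 IDs, the per-call limit stated in the announcement. Endpoint shape and
api-version are assumptions taken from Microsoft's reference, not from the post.
"""
import json
import re
import urllib.request
from collections import defaultdict
from urllib.parse import quote, urlencode

MAX_RESOURCES_PER_CALL = 50   # limit stated in the announcement
API_VERSION = "2023-10-01"    # assumed; verify against the current reference

# Matches the subscription GUID at the start of an ARM resource ID.
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def subscription_of(resource_id: str) -> str:
    """Return the (lower-cased) subscription ID embedded in an ARM resource ID."""
    m = _SUB_RE.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    return m.group(1).lower()


def plan_batches(resources, max_per_call=MAX_RESOURCES_PER_CALL):
    """resources: iterable of (resource_id, region) pairs.

    Region is not part of the resource ID, so the caller supplies it.
    Returns a list of (region, subscription, [resource_ids]) tuples, each
    list holding at most max_per_call IDs from one subscription and region.
    """
    groups = defaultdict(list)
    for rid, region in resources:
        groups[(region.lower(), subscription_of(rid))].append(rid)
    batches = []
    for (region, sub), ids in sorted(groups.items()):
        for i in range(0, len(ids), max_per_call):
            batches.append((region, sub, ids[i:i + max_per_call]))
    return batches


def build_request(region, subscription, resource_ids, metric_namespace,
                  metric_names, start=None, end=None, interval=None,
                  aggregation=None):
    """Return (url, json_body) for one batch call; rejects oversized batches."""
    if len(resource_ids) > MAX_RESOURCES_PER_CALL:
        raise ValueError(f"batch exceeds {MAX_RESOURCES_PER_CALL} resources")
    params = {
        "metricnamespace": metric_namespace,
        "metricnames": ",".join(metric_names),
        "api-version": API_VERSION,
    }
    # Optional time window / shape parameters, sent only when provided.
    for key, value in (("starttime", start), ("endtime", end),
                       ("interval", interval), ("aggregation", aggregation)):
        if value is not None:
            params[key] = value
    query = urlencode(params, quote_via=quote)  # %20 rather than '+' for spaces
    url = (f"https://{region}.metrics.monitor.azure.com/subscriptions/"
           f"{subscription}/metrics:getBatch?{query}")
    return url, {"resourceids": list(resource_ids)}


def send_batch(url, body, bearer_token, timeout=30):
    """POST one batch with a Microsoft Entra bearer token (not run offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample inventory: 90 VMs across two subscriptions and two regions.
SAMPLE_SUBSCRIPTIONS = ("11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222")


def _vm_id(sub, i):
    return (f"/subscriptions/{sub}/resourceGroups/rg-demo/providers/"
            f"Microsoft.Compute/virtualMachines/vm{i:03d}")


def sample_resources():
    a, b = SAMPLE_SUBSCRIPTIONS
    return ([(_vm_id(a, i), "eastus") for i in range(75)] +
            [(_vm_id(b, i), "eastus") for i in range(10)] +
            [(_vm_id(a, i), "westeurope") for i in range(5)])


if __name__ == "__main__":
    for region, sub, ids in plan_batches(sample_resources()):
        url, _ = build_request(region, sub, ids,
                               "Microsoft.Compute/virtualMachines",
                               ["Percentage CPU"], interval="PT5M")
        print(f"{region} {sub[:8]}... {len(ids):2d} resources -> {url[:60]}...")
```

With the sample inventory the planner yields four calls (50 + 25 for the first subscription in eastus, 10 for the second, 5 in westeurope) instead of 90 per-resource calls.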

Execution of the Azure Monitor Logs connector on an exact time range (preview)

The Azure Monitor Logs connector introduces a new preview feature: the ability to execute queries on an exact time range provided dynamically. This functionality allows query execution against a Log Analytics workspace or Application Insights component to be filtered for Logic App triggers or schedules, returning only the relevant results. Until now, the time range could be set directly in the query or defined with a relative value, such as the last hour or the last 12 hours. With the exact time range option, it is now possible to pass the start and end time dynamically, which suits scenarios such as alert diagnostics: when the connector is triggered by an alert, it can receive the alert’s time range, reproduce the results that fired the alert, and support an effective investigation.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Azure SQL migration assessment enabled by Azure Arc (preview)

With the growing adoption of cloud computing, organizations embark on the path of migration to the cloud, facing a complex and articulated challenge that can extend for several months, varying based on the size and complexity of the projects involved. This transition period can result in a delay in accessing the benefits offered by Azure’s capabilities, temporarily limiting operational efficiency and innovation.

To overcome these challenges, Microsoft introduces an innovative solution: SQL Server enabled for Azure Arc. This revolutionary technology allows organizations to begin leveraging the benefits of the cloud from the early stages of the migration process. Through Azure Arc, it is possible to manage SQL Server instances, both on-premise and distributed across multiple clouds, using Azure’s control plane and management services. This approach enables consistent and efficient hybrid management of the SQL Server environment, bringing immediate benefits in terms of operational efficiencies and cost reduction, in addition to ensuring an optimal migration and modernization experience.

In addition to these benefits, Microsoft announces the public preview release of the Azure SQL migration assessment, powered by Azure Arc. This feature, once activated by linking one’s SQL Server to Azure Arc, automatically and continuously provides an assessment of readiness for migration to Azure SQL. This assessment takes into account the evolutions of the work environment and suggests the Azure SQL deployment option best suited to specific needs, optimizing costs. Furthermore, it identifies potential migration risks and proposes mitigation strategies, thus facilitating the transition path to the cloud and improving strategic alignment with business needs.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Regulatory compliance management: through Defender for Cloud, the management of compliance standards is extended to Azure, AWS, and GCP environments, offering a unified experience in creating and managing personalized recommendations through KQL queries.
  • Cloud support for Defender for Containers: the threat detection capabilities specific to Azure Kubernetes Service (AKS) in Defender for Containers are now extended to commercial clouds, Azure Government, and Azure China 21Vianet, with the list of supported features updated.
  • Update of the Defender for Containers agent: a new version of the agent, which brings improvements in terms of performance and security, supports AMD64 and ARM64 architectures (Linux only) and employs Inspektor Gadget for process collection instead of Sysdig. This version is compatible exclusively with Linux kernel version 5.4 or higher, requiring updates for older kernels. ARM64 support is available starting from AKS V1.29.
  • Support for the OCI image format specification: vulnerability assessment now supports the Open Container Initiative (OCI) image format specification for AWS, Azure, and GCP clouds, thanks to Microsoft Defender Vulnerability Management.
  • Retirement of the AWS container vulnerability assessment powered by Trivy: this assessment has been replaced by a new solution powered by Microsoft Defender Vulnerability Management.
  • Recommendations for Azure Stack HCI: four new recommendations specific to Azure Stack HCI, currently in public preview, have been introduced, thus expanding the type of resources manageable through Microsoft Defender for Cloud.

Protect

Azure Backup

Support for Cross-Region recovery of PostgreSQL backups

Support for cross-region recovery of PostgreSQL backups through Azure Backup is now available to all. Using Read-Access Geo-Redundant Storage (RA-GRS), Azure Backup enables a high level of data resilience, allowing access to backups in disaster recovery scenarios and restoration operations from the secondary region at any time. This feature is now available for PostgreSQL backups in all public regions, offering a wide range of durability options for backup data.

Regional Disaster Recovery via Azure Backup for AKS (preview)

Azure Backup for AKS introduces a new feature in preview: Regional Disaster Recovery. This innovation provides advanced protection for containerized application workloads and data through scheduled backups and smooth restorations, ideal for addressing situations such as operational recovery, accidental deletion, and application migration. Thanks to Regional Disaster Recovery, organizations can anticipate and mitigate the impact of catastrophic regional events through the recovery of AKS clusters from backups located in a secondary region, leveraging Azure’s paired regions. This ensures operational continuity even in the face of regional disruptions, complying with the established 3-2-1 backup strategy and providing the resilience needed to ensure data recovery after tenant-compromising events, in addition to meeting compliance requirements imposed by heavily regulated sectors.

Extended support for VMs with Ultra and Premium SSD v2 disks

Azure has announced the general availability launch of extended support of Azure Backup for virtual machines (VMs) that use Ultra and Premium SSD v2 disks. This development represents a significant step forward in strengthening the resilience and recovery capabilities of businesses managing critical enterprise applications and high-intensity I/O in the cloud. Ultra disks, known for their ability to support enterprise-level applications such as SAP HANA, high-end SQL databases, and NoSQL databases, offer organizations the flexibility needed to run demanding workloads with ease. Simultaneously, Premium SSD v2 disks stand out as the most advanced block storage solution, optimized for IO-intensive production workloads that require latencies below one millisecond. The availability of these technologies in Azure Backup meets a fundamental customer demand, eager to ensure operational continuity of their VMs in the event of disasters or ransomware attacks. With the enablement of backup for VMs using both Ultra and Premium SSD v2 disks, Azure positions itself as a robust cloud platform capable of offering solid and efficient recovery solutions. These advanced backup options are designed for a wide spectrum of applications, including SQL Server, Oracle, MariaDB, SAP, Cassandra, Mongo DB, big data, analytics, and gaming, on virtual machines or stateful containers. The availability of these features in all regions that support the creation of Ultra and Premium SSD v2 disks highlights Azure’s commitment to providing reliable and cutting-edge backup solutions, thus promoting security, resilience, and operational efficiency for businesses globally.

Azure Site Recovery

Enabling replication for data disks added to VMware VMs

Azure Site Recovery now supports enabling replication for data disks added to a VMware VM already enabled for disaster recovery. Thanks to this update, users can ensure greater operational continuity and better data resilience management, extending disaster recovery protection to data disks added after the VM protection is enabled.

Support of Azure Site Recovery for Azure Trusted Launch VMs (preview)

Microsoft has announced the preview of Azure Site Recovery support for Azure Trusted Launch VMs, exclusively for Windows operating systems. These VMs provide basic security for Azure Generation 2 systems, enabling Secure Boot and vTPM capabilities.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure Management services: what’s new in January 2024

This month, Microsoft has introduced a series of significant updates for Azure management services. This is part of a series of monthly articles aimed at providing an in-depth and detailed analysis of the most relevant innovations. The goal is to keep users always informed about the ongoing evolutions of Azure, providing the essential information to explore these developments further.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Support for Azure Monitor VM Insights Dependency Agent for VM Linux RHEL 8.6

The Dependency Agent of Azure Monitor VM Insights is now supported for Red Hat Enterprise Linux (RHEL) 8.6 VMs. This means that the Dependency Agent can be used to monitor network connections and processes of RHEL 8.6 virtual machines and visualize the dependencies between them in the VM Insights Map function.

Integration of Azure Advisor with Azure Monitor Log Analytics Workspace

Azure Advisor is a cloud tool designed to help users follow best practices in optimizing their workloads in Azure. This solution analyzes resource configurations and telemetry data to provide targeted recommendations to improve four key areas: cost efficiency, performance, reliability, and security of Azure resources. Moreover, to support more effective management of Azure Monitor costs, Microsoft has implemented specific cost optimization recommendations and integrated Azure Advisor into the Log Analytics Workspace management interface.

Dedicated clusters in Azure Monitor logs now support different commitment levels

Microsoft has extended the capabilities of dedicated clusters in Azure Monitor Logs, now supporting any level of commitment, starting from a minimum of 100 GB per day. This new feature offers greater flexibility and customization for users who require specific solutions for their monitoring and logging needs. With this expansion, customers have the option to choose the service level that best fits their needs, ensuring more efficient and tailored data management.

Configure

Update management

Azure Update Manager on Azure Arc-enabled servers: new billing rules

From February 2024, Azure Update Manager will begin to incur charges for Azure Arc-enabled servers. Azure Update Manager, formerly known as Azure Automation Update Management, has been available since September 2023. Customers who started using the service from that date will not be subject to costs until February 1, 2024.

Starting February 1, 2024, customers using Azure Update Manager on Azure Arc-enabled servers will be billed daily, with a specific rate per server per day, equivalent to about $5 USD per server per month.

An Azure Arc-enabled server is considered managed by Azure Update Manager on days when it meets both of the following conditions:

  • it has a connection status with Arc at any time of the day;
  • an update operation is performed on it (patch on demand or via scheduled job, assessment on demand or via periodic assessment), or it is associated with a schedule.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Preview of the Azure Arc extension for Visual Studio Code

Microsoft has announced the public preview of the Azure Arc extension for Visual Studio Code. This extension allows developers to easily manage Azure Arc resources and services directly from Visual Studio Code. With this integration, developers can expect greater efficiency and simplified workflows, as they will have the ability to access and manage Azure Arc resources without leaving the Visual Studio Code development environment.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • introduction of agentless container posture for GCP in Defender for Containers and Defender CSPM;
  • public preview of agentless malware scanning for servers;
  • integration of Defender for Cloud with Microsoft Defender XDR;
  • DevOps security annotations for Pull Requests enabled by default for Azure DevOps connectors.

Protect

Azure Site Recovery

Support for Azure VMs with Premium SSD v2

Azure Site Recovery now supports Azure VMs equipped with Premium SSD v2. This feature is available as a private preview in selected Azure regions. Premium SSD v2 disks represent Azure’s most advanced block storage solution, ideal for high I/O intensity enterprise workloads, offering sub-millisecond latencies, high IOPS, and throughput. This addition responds to a frequent customer request to be able to use Azure Site Recovery with Azure VMs on Premium SSD v2. Thanks to this feature, customers can ensure greater data security and operational continuity of applications and workloads, even in case of planned or unplanned interruptions.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.