Recent Discussions
Azure Virtual Desktop(AVD) - Enable Cloud Kerberos for storage accounts question
I need to enable Cloud Kerberos for storage accounts used for an AVD host pool. I am thinking of following the instructions below. Are these the correct steps, and is that all that is required?

After enabling AADKERB on the storage account:

1a. Find the AADKERB Service Principal
Use Azure CLI to log into the correct tenant:
    az login --tenant <tenantName>

1b. Find the AADKERB Service Principal
Look up by display name pattern:
    az ad sp list --filter "startswith(displayName,'[Storage Account]')" --query "[?contains(displayName,'<storageAccountName>')].{id:id,appId:appId,name:displayName}" -o table

1c. Grant Admin Consent
The AADKERB SP requires the following delegated permissions on Microsoft Graph:
    openid
    profile
    User.Read  ← This is often overlooked but required

Get the Microsoft Graph SP ID:
    $graphSpId = $(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv)

Get the AADKERB SP ID:
    $aadkerbSpId = <from step 1a>

Check existing grants (the $filter in the URL is escaped so PowerShell does not expand it as a variable):
    az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?`$filter=clientId eq '$aadkerbSpId' and resourceId eq '$graphSpId'"

Create or update the grant:
    az rest --method POST --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" --body "{ \"clientId\": \"$aadkerbSpId\", \"consentType\": \"AllPrincipals\", \"resourceId\": \"$graphSpId\", \"scope\": \"openid profile User.Read\" }"

Azure VM Persistent Route Setup
Hi, I hope to get some advice on a routing issue from Azure to an on-premises system. A little background first, please bear with me:

We have an on-premises VM that connects to an isolated Thirdparty network via an On-Prem Cisco ASA FW specifically for this purpose.

OnPrem VM's IP: 10.100.10.23/24
OnPrem dedicated FW - Local Inside Interface IP: 10.100.10.190

OnPrem dedicated FW - 3rdParty Interface IP: 10.110.255.137
Thirdparty router IP: 10.110.255.138 - This routes to additional devices on 10.10.227.10 and 20.10.227.10.

There are static routes configured for the 3rd party FW interface using:
3rdParty Interface - 10.10.227.10 255.255.255.255 - 10.110.255.138 (Gateway IP)
3rdParty Interface - 20.10.227.10 255.255.255.255 - 10.110.255.138 (Gateway IP)

The on-premises VM (10.100.10.23) has persistent routes added to allow connectivity:
Network Address    Netmask            Gateway Address    Metric
10.10.227.10       255.255.255.255    10.100.10.190      1
20.10.227.10       255.255.255.255    10.100.10.190      1
10.110.255.136     255.255.255.252    10.100.10.190      1

The above works fine on-prem, but I now need to migrate the On-Prem VM service into Azure.

Azure Side
I have created a test Azure VM with a static IP in an isolated subnet (no other devices using it) in the Production subscription of our LZ (Hub and Spoke topology). We have a site-to-site VPN connected to our on-premises FW using a VPN Gateway configured in the Connectivity subscription of our LZ (as expected).
We have defined subnets for on-premises address spaces in the Local Network Gateway: 10.100.10.0/24, 10.100.11.0/24, 10.100.13.0/24, 10.100.14.0/24 (Local Subnets) and 172.16.50.0 (VPN client Subnet).

Main Problem that I'm requesting advice for:
When I add the defined persistent routes on the Azure VM (IP address: 10.150.1.10/24), as they are on the On-Prem VM:
Network Address    Netmask            Gateway Address    Metric
10.10.227.10       255.255.255.255    10.100.10.190      1
20.10.227.10       255.255.255.255    10.100.10.190      1
10.110.255.136     255.255.255.252    10.100.10.190      1
I'm unable to ping the 10.10.227.10 and 20.10.227.10 addresses, even though the routes have been added by the 3rd party on their network side. All Network Objects, static routes, groups and rules are duplicated on the ASA FW for the Azure VM as for the On-Prem VM, and I can access/ping the ASA FW inside interface no problem.

Is there a specific way I need to route the persistent routes from the Azure side? Have I missed something in the configuration above to get the connectivity I require? All advice is welcomed! Thank you,
Nitrox

directorySizeQuota not updated on new Business Premium tenant - cannot register apps
remium license assigned and a verified custom domain. The "Users can register applications" setting is enabled. The tenant has approximately 490 users and 137 service principals and no deleted objects.

When attempting to register any application I receive the error:
"Failed to create BitTitan application. Error detail: The directory object quota limit for the Tenant has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota."

I believe the tenant's directorySizeQuota has not been updated to the 300,000 object limit expected for a verified-domain Business Premium tenant. I have confirmed this via PowerShell using Get-MgOrganization. Microsoft 365 support (2603060010002144) directed me to Azure support. Azure support only allows billing tickets without a paid support plan. The paid support plan path gets me an unresponsive web page every time. I am unable to find any other route to get this resolved. Can anyone advise, or help escalate to the Entra backend team to recalculate this tenant's quota?

Hi everyone!
Hi everyone! 👋 I'm new to this community and currently learning Azure Analytics. I'm really excited to be here and connect with people who have experience in this field. I believe the discussions and knowledge shared by members here are very valuable, and I'm looking forward to learning from all of you. If you have any advice, resources, or tips for someone starting with Azure Analytics, I'd really appreciate it. Happy to be part of this community! 😊

Deploying access packages as code
I know Microsoft Graph can be used to automatically create access packages in Azure AD; however, it would be useful if a Terraform registry would eventually become available to deploy access packages using Terraform, so you can manage your access packages in code. #AzureAD #IAC #accesspackages

Remote Attestation Attack on AMD SEV-SNP CVM in Azure
Following the 1st scenario ("request in separate workload") on this page (https://learn.microsoft.com/en-us/azure/confidential-computing/guest-attestation-confidential-vms), after step 2, is it not possible for a malicious guest OS to replace a valid attestation report with another attestation report (from a SEV machine with a good OS) to mask its presence from a relying party? How is this mitigated?

Registering an application returns quota limit error.
I have a brand new Microsoft 365 Business Premium tenant with approximately 490 users and 137 service principals. I am a Global Admin with a Business Premium license assigned. I have verified a custom domain. The "Users can register applications" setting is enabled.

When attempting to register an application I receive: "The directory object quota limit for the Principal has been exceeded."

I ran the following PowerShell to check the tenant quota:
    Connect-MgGraph -Scopes "Organization.Read.All"
    $org = Get-MgOrganization
    $org.AdditionalProperties["directorySizeQuota"]

The total value returned is 500. This appears to be a provisioning issue where the tenant's directorySizeQuota has not been updated to the standard 300,000 object limit despite having a verified domain and Business Premium licensing. M365 support directed me to Azure support, and Azure support only allows billing tickets without a paid support plan. Paid support plan options do not populate and the portal goes non-responsive. Hoping someone here can advise or escalate.

Azure Files Manage Access is missing
Good day,

We have fully and correctly configured an Azure File Share and the associated permissions. All required Azure RBAC roles as well as the necessary data plane permissions are assigned. However, we are observing inconsistent behavior in the Azure Portal regarding the "Manage access" buttons.

At times, the "Manage access" buttons are visible:
- In the top menu bar of the file share
- In the context menu (three-dot menu) of individual directories

At other times, these buttons are not displayed at all, even though:
- The same user with the same permissions is used
- The same storage account and the same file share are accessed

The behavior is sporadic and not reproducible in a controlled manner.

Already verified:
- Required Azure RBAC roles are assigned
- Required permissions for Azure Files are correctly configured
- Permissions are effective and functional
- No error messages are shown in the Azure Portal when the buttons are missing

A screenshot showing the state when the functionality was working is here. We would appreciate your support in investigating this issue.

Windows App - RDP channel crashes when printing on a redirected Canon printer
Hey team, I would like to know if anyone else struggles with the following scenario: A Canon printer is installed on a local client. The user is working in the AVD environment. The printers are redirected into the AVD session via "printer redirect". Since the users are migrating to the new "Windows App", the AVD session breaks as soon as the user prints on a redirected Canon printer. When printing on another printer, there is no issue. Also: with the "Microsoft Remote Desktop" application, everything works as it should. A Microsoft ticket is already raised. I would like to know if there are other environments which are encountering the same issue.

Unable to delete tenant
I want to delete a single tenant I created some time ago using my personal MS account (@outlook.com). The goal is to start fresh. In the Manage tenants page I see this: 'All initial checks passed. Click 'Delete' to Delete tenant 'Default Directory'', meaning all the checks are passed. However, when I try to delete 'Default Directory' I get the error below: 'Unable to delete tenant Default Directory. Known issues exist where some enterprise applications are not capable to delete within the portal. Click the notification title for more information and manual troubleshooting steps.' But I don't have any enterprise applications left in my tenant. Is it even possible to delete only the tenant?

Agentic AI in IT: Self-Healing Systems and Smart Incident Response (Microsoft Ecosystem Perspective)
Modern IT infrastructures are evolving rapidly. Organizations now run workloads across hybrid cloud environments, microservices architectures, Kubernetes clusters, and distributed applications. Managing this complexity with traditional monitoring tools is becoming increasingly difficult. https://dellenny.com/agentic-ai-in-it-self-healing-systems-and-smart-incident-response-microsoft-ecosystem-perspective/

finops toolkit - missing clusterUri
I installed the FinOps toolkit but I did not get any value in the clusterUri from my hub. Any thoughts on how to fix it? Thanks.

Instructions I followed (Copy the Data Explorer cluster URI):
1. Select the resource group where your FinOps hub instance was deployed.
2. Select Settings > Deployments > hub > Outputs.
3. Copy the clusterUri output value.

Azure Build Issues >> Publish Through VS 2022 Community Edition is causing 404 Errors at Many Actions
Hi everyone,

Problem: My .NET Core app, hosted on Azure App Services, is encountering 404 exceptions for various UI actions.
App Overview: It's an ASP.NET Core app hosted on Azure (PaaS/Azure App Services).
Publishing Details: We're using VS 2022 Community Edition and performing a manual publish.
Local Testing: Everything works smoothly during local testing.
Temporary Fix: The problem is sometimes resolved by publishing again or restarting the App Service.
Seeking Help: Any insights into what might be causing this issue? Could there be any missing configurations either in Azure or Microsoft?

Thanks!
Ashish Tripathi

Convert Azure Files Storage account to AES256
Hi, mild panic attack: the storage accounts used for Azure Files were originally set up without AES256, and it looks like the hybrid join script now defaults to AES256. Which is great.

So following this guide: Use Azure Active Directory Domain Services (Azure AD DS) to authorize user access to Azure Files over SMB | Microsoft Learn

It looks like the original storage accounts were set up with RC4, so we need to convert our existing storage accounts from RC4 to AES256. As a test, I created a new storage account on RC4 and ran the PowerShell command to convert to AES256. It looked like it worked fine. Did this on the production AVD storage account. Lost access to the share; my heart sank.

I can see KerberosEncryptionType was originally empty:
    Get-ADComputer avdprofilestorage -Properties KerberosEncryptionType

Ran the command:
    Set-ADComputer avdprofilestorage -KerberosEncryptionType AES256

A few moments later, lost access. To revert, there was no way to set a null value, so I ran:
    Set-ADComputer avdprofilestorage -KerberosEncryptionType RC4

Then everything came back. Maximum compatibility is set on the storage account. Just wondering if there is anything else I have missed? Worst case scenario is being locked out of the share. Thanks

Log Analytics query the logs that are not in IP range
Hi All,

I'm struggling with writing a query that will find sign-ins in logs that are not in our IP ranges. We have a Log Analytics Workspace which is collecting sign-in logs, and we want to trigger an alert when an account is signed in from an IP that is not in one of our IP ranges. We have a lot of known network ranges, and we have to use an external repository like GitHub with a txt file of those ranges. I've tried to use the function "ipv4_is_match()", but from my understanding it's looking like-to-like, not looking foreach. That being said, I've tried something like this, but it doesn't work. Can anyone experienced here help with writing such a query, or even answer whether it's possible?

    let ipList = externaldata (IPAddress:string) [ @"https://raw.githubusercontent.com/NameOfRepository/IPv4Range.txt" ];
    SigninLogs
    | where UserPrincipalName contains "email address removed for privacy reasons"
    | where IsInteractive == true
    | where not (ipv4_is_match(IPAddress, ipList))

How do I use Azure Data Studio with schemas?
I had thought that a database schema was the name of the structure on which tables are interconnected by primary keys and foreign keys. But in the tool, Azure Data Studio, the user is asked to select from a pre-defined set of schemas when creating a table. What is more, when setting up or creating a database through Azure, we are given the opportunity to use a sample database, and this is where "SalesLT" comes from, so there must be some place where we can define a schema with Azure Data Studio. Where would that be? It was generated when deciding to use a demo sample database. So there must be some way, using SQL code or otherwise, to generate a schema.

How do I send Azure APIM product subscription approval to different email addresses
I am trying to identify, if we have an Azure APIM instance shared between different teams, how I can send approval emails to different email addresses for different APIs/Products. I need to send approval emails for each product to the respective team's approver. How can this be achieved, because by default the APIM instance will send the approval to the APIM administrator's email address?

DFS referral target on Azure VM
Hello guys, I have a problem on DFS. I have two entries as a target folder on a DFS namespace. I set the second target as "Last among all targets", so users should never be referred to this target unless all other targets are unavailable. I don't understand why, randomly, on this shared folder I find some files duplicated ending with the name of both target servers, which means that the second target server was used because the first one was not available (I think). But I am not sure of this, so are there logs to find out what happened to the first target, and why these files were created? Thanks for your support.
Andrew
Events
Build, buy, or blend? Gain the insights you need as a manufacturer to scale AI apps and agents across the factory floor using Microsoft Marketplace. We'll go beyond AI theory and focus on practical m...
Wednesday, Mar 25, 2026, 09:30 AM PDT, Online
Recent Blogs
- This blog explores how Azure Local, in partnership with NVIDIA, enables governments and regulated industries to build and operate Sovereign AI within their own trusted boundaries. From enterprise AI ... (Mar 16, 2026)
- March brings another milestone for AI Toolkit! Version 0.32.0 is packed with new capabilities designed to help you ship production ready AI agents. This release brings a unified tree view experience,... (Mar 16, 2026)