Recent Discussions
Hub spoke design with NVA firewall
I have my Azure landing zone set up but it isn't working as I expected. I have a vnet named vnet-lz-fw-001 with 2 subnets, External and Trusted. I then have an NVA Watchguard Firewall with an interface on each subnet. I then have 2 further vnets, vnet-lz-prod-001 and vnet-lz-id-001. Each of these vnets has peering to vnet-lz-fw-001 but no peering between each other. vnet-lz-prod-001 and vnet-lz-id-001 have user defined routes to point to each other via the trusted interface on the Watchguard NVA. The Watchguard firewall has static routes to point to each subnet in the vnets via the Trusted interface gateway address. Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping each other, but when they do it's not routing via the Watchguard firewall. Is this expected behavior? Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping the trusted interface on the Watchguard Firewall ok.
Solved, 43 Views, 0 likes, 1 Comment

Unable to revert Azure DevOps user access level
I have a user that was assigned Visual Studio Subscriber a few years ago. We have an on-prem AD to assign the user to a Visual Studio licensing group that gets replicated to Entra ID so the system recognized that a license had been assigned and Azure DevOps shows the correct Visual Studio license (Visual Studio Enterprise subscription). After a few years the user no longer needs the Visual Studio license so the person was removed from the on-prem AD group which replicated the change to Entra ID. However, Azure DevOps still shows the user's access level as Visual Studio Enterprise subscription. I double-checked the Visual Studio license page and confirmed the user no longer has an assigned license. I changed the user's access level to Stakeholder manually but when the user logs back into Azure DevOps it changes back to Visual Studio Enterprise subscription. I completely removed the user from Azure DevOps (Remove from organization) and re-added them along with adding back all the original project permissions and assigning Stakeholder. Once the user logged in the access level changed to Visual Studio Enterprise subscription again (skipping the initial default Visual Studio Subscriber that a "new to DevOps" user would get). Is there something I am missing that will not allow me to set this person's access level back to Stakeholder?
Solved, 64 Views, 0 likes, 2 Comments

App Permissions for Microphone
Hi all, I have found an issue with one of my users on a Windows 11 device that has the remote desktop app installed. When connecting to the AVD Win11 multisession host and starting Teams, the user was asked to confirm data privacy questions regarding microphone and camera, all of which were answered to allow access. Strangely, the Jabra microphone did not work, and when checking on the local device, the Microsoft Teams VDI app was not allowed to use the microphone. Here I noticed that multiple Microsoft Teams VDI apps exist. Is this a bug? Will each new Teams update create a new entry? Now, the question is how to force that such questions do not appear, or that the Microsoft Teams VDI app is always allowed.
Solved, 188 Views, 0 likes, 1 Comment

Terraform export template on Azure Portal
Hello, guys! I'm facing an issue during my export template by Terraform. I already registered Microsoft.AzureTerraform on my subscription and the status is registered. I re-registered again and it did not change. Has anyone else faced the same issue? How did you solve it?
Solved, 48 Views, 0 likes, 1 Comment

Installing azure local os on a laptop
I don't know if it is possible, but I would like to try installing Azure Local on a laptop that has a two terabyte SSD drive. It is an LG Gram laptop. The reason I would install it on the laptop is the laptop was damaged while being transported by an ambulance to hospital: they lowered the gurney and the laptop was underneath, and so the laptop was crushed into the shape of an 8th moon. If it is possible, what I'd like to do is install the Azure Local OS and then from the Azure portal provision a Windows 11 operating system, initially for testing purposes. If I can be successful at that, then I would try installing Azure Local on one of several servers I have in my home that have multiple network cards. I also have a bank of 56 public IP addresses. So I think I have everything necessary, but I'd like to start with the laptop. Any tips would be appreciated. I've searched high and low; maybe I'm just not good at searching, but I'm hoping somebody out there can take a minute to tell me I'm barking up the wrong tree, or maybe you can provide me with a link to a good article or just tell me what I need to do. In the end maybe I can use the laptop and its drive for restoring data for insights or some or maybe have one BM running on it. Anything I can do to use the on-premise hardware that I have would help from a cost standpoint. I am limited in what I can do as far as neurologically because of a spinal cord injury, but that's not a crutch, it's just an FYI. I'm pretty sure one of you is way smarter than me and way more experienced than I. So thanks in advance for taking the time to point me in whatever direction I need. Have a good afternoon.
Solved, 263 Views, 0 likes, 7 Comments

Azure DevOps REST API - tag DeploymentGroups' target
Hello everyone, I am trying to set up a function in PowerShell to be able to set tags on specific targets of a deployment group, and for that I am using this documentation page: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/targets/update?view=azure-devops-rest-7.0&tabs=HTTP#request-body

I created the request body as described in the page, like below:

    {
      "id": 541,
      "tags": [
        "tag1-backendWithDb",
        "tag1-backendWithDb-active-node",
        "tag2-backendWithDb-database",
        "tag2-backendWithDb",
        "tag2-backendWithDb-active-node",
        "tag3-blazor",
        "tag3-blazor-active-node",
        "tag4-yarp",
        "tag4-yarp-active-node"
      ]
    }

Then I run the following command:

    Invoke-RestMethod -Method Patch -Uri "$baseurl/distributedtask/deploymentgroups/$($DGid)/targets?api-version=6.0-preview.1" -Credential $cred -Body ($body | ConvertTo-Json) -ContentType 'Application/json'

But then I get an error like this:

    Invoke-RestMethod: { "$id": "1", "innerException": null, "message": "Value cannot be null.\r\nParameter name: machinesToUpdate", "typeName": "System.ArgumentNullException, mscorlib", "typeKey": "ArgumentNullException", "errorCode": 0, "eventId": 0 }

The problem is that the document is not specifying any parameter named 'machinesToUpdate'. What is it that I am missing here?
Solved, 122 Views, 0 likes, 3 Comments

Shutdown notification webhook unable to access token
I am trying to implement the AVD-Shutdown notification webhook from fortytwoservices on GitHub (https://github.com/fortytwoservices/AVD-Shutdown). It is getting an error getting the access token. The invocation log is: I am assuming it is referring to accessing the Exchange Online mailbox that I am sending the mail through. The webhook is using MS Graph API to send the e-mail. I have set up a system assigned managed identity in the portal for the function app. Using the values in Entra for the application, I set it up in exchange as follows: Any wisdom would be appreciated. Eric
Solved, 95 Views, 0 likes, 3 Comments

Container App - Dapr - Service Bus
Our app is running as a Dapr-enabled Container App in a Container Apps Environment, using the Dapr pubsub component for Service Bus messages. Our Service Bus is on the Standard plan without VNET integration. The built-in Service Bus Firewall does not support IPv6, it just supports IPv4, but the daprd sidecar tries to access it over IPv6 and gets "connection denied". I have tried to set DAPR_DISABLE_IPV6=true and DAPR_INET=4 environment variables in my container because Windsurf suggested it, but it does not help. Is there a way to force IPv4 for Dapr in a Container Apps Environment? Or any other solution for our problem? Without setting "allow all networks" or changing to Premium tier for the Service Bus.
Solved, 117 Views, 1 like, 3 Comments

Sending notifications with Azure Virtual Desktop Auto-Shutdown
We have several Virtual Desktops that are used during business hours. I know I can use the auto-shutdown feature to shut the VM down at a scheduled time at night to save costs. What I would like to do is notify the logged-on users (we use personal and pooled host pools) that their VM will be shut down in fifteen or thirty minutes and give them the chance to extend by an hour in case they are working late. I saw a webhook by fortytwoservices called avd-shutdown on GitHub that may do what I want, but the documentation on implementing it is a bit unclear to me. Is there a solution, native or add-on, that would send notifications like this for me? Thanks, Eric
Solved, 335 Views, 1 like, 11 Comments

ACS protection
Hi, If we have an external application that is configured to send SMTP from a custom domain using Azure Communication Service and the application is compromised in some way, are there any built-in protections to filter spam or malicious emails from being sent? i.e. similar to the protections in defender/Exchange online...
Solved, 81 Views, 0 likes, 1 Comment

Backup vaults Vs Recovery Service Vault
Hello Team, Microsoft has introduced multiple vault types, each serving different backup and disaster recovery needs. Below is a high-level differentiation:

Recovery Services Vault (RSV)
- Supports Azure Backup (VMs, SQL, SAP HANA, Files) and Azure Site Recovery (disaster recovery).
- Offers backup policies, recovery points, replication, and failover management.

Backup Vault
- A newer, streamlined vault designed for Azure Backup only.
- Supports Backup Short-Term Retention (Instant Restore) and Cross-region Restore.
- Primarily used with Azure Policy & Backup Center for better management at scale.

Microsoft Continuity Center (MCC)
- A centralized disaster recovery hub in Azure.
- Integrates Azure Site Recovery (ASR) and backup services into a single pane of glass.
- Allows for failover, backup monitoring, and business continuity planning.

Do we have any document that talks a little deeper about the above topics?
Solved, 684 Views, 0 likes, 1 Comment

Azure Arc Gateway and Azure Arc Proxy
Hi, I had an internal discussion regarding the purpose of the Azure Proxy. Can the Azure Arc Proxy
A) take over the communication of other VMs, servers or Arc Agents that cannot access the internet? In other words, the Arc Proxy is a proxy for other Arc Agents on other servers.
B) Or does the Azure Arc Proxy only serve as a proxy on the VM itself for the extensions installed on the same machine, thus simplifying communication of the individual servers over an enterprise proxy server and reducing the URLs that need to be whitelisted?
I think the graphic can be misinterpreted: https://learn.microsoft.com/en-us/azure/azure-arc/servers/arc-gateway?tabs=portal I would be grateful for a brief confirmation and clarification. Many thanks in advance
Solved, 231 Views, 1 like, 2 Comments

Entra External Identities - Sign In with LinkedIn using OpenID Connect error
Hi there, I would like to add LinkedIn as an identity provider in my Entra External Identities tenant. We have proceeded according to the following instructions (https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2) and used the LinkedIn Well-Known Config Endpoint (https://www.linkedin.com/oauth/.well-known/openid-configuration). When saving the configuration I get the following error message in the EntraId portal:

    Custom OIDC well-known endpoint validation error: Error when deserializing response Required property 'token_endpoint_auth_methods_supported' not found in JSON. Path '', line 12, position 1.

In the JSON provided by the LinkedIn Well-Known Config Endpoint the field 'token_endpoint_auth_methods_supported' is missing. However, according to the OpenId Connect specification, the field is optional. Currently I cannot add LinkedIn as an identity provider via OIDC in EntraID. Has anyone here already solved a similar problem? Thanks!
Solved, 308 Views, 1 like, 3 Comments

Service Bus: Ip has been prevented to connect to the endpoint
Hi, Since yesterday we are facing issues with our Azure Functions (ASP) connecting to the Azure Service Bus (Standard, not in VNET). This was working before without any issues and since yesterday it is not working anymore on all our environments, so I wonder if there is any general issue.

Message: Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint.For more information see:Virtual Network service endpoints

The Azure Functions are communicating via NAT Gateway and the public IP address is set in the IP Filter List of the SBN. As soon as I deactivate the IP filter to allow any traffic, it is working again. I can also see that the used outbound IP is exactly the same as the one set in the IP filter list. We are using the AMQP protocol.

[Error] An unhandled exception occurred in the message batch receive loop (namespace='....servicebus.windows.net', entityPath='.../Subscriptions/...', singleDispatch='False', isSessionsEnabled='False', functionId='Host.Functions.ProcessTripsBc').System.UnauthorizedAccessException : Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint.For more information see:Virtual Network service endpoints:Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044192Service Bus: https://go.microsoft.com/fwlink/?linkid=2044235IP Filters:Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044428Service Bus: https://go.microsoft.com/fwlink/?linkid=2044183TrackingId:0ac55176-7c9d-4577-bc35-246418724a7d_G0

Regards, Michael
Solved, 289 Views, 0 likes, 1 Comment

Finalizing migration from Connect Sync to Cloud Sync
Hello, The Connect Sync server synchronizes multiple domains to the same tenant. We have followed the migration approach outlined in the article, for one of the domains: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp How best to remove that domain configuration from the Connect Sync without potentially impacting hybrid objects? Is it just as simple as removing the domain through the Connect Sync wizard? It looks like I do not have an option to disable that domain's sync configuration temporarily.
Solved, 377 Views, 0 likes, 7 Comments

Specify which Entra ID Sign-in logs are sent to Log Analytics Workspace
Hi, as the title says, I am curious if it's possible to limit which login logs are sent to a Log Analytics Workspace. We currently have a couple of service accounts in use that generate a high amount of traffic (an issue being worked on separately) and would like to exclude the logs from these specific users from being sent to LAW.
Solved, 107 Views, 0 likes, 1 Comment
Events
Recent Blogs
- We are excited to release Image Customizer, an open-source tool, built and maintained by the Azure Linux team. Image Customizer lets you customize well-tested existing Azure Linux images for any scen...
  Sep 18, 2025, 51 Views, 0 likes, 0 Comments
- As organizations continue to scale containerized workloads in Azure Kubernetes Service (AKS), the need to secure network traffic between applications and services has never been more critical especia...
  Sep 18, 2025, 105 Views, 0 likes, 0 Comments