Azure | Microsoft Community Hub

Recent Discussions

Unable to backup APIM instance to storage account
I have a Standard V2 APIM instance and a storage account that has public access disabled but allows traffic from the Integration subnet of the APIM and the "Microsoft.ApiManagement/Service" resource type and the specific instance of APIM allowed access. It also has the "Allow trusted MIcrosoft Services to access this resource" selected. Integration subnet of APIM has the "Microsoft.Storage" service connection configured. I am following this MS KB to setup the backup:- https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore?tabs=powershell#back-up-an-api-management-service And using the "Access using managed identity" method. The Service principal that I am using in Powershell & Managed Identity of APIM has been given the "Storage Blob Data Contributor" role on the storage account. When I run the following 2 commands from a VM in the same VNET as the APIM Instance I get error: "Backup-AzApiManagement : Long running operation failed with status 'BadRequest'." $storageContext = New-AzStorageContext -StorageAccountName $storageAccountName Backup-AzApiManagement -ResourceGroupName $apiManagementResourceGroup -Name $apiManagementName -StorageContext $storageContext -TargetContainerName $containerName -TargetBlobName $blobName -AccessType "SystemAssignedManagedIdentity" Storage logs seems to indicate that it successfully does the "putblob" operation and within few milliseconds does the "DeleteBlob" operation. APIM activity logs have the following error for "Backup API Management Service":- "message": "Unable to backup API service at this time. Please, retry the operation.If the issue persists, please contact support providing correlation ID How can I troubleshoot this further or what needs to change in my setup to allow the backup?
Solved
curious7
Brass Contributor
May 14, 2026 Place Azure
61Views
0likes
2Comments
Two node Azure Local cluster updated to different versions
I'm not really sure how it's happened, but after trying to run an update against my Azure Local cluster, one of the two nodes has ended up at a higher version and now the update process is failing as it's detected that the nodes are at two different versions. Node 1 is at 26100.32690 Node 2 is at 26100.32522 Retrying the update process is failing as it's obviously detecting that the two nodes are at different update versions. Is there a way to update the node that has fallen behind to the the same version as the other?
Solved
MattENZ
Copper Contributor
May 06, 2026 Place Azure Stack
azure local
64Views
0likes
2Comments
Azure Automation Hybrid Runbook Worker Supported OS
Hi everyone, we are currently in the process of updating or environment to Server 2025. Since the mainstream support of Server 2022 ends October this year, we would also like to update our on-premise Azure Automation Hybrid Runbook Worker from 2022 to 2025. As far as I can see from the https://learn.microsoft.com/en-us/azure/automation/extension-based-hybrid-runbook-worker-install?tabs=windows%2Cps#supported-operating-systems, OS is only supported up to Server 2022, but not Server 2025. Since the mainstream support end is closing in, is there any information on official support for Server 2025 for Azure Automation HRWs? Do you already have one successfully running with Server 2025? Thanks!
Solved
PhilippZiemke
Copper Contributor
Apr 30, 2026 Place Azure
azure automation
73Views
0likes
2Comments
MFA required for Global Admin without Conditional Access or PIM enforcement
Hi, I'm analyzing a break-glass account scenario in Microsoft Entra ID and would like to validate a behavior I'm observing. The account: Has Global Administrator role (permanent assignment) Is excluded from all Conditional Access policies (fully validated) Is excluded from Authentication Methods policies and MFA Registration Campaign (fully validated) Has no per-user MFA enabled (disabled) PIM is not enforcing MFA (role is permanently active, no activation required) Security Defaults are disabled SSPR is not enforcing MFA All configurable sources that could require MFA have been reviewed and fully ruled out. However, when signing into Microsoft Admin Portals (Entra/Azure), MFA is still required and cannot be skipped. In Sign-in logs: Conditional Access → Not Applied Authentication Details show: "MFA required in Azure AD" "App requires multifactor authentication" Additionally, there is a Microsoft-managed policy: "Multifactor authentication for admins accessing Microsoft Admin Portals" but it is in Report-only mode. Question: Is Microsoft Entra ID enforcing MFA automatically for privileged roles (like Global Administrator) in admin portals, even when no Conditional Access or PIM policy requires it? And if so, is there any supported way to fully exclude a break-glass account from this behavior? Thanks in advance.
Solved
schiachris
Copper Contributor
Apr 28, 2026 Place Azure
azure
126Views
0likes
1Comment
Excluding break-glass account from MFA Registration Campaign – impact on existing users?
Hi everyone, I'm currently reviewing the configuration of a break-glass (emergency access) account in Microsoft Entra ID and I have a question regarding MFA registration enforcement. We currently have an Authentication Methods Registration Campaign enabled for all users for quite some time. We identified that the break-glass account is being required to register MFA due to this configuration. The account is already excluded from all Conditional Access policies that enforce MFA, so the behavior appears to be specifically coming from the registration campaign (Microsoft Authenticator requirement). Our goal is to exclude this break-glass account from the MFA registration requirement, following Microsoft best practices. My question is: If we edit the existing registration campaign and add an exclusion (user or group), could this have any impact on users who are already registered? Specifically, could it re-trigger the registration process or affect existing MFA configurations? We want to avoid any unintended impact, considering this campaign has been in place for a long time. Has anyone implemented a similar exclusion for break-glass accounts within an active registration campaign? Any insights or confirmation would be really helpful. Thanks in advance!
Solved
schiachris
Copper Contributor
Apr 16, 2026 Place Azure
azure
158Views
0likes
2Comments
AI-102 Develop computer vision solutions in Azure (deprecated)
I have my AI-102 certification exam next week, but Microsoft Learn shows the following: Develop computer vision solutions in Azure (deprecated) Does that mean that section won't be covered on the exam?
Solved
AnSoMo28
Copper Contributor
Mar 21, 2026 Place Azure
ai
ai-102
azure
210Views
1like
2Comments
Azure Virtual Desktop(AVD) - Enable Cloud Kerberos for storage accounts question
I need to enable Cloud Kerberos for storage accounts used for AVD host pool. I am thinking of following the following instruction. Is that correct steps and is that all that is required?:- After enabling AADKERB on the storage account :- 1a. Find the AADKERB Service Principal Use Azure CLI to log into correct tenant az login –tenant <tenantName> 1b. Find the AADKERB Service Principal Look up by display name pattern az ad sp list --filter "startswith(displayName,'[Storage Account]')" --query "[?contains(displayName,'<storageAccountName>')].{id:id,appId:appId,name:displayName}" -o table 1c. Grant Admin Consent The AADKERB SP requires the following delegated permissions on Microsoft Graph: openid profile User.Read ← This is often overlooked but required Get the Microsoft Graph SP ID $graphSpId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv) Get the AADKERB SP ID $aadkerbSpId=<from step 1a> Check existing grants az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '$aadkerbSpId' and resourceId eq '$graphSpId'" Create or update the grant az rest --method POST --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" --body "{ "clientId": "$aadkerbSpId", "consentType": "AllPrincipals", "resourceId": "$graphSpId", "scope": "openid profile User.Read" }"
Solved
curious7
Brass Contributor
Mar 15, 2026 Place Azure Virtual Desktop
108Views
0likes
1Comment
Slow response times in different regions
I have a website which is primarily for people in Asia and uses Front Door. Microsoft say that content served through Front Door is hosted in POPs all over the world but Grafana checks show consistently bad performance in Asia. The London ping response times are consistently low from London but around 150ms from Singapore, frequently spiking to over 500ms. While London is closer to where the origin is hosted, I wouldn't expect pings to go to the origin but be handled by Front Door? Is there any way I can verify that the site is being propagated to regional POPs in the APAC area?
Solved
LouisT
Copper Contributor
Feb 16, 2026 Place Azure
Front Door
monitoring
187Views
0likes
1Comment
Help ! - Hub Spoke Architecture and Routing via NVA
I have a classic example of routing. I want to force all traffic via Fortigate firewalls. EastWest and NorthSouth. However when large Supernet of Azure Vnet is used to route and force the traffic via UDR at gateway subnet, its not working. Because Routes learned at Hub Vnet via Vnet peering is taking precedence. To isolate, i have created multiple small subnet routes for Gateway subnet. Each pointing to spoke vnet and next hop as Fortigate firewall. However this is working, i want to make solution solid. Means if someone creates new vnet in future and peer with Hub, it should not get direct traffic. Is that possible? Or this is typical shortcoming of Azure where routing works with preference to vnet peeering.? Below is architecture -
Solved
Amolamolrev
Copper Contributor
Feb 06, 2026 Place Azure Networking
gateway
routing
UDR
virtual network
virtual network peering
302Views
0likes
2Comments
Azure passowrd protection
We have a hybrid Azure infrastructure with an AD Connector installed on-prem and configured for PTA. We installed the password protection server and registered it with the Azure tenant, then deployed the DC agent on all domain controllers. Both the proxy and agents are operational. We published a few banned words to block in case anyone uses them. For testing, I changed my password to include one of the banned words. To my surprise, I was able to change the password. I checked the corresponding logon server, and the DC event viewer showed that the password was validated, but the banned word was in the password list that Azure set to enforce. Why is it not blocking the change?
Solved
azuser
Copper Contributor
Dec 13, 2025 Place Azure
azure
Azure Friday
security
security & compliance
88Views
0likes
1Comment
PAAS resource metrics using Azure Data Collection Rule to Log Analytics Workspace
Hi Team, I want to build a use case to pull the Azure PAAS resources metrics using azure DCR and push that data metrics to log analytics workspace which eventually will push the data to azure event hub through streaming and final destination as azure postgres to store all the resources metrics information in a centralized table and create KPIs and dashboard for the clients for better utilization of resources. I have not used diagnose setting enabling option since it has its cons like we need to manually enable each resources settings also we get limited information extracted from diagnose setting. But while implementing i saw multiple articles stating DCR is not used for pulling PAAS metrics its only compatible for VM metrics. Want to understand is it possible to use DCR for PAAS metrics? Thanks in advance for any inputs.
Solved
zeenatparveen67
Copper Contributor
Dec 12, 2025 Place Azure
analytics
azure
Azure Essentials
Azure Resource Management
Azure Stack
157Views
0likes
2Comments
Azure File copy task v4 and later causes 403 error
I've configured a release pipeline in ADO which copies some files to a Storage Account. Using Azure File copy task version 6 consistently fails with a 403 error. RESPONSE Status: 403 This request is not authorized to perform this operation using this permission. After much wasted time checking IP restrictions, checking access and recreating service connections I tried using an earlier version of the task that some other pipelines which do the same thing were using. I found that using version 4 or later of the file copy task causes the issue. Setting the task version to 3 works. Are there any known issues around this?
Solved
LouisT
Copper Contributor
Dec 10, 2025 Place Azure
Azure devops pipeline
devops
108Views
0likes
1Comment
Container on App Service keeps getting stopped and terminated
I've got a .Net app running in a Docker container that I'm trying to run on a Linux App Service but as per the (sanitised) log output below from the Platform log stream, it's getting terminated only 4 seconds after it started. Where can I get information on why this is happening? Starting container: a0e3af0a_myapp-dev-as. Starting watchers and probes. Starting metrics collection. Container is running. Container start method finished after 1990 ms. Container is terminating. Grace period: 0 seconds. Stop and delete container. Retry count = 0 Timestamps removed as the forum doesn't seem to like log output?
Solved
LouisT
Copper Contributor
Dec 04, 2025 Place Apps on Azure
web apps
478Views
0likes
2Comments
Determine destinations to which traffic is being sent from Azure VM
I need to determine all the destinations where traffic is being sent from a Azure VM. What is the best way to achieve this.
Solved
curious7
Brass Contributor
Oct 30, 2025 Place Azure
azure
monitoring
166Views
0likes
1Comment
Azure Virtual Desktop External Identities
Hi. I was delighted to find out that External Identities are now supported in Azure Virtual Desktop (preview). https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication#external-identity-preview I have attempted to set this up and test it as per the requirements and known limitations above. However, when I sign into the Windows app with my guest account, I do not have any AVD resources available. Are there any detailed setup instructions or is there anything not obvious that I might be missing? Thank you!
Solved
tadhgclifford
Brass Contributor
Oct 14, 2025 Place Azure Virtual Desktop
community
795Views
0likes
4Comments
Fixed ip address for outbound calls from Azure APIM Standard V2
Hi, I recently ran a PoC deployment of Azure APIM Standard V2 Sku instead of our current Premium Classic instance. This worked well! Performance is great and I am able to route calls to an on-prem network ok using vnet-integration. However, one of the features we currently make use of with the Premium Classic instance is a fixed ip address for calls from APIM to 3rd parties. Is there a way to achieve this using Standard V2? We have tried a nat gateway with fixed ip on the same vnet but this does not seem to help.
Solved
BizTalkers
Copper Contributor
Sep 29, 2025 Place Azure Integration Services
azure api management
408Views
0likes
1Comment
How to setup Internet access after All Basic IPs be retired on September 30, 2025
As subject, what can I do to maintain Internet access
Solved
JasonIp
Copper Contributor
Sep 22, 2025 Place Azure Networking
88Views
0likes
1Comment
How to update the proxyAddresses of a Cloud-only Entra ID user
I currently have a client with an Entra ID user (not migrated from on-premises) that is cloud-based, but has proxyAddresses values assigned. Now, I want to update the proxyAddresses through the Graph Explorer and have used this link as a guide: https://learn.microsoft.com/en-us/answers/questions/2280046/entra-connect-sync-blocking-user-creation-due-to-h. Now this guide is suggesting you can use the BETA model and this URL format... https://graph.microsoft.com/beta/users/%USERGUID% It states you can use that URL to do both 'GET' and 'PATCH' queries - the PATCH query being the one that will change the settings. You have to put forth a body for the proxyAddresses property in the PATCH query, which represents all of the addresses you want the user to utilise as proxy addresses. Now the GET query works... The PATCH query does not... Screenshot provided: Now, regarding the error message, I have applied ALL possible permissions in the 'Modify Permissions' tab. It is still erroring, Now I cannot use Exchange Online PowerShell, as the user does not have a mailbox! Aside from potentially using a license for Exchange Online or provisioning a mailbox for the user, and making the necessary changes, would the only other option be to delete/recreate the user?
Solved
JMSHW0420
Iron Contributor
Sep 17, 2025 Place Azure
api management
azure
entra id
Exhcange Online
graph explorer
1.1KViews
0likes
3Comments
Hub spoke design with NVA firewall
I have my Azure landing zone setup but it isn't working as i expected. So i have a vnet named vnet-lz-fw-001 with 2 subnets. External and Trusted. I then have a NVA Watchguard Firewall with an interface on each subnet. I then have 2 further vnets, vnet-lz-prod-001 and vnet-lz-id-001. Each of these vnets has peering to vnet-lz-fw-001 but no peering between each other. vnet-lz-prod-001 and vnet-lz-id-001 have user defined routes to point to each other via the trusted interface on the Watchguard NVA The Watchguard firewall has static routes to point to each subnet in the vnets via the Trusted interface gateway address. Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping each other, but when they do its not routing via the Watchguard firewall. Is this as expected behavior? Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping the trusted interface on the Watchguard Firewall ok
Solved
jlhall1000
Copper Contributor
Sep 10, 2025 Place Azure Networking
virtual network
159Views
0likes
1Comment
AZ-900
Please guide me on how to get trained and pass the Azure AZ-900 exam. Also, suggest the best free self-paced training resources.
Solved
Balu_Karande
Copper Contributor
Aug 21, 2025 Place Azure
azure
338Views
1like
2Comments

Recent Discussions

Unable to backup APIM instance to storage account

Two node Azure Local cluster updated to different versions

Azure Automation Hybrid Runbook Worker Supported OS

MFA required for Global Admin without Conditional Access or PIM enforcement

Excluding break-glass account from MFA Registration Campaign – impact on existing users?

AI-102 Develop computer vision solutions in Azure (deprecated)

Azure Virtual Desktop(AVD) - Enable Cloud Kerberos for storage accounts question

Slow response times in different regions

Help ! - Hub Spoke Architecture and Routing via NVA

Azure passowrd protection

PAAS resource metrics using Azure Data Collection Rule to Log Analytics Workspace

Azure File copy task v4 and later causes 403 error

Container on App Service keeps getting stopped and terminated

Determine destinations to which traffic is being sent from Azure VM

Azure Virtual Desktop External Identities

Fixed ip address for outbound calls from Azure APIM Standard V2

How to setup Internet access after All Basic IPs be retired on September 30, 2025

How to update the proxyAddresses of a Cloud-only Entra ID user

Hub spoke design with NVA firewall

AZ-900

Events

Marketplace office hour for customers: June 2026

Recent Blogs

Foundry Toolkit for VS Code at //build: Hosted Agents End-to-End, a Smarter Toolbox, and More

Build Enterprise-Ready Agents with Microsoft IQ and Oracle AI Database@Azure — now with Oracle MCP

Tags