Recent Discussions
Azure Event Grid Domain Creation: Overcoming AZ CLI's TLS Parameter Limitations with Workaround
Introduction: The Intersection of Security Policies and DevOps Automation In the modern cloud landscape, organizations increasingly enforce strict security requirements through platform policies. One common requirement is mandating latest TLS versions for example TLS 1.2 across all deployed resources to protect data in transit. While this is an excellent security practice, it can sometimes conflict with the available configuration options in deployment tools, particularly in the Azure CLI. This blog explores a specific scenario that many Azure DevOps teams encounter: how to deploy an Azure Event Grid domain when your organization has a custom policy requiring latest version considering TLS 1.2, but the Azure CLI command doesn't provide a parameter to configure this setting. The Problem: Understanding the Gap Between Policy and Tooling What Is Azure Event Grid? Azure Event Grid is a serverless event routing service that enables event-driven architectures. It manages the routing of events from various sources (like Azure services, custom applications, or SaaS products) to different handlers such as Azure Functions, Logic Apps, or custom webhooks. An Event Grid domain provides a custom topic endpoint that can receive events from multiple sources, offering a way to organize and manage events at scale. The Policy Requirement: Many organizations implement Azure Policy to enforce security standards across their cloud infrastructure. A common policy might look like this: { "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.EventGrid/domains" }, { "anyOf": [ { "field": "Microsoft.EventGrid/domains/minimumTlsVersion", "exists": false }, { "field": "Microsoft.EventGrid/domains/minimumTlsVersion", "notEquals": "1.2" } ] } ] }, "then": { "effect": "deny" } } } This policy blocks the creation of any Event Grid domain that doesn't explicitly set TLS 1.2 as the minimum TLS version. The CLI Limitation: Now, let's examine the Azure CLI command to create an Event Grid domain: az eventgrid domain | Microsoft Learn TLS property is unrecognized with the latest version of AZ CLI version. Current Status of This Limitation: It's worth noting that this limitation has been recognized by the Azure team. There is an official GitHub feature request tracking this issue, which you can find at => Please add TLS support while creation of Azure Event Grid domain through CLI · Issue #31278 · Azure/azure-cli Before implementing this workaround described in this article, I recommend checking the current status of this feature request. The Azure CLI is continuously evolving, and by the time you're reading this, the limitation might have been addressed. However, as of April 2025, this remains a known limitation in the Azure CLI, necessitating the alternative approach outlined below. Why This Matters: This limitation becomes particularly problematic in CI/CD pipelines or Infrastructure as Code (IaC) scenarios where you want to automate the deployment of Event Grid domain resources. Workaround: You can utilize below ARM template and deploy it through AZ CLI in your deployment pipeline as below: Working ARM template: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "domainName": { "type": "string", "metadata": { "description": "Name of the Event Grid Domain" } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Azure region for the domain" } } }, "resources": [ { "type": "Microsoft.EventGrid/domains", "apiVersion": "2025-02-15", "name": "[parameters('domainName')]", "location": "[parameters('location')]", "properties": { "minimumTlsVersionAllowed": "1.2" } } ] } Please note I've used latest API version from below official Microsoft documentation : Microsoft.EventGrid/domains - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn Working AZ CLI command: az deployment group create --resource-group <rg> --template-file <armtemplate.json> --parameters domainName=<event grid domain name> You can store this ARM template in your configuration directory with replacement for Azure CLI command. It explicitly sets TLS 1.2 for Event Grid domains, ensuring security compliance where the CLI lacks this parameter. For example: az deployment group create --resource-group <rg> --template-file ./config/<armtemplate.json> --parameters domainName=<event grid domain name> Disclaimer: The sample scripts provided in this article are provided AS IS without warranty of any kind. The author is not responsible for any issues, damages, or problems that may arise from using these scripts. Users should thoroughly test any implementation in their environment before deploying to production. Azure services and APIs may change over time, which could affect the functionality of the provided scripts. Always refer to the latest Azure documentation for the most up-to-date information. Thanks for reading this blog! I hope you've found this workaround valuable for addressing the Event Grid domain TLS parameter limitation in Azure CLI. 😊
Error BCP036: The property "gateway" expected a value of type "string"
We're getting the error when we're trying to deploy On Premise Data Gateway API Connection: Error BCP036: The property "gateway" expected a value of type "string" but the provided value is of type "object" This was the initial properties file of the API connection we're trying to deploy We then updated the value of the gateway property into a string But got this error "ConnectionGatewayReferenceMissing","message":"The gateway reference connection parameter is missing for the on-premise connection request." Are we missing an attribute? This never happened before. It looks like there have been changes that happened some time this week to Azure API connection deployment
search/codesearchresults not able to get more than 2000 results?
when I send a POST API request to "https://MYAZUREINSTANCE/tfs/COLLECTION/MYPROJECT/_apis/search/codesearchresults?api-version=7.0" with this payload { "searchText": "ext:dll", "$skip": 1000, "$top": 1000, "filters": [ { "name": "ProjectFilters", "values": [ "MYPROJECT" ] }, { "name": "RepositoryFilters", "values": [ "$/MYPROJECT" ] } ], "searchFilters": { "ProjectFilters": [ "MYPROJECT" ], "RepositoryFilters": [ "$/MYPROJECT" ] } } the API returns the file data correctly. but I have more than 2000 such files. if I set "$skip": 2000, it returns an error stating that the $skip must be between 0 and 1000.... How do I get the rest of the files?
OUTLOOK Reverts to Classic every 24 hrs AVD
Hey All, I am looking for some support with AVD Windows 11 multi session... I have a series of inconsistences with user experiences. The major one is that Outlook (after upgrading to the new Outlook) reverts back to the Outlook Classic every day for users. Where did it go? why did it roll back - Here is the other issue is most of the users have to re authenticate every 24 hours with the Office 365 Apps, so after logging into AVD the are greeted with a message that there is something wrong with there work account and have to re authenticate and require to re-login Every day!
FSLogix issue with latest version break
Hi All, After upgrading the latest version of Fslogix i.e 3.25.401.15305. Getting error to only few users while logged in to Azure virtual desktop. User getting Recycle bin prompt even after closing that box it reappear after every 2-3 mins. It seems to be issue only with those user who are getting access to AVD after Fslogix upgrade. Is there is any fix for that? Also, Attached the error screenshot for the same.
Azure Devops Pipelines Stage Release
Hi! This is the problem I have! I'm making a process that collects many applications from a repository, which are eventually compiled into docker containers. And after assembly, I install them on various stands (dev, test, and so on). But I can’t select the branch in the releases from which the application will be built. Therefore, I thought that pipelines have such an opportunity at launch. Ability to select a Git branch. But I came across the fact that when I create a pipeline, not a release, my tasks are performed sequentially or with dependencies on each other. In this situation, I cannot restart the same pipeline only with different parameters. Let's say I have an assembly stage, a launch stage for a dev bench, and a launch stage for a test bench. If I start rolling on the dev stand, then I cannot restart the same pipeline and roll on the test stand. Maybe I don't know something? Have you encountered such a problem? Maybe there is a solution (it’s possible in Git Lab).Regarding changing the git push timestamp on azure repository
Hi! I had first used git rebase for editing the particular committer and saved and proceeded with GIT_COMMITTER_DATE="2025-04-10T15:30:00" git commit --amend --no-edit --date "2025-04-10T15:30:00" like this and used another code to make the author date and committer date to be same and then I pushed to the remote repository like azure devops. After changes I can see the committer date gets changed as expected and author date too changed and I made them the same .But my question is in azure devops there is showing three dates commitor date,author date,push date,In my case for example as per code commuter date is 2025-04-10T15:30:00;authored date is 2025-04-10T15:30:00 while the push date is not that and it was the time I pushed to devops. In devops in the commit history section the timestamp is changed while when I go to the push section of devops the timestamp is showing not the commit timestamp but the time when I actually pushed to there repo.My question is I have done the change for commt,author date but I cant do for the push date.Is there any way to change the git push date or devops push date timestamp in the repository. Hope I get the required information.Thank youAzure Storage Account feedback
Hey, After having a support case with the engineering team for Azure storage, I was encouraged to leave feedback here as well. Given the current state of Azure storage accounts, the website for Azure storage should be updated. An Azure Storage Account does not in any way replace an old-fashioned file server we have been using for shared drives for all users. The Azure storage account does not support metadata well, so the storage account won't work well to sharing containing metadata given that just about all files are placed on a file. The users will see delays when opening files and browsing file shares. I know a metadata caching add-on is on the way, but for now, that is only for premium accounts. Having a premium account for Excel, Word, PowerPoint, etc., is way too expensive and unnecessary.
Error 500 logging into ADO or Private Nuget feed
I have a long standing user who in the middle of last week lost his ability to login got ADO or connect to our private feeds getting an 500 Internal Server Error. The situation is complicated slightly in that we share an ADO Subscription amongst multiple tenants so this use is added as an ExternalAzureAD Guest. I dropped and recreated the user both in ADO and his guest account in the ADO joined tenant, waited half an hour and then re-added the user with to ADO, but still the same error. I have done the same with a scratch user and all this works without issue. When the user goes direct to the private feed and logs in, they get the error: {"$id":"1","innerException":null,"message":"TF400813: The user '66faf51b-bf86-6913-bd44-d1b38246c0ea' is not authorized to access this resource.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000} When they try to login to ADO, the get the attached error: We tried this on a different machine and got the same behaviour, so it seems account related. How can I resolve this?
SSH connexion failed from Azure DevOps server 2020 agents to REHL9
Hi everyone ! with our new linux REHL9 servers we couldn't connect to them through SSH Service connexion (configured with Private Key/username/password). When we use SSH task in release pipeline we face this error message [error]Échec de la connexion à la machine distante. Vérifiez les détails de la connexion de service SSH. Erreur : Error: All configured authentication methods failed. On REHL9 server rsa-ssh connexion is deprecated and we need to use at least rsa-sha-256 algorithm. Can we do some configurations on Az DevOps server to allow that ? I mean use rsa-sha2-256 (or 512) for ssh communication. Someone have already face this error ? Thank you for your help !Issue with Optimisation Teams in AVD
Recently i have updated the teams version i.e 25060.205.3499.6849 to latest in pooled azure virtual desktop. While checking the behaviour of teams when i logged in via Windows App it shows AVD Slimcore optimised but when i connected via Windows App web url then it will shows AVD Slimcore media not connected or sometime it shows AVD media not connected. Is this the normal behaviour or there is some issue with that version i.e 25060.205.3499.6849? Also, I have updated the WebRTC and Microsoft WebView2 as well. Kindly suggest is it normal or there will be some issue. Attached the both screenshot.Printing from RDP session not working on macOS Sequoia 15.4
Hi, I just wanted to let you know that printing from a Microsoft Remote Desktop Beta session using a redirected printer does not appear to work on macOS Sequoia. The issue has been present since version 15.1.1 and continues in the latest 15.4 update. I’ve tested several versions of Microsoft Remote Desktop Beta, including 10.9.3, 10.7.5, 10.6.8, and others. In all of them, the printer appears inside the RDP session, and the print job briefly enters the queue before disappearing without printing. Additionally, in the new Windows App, as well as in Microsoft Remote Desktop Beta starting with version 10.9.4 (2160), no printers appear at all inside the RDP session — printer redirection seems to be completely absent. For comparison, on a MacBook Pro 13" (2017) running macOS Ventura 13.7.2 with Microsoft Remote Desktop 10.9.10 (2327), everything works as expected. Please let me know if this is a known issue or if a workaround is available.Backup vaults Vs Recovery Service Vault
Hello Team, Microsoft has introduced multiple vault types, each serving different backup and disaster recovery needs. Below is a high-level differentiation: Recovery Services Vault (RSV) Supports Azure Backup (VMs, SQL, SAP HANA, Files) and Azure Site Recovery (disaster recovery). Offers backup policies, recovery points, replication, and failover management. Backup Vault A newer, streamlined vault designed for Azure Backup only. Supports Backup Short-Term Retention (Instant Restore) and Cross-region Restore. Primarily used with Azure Policy & Backup Center for better management at scale. Microsoft Continuity Center (MCC) A centralized disaster recovery hub in Azure. Integrates Azure Site Recovery (ASR) and backup services into a single pane of glass. Allows for failover, backup monitoring, and business continuity planning. Do we have any document talks about little deeper about the above topics.
Ionic command task missing
Has any one encountered this error this morning. This was working fine till Friday. Our pipeline has stopped working and not able to find the ionic command task. "A task is missing. The pipeline references a task called 'IonicCommand'. This usually indicates the task isn't installed, and you may be able to install it from the Marketplace: https://marketplace.visualstudio.com. (Task version 1, j)"I am running into an issue trying to install 2022.1 RTW
When I try to upgrade my Azure DevOps 2022.1 RC to Azure DevOps 2022.1 RTW it takes a VERY LONG TIME, and ultimately stops with an error, but the error is not useful "the intallation did not complete sucessfully". yet, when I look at the installer logs I see the following dd_devops_server_20240218201745_001_devops_serverCore: MSI (s) (D4:90) [20:33:50:520]: Product: AzureDevOpsCore2022.1 -- Installation completed successfully. MSI (s) (D4:90) [20:33:50:521]: Windows Installer installed the product. Product Name: AzureDevOpsCore2022.1. Product Version: 19.225.34309. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0. dd_devops_server_20240218201745_002_devops_serverWeb: MSI (s) (D4:98) [21:15:09:936]: Product: AzureDevOpsWeb2022.1 -- Installation completed successfully. MSI (s) (D4:98) [21:15:09:937]: Windows Installer installed the product. Product Name: AzureDevOpsWeb2022.1. Product Version: 19.225.34309. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0. Why am I getting an error?Azure Migrate Appliance
Hi, We are planning to migrate 100 servers to Azure and are looking for guidance on deploying the Azure Migrate appliance. Due to space limitations on-premises, we do not have room to deploy the appliance locally. Is it possible to deploy the Azure Migrate appliance in an Azure virtual machine (VM) within our existing Azure subscription? if so we would like to deploy the VM, install the Azure Migrate appliance, and then use it to assess, discover, and perform dependency analysis for our on-premises virtual and physical servers. Additionally, we are considering using the "Physical Server" option by downloading the installer script from the Azure Migrate appliance. Can you please confirm if this approach is viable, are there any additional steps or considerations we should be aware of by deploying the appliance in Azure on a VM. Thanks
Gatewayauthenticationfailed/objectid does not have authorization to perform on scope.
Hello, this is about activating the eligible role using the ARM API. Created a custom role (only with admin login action) no read action- coz we do not want user to see the machines in the portal. We have a ps script that is used inside the virtual machine to activate the eligible role using ARM API the role is assigned on subscription level and activated on resource level, using inheritance. It was working great, but from couple of weeks, we get this errors. "code":"GatewayAuthenticationFailed","message":"Gateway authentication failed for 'Microsoft.Authorization' AuthorizationFailed Message: The client '******@xxx.com' with object id 'xxxxa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxa/resourcegroups/ResGrp0213' or the scope is invalid. If access was recently granted, please refresh your credentials rest api used- PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01 it's a random issues on the random users.. #Azure #AVD #AzureVirtualMachines.Azure Event Grid CLI Identity Gaps & Workarounds with Python REST and ARM Templates
Azure Event Grid has become a cornerstone service for building event-driven architectures in the cloud. It provides a scalable event routing service that enables reactive programming patterns, connecting event sources to event handlers seamlessly. However, when working with Event Grid through the Azure CLI, developers often encounter a significant limitation: the inability to configure system-assigned managed identities using CLI commands. In this blog post, I'll explore this limitation and provide practical workarounds using Python REST API calls and ARM templates with CLI to ensure your Event Grid deployments can leverage the security benefits of managed identities without being blocked by tooling constraints. Problem Statement: Unlike many other Azure resources that support the --identity or ---assign-identity parameter for enabling system-assigned managed identities, Event Grid's CLI commands lack this capability while creating event subscription for system topic at the moment. This means that while the Azure Portal and other methods support managed identities for Event Grid, you can't configure them directly through the CLI in case of system topic event subscriptions For example you can add managed identity for delivery through portal but not through AZ CLI: If you try to use the following CLI command: az eventgrid system-topic event-subscription create \ --name my-sub \ --system-topic-name my-topic \ --resource-group my-rg \ --endpoint <EH resource id> --endpoint-type eventhub \ --identity systemassigned You'll run into a limitation: The --identity flag is not supported or unrecognized for system topic subscriptions in Azure CLI. Also, --delivery-identity is in preview and under development Current Status of This Limitation: It's worth noting that this limitation has been recognized by the Azure team. There is an official GitHub feature request tracking this issue, which you can find at Use managed identity to command creates an event subscription for an event grid system topic · Issue #26910 · Azure/azure-cli. Before implementing any of the workarounds described in this article, I recommend checking the current status of this feature request. The Azure CLI is continuously evolving, and by the time you're reading this, the limitation might have been addressed. However, as of April 2025, this remains a known limitation in the Azure CLI, necessitating the alternative approaches outlined below. Why This Matters: This limitation becomes particularly problematic in CI/CD pipelines or Infrastructure as Code (IaC) scenarios where you want to automate the deployment of Event Grid resources with managed identities. Solution 1: Using Azure REST API with Python request library: The first approach to overcome this limitation is to use the Azure REST API with Python. This provides the most granular control over your Event Grid resources and allows you to enable system-assigned managed identities programmatically. System Topic Event Subscriptions - Create Or Update - REST API (Azure Event Grid) | Microsoft Learn You can retrieve Azure Entra token using below CLI command: az account get-access-token Sample working code & payload: import requests import json subscription_id = <> resource_group = <> system_topic_name = <> event_subscription_name = <> event_hub_resource_id = <> access_token = <> url = f"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.EventGrid/systemTopics/{system_topic_name}/eventSubscriptions/{event_subscription_name}?api-version=2024-12-15-preview" payload = { "identity": { "type": "SystemAssigned" }, "properties": { "topic": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.EventGrid/systemTopics/<>", "filter": { "includedEventTypes": [ "Microsoft.Storage.BlobCreated", "Microsoft.Storage.BlobDeleted" ], "advancedFilters": [], "enableAdvancedFilteringOnArrays": True }, "labels": [], "eventDeliverySchema": "EventGridSchema", "deliveryWithResourceIdentity": { "identity": { "type": "SystemAssigned" }, "destination": { "endpointType": "EventHub", "properties": { "resourceId": "/subscriptions/<>/resourceGroups/rg-sch/providers/Microsoft.EventHub/namespaces/<>/eventhubs/<>", "deliveryAttributeMappings": [ { "name": "test", "type": "Static", "properties": { "value": "test", "isSecret": False, "sourceField": "" } }, { "name": "id", "type": "Dynamic", "properties": { "value": "abc", "isSecret": False, "sourceField": "data.key" } } ] } } } } } headers = { "Authorization": f"Bearer {access_token}", "Content-Type": "application/json" } response = requests.put(url, headers=headers, data=json.dumps(payload)) if response.status_code in [200, 201]: print("Event subscription created successfully!") Remember that these tokens are sensitive security credentials, so handle them with appropriate care. They should never be exposed in logs, shared repositories, or other insecure locations. Solution 2: Using ARM Templates & deploying it through CLI Another solution is to use Azure Resource Manager (ARM) templates, which fully support system-assigned managed identities for Event Grid. This approach works well in existing IaC workflows. Microsoft.EventGrid/systemTopics/eventSubscriptions - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn Here's a sample ARM template that creates an Event Grid topic with a system-assigned managed identity: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "systemTopicName": { "type": "string", "metadata": { "description": "Name of the existing system topic" } }, "eventSubscriptionName": { "type": "string", "metadata": { "description": "Name of the event subscription to create" } }, "eventHubResourceId": { "type": "string", "metadata": { "description": "Resource ID of the Event Hub to send events to" } }, "includedEventType": { "type": "string", "defaultValue": "Microsoft.Storage.BlobCreated", "metadata": { "description": "Event type to filter on" } } }, "resources": [ { "type": "Microsoft.EventGrid/systemTopics/eventSubscriptions", "apiVersion": "2024-06-01-preview", "name": "[format('{0}/{1}', parameters('systemTopicName'), parameters('eventSubscriptionName'))]", "identity": { "type": "SystemAssigned" }, "properties": { "deliveryWithResourceIdentity": { "destination": { "endpointType": "EventHub", "properties": { "resourceId": "[parameters('eventHubResourceId')]" } }, "identity": { "type": "SystemAssigned" } }, "eventDeliverySchema": "EventGridSchema", "filter": { "includedEventTypes": [ "[parameters('includedEventType')]" ] } } } ] } How to deploy via Azure CLI: az deployment group create \ --resource-group <your-resource-group> \ --template-file eventgridarmtemplate.json \ --parameters \ systemTopicName=<system-topic-name> \ eventSubscriptionName=<event-subscription-name> \ eventHubResourceId="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/eventhubs/<hub>" Disclaimer The sample scripts provided in this article are provided AS IS without warranty of any kind. The author is not responsible for any issues, damages, or problems that may arise from using these scripts. Users should thoroughly test any implementation in their environment before deploying to production. Azure services and APIs may change over time, which could affect the functionality of the provided scripts. Always refer to the latest Azure documentation for the most up-to-date information. Thanks for reading this blog! I hope you've found these workarounds valuable for addressing the Event Grid identity parameter limitation in Azure CLI. 😊Web access error in Hostpool in new feature
https://windows365.microsoft.com When accessing https://windows365.microsoft.com and using AVD, a connection loss error occurs. It wasn't due to conditional access or any other policy. When deploying Azure Virtual Desktop with the Multiple Desktop Assignments to a Single User feature, web access is not possible. However, the original AVD access URL, https://client.wvd.microsoft.com/arm/webclient/index.html, is available. I'm sharing this in hopes that the issue will be fixed.
Events
Robust security is crucial at every stage of your cloud and AI journey. Take a closer look at the importance of embedding security from the initial consideration of Azure to the ongoing management of...
Online
With security threats evolving across every layer, it is critical to have a cloud platform that is designed to safeguard your data and applications from the inside out. Join this session to explore t...
Online
Recent Blogs
- We're halfway through our first season of the Azure Communication Services Fundamentals series, and we are excited to invite you to our next session - Maximizing Email Insights with Logs and Events o...Apr 15, 2025
- 5 MIN READMonitoring your applications is now easier than ever with the public preview release of Auto-Instrumentation for Azure Kubernetes Service (AKS). You can now easily monitor your Java and Node deployme...Apr 15, 2025
