<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ct-p/cis</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Wed, 01 Jul 2026 00:39:30 GMT</pubDate>
    <dc:creator>cis</dc:creator>
    <dc:date>2026-07-01T00:39:30Z</dc:date>
    <item>
      <title>Authenticating AWS Workloads to Azure Functions using Workload Identity Federation</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/authenticating-aws-workloads-to-azure-functions-using-workload/ba-p/4531603</link>
      <description>&lt;H5&gt;What you will learn:&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;What Workload Identity Federation is and how it works&lt;/LI&gt;
&lt;LI&gt;How to set up trust between AWS and Microsoft Entra ID&lt;/LI&gt;
&lt;LI&gt;How to exchange AWS identity tokens for Azure access tokens&lt;/LI&gt;
&lt;LI&gt;How to securely call an Azure Function from AWS without storing credentials&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This approach improves security, removes secret management overhead, and aligns with Zero Trust principles.&lt;/P&gt;
&lt;P&gt;Let’s start by understanding why this approach is needed in a multi-cloud environment.&lt;/P&gt;
&lt;H5&gt;Why this approach is needed&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In today’s multi-cloud landscape, organizations&amp;nbsp;frequently&amp;nbsp;need to connect services across cloud providers like AWS and Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Traditionally, this required storing long-lived Azure client secrets within AWS environments. While functional, this introduces:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Security risks (secrets can leak or be misused)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Operational overhead (secret rotation and storage)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Increased maintenance complexity&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Microsoft Entra ID&amp;nbsp;provides&amp;nbsp;a modern alternative:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Workload Identity Federation&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;, which&amp;nbsp;eliminates&amp;nbsp;the need for static credentials entirely.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="none"&gt;What is Workload Identity Federation?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Workload Identity Federation is a feature in Microsoft Entra ID that allows you to trust identities from external providers like AWS, GCP, or GitHub. Instead of a secret, Azure&amp;nbsp;validates&amp;nbsp;the identity of the AWS resource based on its own native OIDC (OpenID Connect) token.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;This approach is particularly useful for:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Securing Cross-Cloud Pipelines&lt;/STRONG&gt;:&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Enabling AWS Lambda or EC2 to call Azure APIs without managing keys.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Eliminating&amp;nbsp;Secret Rotation:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Removing the need to update expired secrets across different cloud providers.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Enhancing Security:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Using short-lived, verifiable claims that automatically expire.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In this blog, we will cover the configuration for&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;service-to-service&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;authentication&lt;/STRONG&gt; and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;user-led validation&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;for troubleshooting. The following guide outlines the complete technical configuration&amp;nbsp;required&amp;nbsp;to implement this architecture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;An overview of what we will be doing:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Generate AWS Token:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Your AWS resource (Lambda, EC2,&amp;nbsp;etc) generates a short-lived OIDC token signed by AWS.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Exchange for Azure Token:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;The AWS token is sent to Microsoft Entra ID. Azure&amp;nbsp;validates&amp;nbsp;the AWS signature using your Federated Credential and issues a native Azure Access Token in return.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Attach Verified Permissions:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;We configure an&amp;nbsp;App Role&amp;nbsp;on the&amp;nbsp;Function&amp;nbsp;App&amp;nbsp;and link it to our Caller App. This helps Azure&amp;nbsp;identify&amp;nbsp;the correct permissions to inject into the token, confirming the caller is officially&amp;nbsp;permitted&amp;nbsp;to access your API.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Authorize Azure Function:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; The AWS resource calls the Function URL with the Azure token. The Function's authentication layer verifies the token's claims and grants access.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 1: AWS side setup&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-10"&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 1–Enabling Outbound Identity Federation&lt;/SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt; Go toIdentity and Access Management (IAM)-&amp;gt; Access Management-&amp;gt;Account Settings&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt; Scroll down to the Outbound Identity Federation section and enable it. Note down the &lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Token Issuer URL&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;—we will use it later to set up the Issuer claim in the federated credentials on the Azure side.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 2– Create a role for your AWS resource (Lambda, EC2)&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to Identity and Access Management (IAM) -&amp;gt; Access Management-&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Roles&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click on the Create role button on the top right and select the trusted entity type, I selected AWS service. For use case I selected EC2. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Under Permissions, click Add permissions &amp;gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Create inline policy&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Switch to the JSON tab and paste this:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X POST 
"https://login.microsoftonline.com/&amp;lt;TENANT_ID&amp;gt;/oauth2/v2.0/token" \ 
-H "Content-Type: application/x-www-form-urlencoded" \ 
-d "client_id=&amp;lt;CLIENT_ID&amp;gt; " \ 
-d "scope=api://&amp;lt;APP_URI&amp;gt; /.default" \ 
-d "grant_type=client_credentials" \ 
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \ 
-d "client_assertion=&amp;lt;WebIdentityToken&amp;gt; "&lt;/LI-CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Review and Save (name it something like&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;AllowSelfWebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;). This permission allows the role to&amp;nbsp;generate its own OIDC token for external exchange&amp;nbsp;(you can do this step after the creation of role as well by editing the role)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;I named the role&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-federation-role&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. Review and create the role. After the creation is complete note down the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ARN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;for the role.&lt;/SPAN&gt;&amp;nbsp;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 2: Azure side setup&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;3&amp;nbsp;— Register the AWS Caller&amp;nbsp;App in Entra ID&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This&amp;nbsp;registration&amp;nbsp;represents&amp;nbsp;the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;AWS resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that will request a token and call your API&amp;nbsp;in the Azure side.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal → Microsoft Entra ID → App registrations → +&amp;nbsp;New registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Fill in the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;aws-caller-app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Supported account types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Single tenant (your tenant)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Register&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Now&amp;nbsp;you’ll&amp;nbsp;see&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Directory (tenant) ID&lt;/STRONG&gt;.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Copy both —&amp;nbsp;you’ll&amp;nbsp;need them later.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 4— Create Federated Credentials&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This allows&amp;nbsp;AWS&amp;nbsp;to impersonate this application by&amp;nbsp;establishing&amp;nbsp;a trust with an external OpenID Connect (OIDC) identity provider&amp;nbsp;and&amp;nbsp;get tokens to access Microsoft Entra ID resources.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-caller-app&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that you just created, go to Manage-&amp;gt;Certificates and Secrets. Go to the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Federated credentials&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;section on the page.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Fill the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Federated credential scenario&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;:&amp;nbsp;Other&amp;nbsp;issuer&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Issuer&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Add the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Token Issuer URL&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that we copied in Step 1 from AWS.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Type&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;: &lt;/STRONG&gt;Explicit&amp;nbsp;subject&amp;nbsp;identifier&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Value&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Add the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;ARN&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;of the AWS resource that we copied in Step 2&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Name:&lt;/STRONG&gt; aws-federation &lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Add Description and leave the Audience claim as is. Click &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Add.&lt;/SPAN&gt;&lt;BR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 5— Register your Function App in Entra ID &amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This registration represents the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Function App resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that will receive a token and be called on the Azure side. My Function App is an API called&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-entra-federation-api.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal → Microsoft Entra ID → App registrations → +&amp;nbsp;New registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Fill in the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;function-api-app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Supported account types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Single tenant (your tenant)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Register&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Now&amp;nbsp;you’ll&amp;nbsp;see&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Directory (tenant) ID.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Copy both —&amp;nbsp;you’ll&amp;nbsp;need them later.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;6– Create an App Role&amp;nbsp;in function-api-app&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;App roles&amp;nbsp;are custom role&amp;nbsp;templates which define&amp;nbsp;permissions&amp;nbsp;that can be assigned&amp;nbsp;to users or apps.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that you just created&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;, go to Manage → App Roles in the left menu.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Create a new Role&amp;nbsp;and fill the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Display Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;access_as_app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Allow Member Types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Applications&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Value:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;access_as_app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Description:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Allow application to application access&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Do you want to enable this app role?:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;True (Checked)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click "Apply".&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;7– Assign API Permissions to the&amp;nbsp;aws-caller-app&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;previous&amp;nbsp;step we created a role on the function-api-app, now we will assign this role to the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;aws-caller-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;so that it is able to authorize and call the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;function-api-app&lt;/STRONG&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;, go to Manage → API Permissions in the left menu.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click "+ Add a permission".&amp;nbsp;Click on the "APIs my organization uses" tab.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the search bar, enter the name of the app/service principal created before&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Select Application permissions and, under the Permissions section, choose the role created before&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;(&lt;STRONG&gt;access_as_app&lt;/STRONG&gt;)&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click the "Add permissions" button.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Back in the Manage → API Permissions screen, click "&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Grant admin consent&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;for Default Directory&lt;/STRONG&gt;".&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 8— Configure Authentication on the Azure Function resource&amp;nbsp;(aws-entra-federation-api)&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Enable authentication on your function resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(&lt;STRONG&gt;aws-entra-federation-api&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;) and link it to the app registration (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;) you created earlier.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to your&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Function App resource&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in the Azure Portal&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-contrast="auto"&gt;(&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-azure-federation-api&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;On the left menu, select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Authentication.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;+ Add identity provider.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Add the following details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Identity provider:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;Microsoft&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;App registration type:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Provide details of an existing app registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Client ID:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Paste the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;of your&amp;nbsp;function-api-app from step 5(&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Issuer URL:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://login.microsoftonline.com/%3ctenant-id%3e/v2.0" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;https://login.microsoftonline.com/&amp;lt;tenant-id&amp;gt;/v2.0&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(Replace &amp;lt;tenant-id&amp;gt; with your Directory (tenant) ID)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Client application requirement:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Allow requests from any application&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Identity requirement&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; Allow requests from any identity&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Tenant requirement&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; Allow requests only from the issuer tenant&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Under&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Restrict access&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, select&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Require authentication&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Unauthenticated requests&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; HTTP 401&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Any other field not listed should remain as default.&amp;nbsp;Click "Add" and refresh the&amp;nbsp;Settings&amp;nbsp;→ Authentication view.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;The new configured provider will appear. Click "Edit".&amp;nbsp;A list of fields will appear. Make the following changes:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Allowed token audiences&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Lets&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;consider&lt;STRONG&gt; Application ID for&lt;/STRONG&gt; &lt;STRONG&gt;function-api-app&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;from step 5 as the value for variable&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. Add the following three different audiences.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&amp;lt;APP_URI&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;api://&amp;lt;APP_URI&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;api://&amp;lt;APP_URI&amp;gt;&amp;nbsp;/.default&lt;/SPAN&gt; &lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Any other field not listed should remain as default.&amp;nbsp;Save&amp;nbsp;the changes.&amp;nbsp;Now the Function App will&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;only accept calls with valid Azure AD access tokens&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Congratulations, you have successfully completed the setup&amp;nbsp;required&amp;nbsp;for using Federated Identity authentication. Now&amp;nbsp;let’s&amp;nbsp;test if the setup is working correctly.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 3: Validating the setup&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;9&amp;nbsp;–&amp;nbsp;Requesting Azure token and authenticating to the function app.&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In my case,&amp;nbsp;I’ve&amp;nbsp;logged&amp;nbsp;in to my AWS account using&amp;nbsp;my user account (not root user)&amp;nbsp;and then opened&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;AWS&amp;nbsp;CloudShell&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. I will be&amp;nbsp;validating&amp;nbsp;the setup through user account as I have not deployed any AWS resource.&amp;nbsp;You should be able to request for Azure token through Lambda or other AWS resource in a similar manner.&amp;nbsp;&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We will be using the following variable and values in the following steps:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ARN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&amp;nbsp;&lt;/STRONG&gt;The ARN of the role created in step 2 on AWS.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;TENANT_ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;: &lt;/STRONG&gt;Your Azure tenant ID. You can find it by going to your Account&amp;nbsp;→&amp;nbsp;All directories and copying the Directory ID.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;CLIENT_ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; The Application (client) ID of the app registration created in step 3 for the AWS caller app (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-caller-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; The Application (client) ID of the app registration created in step 5 for the function app resource (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;DEFAULT_DOMAIN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;You can find this in the overview section of your Azure Function app&amp;nbsp;resource (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-entra-federation-api&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;We&amp;nbsp;need to follow&amp;nbsp;a few extra steps because this validation uses a user account. In production, the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;AWS SDK performs the ‘identity proofing’&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;step (step 4) for you. In your code, you simply take that identity, exchange it for an Azure token at the Microsoft Entra endpoint, and use the token to call your Azure Function. As a result, a production workload typically doesn’t need the first four steps.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Assume the Role that was created earlier for the AWS resource in Step 2, we are logged in to the AWS&amp;nbsp;CloudShell&amp;nbsp;with the user&amp;nbsp;account&amp;nbsp;but we need to use the role that we created earlier to generate AWS token and exchange it for Azure token.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;aws sts assume-role --role-arn &amp;lt;ARN&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;As&amp;nbsp;output,&amp;nbsp;we get&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;accesskeyid,&amp;nbsp;secretaccesskey&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;sessiontoken&lt;/STRONG&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;We will be using these as variables in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Set these&amp;nbsp;values&amp;nbsp;as variables:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;export AWS_ACCESS_KEY_ID="&amp;lt;accesskeyid&amp;gt; " 
export AWS_SECRET_ACCESS_KEY="&amp;lt;secretaccesskey&amp;gt; " 
export AWS_SESSION_TOKEN="&amp;lt;sessiontoken&amp;gt;"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Generate the AWS OIDC Token&amp;nbsp;that is specifically formatted for Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;aws sts get-web-identity-token \ 
--audience "api://AzureADTokenExchange" \ 
--signing-algorithm "RS256" \ 
--duration-seconds 3600&lt;/LI-CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;We get the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;WebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in the output.&amp;nbsp;Store it as we will be using it in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Now we will exchange the AWS token (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;WebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;) for an Entra ID token&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X POST 
"https://login.microsoftonline.com/&amp;lt;TENANT_ID&amp;gt;/oauth2/v2.0/token" \ 
-H "Content-Type: application/x-www-form-urlencoded" \ 
-d "client_id=&amp;lt;CLIENT_ID&amp;gt; " \ 
-d "scope=api://&amp;lt;APP_URI&amp;gt; /.default" \ 
-d "grant_type=client_credentials" \ 
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \ 
-d "client_assertion=&amp;lt;WebIdentityToken&amp;gt; "&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;We get the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;access_token&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;as the output of the last step. Store it as we will be using it in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Use the Entra ID token from the last step to send a request to&amp;nbsp;your&amp;nbsp;app—in this case, the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X GET "https://&amp;lt;DEFAULT_DOMAIN&amp;gt; " \ 
-H "Authorization: Bearer &amp;lt;access_token&amp;gt;" \ 
-H "Content-Type: application/json"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;You should get a&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;200 OK&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;response.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
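&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The exchange and audience check from the steps above, as an added Python example that is not part of the original post: it builds the same form body as the curl command, can perform the exchange when a WebIdentityToken is supplied, and inspects the issuer, audience and caller claims of the returned access token against the three audiences configured on the Function App before the token is used. TENANT_ID, CLIENT_ID and APP_URI are placeholder values standing in for the variables listed above, and the token used in the offline run is constructed, not issued by Microsoft Entra ID.&lt;/SPAN&gt;&lt;/P&gt;

```python
"""Helpers for the AWS to Entra ID token exchange described above.

Added example, not code from the original post. TENANT_ID, CLIENT_ID and
APP_URI are placeholders for the values collected in the variable list.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Placeholder values (assumed); replace with your own tenant and app IDs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # aws-caller-app
APP_URI = "22222222-2222-2222-2222-222222222222"     # function-api-app

TOKEN_ENDPOINT_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(tenant_id):
    return TOKEN_ENDPOINT_TEMPLATE.format(tenant=tenant_id)


def build_exchange_form(client_id, app_uri, web_identity_token):
    """Form fields of the client-credentials request shown in the curl step.
    The AWS WebIdentityToken travels as the client_assertion; no client secret."""
    return {
        "client_id": client_id,
        "scope": "api://{}/.default".format(app_uri),
        "grant_type": "client_credentials",
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": web_identity_token,
    }


def exchange_web_identity_token(tenant_id, client_id, app_uri, web_identity_token):
    """POST the exchange request (network access required) and return the JSON reply."""
    body = urllib.parse.urlencode(
        build_exchange_form(client_id, app_uri, web_identity_token)).encode()
    req = urllib.request.Request(
        token_endpoint(tenant_id), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def allowed_audiences(app_uri):
    """The three audiences configured on the Function App's authentication provider."""
    return {app_uri, "api://{}".format(app_uri), "api://{}/.default".format(app_uri)}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a compact JWT without verifying its signature.
    Signature validation is performed by the Function App's built-in authentication;
    this helper only lets you inspect what you are about to send."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token(jwt, tenant_id, client_id, app_uri):
    """Return a list of mismatches between the token and this setup (empty means ok)."""
    claims = decode_claims(jwt)
    problems = []
    expected_iss = "https://login.microsoftonline.com/{}/v2.0".format(tenant_id)
    if claims.get("iss") != expected_iss:
        problems.append("issuer {!r} is not {!r}".format(claims.get("iss"), expected_iss))
    if claims.get("aud") not in allowed_audiences(app_uri):
        problems.append("audience {!r} is not an allowed audience".format(claims.get("aud")))
    # v2.0 app-only tokens carry the caller's client id in 'azp'; v1.0 tokens use 'appid'.
    caller = claims.get("azp", claims.get("appid"))
    if caller != client_id:
        problems.append("token was issued to {!r}, not to the AWS caller app".format(caller))
    return problems


def make_sample_token(claims):
    """Build an unsigned JWT with the given claims. Constructed test data only:
    Entra ID issues RS256-signed tokens, never alg=none."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "{}.{}.".format(enc({"alg": "none", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    web_identity_token = os.environ.get("WEB_IDENTITY_TOKEN")
    if web_identity_token:
        # Real exchange: needs network access and the placeholder IDs filled in.
        access_token = exchange_web_identity_token(
            TENANT_ID, CLIENT_ID, APP_URI, web_identity_token)["access_token"]
    else:
        # Offline run: a constructed token shaped like a v2.0 app-only token.
        access_token = make_sample_token({
            "iss": "https://login.microsoftonline.com/{}/v2.0".format(TENANT_ID),
            "aud": APP_URI, "azp": CLIENT_ID, "tid": TENANT_ID})
    issues = check_access_token(access_token, TENANT_ID, CLIENT_ID, APP_URI)
    print("token ok" if not issues else "\n".join(issues))
```

&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Run it with the WebIdentityToken from the get-web-identity-token step in the WEB_IDENTITY_TOKEN environment variable to perform the real exchange, or without it to see the checks applied to the constructed sample. A token that fails the audience check would be rejected by the Function App with an HTTP 401 under the authentication settings configured above, so checking the claims first tells you which side of the setup to look at.&lt;/SPAN&gt;&lt;/P&gt;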
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="none"&gt;Conclusion&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;By implementing&amp;nbsp;Workload&amp;nbsp;Identity Federation, you have moved away from the "Secret Management" era of cloud security. Instead of worrying about rotating client secrets or securing them in a vault, you are now using a short-lived, verifiable trust relationship between AWS and Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;What's Next?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Now that your authentication is secure, you can explore:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Fine-Grained Authorization&lt;/STRONG&gt;:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Use the claims inside the Azure Access Token to restrict specific actions within your Azure Function code.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Conditional Access Policies:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Layer on Azure Conditional Access to ensure requests only come from trusted locations, such as your specific AWS VPC or a designated IP range&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Automating with&amp;nbsp;Terraform/Bicep:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Now that&amp;nbsp;you've&amp;nbsp;done it manually, consider codifying this setup to ensure consistent security across all your environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 04:38:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/authenticating-aws-workloads-to-azure-functions-using-workload/ba-p/4531603</guid>
      <dc:creator>kasturi</dc:creator>
      <dc:date>2026-06-29T04:38:32Z</dc:date>
    </item>
    <item>
      <title>Check This Out! (CTO!) Guide (May/June 2026)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-may-june-2026/ba-p/4529349</link>
      <description>&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/users/tysonpaul/322025" data-lia-auto-title="Member: TysonPaul | Microsoft Community Hub" data-lia-auto-title-active="0" target="_blank"&gt;Member: TysonPaul | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/triggering-azure-functions-from-blob-storage-using-event-grid/4518184" target="_blank" rel="noopener noreferrer"&gt;Triggering Azure Functions from Blob Storage Using Event Grid&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/andrewcoughlin/449905" target="_blank" rel="noopener noreferrer"&gt;AndrewCoughlin&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to trigger Azure Functions from Blob Storage events using Azure Event Grid for real-time file processing. It outlines a step-by-step approach: create and deploy an Azure Function with an Event Grid trigger, set up an Event Grid subscription for BlobCreated events, and validate the process by uploading a blob. The method minimizes latency and avoids polling, making it suitable for enterprise scenarios. Key pitfalls include creating subscriptions before the function exists and misconfigurations. The article provides sample code and emphasizes the solution's simplicity, reliability, and operational transparency.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/tls-certificate-pinning-and-best-practices-in-azure-open-source-relational-datab/4519531" target="_blank" rel="noopener noreferrer"&gt;TLS Certificate Pinning and Best Practices in Azure Open-Source Relational Databases&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/tameikal/394903" target="_blank" rel="noopener noreferrer"&gt;TameikaL&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt;&amp;nbsp;The article explains TLS certificate pinning and its implications for Azure open-source relational databases (PostgreSQL, MySQL). Certificate pinning enhances client-side security but increases operational risk, especially during certificate rotations, by causing connection failures if certificates change. Unlike Azure SQL, where certificate validation is platform-managed, Azure OSS databases use client-managed trust. The article advises against certificate pinning and recommends trusting documented root CAs, using standard TLS validation modes, and maintaining up-to-date trust stores to ensure secure and resilient client connections during certificate updates.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/azure-ddos-protection--azure-waf-a-layered-defense-for-modern-ddos-attacks/4523745" target="_blank" rel="noopener noreferrer"&gt;Azure DDoS Protection &amp;amp; Azure WAF: A Layered Defense for Modern DDoS Attacks&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/saikishor/2933317" target="_blank" rel="noopener noreferrer"&gt;saikishor&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how Microsoft Azure provides a layered defense against modern DDoS attacks by combining platform-level infrastructure protection, Azure DDoS Protection for network-level threats (Layers 3/4), and Azure Web Application Firewall (WAF) for application-layer (Layer 7) attacks. This multi-tiered approach ensures comprehensive mitigation by addressing both high-volume network floods and sophisticated application-level threats, using adaptive techniques, rate limiting, bot protection, and real-time analytics. The article emphasizes that a defense-in-depth strategy—leveraging both Azure DDoS Protection and WAF—is essential for safeguarding internet-facing applications and maintaining service availability.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/scaling-github-advanced-security-in-azure-devops-with-a-single-reusable-yaml-tem/4518410" target="_blank" rel="noopener noreferrer"&gt;Scaling GitHub Advanced Security in Azure DevOps with a single reusable YAML template&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/paulams732/3255182" target="_blank" rel="noopener noreferrer"&gt;Paulams732&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article describes how to streamline GitHub Advanced Security (GHAS) integration in Azure DevOps by using a single, reusable YAML pipeline template. This approach dynamically detects repository content, runs only relevant security scans for application code and infrastructure-as-code, and centralizes configuration and reporting. It eliminates the need for multiple pipelines, reduces maintenance, ensures consistent security coverage, and supports polyglot and mixed repositories, resulting in a scalable and efficient DevSecOps process. Key lessons include the importance of detection-driven execution, dynamic configuration, and unified workflows for effective security management across diverse codebases.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/building-ai-guardian-extension-ai-detection-and-enterprise-ai-security/4521125" target="_blank" rel="noopener noreferrer"&gt;Building AI Guardian Extension: AI Detection and Enterprise AI Security&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/ranjsharma/2999223" target="_blank" rel="noopener noreferrer"&gt;ranjsharma&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses the security and governance challenges posed by rapid enterprise adoption of generative AI tools, focusing on the risks of "Shadow AI"—the unauthorized use of AI platforms that can lead to data leakage and compliance violations. It introduces the AI Guardian Extension, a platform that autonomously detects and protects against Shadow AI by monitoring AI interactions, preventing sensitive data exposure, blocking risky prompts, and generating compliance reports, thereby enabling safe, compliant, and visible enterprise AI usage.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/public-preview-migrate-your-regional-virtual-machines-to-availability-zones/4517298" target="_blank" rel="noopener noreferrer"&gt;Public Preview: Migrate your regional virtual machines to availability zones&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/micahmckittrick/86476" target="_blank" rel="noopener noreferrer"&gt;micahmckittrick&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced a public preview feature enabling Azure users to migrate regional (nonzonal) Virtual Machines (VMs) and VM Scale Sets (VMSS Flex) into specific availability zones without rebuilding resources. The migration preserves VM names, disks, IPs, and other properties. This improves fault isolation, compliance, and disaster recovery. The process involves deallocating the VM, assigning it to a zone, and restarting it. Migration is one-way and must be done per VM. Certain configurations, like Basic SKU IPs and unmanaged disks, are not supported. Users are advised to roll out migrations in batches for production workloads.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/use-azure-container-registry-as-an-upstream-source-for-artifact-cache/4517102" target="_blank" rel="noopener noreferrer"&gt;Use Azure Container Registry as an Upstream Source for Artifact Cache&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/toddysm/931088" target="_blank" rel="noopener noreferrer"&gt;toddysm&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/05/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Container Registry (ACR) now supports using another ACR as an upstream source for artifact cache, enabling secure image promotion and distribution within organizations. This feature allows registries to cache images from other ACRs, with user-assigned managed identities (UAMI) supported for authentication, improving security by eliminating credential management. Common scenarios include promoting images between Dev and Prod registries and implementing hub-and-spoke registry topologies. The setup uses Azure CLI, requires proper RBAC permissions, and works best within the same tenant. Cross-tenant and some network configurations have limited support; portal integration is coming soon.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/how-to-use-instance-mix-with-azure-virtual-machine-scale-sets/4522574" target="_blank" rel="noopener noreferrer"&gt;How to use Instance Mix with Azure Virtual Machine Scale Sets&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/orinthomas/251291" target="_blank" rel="noopener noreferrer"&gt;OrinThomas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/24/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Instance Mix for Azure Virtual Machine Scale Sets allows you to specify up to five compatible VM sizes in a single scale set (Flexible orchestration mode), enhancing scalability, cost optimization, and provisioning success. Azure selects VM sizes during scale-out based on your chosen allocation strategy (LowestPrice, CapacityOptimized, or Prioritized). Best for stateless, horizontally scalable workloads, Instance Mix requires similar VM types, compatible architectures, and pre-checked quotas. It’s configured via Azure CLI or portal, with operational tips for optimal use. Avoid mixing very different VM types, and always verify availability and quotas before production deployment.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/the-end-is-nigh-for-des-and-an-update-for-hunting-down-rc4/4499821" target="_blank" rel="noopener noreferrer"&gt;The End is Nigh for DES and an Update for hunting down RC4&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/chris_cartwright/721086" target="_blank" rel="noopener noreferrer"&gt;Chris_Cartwright&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/08/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is finalizing the removal of DES and RC4 encryption types from Windows Kerberos authentication to enhance security. The article provides updated XML filters and event forwarding methods to help administrators identify and track the use of DES and RC4 in their environments. It also includes resources, scripts, and guidance for transitioning to stronger cryptography, with references to related Microsoft support articles and previous blog posts. Note: The described Event Forwarding methods are not yet compatible with Server 2025 but will be updated in the future.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/windows-365-for-agents-run-ai-agents-in-cloud-pcs-across-real-applications/4523433" target="_blank" rel="noopener noreferrer"&gt;Windows 365 for Agents: run AI agents in Cloud PCs across real applications&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Windows 365 for Agents, now in public preview, enables AI agents to autonomously execute real workflows across applications—including legacy and UI-based systems—within secure, policy-controlled Cloud PCs. This represents a shift from API-based automation, allowing agents to complete complex tasks like processing invoices or updating CRM data while maintaining enterprise security and control. Administrators can define boundaries and monitor agent activity, ensuring agents operate safely without impacting production systems. Windows 365 for Agents thus offers a secure, dedicated environment for scalable, autonomous AI workflow automation across diverse software environments.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/from-scale-to-breakthrough-azure-netapp-files-sets-a-new-cloud-benchmark-for-eda/4520890" target="_blank" rel="noopener noreferrer"&gt;From Scale to Breakthrough: Azure NetApp Files Sets a New Cloud Benchmark for EDA Performance&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/geertvanteylingen/222853" target="_blank" rel="noopener noreferrer"&gt;GeertVanTeylingen&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights Azure NetApp Files’ new “large volume breakthrough mode,” which sets a benchmark for cloud storage in Electronic Design Automation (EDA) workloads. Independently validated SPECstorage® 2020 benchmarks show this mode enables exceptional scalability and consistent sub-millisecond latency, supporting thousands of parallel EDA jobs without performance bottlenecks. Both single and scaled configurations demonstrated linear scaling in throughput and concurrency, empowering faster, more efficient chip design cycles. As a result, Azure NetApp Files transforms cloud storage from a limiting factor to a strategic enabler for modern, high-performance semiconductor design workflows.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/modernizing-azure-virtual-desktop-with-nerdio-and-azure-files/4516542" target="_blank" rel="noopener noreferrer"&gt;Modernizing Azure Virtual Desktop with Nerdio and Azure Files&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/vybava_ramadoss/70516" target="_blank" rel="noopener noreferrer"&gt;Vybava_Ramadoss&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/04/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how organizations scaling Azure Virtual Desktop (AVD) face challenges with user profile storage, identity management, and cost efficiency. Nerdio Manager streamlines AVD deployment by integrating compute, storage, and identity management, reducing complexity and configuration drift. Azure Files Provisioned v2 enhances storage performance and cost efficiency, while Entra ID authentication simplifies identity architecture. Together, Nerdio and Azure Files enable faster, more reliable, and cost-effective AVD environments with improved user experience, especially during peak loads, and ensure consistent, audit-ready governance at enterprise scale.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/cutover-strategy-for-azure-paas-services-a-step-by-step-guide-to-near-zero-downt/4517261" target="_blank" rel="noopener noreferrer"&gt;Cutover Strategy for Azure PaaS Services: A Step-by-Step Guide to Near Zero-Downtime Migrations&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/lapadman/3477420" target="_blank" rel="noopener noreferrer"&gt;lapadman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines a step-by-step cutover strategy for migrating enterprise applications to Azure PaaS with near zero downtime. Emphasizing phased parallel cutover, it recommends gradual traffic shifts, robust rollback plans, and continuous monitoring to minimize risk. High availability (HA) and disaster recovery (DR) must be integrated into each phase. Messaging systems, particularly Azure Service Bus, are highlighted as the most complex component. The guide details essential roles, tools, metrics, and checklists to ensure a safe, controlled migration, concluding that cutover and HA/DR should be treated as a unified process for successful Azure transitions.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/preview-cis-benchmarks-on-azure-now-for-windows-server/4523432" target="_blank" rel="noopener noreferrer"&gt;[Preview] CIS Benchmarks on Azure; Now for Windows Server&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/amirb/2954344" target="_blank" rel="noopener noreferrer"&gt;AmirB&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is announcing the preview of built-in CIS Benchmarks for Windows Server within Azure Policy and Machine Configuration, initially supporting Windows Server 2025. This expands their compliance offerings, which already cover Linux, to Windows environments managed by Azure and Arc. The solution allows flexible configuration, exportable compliance as code, and unified management across machine types. The preview starts in audit-only mode, with auto-remediation and enforcement planned. Future updates will add support for more Windows editions, granular rule enforcement, STIG baselines, and retire older, overlapping policies for streamlined compliance management in Azure.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/introducing-the-azure-resource-manager-mcp-server/4517521" target="_blank" rel="noopener noreferrer"&gt;Introducing the Azure Resource Manager MCP Server!&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/stevenbucher/1481362" target="_blank" rel="noopener noreferrer"&gt;stevenbucher&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article announces the public preview of the Azure Resource Manager MCP Server, a tool enabling AI agents to interact with Azure infrastructure via Azure Resource Manager. It allows agents to generate, validate, and execute Azure Resource Graph queries, deploy and manage ARM templates, and monitor deployments—all from natural language prompts. The server supports compliance audits, rapid provisioning, and policy checks, and integrates with GitHub Copilot. It respects Azure security policies and is initially available for VS Code, with more features and client support planned. Users can install and provide feedback during the preview phase.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/the-power-behind-ai-your-brain/4508109" target="_blank" rel="noopener noreferrer"&gt;The power behind AI: Your brain&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/nency_yera/3427044" target="_blank" rel="noopener noreferrer"&gt;Nency_Yera&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article shares Nency Yera’s journey as a neurodivergent professional with ADHD who, despite having no coding background, leveraged AI tools like GitHub Copilot and VS Code by customizing them to fit her thinking style. With supportive leadership and a personalized, step-by-step approach, she built practical solutions for her workplace. The story emphasizes that neurodivergent brains are assets, and that AI becomes powerful when adapted to individual needs, enabling anyone—regardless of technical background—to create impactful tools and unlock new potential.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/new-microsoft-certified-intelligent-applications-builder-associate-certification/4494118" target="_blank" rel="noopener noreferrer"&gt;New Microsoft Certified: Intelligent Applications Builder Associate Certification&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/libertymunson/50590" target="_blank" rel="noopener noreferrer"&gt;LibertyMunson&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced the Certified: Intelligent Applications Builder Associate Certification, aimed at professionals building AI-powered business solutions using Microsoft Power Platform, Copilot, and natural language tools. To earn the certification, candidates must pass Exam AB-410 (beta), which validates skills in creating intelligent applications, automation, data models, and integrating AI agents. The first 300 test-takers before June 17, 2026, receive an 80% discount. Candidates should have experience with Dataverse, Power Apps, Power Automate, and Copilot features. The certification becomes generally available in July 2026, with preparation resources and study guides provided by Microsoft.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/ansible--azure-arc-use-ansible-modules-to-deploy-and-manage-azure-arc-machine-ex/4521689" target="_blank" rel="noopener noreferrer"&gt;Ansible + Azure Arc: Use Ansible modules to deploy and manage Azure Arc machine extensions at scale&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alinetran/1972499" target="_blank" rel="noopener noreferrer"&gt;alinetran&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced new Ansible modules in the azure.azcollection for managing Azure Arc machine extensions at scale. These modules allow teams to automate the deployment, update, and removal of Azure Arc extensions through Ansible playbooks, streamlining extension lifecycle management across hybrid and multicloud environments. This integration eliminates the need for separate tools, enforces consistent configurations, supports compliance scenarios like centralized SSH access, and enhances visibility into extension states. The update strengthens Azure Arc’s position as a unified management platform for Windows and Linux servers using familiar automation workflows.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/simplified-access-to-hotpatching-enabled-by-azure-arc-for-windows-server-2025/4521251" target="_blank" rel="noopener noreferrer"&gt;Simplified access to Hotpatching enabled by Azure Arc for Windows Server 2025&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/sharmajyoti/2761878" target="_blank" rel="noopener noreferrer"&gt;sharmajyoti&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Windows Server 2025 introduces hotpatching enabled by Azure Arc, allowing security updates without reboots across hybrid and multicloud environments at no extra cost. Eligible servers must be connected to Azure Arc and have Virtualization-based Security enabled. Azure Update Manager and other tools enable centralized patch management, improving uptime and simplifying compliance. Hotpatching delivers monthly security updates, with quarterly cumulative updates requiring a restart. Existing enrolled machines continue receiving hotpatches without additional action, and hotpatching remains free for Azure-hosted servers. Azure Arc also provides unified governance, monitoring, and lifecycle management for diverse server environments.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/finopsblog/whats-new-in-finops-toolkit-14-%E2%80%93-april-2026/4519497" target="_blank" rel="noopener noreferrer"&gt;What's new in FinOps toolkit 14 – April 2026&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/finopsblog" target="_blank" rel="noopener noreferrer"&gt;FinOps&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/michael_flanakin/3099145" target="_blank" rel="noopener noreferrer"&gt;Michael_Flanakin&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; FinOps toolkit 14 introduces AI integration via a Copilot Studio agent template, enabling users to query FinOps hub data in natural language. It adds support for ingesting Azure Advisor and custom optimization recommendations, simplifies hub deployment options, and previews a new dataset for commitment discount eligibility. The release also delivers various fixes and enhancements across guides, Power BI, workbooks, and the PowerShell module. Looking ahead, the toolkit will deepen AI features, expand data support, and offer premium services to further help organizations optimize and manage cloud costs in Microsoft Azure environments.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuretoolsblog/azure-cli-on-macos-upcoming-installation-changes/4518596" target="_blank" rel="noopener noreferrer"&gt;Azure CLI on macOS: Upcoming Installation Changes&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuretoolsblog" target="_blank" rel="noopener noreferrer"&gt;Azure Tools&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alex-wdy/1467559" target="_blank" rel="noopener noreferrer"&gt;Alex-wdy&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is updating how Azure CLI is installed on macOS to better meet security and enterprise requirements. Starting with version 2.86.0 (Preview), Azure CLI will shift from Homebrew Core to new options: Homebrew Cask (recommended) and an offline tarball for air-gapped environments. These changes enable distribution of precompiled, signed, and notarized binaries, aligning with macOS security standards. Homebrew Core remains available during the transition, but users are encouraged to adopt the new methods and provide feedback. Full rollout details and installation instructions are available on Microsoft Learn.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuretoolsblog/from-prompt-to-production-open-in-vs-code-for-terraform-in-azure-copilot/4494931" target="_blank" rel="noopener noreferrer"&gt;From Prompt to Production: Open in VS Code for Terraform in Azure Copilot&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuretoolsblog" target="_blank" rel="noopener noreferrer"&gt;Azure Tools&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jingwei_wang/1561384" target="_blank" rel="noopener noreferrer"&gt;Jingwei_Wang&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/12/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced "Open in VS Code" for Terraform in Azure Copilot, enabling users to move seamlessly from AI-generated Terraform code in Azure Portal to real deployments within an integrated, guided workflow. This feature supports immediate editing, validation, and deployment in a browser-based VS Code environment, with built-in guidance for backend configuration and deployment. Users can select from Azure Storage, Terraform Cloud, or a temporary workspace for state management. The solution streamlines Infrastructure as Code processes for both beginners and enterprises, now in public preview, with future plans for enhanced CI/CD and editor integrations.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/understanding-and-building-an-azure-hybrid-meshed-hub-spoke-topology/4516879" target="_blank" rel="noopener noreferrer"&gt;Understanding and building an Azure Hybrid Meshed Hub-Spoke Topology&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/svenbaeck/1876236" target="_blank" rel="noopener noreferrer"&gt;Svenbaeck&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/18/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to design a secure, scalable Azure hybrid network using a meshed hub-spoke topology. Centralized hubs control all traffic and security, preventing uncontrolled lateral communication between spokes and supporting hybrid connectivity. Key design principles include controlled routing in gateways and spokes, proper VNet peering, and meshing hubs for multi-region setups. Azure Firewalls or NVAs in the hub enable traffic inspection and policy enforcement. The approach simplifies management, enhances security, and supports regional independence and fault isolation, making it suitable for enterprise-scale Azure environments. Clear address planning and consistent configuration are emphasized for effective operation.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/simplify-virtual-wan-spoke-connectivity-at-scale-with-azure-virtual-network-mana/4523055" target="_blank" rel="noopener noreferrer"&gt;Simplify Virtual WAN Spoke Connectivity at Scale with Azure Virtual Network Manager&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jay-li/1197988" target="_blank" rel="noopener noreferrer"&gt;Jay-Li&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/26/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Network Manager (AVNM) integrates with Azure Virtual WAN to simplify and automate spoke connectivity, routing, and security policy management across large-scale hub-and-spoke network architectures. By grouping virtual networks and applying centralized connectivity and routing policies, AVNM reduces repetitive manual configuration, ensures operational consistency, and enables bulk onboarding, dynamic updates, and incremental deployments. This integration streamlines operations, enhances scalability, and provides robust security controls, making it easier for organizations to manage complex Azure networking environments confidently and efficiently.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/building-resilient-networks-for-ai-supercomputers/4516919" target="_blank" rel="noopener noreferrer"&gt;Building resilient networks for AI supercomputers&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jithinjose/324164" target="_blank" rel="noopener noreferrer"&gt;jithinjose&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article details Microsoft’s networking innovations for the Fairwater AI supercomputer, focusing on resilience and efficiency at extreme GPU scale. Central to this is the Multipath Reliable Connection (MRC), a new, open-source transport protocol that distributes data across multiple paths, enabling robust, high-utilization GPU clusters even during routine network faults. Combined with a two-tier multiplane topology and static SRv6 routing, this approach minimizes disruptions, improves training throughput, and simplifies failure recovery. Microsoft, in partnership with industry leaders, is open-sourcing MRC and related tools to advance resilient AI infrastructure across the ecosystem.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/distributing-model-weights-to-your-ai-cluster-a-faster-pre-flight-on-aks-and-slu/4517294" target="_blank" rel="noopener noreferrer"&gt;Distributing model weights to your AI cluster: a faster pre-flight on AKS and Slurm&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pauledwards/363080" target="_blank" rel="noopener noreferrer"&gt;pauledwards&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces "azcp-cluster", a tool for efficiently distributing large AI model checkpoints across multi-node GPU clusters on Azure. Instead of each node downloading the full dataset separately—causing slowdowns, increased costs, and potential Azure storage throttling—azcp-cluster shards the download across nodes, then broadcasts data at high-speed over InfiniBand. This approach reduces egress costs, maximizes fabric speed, and simplifies cluster setup on Slurm and AKS. Practical deployment examples, Docker integration, and Kubernetes scheduling strategies are provided, with recommendations for both merged-image and init-container patterns. Benchmarks show significant speedups and cost savings.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/windowsosplatform/share-the-moment-listen-together-with-shared-audio/4522401" target="_blank" rel="noopener noreferrer"&gt;Share the Moment: Listen Together with Shared Audio&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows/blog/windowsosplatform" target="_blank" rel="noopener noreferrer"&gt;Windows OS Platform&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/steven%20ilami/234436" target="_blank" rel="noopener noreferrer"&gt;Steven Ilami&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/26/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces “Shared Audio,” a new Windows 11 feature that enables two users to wirelessly listen to audio from the same PC using separate Bluetooth LE Audio accessories, like headphones or hearing aids. This solves the longstanding limitation of one-audio-device connections, enhancing shared experiences during flights, study sessions, or road trips. Users can easily manage connections and individual volumes through Quick Settings. Shared Audio requires compatible LE Audio devices, Windows 11 (version 24H2 or newer), and suitable hardware. The feature aims to make group listening more accessible, convenient, and customizable for entertainment, productivity, and accessibility needs.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/how-to-secure-azure-databricks-without-public-exposure-using-waf--private-endpoi/4517721" target="_blank" rel="noopener noreferrer"&gt;How to Secure Azure Databricks without Public Exposure using WAF + Private Endpoints&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/faizaanmerchant/3432847" target="_blank" rel="noopener noreferrer"&gt;FaizaanMerchant&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines how to secure Azure Databricks using a Zero Trust Architecture by combining Azure Application Gateway with Web Application Firewall (WAF) and Private Endpoints. This approach eliminates public internet exposure, ensures all traffic is inspected and routed securely, and aligns with strict compliance requirements. The recommended architecture uses a Hub-and-Spoke model, disabling public access and enforcing internal and external access through WAF and private endpoints, respectively. Key considerations include proper DNS configuration, SSL setup, and custom WAF rules, ensuring secure, compliant, and seamless access for both internal and external users.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/cloud-native-platforms-evolve/4520195" target="_blank" rel="noopener noreferrer"&gt;Cloud Native Platforms: Evolve&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/kishorekumarpattabiraman/3426309" target="_blank" rel="noopener noreferrer"&gt;KishoreKumarPattabiraman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article argues that AI is transforming software engineering by augmenting workflows across the entire software development lifecycle—not just code generation. Success depends on disciplined adoption: turning individual AI prompts into reusable workflows, implementing robust guardrails, and maintaining clear boundaries for human judgment. Responsible AI, with practices ensuring fairness, transparency, safety, and accountability, is essential. Teams should measure AI by outcomes (like defect rates and lead time), not usage. The key is evolving engineering practices to leverage AI safely and effectively, making workflows, not individual suggestions, the core unit of value.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/new-platform-sso-with-registration-during-automated-device-enrollment-on-macos/4519846" target="_blank" rel="noopener noreferrer"&gt;New Platform SSO with registration during Automated Device Enrollment on macOS&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/14/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Intune now supports Platform Single Sign-On (PSSO) registration during Automated Device Enrollment (ADE) setup for macOS 26 and newer. With the new “Enable Registration During Setup” setting and Intune Company Portal version 5.2604.0+, users register their devices and sign in with Microsoft Entra credentials during Setup Assistant, enabling immediate access to work resources. This streamlines onboarding, reduces compliance gaps, authentication issues, and IT helpdesk tickets. The feature requires coordinated policies assigned to static user groups. Future updates aim to reduce multiple sign-in prompts for an even smoother enrollment experience.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/migrating-frontline-mobile-devices-aligning-stakeholders-before-real-world-testi/4516511" target="_blank" rel="noopener noreferrer"&gt;Migrating frontline mobile devices: Aligning stakeholders before real-world testing&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines the crucial steps for migrating frontline mobile devices by emphasizing the need to align stakeholders and processes before conducting real-world testing with Microsoft Intune. It highlights translating discovery findings into actionable decisions, identifying and aligning key operational and technical stakeholders, and ensuring readiness across licensing, identity, and device lifecycle areas. Real-world testing should validate end-to-end workflows, security, and supportability in operational conditions, not just device enrollment. Standardization can evolve post-testing, and clear ownership of success criteria is essential to achieve meaningful pilot outcomes and support future device management decisions.&lt;/P&gt;
&lt;/DIV&gt;</description>
      <pubDate>Thu, 18 Jun 2026 21:36:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-may-june-2026/ba-p/4529349</guid>
      <dc:creator>TysonPaul</dc:creator>
      <dc:date>2026-06-18T21:36:23Z</dc:date>
    </item>
    <item>
      <title>Microsoft Security Copilot: AI-Driven Security Operations at Greater Scale</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-security-copilot-ai-driven-security-operations-at/ba-p/4528912</link>
      <description>&lt;P class="lia-align-justify"&gt;At its core, Security Copilot is &lt;STRONG&gt;built to enhance every facet of security operations at machine speed&lt;/STRONG&gt;. It translates a vast array of inputs (Microsoft’s cloud-scale telemetry, threat intelligence feeds, security best practices, and enterprise-specific data) into &lt;STRONG&gt;tailored recommendations and summaries&lt;/STRONG&gt;, helping security teams &lt;STRONG&gt;“catch what others miss,” respond faster, and strengthen their expertise&lt;/STRONG&gt;. In the sections below, I explore the key security benefits of Security Copilot, its extensibility via third-party plugins and skills, and the value of its deep integration with Microsoft’s security ecosystem.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Key Benefits for Security Operations&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;Security Copilot meaningfully improves &lt;STRONG&gt;threat detection, investigation, response, correlation of signals, and analyst productivity&lt;/STRONG&gt;. The table below summarizes these core security benefits and capabilities:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 98.1481%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Operations Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Benefit with Security Copilot&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Detection&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Augmented detection of elusive threats:&lt;/STRONG&gt; Security Copilot leverages broad threat intelligence and comprehensive signals to identify subtle threats, anomalies, and attack patterns that might be missed through manual analysis. By reasoning over Microsoft’s vast security graph and global threat telemetry, it helps analysts &lt;EM&gt;“catch what others miss,”&lt;/EM&gt; ensuring &lt;STRONG&gt;unique or stealthy threats are surfaced&lt;/STRONG&gt;.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident Investigation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Faster, context-rich investigations:&lt;/STRONG&gt; Security Copilot can swiftly &lt;STRONG&gt;summarize and analyze incident data&lt;/STRONG&gt; from multiple sources, enhancing incident details with additional context from logs, alerts, and threat intel. It correlates related events and highlights root causes, giving analysts a &lt;STRONG&gt;consolidated understanding of complex incidents in minutes&lt;/STRONG&gt;. This enables quicker triage and deeper insights, so investigators know what happened and where to focus next.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Response &amp;amp; Remediation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Guided response and remediation:&lt;/STRONG&gt; Security Copilot not only identifies issues but also &lt;STRONG&gt;provides prescriptive guidance&lt;/STRONG&gt; on how to respond. It can suggest &lt;STRONG&gt;remediation steps and mitigation strategies&lt;/STRONG&gt; in plain language, helping analysts act decisively. For example, it may outline containment steps or orchestrate automated actions through integrated tools, significantly &lt;STRONG&gt;reducing response time to incidents&lt;/STRONG&gt;.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Signal Correlation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Holistic cross-domain correlation:&lt;/STRONG&gt; Because it taps into signals across identities, endpoints, email, cloud workloads, and more, Security Copilot automatically &lt;STRONG&gt;connects the dots among disparate alerts and data streams&lt;/STRONG&gt;. It presents unified incident narratives by linking related indicators (e.g., matching an endpoint malware alert with identity login anomalies and cloud logs), &lt;STRONG&gt;eliminating manual cross-tool correlation and uncovering hidden attack paths&lt;/STRONG&gt;. Analysts get a &lt;STRONG&gt;single cohesive view&lt;/STRONG&gt; of an incident across the kill chain.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Analyst Productivity&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Boosted efficiency &amp;amp; skill elevation:&lt;/STRONG&gt; By automating repetitive tasks (like scanning logs, writing KQL queries, or summarizing reports) and supporting natural language interaction, Security Copilot &lt;STRONG&gt;reduces manual workload&lt;/STRONG&gt; and accelerates everyday tasks. This lets analysts focus on higher-value activities. In practice, teams using Security Copilot have seen &lt;STRONG&gt;significant productivity gains&lt;/STRONG&gt; – a recent study found &lt;STRONG&gt;23–47% improvement in SecOps task efficiency&lt;/STRONG&gt; after adoption. Junior analysts ramp up faster (learning from Copilot’s guidance), while senior analysts can handle more incidents with less fatigue.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;These improvements translate into &lt;STRONG&gt;measurable security outcomes&lt;/STRONG&gt;. &lt;STRONG&gt;Incident response becomes faster and more consistent&lt;/STRONG&gt;, with &lt;EM&gt;mean time to resolution&lt;/EM&gt; reduced by &lt;STRONG&gt;30% on average within a few months of use&lt;/STRONG&gt; according to early research. Security Copilot’s ability to &lt;STRONG&gt;accelerate investigations and streamline tasks&lt;/STRONG&gt; drives down risk exposure and helps organizations make the most of their security investments. Ultimately, it &lt;STRONG&gt;strengthens an organization’s security posture&lt;/STRONG&gt; by augmenting human analysts with AI-driven speed, scale, and intelligence.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Seamless Integration with the Microsoft Security Ecosystem&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P class="lia-align-justify"&gt;Another key strength of Security Copilot is its &lt;STRONG&gt;deep native integration with Microsoft’s security portfolio&lt;/STRONG&gt;. From day one, Security Copilot was &lt;EM&gt;“designed with integration in mind.”&lt;/EM&gt; It &lt;STRONG&gt;plugs directly into a broad range of Microsoft security products&lt;/STRONG&gt; — including &lt;STRONG&gt;Microsoft 365 Defender (XDR), Microsoft Sentinel (SIEM), Microsoft Entra (ID and access management), Microsoft Intune (endpoint management), Microsoft Purview (compliance), and more&lt;/STRONG&gt;. In practice, Security Copilot is available as both a &lt;EM&gt;standalone portal&lt;/EM&gt; and as an &lt;STRONG&gt;embedded side-by-side experience within these Microsoft security tools&lt;/STRONG&gt;. This means a security analyst working in Microsoft Sentinel or Defender can access Copilot’s capabilities without switching context: &lt;STRONG&gt;Copilot is right there in the workflow, ready to answer questions or assist with tasks in real time&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Because of this close integration, &lt;STRONG&gt;Security Copilot can access data and signals from across all Microsoft security solutions&lt;/STRONG&gt; that an organization uses. It operates over &lt;STRONG&gt;a unified security data estate&lt;/STRONG&gt; encompassing endpoints, identities, emails, applications, cloud workloads, data repositories, and beyond. The result is truly &lt;STRONG&gt;end-to-end visibility and protection&lt;/STRONG&gt;: Copilot can reason across diverse telemetry (e.g., correlating a device malware alert from Defender with cloud logs from Azure, or identity risk signals from Entra) to provide comprehensive insight. This unified approach &lt;STRONG&gt;eliminates silos and tool fragmentation&lt;/STRONG&gt; — analysts spend less time pivoting between separate consoles or manually stitching together information because Copilot synthesizes it automatically.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Moreover, &lt;STRONG&gt;leveraging the Microsoft ecosystem means Security Copilot can immediately add value without requiring a rip-and-replace of existing tools&lt;/STRONG&gt;. It acts as a &lt;STRONG&gt;“force multiplier” across the installed Microsoft Security stack&lt;/STRONG&gt;, maximizing the return on those investments by making them more effective and easier to use. For example, &lt;STRONG&gt;Copilot can turn a collection of raw alerts from different Microsoft products into a single, coherent incident storyline with actionable next steps&lt;/STRONG&gt;. This synergy leads to significant &lt;STRONG&gt;operational efficiency gains&lt;/STRONG&gt; and a more streamlined &lt;STRONG&gt;SOC workflow&lt;/STRONG&gt;, as analysts have a central AI assistant coordinating across all defenses on their behalf.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;By providing unified insights, reducing tool sprawl, and bringing together Microsoft’s best-in-class security technologies, &lt;STRONG&gt;Security Copilot emerges as a valuable asset for modern security teams&lt;/STRONG&gt;. It empowers organizations to practice &lt;STRONG&gt;“AI-first” security operations&lt;/STRONG&gt; – enabling defenders to work faster and smarter, while fully utilizing an integrated security ecosystem to protect the enterprise from evolving threats. In summary, Microsoft Security Copilot offers a &lt;STRONG&gt;compelling combination of advanced AI capabilities, extensibility, and seamless integration&lt;/STRONG&gt; that helps security teams achieve &lt;STRONG&gt;unprecedented speed, breadth, and efficiency&lt;/STRONG&gt; in defending their organizations. &lt;STRONG&gt;It enhances human expertise with machine-scale intelligence&lt;/STRONG&gt;, improving threat detection and response outcomes and transforming the way security operations centers operate for the better.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Open Extensibility with Third-Party Plugins and Skills&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P class="lia-align-justify"&gt;A standout capability of Security Copilot is its &lt;STRONG&gt;extensible plugin architecture&lt;/STRONG&gt;, which allows it to incorporate external data sources and integrate with third-party security tools. &lt;STRONG&gt;Plugins&lt;/STRONG&gt; in Security Copilot are modular connectors that bring in specific data or perform defined actions (each plugin encapsulates certain “&lt;STRONG&gt;skills&lt;/STRONG&gt;,” such as running a KQL query, calling an API, or searching threat intel). Microsoft provides numerous &lt;STRONG&gt;pre-installed plugins&lt;/STRONG&gt; out-of-the-box for common Microsoft security services and workflows, and administrators can easily &lt;STRONG&gt;add or develop custom plugins to connect 3rd-party systems or bespoke data sources&lt;/STRONG&gt;. This design ensures that Security Copilot’s capabilities can expand and adapt to different environments.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Through both &lt;STRONG&gt;Microsoft-built and third-party plugins&lt;/STRONG&gt;, Security Copilot can tap into a wide variety of security data beyond the Microsoft stack. For example, &lt;STRONG&gt;supported third-party plugins let Copilot pull context from external solutions such as IT service management tools (e.g., ServiceNow)&lt;/STRONG&gt;, vulnerability management platforms, identity providers, network security appliances, and others. Plugins feed &lt;STRONG&gt;additional logs, alerts, and intelligence&lt;/STRONG&gt; into Copilot’s analysis, thereby enriching its understanding of incidents with non-Microsoft data and events. This means a SOC can leverage &lt;STRONG&gt;existing investments in third-party security products by having Security Copilot analyze and correlate those systems’ outputs&lt;/STRONG&gt; alongside Microsoft’s telemetry.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft and its partners have already created an &lt;STRONG&gt;ecosystem of Security Copilot plugins&lt;/STRONG&gt;. For instance, Microsoft announced &lt;STRONG&gt;15+ new third-party plugins&lt;/STRONG&gt; at Ignite 2024, spanning categories like &lt;STRONG&gt;threat intelligence&lt;/STRONG&gt; (e.g., integrating feeds from providers like CrowdSec, Cybersixgill, GreyNoise) and &lt;STRONG&gt;device/network/identity management&lt;/STRONG&gt; tools (e.g., Red Canary, Netskope, Tanium, CyberArk, etc.). These plugins bring rich external data on threat actors, indicators of compromise, vulnerabilities, device health, user activity, and more, allowing Copilot to provide even more comprehensive analyses and recommendations.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Crucially, &lt;STRONG&gt;customers can build their own plugins and skills&lt;/STRONG&gt; if needed, using Security Copilot’s developer tools and APIs. This means an enterprise could integrate a proprietary threat feed, custom data store, or even trigger custom response workflows via Copilot, tailoring the AI assistant to their unique security environment. Thanks to &lt;STRONG&gt;secure design and admin controls&lt;/STRONG&gt;, organizations maintain full governance over which plugins are enabled and how they consume resources. In summary, Security Copilot’s open, plugin-based extensibility ensures that it can &lt;STRONG&gt;grow with an organization’s needs&lt;/STRONG&gt;, incorporating &lt;STRONG&gt;any relevant third-party data or workflow&lt;/STRONG&gt; to further &lt;STRONG&gt;enhance threat analysis and incident response&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Technical Resources:&lt;/SPAN&gt;&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/" target="_blank"&gt;Security Copilot Main documentation site&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/agents-overview" target="_blank"&gt;Security Copilot agents&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/plugin-overview" target="_blank"&gt;Security Copilot plugins&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/whats-new-copilot-security" target="_blank"&gt;What’s new for Security Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/security-copilot-application-card" target="_blank"&gt;Responsible AI in Security Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/tree/main" target="_blank"&gt;Official Security Copilot GitHub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/operationalizing-microsoft-security-copilot-to-reinvent-soc-productivity/3944877" data-lia-auto-title="How to operationalize Security Copilot and increase SOC productivity" data-lia-auto-title-active="0" target="_blank"&gt;How to operationalize Security Copilot and increase SOC productivity&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
</description>
      <pubDate>Thu, 18 Jun 2026 20:49:10 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-security-copilot-ai-driven-security-operations-at/ba-p/4528912</guid>
      <dc:creator>edgarus71</dc:creator>
      <dc:date>2026-06-18T20:49:10Z</dc:date>
    </item>
    <item>
      <title>Security Copilot RBAC for Embedded Experience in Unified Security Platform</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/security-copilot-rbac-for-embedded-experience-in-unified/ba-p/4528833</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The evolution of Security Operations Centers (SOC) is increasingly driven by AI-powered capabilities that improve efficiency, accuracy, and response time. Microsoft Security Copilot represents a significant advancement in this space by embedding AI-driven assistance directly within security platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra.&lt;/P&gt;
&lt;P&gt;The concept of &lt;STRONG&gt;embedded experience&lt;/STRONG&gt; is central to this transformation. Rather than operating as a standalone interface, Security Copilot is integrated within existing security tools, allowing analysts to invoke AI-generated insights directly during investigations. This reduces the need for tool switching and accelerates decision-making.&lt;/P&gt;
&lt;P&gt;The purpose of this document is to define and explain the &lt;STRONG&gt;Role-Based Access Control (RBAC) model&lt;/STRONG&gt; required to securely enable this embedded experience. It provides a structured understanding of how access is governed across multiple layers, how these layers interact, and how organizations can align permissions with SOC workflows while maintaining a least-privilege security posture.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Understanding Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot in embedded mode operates within the context of the host platform. When invoked from Defender or Sentinel, it does not function independently but instead consumes data already accessible to the user. This model ensures that Copilot enhances visibility without expanding access boundaries.&lt;/P&gt;
&lt;P&gt;This behavior is governed by an &lt;STRONG&gt;On-Behalf-Of (OBO) model&lt;/STRONG&gt;, where Security Copilot leverages the permissions of the authenticated user. It does not introduce new entitlements or override existing RBAC configurations.&lt;/P&gt;
&lt;P&gt;As a result, the insights generated by Copilot are always limited to what the user is already authorized to see, reinforcing Zero Trust principles and preventing unauthorized data exposure.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites for Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;To enable Security Copilot in an embedded environment, organizations must establish foundational prerequisites that ensure seamless and secure operation.&lt;/P&gt;
&lt;P&gt;First, access to underlying platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra must already be provisioned. Since Copilot is not a standalone data source, it cannot function without these integrations.&lt;/P&gt;
&lt;P&gt;Second, RBAC alignment across identity, platform, and service layers must be configured correctly. Misalignment can lead to incomplete results, restricted functionality, or inconsistent analyst experiences.&lt;/P&gt;
&lt;P&gt;Finally, governance processes such as access review, monitoring, and adherence to least privilege principles should be implemented. These controls ensure that Copilot usage remains compliant, auditable, and aligned with organizational security policies.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Framework for Security Copilot&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot adopts a &lt;STRONG&gt;multi-layer RBAC model&lt;/STRONG&gt; consisting of three tightly integrated layers. These layers collectively determine whether a user can access Copilot features and what data they can retrieve.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Layer Mapping&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Layer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Role Type&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Purpose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Example Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Access Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security Copilot Platform&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Feature access control&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Determines who can use Copilot capabilities&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Copilot Owner, Security Copilot Contributor&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enables use of Copilot features but does not grant data access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Microsoft Entra ID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identity and directory governance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Controls access to identity data and reports&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Reader, Reports Reader, Security Administrator&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Governs identity insights and directory visibility&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Service-Specific RBAC&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data access control&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defines access to security data within services&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender Security Reader, Sentinel Reader&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Determines what Copilot can retrieve and present&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;This layered approach ensures that no single role grants full access. All three layers must align for complete functionality.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Platform Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot platform roles control who can interact with the Copilot interface and execute AI-driven workflows.&lt;/P&gt;
&lt;P&gt;The &lt;STRONG&gt;Security Copilot Owner role&lt;/STRONG&gt; provides administrative control over Copilot configuration, including access management and platform-level settings. This role is typically assigned to administrators responsible for governance and operational enablement.&lt;/P&gt;
&lt;P&gt;The &lt;STRONG&gt;Security Copilot Contributor role&lt;/STRONG&gt; enables analysts to run prompts, perform investigations, and interact with Copilot features during daily SOC operations. However, this role does not grant visibility into security data by itself.&lt;/P&gt;
&lt;P&gt;This clear separation ensures that Copilot remains a controlled interface layer rather than a source of privilege escalation.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Entra ID Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Microsoft Entra roles govern access to identity-related data, which is critical for security operations involving user behavior, sign-in logs, and directory insights.&lt;/P&gt;
&lt;P&gt;Roles such as &lt;STRONG&gt;Security Reader&lt;/STRONG&gt; provide read-only visibility into security data, while &lt;STRONG&gt;Reports Reader&lt;/STRONG&gt; enables access to reporting and analytics capabilities. In certain advanced cases, the &lt;STRONG&gt;Security Administrator role&lt;/STRONG&gt; may be required for configuration-level actions.&lt;/P&gt;
&lt;P&gt;This guidance emphasizes avoiding excessive privilege assignment, in particular using Global Administrator for daily operations, because that conflicts with least privilege principles.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Service-Specific RBAC Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Service-level roles determine the data sources that Security Copilot can access when embedded in platforms.&lt;/P&gt;
&lt;P&gt;In Microsoft Defender XDR, roles such as Security Reader allow access to alerts, incidents, and endpoint data. In Microsoft Sentinel, Sentinel Reader provides access to log data, analytics, and incidents. In Microsoft Entra, roles like Reports Reader provide access to identity insights.&lt;/P&gt;
&lt;P&gt;Copilot cannot retrieve or analyze data beyond what these roles permit. The output it generates is always constrained to the user’s effective permissions across these services.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Unified RBAC Behavior in Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;In an embedded scenario, all three RBAC layers are evaluated simultaneously.&lt;/P&gt;
&lt;P&gt;When a SOC analyst invokes Copilot in Defender, the system validates whether the user has permission to use Copilot, access identity data, and retrieve Defender-specific insights. Only when all these conditions are satisfied does Copilot provide a comprehensive output.&lt;/P&gt;
&lt;P&gt;This ensures that Copilot responses are both &lt;STRONG&gt;contextually rich and access-compliant&lt;/STRONG&gt;, eliminating the risk of unauthorized data exposure while maintaining operational efficiency.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Core Use Cases&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot enables a layered set of capabilities that span both analyst interaction patterns and agent-driven execution models. These use cases collectively enhance SOC efficiency, decision-making, and operational scalability.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Use Case Mapping Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Use Case&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Embedded / Agent Example&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value to SOC&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Summarization&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Transforms complex alerts, incidents, and telemetry into structured, human-readable insights by correlating signals across multiple sources&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Summarizing a Defender XDR incident involving endpoint, identity, and cloud alerts into a unified attack narrative&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces analyst fatigue and significantly accelerates triage by eliminating manual data aggregation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Guided Response&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Provides contextual, step-by-step investigative guidance and recommended remediation actions based on observed patterns and threat intelligence&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Suggesting investigation paths in Sentinel, including pivoting to identity logs, device timeline, and lateral movement indicators&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves consistency in investigations and enables less experienced analysts to operate effectively&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Script Analysis&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Evaluates scripts, queries, and command-line activities to identify malicious patterns, errors, or optimization opportunities&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Analyzing PowerShell scripts or KQL queries used in threat hunting scenarios to detect obfuscation or suspicious logic&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enhances detection accuracy and reduces the risk of missing critical indicators&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Reporting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Generates structured incident summaries, executive reports, and compliance-ready documentation with contextual insights&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Producing incident summaries for leadership or compliance teams with both technical and business context&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves communication, supports audit readiness, and reduces manual reporting overhead&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Agent-Driven SOC Use Cases (Expanded Capabilities)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;With the introduction of Security Copilot agents, the platform extends beyond assistance into orchestrated, intelligence-driven operations across SOC workflows.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent-Based Use Case&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Real Agent Example&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dynamic Threat Detection&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Continuously analyzes telemetry to identify previously undetected or weak signals across the attack surface&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dynamic Threat Detection Agent&lt;/STRONG&gt; correlates signals across Defender workload telemetry to surface hidden threats&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves detection coverage and reduces the likelihood of missed attacks&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Intelligence Correlation &amp;amp; Briefing&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Aggregates internal and external intelligence sources to generate contextual threat insights aligned to organizational risk&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Intelligence Briefing Agent&lt;/STRONG&gt; produces structured intelligence reports based on attack patterns and exposure context&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enhances situational awareness and supports proactive defense strategies&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Advanced Threat Hunting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enables hypothesis-driven and AI-assisted threat hunting by generating queries, exploring telemetry, and correlating historical data&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Advanced Threat Hunting Agent&lt;/STRONG&gt; builds and executes queries across Defender and Sentinel datasets for proactive investigation and telemetry exploration&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Accelerates threat discovery and reduces reliance on manual query development&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analysis &amp;amp; Threat Prioritization&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Performs AI-driven analysis of security telemetry to identify high-risk patterns, prioritize threats, assess risk exposure, and recommend investigative actions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analyst Agent&lt;/STRONG&gt; analyzes password spray attacks, ransomware activity, malware campaigns, identity abuse, and other security risks by generating telemetry-driven assessments and recommendations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves analyst productivity, prioritizes high-impact threats, and enables faster decision making&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Triage Automation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Automates alert prioritization and classification by adding contextual enrichment and reducing noise&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Triage Agent / Phishing Triage Agent&lt;/STRONG&gt; evaluates alerts and distinguishes between real threats and false positives&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces alert fatigue and improves prioritization accuracy in high-volume environments&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;End-to-End Investigation Orchestration&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Performs multi-step investigation by gathering signals, correlating activity, and building attack timelines&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analyst Agent&lt;/STRONG&gt; investigates incidents across identity, endpoint, email, cloud, and data signals to produce a consolidated incident narrative&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces Mean Time to Investigate (MTTI) and ensures consistent investigation outcomes&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Cross-Domain Threat Correlation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Connects signals across identity, endpoint, cloud, email, and data domains to identify multi-stage attack chains&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agents operating across Defender, Entra, Sentinel, and Security Copilot correlate activities such as phishing leading to identity compromise and lateral movement&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Breaks down silos and enables holistic threat visibility across the environment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Remediation &amp;amp; Response Enablement&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identifies vulnerable assets and supports remediation workflows through contextual recommendations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agents integrated with endpoint and policy systems suggest patching actions, containment actions, and configuration changes based on detected risks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves response effectiveness and strengthens overall security posture&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Each of these use cases operates within the RBAC boundaries defined earlier, ensuring secure and context-aware outputs.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Mapping Use Cases to SOC Processes&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The four core use cases align directly with SOC operational stages, enabling a consistent and repeatable analysis model.&lt;/P&gt;
&lt;P&gt;Summarization plays a significant role during the &lt;STRONG&gt;detection and triage phase&lt;/STRONG&gt;, where analysts need quick clarity on incoming alerts. Instead of manually analyzing raw data, Copilot provides a structured overview, helping analysts determine priority and relevance.&lt;/P&gt;
&lt;P&gt;Guided response becomes critical during the &lt;STRONG&gt;investigation and response phase&lt;/STRONG&gt;, where decision-making speed is essential. By suggesting next steps and correlating data points, Copilot assists analysts in navigating complex attack scenarios.&lt;/P&gt;
&lt;P&gt;Script analysis supports both &lt;STRONG&gt;threat hunting and investigation&lt;/STRONG&gt;, allowing analysts to validate scripts, queries, or automation logic. This reduces the risk of overlooking malicious behavior embedded in scripts.&lt;/P&gt;
&lt;P&gt;Reporting aligns with the &lt;STRONG&gt;post-incident and compliance phase&lt;/STRONG&gt;, where structured documentation is required. Copilot generates summaries that can be shared with leadership or compliance teams, ensuring clarity and consistency.&lt;/P&gt;
&lt;P&gt;Together, these use cases create a continuous cycle of detection, investigation, response, and reporting, fully integrated with SOC workflows.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot’s embedded experience represents a transformative shift in how AI is integrated into security operations. By embedding intelligence directly within platforms such as Defender and Sentinel, it enhances analyst productivity while maintaining strict governance controls.&lt;/P&gt;
&lt;P&gt;The three-layer RBAC model, consisting of Security Copilot roles, Microsoft Entra roles, and service-specific roles, ensures that access is both secure and compliant with least privilege principles. The On-Behalf-Of model further guarantees that Copilot does not expand access beyond existing permissions.&lt;/P&gt;
&lt;P&gt;The inclusion of structured use cases such as summarization, guided response, script analysis, and reporting enables organizations to operationalize Copilot effectively across SOC processes.&lt;/P&gt;
&lt;P&gt;When RBAC is properly aligned and integrated with SOC workflows, Security Copilot becomes a powerful enabler of faster investigations, improved accuracy, and enhanced security posture—all while maintaining strict control over data access and governance.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 11:10:30 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/security-copilot-rbac-for-embedded-experience-in-unified/ba-p/4528833</guid>
      <dc:creator>SantoshPargi</dc:creator>
      <dc:date>2026-06-17T11:10:30Z</dc:date>
    </item>
    <item>
      <title>Automating Daily MDE Compliance Monitoring Across Azure VMs</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/automating-daily-mde-compliance-monitoring-across-azure-vms/ba-p/4528274</link>
      <description>&lt;H2&gt;The Problem We’re Solving&lt;/H2&gt;
&lt;P&gt;Most security teams have no automated way to know when a VM silently falls out of MDE coverage, whether because the agent stopped, the VM was newly provisioned without onboarding, or the device stopped reporting. This Logic App closes that gap and puts the right information in front of the right people every day.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Disclaimer: This solution is designed for Azure Virtual Machines only. For non-Azure VMs onboarded to Microsoft Defender for Endpoint through Azure Arc, a separate companion blog will be published soon to cover that scenario.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;What changes once you deploy this&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Challenge Without This Logic App&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;How This Logic App Helps&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security gaps go undetected for days or weeks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Any VM that is not onboarded or has stopped reporting is caught within 24 hours of the daily run&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;No automated owner notification&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM's ServerOwner tag is read automatically, and the owner is emailed directly with full compliance details&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;VMs with no owner fall through the cracks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Flagged explicitly in the IT summary report with instructions for how to assign the tag&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Manual compliance reporting is time-consuming&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Full CSV report auto-attached to every daily IT summary; no manual extraction needed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agents silently stop reporting after onboarding&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Detects "Onboarded, Not Reporting" as a distinct status, separate from "Not Onboarded"&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Large multi-subscription environments are hard to cover&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Paginated queries across all enabled subscriptions; every running VM is checked&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Compliance States Detected&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Compliance Status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Priority&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Means&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Not Onboarded&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;P2, High&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM is running in Azure but has never appeared in MDE. There is zero security telemetry for this machine.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Onboarded, Not Reporting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;P3, Medium&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM was previously enrolled but has not checked in within the configured window. The MDE agent may be stopped or the VM may have lost network connectivity to MDE.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Compliant&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No alert&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;VM is onboarded and checked in within the required time window. It is excluded from all notifications.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Running VMs Only: &lt;/STRONG&gt;This workflow queries Azure Resource Graph with a filter of powerState == "VM running". Deallocated, stopped, and powered-off VMs are intentionally excluded — they are not expected to report to MDE while offline. Only machines that are turned on are evaluated.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Workflow Architecture&lt;/H2&gt;
&lt;P&gt;The workflow runs as a sequential daily pipeline. All Azure VM data and MDE device data are collected into memory first, then each VM is evaluated in a single For Each loop.&lt;/P&gt;
&lt;H3&gt;Execution Pipeline&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Recurrence trigger fires daily at 08:00 IST.&lt;/LI&gt;
&lt;LI&gt;CONFIG compose action reads MDE_LASTSEEN_HOURS (default 24). This defines the compliance window: how recently a VM must have reported to MDE to be considered Compliant.&lt;/LI&gt;
&lt;LI&gt;Init-varITTeamEmail and Init-varSenderEmail load the configurable email addresses used for sending and receiving notifications.&lt;/LI&gt;
&lt;LI&gt;Get-AllSubscriptions calls the Azure Management API to discover all subscriptions in the tenant.&lt;/LI&gt;
&lt;LI&gt;ForEach-Subscription runs a paginated Azure Resource Graph query per enabled subscription, collecting all running VMs along with Private IP, OS Type, Location, ServerOwner tag, and VM UUID.&lt;/LI&gt;
&lt;LI&gt;Init-MDEVariables then Paginate-MDEDevices call the MDE Security Center API in pages of 10,000 to load every enrolled device into the AllMDEDevices array.&lt;/LI&gt;
&lt;LI&gt;ForEach-AzureVM looks each Azure VM up in AllMDEDevices and determines compliance status and priority.&lt;/LI&gt;
&lt;LI&gt;Non-compliant handling builds HTML and CSV rows. If the VM has a ServerOwner tag, a compliance alert email goes to the owner with the IT Team CC'd. If there's no owner, the VM is appended to NoOwnerList.&lt;/LI&gt;
&lt;LI&gt;IT Summary email is sent once all VMs are processed. If any non-compliant VMs were found, the consolidated IT report is sent with the CSV attachment. Otherwise an All Clear email is sent.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;How Azure VM Data is Matched to MDE Data&lt;/H3&gt;
&lt;P&gt;Each Azure VM is matched against the MDE device list using a two-level strategy. Both checks run for every VM on every run.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Match Method&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;How It Works&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Primary: Azure VM ID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compares azureVmId from the MDE device record (lowercase) against the VmId captured from Azure Resource Graph (lowercase). Immune to hostname changes; this is the preferred match.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Fallback: Hostname + IP&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Checks that MDE computerDnsName starts with the Azure VM name (case-insensitive) AND lastIpAddress matches the Azure Private IP. Both conditions must be true.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Not Found&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;A synthetic MDE record with onboardingStatus: "NotFound" is created. The VM is treated as Not Onboarded and a P2 High alert is raised.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
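The compliance states listed earlier and the two-level match just described, modelled as an added offline example (this is not the Logic App definition from the post). Field and variable names follow the article (VmId, PrivateIP, ServerOwner, azureVmId, computerDnsName, lastIpAddress, onboardingStatus, MDE_LASTSEEN_HOURS); the lastSeen field and the treatment of any non-"Onboarded" status as Not Onboarded are assumptions, and every VM and device record below is constructed.

```python
"""Offline model of the article's per-VM matching and compliance logic.

Constructed example, not the Logic App from the post. Field names follow the
article (VmId, PrivateIP, ServerOwner; azureVmId, computerDnsName,
lastIpAddress, onboardingStatus); lastSeen is assumed; all records are made up.
"""
import operator
from datetime import datetime, timezone

MDE_LASTSEEN_HOURS = 24  # CONFIG value from the article (default 24)

# Evaluation time, fixed so the example is deterministic.
NOW = datetime(2026, 6, 17, 8, 0, tzinfo=timezone.utc)

# Constructed Azure Resource Graph rows (running VMs only, as in the workflow).
AZURE_VMS = [
    {"Name": "web01", "PrivateIP": "10.0.1.4",
     "VmId": "0A1B2C3D-0000-4000-8000-000000000001",
     "ServerOwner": "alice@yourcompany.com"},
    {"Name": "DB01", "PrivateIP": "10.0.2.8",
     "VmId": "0a1b2c3d-0000-4000-8000-000000000002", "ServerOwner": ""},
    {"Name": "app07", "PrivateIP": "10.0.3.9",
     "VmId": "0a1b2c3d-0000-4000-8000-000000000007",
     "ServerOwner": "bob@yourcompany.com"},
]

# Constructed MDE device records in the shape the article describes.
MDE_DEVICES = [
    # Matches web01 on VM ID (note the case difference, both sides lowercased).
    {"azureVmId": "0a1b2c3d-0000-4000-8000-000000000001",
     "computerDnsName": "web01.corp.local", "lastIpAddress": "10.0.1.4",
     "onboardingStatus": "Onboarded", "lastSeen": "2026-06-17T06:00:00+00:00"},
    # Same hostname prefix as DB01 but a different IP: must NOT match (AND rule).
    {"azureVmId": "", "computerDnsName": "db01old.corp.local",
     "lastIpAddress": "10.0.2.77", "onboardingStatus": "Onboarded",
     "lastSeen": "2026-06-17T07:30:00+00:00"},
    # Hostname prefix and IP both match DB01, but the last check-in is 47h old.
    {"azureVmId": "", "computerDnsName": "db01.corp.local",
     "lastIpAddress": "10.0.2.8", "onboardingStatus": "Onboarded",
     "lastSeen": "2026-06-15T09:00:00+00:00"},
]


def match_device(vm, devices):
    """Two-level match: Azure VM ID first, then hostname + IP.

    Returns the synthetic NotFound record when neither level matches.
    """
    vm_id = (vm.get("VmId") or "").lower()
    # Primary: lowercase azureVmId against lowercase VmId (hostname-proof).
    if vm_id:
        for dev in devices:
            if (dev.get("azureVmId") or "").lower() == vm_id:
                return dev
    # Fallback: computerDnsName starts with the VM name (case-insensitive)
    # AND lastIpAddress equals the Azure private IP; both must hold.
    name = vm["Name"].lower()
    for dev in devices:
        dns = (dev.get("computerDnsName") or "").lower()
        if dns.startswith(name) and dev.get("lastIpAddress") == vm["PrivateIP"]:
            return dev
    return {"onboardingStatus": "NotFound"}


def classify(device, now=NOW, window_hours=MDE_LASTSEEN_HOURS):
    """Map a (possibly synthetic) MDE record to (status, priority)."""
    # Assumption: anything other than "Onboarded" (including the synthetic
    # NotFound record) is reported as Not Onboarded.
    if device.get("onboardingStatus") != "Onboarded":
        return ("Not Onboarded", "P2, High")
    last_seen = datetime.fromisoformat(device["lastSeen"])
    age_hours = (now - last_seen).total_seconds() / 3600
    # Compliant when the age is at most the configured window.
    if operator.le(age_hours, window_hours):
        return ("Compliant", "No alert")
    return ("Onboarded, Not Reporting", "P3, Medium")


def evaluate(vms, devices, now=NOW, window_hours=MDE_LASTSEEN_HOURS):
    """Evaluate every running VM the way the ForEach-AzureVM loop does.

    Returns (owner_alerts, no_owner_list, report_rows): owner_alerts are VMs
    whose ServerOwner gets a direct email (IT Team CC'd), no_owner_list feeds
    the 'No Owner Tag Found' section, report_rows is every non-compliant VM.
    """
    owner_alerts, no_owner, rows = [], [], []
    for vm in vms:
        status, priority = classify(match_device(vm, devices), now, window_hours)
        if status == "Compliant":
            continue  # Compliant VMs are excluded from all notifications.
        row = {"VM": vm["Name"], "PrivateIP": vm["PrivateIP"], "Status": status,
               "Priority": priority, "Owner": (vm.get("ServerOwner") or "").strip()}
        rows.append(row)
        if row["Owner"]:
            owner_alerts.append(row)
        else:
            no_owner.append(vm["Name"])
    return owner_alerts, no_owner, rows


if __name__ == "__main__":
    alerts, no_owner, rows = evaluate(AZURE_VMS, MDE_DEVICES)
    for r in rows:
        print(f"{r['VM']:8} {r['Status']:26} {r['Priority']:11} "
              f"owner={r['Owner'] or '(none)'}")
    print("No owner tag:", no_owner)
```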
&lt;H3&gt;Pagination Design&lt;/H3&gt;
&lt;P&gt;The workflow handles large environments through two independent pagination mechanisms that run before any compliance evaluation begins.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data Source&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Page Size&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Mechanism&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1,000 VMs per page&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Uses $skipToken from the response. The Until loop re-queries with the token until no token is returned (last page). Variables VMSkipToken and VMFetchComplete manage loop state per subscription. Supports up to 50,000 VMs (50 pages).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;MDE Security Center API&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;10,000 devices per page&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Uses the $skip offset parameter. MDESkip is incremented by 10,000 each iteration. The loop stops when a page returns fewer than 10,000 records. Supports up to 500,000 MDE devices (50 pages × 10,000).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Prerequisites&lt;/H2&gt;
&lt;H3&gt;Azure Resources&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Resource&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Requirement&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Notes&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Azure Logic App&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Standard plan, Stateful workflow&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Consumption plan also supported&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Managed Identity&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;System-assigned on the Logic App&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enable under Logic App &amp;gt; Identity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Sender mailbox (varSenderEmail)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Licensed Microsoft 365 account&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Emails are sent FROM this address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;IT Team email (varITTeamEmail)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Valid email address or distribution list&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Receives all reports; CC'd on owner alerts&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Azure VMs&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Running, with ServerOwner tag (recommended)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tag value must be a valid email address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;MDE licensing&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Defender for Endpoint P1 or P2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tenant must be enrolled in MDE&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;The ServerOwner Tag&lt;/H3&gt;
&lt;P&gt;Server owner notifications rely on a VM-level Azure tag. Without it, the VM is included in the IT summary, but no individual alert is sent to an owner.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tag Name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Expected Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Effect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ServerOwner&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Valid email, e.g. john@yourcompany.com&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compliance alert sent TO this address; IT Team CC'd&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;If the tag is missing or empty, the VM is flagged in the Action Required: No Owner Tag Found section of the IT summary email, with step-by-step instructions for tagging it in the Azure Portal.&lt;/P&gt;
&lt;H2&gt;Required Permissions &amp;amp; Why&lt;/H2&gt;
&lt;P&gt;The Logic App's Managed Identity must be granted three API permissions. These are Application permissions that cannot be assigned through the Azure Portal UI, so the PowerShell script in Section 4.3 must be used. Admin consent is required.&lt;/P&gt;
&lt;H3&gt;Permission Summary&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Permission&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;API / Service&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AppId&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Why It Is Required&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;user_impersonation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure Management&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;797f4846-ba00-4fd7-ba43-dac1f8f63013&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows the Managed Identity to call the Azure Resource Graph API to query VM inventory across all subscriptions. Without this, the workflow cannot discover VMs.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;WindowsDefenderATP.Read.All&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;MDE Security Center&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;fc780465-2017-40d4-a0c5-307022471b92&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows reading all device records from the MDE API (/api/machines). This returns onboarding status, last seen time, and health status, which is the core compliance data. Least privilege: the List machines API is documented as requiring Machine.Read.All; if the assignment script reports the role named here as not found on the WindowsDefenderATP service principal, assign Machine.Read.All instead.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Mail.Send&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Graph&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;00000003-0000-0000-c000-000000000000&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows sending emails via the Graph /users/{sender}/sendMail endpoint as the varSenderEmail mailbox. Without this, no alerts or reports can be sent. Caveat: as an application permission, Mail.Send lets the identity send as any mailbox in the tenant, so restrict it to the sender mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy, keyed on the Managed Identity's application ID).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;The Azure Management and MDE permissions belong to separate service principals; they are NOT part of Microsoft Graph. Each app role must be assigned against its own service principal, located by the AppId shown above, and the Azure Management access is granted through RBAC, not an app role. The Permission Assignment Script below handles the app roles; the RBAC grant is a normal role assignment on the subscriptions or management group.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Where to find the required values&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Parameter&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Where to find it in Azure Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;$tenantID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure Portal &amp;gt; Microsoft Entra ID &amp;gt; Overview &amp;gt; Tenant ID&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;$managedIdentityObjectId&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Logic App &amp;gt; Settings &amp;gt; Identity &amp;gt; System assigned tab &amp;gt; Object (principal) ID&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Permission Assignment Script&lt;/H3&gt;
&lt;P&gt;Run this in Azure Cloud Shell or any terminal with the Microsoft.Graph PowerShell module installed, signed in as an account that is allowed to grant application permissions (admin consent). Update $tenantID and $managedIdentityObjectId before running.&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;# PowerShell # ── Update these two values before running ─────────────────────────── $tenantID = "&amp;lt;tenantID&amp;gt;" # Your Tenant ID $managedIdentityObjectId = "&amp;lt;objectID&amp;gt;" # MI Object ID # Install Microsoft.Graph if not already present if (!(Get-Module -ListAvailable -Name Microsoft.Graph)) { Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force } # Connect to Microsoft Graph Connect-MgGraph -TenantId $tenantID ` -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All" # MDE Compliance Logic App needs 3 permissions across 3 different service principals $permissions = @( @{ Permission="user_impersonation"; AppId="797f4846-ba00-4fd7-ba43-dac1f8f63013" }, @{ Permission="WindowsDefenderATP.Read.All"; AppId="fc780465-2017-40d4-a0c5-307022471b92" }, @{ Permission="Mail.Send"; AppId="00000003-0000-0000-c000-000000000000" } ) foreach ($entry in $permissions) { $sp = Get-MgServicePrincipal -Filter "AppId eq '$($entry.AppId)'" $appRole = $sp.AppRoles | Where-Object { $_.Value -eq $entry.Permission } if ($appRole -ne $null) { New-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId $sp.Id ` -PrincipalId $managedIdentityObjectId ` -ResourceId $sp.Id ` -AppRoleId $appRole.Id Write-Host "Assigned: $($entry.Permission)" -ForegroundColor Green } else { Write-Host "Not found: $($entry.Permission)" -ForegroundColor Yellow } } Write-Host "All permissions assigned." -ForegroundColor Green&lt;/LI-CODE&gt;
&lt;H3&gt;Verify Permissions Assigned&lt;/H3&gt;
&lt;LI-CODE lang="powershell"&gt;# PowerShell # Run after the assignment script to verify all 3 permissions are present Get-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId $managedIdentityObjectId | Select-Object AppRoleId, PrincipalDisplayName | Format-Table -AutoSize&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;You should see one row per application permission: Microsoft Graph for Mail.Send and WindowsDefenderATP for the MDE role. Azure Management access does not appear here because it is an RBAC role, not an app role; confirm it separately in the subscription's Access control (IAM) blade, where the identity should hold Reader (or broader) on every subscription the workflow must scan. If a row is missing, re-run the assignment script. An error stating that the permission being assigned already exists is normal and can be safely ignored.&lt;/P&gt;
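&lt;P&gt;The verification above prints AppRoleId GUIDs, which are hard to read, and says nothing about the RBAC side. The following PowerShell is an added example written for this edit, not code from the original post: it resolves each assignment to its permission name, compares the result with what the workflow needs, and then grants and checks Reader on every enabled subscription so the Managed Identity can call the Azure Management API and Azure Resource Graph. It assumes the Microsoft.Graph and Az (Az.Accounts, Az.Resources) modules are installed, that $tenantID and $managedIdentityObjectId are set as in the assignment script, and that Reader is the role you want (it is sufficient for the read-only calls the workflow makes).&lt;/P&gt;

```powershell
# Added example (not part of the original post). Assumes the Microsoft.Graph and
# Az (Az.Accounts, Az.Resources) modules, and that $tenantID and
# $managedIdentityObjectId are set as in the Permission Assignment Script.

Connect-MgGraph -TenantId $tenantID -Scopes "Application.Read.All"
Connect-AzAccount -TenantId $tenantID | Out-Null

# 1) App roles: resolve each AppRoleId GUID to its permission name so the
#    output reads "Mail.Send" rather than a GUID, then compare with what the
#    workflow needs (values from the permission table above).
$expectedRoles = @("WindowsDefenderATP.Read.All", "Mail.Send")

$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId |
    ForEach-Object {
        $assignment = $_
        $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{ Api = $resource.DisplayName; Permission = $role.Value }
    }
$assigned | Format-Table -AutoSize

$missing = $expectedRoles | Where-Object { $_ -notin @($assigned.Permission) }
if ($missing) { Write-Warning "Missing app roles: $($missing -join ', ')" }
else          { Write-Host "All expected app roles present." -ForegroundColor Green }

# 2) Azure RBAC: Reader on every enabled subscription is what authorises the
#    GET /subscriptions call and the Resource Graph query. Get-AzRoleAssignment
#    also returns inherited assignments, so a grant made once at a management
#    group is recognised here and not duplicated.
foreach ($sub in Get-AzSubscription -TenantId $tenantID | Where-Object State -eq 'Enabled') {
    $scope    = "/subscriptions/$($sub.Id)"
    $existing = Get-AzRoleAssignment -ObjectId $managedIdentityObjectId `
                    -RoleDefinitionName 'Reader' -Scope $scope -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Reader already present on $($sub.Name)"
    } else {
        New-AzRoleAssignment -ObjectId $managedIdentityObjectId `
            -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
        Write-Host "Reader granted on $($sub.Name)" -ForegroundColor Green
    }
}
```

&lt;P&gt;Role assignments can take a few minutes to propagate; if the first manual run of the workflow still returns 403 on the subscriptions or Resource Graph call right after this script, wait and re-run before changing anything else. If you replaced the MDE role with Machine.Read.All, edit $expectedRoles to match.&lt;/P&gt;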
&lt;H2&gt;Creating the Logic App&lt;/H2&gt;
&lt;H3&gt;Create the resource&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Azure Portal &amp;gt; search Logic Apps &amp;gt; + Create.&lt;/LI&gt;
&lt;LI&gt;Select your Subscription and Resource Group. Logic App name: la-mde-compliance-monitor.&lt;/LI&gt;
&lt;LI&gt;Plan type: Standard &amp;gt; Windows &amp;gt; select or create a Hosting Plan &amp;gt; Review + Create &amp;gt; Create.&lt;/LI&gt;
&lt;LI&gt;Once deployed, click Go to resource.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;Enable System-assigned Managed Identity&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Open the Logic App &amp;gt; left menu: Settings &amp;gt; Identity.&lt;/LI&gt;
&lt;LI&gt;On the System assigned tab, toggle Status to On.&lt;/LI&gt;
&lt;LI&gt;Click Save &amp;gt; Yes on the confirmation dialog.&lt;/LI&gt;
&lt;LI&gt;The Object (principal) ID appears. Copy this value for the PowerShell script.&lt;/LI&gt;
&lt;LI&gt;Run the Permissions Assignment script to assign all three permissions to this identity.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Why Managed Identity: &lt;/STRONG&gt;A system-assigned Managed Identity is tied to this Logic App's lifecycle: it is created with the resource and deleted with it, so nothing is left behind to revoke. It authenticates to the Azure Management API, the MDE API, and Microsoft Graph without any stored passwords or client secrets.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;Create the workflow and import the JSON&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Logic App &amp;gt; left menu: Workflows &amp;gt; + Add.&lt;/LI&gt;
&lt;LI&gt;Workflow name: MDEComplianceMonitor. State type: Stateful. Click Create.&lt;/LI&gt;
&lt;LI&gt;Click the workflow name &amp;gt; left menu: Code.&lt;/LI&gt;
&lt;LI&gt;Press Ctrl + A &amp;gt; Delete to clear the editor completely.&lt;/LI&gt;
&lt;LI&gt;Paste the complete workflow JSON from the companion file (see Appendix A).&lt;/LI&gt;
&lt;LI&gt;Click Save. It should succeed with no validation errors.&lt;/LI&gt;
&lt;/OL&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;Always use Stateful. Stateless workflows do not support run history, have a 5-minute timeout, and do not retain intermediate state — all of which are required by this workflow's pagination loops.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H2&gt;Configuration: What You Can Change&lt;/H2&gt;
&lt;P&gt;After importing the JSON, update only the values described below. Everything else runs automatically.&lt;/P&gt;
&lt;H3&gt;Email Address Variables&lt;/H3&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Variable&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Where to Update&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;varITTeamEmail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The IT Team email address. All IT Summary reports are sent TO this address. All per-VM owner emails CC this address.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The Init-varITTeamEmail action (InitializeVariable) in the workflow; edit its value in Code view or in the designer&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;varSenderEmail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The Microsoft 365 licensed mailbox that emails are sent FROM. The Managed Identity sends as this mailbox through the Graph sendMail endpoint using its Mail.Send application permission; the mailbox itself needs no configuration, but see the note in the permission table on scoping Mail.Send to this one mailbox.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The Init-varSenderEmail action (InitializeVariable) in the workflow; edit its value in Code view or in the designer&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H3&gt;Compliance look-up window: MDE_LASTSEEN_HOURS&lt;/H3&gt;
&lt;P&gt;This setting in the CONFIG compose action defines how recently a VM must have reported to MDE to count as Compliant. Default is 24 hours.&lt;/P&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Behaviour&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;24 (default)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compliant if the VM checked in with MDE within the last 24 hours. Recommended starting point.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;12&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Stricter check; suitable for high-security environments requiring near-real-time coverage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;48&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;More relaxed; suitable for environments with scheduled maintenance windows or intermittent connectivity.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H3&gt;Running VMs Only&lt;/H3&gt;
&lt;P&gt;The Azure Resource Graph query includes a filter for powerState == "VM running". This means:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Deallocated VMs are excluded (not expected to report to MDE while offline).&lt;/LI&gt;
&lt;LI&gt;Stopped (allocated) VMs are excluded.&lt;/LI&gt;
&lt;LI&gt;Newly started VMs are included and checked on the next daily run.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;To Change the Filter: &lt;/STRONG&gt;To change the power state filter, locate the "query" string inside the Build-VMQuery-Paged action and modify the | where powerState == clause. For example, removing the filter entirely will check all VMs regardless of state.&lt;/P&gt;
&lt;H2&gt;Sample Email Notifications&lt;/H2&gt;
&lt;P&gt;The screenshots below show actual emails generated by this workflow. All sensitive data (email addresses, VM names, subscription IDs, IP addresses) has been redacted.&lt;/P&gt;
&lt;H3&gt;Per-VM owner alert&lt;/H3&gt;
&lt;P&gt;Sent to the server owner (ServerOwner tag) when their VM is non-compliant. The IT Team is CC'd. The email contains full server details, compliance status, priority, last MDE check-in time, and resolution SLA.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;If no ServerOwner tag is set, the VM is skipped here and listed in the "No Owner Tag Found" section of the IT summary instead. The tag value is used as-is as the recipient address and is also rendered unescaped in the HTML body and the CSV, so anyone who can write tags on a VM controls where its alerts go and what appears in the report. Treat the tag as data from a less trusted source and restrict who can write tags on these VMs accordingly.&lt;/P&gt;
&lt;H3&gt;IT Team Daily Summary Report&lt;/H3&gt;
&lt;P&gt;Sent once per day to the IT Team after all owner emails are dispatched. Shows up to 20 VMs inline with a full CSV attachment containing the complete list, plus a dedicated section for VMs with no owner tag.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;The CSV attachment always contains the complete list of all non-compliant VMs regardless of count. The inline HTML table is limited to 20 rows to keep the email size manageable.&lt;/P&gt;
&lt;H3&gt;All Compliant VMs:&lt;/H3&gt;
&lt;P&gt;If all VMs are compliant, you will see an email like this:&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Post-Deployment Checklist&lt;/H2&gt;
&lt;P&gt;Before you leave the workflow running unattended, walk through this checklist once.&lt;/P&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;#&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Item&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Logic App resource created (Standard plan, Stateful workflow)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;System-assigned Managed Identity enabled; Object ID copied&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;3&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;PowerShell script run; WindowsDefenderATP.Read.All and Mail.Send app roles assigned; Reader (RBAC) granted to the Managed Identity on every target subscription or their management group&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;4&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Permissions verified using Get-MgServicePrincipalAppRoleAssignment (one row per app role: Microsoft Graph and WindowsDefenderATP) and the RBAC grant confirmed under Access control (IAM)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;5&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workflow JSON pasted into Code view; saved without validation errors&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;6&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;varITTeamEmail updated to your IT security team or distribution list address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;7&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;varSenderEmail updated to a licensed Microsoft 365 mailbox&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;8&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;MDE_LASTSEEN_HOURS reviewed (default 24, adjust if needed)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;9&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;At least one Azure VM has the ServerOwner tag set with a valid email&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;10&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Manual run triggered: Logic App &amp;gt; Overview &amp;gt; Run Trigger &amp;gt; Run&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;11&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Run history shows Succeeded; no 401 or 403 errors on any HTTP action (a 403 on the subscriptions or Resource Graph calls points at a missing RBAC grant; on /api/machines or /sendMail, at a missing or not yet propagated app role)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;12&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;IT Team received the daily summary email with CSV attachment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;13&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Server owner received a per-VM alert with the IT Team CC'd&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;14&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recurrence trigger confirmed running daily at 08:00 IST&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Wrapping Up&lt;/H2&gt;
&lt;P&gt;What I love about this is how much it accomplishes with so little: a Logic App, a Managed Identity, and three permissions. No connectors, no secrets to rotate, no third-party services. Yet every morning, your security team starts the day knowing exactly which VMs are out of MDE coverage and which owners have already been notified.&lt;/P&gt;
&lt;P&gt;If you adopt this pattern, here are a few natural next steps to consider:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Hook into Microsoft Sentinel by writing non-compliant VMs to a custom table for trend analysis.&lt;/LI&gt;
&lt;LI&gt;Auto-create ServiceNow or Jira tickets for VMs that remain non-compliant for more than 48 hours.&lt;/LI&gt;
&lt;LI&gt;Extend the match logic to include Arc-enabled servers, not just Azure VMs.&lt;/LI&gt;
&lt;LI&gt;Add a Teams adaptive card notification alongside email for faster response.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;I'd love to hear how you're solving MDE coverage gaps in your environment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Appendix A: Workflow JSON&lt;/H2&gt;
&lt;P&gt;The complete Logic App workflow definition is provided below. To import it: open the Logic App in Azure Portal, navigate to the workflow, click Code view, press Ctrl + A to clear the existing content, paste the entire JSON, then click Save.&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{ "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "triggers": { "Recurrence": { "recurrence": { "frequency": "Day", "interval": 1, "schedule": { "hours": [ "8" ], "minutes": [ 0 ] }, "timeZone": "India Standard Time" }, "evaluatedRecurrence": { "frequency": "Day", "interval": 1, "schedule": { "hours": [ "8" ], "minutes": [ 0 ] }, "timeZone": "India Standard Time" }, "type": "Recurrence" } }, "actions": { "CONFIG": { "runAfter": {}, "type": "Compose", "inputs": { "MDE_LASTSEEN_HOURS": 24 } }, "Set-ExcludedSubscriptions": { "runAfter": { "CONFIG": [ "Succeeded" ] }, "type": "Compose", "inputs": [] }, "Init-varITTeamEmail": { "runAfter": { "Set-ExcludedSubscriptions": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "varITTeamEmail", "type": "string", "value": "admin@contoso.onmicrosoft.com" } ] } }, "Init-varSenderEmail": { "runAfter": { "Init-varITTeamEmail": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "varSenderEmail", "type": "string", "value": "admin@contoso.onmicrosoft.com" } ] } }, "Get-AllSubscriptions": { "runAfter": { "Init-varSenderEmail": [ "Succeeded" ] }, "type": "Http", "inputs": { "uri": "https://management.azure.com/subscriptions?api-version=2022-12-01", "method": "GET", "headers": { "Content-Type": "application/json" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com" }, "retryPolicy": { "type": "fixed", "count": 3, "interval": "PT60S" } } }, "Parse-AllSubscriptions": { "runAfter": { "Get-AllSubscriptions": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get-AllSubscriptions')", "schema": { "type": "object", "properties": { "value": { "type": "array", "items": { "type": "object", "properties": { "subscriptionId": { "type": "string" }, "displayName": { "type": 
"string" }, "state": { "type": "string" } } } } } } } }, "Init-AllVMs": { "runAfter": { "Parse-AllSubscriptions": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "AllVMs", "type": "array", "value": [] }, { "name": "VMSkipToken", "type": "string", "value": "INIT" }, { "name": "VMFetchComplete", "type": "boolean", "value": false } ] } }, "ForEach-Subscription": { "foreach": "@body('Parse-AllSubscriptions')?['value']", "actions": { "Check-SubscriptionEnabled": { "actions": { "Reset-VMSkipToken": { "type": "SetVariable", "inputs": { "name": "VMSkipToken", "value": "INIT" } }, "Reset-VMFetchComplete": { "runAfter": { "Reset-VMSkipToken": [ "Succeeded" ] }, "type": "SetVariable", "inputs": { "name": "VMFetchComplete", "value": false } }, "Until": { "actions": { "Build-VMQuery-Paged": { "type": "Compose", "inputs": { "subscriptions": [ "@{items('ForEach-Subscription')?['subscriptionId']}" ], "query": "Resources | where type == 'microsoft.compute/virtualmachines' | extend VMName = tostring(name), ResourceGroup = tostring(resourceGroup), Location = tostring(location), OSType = tostring(properties.storageProfile.osDisk.osType), VMSize = tostring(properties.hardwareProfile.vmSize), ServerOwner = tostring(tags.ServerOwner), Environment = tostring(tags.Environment), SubscriptionId = tostring(subscriptionId), nicId = tolower(tostring(properties.networkProfile.networkInterfaces[0].id)), VmId = tolower(tostring(properties.vmId)) | join kind=leftouter (Resources | where type == 'microsoft.network/networkinterfaces' | extend privateIP = tostring(properties.ipConfigurations[0].properties.privateIPAddress) | project nicId = tolower(id), privateIP) on nicId | join kind=leftouter (Resources | where type == 'microsoft.compute/virtualmachines' | extend powerState = tostring(properties.extended.instanceView.powerState.displayStatus) | project id, powerState) on id | where powerState == 'VM running' | project VMName, ResourceGroup, Location, OSType, 
VMSize, ServerOwner, Environment = 'Azure', SubscriptionId, PrivateIP = privateIP, VmId, CloudEnvironment = 'Azure'", "options": { "$skipToken": "@if(equals(variables('VMSkipToken'), 'INIT'), '', variables('VMSkipToken'))" }, "$top": 1000 } }, "Get-VMs-Paged": { "runAfter": { "Build-VMQuery-Paged": [ "Succeeded" ] }, "type": "Http", "inputs": { "uri": "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": "@outputs('Build-VMQuery-Paged')", "authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "ForEach-VM-Result-Paged": { "foreach": "@body('Get-VMs-Paged')?['data']", "actions": { "Append-SingleVM-Paged": { "type": "AppendToArrayVariable", "inputs": { "name": "AllVMs", "value": "@items('ForEach-VM-Result-Paged')" } } }, "runAfter": { "Get-VMs-Paged": [ "Succeeded" ] }, "type": "Foreach" }, "Check-VMSkipToken": { "actions": { "Set-VMFetchComplete": { "type": "SetVariable", "inputs": { "name": "VMFetchComplete", "value": true } } }, "runAfter": { "ForEach-VM-Result-Paged": [ "Succeeded" ] }, "else": { "actions": { "Set-VMSkipToken": { "type": "SetVariable", "inputs": { "name": "VMSkipToken", "value": "@body('Get-VMs-Paged')?['$skipToken']" } } } }, "expression": { "or": [ { "equals": [ "@string(body('Get-VMs-Paged')?['$skipToken'])", "" ] } ] }, "type": "If" } }, "runAfter": { "Reset-VMFetchComplete": [ "Succeeded" ] }, "expression": "@equals(variables('VMFetchComplete'), true)", "limit": { "count": 50, "timeout": "PT1H" }, "type": "Until" } }, "else": { "actions": {} }, "expression": { "and": [ { "equals": [ "@items('ForEach-Subscription')?['state']", "Enabled" ] } ] }, "type": "If" } }, "runAfter": { "Init-AllVMs": [ "Succeeded" ] }, "type": "Foreach" }, "Init-MDEVariables": { "runAfter": { "ForEach-Subscription": [ 
"Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "AllMDEDevices", "type": "array" }, { "name": "MDESkip", "type": "integer", "value": 0 }, { "name": "MDEFetchComplete", "type": "boolean", "value": false } ] } }, "Paginate-MDEDevices": { "actions": { "Get-MDEDevices-Page": { "type": "Http", "inputs": { "uri": "https://api.securitycenter.microsoft.com/api/machines?$select=computerDnsName,id,osPlatform,lastSeen,onboardingStatus,healthStatus,lastIpAddress&amp;amp;$top=10000&amp;amp;$skip=@{variables('MDESkip')}", "method": "GET", "headers": { "Content-Type": "application/json" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://api.securitycenter.microsoft.com" }, "retryPolicy": { "type": "fixed", "count": 3, "interval": "PT60S" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "Parse-MDEPage": { "runAfter": { "Get-MDEDevices-Page": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get-MDEDevices-Page')", "schema": { "type": "object", "properties": { "value": { "type": "array", "items": { "type": "object", "properties": { "computerDnsName": { "type": [ "string", "null" ] }, "id": { "type": [ "string", "null" ] }, "osPlatform": { "type": [ "string", "null" ] }, "lastSeen": { "type": [ "string", "null" ] }, "onboardingStatus": { "type": [ "string", "null" ] }, "healthStatus": { "type": [ "string", "null" ] }, "lastIpAddress": { "type": [ "string", "null" ] }, "azureVmId": { "type": [ "string", "null" ] } } } } } } } }, "Append-MDEPage-ToArray": { "foreach": "@body('Parse-MDEPage')?['value']", "actions": { "Append-SingleMDEDevice": { "type": "AppendToArrayVariable", "inputs": { "name": "AllMDEDevices", "value": "@items('Append-MDEPage-ToArray')" } } }, "runAfter": { "Parse-MDEPage": [ "Succeeded" ] }, "type": "Foreach" }, "Check-PageSize": { "actions": { "Set-FetchComplete-True": { "type": "SetVariable", "inputs": { "name": "MDEFetchComplete", "value": true 
} } }, "runAfter": { "Append-MDEPage-ToArray": [ "Succeeded" ] }, "else": { "actions": { "Increment-MDESkip": { "type": "IncrementVariable", "inputs": { "name": "MDESkip", "value": 10000 } } } }, "expression": { "and": [ { "less": [ "@length(body('Parse-MDEPage')?['value'])", 10000 ] } ] }, "type": "If" } }, "runAfter": { "Init-MDEVariables": [ "Succeeded" ] }, "expression": "@equals(variables('MDEFetchComplete'), true)", "limit": { "count": 50, "timeout": "PT1H" }, "type": "Until" }, "Init-Variables": { "runAfter": { "Paginate-MDEDevices": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "EmailsSent", "type": "array", "value": [] }, { "name": "NoOwnerList", "type": "array", "value": [] }, { "name": "NonCompliantList", "type": "array", "value": [] }, { "name": "SummaryStats", "type": "object", "value": { "TotalNonCompliant": 0, "P1Critical": 0, "P2High": 0, "P3Medium": 0, "P4Low": 0, "EmailsSent": 0, "NoOwnerFound": 0 } }, { "name": "HTMLRows", "type": "string" }, { "name": "NonCompliantCount", "type": "integer", "value": 0 }, { "name": "CSVRows", "type": "string", "value": "@{concat('\"VM Name\",\"Private IP\",\"OS Type\",\"Location\",\"Server Owner\",\"MDE Status\",\"Last Seen\",\"Priority\",\"Action Taken\",\"Subscription ID\"', decodeUriComponent('%0A'))}" }, { "name": "HTMLRowCount", "type": "integer", "value": 0 } ] } }, "ForEach-AzureVM": { "foreach": "@variables('AllVMs')", "actions": { "Find-VMInMDE-Filter": { "type": "Query", "inputs": { "from": "@variables('AllMDEDevices')", "where": "@or(and(not(equals(item()?['azureVmId'], null)), not(equals(item()?['azureVmId'], '')), equals(toLower(item()?['azureVmId']), toLower(items('ForEach-AzureVM')?['VmId']))), and(or(equals(item()?['azureVmId'], null), equals(item()?['azureVmId'], '')), startsWith(toLower(item()?['computerDnsName']), toLower(items('ForEach-AzureVM')?['VMName'])), equals(item()?['lastIpAddress'], items('ForEach-AzureVM')?['PrivateIP'])))" } }, "Find-VMInMDE": 
{ "runAfter": { "Find-VMInMDE-Filter": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(greater(length(body('Find-VMInMDE-Filter')), 0), first(body('Find-VMInMDE-Filter')), json('{\"computerDnsName\":\"NOT_FOUND\",\"onboardingStatus\":\"NotFound\",\"lastSeen\":\"1900-01-01T00:00:00Z\",\"lastIpAddress\":\"N/A\",\"healthStatus\":\"Unknown\"}'))" }, "Get-ComplianceStatus": { "runAfter": { "Find-VMInMDE": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(equals(outputs('Find-VMInMDE')?['computerDnsName'], 'NOT_FOUND'), 'Not Onboarded', if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(greater(outputs('Find-VMInMDE')?['lastSeen'], addHours(utcNow(), mul(-1, outputs('CONFIG')?['MDE_LASTSEEN_HOURS']))), 'Compliant', 'Onboarded - Not Reporting'), 'Not Onboarded'))" }, "Get-Priority": { "runAfter": { "Get-ComplianceStatus": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(equals(outputs('Get-ComplianceStatus'), 'Not Onboarded'), 'P2 - High', if(equals(outputs('Get-ComplianceStatus'), 'Onboarded - Not Reporting'), 'P3 - Medium', if(equals(outputs('Get-ComplianceStatus'), 'Compliant'), 'Compliant', 'P4 - Low')))" }, "Is-NonCompliant": { "actions": { "Append-CSVRows": { "type": "AppendToStringVariable", "inputs": { "name": "CSVRows", "value": "\"@{items('ForEach-AzureVM')?['VMName']}\",\"@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}\",\"@{items('ForEach-AzureVM')?['OSType']}\",\"@{items('ForEach-AzureVM')?['Location']}\",\"@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'No Owner Tag', items('ForEach-AzureVM')?['ServerOwner'])}\",\"@{outputs('Get-ComplianceStatus')}\",\"@{if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), 
ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days ago)')), concat(outputs('Find-VMInMDE')?['onboardingStatus'], ' - Last Seen: ', convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')))}\",\"@{outputs('Get-Priority')}\",\"@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'IT Team Notified', 'Email sent to Server Owner')}\",\"@{items('ForEach-AzureVM')?['SubscriptionId']}\"@{decodeUriComponent('%0A')}" } }, "Check-HTMLRowCount": { "actions": { "Append-HTMLRows": { "type": "AppendToStringVariable", "inputs": { "name": "HTMLRows", "value": "&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:600;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['OSType']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['Location']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'No Owner Tag', items('ForEach-AzureVM')?['ServerOwner'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;color:#c80000;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy 
HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days ago)')), concat(outputs('Find-VMInMDE')?['onboardingStatus'], ' - Last Seen: ', convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')))}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'IT Team Notified', 'Email sent to Server Owner')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-break:break-all;\"&amp;gt;@{items('ForEach-AzureVM')?['SubscriptionId']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;" } }, "Increment-HTMLRowCount": { "runAfter": { "Append-HTMLRows": [ "Succeeded" ] }, "type": "IncrementVariable", "inputs": { "name": "HTMLRowCount", "value": 1 } } }, "runAfter": { "Append-CSVRows": [ "Succeeded" ] }, "else": { "actions": {} }, "expression": { "and": [ { "less": [ "@variables('HTMLRowCount')", 20 ] } ] }, "type": "If" }, "Increment-NonCompliantCount": { "runAfter": { "Check-HTMLRowCount": [ "Succeeded" ] }, "type": "IncrementVariable", "inputs": { "name": "NonCompliantCount", "value": 1 } }, "Check-ServerOwner": { "actions": { "Send-OwnerEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "[@{outputs('Get-Priority')}] MDE Compliance Alert - @{items('ForEach-AzureVM')?['VMName']}", "body": { "contentType": "HTML", "content": "&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:680px;margin:24px auto;border:1px solid 
#e0e0e0;border-radius:8px;overflow:hidden;\"&amp;gt;&amp;lt;div style=\"background:#c80000;padding:20px 28px;\"&amp;gt;&amp;lt;h2 style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Alert&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#ffcccc;margin:6px 0 0;font-size:13px;\"&amp;gt;Priority: @{outputs('Get-Priority')}&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;\"&amp;gt;&amp;lt;p style=\"margin-top:0;font-size:14px;\"&amp;gt;Your server &amp;lt;strong&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/strong&amp;gt; has a Microsoft Defender for Endpoint compliance issue requiring immediate attention.&amp;lt;/p&amp;gt;&amp;lt;table style=\"width:100%;border-collapse:collapse;font-size:14px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#f5f5f5;\"&amp;gt;&amp;lt;th style=\"text-align:left;padding:10px 14px;border:1px solid #ddd;width:38%;\"&amp;gt;Field&amp;lt;/th&amp;gt;&amp;lt;th style=\"text-align:left;padding:10px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Value&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Server Name&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Private IP&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;OS Type&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid 
#ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['OSType']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Location&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['Location']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Compliance Status&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;color:#c80000;font-weight:700;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Priority&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:700;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;MDE Onboarding Status&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Find-VMInMDE')?['onboardingStatus']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Last Seen in MDE (IST)&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days 
ago)'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Resource Group&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['ResourceGroup']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Subscription ID&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-break:break-all;\"&amp;gt;@{items('ForEach-AzureVM')?['SubscriptionId']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;table style=\"width:100%;border-collapse:collapse;\"&amp;gt;&amp;lt;tr style=\"background:#fff8e1;\"&amp;gt;&amp;lt;td style=\"padding:10px 14px;border:1px solid #ffe082;font-size:13px;\"&amp;gt;&amp;lt;strong&amp;gt;Resolution SLA:&amp;lt;/strong&amp;gt; P1 Critical - 24hrs | P2 High - 48hrs | P3 Medium - 72hrs&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;p style=\"font-size:13px;color:#555;\"&amp;gt;For assistance contact IT Security: &amp;lt;a href=\"mailto:@{variables('varITTeamEmail')}\"&amp;gt;@{variables('varITTeamEmail')}&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@{items('ForEach-AzureVM')?['ServerOwner']}" } } ], "ccRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" }, "retryPolicy": { "type": "fixed", "count": 2, "interval": "PT60S" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "Append-EmailsSent": { "runAfter": { "Send-OwnerEmail": [ 
"Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "EmailsSent", "value": "@{items('ForEach-AzureVM')?['VMName']} → @{items('ForEach-AzureVM')?['ServerOwner']}" } } }, "runAfter": { "Increment-NonCompliantCount": [ "Succeeded" ] }, "else": { "actions": { "Append-NoOwnerList": { "type": "AppendToArrayVariable", "inputs": { "name": "NoOwnerList", "value": "&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:600;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:700;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;" } } } }, "expression": { "and": [ { "not": { "equals": [ "@items('ForEach-AzureVM')?['ServerOwner']", "" ] } } ] }, "type": "If" } }, "runAfter": { "Get-Priority": [ "Succeeded" ] }, "else": { "actions": {} }, "expression": { "and": [ { "not": { "equals": [ "@outputs('Get-ComplianceStatus')", "Compliant" ] } } ] }, "type": "If" } }, "runAfter": { "Init-Variables": [ "Succeeded" ] }, "type": "Foreach", "runtimeConfiguration": { "concurrency": { "repetitions": 1 } } }, "Check-AnyNonCompliant": { "actions": { "Send-ITSummaryEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "MDE Compliance Report (Azure Workloads) - @{variables('NonCompliantCount')} Non-Compliant VMs Found", "body": { "contentType": "HTML", "content": 
"&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:1400px;margin:24px auto;border:1px solid #e0e0e0;border-radius:8px;\"&amp;gt;&amp;lt;div style=\"background:#0078d4;padding:20px 28px;\"&amp;gt;&amp;lt;h2 style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Daily Report&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#cce4ff;margin:6px 0 0;font-size:13px;\"&amp;gt;Generated: @{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')} IST&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;\"&amp;gt;&amp;lt;table style=\"border-collapse:collapse;font-size:14px;margin-bottom:28px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#f0f0f0;\"&amp;gt;&amp;lt;th style=\"padding:10px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Metric&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Value&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Total Non-Compliant VMs&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;font-weight:700;color:#c80000;\"&amp;gt;@{variables('NonCompliantCount')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Server Owners Notified&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;color:#107c10;font-weight:600;\"&amp;gt;@{length(variables('EmailsSent'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;No Owner Tag&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid 
#ddd;color:#e65100;font-weight:600;\"&amp;gt;@{length(variables('NoOwnerList'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;p style=\"background:#fff3cd;border:1px solid #ffc107;padding:10px 14px;border-radius:4px;font-size:13px;margin-bottom:16px;\"&amp;gt;This report shows the first &amp;lt;strong&amp;gt;20 non-compliant VMs&amp;lt;/strong&amp;gt; only. &amp;lt;strong&amp;gt;Please check the attached CSV file&amp;lt;/strong&amp;gt; for the complete list.&amp;lt;/p&amp;gt;&amp;lt;table style=\"width:100%;table-layout:fixed;border-collapse:collapse;font-size:13px;\"&amp;gt;&amp;lt;colgroup&amp;gt;&amp;lt;col style=\"width:120px\"&amp;gt;&amp;lt;col style=\"width:90px\"&amp;gt;&amp;lt;col style=\"width:70px\"&amp;gt;&amp;lt;col style=\"width:100px\"&amp;gt;&amp;lt;col style=\"width:160px\"&amp;gt;&amp;lt;col style=\"width:110px\"&amp;gt;&amp;lt;col style=\"width:165px\"&amp;gt;&amp;lt;col style=\"width:80px\"&amp;gt;&amp;lt;col style=\"width:90px\"&amp;gt;&amp;lt;col style=\"width:195px\"&amp;gt;&amp;lt;/colgroup&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#0078d4;color:#fff;\"&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;VM Name&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Private IP&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;OS Type&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Location&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Server Owner&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;MDE Status&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Last Seen (IST)&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Priority&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 
12px;border:1px solid #005a9e;\"&amp;gt;Action Taken&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Subscription ID&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;@{variables('HTMLRows')}&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;h3 style=\"border-bottom:2px solid #e65100;padding-bottom:8px;\"&amp;gt;Action Required - No Owner Tag Found&amp;lt;/h3&amp;gt;&amp;lt;div style=\"background:#fff8f0;border:1px solid #ffccbc;padding:16px;border-radius:4px;font-size:13px;margin-bottom:16px;\"&amp;gt;&amp;lt;p style=\"margin:0 0 8px 0;\"&amp;gt;The following &amp;lt;strong&amp;gt;@{length(variables('NoOwnerList'))}&amp;lt;/strong&amp;gt; server(s) have no &amp;lt;strong&amp;gt;ServerOwner&amp;lt;/strong&amp;gt; tag assigned.&amp;lt;/p&amp;gt;&amp;lt;ol style=\"margin:0;padding-left:20px;\"&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;Identify the owner of each server below&amp;lt;/li&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;Go to the VM in Azure Portal → Tags → Add tag&amp;lt;/li&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;&amp;lt;strong&amp;gt;Tag Name:&amp;lt;/strong&amp;gt; ServerOwner | &amp;lt;strong&amp;gt;Tag Value:&amp;lt;/strong&amp;gt; owner email address&amp;lt;/li&amp;gt;&amp;lt;li&amp;gt;Once tagged, the next daily report will automatically notify the owner&amp;lt;/li&amp;gt;&amp;lt;/ol&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;table style=\"width:100%;table-layout:fixed;border-collapse:collapse;font-size:13px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#e65100;color:#fff;\"&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;VM Name&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;Private IP&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;MDE 
Status&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;Priority&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;@{if(equals(length(variables('NoOwnerList')), 0), '&amp;lt;tr&amp;gt;&amp;lt;td colspan=\"4\" style=\"padding:12px;text-align:center;\"&amp;gt;None - All servers have owner tags assigned&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;', join(variables('NoOwnerList'), ''))}&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ], "attachments": [ { "@@odata.type": "#microsoft.graph.fileAttachment", "name": "@{concat('MDE-Compliance-Report-', convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy'), '.csv')}", "contentType": "text/csv", "contentBytes": "@{base64(variables('CSVRows'))}" } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } } }, "runAfter": { "ForEach-AzureVM": [ "Succeeded" ] }, "else": { "actions": { "Send-AllClearEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "[@{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy')}] MDE Compliance Report - All VMs Compliant", "body": { "contentType": "HTML", "content": "&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:600px;margin:24px auto;border:1px solid #e0e0e0;border-radius:8px;overflow:hidden;\"&amp;gt;&amp;lt;div style=\"background:#107c10;padding:20px 28px;\"&amp;gt;&amp;lt;h2 
style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Report&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#c8e6c9;margin:6px 0 0;font-size:13px;\"&amp;gt;Generated: @{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')} IST&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;text-align:center;\"&amp;gt;&amp;lt;h2 style=\"color:#107c10;\"&amp;gt;All VMs Compliant&amp;lt;/h2&amp;gt;&amp;lt;p style=\"font-size:15px;color:#555;\"&amp;gt;All Azure Virtual Machines are onboarded to Microsoft Defender for Endpoint and reporting within the required 24-hour window.&amp;lt;/p&amp;gt;&amp;lt;p style=\"font-size:13px;color:#888;\"&amp;gt;No action required. The next report will be sent tomorrow at 08:00 IST.&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } } } }, "expression": { "and": [ { "greater": [ "@variables('NonCompliantCount')", 0 ] } ] }, "type": "If" } }, "parameters": { "$connections": { "type": "Object", "defaultValue": {} } } }, "parameters": { "$connections": { "type": "Object", "value": {} } } }&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 15 Jun 2026 11:52:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/automating-daily-mde-compliance-monitoring-across-azure-vms/ba-p/4528274</guid>
      <dc:creator>SayanRoy</dc:creator>
      <dc:date>2026-06-15T11:52:45Z</dc:date>
    </item>
    <item>
      <title>Analyse Intune Diagnostics Logs with GitHub Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/analyse-intune-diagnostics-logs-with-github-copilot/ba-p/4527500</link>
      <description>&lt;P&gt;Hello everyone! I’m Stefan Röll, Cloud Solution Architect at Microsoft Germany for Cloud Endpoints. I work closely with IT Admins to improve their experience with everything around Intune, W365 and Windows. I know that troubleshooting an issue can be time consuming and challenging. In this blog I would like to show you how your troubleshooting skills can be supercharged with AI.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;TL;DR&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The way I troubleshoot issues has completely changed with GitHub Copilot. I just provide it with Intune Diagnostics Logs, network traces etc. and let the magic happen. The output still requires deep technical skills, but finding the root cause of an issue is just way faster and easier now.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;GitHub Copilot – not only for developers&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;GitHub Copilot is best known for helping developers to write and fix code.&lt;/P&gt;
&lt;P&gt;But it also has tremendous debugging and troubleshooting skills. And the best part is that it takes only two minutes to set up, and you will never go back to manually searching for an issue when you have to work through a lot of log files.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Getting started in two minutes&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Let’s get started:&lt;/P&gt;
&lt;P&gt;Go to &lt;A href="https://github.com/features/copilot/plans" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/plans&lt;/A&gt; and get a GitHub Copilot subscription. If you are interested in Business or Enterprise subscriptions, please reach out to your Customer Success Account Manager (CSAM) or sales team to get started. It is also likely that your company already has subscriptions that you can get internally.&lt;/P&gt;
&lt;P&gt;Once you’ve got your subscription, install GitHub Copilot CLI from a terminal:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;winget install GitHub.Copilot&lt;/LI-CODE&gt;
&lt;P&gt;Now you can start Copilot via the command:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;copilot&lt;/LI-CODE&gt;
&lt;P&gt;Next, type&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="powerquery"&gt;/login&lt;/LI-CODE&gt;
&lt;P&gt;and log in with your GitHub account.&lt;/P&gt;
&lt;P&gt;Now you should add the Microsoft Learn MCP Server and the included skills. This lets Copilot search through the Microsoft documentation.&lt;/P&gt;
&lt;P&gt;You can do this with:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;/plugin install microsoftdocs/mcp&lt;/LI-CODE&gt;
&lt;P&gt;Copilot is ready for your first troubleshooting session! 🎉&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Example #1 – Why did our PCs restart during the day?&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Let’s start with a typical scenario: “All our PCs restarted during business hours. Can you please find the root cause for this?”&lt;/P&gt;
&lt;P&gt;Before Copilot, you had to manually check multiple places to find the root cause. Was it triggered by a Windows update, an app update, a driver issue, or another hidden background process?&lt;/P&gt;
&lt;P&gt;Now the only thing we need is the Intune Diagnostics logs. Simply go to your Intune console and collect diagnostics:&lt;/P&gt;
&lt;P&gt;Once they are uploaded, download the .zip file to a local folder like C:\Temp\CopilotAnalysis.&lt;/P&gt;
&lt;P&gt;Next, open a command prompt, go to the folder with the extracted files, and start Copilot:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;cd C:\Temp\CopilotAnalysis
copilot&lt;/LI-CODE&gt;
&lt;P&gt;With “Shift + TAB” we switch over to the “Autopilot” mode of GitHub Copilot. This will tell Copilot to do its magic without asking for confirmation for each step. You can find more information about this mode here: &lt;A href="https://docs.github.com/en/copilot/concepts/agents/copilot-cli/autopilot" target="_blank" rel="noopener"&gt;https://docs.github.com/en/copilot/concepts/agents/copilot-cli/autopilot&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you don’t want that, you can also continue in normal mode, but expect a lot of confirmation prompts.&lt;/P&gt;
&lt;P&gt;With a simple prompt, we can create a deep root cause analysis, and Copilot will use the provided diagnostics logs:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Based on the provided Intune Diagnostics logs, find out why the Windows 11 PC rebooted automatically during business hours. Once you have found the issue, confirm your findings with the configured Microsoft Learn MCP Server. Then create a Root Cause Analysis Report and save it as HTML in the same folder. Include a timeline with relevant events in the report. Extract all needed files like .zip, .cab that you need for the analysis.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Now you can watch Copilot working through the logs and after some minutes you will get a report like this:&lt;/P&gt;
&lt;P&gt;Here we go. You can see that the reboot was caused by a misconfigured Intune app deployment.&lt;/P&gt;
&lt;P&gt;⚠️Please be aware that AI can make mistakes. Never blindly trust the output, especially any recommendations for how to fix an issue. ⚠️&lt;/P&gt;
&lt;P&gt;However, now we have a fantastic starting point. In this case, Copilot correctly identified the root cause and we can fix this in Intune.&lt;/P&gt;
&lt;P&gt;It also created the requested timeline.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Example #2 – Why did the Autopilot deployment fail?&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;When Autopilot deployments fail, it can be hard to troubleshoot as you may not have the affected device in front of you. Therefore, it is great that Intune automatically uploads diagnostics logs when this happens. In this example, an Autopilot deployment failed, and we are going to analyse the logs with Copilot.&lt;/P&gt;
&lt;P&gt;I downloaded the logs to a new folder, opened the terminal, navigated to the folder, and started Copilot:&lt;/P&gt;
&lt;P&gt;Now I am going to analyse this with a different prompt:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Analyse the provided Intune Diagnostics logs and find out why this Windows 11 Autopilot deployment failed. Once you have found the issue, confirm your findings with the configured Microsoft Learn MCP Server. Then create a Root Cause Analysis Report and save it as HTML in the same folder. Include a timeline with relevant events in the report. Extract all needed files like .zip, .cab that you need for the analysis.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;After a beverage of choice, I had much more clarity on what happened:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Root cause:&lt;/STRONG&gt; Enrollment Status Page (ESP) remained blocked in &lt;STRONG&gt;Account setup&lt;/STRONG&gt; by a required &lt;STRONG&gt;user-targeted WinGet app&lt;/STRONG&gt; that did not complete download/install during the observed log window. The blocking app was &lt;STRONG&gt;Sysinternals Suite - Req - All Users&lt;/STRONG&gt; (Win32App_9c514d25-f55e-4177-af53-ca5ebbcf2619, package 9P7KNL5RWT25).&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;&lt;STRONG&gt;Remarks&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;In this blog, I did not cover different models, credits, better prompting, and other improvements you can make to optimise the analysis. I wanted to give IT Pros a quick start with GitHub Copilot CLI.&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Summary&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;I highly recommend that you try GitHub Copilot yourself the next time you need to troubleshoot an issue. You will be amazed at how good it is at finding the root cause of an issue. This works with all kinds of log files, network traces, and more.&lt;/P&gt;
&lt;P&gt;GitHub Copilot does not replace endpoint expertise, but it can dramatically reduce the time needed to move from raw diagnostics to a validated root-cause hypothesis.&lt;/P&gt;
&lt;P&gt;I hope this blog helped you get started 😊&lt;/P&gt;
&lt;P&gt;Stefan Röll&lt;/P&gt;
&lt;P&gt;Cloud Solution Architect – Microsoft Germany&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Helpful resources and references:&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/training/support/mcp" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/training/support/mcp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/training/support/mcp-get-started" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/training/support/mcp-get-started&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://github.com/features/copilot/plans" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/plans&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://github.com/features/copilot/cli" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/cli&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Disclaimer:&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;This posting is provided "AS IS" with no warranties and confers no rights.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jun 2026 12:15:59 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/analyse-intune-diagnostics-logs-with-github-copilot/ba-p/4527500</guid>
      <dc:creator>StefanRöll</dc:creator>
      <dc:date>2026-06-11T12:15:59Z</dc:date>
    </item>
    <item>
      <title>At-Scale Failure Reporting for Azure Update Manager</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/at-scale-failure-reporting-for-azure-update-manager/ba-p/4527378</link>
      <description>&lt;H3&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Update Manager simplifies patching across Azure virtual machines and Azure Arc-enabled servers by providing a centralized platform for patch assessment and installation. However, as environments scale, a key challenge emerges—&lt;STRONG&gt;efficiently identifying and troubleshooting patch failures across large fleets of machines&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;While Azure Update Manager surfaces detailed error messages in the Azure portal, this information is typically available &lt;STRONG&gt;only at an individual machine level&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;In enterprise environments managing hundreds or thousands of systems, drilling into each VM to find error details quickly becomes impractical.&lt;/P&gt;
&lt;P&gt;In this article, we walk through a real-world use case and demonstrate how to leverage &lt;STRONG&gt;Azure Resource Graph (ARG)&lt;/STRONG&gt; to extract &lt;STRONG&gt;failed machines along with their error details for a specific maintenance run&lt;/STRONG&gt;—using a single query.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;The Challenge: Scaling Patch Failure Visibility&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;In a large enterprise deployment, Azure Update Manager was configured to manage patching across:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Windows and Linux virtual machines&lt;/LI&gt;
&lt;LI&gt;Azure cloud VMs and Arc-enabled on‑premises servers&lt;/LI&gt;
&lt;LI&gt;Multiple regions and subscriptions&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;While patching operations were largely successful, a subset of machines experienced failures. The key challenges faced by the operations team were:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Error messages were visible &lt;STRONG&gt;only by drilling into each failed VM in the portal&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;No built‑in way to &lt;STRONG&gt;aggregate failures across all machines&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Lack of a simple mechanism to export:
&lt;UL&gt;
&lt;LI&gt;Failed VMs&lt;/LI&gt;
&lt;LI&gt;Error codes&lt;/LI&gt;
&lt;LI&gt;Error messages&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The team needed a &lt;STRONG&gt;scalable, query-driven approach&lt;/STRONG&gt; to analyze failures across an entire maintenance run.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Key Insight: Where Azure Update Manager Stores Data&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Update Manager does &lt;STRONG&gt;not&lt;/STRONG&gt; rely on Log Analytics to store operational results. Instead:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Patch assessment and installation results are stored in &lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Resource Graph acts as a &lt;STRONG&gt;centralized, queryable store&lt;/STRONG&gt; for update operations&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This design enables powerful querying without requiring additional ingestion, configuration, or cost overhead.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Understanding Maintenance Runs and Correlation IDs&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Each Azure Update Manager maintenance run generates a unique identifier:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;properties.correlationId&lt;/STRONG&gt; represents the maintenance (schedule) run ID&lt;/LI&gt;
&lt;LI&gt;All machines involved in the same patch cycle share this ID&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This allows all machines within a single patch execution to be correlated and queried collectively.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;The Solution: Query Failed VMs with Error Messages&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Resource Graph allows querying failures at scale using the &lt;STRONG&gt;maintenanceresources&lt;/STRONG&gt; dataset.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Core Query (Kusto Query Language)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;PRE&gt;maintenanceresources
| where type =~ "microsoft.maintenance/applyupdates"
| where tostring(properties.correlationId) contains "&amp;lt;YourMaintenanceRunID&amp;gt;"
| where tostring(properties.status) =~ "Failed"
| project properties.resourceId, properties.errorCode, properties.errorMessage&lt;/PRE&gt;
&lt;H4&gt;&lt;STRONG&gt;What This Query Delivers&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;All machines that &lt;STRONG&gt;failed&lt;/STRONG&gt; in a specific maintenance run&lt;/LI&gt;
&lt;LI&gt;Error codes for troubleshooting&lt;/LI&gt;
&lt;LI&gt;Full error messages that are otherwise visible only in the Azure portal&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Property names for error information can vary by environment. Validate available fields using Azure Resource Graph Explorer and adjust the project clause if required.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Sample Output (Conceptual)&lt;/STRONG&gt;&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;
&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Resource ID&lt;/th&gt;&lt;th&gt;Error Code&lt;/th&gt;&lt;th&gt;Error Message&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;vm-01&lt;/td&gt;&lt;td&gt;0x80244007&lt;/td&gt;&lt;td&gt;Windows Update API failed&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;vm-02&lt;/td&gt;&lt;td&gt;0x80072f8f&lt;/td&gt;&lt;td&gt;Connectivity issue&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;vm-03&lt;/td&gt;&lt;td&gt;1C&lt;/td&gt;&lt;td&gt;WSUS configuration issue&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;&lt;STRONG&gt;Advanced Scenario: Automatically Detecting the Latest Failed Maintenance Run&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;In real-world scenarios, you may not always know the maintenance run ID. The following query dynamically identifies the &lt;STRONG&gt;most recent maintenance run that had failures&lt;/STRONG&gt;, and then retrieves all failed machines from that run.&lt;/P&gt;
&lt;PRE&gt;// Step 1: Identify the latest maintenance run ID with failures
let lastFailedRun = toscalar(
    maintenanceresources
    // correlationId is a dynamic property; convert it to string before applying the regex
    | extend runId = extract(@"applyupdates/(\d+)$", 1, tostring(properties.correlationId))
    | where type =~ "microsoft.maintenance/applyupdates"
    | where tostring(properties.status) =~ "Failed"
    | order by tostring(properties.startDateTime) desc
    | take 1
    | project runId
);
// Step 2: Query all failed VMs from that run
maintenanceresources
| where type =~ "microsoft.maintenance/applyupdates"
| where tostring(properties.correlationId) contains lastFailedRun
| where tostring(properties.status) =~ "Failed"
| project properties.resourceId, properties.errorCode, properties.errorMessage&lt;/PRE&gt;
&lt;P&gt;This approach is ideal for automation, scheduled reporting, and dashboard scenarios.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Why This Approach Matters&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;Operational Efficiency&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Eliminates manual portal navigation&lt;/LI&gt;
&lt;LI&gt;Provides consolidated failure insights in seconds&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Scalability&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Works across large, distributed environments&lt;/LI&gt;
&lt;LI&gt;Supports both Azure and hybrid (Arc‑enabled) machines&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Automation Ready&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Can be integrated into scripts, dashboards, and reporting pipelines&lt;/LI&gt;
&lt;LI&gt;Enables proactive monitoring and alerting scenarios&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;Best Practices for Enterprise Patch Reporting&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;To maximize the value of this approach:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Capture and track &lt;STRONG&gt;maintenance run IDs&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Use &lt;STRONG&gt;Azure Resource Graph as the primary reporting layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Build reusable queries for different patch scenarios&lt;/LI&gt;
&lt;LI&gt;Export reports for compliance and auditing&lt;/LI&gt;
&lt;LI&gt;Correlate failures with root‑cause trends over time&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;As organizations scale patching operations with Azure Update Manager, &lt;STRONG&gt;visibility, speed, and automation become essential&lt;/STRONG&gt;. While the Azure portal is effective for per‑machine troubleshooting, it is not optimized for fleet‑level analysis.&lt;/P&gt;
&lt;P&gt;Azure Resource Graph fills this gap by enabling a shift from &lt;STRONG&gt;manual troubleshooting&lt;/STRONG&gt; to &lt;STRONG&gt;automated, query-driven failure analysis at scale&lt;/STRONG&gt;. By adopting this approach, teams can significantly improve operational efficiency, reduce mean time to resolution, and build a more mature patch management strategy.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Final takeaway:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Don’t rely only on the portal&lt;/LI&gt;
&lt;LI&gt;Leverage &lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt; to operationalize patch insights at enterprise scale&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;References&lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;Azure Update Manager – Query resources with Azure Resource Graph&lt;BR /&gt;&lt;A href="https://learn.microsoft.com/azure/update-manager/query-logs" target="_blank"&gt;https://learn.microsoft.com/azure/update-manager/query-logs&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Update Manager – Troubleshooting guide&lt;BR /&gt;&lt;A href="https://learn.microsoft.com/azure/update-manager/troubleshoot" target="_blank"&gt;https://learn.microsoft.com/azure/update-manager/troubleshoot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Sample Azure Resource Graph queries for Azure Update Manager&lt;BR /&gt;&lt;A href="https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/update-manager/sample-query-logs.md" target="_blank"&gt;https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/update-manager/sample-query-logs.md&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 11 Jun 2026 06:32:42 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/at-scale-failure-reporting-for-azure-update-manager/ba-p/4527378</guid>
      <dc:creator>rajeshkumar30</dc:creator>
      <dc:date>2026-06-11T06:32:42Z</dc:date>
    </item>
    <item>
      <title>Redefining Security for an AI Driven World</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/redefining-security-for-an-ai-driven-world/ba-p/4521961</link>
      <description>&lt;P class="lia-align-justify"&gt;Vendors are being challenged to help customers address these challenges not as a point-solution vendor but as an &lt;STRONG&gt;end-to-end security and AI platform partner&lt;/STRONG&gt;. By integrating identity, data governance, threat protection, and AI services into a unified ecosystem, Microsoft can deliver coordinated defenses, continuous compliance monitoring, and operational efficiency gains that fragmented toolsets cannot match. The sections that follow examine each challenge in depth — why it persists, what makes it hard, and specifically how Microsoft helps organizations bridge the gap.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 1: Safeguarding Data Privacy in the AI Era&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;AI systems are voracious consumers of data, and their adoption is outpacing the governance structures meant to protect it.&lt;/STRONG&gt; More than &lt;STRONG&gt;80% of business leaders&lt;/STRONG&gt; cite leakage of sensitive data as their primary concern with generative AI, and nearly &lt;STRONG&gt;48%&lt;/STRONG&gt; have responded by banning all use of GenAI in the workplace entirely. Meanwhile, AI is raising the value of human-generated data as a critical training input while introducing entirely new avenues for potential data leakage through models and AI-powered applications.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Fragmented tooling&lt;/STRONG&gt; is the most immediate obstacle. Organizations are managing security, compliance, and data governance through disconnected platforms, creating siloed visibility that undermines cohesive protection. Only &lt;STRONG&gt;31%&lt;/STRONG&gt; of organizations have established a global data architecture, and just &lt;STRONG&gt;25%&lt;/STRONG&gt; maintain a global data quality program — two foundations essential for trustworthy AI innovation. Without enterprise-wide data classification and access controls, AI systems cannot distinguish what is too sensitive to surface.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, &lt;STRONG&gt;shadow AI&lt;/STRONG&gt; compounds the risk. When employees turn to unapproved AI tools to boost productivity, sensitive data can flow to services outside IT's purview. According to Microsoft's guide on securing the AI-powered enterprise, &lt;STRONG&gt;80% of business leaders worry that sensitive data could slip through the cracks due to unchecked AI use&lt;/STRONG&gt;. AI models also inherit the permissions of their users, meaning an over-permissioned employee can unknowingly expose critical data to an AI system. Gartner has estimated that by 2025, generative AI will account for&amp;nbsp;&lt;STRONG&gt;10% of all data produced&lt;/STRONG&gt;, further blurring the boundary between what is corporate-controlled and what is AI-generated.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Regulatory stakes add urgency: Gartner projects that by &lt;STRONG&gt;2027&lt;/STRONG&gt;, at least one global company will see its AI deployment banned by a regulator for non-compliance with data protection or AI governance legislation.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Microsoft Purview&lt;/STRONG&gt; provides a unified platform that combines data classification, data loss prevention (DLP), and AI-specific posture management to address fragmentation head-on. Its &lt;STRONG&gt;Data Security Posture Management (DSPM) for AI&lt;/STRONG&gt; centralizes visibility into how AI applications interact with sensitive data across the organization — including Microsoft 365 Copilot, enterprise AI apps, and third-party AI tools. Security teams can see, for example, how many unlabeled files were referenced by Copilot and where the greatest concentrations of unprotected data reside.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Sensitivity labels&lt;/STRONG&gt; created in Purview travel with documents and are enforced at inference time: when an AI app retrieves a file labeled "Highly Confidential," the system ensures the requesting user holds the required EXTRACT and VIEW usage rights before returning data. In practice, an executive running a Copilot query on a labeled strategy document would see the sensitivity label clearly marked alongside the response. Purview's DLP policies now extend to AI scenarios directly, including &lt;STRONG&gt;inline browser protection&lt;/STRONG&gt; that can block or warn users attempting to paste sensitive data into third-party generative AI sites such as ChatGPT in Microsoft Edge, Chrome, or Firefox.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For organizations handling the most sensitive workloads, &lt;STRONG&gt;Azure Confidential Computing&lt;/STRONG&gt; protects data even while it is being processed, using hardware-based Trusted Execution Environments (TEEs) that keep information encrypted in memory — invisible even to cloud operators. This capability is especially relevant for AI training and inference on regulated data, where customers need verifiable proof that their information was never exposed in plaintext during processing.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The net result is defense-in-depth for data: &lt;STRONG&gt;discover&lt;/STRONG&gt; where sensitive information lives, &lt;STRONG&gt;classify&lt;/STRONG&gt; it so AI systems respect boundaries, &lt;STRONG&gt;enforce&lt;/STRONG&gt; policies at the point of AI interaction, and &lt;STRONG&gt;encrypt&lt;/STRONG&gt; data in use for the highest-risk scenarios — all governed through a single compliance surface.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 2: The AI-Weaponized Threat Landscape&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Adversaries are using AI to accelerate, scale, and personalize attacks faster than traditional defenses can respond.&lt;/STRONG&gt; In the past year, &lt;STRONG&gt;67% of all phishing attacks&lt;/STRONG&gt; employed some form of AI, and organizations now face an average of &lt;STRONG&gt;66 data security alerts per day&lt;/STRONG&gt; — up from &lt;STRONG&gt;52 in 2023&lt;/STRONG&gt;. Under this pressure, &lt;STRONG&gt;73% of cybersecurity experts&lt;/STRONG&gt; admit they have missed, ignored, or failed to respond to high-priority security alerts.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;The speed differential&lt;/STRONG&gt; is the core problem. AI-enabled threat actors can now use models to autonomously discover, chain, and exploit vulnerabilities, compressing the window from discovery to exploitation &lt;STRONG&gt;from months to hours&lt;/STRONG&gt;. Attackers leverage generative AI for malware generation, automated vulnerability scanning, customized exploits, password cracking, sophisticated phishing and social engineering, and deepfake-based impersonation of data, email, and voice.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, &lt;STRONG&gt;AI systems themselves introduce novel attack surfaces&lt;/STRONG&gt;. A staggering &lt;STRONG&gt;88% of organizations&lt;/STRONG&gt;, according to a Gartner Peer Community survey of 332 participants, are concerned about indirect prompt injection attacks — where malicious instructions embedded in data manipulate an AI's behavior to reveal confidential information or bypass controls. AI models are also susceptible to fabrications, initially known as hallucinations, in essence biased outputs, and data poisoning — risks that traditional vulnerability management frameworks were never designed to address.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;From an &lt;STRONG&gt;operational standpoint&lt;/STRONG&gt;, SOC analysts already spend &lt;STRONG&gt;nearly three hours per day on incidents&lt;/STRONG&gt;, accumulating costs that reach billions in aggregate. Layering AI-driven attacks on top of this existing overload threatens to break conventional security operations entirely.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft counters the asymmetry with &lt;STRONG&gt;AI-powered defense at cloud scale&lt;/STRONG&gt;, grounded in threat intelligence no single organization could replicate alone. Microsoft processes &lt;STRONG&gt;more than 100 trillion security signals per day&lt;/STRONG&gt; from endpoints, cloud services, identity systems, and the edge, and tracks &lt;STRONG&gt;1,500 unique threat actor groups&lt;/STRONG&gt; — including &lt;STRONG&gt;600 nation-state actors, 300 cybercrime groups, and 200 influence operations groups&lt;/STRONG&gt;. This intelligence feeds directly into detection models and product updates, ensuring customers benefit from patterns observed across billions of users and devices worldwide.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Microsoft Security Copilot&lt;/STRONG&gt; is the most visible expression of this strategy. A generative AI security assistant combining advanced OpenAI models with a Microsoft-developed security-specific model, it helps analysts investigate and remediate incidents in natural language — from triaging complex alerts into actionable summaries, to reverse-engineering malicious scripts, to generating KQL queries for threat hunting. Early deployment data shows that Defender XDR customers using Security Copilot experienced a &lt;STRONG&gt;30% reduction in incident resolution time&lt;/STRONG&gt; in just three months.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For &lt;STRONG&gt;securing AI models themselves&lt;/STRONG&gt;, Microsoft Defender for Cloud now offers &lt;STRONG&gt;AI model security&lt;/STRONG&gt; (in public preview since March 2026), which scans custom AI models in Azure Machine Learning registries and workspaces for embedded malware, unsafe operators, and exposed secrets — integrated directly into CI/CD pipelines so risky models are stopped before reaching production.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The Microsoft Digital Defense Report 2025 reinforced this posture with seven top recommendations, led by managing cyber risk at the boardroom level, prioritizing identity protection, and investing in people alongside tools. Microsoft's approach treats AI threats not as a separate domain but as an intensification of the broader threat landscape that demands coordinated, platform-level defense.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 3: Identity and Access Governance for AI Agents&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;AI is creating an entirely new class of digital actors that most identity systems were never designed to manage.&lt;/STRONG&gt; According to IDC, there will be approximately &lt;STRONG&gt;1.3 billion AI agents&lt;/STRONG&gt; operating across enterprises by 2028. These agents — which range from simple automation bots to fully autonomous decision-making systems — require resource access, generate data, and interact with users and services in ways that fundamentally differ from traditional applications or human users.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Most organizations &lt;STRONG&gt;lack lifecycle management, ownership models, and policy controls&lt;/STRONG&gt; for non-human identities, and AI agents amplify these gaps significantly. Industry analysts argue that AI agents should not be treated as just another non-human identity; they introduce &lt;STRONG&gt;complex delegation chains&lt;/STRONG&gt; between humans, agents, and services that require distinct identity, accountability, and audit models. Traditional human-in-the-loop controls may not scale for agentic systems, yet new identity-centric governance mechanisms are only beginning to emerge.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Compounding the issue, the &lt;STRONG&gt;indeterministic nature of large language models&lt;/STRONG&gt; means that an AI agent with broad access privileges may behave unpredictably — potentially taking actions its developers did not anticipate. Without proper controls, forgotten or orphaned agent identities can become easy targets for attackers, and the resulting security incidents may be difficult to attribute or contain.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft extends its identity-first Zero Trust architecture to AI through &lt;STRONG&gt;Microsoft Entra Agent ID&lt;/STRONG&gt; (in public preview). The core idea: every AI agent receives a &lt;STRONG&gt;unique, first-class identity&lt;/STRONG&gt; — discoverable, manageable, and securable alongside human users, applications, and devices. Once registered, an agent's access can be scoped using the same enterprise-grade controls as any other identity: conditional access policies, role-based access control, lifecycle governance, and risk-based protection.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Conditional Access for Agents&lt;/STRONG&gt; allows organizations to evaluate an agent's context and risk level before granting a token. Policies can enforce controls such as restricting agents to specific network locations or blocking access when risk signals are elevated. Microsoft is also developing&amp;nbsp;&lt;STRONG&gt;RBAC guardrails&lt;/STRONG&gt; specifically tailored to AI agent behaviors, acknowledging that LLM-based agents present heightened risk when granted broad role assignments.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For lifecycle management, Microsoft provides mechanisms for IT administrators to create &lt;STRONG&gt;automated lifecycle policies for agent identities&lt;/STRONG&gt; — including periodic attestation by designated sponsors, automated cleanup of unmonitored agents, and notifications when agent identities approach expiration. This directly addresses the "agent sprawl" problem identified by CISOs and security architects.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At a broader level, &lt;STRONG&gt;Microsoft Agent 365&lt;/STRONG&gt; delivers a unified control plane for agents, aggregating posture, and real-time risk signals from Defender, Entra, and Purview into a single dashboard — providing discovery of both Microsoft and third-party agents, AI posture tracking, and governance controls to delegate remediation tasks to the appropriate teams. The &lt;STRONG&gt;Security Dashboard for AI&lt;/STRONG&gt; (in GA now) answers the executive-level questions: &lt;EM&gt;Which AI assets exist in our environment? What is their current security posture? Where must we take action? —&lt;/EM&gt;&amp;nbsp;covering Microsoft 365 Copilot, Copilot Studio agents, Foundry apps, and third-party AI including Google Gemini, OpenAI ChatGPT, and MCP servers&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 4: Regulatory Compliance and Ethical AI Governance&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;The regulatory landscape for AI is evolving faster than most organizations can track, and the stakes — legal, financial, and reputational — are escalating.&lt;/STRONG&gt; More than &lt;STRONG&gt;52% of business leaders&lt;/STRONG&gt; admit they are unsure how to navigate rapidly evolving AI regulations. Frameworks like the&amp;nbsp;&lt;STRONG&gt;EU AI Act&lt;/STRONG&gt; (whose first obligations took effect on &lt;STRONG&gt;February 2, 2025&lt;/STRONG&gt;), GDPR, and sector-specific rules such as DORA are converging to create a compliance environment that demands continuous adaptation.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;The EU AI Act alone adopts a &lt;STRONG&gt;risk-based approach&lt;/STRONG&gt; to AI regulation, classifying systems by their potential impact on health, safety, and fundamental rights and imposing corresponding obligations for documentation, transparency, human oversight, and testing. Organizations must map every AI deployment to the correct risk category — and misclassification can lead to regulatory violations. Simultaneously, the &lt;STRONG&gt;responsibilities of security leaders are expanding&lt;/STRONG&gt; to include governance and regulatory compliance oversight that traditionally belonged to legal or compliance teams.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The NC State University Executive Perspectives on Top Risks survey of &lt;STRONG&gt;1,540 board members and C-suite executives&lt;/STRONG&gt; ranked &lt;STRONG&gt;regulatory uncertainty and fragmentation&lt;/STRONG&gt; as the eighth-highest near-term risk (2026–2028), and &lt;STRONG&gt;AI implementation risks&lt;/STRONG&gt; as sixth. Among AI-specific concerns, &lt;STRONG&gt;24% of respondents&lt;/STRONG&gt; identified lack of governance and accountability for AI deployments as a top three worry. Culturally, building internal consensus around what constitutes "responsible" AI use — across diverse business units with different risk appetites — remains a persistent organizational challenge.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's &lt;STRONG&gt;Responsible AI program&lt;/STRONG&gt;, anchored by six durable principles established in &lt;STRONG&gt;2018&lt;/STRONG&gt; — Fairness, Reliability &amp;amp; Safety, Privacy &amp;amp; Security, Inclusiveness, Transparency, and Accountability — provides a governance blueprint that has proven stable even as AI technology evolves rapidly. These principles shape design, deployment, and oversight choices across Microsoft's products, and the company shares the lessons openly through its &lt;STRONG&gt;2025 Responsible AI Transparency Report&lt;/STRONG&gt; and customer guidance.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;In preparing for the EU AI Act specifically, Microsoft has taken a &lt;STRONG&gt;proactive, layered approach to compliance&lt;/STRONG&gt;, conducting impact assessments and adversarial red teaming on high-risk models and systems, and extending its Sensitive Uses governance program to ensure additional oversight for the most consequential AI deployments. Microsoft has also documented its approach to EU AI Act implementation to help customers understand how its products and services are being built to comply.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Operationally, the &lt;STRONG&gt;Security Dashboard for AI&lt;/STRONG&gt; provides board-ready analytics and compliance insights, aggregating risk signals across Entra, Defender, and Purview into a single executive view with recommendations and direct remediation paths. This makes AI governance visible and actionable within the same tools security leaders already use for broader risk management.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft also fosters community-driven governance through initiatives like the &lt;STRONG&gt;Security for AI Accelerated Collaboration Forum (ACF)&lt;/STRONG&gt;, which brings together CISOs, security architects, SOC leaders, identity and data owners, and platform engineers to share challenges, shape roadmap priorities, and develop reusable governance frameworks.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 5: Integration Complexity and Workforce Readiness&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Even when the right AI security tools exist, most organizations struggle to integrate them into existing technology stacks and to equip their people to use them effectively.&lt;/STRONG&gt; Among executives surveyed by NC State University, &lt;STRONG&gt;31%&lt;/STRONG&gt; identified integrating AI with existing technologies, business processes, and workforce as a top-three AI concern, &lt;STRONG&gt;29%&lt;/STRONG&gt; pointed to equipping the workforce to realize AI's value proposition, and &lt;STRONG&gt;28%&lt;/STRONG&gt; flagged the inability to deploy AI at a competitive pace.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Years of tool proliferation have left enterprises with fragmented security architectures. Organizations rely on disconnected platforms for endpoint protection, cloud workload security, identity management, and data governance — and AI capabilities are now being added to each domain independently. Microsoft's own research notes that organizations using fragmented platforms across security, compliance, and data teams see &lt;STRONG&gt;exacerbated security outcomes&lt;/STRONG&gt;. When a data loss prevention alert in one system cannot be correlated with an identity anomaly in another, threats slip through.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, AI security as a discipline &lt;STRONG&gt;lacks comprehensive resources and seasoned experts&lt;/STRONG&gt;. Because major cloud AI platforms only became generally available in 2021–2023, organizations must often develop protective measures without much external guidance or established precedent. The cybersecurity workforce shortage is well documented; the additional demand for professionals who understand both machine learning and security compounds it further.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The broader threat environment amplifies the urgency: cyberthreats have grown &lt;STRONG&gt;5X&lt;/STRONG&gt; in scale, Microsoft now tracks over &lt;STRONG&gt;1,500 threat actor groups&lt;/STRONG&gt; (up from roughly 300 just a few years ago), and the median time for an attacker to access confidential data after a successful phishing attack is just &lt;STRONG&gt;1 hour 12 minutes&lt;/STRONG&gt;. Teams that cannot integrate and respond quickly are structurally disadvantaged.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's primary answer to integration complexity is a &lt;STRONG&gt;unified, cloud-native security platform&lt;/STRONG&gt; in which AI, identity, data governance, and threat protection work as a coordinated system. Security Copilot, for instance, is embedded within and integrates across &lt;STRONG&gt;Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and Microsoft Purview&lt;/STRONG&gt;. An analyst can use a single natural language interface to investigate incidents drawing on data from any of these products, generate remediation steps, build reports for stakeholders, and automate routine tasks with autonomous Security Copilot agents — all without switching consoles.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The inclusion of Security Copilot in &lt;A href="https://learn.microsoft.com/en-us/copilot/security/security-copilot-inclusion" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft 365 E5 and E7&lt;/STRONG&gt;&lt;/A&gt; licensing simplifies adoption further. Customers receive &lt;STRONG&gt;a monthly allocation of SCUs or Secure Computing Units to empower Security Copilot&lt;/STRONG&gt;, eliminating the need for separate AI security procurement. This positions integrated, agentic AI-powered security as a default capability rather than an add-on.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For &lt;STRONG&gt;endpoint-level visibility into AI agent sprawl&lt;/STRONG&gt;, Microsoft Defender for Endpoint now automatically discovers supported AI coding agents on onboarded Windows 11 devices — including OpenClaw, Claude Code, Codex, Cursor, GitHub Copilot CLI, ChatGPT Desktop, Gemini CLI, and others — and surfaces them in the Defender portal inventory for investigation and correlation with existing device telemetry.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;On &lt;STRONG&gt;workforce enablement&lt;/STRONG&gt;, Microsoft operates the &lt;STRONG&gt;Security Copilot Adoption Hub&lt;/STRONG&gt;, which provides role-specific guidance for CISOs, threat intelligence analysts, IT admins, and data security administrators on how to embed AI into their daily workflows. The broader Microsoft Learn platform now offers modules on securing AI applications and responsible AI governance.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's role here is as a &lt;STRONG&gt;force multiplier&lt;/STRONG&gt;: by consolidating tools, reducing integration burden, and actively investing in customer readiness, Microsoft enables organizations to convert AI from a source of complexity into an operational advantage — without leaving security behind.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Conclusion: Turning AI Security into Competitive Advantage&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;The five challenges examined here — &lt;STRONG&gt;data exposure, adversarial threats, identity sprawl, regulatory uncertainty, and integration complexity&lt;/STRONG&gt; — will only intensify as AI adoption accelerates. Yet for organizations that address them proactively, the payoff extends well beyond risk mitigation. Robust AI security has become a source of trust with customers and regulators, a prerequisite for bold innovation, and a differentiator in markets where competitors may still be scrambling to catch up.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's contribution is structural: an integrated platform where identity, data governance, threat intelligence, and compliance converge — backed by principles of Responsible AI that have remained durable since 2018 and by threat visibility at a scale (more than &lt;STRONG&gt;100 trillion signals per day&lt;/STRONG&gt;, &lt;STRONG&gt;1,500+ tracked threat actor groups&lt;/STRONG&gt;) that no single enterprise can replicate. For executive leadership, the actionable imperative is to treat AI security not as a technical footnote but as a boardroom priority — one that spans the CIO, CISO, Chief Data Officer, and business-unit leaders working together. As Microsoft's own AI security guidance articulates, cross-team collaboration, employee training, and transparent governance are just as essential as firewalls and encryption in building a secure AI future. The organizations that internalize this lesson will be those best positioned to harness AI's full potential — securely, responsibly, and at scale.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Tech Resources:&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/?msockid=135fb85555cc6d1923eeaead54046cc6" target="_blank" rel="noopener"&gt;Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/microsoft-cloud/blog/2025/04/23/securing-ai-navigating-risks-and-compliance-for-the-future/" target="_blank" rel="noopener"&gt;Securing AI and Navigating risks and compliance for the future&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/entra/agent-id/identity-professional/microsoft-entra-agent-identities-for-ai-agents" target="_blank" rel="noopener"&gt;Entra agent Identities for AI agents&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/security/security-for-ai/security-dashboard-for-ai" target="_blank" rel="noopener"&gt;Secure Dashboard for AI&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/faq-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot FAQ&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 22 May 2026 21:14:55 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/redefining-security-for-an-ai-driven-world/ba-p/4521961</guid>
      <dc:creator>edgarus71</dc:creator>
      <dc:date>2026-05-22T21:14:55Z</dc:date>
    </item>
    <item>
      <title>Build a Local Microsoft Sentinel Triage Agent in VS Code (Copilot + MCP)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/build-a-local-microsoft-sentinel-triage-agent-in-vs-code-copilot/ba-p/4520486</link>
      <description>&lt;P&gt;Modern SOC work is not limited by data—it’s limited by the friction of collecting it. This post shows a local-first workflow that lets you investigate Microsoft Sentinel incidents from inside VS Code using GitHub Copilot Chat for reasoning and a small, deterministic MCP toolset for evidence retrieval and (optionally) approval-gated writeback.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What you’ll take away:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;How to structure a Copilot + MCP triage loop that stays grounded in Azure evidence&lt;/LI&gt;
&lt;LI&gt;A reliability pattern: fall back to KQL when Sentinel subresource APIs are flaky&lt;/LI&gt;
&lt;LI&gt;A safety pattern: draft-first, explicit-approval writeback for incident comments&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Why This Exists&lt;/H2&gt;
&lt;P&gt;Sentinel triage is powerful but fragmented: you jump between the portal, KQL, entity pivots, and case notes just to answer “what happened?” The goal here is to collapse that into a single, repeatable loop inside the editor.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Resolve the incident and pull the underlying alerts/entities&lt;/LI&gt;
&lt;LI&gt;Pivot into AzureActivity (and other logs) to identify the actor and outcome&lt;/LI&gt;
&lt;LI&gt;Use threat intelligence (TI) for context—not as the decision&lt;/LI&gt;
&lt;LI&gt;Generate an evidence-backed narrative and draft comment; write back only on explicit approval&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Design Principles&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Evidence first:&lt;/STRONG&gt; every claim must be traceable to Sentinel APIs or Log Analytics results&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Small tool surface:&lt;/STRONG&gt; fewer tools, clearer prompting, easier hardening&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reliability by design:&lt;/STRONG&gt; if one API path fails, pivot to KQL and continue&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safety boundary:&lt;/STRONG&gt; investigation and writeback are separate, and writeback is approval-gated&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Architecture &amp;amp; Data Flow&lt;/H2&gt;
&lt;P&gt;A local TypeScript MCP server exposes a handful of triage tools to Copilot Chat in VS Code. Reads come from Sentinel + Log Analytics; writes (incident comments) are optional and require explicit approval.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Copilot Chat (VS Code)&lt;/STRONG&gt; decides the next step and summarizes outputs&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;MCP server&lt;/STRONG&gt; executes allowed tools: incident lookup, alert/entity retrieval, KQL queries, optional comment writeback&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Evidence sources&lt;/STRONG&gt;: Sentinel Incident APIs + Log Analytics tables (SecurityIncident, SecurityAlert, AzureActivity, TI tables)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safety gate&lt;/STRONG&gt;: writeback happens only after explicit approval; otherwise you get a draft&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Tool Surface&lt;/H2&gt;
&lt;P&gt;MCP is useful here because it separates reasoning from execution: Copilot can decide &lt;EM&gt;what&lt;/EM&gt; to do, but only the MCP server can do it—and only through tools you explicitly define and can audit.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;list_incidents&lt;/STRONG&gt; / &lt;STRONG&gt;get_incident&lt;/STRONG&gt; (ground the case)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;get_incident_alerts&lt;/STRONG&gt; / &lt;STRONG&gt;get_incident_entities&lt;/STRONG&gt; (fast path)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;run_incident_kql&lt;/STRONG&gt; (reliable fallback + pivots)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;add_incident_comment&lt;/STRONG&gt; (draft-first; writes only with approval)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;The Investigation Loop (3 Steps)&lt;/H2&gt;
&lt;H3&gt;Prompt used&lt;/H3&gt;
&lt;LI-CODE lang="powershell"&gt;@sentinel-triage-local Investigate Sentinel incident 1478 end to end in workspace Subscription ID/Resource Group/Workspace Name. Resolve the incident ID first, collect underlying alerts and entities, enrich with AzureActivity and TI, determine whether the activity is malicious or benign, and return:
1. Investigation summary
2. Key evidence
3. Entity analysis
4. TI enrichment result
5. Risk assessment
6. Recommended disposition
7. Final incident comment draft
Rules:
- Use tool output only, no guessing.
- If alert/entity subresource APIs fail, pivot to KQL and continue.
- Do not submit the comment unless I explicitly say: APPROVE COMMENT.
&lt;/LI-CODE&gt;
&lt;H3&gt;1) Ground the incident&lt;/H3&gt;
&lt;P&gt;Resolve the human-friendly incident number to the Sentinel incident resource ID, then capture the metadata you need to drive every later pivot.&lt;/P&gt;
&lt;P&gt;Incident numbers are convenient for analysts, but the actual investigation flow depends on the underlying incident resource ID. Resolving that first gives the workflow a concrete anchor for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Title&lt;/LI&gt;
&lt;LI&gt;Severity&lt;/LI&gt;
&lt;LI&gt;Owner&lt;/LI&gt;
&lt;LI&gt;Status&lt;/LI&gt;
&lt;LI&gt;Alert count&lt;/LI&gt;
&lt;LI&gt;Analytic rule IDs&lt;/LI&gt;
&lt;LI&gt;Incident URL&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This gives you the stable identifiers (and the URL) needed to retrieve alerts, entities, and supporting logs.&lt;/P&gt;
&lt;H3&gt;2) Collect alerts and entities (fast path)&lt;/H3&gt;
&lt;P&gt;Pull the alerts behind the incident and the entities they reference. When the incident subresource APIs behave, this is the fastest way to assemble the working set.&lt;/P&gt;
&lt;P&gt;In the ideal path, the agent can call the incident alert and entity subresources directly. That gives fast access to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Alert IDs&lt;/LI&gt;
&lt;LI&gt;Alert names&lt;/LI&gt;
&lt;LI&gt;Timestamps&lt;/LI&gt;
&lt;LI&gt;Severities&lt;/LI&gt;
&lt;LI&gt;Entities&lt;/LI&gt;
&lt;LI&gt;Provider metadata&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;3) Stay reliable: pivot to KQL when APIs fail&lt;/H3&gt;
&lt;P&gt;In real environments, the incident subresource APIs for alerts/entities are not always dependable. When they fail, the workflow switches to Log Analytics and reconstructs the same evidence via KQL—so the investigation continues.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;SecurityIncident&lt;/STRONG&gt; to recover the incident record and alert IDs&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SecurityAlert&lt;/STRONG&gt; to retrieve alert details and entities&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AzureActivity&lt;/STRONG&gt; to determine who or what performed the operation&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ThreatIntelligenceIndicator&lt;/STRONG&gt; and &lt;STRONG&gt;ThreatIntelIndicators&lt;/STRONG&gt; for enrichment&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;The High-Signal Pivot: AzureActivity&lt;/H2&gt;
&lt;P&gt;In the incidents I tested, AzureActivity was the fastest way to classify “suspicious deployment” alerts: it tells you who did the action, what operation ran, and whether it succeeded.&lt;/P&gt;
&lt;P&gt;The evidence showed:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The caller was a single Microsoft Entra ID object ID&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Claims_d.idtyp&lt;/STRONG&gt; = "app"&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Authorization_d.evidence.principalType&lt;/STRONG&gt; = "ServicePrincipal"&lt;/LI&gt;
&lt;LI&gt;The activity was tied to a policy assignment&lt;/LI&gt;
&lt;LI&gt;The operation was &lt;STRONG&gt;MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;The result was &lt;STRONG&gt;BadRequest&lt;/STRONG&gt; with &lt;STRONG&gt;InvalidTemplate&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;That pattern typically points to automation (service principal + policy-driven deployment) failing due to a bad template—not an interactive attacker.&lt;/P&gt;
&lt;H2&gt;Threat Intelligence: Use It as Context&lt;/H2&gt;
&lt;P&gt;Enrich observables against TI, but treat it as corroboration: a hit is not proof, and a miss is not a clean bill of health. In my test runs, TI mainly helped refine confidence after AzureActivity and alert evidence established the likely story.&lt;/P&gt;
&lt;H2&gt;Output: An Evidence-Backed Narrative (and a Draft Comment)&lt;/H2&gt;
&lt;P&gt;Once the tools return results, Copilot’s job is synthesis: turn structured evidence into a short narrative an analyst can paste into the case.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What happened, who/what triggered it, and whether it succeeded&lt;/LI&gt;
&lt;LI&gt;Key supporting evidence (alerts, entities, AzureActivity pivots, TI context)&lt;/LI&gt;
&lt;LI&gt;A recommended disposition and a draft incident comment&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Incident comment written back automatically (after approval) (screenshot):&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;Safety + Reliability: Approval-Gated Writeback&lt;/H2&gt;
&lt;P&gt;The agent can draft a comment automatically, but it cannot change incident state unless the analyst explicitly approves. That boundary is what makes the workflow usable in real operations.&lt;/P&gt;
&lt;P&gt;After approval, the tool submits the drafted comment directly to the Sentinel incident so the portal reflects the same evidence-backed narrative.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Default:&lt;/STRONG&gt; return the draft comment only&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;On approval:&lt;/STRONG&gt; acquire an ARM token via Azure CLI and submit via curl.exe (hardened with validation + retries)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Why This Is Worth Building&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Less context switching:&lt;/STRONG&gt; investigation happens where you already work&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;More consistency:&lt;/STRONG&gt; the same loop runs every time, with deterministic tools&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Better classification:&lt;/STRONG&gt; AzureActivity pivots reduce false “user did X” assumptions&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safer automation:&lt;/STRONG&gt; drafts are automatic; writes are explicit and auditable&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;AI is most useful in a SOC when it is constrained: deterministic tools fetch the evidence, the model synthesizes it, and humans keep control of state changes. A local Copilot + MCP workflow hits that sweet spot—faster triage for the SOC analysts.&lt;/P&gt;
</description>
      <pubDate>Mon, 18 May 2026 04:28:02 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/build-a-local-microsoft-sentinel-triage-agent-in-vs-code-copilot/ba-p/4520486</guid>
      <dc:creator>absharan</dc:creator>
      <dc:date>2026-05-18T04:28:02Z</dc:date>
    </item>
    <item>
      <title>TLS Certificate Pinning and Best Practices in Azure Open-Source Relational Databases</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tls-certificate-pinning-and-best-practices-in-azure-open-source/ba-p/4519531</link>
      <description>&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;TLS certificate pinning in &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Azure Database for PostgreSQL and MySQL&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Transport Layer Security (TLS)&lt;/STRONG&gt; encrypts data in transit between client applications and the server, and authenticates the service endpoint to the client during the handshake.&lt;/P&gt;
&lt;P&gt;Azure Database server certificates are issued by well-known trusted public Certificate Authorities (CAs), including Microsoft-issued certificates, and are validated by clients during the TLS handshake. Customers do not manage certificates on the server side.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning" target="_blank" rel="noopener"&gt;Certificate pinning&lt;/A&gt; is a client-side security technique where an application restricts trust to a specific certificate, for example by thumbprint, public key, or CA, rather than relying solely on the default OS or platform trust store. The trust store contains pre-installed root CAs and may also include additional certificates configured by the client. During standard TLS validation, the client will trust any server certificate that chains to one of those root CAs.&lt;/P&gt;
&lt;P&gt;When pinning is used, the client will only connect if the presented certificate chain matches exactly what it expects. However, the server has no visibility into whether pinning is configured on the client, and any certificate change (even a valid one) can cause connection failures.&lt;/P&gt;
&lt;H2 aria-level="1"&gt;Why detecting TLS certificate pinning is not possible by design&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Certificate pinning is entirely client-side logic.&lt;/STRONG&gt; From the server’s perspective, the client either completes the TLS handshake or aborts it. The server never sees:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Which certificate(s) the client trusts&lt;/LI&gt;
&lt;LI&gt;Whether the client is comparing the root CA, intermediate CA, leaf certificate or SPKI hash&lt;/LI&gt;
&lt;LI&gt;Whether the trust decision was static or dynamic&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;TLS is designed so that trust evaluation happens entirely on the client, which is why the server has no visibility into the client’s software configuration or pinning behavior. If the client rejects the certificate (for example, due to pinning or trust validation failures), the connection is terminated before any application-level error or authentication occurs.&lt;/P&gt;
&lt;P&gt;What the server can observe is limited to TLS handshake failure patterns, the negotiated TLS protocol version, and the negotiated cipher suite.&lt;/P&gt;
&lt;H2&gt;TLS certificates in Azure OSS databases vs Azure SQL&lt;/H2&gt;
&lt;P&gt;The way TLS certificates are handled in Azure OSS databases versus Azure SQL is a core architectural difference.&lt;/P&gt;
&lt;P&gt;In Azure SQL (including Azure SQL Database and Azure SQL Managed Instance), the database engine does not directly present a certificate bound to a specific server or host instance. Instead, client connections terminate at a service-managed endpoint. This abstraction allows certificates to be issued and rotated centrally by the service.&lt;/P&gt;
&lt;P&gt;From the client’s perspective, it connects to a service-level endpoint (for example, &amp;lt;server&amp;gt;.database.windows.net), and the certificate chain represents the Azure SQL service rather than a specific machine. Clients are expected to trust the platform CA chain and validate the hostname. As a result, certificate pinning is generally not feasible or useful for Azure SQL, because the TLS endpoint is abstracted and managed by the service.&lt;/P&gt;
&lt;P&gt;This is also why Azure SQL client configuration guidance emphasizes using Encrypt=True and TrustServerCertificate=False, ensuring that clients rely on standard TLS validation against the platform-managed certificate chain.&lt;/P&gt;
&lt;P&gt;In contrast, Azure Database for PostgreSQL and MySQL expose a more traditional, database engine–level TLS surface where clients directly validate the server certificate chain, making certificate pinning possible. TLS is negotiated by the database engine itself, and the server presents a certificate chain anchored in public or regional certificate authorities.&lt;/P&gt;
&lt;P&gt;This results in a fundamentally different trust model. In Azure OSS databases, TLS trust is primarily client-managed, whereas in Azure SQL it is platform-managed. While OSS customers have greater control over certificate validation, they are also responsible for appropriately managing trust configuration. Misconfigurations or overly rigid validation, such as pinning specific certificates, can increase operational risk, particularly during certificate rotations.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;One of the most common complications during certificate rotations is certificate pinning.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2 aria-level="1"&gt;Why certificate pinning is risky&lt;/H2&gt;
&lt;P&gt;While certificate pinning was historically used to reduce the risk of man-in-the-middle attacks, it introduces significant operational fragility in cloud environments, particularly during certificate rotations.&lt;/P&gt;
&lt;P&gt;Server certificates and certificate authorities (CAs) must be rotated periodically to maintain security and compliance. In Azure Database for PostgreSQL and MySQL, &lt;STRONG&gt;when certificate pinning is used&lt;/STRONG&gt;, clients bind trust to a specific certificate or CA. As a result, &lt;STRONG&gt;any change to the server certificate chain—including CA updates—can cause connection failures&lt;/STRONG&gt;, even when the new certificates are fully valid and secure.&lt;/P&gt;
&lt;H2 aria-level="1"&gt;Recommended TLS certificate trust model for Azure OSS databases&lt;/H2&gt;
&lt;P&gt;Instead of pinning, adopt a CA-based trust model that allows certificates to change safely.&lt;/P&gt;
&lt;H3 aria-level="2"&gt;Trust root CAs, not individual certificates&lt;/H3&gt;
&lt;P&gt;Configure clients to use standard TLS validation against Azure-documented root CAs, rather than restricting trust to specific certificates or a narrowly scoped set of certificate authorities. Avoid configurations that effectively implement certificate pinning—such as trusting only a single certificate, public key, or limited CA set—unless explicitly required.&lt;/P&gt;
&lt;H3 aria-level="2"&gt;Maintain a flexible and up-to-date trust store&lt;/H3&gt;
&lt;P&gt;Clients rely on a trust store, key store, or equivalent certificate bundle to validate server certificates during TLS negotiation. While the exact format and configuration vary by client and environment, the same core principles apply across PostgreSQL and MySQL implementations.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Include the appropriate root and intermediate certificate authorities (CAs) required to validate the server certificate chain&lt;/LI&gt;
&lt;LI&gt;Ensure that trust stores are periodically reviewed and updated in line with provider guidance and announced certificate authority changes&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For the current TLS certificates, visit the &lt;A href="https://learn.microsoft.com/en-us/azure/postgresql/security/security-tls" target="_blank" rel="noopener"&gt;Azure Database for PostgreSQL documentation&lt;/A&gt; and the &lt;A href="https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-tls" target="_blank" rel="noopener"&gt;Azure Database for MySQL documentation&lt;/A&gt;.&lt;/P&gt;
&lt;H3 aria-level="2"&gt;Use certificate validation modes that rely on standard CA-based trust rather than pinning&lt;/H3&gt;
&lt;P&gt;For &lt;STRONG&gt;PostgreSQL&lt;/STRONG&gt; client configurations, prefer:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;sslmode=verify-ca&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates the server certificate chain against trusted&amp;nbsp;CAs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;sslmode=verify-full&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Verifies CA and hostname match&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;MySQL &lt;/STRONG&gt;client&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;configurations, prefer:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ssl-mode=VERIFY_CA&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates the server certificate chain against trusted&amp;nbsp;CAs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ssl-mode=VERIFY_IDENTITY&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates CA&amp;nbsp;and&amp;nbsp;hostname (like PostgreSQL verify-full)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These modes ensure that clients&amp;nbsp;validate&amp;nbsp;the&amp;nbsp;server&amp;nbsp;certificate chain against trusted&amp;nbsp;CAs, and in stricter modes, verify hostname identity. They do not imply certificate pinning by themselves. They rely on standard CA-based trust.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Configurations only become rigid when trust is narrowly restricted,&amp;nbsp;such&amp;nbsp;as to&amp;nbsp;a single certificate or limited CA set,&amp;nbsp;often through custom or overly constrained trust stores. This effectively introduces certificate pinning.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When properly configured, these modes authenticate the service endpoint and protect against spoofing, while&amp;nbsp;remaining&amp;nbsp;resilient to certificate rotations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Maintain a combined&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;&amp;nbsp;CA&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;&amp;nbsp;during&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;certificate&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;rotations&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure may rotate root or intermediate&amp;nbsp;CAs&amp;nbsp;over time.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;When Azure announces a CA&amp;nbsp;rotation:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Add&amp;nbsp;the&amp;nbsp;new root&amp;nbsp;and intermediate CAs&amp;nbsp;to&amp;nbsp;the client&amp;nbsp;trust store before the rotation&amp;nbsp;begins&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Retain&amp;nbsp;existing root&amp;nbsp;or intermediate&amp;nbsp;CAs&amp;nbsp;until the transition is&amp;nbsp;fully&amp;nbsp;complete&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Avoid removing older&amp;nbsp;certificates&amp;nbsp;prematurely&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This combined CA approach, using both the current and upcoming certificate authorities during the transition window, allows clients to continue&amp;nbsp;validating&amp;nbsp;the&amp;nbsp;server&amp;nbsp;certificate chain without interruption.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="auto"&gt;As you review your current client configurations, ensure your applications rely on CA-based trust, avoid overly restrictive certificate configurations such as certificate pinning, and are prepared to handle routine certificate rotations without disruption.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jun 2026 13:42:38 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tls-certificate-pinning-and-best-practices-in-azure-open-source/ba-p/4519531</guid>
      <dc:creator>TameikaL</dc:creator>
      <dc:date>2026-06-15T13:42:38Z</dc:date>
    </item>
    <item>
      <title>Check This Out! (CTO!) Guide (April 2026)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-april-2026/ba-p/4519149</link>
      <description>&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/users/tysonpaul/322025" data-lia-auto-title="Member: TysonPaul | Microsoft Community Hub" data-lia-auto-title-active="0" target="_blank"&gt;Member: TysonPaul | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/announcing-public-preview-for-essential-machine-management/4502721" target="_blank" rel="noopener noreferrer"&gt;Announcing Public Preview for Essential Machine Management&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/meagan%20mccrory/73917" target="_blank" rel="noopener noreferrer"&gt;Meagan McCrory&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced the public preview of Essential Machine Management within Azure’s Compute Infrastructure Hub. This new feature streamlines onboarding and management of servers and VMs across Azure and multi-cloud environments by enabling core capabilities like monitoring, updates, inventory, and configuration at the subscription level. It offers out-of-the-box best practices, automatic enrollment, and consistent operational coverage. Azure VMs and certain Arc-enabled servers can use these features at no extra cost, while other Arc-enabled servers will be charged $9 per server per month once billing begins. The preview is available in the Azure Portal.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/new-local-management-group-for-alz--updated-sovereign-policies-for-slz/4515156" target="_blank" rel="noopener noreferrer"&gt;New Local Management Group for ALZ &amp;amp; Updated Sovereign Policies for SLZ&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jtracey93msft/1418804" target="_blank" rel="noopener noreferrer"&gt;jtracey93msft&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced a new ‘Local’ Management Group in both Azure Landing Zone (ALZ) and Sovereign Landing Zone (SLZ) architectures to better govern Azure Local workloads and facilitate exit planning to Azure Local disconnected operations. Additionally, SLZ now uses new built-in policy initiatives aligned to sovereign control levels 1 (Data Residency), 2 (Encryption-at-Rest/Transit), and 3 (Encryption-in-Use), replacing previous broad baselines for clearer mapping, simplified compliance, and reduced maintenance. These updates improve governance, portability, and policy alignment for customers with sovereignty or resiliency requirements.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/copilot-agents-are-scaling-faster-than-most-organizations-expected/4510366" target="_blank" rel="noopener noreferrer"&gt;Copilot agents are scaling faster than most organizations expected&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/17/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how Copilot agents are being adopted rapidly across organizations, moving from small pilots to broader enterprise use. While early adoption is smooth, scaling introduces new challenges, such as overlapping efforts, unclear ownership, and the need for coordination. The focus shifts from building agents to managing them effectively at scale, requiring clear frameworks and leadership alignment. Microsoft recommends a CIO-level framework to address these issues, helping organizations balance experimentation with coherence and guide responsible growth as Copilot agents become integral to business operations.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/copilot-chat-in-financial-services-is-productivity-moving-faster-than-policy/4510910" target="_blank" rel="noopener noreferrer"&gt;Copilot Chat in financial services: Is productivity moving faster than policy?&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how financial services organizations adopting Copilot Chat are experiencing increased productivity, but this rapid progress is challenging existing governance and compliance policies. As usage expands beyond initial experimentation, leaders are seeking structured approaches to ensure responsible, repeatable adoption without increasing risk. Microsoft 365 Accelerator offers a planning kit to help organizations scale Copilot Chat while maintaining oversight, audit readiness, and governance, focusing on decision-making and risk management rather than just features. The article invites readers to reflect on their experiences and consider how to balance productivity with regulatory requirements.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/flexible-cooling-for-ai-growth-how-zonal-architecture-supports-diverse-hardware-/4514042" target="_blank" rel="noopener noreferrer"&gt;Flexible Cooling for AI Growth: How Zonal Architecture Supports Diverse Hardware Needs&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/stsolo/3447054" target="_blank" rel="noopener noreferrer"&gt;stsolo&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is introducing zonal cooling in its next-generation AI datacenters to address the diverse cooling needs of modern hardware, particularly AI accelerators requiring liquid cooling and general-purpose equipment relying on air cooling. Zonal cooling uses multiple independent water loops at different temperatures, improving energy efficiency, reducing carbon emissions, and supporting higher server density. This flexible architecture adapts to evolving hardware requirements, enhances performance, and aligns with Microsoft’s sustainability goals. Facility-level zonal cooling is expected to reduce Power Usage Effectiveness (PUE) by up to 10%, making datacenters more efficient and future-ready.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/running-diffusion-models-at-scale-on-aks/4513687" target="_blank" rel="noopener noreferrer"&gt;Running Diffusion Models at Scale on AKS&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/prabaldeb/3248371" target="_blank" rel="noopener noreferrer"&gt;PrabalDeb&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/29/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines best practices for running diffusion models at scale on Azure Kubernetes Service (AKS). It emphasizes separating API, dispatch, and GPU execution layers for flexible scaling, security, and observability. Key recommendations include isolating GPU workloads, leveraging Kubernetes-native or Service Bus/KEDA-based dispatch, using persistent storage for model caching, enforcing strong identity and secrets management, and instrumenting both application and hardware metrics. The architecture supports scalable, secure, and automated deployments, making AKS a robust platform for production-grade diffusion workloads beyond simple model hosting. Alternatives like KAITO suit less-customized scenarios.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/containers/announcing-log-monitor-v2-2-0-release-candidate/4511286" target="_blank" rel="noopener noreferrer"&gt;Announcing Log Monitor v2.2.0 Release Candidate&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/containers" target="_blank" rel="noopener noreferrer"&gt;Containers&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/bob_sira/2927623" target="_blank" rel="noopener noreferrer"&gt;Bob_Sira&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Log Monitor v2.2.0 Release Candidate introduces a switch from Boost.JSON to the lightweight nlohmann/json library, reducing dependencies and build complexity while remaining backward compatible. This version adds an IIS on AKS deployment example, fixes several configuration parsing bugs, and addresses a path traversal vulnerability. The build system now uses CMake and vcpkg. Upgrading from v2.1.x requires no config changes, but output paths have changed. Updated CI/CD pipelines support the new dependency. Release binaries and documentation are available on GitHub, and user feedback is encouraged.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/containers/simplifying-gmsa-for-windows-containers-on-aks-open-source-tooling-now-available/4512167" target="_blank" rel="noopener noreferrer"&gt;Simplifying gMSA for Windows Containers on AKS: Open-Source Tooling Now Available&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/containers" target="_blank" rel="noopener noreferrer"&gt;Containers&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/natashapolito/1956890" target="_blank" rel="noopener noreferrer"&gt;natashapolito&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has released an open-source tool, available on GitHub, to simplify configuring Group Managed Service Accounts (gMSA) for Windows containers on Azure Kubernetes Service (AKS). This tooling helps organizations modernize Active Directory-dependent Windows applications for Kubernetes without major code changes, enabling secure AD authentication without domain-joined nodes. The repository includes a PowerShell module, automation scripts, and documentation to streamline gMSA setup and validation. Aimed at teams running or modernizing AD-integrated workloads on AKS, the tool reduces manual configuration and invites community feedback to further improve usability.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/so-you%E2%80%99ve-disabled-windows-hello-for-business-but-the-user-can-still-sign-in-usi/4509318" target="_blank" rel="noopener noreferrer"&gt;So, You’ve disabled Windows Hello for Business, but the User can still Sign-in using a PIN&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/brentcrummey/1728711" target="_blank" rel="noopener noreferrer"&gt;BrentCrummey&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Disabling Windows Hello for Business (WHfB) via Intune or Group Policy does not remove a user’s existing PIN sign-in if it was previously provisioned. The PIN option remains, and its removal button is greyed out due to policy design. To fully remove WHfB PIN sign-in, the user must manually delete their Windows Hello container using “certutil.exe -deleteHelloContainer,” after which they cannot re-enroll as long as the policy is disabled. This behavior is expected and documented by Microsoft.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/troubleshooting-tpm-certificate-how-to-fix-the-missing-stored-keyset-error/4515646" target="_blank" rel="noopener noreferrer"&gt;Troubleshooting TPM Certificate: How to Fix the "Missing Stored Keyset" Error&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/mdhabibnawaz/1129389" target="_blank" rel="noopener noreferrer"&gt;mdhabibnawaz&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains the "missing stored keyset" error in TPM certificates, which occurs when applications can’t access necessary keys due to corrupted registry entries, permission issues, or misconfiguration. It provides a step-by-step troubleshooting guide: updating Windows and TPM firmware, verifying TPM status, checking certificate keysets, repairing certificates, resetting permissions, and re-enrolling certificates if needed. The article emphasizes maintaining backups, staying updated, and consulting official documentation or support if problems persist, highlighting the importance of proper TPM management for system security.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/ahead-helps-us-launch-the-strategic-azure-storage-services-partner-program/4516355" target="_blank" rel="noopener noreferrer"&gt;AHEAD helps us launch the Strategic Azure Storage Services Partner Program&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/karautenmsft/70874" target="_blank" rel="noopener noreferrer"&gt;karautenMSFT&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; AHEAD, a premier Microsoft Cloud and AI Partner, has helped launch the Strategic Azure Storage Services Partner (SASS) Program, leveraging its extensive expertise in infrastructure, storage, and cloud solutions. AHEAD provides assessments, migration services, and access to best-of-breed ISV partners, ensuring Azure Storage customers receive optimal solutions for their needs. With over 1,000 Microsoft certifications and global reach, AHEAD delivers tailored guidance and implementation, driving innovation and resiliency for Azure users. Their collaboration has shaped the SASS channel strategy, benefiting customers with enhanced consulting, design, and migration services.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/prefix-scoped-access-for-user-delegation-sas-is-now-generally-available-for-azur/4516010" target="_blank" rel="noopener noreferrer"&gt;Prefix-scoped access for User Delegation SAS is now generally available for Azure Blob Storage&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/despindola/3471420" target="_blank" rel="noopener noreferrer"&gt;despindola&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Prefix-scoped access for User Delegation SAS is now generally available in all Azure regions for Azure Blob and Data Lake Storage. This feature allows administrators to grant access to all blobs within a specific prefix or virtual directory, rather than at the container or individual blob level. This simplifies permission management, especially for multi-tenant or organized data structures, and reduces the need for multiple tokens. Prefix-scoped SAS incurs no additional cost and is supported in the latest REST API and .NET SDK versions. Microsoft recommends using prefix-scoped SAS for more granular access control when SAS is required.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/filecab/announcing-native-powershell-tooling-for-refs-snapshots/4516377" target="_blank" rel="noopener noreferrer"&gt;Announcing Native PowerShell Tooling for ReFS Snapshots&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/filecab" target="_blank" rel="noopener noreferrer"&gt;Storage at Microsoft&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/christina_curlette/3352446" target="_blank" rel="noopener noreferrer"&gt;Christina_Curlette&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has released an open-source PowerShell module for native ReFS snapshot management, streamlining scripting and automation tasks. The module wraps the refsutil streamsnapshot utility, offering cmdlets for creating, listing, deleting, comparing, restoring, and exporting file-level snapshots with pipeline support and structured error handling. Designed for Windows Server 2019+ and Windows 10+, it simplifies operational safety, automated comparison, maintenance, and development workflows. Documentation and examples are available on GitHub, enabling easier integration of ReFS snapshots into PowerShell-based storage management.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/public-preview-managed-identity-support-for-graphical-session-recording/4513139" target="_blank" rel="noopener noreferrer"&gt;Public Preview: Managed Identity support for graphical session recording&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/aarontsang/2719570" target="_blank" rel="noopener noreferrer"&gt;aarontsang&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Bastion now supports managed identities for graphical session recording in public preview. This feature allows Bastion to authenticate directly to an Azure storage account for saving session recordings using either a system-assigned or user-assigned managed identity, eliminating the need for manual credential management. Authentication is handled via Microsoft Entra ID, simplifying setup and aligning with Zero Trust principles. Administrators can centrally control access with Azure RBAC, streamlining management across multiple deployments. To use this feature, enable managed identity, assign appropriate roles, and configure the storage account as outlined in the Azure Portal.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/general-availability-of-default-ruleset-drs-2-2-for-web-application-firewall/4515762" target="_blank" rel="noopener noreferrer"&gt;General availability of Default Ruleset (DRS) 2.2 for Web Application Firewall&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/andrewmathu/1367090" target="_blank" rel="noopener noreferrer"&gt;andrewmathu&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/29/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Web Application Firewall (WAF) now supports Default Rule Set (DRS) 2.2 for Azure Front Door and Application Gateway, offering enhanced security based on OWASP CRS 3.3.4 and Microsoft Threat Intelligence. DRS 2.2 improves detection for web vulnerabilities, reduces false positives with configurable paranoia levels, and provides broader, modern protection. Upgrading resets customizations, so planning is advised. DRS 2.2 delivers consistent and advanced security for internet-facing applications, enabling organizations to better defend against evolving threats while maintaining operational flexibility.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/join-us-at-microsoft-azure-infra-summit-2026-for-deep-technical-azure-infrastruc/4509368" target="_blank" rel="noopener noreferrer"&gt;Join us at Microsoft Azure Infra Summit 2026 for deep technical Azure infrastructure content&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pierre_roman/140097" target="_blank" rel="noopener noreferrer"&gt;Pierre_Roman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Azure Infra Summit 2026 is a free, virtual event for IT professionals, platform engineers, SREs, and infrastructure teams, held May 19-21, 2026. Focused on advanced, engineering-led sessions (L300-400), it offers deep technical content on Azure infrastructure topics like hybrid operations, networking, storage, observability, and governance. The event emphasizes practical guidance, real-world examples, and peer-to-peer learning, aiming to equip attendees with actionable insights for building and operating Azure environments. Register at https://aka.ms/MAIS-Reg.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/internet-information-services-learning-path/4511332" target="_blank" rel="noopener noreferrer"&gt;Internet Information Services Learning Path&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/orinthomas/251291" target="_blank" rel="noopener noreferrer"&gt;OrinThomas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/14/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The "Internet Information Services Learning Path" provides a structured curriculum for learning to deploy, configure, manage, secure, and troubleshoot IIS on Windows Server and client systems. Covering both legacy and modern use cases, the modules include IIS installation, website and application configuration, administration, security best practices, and performance optimization. The learning path is relevant to most supported IIS versions and includes new features for Windows Server 2025, offering a comprehensive guide for effective IIS management and maintenance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/from-discovery-to-executive-presentation-plan-your-migration-with-azure-migrate-/4508500" target="_blank" rel="noopener noreferrer"&gt;From Discovery to Executive Presentation: Plan Your Migration with Azure Migrate in Hours&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/shikher/934388" target="_blank" rel="noopener noreferrer"&gt;Shikher&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/03/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Migrate streamlines the migration planning process by consolidating environment discovery, workload tagging, application grouping, and executive reporting into a single workflow. Using the Azure Migrate Collector, organizations can quickly scan their infrastructure offline, classify assets, and auto-group workloads into applications. The tool generates executive-ready PowerPoint reports with modernization, migration recommendations, security insights, and cost analysis, replacing manual processes that previously took weeks. Application-level assessments provide detailed migration strategies, supporting informed decision-making. This approach accelerates Azure migration planning for IT teams and partners, enabling rapid, data-driven presentations to stakeholders.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/production-cutover-in-cloud-native-migrations/4509924" target="_blank" rel="noopener noreferrer"&gt;Production Cutover in Cloud-Native Migrations&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/dhruti/3444042" target="_blank" rel="noopener noreferrer"&gt;dhruti&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights that production cutover during cloud-native migrations, such as to Azure Kubernetes Service (AKS), involves more than just successful deployment—it requires coordinated runtime orchestration across compute, networking, storage, and integrations. Operational issues often arise only after traffic is routed, emphasizing the need for thorough validation and alignment of all dependencies, including disaster recovery, batch processing, and security. Effective cutover is an orchestrated event ensuring runtime readiness, not just deployment, with success dependent on continuous validation and system-wide coordination throughout the migration lifecycle.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackforazureblog/deploying-dns-private-resolvers-and-private-dns-zones-for-azure-ai-supported-ser/4515645" target="_blank" rel="noopener noreferrer"&gt;Deploying DNS Private Resolvers and Private DNS Zones for Azure AI Supported Services&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackforazureblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack for Azure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/munieswar_avulapalli/1127849" target="_blank" rel="noopener noreferrer"&gt;munieswar_avulapalli&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to deploy DNS Private Resolvers and Private DNS Zones for Azure AI-supported services within private networks. Private DNS Zones enable secure, internal domain resolution across global Azure VNets, while DNS Private Resolvers provide managed, regional DNS resolution between Azure and on-premises environments. It highlights the importance of linking VNets to DNS zones for name resolution and clarifies common misconceptions about VNet peering. The article includes a step-by-step end-to-end flow for DNS queries and emphasizes connectivity verification tools like PsPing. Public networks and DNS zones are mentioned but not discussed in detail.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/ai-powered-downtime-investigation-for-azure-vms-automating-root-cause-analysis/4513473" target="_blank" rel="noopener noreferrer"&gt;AI-Powered Downtime Investigation for Azure VMs: Automating Root Cause Analysis&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jon_andoni_baranda/3305512" target="_blank" rel="noopener noreferrer"&gt;Jon_Andoni_Baranda&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article describes how Microsoft Azure uses AI to automate and accelerate root cause analysis for virtual machine downtime. Leveraging the Model Context Protocol (MCP), the system automatically investigates incidents by querying live telemetry, analyzing logs, building recovery timelines, and generating structured reports. This reduces manual investigation time from up to an hour to under five minutes, ensures consistent, thorough analysis for every incident, and streamlines ownership assignment. The AI system encodes expert knowledge, allowing engineers to focus on decision-making rather than data gathering, significantly improving efficiency and incident response across Azure's infrastructure.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/designing-outbound-connectivity-for-private-subnets-in-azure/4514258" target="_blank" rel="noopener noreferrer"&gt;Designing Outbound Connectivity for "Private Subnets" in Azure&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alexeyn1/2185710" target="_blank" rel="noopener noreferrer"&gt;alexeyn1&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Private subnets in Azure disable default outbound internet access, requiring architects to deliberately design outbound connectivity. Three main patterns exist: NAT Gateway for scalable, predictable egress; Azure Firewall for secure, governed, and audited flows; and Load Balancer Outbound for legacy scenarios. Each has strengths and limitations, with NAT Gateway suited for simple, high-scale egress, Azure Firewall for compliance and security, and Load Balancer for transitional or legacy architectures. The key principle is to choose the outbound method based on workload risk and requirements, ensuring intentional, documented, and governed internet access.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/running-multimedia-ai-models-on-container-apps-with-serverless-gpu-a100--t4/4513063" target="_blank" rel="noopener noreferrer"&gt;Running multimedia AI models on Container Apps with Serverless GPU (A100 &amp;amp; T4)&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/houssemdellai/632520" target="_blank" rel="noopener noreferrer"&gt;HoussemDellai&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article guides users on deploying multimedia AI models, like ComfyUI, on Azure Container Apps using serverless GPU profiles (A100 &amp;amp; T4). It details infrastructure provisioning with Terraform, model downloading, and monitoring via Azure Log Analytics. Key notes cover storage setup, manual creation of GPU profiles, and protocol choices (SMB vs NFS). Cost optimization tips are provided by right-sizing resources. Users can run text-to-image and text-to-video workflows. The article includes disclaimers about the sample scripts' support and reliability, and highlights the need for manual steps due to Terraform limitations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/announcing-private-preview-deploy-ansible-playbooks-using-azure-policy-via-machi/4507848" target="_blank" rel="noopener noreferrer"&gt;Announcing Private Preview: Deploy Ansible Playbooks using Azure Policy via Machine Configuration&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alinetran/1972499" target="_blank" rel="noopener noreferrer"&gt;alinetran&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced a private preview allowing Ansible playbooks to be deployed via Azure Policy using Machine Configuration on Azure and Azure Arc-enabled Linux machines. This integration enables organizations to automate configuration management and compliance enforcement for Linux servers without needing an Ansible control node. The solution offers centralized policy-based governance, drift detection, and automatic remediation, with compliance results visible in Azure dashboards. This unifies management across Windows and Linux environments, whether in the cloud, on-premises, or at the edge, leveraging existing Ansible investments within Azure Arc’s unified security and compliance framework.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/automating-arc-enabled-sql-server-license-type-configuration-with-azure-policy/4500326" target="_blank" rel="noopener noreferrer"&gt;Automating Arc-enabled SQL Server license type configuration with Azure Policy&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/tomclaes/1562753" target="_blank" rel="noopener noreferrer"&gt;TomClaes&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/12/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to automate the configuration of SQL Server license types on Azure Arc-enabled resources using Azure Policy. It details steps for deploying and assigning policies via PowerShell, automating remediation tasks, and handling role assignments. The approach supports both existing (brownfield) and new (greenfield) environments, ensuring compliance and enabling pay-as-you-go billing. The policy can standardize, migrate, or selectively update license types at scale, and includes mechanisms for recurring billing consent. Tools for monitoring compliance, such as KQL queries and Azure Workbooks, are also provided.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurevirtualdesktopblog/app-attach-in-azure-virtual-desktop-now-supports-windows-server-2025-and-windows/4511729" target="_blank" rel="noopener noreferrer"&gt;App attach in Azure Virtual Desktop now supports Windows Server 2025 and Windows Server 2022&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurevirtualdesktopblog" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/michelle_moya/3222392" target="_blank" rel="noopener noreferrer"&gt;Michelle_Moya&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/16/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; App attach in Azure Virtual Desktop now supports Windows Server 2025 and 2022, allowing dynamic delivery of MSIX, AppX, and App-V applications to session hosts without embedding them in base images. This reduces image sprawl, simplifies management, and enables continued use of existing App-V packages as support for App-V Server ends in April 2026. Organizations can more easily onboard and update applications, manage a single golden image, and benefit from streamlined app delivery, especially in Azure Virtual Desktop Hybrid environments. For more details, users are encouraged to consult the App attach documentation.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurevirtualdesktopblog/announcing-public-preview-of-redundant-tcp-support-for-rdp-multipath-for-azure-v/4511241" target="_blank" rel="noopener noreferrer"&gt;Announcing public preview of redundant TCP support for RDP Multipath for Azure Virtual Desktop&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurevirtualdesktopblog" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/rinku_dalwani/1321337" target="_blank" rel="noopener noreferrer"&gt;Rinku_Dalwani&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Desktop (AVD) now supports redundant TCP transport paths for RDP Multipath, available in public preview. This enhancement improves session resiliency by enabling multiple network paths—both UDP and TCP—for reliable connectivity, even in restrictive or UDP-restricted environments. If a connection path degrades or fails, AVD automatically switches to the next best route without user intervention, ensuring session continuity. The feature is enabled by default for host pools in the validation ring and is supported on Windows App version 2.0.1069.0 or later. Users can opt out if needed.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurepaasblog/update-host-keys-to-use-sftp-on-azure-blob-storage/4515483" target="_blank" rel="noopener noreferrer"&gt;Update host keys to use SFTP on Azure Blob Storage&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurepaasblog" target="_blank" rel="noopener noreferrer"&gt;Azure PaaS&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/luisfilipe/741199" target="_blank" rel="noopener noreferrer"&gt;LuisFilipe&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Blob Storage users may receive alerts to update SFTP host keys, which are used to verify server identity for secure connections. To avoid disruptions, users should update their trusted hosts list with new host keys, either by pre-loading both current and next keys or by accepting the new key after rotation. The article provides guidance on listing SFTP-enabled storage accounts, identifying connected clients, and automating updates. Monitoring and diagnostic tools can help track SFTP connections, and users authenticating via SSH key must ensure their known_hosts file is updated to maintain uninterrupted access.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurepaasblog/leveraging-azure-resource-graph-queries-for-azure-redis-configuration/4509826" target="_blank" rel="noopener noreferrer"&gt;Leveraging Azure Resource Graph Queries for Azure Redis Configuration&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurepaasblog" target="_blank" rel="noopener noreferrer"&gt;Azure PaaS&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/soma_sekhara_raju/2181620" target="_blank" rel="noopener noreferrer"&gt;Soma_Sekhara_Raju&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines how Azure Resource Graph Explorer streamlines the review of Azure Redis configurations across subscriptions using Kusto Query Language (KQL). It details queries for SKU tier, Redis version, TLS settings, public network access, and Microsoft Entra authentication, offering rapid, centralized visibility without the need for custom scripts. This approach accelerates audits, supports security compliance, and simplifies management compared to traditional methods like PowerShell or Azure CLI. The same methodology can be applied to other Azure resource types by querying their schemas.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/ai-at-every-career-stage-start-grow-lead/4494109" target="_blank" rel="noopener noreferrer"&gt;AI at every career stage (start, grow, lead)&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/ashleymastershall/2703917" target="_blank" rel="noopener noreferrer"&gt;AshleyMastersHall&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explores how AI can support professionals at every career stage, from newcomers to senior leaders. It provides practical examples of using AI tools like Microsoft Copilot to accelerate learning, streamline workflows, and enhance decision-making. Early-career individuals can use AI for onboarding and communication; midcareer professionals can scale impact and manage complexity; experienced leaders can leverage AI for strategy, coaching, and process improvement. The article also recommends Microsoft’s AI Skills Navigator for tailored AI skill development, emphasizing that it’s never too early or late to adopt AI in your career.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,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" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/what%E2%80%99s-new-in-ai-skills-navigator-april-2026/4511273" target="_blank" rel="noopener noreferrer"&gt;What’s new in AI Skills Navigator: April 2026&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/priya_v/3438921" target="_blank" rel="noopener noreferrer"&gt;Priya_V&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The April 2026 update to AI Skills Navigator introduces improvements based on user feedback, including enhanced skilling playlists for clearer, scalable learning paths, and more flexible skilling sessions with better progress tracking and control for learners. The platform now features a directory for Microsoft Training Services Partners to support tailored, local training, and offers new certifications like AI Transformation Leader and AI Business Professional. All training and credentials are unified in one place, making it easier to build, track, and validate AI skills for individuals and organizations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/azure-vnet-data-gateway-for-secure-power-bi--power-platform-access-in-enterprise/4511410" target="_blank" rel="noopener noreferrer"&gt;Azure VNet Data Gateway for Secure Power BI &amp;amp; Power Platform Access in Enterprises&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/kirankumar_manchiwar04/2465236" target="_blank" rel="noopener noreferrer"&gt;kirankumar_manchiwar04&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The Azure VNet Data Gateway is a Microsoft-managed service that enables secure, private access to data sources for Power BI, Power Platform, and Microsoft Fabric without customer-managed infrastructure. Running within a delegated Azure Virtual Network subnet, it eliminates the need for VMs or manual maintenance, ensuring all data traffic stays on the Azure backbone. The gateway supports enterprise-scale deployments, enforces private-only connectivity, and aligns with Zero Trust and governance requirements, making it ideal for organizations prioritizing security and operational efficiency. Setup involves configuring the VNet, private endpoints, and integrating with Power Platform or Power BI.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/a-demonstration-of-virtual-network-tap/4479136" target="_blank" rel="noopener noreferrer"&gt;A demonstration of Virtual Network TAP&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/marc%20de%20droog/198661" target="_blank" rel="noopener noreferrer"&gt;Marc de Droog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Network Terminal Access Point (VTAP), in public preview as of April 2026, enables agentless, out-of-band copying of full network traffic (including payloads) from designated Azure VMs to traffic analytics tools or collectors, using VXLAN encapsulation. Unlike VNET Flow Logs, which only capture metadata, VTAP provides full packet capture without impacting VM performance. The article demonstrates VTAP’s functionality by capturing and analyzing traffic from a source VM to a destination VM running Wireshark. VTAP integrates with third-party security and analytics solutions available on the Azure Marketplace.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/speed-where-it-matters-how-microsoft-intune-helps-it-prioritize-time-sensitive-a/4515942" target="_blank" rel="noopener noreferrer"&gt;Speed where it matters: How Microsoft Intune helps IT prioritize time-sensitive actions&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Intune prioritizes and accelerates time-sensitive device updates, with 90% of actions completed in under an hour. Contrary to the “8-hour latency” myth, this delay applies only to routine maintenance check-ins, not critical updates. Intune uses notification-based, priority-driven processing to ensure high-impact actions like security and compliance changes are delivered quickly. Recent improvements focus on prioritization, resilience during bursts of changes, timely notifications, and optimized maintenance check-ins, enhancing speed and predictability for IT admins and security teams without requiring workflow changes.&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/unpacking-endpoint-management-is-back---and-we%E2%80%99ve-got-a-lot-to-talk-about/4514599" target="_blank" rel="noopener noreferrer"&gt;Unpacking Endpoint Management is back - and we’ve got a lot to talk about&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/24/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; "Unpacking Endpoint Management," a candid web series focused on practical strategies for managing and securing endpoints, is back with new episodes featuring Microsoft Intune experts and guest practitioners. Hosted by Danny Guillory and new co-host Rachelle Blanchard, the series offers live discussions, real-world insights, and answers to audience questions. Upcoming topics include policy transitions from hybrid to cloud-native. Episodes are streamed live on multiple platforms, and the community is encouraged to participate, submit questions, and suggest topics, ensuring content remains relevant and actionable for real-world endpoint management challenges.&lt;/P&gt;
&lt;/DIV&gt;</description>
      <pubDate>Wed, 13 May 2026 03:25:05 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-april-2026/ba-p/4519149</guid>
      <dc:creator>TysonPaul</dc:creator>
      <dc:date>2026-05-13T03:25:05Z</dc:date>
    </item>
    <item>
      <title>Triggering Azure Functions from Blob Storage Using Event Grid</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/triggering-azure-functions-from-blob-storage-using-event-grid/ba-p/4518184</link>
      <description>&lt;H1&gt;Overview&lt;/H1&gt;
&lt;P&gt;Modern workloads increasingly rely on reacting to files as soon as they arrive in Azure Blob Storage. While Azure provides multiple ways to trigger computing from blob operations, choosing the right event-driven pattern is not always straightforward—especially in enterprise environments where latency, reliability, and operational transparency all matter.&lt;/P&gt;
&lt;H1&gt;Introduction&lt;/H1&gt;
&lt;P&gt;Hello everyone, Andrew Coughlin here, a Cloud Solution Architect specializing in Infrastructure as a Service on Azure.&lt;/P&gt;
&lt;P&gt;In this post, I am going to walk through how to implement a direct Event Grid to Azure Function pattern. This is the simplest and lowest-latency option when you want real-time reactions to blob uploads.&lt;/P&gt;
&lt;H1&gt;Scenario&lt;/H1&gt;
&lt;P&gt;Suppose you have a workload where files are continuously uploaded into Azure Blob Storage and you need to trigger downstream processing.&lt;/P&gt;
&lt;P&gt;Typical requirements include avoiding polling, achieving near real-time execution, and maintaining strong observability.&lt;/P&gt;
&lt;H1&gt;Architecture&lt;/H1&gt;
&lt;P&gt;Blob Storage → Event Grid → Azure Function&lt;/P&gt;
&lt;H1&gt;The Process&lt;/H1&gt;
&lt;OL&gt;
&lt;LI&gt;Create and deploy the Azure Function&lt;/LI&gt;
&lt;LI&gt;Validate the function&lt;/LI&gt;
&lt;LI&gt;Create the Event Grid subscription&lt;/LI&gt;
&lt;LI&gt;Upload a blob and validate the flow&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;Step 1 — Create and Deploy the Azure Function (Function First)&lt;/H1&gt;
&lt;P&gt;The Function must exist before you create the Event Grid subscription: at creation time Event Grid sends a validation request to the endpoint and refuses to create the subscription unless the endpoint answers it. The Event Grid trigger binding answers that handshake for you; a function that is not deployed yet cannot.&lt;/P&gt;
&lt;P&gt;Steps:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Create a Function App (Consumption plan + storage account)&lt;/LI&gt;
&lt;LI&gt;Open Function App → Functions → Create&lt;/LI&gt;
&lt;LI&gt;Select Event Grid trigger&lt;/LI&gt;
&lt;LI&gt;Provide a function name&lt;/LI&gt;
&lt;LI&gt;Create and save the function&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Note: A storage account is required for all Function Apps and is created or selected during app creation.&lt;/P&gt;
&lt;H1&gt;Implement the Function&lt;/H1&gt;
&lt;P&gt;Below are examples of HandleBlobCreatedEvent.cs, Program.cs, host.json and EventGridListenerFunction.csproj.&lt;/P&gt;
&lt;P&gt;Example of &lt;STRONG&gt;HandleBlobCreatedEvent.cs&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;namespace EventGridListenerFunction
{
    public class HandleBlobCreatedEvent
    {
        private readonly ILogger _logger;

        public HandleBlobCreatedEvent(ILoggerFactory loggerFactory)
        {
            _logger = loggerFactory.CreateLogger&amp;lt;HandleBlobCreatedEvent&amp;gt;();
        }

        [Function(nameof(HandleBlobCreatedEvent))]
        public void Run([EventGridTrigger] string data)
        {
            // The trigger delivers one event per invocation unless IsBatched is set,
            // in which case the payload is a JSON array; handle both shapes.
            using var doc = JsonDocument.Parse(data);

            if (doc.RootElement.ValueKind == JsonValueKind.Array)
            {
                foreach (var ev in doc.RootElement.EnumerateArray())
                {
                    HandleOneEvent(ev);
                }
            }
            else
            {
                HandleOneEvent(doc.RootElement);
            }
        }

        private void HandleOneEvent(JsonElement ev)
        {
            if (ev.TryGetProperty("eventType", out var eventType))
                _logger.LogInformation("EventType: {EventType}", eventType.GetString());

            if (ev.TryGetProperty("subject", out var subject))
                _logger.LogInformation("Subject: {Subject}", subject.GetString());

            if (ev.TryGetProperty("data", out var dataObj)
                &amp;amp;&amp;amp; dataObj.ValueKind == JsonValueKind.Object
                &amp;amp;&amp;amp; dataObj.TryGetProperty("url", out var urlProp))
            {
                _logger.LogInformation("Blob URL: {Url}", urlProp.GetString());
            }
            else
            {
                _logger.LogWarning("No data.url found in payload.");
            }
        }
    }
}
&lt;/LI-CODE&gt;
&lt;P&gt;Example of &lt;STRONG&gt;Program.cs&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;var builder = FunctionsApplication.CreateBuilder(args);

builder.ConfigureFunctionsWebApplication();

builder.Services
    .AddApplicationInsightsTelemetryWorkerService()
    .ConfigureFunctionsApplicationInsights();

builder.Build().Run();
&lt;/LI-CODE&gt;
&lt;P&gt;Example of &lt;STRONG&gt;host.json&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{
    "version": "2.0",
    "logging": {
        "applicationInsights": {
            "samplingSettings": {
                "isEnabled": true,
                "excludedTypes": "Request"
            },
            "enableLiveMetricsFilters": true
        }
    }
}
&lt;/LI-CODE&gt;
&lt;P&gt;Example of&amp;nbsp;&lt;STRONG&gt;EventGridListenerFunction.csproj&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;&amp;lt;Project Sdk="Microsoft.NET.Sdk"&amp;gt;

  &amp;lt;PropertyGroup&amp;gt;
    &amp;lt;TargetFramework&amp;gt;net8.0&amp;lt;/TargetFramework&amp;gt;
    &amp;lt;AzureFunctionsVersion&amp;gt;v4&amp;lt;/AzureFunctionsVersion&amp;gt;
    &amp;lt;OutputType&amp;gt;Exe&amp;lt;/OutputType&amp;gt;
    &amp;lt;ImplicitUsings&amp;gt;enable&amp;lt;/ImplicitUsings&amp;gt;
    &amp;lt;Nullable&amp;gt;enable&amp;lt;/Nullable&amp;gt;
  &amp;lt;/PropertyGroup&amp;gt;

  &amp;lt;ItemGroup&amp;gt;
    &amp;lt;FrameworkReference Include="Microsoft.AspNetCore.App" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.23.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker" Version="2.51.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="2.50.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.EventGrid" Version="3.5.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="2.1.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.7" /&amp;gt;
  &amp;lt;/ItemGroup&amp;gt;

&amp;lt;/Project&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;You will still need to publish this to the function app, which is outlined: &lt;A href="https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows" target="_blank"&gt;Deployment technologies in Azure Functions | Microsoft Learn&lt;/A&gt;.&lt;/P&gt;
&lt;H1&gt;Step 2 — Create the Event Grid Subscription&lt;/H1&gt;
&lt;P&gt;Navigate to the &lt;STRONG&gt;Storage Account&lt;/STRONG&gt; → &lt;STRONG&gt;Events&lt;/STRONG&gt; → Create Event Subscription. Select only the &lt;STRONG&gt;Blob Created&lt;/STRONG&gt; event type, choose &lt;STRONG&gt;Azure Function&lt;/STRONG&gt; as the endpoint type and pick the function deployed in Step 1; selecting the function directly means you do not have to paste a webhook URL that embeds the function's system key. If only one container matters, add a subject filter such as &lt;EM&gt;Subject Begins With&lt;/EM&gt; /blobServices/default/containers/&amp;lt;container&amp;gt;/ so the function is not invoked for every blob in the account.&lt;/P&gt;
&lt;H1&gt;Step 3 — Validate&lt;/H1&gt;
&lt;P&gt;Upload a blob and confirm the Function triggers and logs event data.&lt;/P&gt;
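&lt;P&gt;The same handler logic in Python, as an added example that is not part of the original post (the equivalent code would sit in a Python Azure Function): it normalises single and batched deliveries like the C# handler above, answers the subscription validation handshake mentioned in Step 1 (needed when the endpoint is an HTTP trigger or a plain webhook; the Event Grid trigger binding answers it for you), and accepts only Blob Created events whose URL points at the expected storage account and container, so a later download of data.url cannot be steered to an arbitrary host. The account name, container name and sample events are constructed for the example.&lt;/P&gt;

```python
"""Handle an Event Grid delivery of Blob Created events.

Added example; not the post's code. Mirrors the C# handler in Python and adds
the subscription validation handshake plus a check that data.url belongs to
the storage account and container this function is meant to serve.
"""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed account and container for the demo; replace with your own.
EXPECTED_HOST = "mystorageacct.blob.core.windows.net"
EXPECTED_CONTAINER = "uploads"

BLOB_CREATED = "Microsoft.Storage.BlobCreated"
VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"


def parse_events(body: str) -> List[Dict]:
    """Event Grid may deliver one event object or a JSON array; normalise to a list."""
    doc = json.loads(body)
    return doc if isinstance(doc, list) else [doc]


def trusted_blob_path(url: str) -> Optional[str]:
    """Return 'container/blob' only if the URL is HTTPS on our account and container.

    data.url is attacker-influenced if this endpoint is ever wired to another
    source, and fetching an arbitrary URL later would be SSRF, so pin it here.
    """
    p = urlparse(url)
    if p.scheme != "https" or p.hostname != EXPECTED_HOST:
        return None
    parts = p.path.lstrip("/").split("/", 1)
    if len(parts) != 2 or parts[0] != EXPECTED_CONTAINER or not parts[1]:
        return None
    return f"{parts[0]}/{parts[1]}"


def handle_delivery(body: str) -> Dict:
    """Process one HTTP delivery from Event Grid.

    Returns {"validationResponse": code or None, "accepted": [blob paths],
             "ignored": [(eventType, reason)]}.
    """
    accepted: List[str] = []
    ignored: List[Tuple[Optional[str], str]] = []
    for ev in parse_events(body):
        etype = ev.get("eventType")
        data = ev.get("data") or {}
        if etype == VALIDATION_EVENT:
            # Handshake: echo validationCode; Event Grid creates the subscription only on a match.
            return {"validationResponse": data.get("validationCode"), "accepted": [], "ignored": []}
        if etype != BLOB_CREATED:
            ignored.append((etype, "not a BlobCreated event"))
            continue
        path = trusted_blob_path(str(data.get("url", "")))
        if path is None:
            ignored.append((etype, f"url outside {EXPECTED_HOST}/{EXPECTED_CONTAINER}: {data.get('url')!r}"))
            continue
        accepted.append(path)
    return {"validationResponse": None, "accepted": accepted, "ignored": ignored}


# Constructed sample deliveries in the Event Grid schema, not captured from a real subscription.
SAMPLE_BATCH = json.dumps([
    {"id": "1", "eventType": BLOB_CREATED,
     "subject": "/blobServices/default/containers/uploads/blobs/report.csv",
     "data": {"api": "PutBlob", "url": "https://mystorageacct.blob.core.windows.net/uploads/report.csv"}},
    {"id": "2", "eventType": BLOB_CREATED,
     "subject": "/blobServices/default/containers/scratch/blobs/tmp.bin",
     "data": {"api": "PutBlob", "url": "https://mystorageacct.blob.core.windows.net/scratch/tmp.bin"}},
    {"id": "3", "eventType": BLOB_CREATED,
     "subject": "/blobServices/default/containers/uploads/blobs/report.csv",
     "data": {"api": "PutBlob", "url": "https://attacker.example.net/uploads/report.csv"}},
    {"id": "4", "eventType": "Microsoft.Storage.BlobDeleted",
     "subject": "/blobServices/default/containers/uploads/blobs/old.csv",
     "data": {"api": "DeleteBlob", "url": "https://mystorageacct.blob.core.windows.net/uploads/old.csv"}},
])
SAMPLE_VALIDATION = json.dumps([{
    "id": "v1", "eventType": VALIDATION_EVENT,
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"},
}])

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_BATCH))
    print(handle_delivery(SAMPLE_VALIDATION))
```

&lt;P&gt;Of the four constructed events only the first is accepted: the second targets another container, the third carries a foreign host in data.url, and the fourth is a Blob Deleted event. The validation delivery returns the code to echo back; a webhook endpoint would put it in the HTTP response body as {"validationResponse": code}.&lt;/P&gt;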
&lt;H1&gt;Common Pitfalls&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;Creating the subscription before the function exists&lt;/LI&gt;
&lt;LI&gt;Storage account misconfiguration&lt;/LI&gt;
&lt;LI&gt;Networking restrictions preventing Function access to storage&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;The direct Event Grid to Azure Function pattern provides a simple and reliable approach for real-time blob processing without additional infrastructure.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Disclaimer&lt;/P&gt;
&lt;P&gt;The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 20:24:17 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/triggering-azure-functions-from-blob-storage-using-event-grid/ba-p/4518184</guid>
      <dc:creator>AndrewCoughlin</dc:creator>
      <dc:date>2026-05-11T20:24:17Z</dc:date>
    </item>
    <item>
      <title>Purpose For Your PKI (Practical PKI Part 3)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/purpose-for-your-pki-practical-pki-part-3/ba-p/4512518</link>
      <description>&lt;P&gt;My name is Ron Arestia, and I am a Security Researcher with Microsoft’s Detection and Response Team (DART). We respond to customer cybersecurity incidents to assist with containment and recovery from threat actors. In this brief blog post, we will discuss the “why” behind your PKI. This is part 3 of a series on practical PKI implementation based on my experience with customer interactions working as a Microsoft engineer.&lt;/P&gt;
&lt;P&gt;Feel free to catch up on previous blog posts or jump right into this one&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/secure-configuration-and-hardening-of-active-directory-certificate-services/4463240" target="_blank" rel="noopener"&gt;Secure Configuration and Hardening of Active Directory Certificate Services&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/implementing-and-managing-an-adcs-offline-root-certificate-authority-part-1/4468175" target="_blank" rel="noopener"&gt;Implementing and Managing an ADCS Offline Root Certificate Authority (Practical PKI Part 1)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/crl--aia-publishing-guidance-practical-pki-part-2/4485713" target="_blank" rel="noopener"&gt;CRL &amp;amp; AIA Publishing Guidance (Practical PKI Part 2)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;In Part 3 of our series we look at why you are implementing and managing a PKI, because that answer determines the level of effort you should commit to standing one up or keeping one going. This brief non-technical discussion is meant as a primer to determine whether what you are about to implement will truly benefit your organization as a whole.&lt;/P&gt;
&lt;H1&gt;Determine Your Technical Outcomes&lt;/H1&gt;
&lt;P&gt;This subject is the target of much debate and disagreement across my peer groups. On the one side, you have engineers who argue for or against the very provisioning of a PKI while on the other side, you have engineers who argue that regardless of purpose, administration is more important. Far be it from me to be a fence-sitter, so I stand firmly in the former group arguing that if you do not need it, you should not bother standing it up in the first place.&lt;/P&gt;
&lt;P&gt;A few years ago, I was working with a customer with a substantial PKI presence: three issuing CAs, fully redundant HTTP CRL publishing, CEP/CES, and cross-forest publishing. When we were assessing their environment, I noticed immediately that they had a scant few templates published across those three issuers, but they had over 100,000 issued, active certificates. I dug deeper and noticed that every one of their templates except two were configured with autoenrollment. Every user and every computer in their organization was getting a certificate that was published to Active Directory. They were issuing server authentication certificates with enrollee-supplied Subject Alternative Names (SANs) without manager approval. And they were even issuing code signing certificates without manager approval albeit to a constrained group.&lt;/P&gt;
&lt;P&gt;After lengthy discussions with them about their reasons for managing a PKI, I discovered a few very telling things:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Despite aspirations to use 802.1x for user and computer authentication, the infrastructure was never implemented and remained in a state of development for the last few years.&lt;/LI&gt;
&lt;LI&gt;Despite a project to setup smart card authentication, they never moved past a pilot group of developers and administrators who were not bothering to leverage this powerful method of authentication across most of their enterprise anyway.&lt;/LI&gt;
&lt;LI&gt;Approximately 90% of their certificates issued for web endpoints were either development endpoints that never made it to production or misconfigured certificates that had to be reissued to correct spelling errors or to add or remove nodes from SANs that were not in the original configuration.&lt;/LI&gt;
&lt;LI&gt;More than 1,000 code signing certificates were issued, but no official code was signed by their recollection.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;By the end of the engagement, they realized how much administrative overhead was going into maintaining a massive solution with little actual value for the organization. They had short root CA CRL lifetimes requiring quarterly “signing parties,” and despite a very astute team of engineers maintaining the PKI, they had built in “automation” paths that left their environment vulnerable to attack if a threat actor ever found their way in. All told, we determined that less than 2% of the total number of issued certificates (approximately 2,500) were actively used for a regular production task.&lt;/P&gt;
&lt;P&gt;Even after discussing options to downsize, streamline, and harden their PKI infrastructure, we eventually discussed options to offload much of their certificate needs to third-party solutions. Why would I convince a customer to rid themselves of an in-house PKI?&lt;/P&gt;
&lt;H1&gt;Are You Experienced?&lt;/H1&gt;
&lt;P&gt;I believe the most important fundamental question to ask as an enterprise is if you have the staff to manage and maintain a PKI, and if so, to what extent? I would argue that having at least two engineers dedicated to this task is critical for personnel fault tolerance. If one engineer goes on vacation or suddenly resigns, you have someone who can continue to operate the environment to the same level of fidelity expected of it. This guidance scales upwards the larger your PKI grows. If you are a multinational enterprise with issuing CAs spread around the globe, you need, at the least, regional expertise to navigate administration and maintenance tasks. Ideally, you would have a resource local to each environment to ensure someone can put hands on the systems without relying on global networking.&lt;/P&gt;
&lt;P&gt;The second fundamental question you should ask: what is the primary purpose of my public key infrastructure? Are you using it to manage an 802.1x authentication scheme across your enterprise? Are you managing smart cards or certificate-based authentication for your organization? Are you looking to issue a large number of server authentication certificates to support internal web endpoints or development efforts? Or do you believe that by maintaining your own PKI you are maintaining some level of sovereignty over your cryptographic operations that you do not want to offload to a third-party or a cloud provider?&lt;/P&gt;
&lt;P&gt;All of these are perfectly valid reasons to maintain your own PKI, but each comes with challenges and interoperability requirements that should be documented and thoroughly understood. In 802.1x configurations, you should ensure all of your subordinate infrastructure is prepared and up to the task of handling authentication traffic and overall maintenance. One network appliance outage overnight could mean an entire office is unable to work the next morning. Smartcard and certificate-based authentication require a robust infrastructure and a team of individuals dedicated to the task of identity attribution for assignment and provisioning of those certificates. Web endpoint certificate management can quickly grow into a full-time role for an engineer in an environment with rapid iteration, and there is a delicate balance to be struck between reasonable validity periods and the possibility of regular revocation due to changes that can balloon a CRL. Finally, the decision to maintain sovereignty over certificates is often driven by cost. A true cost-benefit analysis can reinforce or undermine the need to stand up a dedicated PKI, and the reality is that using publicly-trusted certificates is often a much simpler solution than relying on internal publishing endpoints whose visibility requires a number of security solutions.&lt;/P&gt;
&lt;H1&gt;Decisions, Decisions&lt;/H1&gt;
&lt;P&gt;The decision to stand up a dedicated, in-house PKI is not one that should be taken lightly. Sit down with your management and leadership team to outline the high-level outcomes expected of the solution and be the sober voice in the room to explain both the benefits and disadvantages of the proposed solution. If the determination to proceed is not grounded in realistic capabilities of the enterprise, do not be afraid to pull the security card, at a minimum. The security of your PKI is paramount. Without it, you are paying money to power infrastructure that is, at best, churning out unnecessary certificates, and at worst, putting your entire enterprise at risk of a cybersecurity incident.&lt;/P&gt;
&lt;P&gt;How do we secure and maintain your PKI once the decision is made to deploy one? In Part 4, we will get back into the technical discussions about your PKI security and how to maximize your security without compromising functionality.&lt;/P&gt;</description>
      <pubDate>Mon, 04 May 2026 04:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/purpose-for-your-pki-practical-pki-part-3/ba-p/4512518</guid>
      <dc:creator>RonArestia</dc:creator>
      <dc:date>2026-05-04T04:00:00Z</dc:date>
    </item>
    <item>
      <title>Hardening OpenClaw on AKS: Mitigating Container Escapes with Kata microVM Isolation</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/hardening-openclaw-on-aks-mitigating-container-escapes-with-kata/ba-p/4516030</link>
      <description>&lt;H2&gt;What is OpenClaw, and what security challenges does it pose with container escapes?&lt;/H2&gt;
&lt;P&gt;OpenClaw is an open-source autonomous AI agent designed for power users and developers to automate tasks, such as managing emails, files, and scheduling via chat apps like WhatsApp or Telegram.&lt;/P&gt;
&lt;P&gt;While OpenClaw functions as a powerful autonomous assistant, its &lt;STRONG&gt;runtime model&lt;/STRONG&gt; creates a massive security paradox: to be truly useful, the agent requires broad permissions to your filesystem and APIs, yet this "God Mode" access often lacks the rigorous &lt;STRONG&gt;containerized isolation&lt;/STRONG&gt; typical of enterprise workloads. Because many users run the framework natively rather than within a hardened sandbox, the primary &lt;STRONG&gt;security challenge&lt;/STRONG&gt; is that a single malicious "Skill" or an indirect prompt injection can escalate into full system compromise. This structural vulnerability, exemplified by high-profile exploits like &lt;STRONG&gt;CVE-2026-25253&lt;/STRONG&gt;, transforms the agent from a helpful tool into a high-risk entry point for lateral movement and data exfiltration within a private network.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why container escapes matter in OpenClaw-style deployments&lt;/STRONG&gt;: because containers share the host kernel, a successful container escape turns a single compromised container into a host compromise (or at least a compromise of other co-located workloads). This is especially important when OpenClaw runs code from many tenants, many teams, or varying trust levels on the same worker nodes. That soft isolation is often &lt;STRONG&gt;permeable&lt;/STRONG&gt; due to the following structural and configuration-based weaknesses:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Shared-kernel attack surface&lt;/STRONG&gt;: the container boundary is not a hypervisor boundary. Kernel vulnerabilities (e.g., privilege escalation bugs) can allow a process in a container to gain host-level privileges.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Excessive privileges / misconfiguration&lt;/STRONG&gt;: running with &lt;EM&gt;--privileged&lt;/EM&gt;, broad Linux capabilities, hostPath mounts, access to the Docker socket, or device passthrough (e.g., /dev/kvm, /dev/fuse) can provide direct paths to host control.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Filesystem and namespace boundary breaks&lt;/STRONG&gt;: mount namespace confusion, writable host mounts, or mistakes in chroot/pivot_root handling can expose host files and credentials.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Supply-chain and image risk&lt;/STRONG&gt;: a malicious image or dependency can execute within the container and then attempt escalation/escape.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Blast radius&lt;/STRONG&gt;: once the host is compromised, attackers can access node-level secrets (service account tokens, registry creds), tamper with the runtime, sniff traffic, or pivot to other containers and the broader cluster.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In short, OpenClaw’s security challenge is not that containers are inherently insecure, but that the isolation boundary is thinner than a VM boundary. When the threat model includes adversarial code execution, a “container-only” isolation strategy often requires additional hardening or a stronger sandbox.&lt;/P&gt;
&lt;H2&gt;What are MicroVMs and Kata Containers, and how do they help mitigate OpenClaw container-escape risks?&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;MicroVMs&lt;/STRONG&gt; are lightweight virtual machines optimized for running short-lived or container-like workloads with much lower overhead than traditional VMs. They use hardware virtualization (via a hypervisor such as KVM) but keep the device model and boot path minimal, reducing startup time and the overall attack surface compared to a full general-purpose VM.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Kata Containers&lt;/STRONG&gt; is an “OCI-compatible containers in a VM” approach: it runs each pod sandbox inside a dedicated microVM, so the containers of one pod share that VM while different pods get different VMs (exact behaviour depends on runtime configuration). To the orchestration layer (e.g., Kubernetes), it still looks like a container runtime, but isolation is provided by a hypervisor boundary rather than only namespaces/cgroups.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Stronger isolation boundary&lt;/STRONG&gt;: a container escape that relies on Linux kernel exploitation is far less likely to directly compromise the host, because the workload’s “host” kernel is typically the guest kernel inside the microVM.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reduced blast radius&lt;/STRONG&gt;: compromise is contained to the microVM/pod sandbox; lateral movement to other workloads on the same node becomes significantly harder.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Smaller and more controllable attack surface&lt;/STRONG&gt;: minimal device models, tighter default privileges, and fewer host mounts/devices exposed to the workload.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Defense-in-depth with container controls&lt;/STRONG&gt;: you still can (and should) apply seccomp, capabilities dropping, read-only root filesystems, and LSMs inside the guest, but the hypervisor boundary becomes an additional layer.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Better fit for hostile multi-tenant workloads&lt;/STRONG&gt;: when OpenClaw executes third-party jobs/plugins, Kata-style sandboxing aligns better with an adversarial threat model.&lt;/LI&gt;
&lt;/UL&gt;
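&lt;P&gt;The two lists above, the escape paths a shared-kernel deployment leaves open and the in-guest controls that should stay on even under Kata, can be turned into a concrete check. The following added example (not code from the post, OpenClaw or Kata) lints a pod manifest for exactly those controls, in plain Python so it runs offline; on a cluster the same rules would live in an admission policy (Azure Policy for AKS, Kyverno or a ValidatingAdmissionPolicy). The RuntimeClass name kata-mshv-vm-isolation is the one AKS Pod Sandboxing registers and is assumed here; confirm it with kubectl get runtimeclass. The image names, PVC name and both manifests are constructed for the example.&lt;/P&gt;

```python
"""Lint an OpenClaw pod spec for the container-escape paths listed above and
confirm it is pinned to a Kata (microVM) RuntimeClass with in-guest controls on.

Added example; not code from the post, OpenClaw or Kata. The weak manifest and
the hardened one below are constructed samples.
"""
from typing import Dict, List

# Assumption: Kata RuntimeClass names registered on the cluster. AKS Pod Sandboxing
# registers "kata-mshv-vm-isolation"; confirm with `kubectl get runtimeclass`.
KATA_RUNTIME_CLASSES = {"kata", "kata-mshv-vm-isolation"}
RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def lint_pod(pod: Dict) -> List[str]:
    """Return one finding per violated control; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Isolation boundary: without a Kata class the pod shares the node kernel.
    if spec.get("runtimeClassName") not in KATA_RUNTIME_CLASSES:
        findings.append("spec.runtimeClassName: not a Kata class, pod shares the node kernel")
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"spec.{ns}: host namespace shared with the pod")

    # Filesystem boundary: any hostPath is node access; a runtime socket is node takeover.
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path is None:
            continue
        if path.endswith(RUNTIME_SOCKETS):
            findings.append(f"volume {vol['name']}: container runtime socket {path} mounted")
        else:
            findings.append(f"volume {vol['name']}: hostPath {path} exposes the node filesystem")

    # Per-container privileges: keep seccomp, capability drops and a read-only rootfs
    # even inside the microVM (defense in depth).
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        added = DANGEROUS_CAPS.intersection(caps.get("add", []))
        if added:
            findings.append(f"{name}: adds dangerous capabilities {sorted(added)}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop should include ALL")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (RuntimeDefault or Localhost expected)")
    return findings


# Constructed sample: a "just make it work" deployment with the weaknesses listed above.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "openclaw-weak"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "hostroot", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent", "image": "registry.example/openclaw:latest",  # hypothetical image
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                             {"name": "hostroot", "mountPath": "/host"}],
        }],
    },
}

# Constructed sample: the same agent pinned to the Kata class, state on an Azure Files PVC.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "openclaw-sandboxed"},
    "spec": {
        "runtimeClassName": "kata-mshv-vm-isolation",
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "state", "persistentVolumeClaim": {"claimName": "openclaw-state"}}],
        "containers": [{
            "name": "agent", "image": "registry.example/openclaw:1.0",  # hypothetical image
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "state", "mountPath": "/data"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], lint_pod(pod) or "OK")
```

&lt;P&gt;The weak manifest trips every rule (eleven findings, including the Docker socket mount and the missing RuntimeClass); the hardened one passes with none. The point of keeping the container-level checks alongside the RuntimeClass check is the defense-in-depth item above: the microVM boundary is the backstop, not a reason to run the agent as a privileged root process inside the guest.&lt;/P&gt;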
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Solution overview&lt;/H2&gt;
&lt;P&gt;Figure 1 illustrates a Kubernetes-based sandboxing architecture for running OpenClaw workloads with stronger isolation. The design keeps the developer experience and packaging model of containers (OCI images, Kubernetes scheduling) while ensuring that untrusted agent code executes inside a microVM boundary using Kata Containers. This reduces the likelihood that a container escape can compromise the underlying node or other co-located workloads.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Key components&lt;/STRONG&gt;: (1) &lt;STRONG&gt;Application Gateway&lt;/STRONG&gt; for HTTPS traffic to the backend, (2) &lt;STRONG&gt;Kubernetes&lt;/STRONG&gt; as the orchestration, scheduling and policy enforcement plane, (3) a &lt;STRONG&gt;container runtime&lt;/STRONG&gt; (e.g., containerd) configured with a &lt;STRONG&gt;Kata Containers runtime class&lt;/STRONG&gt;, (4) &lt;STRONG&gt;KVM-backed microVMs&lt;/STRONG&gt; that provide the isolation boundary for each untrusted workload and (5) &lt;STRONG&gt;Azure Files&lt;/STRONG&gt; for persistent storage, which lets OpenClaw scale across replicas.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Figure 1: Solution architecture diagram&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;End-to-end flow&lt;/STRONG&gt;:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Traffic Entry via Application Gateway&lt;/STRONG&gt;: Incoming user requests (e.g., from WhatsApp or Discord) first hit the &lt;STRONG&gt;Azure Application Gateway&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Orchestration in AKS&lt;/STRONG&gt;: The traffic is routed into an &lt;STRONG&gt;Azure Kubernetes Service (AKS)&lt;/STRONG&gt; cluster, which manages the lifecycle of the OpenClaw agent and its associated "Skills."&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Hardened Execution via Kata Containers&lt;/STRONG&gt;: Instead of running in standard shared-kernel containers, the &lt;STRONG&gt;OpenClaw agent&lt;/STRONG&gt;&amp;nbsp;runs inside &lt;STRONG&gt;Kata Containers&lt;/STRONG&gt;. This provides a dedicated lightweight VM for the agent, creating a hardware-level isolation boundary that prevents "container escapes" from compromising the host.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stateful Storage in Azure Files&lt;/STRONG&gt;: The agent interacts with &lt;STRONG&gt;Azure Files&lt;/STRONG&gt; to read and write persistent data, such as conversation history, configuration files, and downloaded assets, ensuring data remains available even if the container is restarted.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Security posture&lt;/STRONG&gt;: by shifting isolation from “shared-kernel containers” to “containers inside microVMs,” the architecture limits the blast radius of kernel-level exploits and common escape paths. Even if an attacker achieves code execution within an OpenClaw container, they must additionally break the microVM/hypervisor boundary to affect the node or neighboring workloads, providing a strong defense-in-depth improvement over standard containers alone.&lt;/P&gt;
&lt;H2&gt;Implement the solution&lt;/H2&gt;
&lt;P&gt;This section describes how to deploy the solution architecture.&lt;/P&gt;
&lt;P&gt;In this post, you’ll perform the following tasks:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Create a Kata VM-isolated AKS node pool&lt;/LI&gt;
&lt;LI&gt;Mount NFS persistent storage&lt;/LI&gt;
&lt;LI&gt;Create the application ConfigMap&lt;/LI&gt;
&lt;LI&gt;Deploy the OpenClaw gateway&lt;/LI&gt;
&lt;LI&gt;Expose the gateway internally&lt;/LI&gt;
&lt;LI&gt;Set up TLS termination&lt;/LI&gt;
&lt;LI&gt;Route external traffic through the Azure application gateway for containers.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Ensure that you have the following prerequisites deployed before moving to the next section:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;An &lt;A href="https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-cli" target="_blank"&gt;AKS cluster&lt;/A&gt; provisioned in Azure&lt;/LI&gt;
&lt;LI&gt;An Azure NFS &lt;A href="https://learn.microsoft.com/en-us/azure/storage/files/create-file-share?tabs=azure-portal" target="_blank"&gt;File Share&lt;/A&gt; with private link enabled.&lt;/LI&gt;
&lt;LI&gt;An &lt;A href="https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/quickstart-create-application-gateway-for-containers-managed-by-alb-controller?tabs=new-subnet-aks-vnet" target="_blank"&gt;Application gateway for containers&lt;/A&gt; managed by ALB controller&lt;/LI&gt;
&lt;LI&gt;Kubectl configured and pointing to the cluster&lt;/LI&gt;
&lt;LI&gt;Az CLI authenticated with the correct subscription&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Initialise environment variables&lt;/H2&gt;
&lt;P&gt;In your Linux terminal, export these variables with your own values. They will be used in later commands.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;export cluster_name=&amp;lt;CLUSTER_NAME&amp;gt;
export resource_group=&amp;lt;RESOURCE_GROUP&amp;gt;
&lt;/LI-CODE&gt;
&lt;H2&gt;Create the AKS Node Pool with Kata VM Isolation&lt;/H2&gt;
&lt;P&gt;The OpenClaw gateway pods require Kata VM isolation (runtimeClassName: kata-vm-isolation). You must create a dedicated AKS node pool that supports this runtime before deploying any workloads.&lt;/P&gt;
&lt;P&gt;Use the Azure CLI to add a node pool with the Kata VM isolation workload runtime to your existing AKS cluster:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;az aks nodepool add \
  --resource-group $resource_group \
  --cluster-name $cluster_name \
  --name katanp \
  --node-count 2 \
  --node-vm-size Standard_D4s_v3 \
  --os-sku AzureLinux \
  --workload-runtime KataMshvVmIsolation \
  --labels agentpool=katanp
&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Important:&lt;/STRONG&gt; The `--workload-runtime KataMshvVmIsolation` flag enables the `kata-vm-isolation` runtime class on the node pool. The VM size must support nested virtualization (D-series v3/v5, E-series v3/v5, etc.).&lt;/P&gt;
&lt;H2&gt;Create NFS Persistent Volume&lt;/H2&gt;
&lt;P&gt;The deployment uses an Azure Files NFS share for persistent workspace storage. The PersistentVolume must exist before the PVC can bind to it. Replace volumeHandle and volumeAttributes with your own Azure Files values.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolume
metadata:
  name: openclaw-nfs-pv
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  mountOptions:
    - sec=sys
    - noresvport
    - actimeo=30
  csi:
    driver: file.csi.azure.com
    volumeHandle: &amp;lt;resource-group&amp;gt;#&amp;lt;storage-account&amp;gt;#&amp;lt;share-name&amp;gt;
    volumeAttributes:
      resourceGroup: &amp;lt;resource-group&amp;gt;
      shareName: &amp;lt;share-name&amp;gt;
      protocol: nfs
      server: &amp;lt;storage-account&amp;gt;.privatelink.file.core.windows.net
EOF
&lt;/LI-CODE&gt;
&lt;P&gt;Verify that the persistent volume is created.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl get pv openclaw-nfs-pv&lt;/LI-CODE&gt;&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 2: Persistent volume&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;H2&gt;Create the NFS PersistentVolumeClaim&lt;/H2&gt;
&lt;P&gt;The PVC binds to the PV created in the previous step. The deployment references this PVC by name (`pvc-openclaw-nfs`).&lt;/P&gt;
&lt;LI-CODE lang=""&gt;cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  # The name of the PVC
  name: pvc-openclaw-nfs
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      # The real storage capacity in the claim
      storage: 50Gi
  # This field must be the same as the storage class name in StorageClass
  storageClassName: ""
  volumeName: openclaw-nfs-pv
EOF
&lt;/LI-CODE&gt;
&lt;P&gt;Verify that the persistent volume claim is created successfully. The status should show `Bound`.&lt;/P&gt;
&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 3: Persistent Volume Claim&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;H2&gt;Create the ConfigMap&lt;/H2&gt;
&lt;P&gt;The ConfigMap provides the openclaw.json configuration file to the gateway pods. It configures the allowed CORS origins for the control UI and the gateway auth token setting. Replace the allowed origins with your own ALB frontend URL. Because the ConfigMap carries the auth token setting, &lt;STRONG&gt;&lt;U&gt;DO NOT&lt;/U&gt;&lt;/STRONG&gt; hardcode your token here. Always keep it as the `${AUTH_TOKEN}` variable, which the gateway resolves from its environment at runtime, rather than storing the value in plain text, so that anyone who can read this ConfigMap cannot see the OpenClaw gateway auth token. Note the quoted heredoc delimiter (`'EOF'`): without it, the shell would expand `${AUTH_TOKEN}` while applying the manifest and the placeholder would not survive.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;# The quoted 'EOF' keeps ${AUTH_TOKEN} literal so the token value itself never lands in the ConfigMap
cat &amp;lt;&amp;lt;'EOF' | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: openclaw-config
data:
  openclaw.json: |
    {
      "gateway": {
        "auth": {
          "token": "${AUTH_TOKEN}"
        },
        "controlUi": {
          "allowedOrigins": [
            "https://&amp;lt;YOUR ALB FRONTEND URL&amp;gt;.alb.azure.com"
          ]
        }
      }
    }
EOF
&lt;/LI-CODE&gt;
&lt;H2&gt;Create the Auth Token Secret&lt;/H2&gt;
&lt;P&gt;The OpenClaw gateway requires an authentication token to secure access. The deployment references a Kubernetes Secret named openclaw-auth-token and injects it into the container as the AUTH_TOKEN environment variable via secretKeyRef.&lt;/P&gt;
&lt;P&gt;Generate a random token (or use an existing one) and create the Kubernetes Secret.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;# Generate a random 32-byte hex token
AUTH_TOKEN=$(openssl rand -hex 32)
echo "$AUTH_TOKEN"   # save this — you'll need it to authenticate with the gateway

kubectl create secret generic openclaw-auth-token \
  --from-literal=token="$AUTH_TOKEN"
&lt;/LI-CODE&gt;
&lt;P&gt;If the secret does not exist when the deployment is applied, pods will fail with `CreateContainerConfigError`.&lt;/P&gt;
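&lt;P&gt;The ConfigMap step and the Secret just created only stay separate if the shell does not expand `${AUTH_TOKEN}` while the manifest is being applied. The following script is an added example, not code from this post or from OpenClaw: it renders the ConfigMap with an unquoted and with a quoted heredoc delimiter and checks which one writes the token value into the manifest. The ALB origin is a placeholder and the token is a constructed value; the script assumes, as the post does, that the gateway resolves `${AUTH_TOKEN}` from its environment at runtime.&lt;/P&gt;

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenClaw: render the
# openclaw-config ConfigMap the way `cat <<EOF | kubectl apply -f -` does and
# check whether the gateway auth token leaks into it. Assumes (as the post does)
# that the gateway resolves ${AUTH_TOKEN} from its environment at runtime.

# Renders the ConfigMap body. mode "expand" uses an unquoted heredoc delimiter;
# mode "literal" uses a quoted delimiter so the shell leaves ${AUTH_TOKEN} for
# the gateway, and only the non-secret ALB origin is substituted afterwards.
render_openclaw_configmap() {
  mode=$1
  origin=${2:-https://EXAMPLE-FRONTEND.alb.azure.com}   # placeholder ALB URL
  if [ "$mode" = expand ]; then
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: openclaw-config
data:
  openclaw.json: |
    {
      "gateway": {
        "auth": { "token": "${AUTH_TOKEN}" },
        "controlUi": { "allowedOrigins": [ "${origin}" ] }
      }
    }
EOF
  else
    cat <<'EOF' | sed "s|ALB_ORIGIN_PLACEHOLDER|$origin|"
apiVersion: v1
kind: ConfigMap
metadata:
  name: openclaw-config
data:
  openclaw.json: |
    {
      "gateway": {
        "auth": { "token": "${AUTH_TOKEN}" },
        "controlUi": { "allowedOrigins": [ "ALB_ORIGIN_PLACEHOLDER" ] }
      }
    }
EOF
  fi
}

# True (exit 0) when the rendered manifest contains the token value itself,
# i.e. anyone with read access to the ConfigMap, or to the init container log
# that cats openclaw.json, would see the gateway token.
configmap_leaks_token() {
  if [ -z "$2" ]; then return 1; fi
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# True (exit 0) when the ${AUTH_TOKEN} placeholder survived for runtime lookup.
configmap_keeps_placeholder() {
  printf '%s\n' "$1" | grep -qF '${AUTH_TOKEN}'
}

# Demonstration with a constructed token (the real one comes from openssl rand).
AUTH_TOKEN=0123constructedtokenvalue4567
unsafe=$(render_openclaw_configmap expand)
safe=$(render_openclaw_configmap literal)
if configmap_leaks_token "$unsafe" "$AUTH_TOKEN"; then
  echo "unquoted EOF: token value written into the ConfigMap"
fi
if configmap_keeps_placeholder "$safe"; then
  echo "quoted 'EOF': placeholder kept, token stays in the Secret only"
fi
```

The same check can gate a real apply by piping `kubectl apply --dry-run=client -o yaml` output through `configmap_leaks_token` before anything reaches the cluster.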
&lt;H2&gt;Deploy the OpenClaw Gateway&lt;/H2&gt;
&lt;P&gt;This is the main application deployment. It depends on all previous steps:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Kata node pool&lt;/STRONG&gt; (pods require runtimeClassName: kata-vm-isolation and nodeSelector: agentpool=katanp)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;PVC&lt;/STRONG&gt; (pvc-openclaw-nfs for persistent workspace data)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ConfigMap&lt;/STRONG&gt; (openclaw-config for openclaw.json)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Secret&lt;/STRONG&gt; (openclaw-auth-token, injected as the AUTH_TOKEN environment variable)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Key details:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Runs &lt;STRONG&gt;2 replicas&lt;/STRONG&gt; with a rolling update strategy&lt;/LI&gt;
&lt;LI&gt;Uses an &lt;STRONG&gt;init container&lt;/STRONG&gt; to copy the config file to a writable volume&lt;/LI&gt;
&lt;LI&gt;Exposes port &lt;STRONG&gt;18789&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Includes liveness and readiness probes on /health&lt;/LI&gt;
&lt;LI&gt;Resource requests: 500m CPU, 512Mi memory&lt;/LI&gt;
&lt;LI&gt;Resource limits: 2 CPU, 2Gi memory&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI-CODE lang=""&gt;cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw-gateway
spec:
  replicas: 2
  selector:
    matchLabels:
      app: openclaw-gateway
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  template:
    metadata:
      labels:
        app: openclaw-gateway
    spec:
      runtimeClassName: kata-vm-isolation
      nodeSelector:
        agentpool: katanp
      securityContext:
        fsGroup: 1000
      initContainers:
        - name: copy-openclaw-config
          image: alpine/openclaw:latest
          env:
            - name: HOME
              value: /writable
          command:
            - sh
            - -c
            - |
              cp /config/openclaw.json /writable/openclaw.json \
              &amp;amp;&amp;amp; chown 1000:1000 /writable/openclaw.json \
              &amp;amp;&amp;amp; echo "--- Config file contents ---" \
              &amp;amp;&amp;amp; cat /writable/openclaw.json
          volumeMounts:
            - name: openclaw-config-volume
              mountPath: /config
            - name: openclaw-writable
              mountPath: /writable
      containers:
        - name: gateway
          image: alpine/openclaw:latest
          ports:
            - containerPort: 18789
          env:
            - name: NODE_OPTIONS
              value: "--max-old-space-size=4096"
            - name: AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: openclaw-auth-token
                  key: token
          # Start gateway the way the tutorial indicates
          command: ["openclaw", "gateway"]
          args: ["run", "--allow-unconfigured", "--bind", "lan"]
          volumeMounts:
            - name: openclaw-writable
              mountPath: /home/node/.openclaw
            - name: openclaw-data
              mountPath: /home/node/workspace
              subPath: workspace
          resources:
            requests:
              cpu: "500m"
              memory: "2Gi"
            limits:
              cpu: "1000m"
              memory: "4Gi"
          livenessProbe:
            httpGet:
              path: /health
              port: 18789
            initialDelaySeconds: 60
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 18789
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
        - name: openclaw-data
          persistentVolumeClaim:
            claimName: pvc-openclaw-nfs
        - name: openclaw-config-volume
          configMap:
            name: openclaw-config
            items:
              - key: openclaw.json
                path: openclaw.json
        - name: openclaw-writable
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: openclaw-gateway-service
spec:
  type: ClusterIP
  selector:
    app: openclaw-gateway
  ports:
    - protocol: TCP
      port: 18789
      targetPort: 18789
EOF
&lt;/LI-CODE&gt;
&lt;P&gt;Verify that the deployment succeeds. Wait until the deployment reports `READY 2/2` and both pods show `Running`.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl get deployment openclaw-gateway
kubectl get pods -l app=openclaw-gateway
&lt;/LI-CODE&gt;&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 4: OpenClaw deployment&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;H2&gt;Create the TLS secret (for HTTPS)&lt;/H2&gt;
&lt;P&gt;The Application Gateway for Containers references a TLS secret (gateway-tls-secret) for HTTPS termination. This blog post uses a self-signed certificate; in a production environment, use a certificate signed by a certificate authority.&amp;nbsp;Replace `&amp;lt;path-to-tls-cert&amp;gt;` and `&amp;lt;path-to-tls-key&amp;gt;` with paths to your TLS certificate and private key files.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl create secret tls gateway-tls-secret \
  --cert=&amp;lt;path-to-tls-cert&amp;gt; \
  --key=&amp;lt;path-to-tls-key&amp;gt; 
&lt;/LI-CODE&gt;
&lt;H2&gt;Create the Gateway&lt;/H2&gt;
&lt;P&gt;The Gateway resource defines the HTTPS listener on the Azure Application Load Balancer (ALB). Update the &lt;STRONG&gt;`alb.network.azure.com/application-gateway-id`&lt;/STRONG&gt; annotation to match your ALB traffic controller resource ID. You will also need to reference the gateway-tls-secret to enable HTTPS.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: https
  annotations:
    alb.network.azure.com/application-gateway-id: /subscriptions/&amp;lt;subscription id&amp;gt;/resourceGroups/mc_openclaw_openclaw-cluster_centralus/providers/Microsoft.ServiceNetworking/trafficControllers/&amp;lt;alb id&amp;gt;
    alb.networking.azure.io/alb-namespace: default
    alb.networking.azure.io/alb-name: alb-openclaw
spec:
  gatewayClassName: azure-alb-external
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
        - kind: Secret
          group: ""
          name: gateway-tls-secret
EOF
&lt;/LI-CODE&gt;
&lt;P&gt;Check the Gateway and wait until it shows a `Programmed=True` condition.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl get gateway https&lt;/LI-CODE&gt;
&lt;H2&gt;Create the HTTPRoute&lt;/H2&gt;
&lt;P&gt;The HTTPRoute connects the Gateway to the backend Service. It routes all traffic (`/` prefix) from the HTTPS Gateway to `openclaw-gateway-service` on port 18789.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http-route
spec:
  parentRefs:
    - name: https
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /  
    backendRefs:
    - name: openclaw-gateway-service
      kind: Service
      namespace: default
      port: 18789
EOF
&lt;/LI-CODE&gt;
&lt;H2&gt;Test the OpenClaw application&lt;/H2&gt;
&lt;P&gt;Get the external endpoint.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl get gateway https -o jsonpath='{.status.addresses[0].value}'&lt;/LI-CODE&gt;
&lt;P&gt;Paste the endpoint into your browser to reach the OpenClaw application. If you are using a self-signed certificate, you will see a “Not secure” warning; click &lt;EM&gt;Advanced&lt;/EM&gt; to proceed. In a production environment with a certificate signed by a certificate authority, you should not see that warning.&lt;/P&gt;
&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 5: OpenClaw Authentication&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;P&gt;Paste in your Gateway Token (the auth token created earlier). You will notice that even though the token is valid, the gateway returns a “pairing required” error. Pairing is required in OpenClaw whenever a new device, browser profile, or CLI client attempts to connect to the gateway for the first time, ensuring only authorized clients can control the AI agent. Approve the pending pairing request on each gateway replica, using the auth token read back from the Secret:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;POD=$(kubectl get pod -l app=openclaw-gateway -o jsonpath='{.items[0].metadata.name}')
POD2=$(kubectl get pod -l app=openclaw-gateway -o jsonpath='{.items[1].metadata.name}')
TOKEN=$(kubectl get secret openclaw-auth-token -o jsonpath='{.data.token}' | base64 -d)

kubectl exec "$POD" -c gateway -- openclaw devices approve --latest --token "$TOKEN"
kubectl exec "$POD2" -c gateway -- openclaw devices approve --latest --token "$TOKEN"
&lt;/LI-CODE&gt;
&lt;P&gt;You should see a message like the one in the image below. You can now open the OpenClaw application and start using it.&lt;/P&gt;
&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 6: OpenClaw pairing success message&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Figure 7: OpenClaw Application&lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;P&gt;You have successfully deployed OpenClaw within a microVM hosted on Azure Kubernetes Service.&lt;/P&gt;
&lt;H2&gt;Test microVM kernel isolation&lt;/H2&gt;
&lt;P&gt;From within the OpenClaw pod, try to read the host’s root filesystem via /proc/1/root. You should see an error like: ls: cannot access '/proc/1/root/etc/kubernetes': No such file or directory.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl exec -it "$POD" -c gateway -- ls /proc/1/root/etc/kubernetes 2&amp;gt;&amp;amp;1&lt;/LI-CODE&gt;
&lt;P&gt;In a standard container deployment, PID 1 inside the container is still running on the &lt;STRONG&gt;host kernel&lt;/STRONG&gt;, so traversing /proc/1/root/ exposes the host's root filesystem, including sensitive paths like /etc/kubernetes (which holds kubelet credentials). (This applies when the container shares the host PID namespace, for example with hostPID: true, or has broken out of its own; a container kept in its own PID namespace sees its entrypoint as PID 1.) With Kata VM isolation, the picture is completely different. When we run ls /proc/1/root/etc/kubernetes from inside the OpenClaw pod, it returns &lt;STRONG&gt;"No such file or directory"&lt;/STRONG&gt;. This is because PID 1 is no longer a process on the host; it runs inside a dedicated &lt;STRONG&gt;guest VM with its own kernel&lt;/STRONG&gt;. The /proc/1/root/ path leads to the microVM's root filesystem, not the host's, and that microVM has no knowledge of the node's Kubernetes configuration or machine identity. The host is simply invisible. This is the core security guarantee of Kata Containers: even if an attacker achieves a full container escape, there is nothing to escape &lt;EM&gt;to&lt;/EM&gt;. They land inside a lightweight VM boundary, not on the shared host, so lateral movement to other pods or to the node itself additionally requires breaking the hypervisor boundary.&lt;/P&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;This post discussed why running OpenClaw workloads in standard containers can be risky when the workload includes untrusted or semi-trusted code: containers share the host Linux kernel, so a single container escape or privileged misconfiguration can expand into node-level compromise and a much larger blast radius. To address this, we introduced microVM-based sandboxing with Kata Containers on Azure Kubernetes Service (AKS) and walked through an implementation approach (a node pool with Kata VM isolation, storage, gateway deployment, and ingress). Finally, we validated the isolation properties by demonstrating that common host-visibility techniques (for example, probing&amp;nbsp;&lt;EM&gt;/proc/1/root&lt;/EM&gt;) no longer reveal host paths when the workload runs inside a microVM.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Separate kernel boundary&lt;/STRONG&gt;: Kata runs the container inside a microVM, so the workload executes against a guest kernel rather than the shared host kernel—kernel exploits and escape attempts don’t directly translate into host control.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Host filesystem is no longer “in scope”&lt;/STRONG&gt;: paths that often leak host context in standard containers (for example, traversals via &lt;EM&gt;/proc&lt;/EM&gt;) resolve inside the microVM’s filesystem, not the node’s root filesystem.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reduced blast radius per workload&lt;/STRONG&gt;: each sandbox has its own VM boundary, making it much harder to pivot from one compromised workload to other pods/containers on the same node.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stronger default device and privilege separation&lt;/STRONG&gt;: the hypervisor boundary and minimal virtual device model limit exposure to host devices and privileged interfaces that commonly enable breakouts.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Defense-in-depth still applies&lt;/STRONG&gt;: you can keep container hardening (seccomp, capability dropping, read-only filesystems, restricted mounts) while gaining an additional isolation layer that is independent of Linux namespaces/cgroups.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Overall, this post helps you deploy OpenClaw on AKS with Kata microVM isolation so you can run agent workloads with a significantly reduced risk of host-kernel compromise from container escape techniques.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Apr 2026 01:57:02 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/hardening-openclaw-on-aks-mitigating-container-escapes-with-kata/ba-p/4516030</guid>
      <dc:creator>jianshn</dc:creator>
      <dc:date>2026-04-30T01:57:02Z</dc:date>
    </item>
    <item>
      <title>How to Manage RC4 Hardening – Definitive Guide</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-manage-rc4-hardening-definitive-guide/ba-p/4515923</link>
      <description>&lt;H1&gt;How to Manage RC4 Hardening – Definitive Guide&lt;/H1&gt;
&lt;P&gt;This article is a technical continuation of the RC4 deprecation / Kerberos hardening work I covered in my &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/what-changed-in-rc4-with-the-january-2026-windows-update-and-why-it-is-important/4504732" target="_blank" rel="noopener" data-lia-auto-title="previous article" data-lia-auto-title-active="0"&gt;previous article&lt;/A&gt; last month. If you already went through the “why” (risk of RC4, what changes Microsoft is rolling out, and the high-level migration approach), the goal here is to get hands-on and precise: what exactly changes across the three rollout phases, which registry keys and AD attributes drive KDC behavior, what you should expect to see in security logs, and how to turn those signals into concrete remediation steps.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites:&lt;/STRONG&gt; ensure the January update that introduces the RC4/Kerberos hardening telemetry is installed on all Domain Controllers. Without that patch, the Security log will not emit the new KDC events (201–209) and the Domain Controllers will not evaluate the related registry keys (&lt;EM&gt;RC4DefaultDisablementPhase&lt;/EM&gt; and &lt;EM&gt;DefaultDomainSupportedEncTypes&lt;/EM&gt;).&lt;/P&gt;
&lt;P&gt;&lt;U&gt;Note: The information in this article applies only to supported operating systems released before 2025. I haven’t had the time to validate how these keys behave on 2025 versions.&lt;/U&gt;&lt;/P&gt;
&lt;H1&gt;Hardening Phases&lt;/H1&gt;
&lt;P&gt;Let's begin with a brief technical summary of each phase of the RC4 hardening update. For a detailed walkthrough of the rollout phases, see my previous article.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 1 - Auditing - January 2026&lt;/STRONG&gt;:
&lt;UL&gt;
&lt;LI&gt;starting from the January update, you can create the &lt;EM&gt;RC4DefaultDisablementPhase &lt;/EM&gt;registry key. Set it to&amp;nbsp;&lt;STRONG&gt;1&lt;/STRONG&gt; to enable logging of the new events (&lt;STRONG&gt;201-209&lt;/STRONG&gt;) on domain controllers.&lt;/LI&gt;
&lt;LI&gt;Nothing else changes for now: the KDC will continue to issue RC4-encrypted tickets.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 2 – Soft enforcement – April 2026&lt;/STRONG&gt;: the KDC will automatically reject requests that only support RC4 &lt;STRONG&gt;&lt;U&gt;if&lt;/U&gt;&lt;/STRONG&gt; the DefaultDomainSupportedEncTypes key has not been manually set, before the April update is applied, to one of the available values that allow RC4. In this phase:
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;RC4DefaultDisablementPhase&lt;/STRONG&gt; is set to 2 but can be reverted to 1. &lt;U&gt;If the value was previously set to 1, the patch won’t override the value.&lt;/U&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;DefaultDomainSupportedEncTypes&lt;/STRONG&gt;: if the value of this key was not set when Phase 2 starts, it is automatically set to &lt;STRONG&gt;0x18&lt;/STRONG&gt; by default (AES-only). You can roll it back to &lt;STRONG&gt;0x1C, 0x24 or 0x3C&lt;/STRONG&gt; (you will understand the difference between those values later in this article) if needed. However, &lt;U&gt;if you had previously defined this key, Microsoft will not override it&lt;/U&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 3 – Hard enforcement – July 2026&lt;/STRONG&gt;: note that this phase will not disable RC4 completely; only the ability to default to RC4 is removed.
&lt;UL&gt;
&lt;LI&gt;The key &lt;EM&gt;RC4DefaultDisablementPhase&lt;/EM&gt; is no longer read.&lt;/LI&gt;
&lt;LI&gt;In this phase, the only way to allow RC4 encryption is to manually set the &lt;EM&gt;msDS-SupportedEncryptionTypes&lt;/EM&gt; attribute to &lt;EM&gt;0x1C&lt;/EM&gt; (to allow RC4 only for that account) while having the &lt;EM&gt;SupportedEncryptionTypes&lt;/EM&gt; GPO set to support RC4. You can also set &lt;EM&gt;DefaultDomainSupportedEncTypes&lt;/EM&gt; to &lt;EM&gt;0x1C or 0x24&lt;/EM&gt; to allow RC4 for the entire environment.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Note that, if you want to set &lt;EM&gt;msDS-SupportedEncryptionTypes&lt;/EM&gt; to allow RC4 at the AD object level while keeping &lt;EM&gt;DefaultDomainSupportedEncTypes&lt;/EM&gt; set to 0x18, you will also need to set the &lt;EM&gt;SupportedEncryptionTypes&lt;/EM&gt; policy to support RC4 (more details in the scenarios section of this article).&lt;/P&gt;
&lt;H1&gt;Registry keys and attributes involved&lt;/H1&gt;
&lt;P&gt;In this section, you’ll find the list of all the registry keys, AD attributes, and GPOs involved in this hardening. The values shown are not exhaustive; I have listed only the specific values relevant to this hardening.&lt;/P&gt;
&lt;H3&gt;DefaultDomainSupportedEncTypes:&lt;/H3&gt;
&lt;P&gt;Path: &lt;EM&gt;HKLM\System\CurrentControlSet\Services\KDC&lt;/EM&gt; (Server 2016, Server 2019, Server 2022, 4B.26 Server 2025)&lt;/P&gt;
&lt;P&gt;Path: &lt;EM&gt;HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\&lt;/EM&gt; (Windows Server 2025 only)&lt;/P&gt;
&lt;P&gt;This key must be created manually if needed.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Possible values:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;0x27&lt;/STRONG&gt;: enable DES, RC4 and AES session key (default before hardening for pre-2025 OSs)
&lt;UL&gt;
&lt;LI&gt;Flags enabled: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x24&lt;/STRONG&gt;: Enable RC4 and AES session key:
&lt;UL&gt;
&lt;LI&gt;Flags Enabled: RC4-HMAC, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x1C&lt;/STRONG&gt;: allow RC4 and AES:
&lt;UL&gt;
&lt;LI&gt;Flags enabled: RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x3C&lt;/STRONG&gt;: enable RC4, AES and AES session key
&lt;UL&gt;
&lt;LI&gt;Flags enabled: RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x18&lt;/STRONG&gt;: enable AES only (default value before hardening on Server 2025)
&lt;UL&gt;
&lt;LI&gt;Flags enabled: AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x38&lt;/STRONG&gt;: enable AES and AES session key
&lt;UL&gt;
&lt;LI&gt;Flags enabled: AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Possible values and their meaning during all the phases:&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 1:&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;The value of this key won’t be changed during phase 1. If the key has not been manually set, you will have the default value of your operating system during this phase.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 2:&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;0x18&lt;/STRONG&gt;: default value for this phase. Blocks the use of RC4 encryption; only AES-128 and AES-256 are allowed. &lt;U&gt;If this key was already explicitly set to any other value before the start of phase 2, the patch won’t override its value&lt;/U&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x24, 0x1C and 0x3C&lt;/STRONG&gt;: these values can be used for manual rollback to allow RC4; I advise using the value 0x1C for increased security. &lt;STRONG&gt;*&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 3:&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;0x18&lt;/STRONG&gt;: default value for this phase. Blocks the use of RC4 encryption; only AES-128 and AES-256 are allowed. &lt;U&gt;If this key was already explicitly set to any other value, the patch won’t override its value&lt;/U&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x24, 0x1C and 0x3C&lt;/STRONG&gt;: these values can be used for manual rollback to allow RC4; I advise using the value 0x1C for increased security. &lt;STRONG&gt;*&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;U&gt;Later in this article, you’ll find common scenarios to help you choose the right values based on your audit findings.&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;*&lt;/STRONG&gt; In our labs, setting the &lt;EM&gt;DefaultDomainSupportedEncTypes&lt;/EM&gt; to &lt;STRONG&gt;0x1C&lt;/STRONG&gt; caused login issues on &lt;STRONG&gt;Windows Server 2003&lt;/STRONG&gt; and &lt;STRONG&gt;Windows XP&lt;/STRONG&gt;. If you still have these operating systems, test this value carefully in your environment. We tried to set the key to &lt;STRONG&gt;0x24 &lt;/STRONG&gt;and we did not observe the same issues.&lt;/P&gt;
&lt;H3&gt;RC4DefaultDisablementPhase&lt;/H3&gt;
&lt;P&gt;Path: &lt;EM&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Note that &lt;U&gt;this key must be manually created and set&lt;/U&gt; and will be evaluated only after the installation of the January 2026 update.&lt;/P&gt;
&lt;P&gt;Here you can find all the &lt;STRONG&gt;possible values during all phases&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG style="color: rgb(30, 30, 30);"&gt;Phase 1&lt;/STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;:&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;1&lt;/STRONG&gt;: audit mode enabled; events &lt;EM&gt;201-209&lt;/EM&gt; are logged on the domain controller when RC4 is used (see the table below for details)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;2&lt;/STRONG&gt;: Kerberos starts assuming that RC4 has been disabled and negotiates AES encryption by default&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 2:&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;The values are the same as those reported for phase 1. With the April patch the value changes to 2 &lt;U&gt;only &lt;/U&gt;&lt;U style="color: rgb(30, 30, 30);"&gt;if the key was not explicitly set to 1 during phase 1&lt;/U&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;. It can still be reverted to 1.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Phase 3:&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG style="color: rgb(30, 30, 30);"&gt;The key is no longer evaluated&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;msDS-SupportedEncryptionTypes&lt;/H3&gt;
&lt;P&gt;This attribute is found on all domain objects in the attribute editor tab.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Values available for the attribute&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Null, not set or 0x0&lt;/STRONG&gt;: the encryption used depends on the value reported on the &lt;EM&gt;DefaultDomainSupportedEncTypes &lt;/EM&gt;key&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x3C&lt;/STRONG&gt;: enables RC4, AES and the AES session key
&lt;UL&gt;
&lt;LI&gt;Flags enabled: RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x1C&lt;/STRONG&gt;: enables RC4 and AES
&lt;UL&gt;
&lt;LI&gt;Flags enabled: RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x38&lt;/STRONG&gt;: enables AES and the AES session key only
&lt;UL&gt;
&lt;LI&gt;Flags enabled: AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x18&lt;/STRONG&gt;: enables AES only
&lt;UL&gt;
&lt;LI&gt;Flags enabled: AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;U&gt;See the section reporting the common scenarios to understand how to correctly use this attribute in your environment.&lt;/U&gt;&lt;/P&gt;
&lt;H3&gt;SupportedEncryptionTypes&lt;/H3&gt;
&lt;P&gt;This registry key is populated by a &lt;STRONG&gt;GPO&lt;/STRONG&gt; on the DCs: “&lt;EM&gt;Network security: Configure encryption types allowed for Kerberos&lt;/EM&gt;”. The path of the GPO is “&lt;EM&gt;Computer Configuration &amp;gt; Policies &amp;gt; Windows Settings &amp;gt; Security Settings &amp;gt; Local Policies &amp;gt; Security Options&lt;/EM&gt;”.&lt;/P&gt;
&lt;P&gt;You can find the related registry key at the path: &lt;EM&gt;HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;The values of the registry key depend on the GPO settings. &lt;STRONG&gt;The possible values are&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG style="color: rgb(30, 30, 30);"&gt;0x7FFFFFFC&lt;/STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;: this configuration is needed to support RC4 in your environment&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Encryption type supported&lt;/STRONG&gt;: RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK, FAST-supported, Compound-identity-supported, Claims-supported, Resource-SID-compression-disabled, Future encryption types&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;0x7FFFFFF8&lt;/STRONG&gt;: this is the value for the recommended configuration
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Encryption types supported&lt;/STRONG&gt;: AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96-SK, FAST-supported, Compound-identity-supported, Claims-supported, Resource-SID-compression-disabled, Future encryption types&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;U&gt;See the section with the common scenarios to understand how to use this key&lt;/U&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Audit&lt;/H1&gt;
&lt;P&gt;This section lists the auditing events for this hardening and briefly explains what each one indicates. Starting in January 2026, some existing events were enhanced to surface additional encryption details, and new events were introduced that are available only after installing the January 2025 patch. Microsoft also provides two very helpful scripts to collect and analyze the events; you can find more details about them at the end of this section.&lt;/P&gt;
&lt;H3&gt;Existing enhanced events&amp;nbsp;&lt;/H3&gt;
&lt;P&gt;Some existing events have been enhanced and can be used for auditing RC4 usage, for example:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;4768&lt;/STRONG&gt;: A Kerberos authentication ticket (TGT) has been requested&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;4769&lt;/STRONG&gt;: A Kerberos service ticket has been requested&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Beyond identifying the client and account requesting the ticket, both events include several fields that are useful for analysis:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt;: shows the value of this attribute for the account reported in the event&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Available keys&lt;/STRONG&gt;: shows all the keys that have been found in AD for that object&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ticket Encryption Type&lt;/STRONG&gt;: the actual cipher used to encrypt the ticket:
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;0x17&lt;/EM&gt; = RC4&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;0x12 &lt;/EM&gt;or &lt;EM&gt;0x13 &lt;/EM&gt;= AES&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Session Encryption Type&lt;/STRONG&gt;: the actual cipher used for the session encryption:
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;0x17 &lt;/EM&gt;= RC4&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;0x12 &lt;/EM&gt;or &lt;EM&gt;0x13 &lt;/EM&gt;= AES&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Advertised Etypes&lt;/STRONG&gt;: lists the encryption types the client supports. If you see only RC4 or DES in this field, it means that we are looking at a legacy client; modern clients should advertise both RC4 and AES.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: 4768 events are not correlated with any &lt;STRONG&gt;201-209&lt;/STRONG&gt; event, while for 4769 events you can find the related 201-209 event to help you during troubleshooting.&lt;/P&gt;
&lt;H3&gt;New events available&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;During the audit phase&lt;/STRONG&gt;, you can find these events in the system event log:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Event ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Type/Phase&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Meaning&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;201&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The client only supports RC4 and the target service's&amp;nbsp;msDS-SupportedEncryptionTypes&amp;nbsp;is&amp;nbsp;&lt;STRONG&gt;not defined&lt;/STRONG&gt;. This will fail under enforcement.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;202&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The target service account's&amp;nbsp;msDS-SupportedEncryptionTypes&amp;nbsp;is&amp;nbsp;&lt;STRONG&gt;not defined&lt;/STRONG&gt;&amp;nbsp;and the&amp;nbsp;&lt;STRONG&gt;service account only has insecure (RC4) keys.&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;205&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC detected that the domain controller has&amp;nbsp;DefaultDomainSupportedEncTypes&amp;nbsp;&lt;STRONG&gt;explicitly&lt;/STRONG&gt;&amp;nbsp;defined to include insecure encryption (RC4). Microsoft will&amp;nbsp;&lt;STRONG&gt;not&lt;/STRONG&gt;&amp;nbsp;automatically override this.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;206&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The target service's&amp;nbsp;msDS-SupportedEncryptionTypes&amp;nbsp;is explicitly set to&amp;nbsp;&lt;STRONG&gt;AES-only&lt;/STRONG&gt;, but the client doesn't advertise AES-SHA1&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;207&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The target service's&amp;nbsp;msDS-SupportedEncryptionTypes&amp;nbsp;is explicitly set to&amp;nbsp;&lt;STRONG&gt;AES-only&lt;/STRONG&gt;, but the service account&amp;nbsp;&lt;STRONG&gt;doesn't have AES-SHA1 keys&lt;/STRONG&gt;&amp;nbsp;(password not reset).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;During the enforcement phase,&lt;/STRONG&gt; you can find these events in the system event log:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Event ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Type/Phase&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Meaning&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;203&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Error&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC&amp;nbsp;&lt;STRONG&gt;blocked&lt;/STRONG&gt;&amp;nbsp;a service ticket because the client only supports insecure types and the service has no explicit encryption config.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;204&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Error&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC&amp;nbsp;&lt;STRONG&gt;blocked&lt;/STRONG&gt;&amp;nbsp;a service ticket because the service account only has insecure keys and has no explicit encryption config.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;205&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Warning&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC detected that the domain controller has&amp;nbsp;DefaultDomainSupportedEncTypes&amp;nbsp;&lt;STRONG&gt;explicitly&lt;/STRONG&gt;&amp;nbsp;defined to include insecure encryption (RC4). Microsoft will&amp;nbsp;&lt;STRONG&gt;not&lt;/STRONG&gt;&amp;nbsp;automatically override this.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;208&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Error&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC&amp;nbsp;&lt;STRONG&gt;denied&lt;/STRONG&gt;&amp;nbsp;a service ticket because the client doesn't support AES-SHA1 and the service requires it.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;209&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Error&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The KDC&amp;nbsp;&lt;STRONG&gt;denied&lt;/STRONG&gt;&amp;nbsp;a service ticket because the service requires AES-SHA1 but has no AES keys.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Below is a list of possible remediation steps based on the events you observe:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;201 and 203&lt;/STRONG&gt;: these events usually indicate that we are looking at a legacy device. My advice is to correlate this finding with the related 4769 event. The goal is to understand whether the device is legacy or not:
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;The device is legacy&lt;/STRONG&gt;: the device does not support AES and needs to be updated. If the update is not feasible now, you can set the &lt;EM&gt;msDS-SupportedEncryptionTypes &lt;/EM&gt;to 0x1C to allow RC4&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;The device is not legacy&lt;/STRONG&gt;: investigate the reason why the device does not have any AES keys available. Maybe the password of the AD account has not been reset in a long time, or there may be a policy applied to this object to enforce the use of RC4 only&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;202 and 204&lt;/STRONG&gt;: these events usually indicate that the password for the account is too old, so the account cannot generate any AES key for encryption.
&lt;UL&gt;
&lt;LI&gt;Reset the password and try the authentication again to confirm the resolution of the problem.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;206 and 208&lt;/STRONG&gt;: these events usually indicate a mismatch between the client and the account configuration. The account may be set to allow AES only while the client is a legacy one.
&lt;UL&gt;
&lt;LI&gt;You need to update the client; if the update is not feasible now, you can set the &lt;EM&gt;msDS-SupportedEncryptionTypes&lt;/EM&gt; to 0x1C to allow RC4&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;207 and 209&lt;/STRONG&gt;: the account is set to AES but cannot generate an AES ticket.
&lt;UL&gt;
&lt;LI&gt;Usually, you'll need to reset the password of the account to solve this issue.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;See the &lt;STRONG&gt;common scenarios&lt;/STRONG&gt; section for more details.&lt;/P&gt;
&lt;H2&gt;Scripts&lt;/H2&gt;
&lt;P&gt;Microsoft provided two scripts to help us investigate the RC4 usage in our environment:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;List-AccountKeys.ps1&lt;/STRONG&gt;&amp;nbsp;to query event logs to enumerate available encryption keys for accounts.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Get-KerbEncryptionUsage.ps1&lt;/STRONG&gt;&amp;nbsp;to identify Kerberos encryption types in use, with filtering options for specific algorithms like RC4.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The scripts are available in this repository: &lt;A href="https://github.com/microsoft/Kerberos-Crypto" target="_blank" rel="noopener"&gt;Microsoft's Kerberos-Crypto GitHub repository&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;Get-KerbEncryptionUsage.ps1&lt;/H4&gt;
&lt;P&gt;This script can identify the usage of RC4 encryption in the environment by analyzing the events recorded on the domain controllers. The information is collected primarily from events 4768 and 4769. In the output you’ll find the date and time of the event, the requestor, and the ticket and session encryption types used.&lt;/P&gt;
&lt;P&gt;Example:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;.\Get-KerbEncryptionUsage.ps1 -Encryption RC4 -Searchscope AllKdcs | Export-Csv -Path .\KerbUsage_DC01.csv -NoTypeInformation -Encoding UTF8&lt;/LI-CODE&gt;
&lt;H4&gt;List-AccountKeys.ps1&lt;/H4&gt;
&lt;P&gt;This script is useful to identify which keys are available for an object (service account, user, computer account).&lt;/P&gt;
&lt;H2&gt;Event forwarding&lt;/H2&gt;
&lt;P&gt;If you have a SIEM available in your environment: lucky you! There is a wonderful article that explains how to collect and forward the events to the SIEM for analysis: &lt;A href="https://techcommunity.microsoft.com/blog/askds/so-you-think-you%E2%80%99re-ready-for-enforcing-aes-for-kerberos/4080124" target="_blank" rel="noopener"&gt;So, you think you’re ready for enforcing AES for Kerberos? | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Common Scenarios&lt;/H1&gt;
&lt;P&gt;This section covers the common scenarios that we may find in a customer’s environment and how to approach them.&lt;/P&gt;
&lt;H3&gt;I have only a few objects that are using RC4&lt;/H3&gt;
&lt;P&gt;Scenario:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;During the audit phase I found &lt;STRONG&gt;&lt;U&gt;a few &lt;/U&gt;legacy devices and applications not compatible with AES&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;I cannot update those devices/applications before the July 2026 phase (enforcement phase)&lt;/LI&gt;
&lt;LI&gt;I need to leave RC4 enabled for only those objects&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;DOs:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;SupportedEncryptionTypes&lt;/STRONG&gt;: you need to set this key to &lt;STRONG&gt;0x7FFFFFFC&lt;/STRONG&gt; via the GPO to allow RC4 support (see the "Registry keys and attributes involved" section of this article); otherwise, even if the &lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt; attribute is set to support RC4, authentication will break, because the KDC won't know how to interpret RC4.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt;: this attribute needs to be set to 0x1C on the affected objects to support RC4&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;DefaultDomainSupportedEncTypes&lt;/STRONG&gt;: can be set to 0x18; this sets AES as the default encryption type for the domain, so all accounts that do not have msDS-SupportedEncryptionTypes set will use AES by default&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In this scenario, new accounts and computers will use AES by default, while accounts with the attribute &lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt; set to &lt;STRONG&gt;0x1C&lt;/STRONG&gt; will still use RC4. This works because the KDC is configured to allow RC4 even though AES remains the domain’s default.&lt;/P&gt;
&lt;P&gt;&lt;U&gt;Note that having devices and applications that rely on RC4 lowers the security posture of your environment; my advice is to remediate those devices/applications as soon as possible&lt;/U&gt;.&lt;/P&gt;
&lt;H3&gt;Many services rely on RC4&lt;/H3&gt;
&lt;P&gt;Scenario:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;During the audit phase I found &lt;STRONG&gt;&lt;U&gt;many &lt;/U&gt;devices not compatible with AES&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;I cannot update those devices/applications before the July 2026 phase (enforcement phase)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;If there are too many devices to be remediated using the &lt;STRONG&gt;msDS-SupportedEncryptionTypes &lt;/STRONG&gt;attribute, you’ll need to keep RC4 enabled by default at the domain level:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;DefaultDomainSupportedEncTypes&lt;/STRONG&gt;: needs to be set to &lt;STRONG&gt;0x1C&lt;/STRONG&gt; to allow both AES and RC4&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SupportedEncryptionTypes&lt;/STRONG&gt;: needs to be set to &lt;STRONG&gt;0x7FFFFFFC&lt;/STRONG&gt; (see the "Registry keys and attributes involved" section for more information about this setting)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt;: this attribute does not need to be changed in this scenario.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In this scenario you can consider using the &lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt; attribute to harden critical modern devices and applications by setting it to &lt;STRONG&gt;0x18&lt;/STRONG&gt; or &lt;STRONG&gt;0x38&lt;/STRONG&gt;, allowing only AES encryption for those objects.&lt;/P&gt;
&lt;H3&gt;No services rely on RC4&lt;/H3&gt;
&lt;P&gt;Congratulations! This is the best scenario: you don’t have any legacy devices or applications that rely only on RC4.&lt;/P&gt;
&lt;P&gt;DOs:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;DefaultDomainSupportedEncTypes&lt;/STRONG&gt;: you can leave it at the July 2026 default (&lt;STRONG&gt;0x18&lt;/STRONG&gt;)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SupportedEncryptionTypes&lt;/STRONG&gt;: can be set to &lt;STRONG&gt;0x7FFFFFF8 &lt;/STRONG&gt;(see the "Registry keys and attributes involved" section for more information about this setting)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;msDS-SupportedEncryptionTypes&lt;/STRONG&gt;: there is no need to change this attribute in this scenario&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;The RC4 hardening rollout is one of those changes that looks simple on paper (“move everything to AES”) but succeeds or fails based on how well you turn Kerberos telemetry into an inventory of real dependencies. Across the three phases (audit, soft enforcement, hard enforcement), the KDC gradually shifts from observing RC4 usage to actively rejecting it, and by Phase 3 the domain-wide “allow RC4” escape hatch is gone.&lt;/P&gt;
&lt;P&gt;Use Phase 1 and the first part of Phase 2 to build a remediation backlog from the new KDC events (201–209) and the enhanced 4768/4769 fields.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Also keep in mind the blind spots: the &lt;STRONG&gt;&lt;U&gt;absence of KDCSVC audit events does not guarantee that all systems will function correctly after enforcement&lt;/U&gt;&lt;/STRONG&gt;. These events focus on service ticket requests involving default/implicit encryption behavior; explicitly configured accounts, TGT requests, and non-Windows or embedded Kerberos stacks can still fail in ways that are not surfaced by 201–209 alone.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;FAQs&lt;/H1&gt;
&lt;H5&gt;Are there impacts in the forest trusts?&lt;/H5&gt;
&lt;P&gt;Test external trusts for impact. Trusts between domains in the same forest have used AES since the November 2022 patch. Before enforcing AES-only across a forest, validate that the trusted forest supports AES.&lt;/P&gt;
&lt;H5&gt;I don’t see any 201-209 events in my environment, does it mean that my environment won’t be impacted?&lt;/H5&gt;
&lt;P&gt;No, the absence of KDCSVC audit events does not guarantee that all systems will function correctly after enforcement. These events focus on service ticket requests involving default/implicit encryption behavior; explicitly configured accounts, TGT requests, and non-Windows or embedded Kerberos stacks can still fail in ways that are not surfaced by 201–209 alone.&lt;/P&gt;
&lt;H5&gt;Is the msDS-SupportedEncryptionTypes attribute evaluated by Windows XP and Windows Server 2003?&lt;/H5&gt;
&lt;P&gt;No, those operating systems cannot read the msDS-SupportedEncryptionTypes attribute. In this case, to allow the use of RC4 you’ll need to set DefaultDomainSupportedEncTypes to 0x24.&lt;/P&gt;
&lt;H1&gt;Useful Resources&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;Encryption Type Calculator: &lt;A href="https://strongwind1.github.io/Kerberos/security/etype-calculator.html?utm_source=copilot.com#msds=0x18" target="_blank" rel="noopener"&gt;Encryption Type Calculator - Kerberos in Active Directory&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/what-is-going-on-with-rc4-in-kerberos/4489365" target="_blank" rel="noopener"&gt;What is going on with RC4 in Kerberos? | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Supported Encryption Types Bit Flags &lt;A href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919" target="_blank" rel="noopener"&gt;[MS-KILE]: Supported Encryption Types Bit Flags | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 &lt;A href="https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc?preview=true" target="_blank" rel="noopener"&gt;How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 - Microsoft Support&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Event 4769: &lt;A href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769" target="_blank" rel="noopener"&gt;4769(S, F) A Kerberos service ticket was requested. - Windows 10 | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;How to manage the Kerberos protocol changes related to CVE-2022-37966 &lt;A href="https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d" target="_blank" rel="noopener"&gt;KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Detect and remediate RC4 usage &lt;A href="https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos#use-powershell-to-audit-rc4-usage" target="_blank" rel="noopener"&gt;Detect and Remediate RC4 Usage in Kerberos | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Disclaimer&lt;/H4&gt;
&lt;P&gt;The content of this article is based on available public documentation and tests performed on a personal lab environment. The information is provided AS IS without a warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use of the reported information contained in this documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the document be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the data in this documentation, even if Microsoft has been advised of the possibility of such damages.&lt;BR /&gt;&lt;U&gt;In short: every environment is different, so please test the changes before implementing them in your production environment&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 28 May 2026 12:20:17 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-manage-rc4-hardening-definitive-guide/ba-p/4515923</guid>
      <dc:creator>Elanor92</dc:creator>
      <dc:date>2026-05-28T12:20:17Z</dc:date>
    </item>
    <item>
      <title>Extracting and Auditing Azure DevOps Permissions at Scale with PowerShell</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/extracting-and-auditing-azure-devops-permissions-at-scale-with/ba-p/4515274</link>
      <description>&lt;H1&gt;Introduction&lt;/H1&gt;
&lt;P&gt;Azure DevOps organizations accumulate permissions over time. Groups are created, users are added, Entra (Azure AD) groups are nested into project groups, and team structures evolve. For organizations subject to compliance requirements, security reviews, or simply wanting to understand who has access to what, the Azure DevOps portal provides a per-group, per-namespace view that does not scale.&lt;/P&gt;
&lt;P&gt;The Azure DevOps REST APIs expose the underlying security model — security namespaces, Access Control Lists (ACLs), Access Control Entries (ACEs), and bitmask-encoded permissions — but consuming these APIs and translating raw data into actionable output requires significant effort.&lt;/P&gt;
&lt;P&gt;This blog post introduces &lt;STRONG&gt;ADO Permissions Output&lt;/STRONG&gt;, an open-source PowerShell toolset that extracts Azure DevOps security permissions across 30+ security namespaces, resolves cryptic tokens and GUIDs into human-readable names, and produces structured JSON and CSV output suitable for auditing, compliance, and import into Power BI.&lt;/P&gt;
&lt;P&gt;The toolset is available on GitHub: &lt;A class="lia-external-url" href="https://github.com/sckissel/ADO-Permissions-Output" target="_blank" rel="noopener"&gt;ADO-Permissions-Output&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;The Problem&lt;/H1&gt;
&lt;P&gt;Consider a typical Azure DevOps organization with multiple projects, dozens of custom groups, Entra-backed security groups, and permissions set at the repository, build pipeline, release pipeline, area path, and service endpoint levels. An auditor needs to answer questions like:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Which groups have &lt;STRONG&gt;Deny&lt;/STRONG&gt; permissions on a specific Git repository?&lt;/LI&gt;
&lt;LI&gt;Who has &lt;STRONG&gt;Edit build pipeline&lt;/STRONG&gt; access across all projects?&lt;/LI&gt;
&lt;LI&gt;Are there disabled Entra users still showing as members of ADO groups?&lt;/LI&gt;
&lt;LI&gt;Which users have access but have never logged in?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The ADO portal answers these one group at a time. The REST APIs answer them in bitmasks and GUIDs. This tool bridges the gap.&lt;/P&gt;
&lt;H1&gt;What the Tool Does&lt;/H1&gt;
&lt;P&gt;At a high level, the tool:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Authenticates to Azure DevOps using a Personal Access Token (PAT)&lt;/LI&gt;
&lt;LI&gt;Enumerates all security namespaces in the organization&lt;/LI&gt;
&lt;LI&gt;Fetches all groups, users, and teams&lt;/LI&gt;
&lt;LI&gt;For each namespace, retrieves ACLs with extended info (effective and inherited permissions)&lt;/LI&gt;
&lt;LI&gt;Decodes bitmask permissions against the namespace action list&lt;/LI&gt;
&lt;LI&gt;Resolves security tokens (GUIDs, paths) to friendly names (project names, repo names, query paths, etc.)&lt;/LI&gt;
&lt;LI&gt;Outputs structured JSON per project with Allow, Deny, Effective, and Inherited permissions clearly labeled&lt;/LI&gt;
&lt;LI&gt;Optionally generates a group membership report with user entitlement status&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;Architecture Overview&lt;/H1&gt;
&lt;img&gt;Flowchart of PowerShell and JSON files, their purposes, the REST API endpoints that are called, and the outputs files.&lt;/img&gt;
&lt;P&gt;The solution consists of three PowerShell files:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN lia-align-left"&gt;&lt;table border="1" style="width: 88.5185%; height: 213px; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;File&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Purpose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;SecurityMain.ps1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Entry point — loads modules, sets up directories, orchestrates execution&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;SecurityHelper.psm1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Core engine — namespace enumeration, ACL fetching, bitmask decoding, token resolution&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ProjectAndGroup.psm1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Group membership reporting, user entitlement enrichment, directory setup&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 27.8582%" /&gt;&lt;col style="width: 72.1418%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Configuration is driven by &lt;EM&gt;ProjectDef.json&lt;/EM&gt;, which specifies output directories, filenames, and which namespaces to extract.&lt;/P&gt;
&lt;P&gt;All REST API calls route through a centralized Invoke-AdoRestMethod wrapper that provides automatic retry with exponential back-off for HTTP 429 (throttle) and transient server errors.&lt;/P&gt;
&lt;H1&gt;Setting Up the Pipeline&lt;/H1&gt;
&lt;P&gt;The tool is designed for unattended execution in an Azure Pipelines pipeline. The included &lt;EM&gt;main.yml&lt;/EM&gt; defines a parameterized pipeline that can be run manually from the ADO UI. Additionally, a trigger can be configured to run on a schedule.&lt;/P&gt;
&lt;H2&gt;Prerequisites&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;A &lt;STRONG&gt;Personal Access Token&lt;/STRONG&gt; with read permissions across security, graph, build, release, work items, service endpoints, dashboards, and analytics scopes&lt;/LI&gt;
&lt;LI&gt;A &lt;STRONG&gt;Variable Group&lt;/STRONG&gt; named ADOPermissions containing the PAT as a secret variable&lt;/LI&gt;
&lt;LI&gt;The &lt;STRONG&gt;Build Service&lt;/STRONG&gt; identity needs Contribute permission on the repository (for committing output back)&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;Running the Pipeline&lt;/H2&gt;
&lt;P&gt;When you run the pipeline, the "Run pipeline" dialog presents parameters for the organization name, project name, and optional features like the membership report and AAD group recursion.&lt;/P&gt;
&lt;img&gt;Azure DevOps Pipeline Run dialog from YAML configuration.&lt;/img&gt;
&lt;P&gt;The pipeline extracts permissions, commits the output back to the repository, and optionally publishes the output as a pipeline artifact.&lt;/P&gt;
&lt;H1&gt;Understanding the Permissions Output&lt;/H1&gt;
&lt;P&gt;The primary output is a JSON file per project. Each entry represents a single permission assignment:&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{
     "Namespace": "Git Repositories",
     "Project": "MyProject",
     "Object": "my-repo",
     "Type": "Group",
     "UserGroupName": "Contributors",
     "PermissionType": "Allow",
     "Permission": "Contribute",
     "Bit": 4
}&lt;/LI-CODE&gt;
&lt;P&gt;Permissions are reported as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Allow&lt;/STRONG&gt; — Explicitly granted&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deny&lt;/STRONG&gt; — Explicitly denied&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Allow (Effective)&lt;/STRONG&gt; — Granted through inheritance&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Allow (Inherited)&lt;/STRONG&gt; — Inherited from a parent scope&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deny (Effective)&lt;/STRONG&gt; and &lt;STRONG&gt;Deny (Inherited)&lt;/STRONG&gt; — Same patterns for deny permissions&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Token Resolution&lt;/H2&gt;
&lt;P&gt;One of the most valuable features is that raw security tokens are resolved inline. Instead of seeing &lt;EM&gt;repoV2/c847308e-d632-4e7f-a7fb-6f4db280bbaa/a1b2c3d4-...&lt;/EM&gt;, the output shows the actual repository name, build definition name, query path, area path, or service endpoint name.&lt;/P&gt;
&lt;P&gt;This resolution covers:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Project names&lt;/LI&gt;
&lt;LI&gt;Git repository names&lt;/LI&gt;
&lt;LI&gt;Build and release definitions&lt;/LI&gt;
&lt;LI&gt;Work item queries (including nested folder paths)&lt;/LI&gt;
&lt;LI&gt;Area paths and iterations&lt;/LI&gt;
&lt;LI&gt;Dashboards (project and team level)&lt;/LI&gt;
&lt;LI&gt;Service endpoints&lt;/LI&gt;
&lt;LI&gt;Variable groups and secure files&lt;/LI&gt;
&lt;LI&gt;Agent pools&lt;/LI&gt;
&lt;LI&gt;Environments&lt;/LI&gt;
&lt;LI&gt;Plans and process templates&lt;/LI&gt;
&lt;LI&gt;Analytics views&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;The Membership Report&lt;/H1&gt;
&lt;P&gt;When &lt;EM&gt;-IncludeMembership&lt;/EM&gt; is enabled, the tool generates a separate report showing who belongs to each group and what parent groups each group belongs to.&lt;/P&gt;
&lt;img&gt;JSON output of user and group memberships per Azure DevOps group.&lt;/img&gt;
&lt;H2&gt;Detecting Stale and Ghost Members&lt;/H2&gt;
&lt;P&gt;The membership report includes &lt;EM&gt;Status &lt;/EM&gt;and &lt;EM&gt;LastAccessedDate &lt;/EM&gt;from the User Entitlements API, along with a &lt;EM&gt;ResolvedVia&lt;/EM&gt; field that indicates how each member was discovered.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 99.2593%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;ResolvedVia&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;LastAccessedDate&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Meaning&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ADO Membership API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;active&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recent date&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Active user, using ADO&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ADO Membership API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;active&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Null or very old&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Has access, never logged in&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ADO Membership API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;disabled&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Any&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Admin disabled their ADO access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ADO Membership API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Null&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Null&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;ADO identity exists but entitlement removed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Hierarchy Group Expansion&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;active&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recent date&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Active user, also in an Entra group&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Hierarchy Group Expansion&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Null&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Null&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Ghost member — visible in ADO UI via Entra group but has no ADO entitlement&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 20.3548%" /&gt;&lt;col style="width: 8.21662%" /&gt;&lt;col style="width: 14.4715%" /&gt;&lt;col style="width: 56.9571%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;AAD/Entra Group Recursion&lt;/H2&gt;
&lt;P&gt;When &lt;EM&gt;-RecurseAADGroups&lt;/EM&gt; is enabled, the tool resolves the actual members of Entra (Azure AD) groups that are nested inside ADO groups. This uses the ADO Contribution HierarchyQuery API — the same API that the ADO portal uses to display group members.&lt;/P&gt;
&lt;P&gt;This is significant because the standard ADO Graph Memberships API does not return individual members of Entra groups — it only shows the Entra group itself as a member. The HierarchyQuery approach reveals the real users, including those whose Entra accounts have been disabled or deleted but still appear in the ADO UI through group membership.&lt;/P&gt;
&lt;H1&gt;Importing into Power BI&lt;/H1&gt;
&lt;P&gt;The JSON output is directly importable into Power BI for visualization and analysis.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Open Power BI Desktop&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Get Data&lt;/STRONG&gt; &amp;gt; &lt;STRONG&gt;JSON&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Select the permissions or membership JSON file&lt;/LI&gt;
&lt;LI&gt;The data loads as a table ready for filtering, pivoting, and visualization&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Alternatively, use the &lt;EM&gt;-OutputFormat&lt;/EM&gt; &lt;EM&gt;CSV &lt;/EM&gt;parameter to produce CSV files for direct import via &lt;STRONG&gt;Data&lt;/STRONG&gt; &amp;gt; &lt;STRONG&gt;From Text/CSV&lt;/STRONG&gt;.&lt;/P&gt;
&lt;img&gt;Power BI Dashboard layout of Namespaces, project permissions, user and group names, and count of project permissions.&lt;/img&gt;
&lt;P&gt;Common Power BI analyses:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Permission heatmap by namespace and group&lt;/LI&gt;
&lt;LI&gt;Users with Deny permissions across all projects&lt;/LI&gt;
&lt;LI&gt;Group membership overlap between projects&lt;/LI&gt;
&lt;LI&gt;Stale users (active entitlement but no recent access)&lt;/LI&gt;
&lt;LI&gt;Ghost members from Entra group expansion&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Key Design Decisions&lt;/H1&gt;
&lt;P&gt;&lt;STRONG&gt;Sequential execution.&lt;/STRONG&gt; The tool processes namespaces sequentially rather than in parallel. This avoids the ADO API throttle penalty box (HTTP 429), which can delay an entire pipeline run. The retry wrapper handles transient 429s by honoring the &lt;EM&gt;Retry-After&lt;/EM&gt; header, but sequential processing prevents them from occurring in the first place.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;PAT authentication only.&lt;/STRONG&gt; The tool uses Personal Access Token authentication with Basic auth headers. This keeps the solution simple — no Entra app registrations, managed identities, or module dependencies. The PAT is stored in an ADO Variable Group marked as secret.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Read-only operation.&lt;/STRONG&gt; The tool does not modify any permissions, groups, or resources. All API calls are GET or POST (for subject lookups and HierarchyQuery). It is safe to run against production organizations.&lt;/P&gt;
&lt;H1&gt;Getting Started&lt;/H1&gt;
&lt;OL&gt;
&lt;LI&gt;Clone the repository: &lt;EM&gt;git clone https://github.com/sckissel/ADO-Permissions-Output.git&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;Create a PAT with the required scopes (see the &lt;A class="lia-external-url" href="https://github.com/sckissel/ADO-Permissions-Output/blob/main/README.md" target="_blank" rel="noopener"&gt;README&lt;/A&gt; for the full list)&lt;/LI&gt;
&lt;LI&gt;For pipeline execution, follow the setup instructions in the README to create the Variable Group and pipeline definition.&lt;/LI&gt;
&lt;LI&gt;For local testing:&lt;/LI&gt;
&lt;/OL&gt;
&lt;LI-CODE lang="powershell"&gt;./SecurityMain.ps1 `
-PAT "&amp;lt;your-pat&amp;gt;" `
-VSTSMasterAcct "yourorg" `
-projectName "YourProject" `
-allProjects "False" `
-DirRoot "C:\ADOSecurity" `
-IncludeMembership "True" `
-RecurseAADGroups "True" `
-OutputFormat "Both"&lt;/LI-CODE&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;Auditing Azure DevOps permissions at scale requires more than the portal provides. This toolset bridges the gap between the raw security APIs and actionable audit output, resolving cryptic tokens into readable names, surfacing effective and inherited permissions, and detecting stale or ghost group members through Entra group expansion.&lt;/P&gt;
&lt;P&gt;The tool is open source, requires only PowerShell 7 and a PAT, and is designed for unattended pipeline execution with output committed back to the repository for version-tracked audit history.&lt;/P&gt;
&lt;P&gt;Feedback, issues, and contributions are welcome on GitHub: &lt;A class="lia-external-url" href="https://github.com/sckissel/ADO-Permissions-Output" target="_blank" rel="noopener"&gt;ADO-Permissions-Output&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Thanks for reading!&lt;/P&gt;
&lt;H1&gt;Disclaimer&lt;/H1&gt;
&lt;P&gt;The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Apr 2026 06:38:27 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/extracting-and-auditing-azure-devops-permissions-at-scale-with/ba-p/4515274</guid>
      <dc:creator>skissel</dc:creator>
      <dc:date>2026-04-28T06:38:27Z</dc:date>
    </item>
    <item>
      <title>Designing Outbound Connectivity for "Private Subnets" in Azure</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/designing-outbound-connectivity-for-quot-private-subnets-quot-in/ba-p/4514258</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Why Private Subnets Change Everything&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Historically, Azure virtual machines relied on &lt;EM&gt;default outbound internet access&lt;/EM&gt;, where the platform automatically assigned a dynamic SNAT IP from a shared pool. This was convenient but problematic:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;❌ No deterministic outbound IP addresses&lt;/LI&gt;
&lt;LI&gt;❌ No traffic inspection or filtering&lt;/LI&gt;
&lt;LI&gt;❌ No FQDN or URL governance&lt;/LI&gt;
&lt;LI&gt;❌ Difficult to audit for compliance&lt;/LI&gt;
&lt;LI&gt;❌ Susceptible to noisy neighbor SNAT exhaustion&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;With private subnets, outbound access is disabled by default. This shifts the responsibility to the architect — deliberately. The result is an environment where:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;✅ Every outbound flow is intentional&lt;/LI&gt;
&lt;LI&gt;✅ Every outbound IP is known and documented&lt;/LI&gt;
&lt;LI&gt;✅ Every egress path can be governed and logged&lt;/LI&gt;
&lt;LI&gt;✅ Compliance evidence is straightforward to produce&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The question is no longer &lt;EM&gt;"does my VM have internet access?"&lt;/EM&gt; but rather &lt;EM&gt;"how exactly does my VM reach the internet, and is that path appropriate for this workload?"&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The Three Outbound Patterns at a Glance&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Option&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Primary Role&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Inspection&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scale&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Cost&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Best For&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;NAT Gateway&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Managed outbound SNAT&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;❌ None&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;⭐⭐⭐ High&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;💲 Low&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Simple, scalable egress&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Firewall&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Secure governed egress&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;✅ Full L3–L7&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;⭐⭐⭐ High&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;💲💲💲 Higher&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security boundaries&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Load Balancer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Legacy SNAT&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;❌ None&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;⭐⭐ Limited&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;💲 Low&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Legacy / transitional&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario 1: NAT Gateway&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is NAT Gateway?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Azure NAT Gateway is a fully managed, zone‑resilient, outbound‑only SNAT service. It attaches at the subnet level and automatically handles all outbound flows from that subnet using one or more static public IP addresses or prefixes.&lt;/P&gt;
&lt;P&gt;It is purpose‑built for one thing: providing predictable, scalable outbound internet access — without routing complexity or inline devices.&lt;/P&gt;
&lt;P&gt;Key flows are depicted below:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VM → NAT Gateway: Automatic SNAT (no UDR required)&lt;/LI&gt;
&lt;LI&gt;NAT Gateway → Internet: Static, deterministic public IP&lt;/LI&gt;
&lt;LI&gt;Inbound: NOT supported (outbound only)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;How it works (step by step)&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;VM initiates an outbound connection (e.g., HTTPS to an API)&lt;/LI&gt;
&lt;LI&gt;NAT Gateway intercepts the flow at the subnet boundary&lt;/LI&gt;
&lt;LI&gt;Source IP is translated to the NAT Gateway's static public IP&lt;/LI&gt;
&lt;LI&gt;The packet is forwarded to the internet&lt;/LI&gt;
&lt;LI&gt;Return traffic is automatically tracked and delivered back to the VM&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;No UDRs. No routing tables. No inline devices. &lt;STRONG&gt;It just works.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Strengths&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Massive SNAT scale&lt;/STRONG&gt; — no port exhaustion concerns at typical enterprise scale&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deterministic outbound IPs&lt;/STRONG&gt; — easy to allowlist with external services&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Zone resilient&lt;/STRONG&gt; — survives availability zone failures&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Subnet scoped&lt;/STRONG&gt; — applies to all VMs in the subnet automatically&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;No routing configuration required&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Limitations&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;❌ No traffic inspection or filtering&lt;/LI&gt;
&lt;LI&gt;❌ No FQDN or URL policy enforcement&lt;/LI&gt;
&lt;LI&gt;❌ No threat intelligence integration&lt;/LI&gt;
&lt;LI&gt;❌ Cannot restrict &lt;EM&gt;which&lt;/EM&gt; internet destinations are allowed&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Best Fit Use Cases&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;✅ Application tiers calling external SaaS APIs&lt;BR /&gt;✅ VMs requiring OS updates and patch downloads&lt;BR /&gt;✅ CI/CD build agents and pipeline runners&lt;BR /&gt;✅ Spoke VNets in hub‑and‑spoke where east‑west goes through firewall, but simple internet egress is acceptable&lt;BR /&gt;✅ Dev/test environments&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario 2: Azure Firewall&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is Azure Firewall?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Azure Firewall is a cloud‑native, stateful, L3–L7 network security service. When used for outbound egress, it transforms the egress path from a &lt;EM&gt;connectivity&lt;/EM&gt; function into a &lt;EM&gt;security enforcement boundary&lt;/EM&gt;.&lt;/P&gt;
&lt;P&gt;Unlike NAT Gateway, Azure Firewall inspects every packet, evaluates it against policy, and either allows or denies it based on network rules, application rules, and threat intelligence feeds.&lt;/P&gt;
&lt;P&gt;Key flows are depicted below:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VM → UDR: Forces ALL outbound traffic to Firewall&lt;/LI&gt;
&lt;LI&gt;Firewall: Evaluates against policy before allowing&lt;/LI&gt;
&lt;LI&gt;Firewall → Internet: Only explicitly permitted flows pass&lt;/LI&gt;
&lt;LI&gt;All denied flows: Logged and alertable&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;How it works (step by step)&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;VM initiates an outbound connection&lt;/LI&gt;
&lt;LI&gt;UDR intercepts the flow and redirects to Azure Firewall's private IP&lt;/LI&gt;
&lt;LI&gt;Azure Firewall evaluates the traffic:&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;Network rules (IP/port match)&lt;/LI&gt;
&lt;LI&gt;Application rules (FQDN/URL match)&lt;/LI&gt;
&lt;LI&gt;Threat intelligence (known malicious IPs/domains)&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI&gt;If allowed: traffic is forwarded via Firewall's public IP&lt;/LI&gt;
&lt;LI&gt;If denied: traffic is dropped and logged&lt;/LI&gt;
&lt;LI&gt;All flows (allowed and denied) are logged to Log Analytics / Sentinel&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Strengths&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;Full L3–L7 inspection&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;FQDN and URL‑based filtering&lt;/STRONG&gt; (application rules)&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;Threat intelligence integration&lt;/STRONG&gt; (Microsoft TI feed)&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;TLS inspection&lt;/STRONG&gt; (Premium SKU)&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;Centralized governance&lt;/STRONG&gt; across multiple VNets via Firewall Manager&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;Rich logging&lt;/STRONG&gt; — every allowed and denied flow is recorded&lt;/LI&gt;
&lt;LI&gt;✅ &lt;STRONG&gt;IDPS&lt;/STRONG&gt; (Intrusion Detection and Prevention) available in Premium&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Limitations&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;❌ Higher cost (hourly + data processing charges)&lt;/LI&gt;
&lt;LI&gt;❌ Requires UDR configuration on each spoke subnet&lt;/LI&gt;
&lt;LI&gt;❌ Adds latency (small but non‑zero)&lt;/LI&gt;
&lt;LI&gt;❌ Requires careful SNAT configuration at scale&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Best Fit Use Cases&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;✅ Regulated industries (financial services, healthcare, government)&lt;BR /&gt;✅ Any workload where outbound internet is a &lt;STRONG&gt;security boundary&lt;/STRONG&gt;&lt;BR /&gt;✅ Environments requiring &lt;STRONG&gt;egress allowlisting&lt;/STRONG&gt; for compliance&lt;BR /&gt;✅ Hub‑and‑spoke architectures with centralized control plane&lt;BR /&gt;✅ SOC environments needing outbound flow telemetry&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario 3: Load Balancer Outbound&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is Load Balancer Outbound?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Azure Load Balancer outbound rules were historically the primary mechanism for providing SNAT to VMs behind a Standard Load Balancer. While newer patterns (NAT Gateway, Azure Firewall) have largely replaced this approach for new designs, &lt;STRONG&gt;outbound rules remain valid in specific scenarios&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Key flows are depicted below:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VMs → Load Balancer: Backend pool members get SNAT&lt;/LI&gt;
&lt;LI&gt;LB Outbound Rules: Define port allocation per VM&lt;/LI&gt;
&lt;LI&gt;⚠️ Port exhaustion risk at scale&lt;/LI&gt;
&lt;LI&gt;⚠️ No inspection or policy enforcement&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;How it works (step by step)&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;VM in the backend pool initiates an outbound connection&lt;/LI&gt;
&lt;LI&gt;Load Balancer applies SNAT using the frontend public IP&lt;/LI&gt;
&lt;LI&gt;Ephemeral ports are allocated per VM from a fixed pool&lt;/LI&gt;
&lt;LI&gt;Return traffic is tracked and delivered back to the correct VM&lt;/LI&gt;
&lt;LI&gt;If port pool is exhausted: connections fail (SNAT exhaustion)&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Strengths&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Lower cost than NAT Gateway or Firewall&lt;/LI&gt;
&lt;LI&gt;Tightly integrated with existing load‑balanced workloads&lt;/LI&gt;
&lt;LI&gt;Familiar operational model for legacy teams&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Limitations&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;❌ SNAT port pool is fixed and must be manually managed&lt;/LI&gt;
&lt;LI&gt;❌ Risk of SNAT exhaustion at scale&lt;/LI&gt;
&lt;LI&gt;❌ No traffic inspection&lt;/LI&gt;
&lt;LI&gt;❌ Less flexible than NAT Gateway&lt;/LI&gt;
&lt;LI&gt;❌ Not recommended for new designs&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Best Fit Use Cases&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;✅ Existing architectures already built around Azure Load Balancer&lt;BR /&gt;✅ Low outbound connection volume workloads&lt;BR /&gt;✅ Transitional architectures during modernization to NAT Gateway&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Decision Framework: Choosing the Right Outbound Pattern&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Common Pitfalls to Avoid&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;⚠️ Pitfall 1: Forgetting SNAT scale limits&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Load Balancer outbound rules allocate a &lt;STRONG&gt;fixed number of ephemeral ports per VM&lt;/STRONG&gt;. At scale this exhausts quickly. Use NAT Gateway instead.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;⚠️ Pitfall 2: Over‑securing low‑risk workloads&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Not every workload needs Azure Firewall for outbound. Dev/test and patch traffic are better served by NAT Gateway — simpler, cheaper, faster.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;⚠️ Pitfall 3: Mixing outbound models in the same subnet&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;NAT Gateway and Load Balancer outbound rules &lt;STRONG&gt;cannot coexist&lt;/STRONG&gt; on the same subnet. NAT Gateway always takes precedence. Plan your subnet boundaries carefully.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;⚠️ Pitfall 4: Blocking Azure platform dependencies&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Many Azure services still use public endpoints (even when Private Link is available). Ensure your outbound policy allows required Azure service tags before enforcing egress controls.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;⚠️ Pitfall 5: Relying on platform defaults&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Default outbound access is &lt;STRONG&gt;retired for new VNets&lt;/STRONG&gt;. Do not assume VMs can reach the internet without explicit configuration.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary and Key Takeaways&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Best Choice&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Why&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Simple internet egress at scale&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;NAT Gateway&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Scalable, predictable, no complexity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security boundary for egress&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Firewall&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Inspection, FQDN rules, threat intel&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Legacy load‑balanced workloads&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Load Balancer Outbound&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Transitional only&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Regulated / compliance environments&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Firewall&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Audit logs, policy enforcement&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Dev / test / patch traffic&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;NAT Gateway&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Low cost, low friction&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;The core principle&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Private subnets make outbound access intentional. Choose the outbound pattern that matches the risk level of the workload — not the most complex option available.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;References&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;https://learn.microsoft.com/azure/nat-gateway/nat-overview&lt;/LI&gt;
&lt;LI&gt;https://learn.microsoft.com/azure/firewall/overview&lt;/LI&gt;
&lt;LI&gt;https://learn.microsoft.com/azure/load-balancer/outbound-rules&lt;/LI&gt;
&lt;LI&gt;https://azure.microsoft.com/blog/default-outbound-access-for-vms-in-azure-will-be-retired&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 23 Apr 2026 21:28:09 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/designing-outbound-connectivity-for-quot-private-subnets-quot-in/ba-p/4514258</guid>
      <dc:creator>alexeyn1</dc:creator>
      <dc:date>2026-04-23T21:28:09Z</dc:date>
    </item>
    <item>
      <title>Strengthening Identity Resilience: A Deep Dive into Microsoft Entra Backup and Recovery</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/strengthening-identity-resilience-a-deep-dive-into-microsoft/ba-p/4513401</link>
      <description>&lt;P&gt;In the modern security landscape, we often say that "Identity is the new perimeter." We spend significant resources on Conditional Access, Phishing-Resistant MFA, and Identity Protection to keep the "bad guys" out. But what happens when the threat is already inside, or when a legitimate administrative action goes sideways?&lt;/P&gt;
&lt;P&gt;If our identity data, the "brain" of our Microsoft 365 and Azure ecosystem, is corrupted or maliciously altered, our entire security posture collapses. Today, we’re exploring the new &lt;STRONG&gt;Microsoft Entra Backup and Recovery&lt;/STRONG&gt; capability, a native safety net designed to ensure our identity infrastructure remains resilient against both accidents and attacks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why Native Backup Matters&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For years, Entra ID administrators relied on the &lt;STRONG&gt;Recycle Bin&lt;/STRONG&gt; for deleted objects. However, a major gap existed: &lt;STRONG&gt;Attribute Corruption.&lt;/STRONG&gt; If a script accidentally wipes the department and manager attributes for 10,000 users, or if a malicious actor modifies our most restrictive Conditional Access policies to create a backdoor, the Recycle Bin can't help us: the objects aren't deleted; they are just &lt;EM&gt;wrong&lt;/EM&gt;. Restoring these specific states previously required complex PowerShell scripting or expensive third-party tools. Entra Backup and Recovery closes this gap by providing a native, automated way to "roll back" the state of our objects.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Core Capabilities: How it Works&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The service is currently available in Public Preview for customers with &lt;STRONG&gt;Entra ID P1 or P2 licenses&lt;/STRONG&gt;. It operates on a simple yet powerful "Snapshot" model:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Automated Daily Snapshots&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The system automatically captures a point-in-time view of our tenant every day. Currently, the service maintains a &lt;STRONG&gt;5-day retention window&lt;/STRONG&gt;. This allows us to look back at the state of our environment from yesterday or earlier in the week to find a "known good" configuration.&lt;/P&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;&lt;STRONG&gt;Visibility via Difference Reports&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;One of the most powerful features is the &lt;STRONG&gt;Difference Report&lt;/STRONG&gt;. Before committing to a restoration, we can compare a specific snapshot against the live state of our tenant. The report provides a granular view of:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Object ID:&lt;/STRONG&gt; Exactly which user, group, or policy is affected.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Attribute Changes:&lt;/STRONG&gt; A side-by-side comparison showing the "Old Value" (from the backup) versus the "Current Value" (live in the tenant).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Metadata Loading:&lt;/STRONG&gt; While the first report may take a moment to load metadata, subsequent reports are lightning-fast, allowing for quick triaging during an incident.&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;&lt;STRONG&gt;Granular Restoration&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We aren't forced into an "all or nothing" recovery. We can choose to restore:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;An entire object class (e.g., all Conditional Access Policies).&lt;/LI&gt;
&lt;LI&gt;Specific object types (e.g., only Service Principals).&lt;/LI&gt;
&lt;LI&gt;Individual Object IDs for targeted fixes.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The "Defense in Depth" Identity Strategy&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Entra Backup and Recovery is not a standalone silo; it is the third pillar of a complete identity resilience strategy. To truly harden our tenant, we must coordinate these three features:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Pillar 1: Soft Delete (The Recycle Bin)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Used for &lt;STRONG&gt;Deleted Objects&lt;/STRONG&gt;. If a user or Microsoft 365 group is deleted, it sits in the Recycle Bin for 30 days. We can restore these easily via the portal or Graph API to maintain the original Object ID and SID.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Pillar 2: Protected Actions (The Vault)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;To prevent an attacker from "hard deleting" our objects (purging them from the Recycle Bin so they can't be recovered), we must implement &lt;STRONG&gt;Protected Actions&lt;/STRONG&gt;.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;How it works:&lt;/STRONG&gt; We assign a "Conditional Access Authentication Context" to sensitive actions such as Microsoft.Directory/deletedItems/delete.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;The Result:&lt;/STRONG&gt; Even a Global Admin cannot permanently purge an object unless they meet strict requirements, such as using a &lt;STRONG&gt;Phishing-Resistant MFA&lt;/STRONG&gt; key or working from a &lt;STRONG&gt;Secure Access Workstation (SAW)&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Pillar 3: Backup and Recovery (The Time Machine)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Used for &lt;STRONG&gt;Corruption and Configuration Drift&lt;/STRONG&gt;. When the object exists but its properties are compromised, this is our "Time Machine" to revert attributes and policy logic to a functional state.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Real-World Scenario: Recovering from a Bulk Logic Error&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Imagine an admin runs a bulk update script intended to update the JobTitle for the Sales team. Due to a logic error in the CSV, the script instead clears the SecurityGroup memberships and ExtensionAttributes for the entire department.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Detection:&lt;/STRONG&gt; Users lose access to apps because their group memberships are gone.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Analysis:&lt;/STRONG&gt; The Admin generates a &lt;STRONG&gt;Difference Report&lt;/STRONG&gt; between yesterday’s snapshot and today’s live tenant state.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Validation:&lt;/STRONG&gt; The report confirms that 500 users now have "null" values for the affected attributes.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Recovery:&lt;/STRONG&gt; The Admin selects those 500 User IDs and hits &lt;STRONG&gt;Restore&lt;/STRONG&gt;. Within minutes, the attributes are repopulated, and dynamic group memberships begin to recalculate automatically.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Conclusion and Next Steps&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The preview of Microsoft Entra Backup and Recovery is a significant step forward in native tenant protection. By combining it with &lt;STRONG&gt;Protected Actions&lt;/STRONG&gt; and the &lt;STRONG&gt;Recycle Bin&lt;/STRONG&gt;, organizations can finally achieve a "circular" protection model for identity.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Ready to try it?&lt;/STRONG&gt; Navigate to the &lt;STRONG&gt;Microsoft Entra Admin Center&lt;/STRONG&gt;, look for &lt;STRONG&gt;Backup and Recovery&lt;/STRONG&gt; in the left-hand navigation, and explore your first snapshot today.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Apr 2026 14:49:07 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/strengthening-identity-resilience-a-deep-dive-into-microsoft/ba-p/4513401</guid>
      <dc:creator>Farooque</dc:creator>
      <dc:date>2026-04-21T14:49:07Z</dc:date>
    </item>
    <item>
      <title>Running multimedia AI models on Container Apps with Serverless GPU (A100 &amp; T4)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/running-multimedia-ai-models-on-container-apps-with-serverless/ba-p/4513063</link>
      <description>&lt;P&gt;A video format is available for watching.&lt;/P&gt;
&lt;div data-video-id="https://www.youtube.com/watch?v=WMYlQNLkMJQ/1776705195051" data-video-remote-vid="https://www.youtube.com/watch?v=WMYlQNLkMJQ/1776705195051" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FWMYlQNLkMJQ%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWMYlQNLkMJQ&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FWMYlQNLkMJQ%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;H4&gt;Prerequisites&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;An Azure account with sufficient permissions to create resources.&lt;/LI&gt;
&lt;LI&gt;Terraform installed on your local machine.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Infrastructure Provisioning&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;Clone the &lt;A class="lia-external-url" href="https://github.com/HoussemDellai/ai-course/tree/main/555_comfyui_on_aca" target="_blank" rel="noopener"&gt;Github repository&lt;/A&gt; and navigate to the project directory.&lt;/LI&gt;
&lt;LI&gt;Initialize Terraform and apply the configuration to provision the necessary Azure resources, including a resource group, virtual network, log analytics workspace, container app environment, storage account, and container app for downloading models.&lt;/LI&gt;
&lt;/OL&gt;
&lt;LI-CODE lang=""&gt;terraform init
terraform apply --auto-approve&lt;/LI-CODE&gt;
&lt;P&gt;The following resources will be created:&lt;/P&gt;
&lt;H4&gt;ComfyUI Deployment&lt;/H4&gt;
&lt;P&gt;The ComfyUI application is deployed as a containerized workload on Azure Container Apps. The deployment includes a job that downloads the necessary models for ComfyUI to function properly.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The&amp;nbsp;&lt;STRONG&gt;aca_job_download_models.tf&lt;/STRONG&gt;&amp;nbsp;file defines a job that runs a container with the necessary commands to download the models for ComfyUI. The job is configured to run on the Consumption workload profile and has a timeout of 1200 seconds.&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;The&amp;nbsp;&lt;STRONG&gt;download-models-comfyui.sh&lt;/STRONG&gt;&amp;nbsp;script contains the commands to download the models from Hugging Face and save them to the appropriate directory in the ComfyUI application.&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H4&gt;Monitoring and Analytics&lt;/H4&gt;
&lt;P&gt;The Azure Log Analytics workspace is set up to collect logs and metrics from the container app environment. You can use Azure Monitor to view and analyze the logs and metrics for your ComfyUI deployment.&lt;/P&gt;
&lt;P&gt;To view the properties and the usage of the GPU behind Container Apps, the command &lt;STRONG&gt;nvidia-smi&lt;/STRONG&gt; is helpful.&lt;/P&gt;
&lt;H4&gt;Start using ComfyUI&lt;/H4&gt;
&lt;P&gt;Now that ComfyUI is provisioned, reachable on the FQDN exposed by Container Apps, and the models are downloaded, you can run the Text to Image workflow in ComfyUI. You can also change parameters such as the prompt as needed.&lt;/P&gt;
&lt;P&gt;When ready, click the blue Run button at the top right to start generating the image. This takes some time depending on the size of the image and the complexity of the prompt; the generated image then appears in the output node.&lt;/P&gt;
&lt;H4&gt;Using ComfyUI for Text to Video&lt;/H4&gt;
&lt;P&gt;To use ComfyUI for&amp;nbsp;&lt;STRONG&gt;Text to Video&lt;/STRONG&gt;&amp;nbsp;generation, you can select a Text to Video template from the Workflows section. Choose&amp;nbsp;&lt;STRONG&gt;Wan 2.2 Text to Video&lt;/STRONG&gt; as an example. This will open the workflow to generate a video based on a text input.&lt;/P&gt;
&lt;H4&gt;Important Notes&lt;/H4&gt;
&lt;P&gt;The storage account key is required to create the storage link in your Container Apps environment, because Container Apps does not support identity-based access to Azure file shares. For that, it is mandatory to disable &lt;STRONG&gt;Secure Transfer&lt;/STRONG&gt; at the Storage Account (&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/container-apps/storage-mounts-azure-files?tabs=bash#set-up-a-storage-account" target="_blank" rel="noopener"&gt;more details&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;Because of an issue with the Terraform provider, it won't create the Serverless GPU (A100 &amp;amp; T4) workload profiles. You will need to create them manually in the Azure Portal after running&amp;nbsp;&lt;STRONG&gt;terraform apply&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Azure Files supports both&amp;nbsp;&lt;STRONG&gt;SMB&lt;/STRONG&gt;&amp;nbsp;and&amp;nbsp;&lt;STRONG&gt;NFS&lt;/STRONG&gt;. Container Apps also supports both.&lt;/P&gt;
&lt;P&gt;To mount NFS Azure Files, you must use a Container Apps environment with a custom VNet. The Storage account must be configured to allow access from the VNet using either a&amp;nbsp;&lt;STRONG&gt;Service Endpoint&lt;/STRONG&gt; or a &lt;STRONG&gt;Private Endpoint&lt;/STRONG&gt; (&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/container-apps/storage-mounts?tabs=nfs&amp;amp;pivots=azure-resource-manager#configuration-1" target="_blank" rel="noopener"&gt;more details&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;The NFS protocol can only be used from a machine inside a virtual network, which is why we use a Private Endpoint.&lt;/P&gt;
&lt;P&gt;🔍&lt;STRONG&gt; SMB vs NFS — What’s the Difference?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;SMB (Server Message Block) and NFS (Network File System) are two protocols used to provide shared file storage over a network.&lt;/P&gt;
&lt;P&gt;They serve similar purposes but have different strengths, performance characteristics, and typical use cases. NFS is native for Linux.&lt;/P&gt;
&lt;H4&gt;Consumption profile details&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100%; height: 186.117px; border-width: 1px;"&gt;&lt;colgroup&gt;&lt;col style="width: 27.4209%" /&gt;&lt;col style="width: 12.5988%" /&gt;&lt;col style="width: 12.4135%" /&gt;&lt;col style="width: 12.9689%" /&gt;&lt;col style="width: 34.5546%" /&gt;&lt;/colgroup&gt;&lt;tbody&gt;&lt;tr style="height: 34.5333px;"&gt;&lt;td style="height: 34.5333px;"&gt;Profile names&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;vCPU range&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;Memory range&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;GPU type&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;Regions&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 34.5333px;"&gt;&lt;td style="height: 34.5333px;"&gt;Consumption&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;0.25 - 4&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;0.5 - 8 GB&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;N/A&lt;/td&gt;&lt;td style="height: 34.5333px;"&gt;All supported regions&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 58.525px;"&gt;&lt;td style="height: 58.525px;"&gt;Consumption-GPU-NC8as-T4&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;0.25 - 8&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;0.5 - 56 GB&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;NVIDIA T4&lt;/td&gt;&lt;td rowspan="2" style="height: 117.05px;"&gt;To see a full list of available regions, see&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/container-apps/gpu-serverless-overview#supported-regions" target="_blank" rel="noopener" data-href="https://learn.microsoft.com/en-us/azure/container-apps/gpu-serverless-overview#supported-regions"&gt;serverless GPU supported regions&lt;/A&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 58.525px;"&gt;&lt;td style="height: 58.525px;"&gt;Consumption-GPU-NC24-A100&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;0.25 - 24&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;0.5 - 220 GiB&lt;/td&gt;&lt;td style="height: 58.525px;"&gt;NVIDIA A100&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;In Serverless GPU profiles, the GPU cost is in addition to the active usage vCPU and RAM prices for your Container App. You pay for the entire GPU cost, even if your Container App only uses a fraction of the GPU's resources. But, for CPU and Memory, you only pay for the resources your Container App actually reserves. To reduce cost, it is very important to right-size the vCPU and Memory for your Container App when using Serverless GPU profiles. You can use Azure Monitor to track the actual resource usage of your Container App and adjust the vCPU and Memory accordingly.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;To get the supported profiles for a specific region, you can use the Azure CLI command:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;az containerapp env workload-profile list-supported --location swedencentral -o table
# Location       Name
# -------------  -------------------------
# swedencentral  D4
# swedencentral  D8
# swedencentral  D16
# swedencentral  D32
# swedencentral  E4
# swedencentral  E8
# swedencentral  E16
# swedencentral  E32
# swedencentral  Consumption
# swedencentral  Flex
# swedencentral  Consumption-GPU-NC24-A100
# swedencentral  Consumption-GPU-NC8as-T4&lt;/LI-CODE&gt;
&lt;P&gt;Here is the vCPU, Memory and GPU consumption for the NC A100 v4 and NC T4 v3 Serverless GPU profiles with ComfyUI when running typical workloads.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can notice that ComfyUI doesn't consume the entire compute power in terms of vCPU and Memory. That is why in Terraform the resource request is specified as less than what the VM offers, which reduces the cost.&lt;/P&gt;
&lt;H5&gt;Disclaimer&lt;/H5&gt;
&lt;P&gt;The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Apr 2026 17:14:39 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/running-multimedia-ai-models-on-container-apps-with-serverless/ba-p/4513063</guid>
      <dc:creator>HoussemDellai</dc:creator>
      <dc:date>2026-04-20T17:14:39Z</dc:date>
    </item>
    <item>
      <title>Maintaining Azure Public IP Inventory by Retrieving Exact Deleted Public IP Using Activity Logs</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/maintaining-azure-public-ip-inventory-by-retrieving-exact/ba-p/4512403</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Activity Logs provide strong visibility into resource lifecycle operations across a subscription. Among these are lifecycle events related to &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Public IP addresses&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, including creation and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;deletion&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;However, when a Public IP address is&amp;nbsp;deleted, the corresponding delete operation in Azure Activity Logs includes&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;only the Resource ID&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;of the Public IP — not the actual IP address that was assigned to the resource.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Once deletion is complete:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The Public IP resource no longer exists&lt;/LI&gt;
&lt;LI&gt;The Resource ID cannot be resolved&lt;/LI&gt;
&lt;LI&gt;The assigned Public IP address is permanently unretrievable through Azure APIs&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For organisations that rely on&amp;nbsp;accurate&amp;nbsp;IP inventory data for:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Security monitoring&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Compliance audits&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Incident response&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Network forensics&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This blog presents a&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;production&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;ready&amp;nbsp;implementation approach&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that enables organisations to reliably capture and&amp;nbsp;retain&amp;nbsp;the assigned Public IP address of Azure Public IP resources — even after they are&amp;nbsp;deleted&amp;nbsp;— using Azure Activity Log alerts, Azure Automation, and a persistent resource mapping cache.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;The Core Challenge&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When a Public IP resource is&amp;nbsp;deleted, Azure emits an Activity Log event&amp;nbsp;like:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;---&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;OperationName:&amp;nbsp;Microsoft.Network/publicIPAddresses/delete&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ResourceId:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;/subscriptions/&amp;lt;subscription-id&amp;gt;/resourceGroups/&amp;lt;rg-name&amp;gt;/providers/Microsoft.Network/publicIPAddresses/&amp;lt;pip-name&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;---&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The alert correctly&amp;nbsp;identifies&amp;nbsp;the operation and the affected resource.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;However:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;The Activity Log does not include the assigned Public IP address.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;After deletion, the associated Resource ID no longer resolves to a live Azure resource.&lt;/SPAN&gt; &amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Maintaining Accurate IP Inventory&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Enterprises rely on centralised Public IP inventories mapped to workloads and ownership. Since delete Activity Log events emit the Resource ID,&amp;nbsp;&lt;/SPAN&gt;inventory systems require the exact Public IP address associated with the deleted resource.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Preventing False Security Investigations&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Public IP addresses are globally reused. If a deleted IP&amp;nbsp;remains&amp;nbsp;recorded as owned internally, it may later be assigned to another tenant. This can lead to threat intelligence alerts and internal investigations against an IP address no longer under organisational ownership.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Supporting&amp;nbsp;High&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;Churn&amp;nbsp;Dynamic Workloads&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:true,&amp;quot;134233118&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Ephemeral workloads such as Azure Machine Learning, CI/CD pipelines, and autoscaling deployments frequently create and delete Public IPs. In such environments, manual lifecycle tracking of assigned IP addresses is not operationally feasible.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Solution Overview&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The recommended approach is based on the following principle:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Capture and persist the assigned Public IP address&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;while the resource still&amp;nbsp;exists&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;retrieve the stored value later when only the Resource ID is available.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This can be implemented using:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Azure Activity Logs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Log Analytics alerts&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Azure Automation Runbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Persistent mapping cache of Resource ID to IP address&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The solution comprises four primary components:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Azure Activity Logs routed to Log Analytics&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Log Analytics alert rules detecting Public IP lifecycle operations&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Azure Automation Runbooks triggered through webhook actions&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Persistent cache storing Resource ID → IP address mappings&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Implementation Guide&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240,&amp;quot;335572079&amp;quot;:6,&amp;quot;335572080&amp;quot;:1,&amp;quot;335572081&amp;quot;:4278190080,&amp;quot;469789806&amp;quot;:&amp;quot;single&amp;quot;}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 1&lt;/STRONG&gt;: Route Activity Logs to Log Analytics&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Public IP lifecycle events are published through the Azure Activity Log under the Administrative category.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To enable lifecycle detection through KQL queries:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; &amp;nbsp;&lt;/SPAN&gt;Azure Monitor → Activity Log → Diagnostic Settings&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240,&amp;quot;469777462&amp;quot;:[720],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[0]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; &amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Add Diagnostic Setting&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240,&amp;quot;469777462&amp;quot;:[720],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[0]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="%1." data-font="" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:0,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[65533,0],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;%1.&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Configure the following:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Category: Administrative&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Destination: Send to Log Analytics Workspace&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; 4.Select your target Log Analytics Workspace.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; 5.Click Save.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This allows lifecycle operations to be queried by alert rules from Log Analytics.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 2&lt;/STRONG&gt;: Deploy an Azure Automation Account&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Automation&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;will be used to execute runbooks that process Activity Log alerts and resolve Public IP address details during resource lifecycle operations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To begin:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;In the search bar, search for&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Automation Accounts&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select &lt;STRONG&gt;Create&lt;/STRONG&gt;, provide the following details and select "&lt;STRONG&gt;Review + Create&lt;/STRONG&gt;" to complete the deployment.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Subscription&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Resource Group&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Automation Account Name&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Region&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Once the Automation Account has been created:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Automation Account&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Identity&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;under the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Account Settings&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;section.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Enable&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;System&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;assigned&amp;nbsp;Managed Identity&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Save&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt; &amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This Managed Identity will later be used by the runbooks to securely retrieve Public IP metadata from Azure Resource Manager during alert execution.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 3&lt;/STRONG&gt;: Assign Managed Identity Permissions&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The Automation Account&amp;nbsp;requires&amp;nbsp;read&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;only&amp;nbsp;permissions to resolve Public IP resource information securely.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Subscription → Access Control (IAM) → Add Role Assignment&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Assign the following roles to the Automation Account Managed Identity:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Role&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Scope&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Reader&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Subscription&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Reader&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Log Analytics Workspace&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This ensures the runbooks&amp;nbsp;are able to:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Query Public IP resources&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Resolve resource metadata&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Interpret Activity Log–driven lifecycle operations&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 4&lt;/STRONG&gt;: Create a Persistent Cache Variable&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The assigned IP address must be captured and persisted in advance before it is deleted.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; &amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;To&amp;nbsp;maintain&amp;nbsp;this mapping, create a persistent Automation variable to store the following relationship:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Public IP Resource ID → Assigned IP Address&lt;/SPAN&gt; &lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Within the Automation Account:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to: Shared Resources → Variables&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select + Add.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Configure the variable as follows:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Name:&amp;nbsp;PipLastKnownIps&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Type: String&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Value: {}&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Encryption: Disabled&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;4.Select Create.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;This variable will act as a persistent cache that is dynamically updated during Public IP lifecycle events.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 5&lt;/STRONG&gt;: Create Required Automation Runbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Two Azure Automation Runbooks are&amp;nbsp;required&amp;nbsp;for this implementation.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Runbook Name&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Purpose&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;CacheSeedingRunbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Builds initial Resource ID → IP mapping&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;MainLifecycleRunbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Processes Activity Log alerts&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 5.1:&lt;/STRONG&gt; Create Cache Seeding Runbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Create Cache Seeding Runbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This runbook will&amp;nbsp;enumerate&amp;nbsp;all currently existing Public IP resources and populate the cache variable with their assigned IP address mappings.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Automation Account → Runbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Create a runbook&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Provide the following details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;CacheSeedingRunbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Runbook Type:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;PowerShell&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Runtime Version:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;7.2&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; 4. After the runbook is created, paste the script here &lt;/SPAN&gt;&lt;A href="https://github.com/AswiniSurendran/Exact_IPAddress_Tracking_from_Activity_logs-/blob/main/CacheSeedingRunbook" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;CacheSeedingRunbook&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Publish&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;This runbook will initialise the cache by capturing the current state of all Public IP resources prior to enabling&amp;nbsp;lifecycle&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;based&amp;nbsp;Activity Log processing.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 5.2:&lt;/STRONG&gt; Create Main Lifecycle Runbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This runbook will be triggered via webhook whenever a Public IP lifecycle event is detected through Activity Logs.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Automation Account → Runbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Create a runbook&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Provide the following details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;MainLifecycleRunbook&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Runbook Type:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;PowerShell&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Runtime Version:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;7.2&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;4. After the runbook is created, paste the lifecycle processing script from &lt;/SPAN&gt;&lt;A href="https://github.com/AswiniSurendran/Exact_IPAddress_Tracking_from_Activity_logs-/blob/main/MainLifecycleRunbook" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;MainLifecycleRunbook&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;5. Select Publish once configuration is complete.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This runbook will process Activity&amp;nbsp;Log&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;based&amp;nbsp;lifecycle events and dynamically update the&amp;nbsp;PipLastKnownIps&amp;nbsp;cache variable in response to Public IP creation or deletion.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 6:&lt;/STRONG&gt; Create Runbook Webhook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Configure Runbook Webhook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To allow Activity Log alerts to invoke the runbook:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to: Automation Account → Runbooks →&amp;nbsp;MainLifecycleRunbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to: Resources → Webhooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select Add Webhook.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Provide the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Webhook Name&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Expiration Date&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;5. Copy the generated Webhook URL.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This URL will be used by the Alert Action Group in a later step to trigger the runbook upon detection of Public IP lifecycle events.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 7&lt;/STRONG&gt;: Seed Cache with Existing Public IPs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Before activating the&amp;nbsp;alert&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;driven&amp;nbsp;workflow, populate the cache with currently active Public IP resources.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="%1." data-font="" data-listid="26" data-list-defn-props="{&amp;quot;335552541&amp;quot;:0,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[65533,0],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;%1.&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&lt;/SPAN&gt; CacheSeedingRunbook&amp;nbsp;→ Start, and run the job once.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This will initialise the&amp;nbsp;PipLastKnownIps&amp;nbsp;mapping with all existing Public IP resources.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; &amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Future lifecycle events will update this cache dynamically.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 8&lt;/STRONG&gt;:&amp;nbsp;Create Activity Log Alert Rule&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to: Azure Monitor → Alerts → Create Alert Rule&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Scope the alert rule to the relevant Log Analytics Workspace.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Under&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Condition&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Select: Custom Log Search&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Use the KQL query available here:&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://github.com/AswiniSurendran/Exact_IPAddress_Tracking_from_Activity_logs-/blob/main/query.json" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;query.json&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Configure the following parameters as&amp;nbsp;required:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Evaluation Frequency&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Query Time Range&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This alert rule will detect Public IP lifecycle events and trigger the associated Action Group for downstream runbook execution.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Please find the configuration in the attached screenshot below:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 9&lt;/STRONG&gt;: Configure Action Group to Trigger Runbook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Create an&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Action Group&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that invokes the Lifecycle Runbook webhook.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Add a new action.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Configure the action with the following details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;Action Type:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Webhook&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;Paste the previously generated&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Runbook Webhook URL&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;3.Enable: &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Use Common Alert Schema&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;(Optional)&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-contrast="auto"&gt;Add an&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Email Notification&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;action to receive lifecycle alerts for troubleshooting or monitoring purposes.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;4. Attach this &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Action Group&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;to the alert rule.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Step 10&lt;/STRONG&gt;:&amp;nbsp;Validate&amp;nbsp;the Implementation&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To&amp;nbsp;validate:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Create a Public IP resource.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Delete the same resource.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Navigate to:&lt;/SPAN&gt; Automation Account → Jobs →&amp;nbsp;MainLifecycleRunbook&lt;SPAN style="color: rgb(30, 30, 30);" data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240,&amp;quot;469777462&amp;quot;:[720],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[0]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Observe the runbook execution&amp;nbsp;output&amp;nbsp;related to:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Public IP creation&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Public IP deletion&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Although the&amp;nbsp;delete&amp;nbsp;alert&amp;nbsp;contains&amp;nbsp;only the Resource ID, the runbook retrieves the exact assigned Public IP address from the cache.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;See the sample output below:&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;You can extend this workflow using Azure Logic Apps to forward events to &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Email&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; , &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;SIEM platforms&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt; or&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;CMDB systems.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;By tracking Public IP deletions using Activity Logs and proactively capturing and persisting Resource ID‑to‑IP mappings through Automation‑driven lifecycle alerts, organisations can maintain an accurate Public IP inventory. This ensures traceability, reduces false‑positive security investigations, and strengthens audit and incident response readiness.&lt;/P&gt;</description>
      <pubDate>Fri, 17 Apr 2026 12:10:31 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/maintaining-azure-public-ip-inventory-by-retrieving-exact/ba-p/4512403</guid>
      <dc:creator>AswiniSurendran</dc:creator>
      <dc:date>2026-04-17T12:10:31Z</dc:date>
    </item>
  </channel>
</rss>

