rss.livelink.threads-in-node

Closing the loop on container security: From code to runtime in the AI era

mahersko — Tue, 16 Jun 2026 23:15:21 GMT

Containers are the backbone of modern cloud-native apps — and increasingly, the infrastructure powering AI, from AI assistants to a new wave of intelligent agents. They also blur the line between build, deploy, and runtime: a single code change can become a running workload in minutes. A misconfiguration committed in the morning can be deployed in minutes and exploited before noon. At that speed, container security can no longer be a point-in-time check, it has to work as one continuous loop.

The numbers back this up. For the first time, 31% of breaches now begin with an attacker exploiting a software vulnerability — overtaking stolen credentials as the most common way in — and 15% of attack techniques are now accelerated by generative AI, with adversaries using it to find gaps and write malware faster at every stage.

Source: Verizon 2026 Data Breach Investigations Report (incidents Nov 2024–Oct 2025).

Over the last few quarters, Microsoft Defender for Cloud has been evolving to offer you this continuous security, end to end. Explore container security’s new capabilities across posture, shift-left, runtime, multicloud coverage, and operations. Collectively they form a more comprehensive approach to container security — one that offers security right during developing a code to a running pod across Azure, AWS, and GCP.

There is a second reason why container security matters more in 2026: containers are increasingly where AI runs. Many AI workloads — from model-serving APIs to retrieval systems and intelligent agents — now live as pods on AKS, EKS, and GKE (the managed Kubernetes services from Azure, AWS, and Google), often connected to some of an organization’s most sensitive models and data. As those crown jewels move into the cluster, the same posture, code‑to‑runtime, and runtime protections described in this post extend to AI workloads. The contest is increasingly AI against AI: attackers use it to find and reach the cluster faster, while defenders use it to push back — surfacing the risks that matter most and turning runtime findings into AI‑assisted code fixes.

One platform, code to runtime

A container finding is not treated as an isolated issue; it is connected to the identity it runs under, the registry and code repository it came from, and the cluster where it is running - all unified under one Microsoft Defender platform.

Container posture and shift-left security are now redesigned for least vulnerabilities in production

Conventional container security posture offered challenges to scale: a single grouped recommendation could stack thousands of findings under one bucket, making ownership, exemptions, and risk scoring too coarse to act on. That experience is now evolved. We have rebuilt the experience so that each finding is its own recommendation — per software, per image, per container. If two CVEs in the same image belong to two different teams, they can now be triaged, exempted, and reported separately. The grouped recommendations are deprecated and will be removed on July 30, 2026, We suggest updating any automation, export rules, and ServiceNow integrations to target the new per-finding recommendations before that date.

That per-finding precision becomes even more powerful once you connect each finding to its source code and to the runtime resources it impacts. Defender for Cloud — part of Microsoft Defender suite — connects this code-to-runtime chain end-to-end. For example, an image built through Azure DevOps or GitHub, pushed to ACR, ECR, Google Artifact Registry, Docker Hub, or JFrog, and pulled by AKS, EKS, or GKE is one continuous evidence chain — traceable from a running container back to the pull request (PR) and line of code that introduced the risk. With GitHub Advanced Security integrated (GA), secrets, code, and dependency findings join the same attack story. The developer-first Defender for Cloud CLI runs the same scanner locally or in any CI/CD pipeline, with consistent exit codes for gating.

The Code-to-Runtime “Development phases” diagram: one continuous Code → Build → Ship → Runtime evidence chain, with a one-click path to open a GitHub issue.

In this diagram, you can see how we have embedded container security at every stage of the software development lifecycle (SDLC), not just the endpoints. At Code, GitHub Advanced Security and the Defender for Cloud CLI catch secrets, vulnerable dependencies, and insecure code before commit. At Build, the same scanner runs as a CI/CD gate — in GitHub Actions, Azure DevOps, Jenkins, or Bitbucket — failing the pipeline on critical findings. At Ship, registry scanning and Gated Deployment block risky or misconfigured images at the cluster door. And at Runtime, the sensor enforces anti-malware and binary-drift policy on the live workload. No stage is left as a blind spot, and a finding can be traced forward to the running pod or backward to the developer who introduced it.

Visibility without enforcement only creates backlog. Gated Deployment — a Kubernetes admission controller — uses the same vulnerability signal, you trust, to block risky images at the cluster level. It supports phased rollout (audit, then deny), targets rules by cluster, namespace, pod, image, or label, and runs across AKS (including AKS Automatic), EKS, and GKE. A newer extension gates on Kubernetes misconfigurations too. Posture practitioners also get KSPM at container granularity — Kubernetes security posture management, available through both Defender for Containers and Defender CSPM — and, on Azure, a new actionable recommendation, Upgrade Azure Kubernetes Service Version (preview), that helps you remediate vulnerabilities in AKS-managed system pods.

Misconfiguration gating rules in Defender for Cloud — block risky deployment before they reach production.

Coverage that matches containers’ evolution

Historically, many container security programs concentrated on managed Kubernetes clusters in AKS, EKS, and GKE. The 2026 reality is broader: a growing share of production runs on serverless container platforms that abstract the cluster away, many sensitive workloads sit behind private, network-isolated clusters, and platform teams increasingly standardize on hardened or distroless base images. The surfaces that were blind spots are now part of the same posture graph as everything else.

Serverless compute posture is now generally available across AWS Lambda, Azure Functions, and Web Apps, while Serverless containers posture (preview) takes the same idea to Azure Container Apps, ACI, and AWS Fargate. Together, they bring more of today’s cloud-native production footprint into the same posture graph.

Coverage also improves where platform teams are standardizing on locked-down environments. The long-standing gap around private EKS and GKE clusters is closed, bringing some of the hardest-to-reach environments into the same security model. Scanning now works on hardened images from Docker Hardened or Minimus, and runtime protection supports BottleRocket on EKS — with the full feature set also available in Azure Government, which matters for teams running regulated workloads.

Runtime threat protection that prevents, not just detects

Posture closes the door on attackers; runtime threat protection guards the room if they still succeed. The key shift is that the Defender for Containers sensor now adds prevention on top of detection. The goal is simple: stop malicious code before it runs. Anti-malware detection and prevention (GA) scans container workloads and Kubernetes nodes and, based on the policies you define, blocks malicious execution instead of only alerting. Those alerts then flow into Microsoft Defender XDR’s unified incident model.

The second is binary drift detection and prevention (preview). Containers are meant to be immutable. When a process starts from a binary that was not part of the original image, that is drift — and one of the highest-signal indicators of compromise in cloud-native workloads. Defender detects drifts and, with policy enabled, can now also block the drifted process before it executes.

Anti-malware and Drift policies can be scoped by cloud, cluster, namespace, image, or label, with allow-lists for legitimate cases.

Anti-malware policies can alert, block, or ignore — scoped to clusters, namespaces, pods, labels, or images.

Rounding out runtime protection, DNS-based threat detection (GA) catches command-and-control beaconing, DGA traffic, and exfiltration over DNS.

A unified approach to container security

Step back, and the bigger picture is simple. The same platform that secured your VMs and identities now extends across AKS, EKS, GKE, private clusters, serverless containers, and serverless compute. The same Code-to-Runtime chain that once tied Infrastructure as Code (IaC) findings to running infrastructure now connects Dockerfile commits — through CI/CD and any major registry — to the running pod. Admission control turns posture findings into prevention at deploy time, and runtime protection actively blocks. That is a continuous container security loop living inside Microsoft Defender — not a checklist bolted onto Kubernetes. And it rebalances the fight: as attackers use AI to find and exploit gaps faster, the durable answer is security teams using AI of their own — protecting and triaging at machine speed.

If you’ve already enabled container security with Microsoft, the clearest next step is to strengthen the core lifecycle stages first:

Code + build: connect GitHub Advanced Security and integrate the Defender for Cloud CLI into your pipelines so findings are caught early and CI/CD gates can fail builds before an image is pushed.
Ship: stand up Gated Deployment in audit mode on a non-production cluster, tune it, then flip to deny; extend it to Kubernetes misconfigurations.
Run: enable the Defender for Containers sensor, extend it to private EKS and GKE clusters, then tune anti-malware and binary-drift rules in Block mode — starting with your crown-jewel namespaces.
Extend protection: turn on serverless compute posture for Lambda, Functions, and Web Apps, and enable serverless container posture for Container Apps, ACI, or Fargate.

Triage vulnerabilities with the Vulnerability Remediation Agent, now in public preview

Intune_Support_Team — Tue, 16 Jun 2026 21:27:48 GMT

As automation and AI accelerate the pace of vulnerability discovery, the window between disclosure and exploitation continues to shrink. For IT and security teams, the challenge is no longer just finding vulnerabilities - it's prioritizing the ones that matter and acting on them before they can be exploited. To help organizations close that gap, we're pleased to announce that the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune is now in public preview and rolling out to all customers.

Following a successful limited preview, the agent is now broadly available. This release brings agentic vulnerability remediation out of an early-access cohort and into the hands of every eligible organization - an important step in our continued investment in helping admins reduce exposure faster and with greater confidence. View eligibility prerequisites here.

How the agent helps you identify and triage vulnerabilities

The Vulnerability Remediation Agent uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) across your Intune-managed Windows devices and apps, then prioritizes them for remediation. Rather than leaving admins to sift through lengthy CVE lists with little context, the agent surfaces a prioritized set of recommendations directly in the Intune admin center - accessible from both the Agents and Endpoint security pages.

When the agent runs, it evaluates vulnerability data and ranks threats based on factors such as CVSS scores, exposure impact, and affected device count, so the most critical issues rise to the top. Drilling into any suggestion provides:

The count of associated CVEs
A Copilot-assisted summarized impact analysis
Suggested actions and affected systems
Exposed devices and potential impact
Step-by-step guidance for remediating the threat using Intune

After acting on a recommendation, admins can mark it as applied, allowing the agent to retain a record for tracking remediation actions over time. The result is a meaningful reduction in the time it takes to investigate, prioritize, and remediate - strengthening overall security posture.

Introducing agentic identity for the Vulnerability Remediation Agent

With this release, the agent now operates under Microsoft Entra agentic identity - a meaningful advancement in how autonomous agents are governed and secured.

What it is. Agentic identity is a specialized identity in Microsoft Entra ID that allows the agent to operate securely and independently. During setup, the agent provisions a dedicated agentic identity and a corresponding agentic user in your tenant's Microsoft Entra directory. The agent then runs under the permissions delegated to that agentic user rather than under a human user account.

Why it matters. Agentic identity decouples the agent from any one person, ensuring its behavior is strictly bound to the permissions and scope you delegate to it. This delivers clearer accountability, a cleaner audit trail, and enterprise-grade governance for autonomous operations.

How it helps. Admins remain firmly in control. After setup, delegate the required read permissions to the agentic user in the Microsoft Intune and Microsoft Defender admin centers, then use the built-in Readiness Check to confirm everything is configured correctly before the agent runs.

Learn more in Agent identity.

Getting started: Connect → Enable → Run → Remediate → Track

One of the design goals behind the Vulnerability Remediation Agent is to make agentic security approachable, not complex. Rather than stitching together signals across multiple tools and admin centers, the agent guides admins through a clear, repeatable flow - from connecting your data to tracking measurable improvement over time.

Connect — bring Defender and Intune data together. The agent draws on Microsoft Defender Vulnerability Management for CVE intelligence and Microsoft Intune for device and configuration context. With the required Microsoft Defender and Microsoft Intune plugins in place, your vulnerability and management signals work as one. Learn more on what is needed to connect the experience.
Enable — turn on the agent. From the Agents node in the Microsoft Intune admin center, set up the agent in a few guided steps. During setup, the agent provisions its Microsoft Entra agentic identity and surfaces the permissions and plugins it needs, so you know exactly what to delegate before the first run.
Run — let automated prioritization do the heavy lifting. Once permissions are delegated and the Run Readiness Check passes, you can configure the agent to run on demand or schedule it to run automatically in the background on a cadence you define; scheduling is a unique capability that helps teams stay ahead of emerging risks without requiring constant manual intervention. Each run analyzes your environment and produces a prioritized list of recommendations ranked by CVSS score, exposure impact, and affected device count so the most critical risks rise to the top automatically.
Remediate — act with guided, Intune-ready actions. Each recommendation includes a Copilot-assisted impact summary, exposed devices, and step-by-step guidance for remediating the threat using Intune. Admins move directly from insight to action, without leaving the admin center.
Track — measure improvement over time. Recommendations can be marked as applied, and the agent retains a record of your remediation actions.

The outcome is a streamlined operating model: connect once, enable with confidence, and let the agent drive a continuous cycle of prioritization, remediation, and view progress. For full prerequisites, licensing, plugin, and role requirements, see Vulnerability Remediation Agent overview and set up.

The Vulnerability Remediation Agent represents a meaningful step toward a more proactive, AI-assisted security posture, one where admins spend less time sifting through CVE lists and more time acting on what matters most. We invite you to try the public preview today, connect your Defender and Intune data, and experience how agentic remediation can help your team stay ahead of emerging threats. As always, we'd love to hear your feedback as we continue investing in making security in Intune faster, smarter, and more accessible. Share your tips and lessons learned in the comments below or reach out to us on X @IntuneSuppTeam.

Azure Arc Server May 2026 Forum

Aurnov_Chattopadhyay — Tue, 16 Jun 2026 20:47:16 GMT

Please find the recording for the monthly Azure Arc Server Forum on YouTube!

During the May 2026 Azure Arc Server Forum, we discussed:

Private Preview of Windows Server 2016 Extended Security Updates (ESUs): Customers with Windows Server 2016 Servers with an NDA and willingness to provide feedback can sign up at https://aka.ms/WS2016ESU-PrivatePreview
Special Announcement: Windows Server Hotpatch enabled by Azure Arc is now available at no additional cost for Windows Server 2025 machines connected to Azure Arc
Feedback opportunity to product group on Azure Arc + RDP Capability: Customers can sign up at https://aka.ms/arc-rdp

To sign up for the Azure Arc Server Forum and newsletter, please register with contact details at https://aka.ms/arcserverforumsignup/.

For the latest agent release notes, check out What's new with Azure Connected Machine agent - Azure Arc | Microsoft Learn.

Our June 2026 forum will be held on Thursday, June 18 at 9:30 AM PST / 12:30 PM EST. We look forward to you joining us, thank you!

Learn along with your community peers!

EmilyHove — Tue, 16 Jun 2026 20:39:05 GMT

Join Host Heather Cook for our Monthly Microsoft Global Community Initiative (#MGCI) General session – and we'd love for you to join the conversation! All are welcome!

Agenda:

MGCI Program updates
Subcommittee updates from MGCI Board Members
Topic: CollabDays Poland Community Spotlight

Host: Heather Cook, Principal PM, Microsoft Customer Advocacy Group, Microsoft

Guest Speaker: Michal Ziemba, Senior Software Architect, Capgemini and MGCI Regional Lead

What does it actually take to turn a local event into a community people show up for and come back to?

In this Community Spotlight, Heather Cook sits down with Michal Ziemba to unpack the energy behind CollabDays Poland, not just the logistics, but the mindset. From rallying organizers and speakers to creating a space that feels genuinely owned by the community, this session explores how momentum is built, not manufactured.

Expect a candid look at the decisions, trade-offs, and moments that shaped the event, from early traction to sustained impact. This isn’t about a “perfect playbook,” it’s about what happens when organizers lean into what their community actually needs and build from there.

If you’re thinking about how to make your event feel less like a schedule and more like a shared experience, this conversation will give you a fresh lens to start from.

📅 July 14⏰ 8:10 AM PT

https://aka.ms/MGCIMtgAM

Bring your ideas too! Let’s share, learn, and capture best practices for producing events.

Learn about the Microsoft Global Community Initiative: https://aka.ms/MGCI

Post-event all meetings are available on demand.

Microsoft Community Learning YouTube channel: https://aka.ms/community/learning

Differentiate yourself for the AI era—earn your Frontier Transformation Engineer badge

JillArmourMicrosoft — Tue, 16 Jun 2026 20:00:14 GMT

Each session of the Frontier Transformation Engineer Summit is designed for you to build the skills to advance your Frontier Engineering journey and accelerate progress toward earning your Frontier Transformation Engineer badge.

With this badge, you can validate that you have the expertise to deliver agentic AI solutions at the hypervelocity that customers expect, with the breadth of the Microsoft technology stack to support you.

Here’s how you can keep building your AI capability:

View the summit sessions on demand.

Work toward earning the Frontier Transformation Engineer badge.

Join us at MCAPS Start for Partners on July 22 to refresh your go-to-market approach for the next year.

Bug fixes in Microsoft Access - Preview Version 2606 (Build 16.0.20131)

lindalu-MSFT — Tue, 16 Jun 2026 18:08:07 GMT

Bug Name	Issue Fixed
German keyboard: AltGr key combinations triggered zoom shortcuts instead of typing characters	On German and other keyboard layouts that use AltGr for common characters (such as ~, }, and others), pressing AltGr+key combinations triggered the zoom keyboard shortcuts instead of inserting the expected character. These keyboard layouts now correctly distinguish AltGr from Ctrl+Alt so that character input works as expected.
Zoom was disabled for all ACCDE and MDE files	The new zoom feature was incorrectly disabled for ACCDE and MDE files. Zoom now works correctly in these file types.
Default zoom value in Access Options validated per-keystroke	When entering a custom default zoom percentage in the Access Options dialog, the field validated the value after every keystroke, which blocked multi-digit entry (e.g., typing "15" triggered a validation error after "1"). The field now validates on commit rather than per-keystroke.
Display issues when extending laptop to a large external monitor	When a laptop was extended to a larger external monitor, certain controls such as checkboxes and option buttons did not zoom correctly. These controls now scale properly when the form is displayed on a monitor with different DPI or resolution than the primary display.
Zoom range extended for Print Preview	The zoom keyboard shortcuts, mouse wheel, and slider in Print Preview now support the full zoom range from 10% to 1000%, matching the range available in Form and Report views.
Date selector control showed truncation and ghosting at certain zoom levels	At certain zoom levels, the date selector control displayed truncated text and visual ghosting artifacts. The date selector now renders cleanly at all zoom levels.
Current record indicator didn't draw in Continuous Form view when zoomed	In Continuous Form view, the current record indicator (the arrow marking the selected record) did not draw when zoom was enabled. The indicator now renders correctly at all zoom levels.
Extra line appeared at the top of the record selector when zoomed	When zoom was enabled, a small extra line appeared extending from the top of the topmost record selector in Continuous Form view. This visual artifact has been removed.
Screen reader did not announce zoom level changes via keyboard shortcuts	When using keyboard shortcuts (Ctrl+Alt+Plus / Ctrl+Alt+Minus) to adjust the zoom level, screen readers did not announce the updated zoom percentage. The zoom control now exposes the updated value to assistive technology after each change.
Screen reader announced incorrect context for zoom controls	When navigating to the zoom split button on the Home tab, screen readers announced it as "Print Preview Zoom" instead of reflecting the current zoom context. The control now announces the correct context.
Zoom button on Home tab did not respond to keyboard activation	The Zoom button on the Home tab did not perform any action when activated via Enter, Spacebar, or mouse click. The button now opens the zoom dropdown as expected.
Added 125% and 175% zoom levels to the ribbon	The zoom dropdown on the Home tab now includes 125% and 175% as preset zoom levels, making it easier to select commonly used zoom percentages without typing a custom value.
Tab header font rendered incorrectly when zoomed	When zooming was enabled, tab control headers could render with an incorrect font size or style. Tab headers now render with the correct font at all zoom levels.
Dropdown list detached from its control when form was scrolled	When a form was scrolled while a dropdown list was open, the dropdown could become visually detached from its parent control and appear at the wrong position on screen. The dropdown now repositions correctly when the form scrolls.
Query with IS NULL predicate could return incorrect data	When a query used an IS NULL predicate on certain field types, the query could return incorrect results or trigger an internal error. The query engine now evaluates IS NULL predicates correctly in all cases.
Linked Table Manager showed a confusing dialog when re-linking tables	When using the Linked Table Manager to re-link tables, a confusing confirmation dialog could appear that made it unclear whether the operation succeeded. The dialog messaging has been clarified.
Reduced unnecessary repainting during horizontal scroll in Form view	When scrolling horizontally in Form view, Access was repainting the entire form window instead of just the newly visible area. This caused visible flicker and unnecessary CPU usage. Horizontal scrolling now repaints only the region that has changed.

Course Retirement: DP-3011

AshleeLyman — Tue, 16 Jun 2026 17:37:53 GMT

This course is being retired because its Azure Databricks coverage is now better served by the newer DP-750 course. DP-750 provides a more complete, role-aligned path for learners who need production-ready data engineering skills with Azure Databricks, including Unity Catalog, secure governance, ingestion pipelines, deployment, and workload maintenance.

DP-3011: Implement a Data Analytics Solution with Azure Databricks

https://learn.microsoft.com/training/courses/dp-3011

Credential: N/A

Retirement date: September 30, 2026

Replacement course: DP-750T00: Implement data engineering solutions using Azure Databricks

Anomaly detection made easy with Dynamic thresholds for Log search alerts

Efrat_Ben_Porat — Tue, 16 Jun 2026 17:33:52 GMT

We’re excited to announce the General Availability of dynamic thresholds for log search alerts in Azure Monitor. Dynamic thresholds make anomaly detection easier by using machine learning to learn normal behavior from your historical log query results, automatically account for patterns such as hourly, daily, and weekly seasonality, and adapt as your environment changes. Instead of manually choosing static limits that can quickly become outdated, you can let Azure Monitor automatically determine the right threshold for each alert rule. Dynamic thresholds for Log search alerts are available at no extra charge - you pay the standard log search alert rule rate.

Dynamic threshold preview chart displayed when setting up a new alert rule.

Why it matters

Simplified configuration: No need to fine-tune thresholds manually.

Adaptive monitoring: Alerts automatically adapt to changing usage patterns and trends.

At-scale intelligence: For multi-dimensional monitoring, thresholds are calculated per dimension combination.

Example use cases

AKS Pod restart spike anomaly detection

Scenario: Monitor Kubernetes Pod logs for spikes in pod restarts across clusters.
Why dynamic thresholds help:

AKS workloads often scale dynamically; static thresholds can’t account for autoscaling patterns.
Dynamic thresholds adapt to normal fluctuations in node/pod counts and alert only on true anomalies.

Example query:

KubePodInventory | summarize restartCount = sum(PodRestartCount) by bin(TimeGenerated, 10m), ClusterName, Namespace, Name

Dynamic threshold settings:
- Namespace (for workload-level baselines).
- Name (for per-pod granularity if needed).
- Measure: restartCount (the aggregated column from the query).
- Split by dimensions (optional):
  - Namespace (for workload-level baselines).
  - Name (for per-pod granularity if needed).

Resource Inventory Drift Detection (Azure Resource Graph)

Scenario: Detect sudden spikes in resource creation or deletion across subscriptions or management groups utilizing Log search alerts integration with Azure Resource Graph that may indicate runaway deployments.
Why dynamic thresholds help:

Large organizations often have thousands of resources with varying deployment patterns.
Static thresholds can’t account for seasonal changes (e.g., monthly deployments, scaling events).
Dynamic thresholds adapt per subscription or resource type, reducing false positives.

Example query:

arg("").Resources | summarize resourceCount = count() by type, subscriptionId

Dynamic threshold settings:
- type (for specific resource type changes).
- subscriptionId (for per-subscription granularity).
- Measure: resourceCount (the aggregated column from the query).
- Split by dimensions (optional):
  - type (for specific resource type changes).
  - subscriptionId (for per-subscription granularity).

Getting Started

Learn more about Log search alerts with dynamic thresholds and how to set up alert rules in Azure Monitor.

General Availability: Simple log alerts in Azure Monitor

Efrat_Ben_Porat — Tue, 16 Jun 2026 17:33:31 GMT

We are excited to announce the General Availability of Simple log alerts in Azure Monitor! This feature is designed to provide a simplified and more intuitive experience for monitoring and alerting, enhancing your ability to detect and respond to problems in near real-time.

Simple log alerts are a type of Log search alerts in Azure Monitor, designed to provide a simpler alternative to traditional Log search alerts. Unlike Log search alerts that aggregate rows over a defined period, Simple Log Alerts evaluate each row individually.

Simple Log Alerts are supported using Basic logs as well. Before, choosing Basic logs for cost optimization - for example, configuring the traces table in Application Insights with Basic logs plan - meant giving up the ability to alert on that data. Simple log alerts close that gap, so you can keep the cost savings and alert on telemetry stored in Basic Logs.

🌐 When to use

Simple Log Alerts are ideal for monitoring applications or network traffic where unaggregated, real-time detection and quick incident response are critical.

Example scenarios:

Failed automation jobs - get notified the moment a backup job, scheduled task, or any automated process fails, rather than waiting for an aggregation window.
Windows events affecting storage or security - alert on individual event log entries that signal disk failures, security breaches, or service disruptions.

🔁 Flexible Trigger Recurrence

By default, Simple log alerts fire on every matching row, but you can tune this to reduce noise. Choose to alert only when the condition is met at least once, twice, three times, or a custom number of times within a minute - giving you control over sensitivity without sacrificing the low-latency.

💰 Pricing Information

Simple log alert rules evaluate your data every minute, so billing is the same as 1-minute frequency alert rules. For detailed pricing information, refer to Pricing - Azure Monitor | Microsoft Azure. You will see these rules in your billing statement tagged with kind:simplelogalert.

📚 Documentation and Links

Partner Blog | Partners agree: Benefits packages deliver ROI

JillArmourMicrosoft — Tue, 16 Jun 2026 17:15:00 GMT

Microsoft partner benefits packages start at $350 and, when fully utilized, can unlock significant value for partners. They empower you to run your business more efficiently, accelerate skilling and innovation, and improve solution quality.

Partner benefits provide Microsoft partners with access to discounted product licenses, Azure credits, technical consultations, and support. They are available across three package tiers: Partner Launch Benefits, Partner Success Core Benefits, and Partner Success Expanded Benefits, so partners can choose the right level of benefits for their stage of growth.

New research from Omdia and IDC shows that when partners actively use these benefits, the impact can be significant. Omdia found that 90% of surveyed partners reported some level of ROI from their package investment, and 83% of surveyed partners reported that benefits packages contributed to business growth, with growth of at least 30% in some scenarios.¹

According to a new IDC Info Snapshot, sponsored by Microsoft, partners can realize potential retail savings of $17,342* with Partner Launch Benefits, $99,407 with Partner Success Core Benefits, and $578,972 with Partner Success Expanded Benefits when they maximize package utilization.**²

The message across both studies is clear: the strongest returns come when partner benefits packages are used as growth infrastructure, not simply as a set of discounts. Partners are using their packages to operate as Customer Zero (using Microsoft solutions internally before taking them to market), accelerate innovation, move faster to market, and build repeatable, high-margin offerings that strengthen their business.

That Customer Zero approach is already showing up in how partners run their own businesses.

“We have treated the Microsoft partner benefits package as a core operating component of our infrastructure. It’s not just a perk. It is something where we embrace it as Customer Zero.”

– Jason Price, CEO, Aston-Price

This blog shares a practical playbook you can use to turn your partner benefits package into repeatable motions toward Frontier transformation: across internal skilling, solution development, go-to-market, and delivery.

Continue reading blog here

Be sure to join our Partner benefits discussion board if you have questions or want to connect to subject matter experts!

ICYMI: Partner Blog | Partners agree: Benefits packages deliver ROI

JillArmourMicrosoft — Tue, 16 Jun 2026 17:14:03 GMT

Continue reading here!

Announcing Public Preview: Agent Identities Asset Connector for Microsoft Sentinel

Krishna_Sagar_B_V — Tue, 16 Jun 2026 17:00:01 GMT

As organizations accelerate adoption of AI agents across Microsoft 365 and enterprise environments, security teams face a fundamental shift:

Agents are becoming first-class identities and securing them requires understanding both their behavior and their identity context.

We are excited to announce the Public Preview of the Agent Identities Asset Connector for Microsoft Sentinel, a foundational capability that delivers identity context for AI agents, completing the visibility required for end-to-end agentic security.

Completing the picture: From activity to identity-aware security

With the A365 (Agent 365) Observability Connector and M365 Copilot connectors, Sentinel customers already have deep visibility into:

Agent activity and execution flows
Prompts, tools, and data access
Cross-agent interactions

However, activity data alone cannot answer critical security questions, such as:

What is this agent?
What permissions does it have?
Who owns or governs it?
How does it fit into the broader identity ecosystem?

The Agent Identities Asset Connector addresses this gap by bringing agent identity data into the Sentinel data lake, enabling correlation with activity signals to deliver enriched, contextual security insights.

Introducing the Agent Identity data model

This connector introduces four core asset tables that together define the agent identities:

Agent Users

Represents human principals responsible for agents, including owners, sponsors, or administrators.

What it provides:

Ownership and accountability relationships
Mapping of agents to human context
Organizational and governance linkage

Why it matters for security:

Enables accountability and traceability for agent actions
Helps answer: Who is responsible for this agent?
Critical for incident response, governance, and compliance audits

Sample Query

EntraAgentUsers | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, userPrincipalName, agentIdentityBlueprintId, agentIdentitySPID, mailNickname, accountEnabled

Agent Identities

Represents the agent itself as a first-class identity, including its lifecycle and configuration.

What it provides:

Unique identity for each agent
Lifecycle state (e.g., active, disabled)
Metadata describing the agent type and context

Why it matters for security:

Elevates agents from hidden service constructs to first-class security principals
Enables identity-aware detection and hunting
Forms the foundation for monitoring agent behavior at identity granularity

Sample Query

EntraAgentIdentities | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, createdDateTime, accountEnabled

Agent Blueprints

Represents the definition and design of agents, how they are constructed and what capabilities they are intended to have.

What it provides:

Blueprint or template defining agent behavior
Configuration patterns and logical design
Reusable constructs across multiple agents

Why it matters for security:

Enables understanding of intended vs. actual behavior
Identifies systemic risks across agents built from the same blueprint
Supports proactive risk assessment and governance at scale

Sample Query

EntraAgentIdentityBlueprints | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, createdDateTime, isDisabled, groupMembershipClaims, signInAudience, publisherDomain

Agent Blueprint Service Principals

Represents the service principals tied to agent blueprints, which define the permissions and execution boundaries.

What it provides:

Service principal identities used by agents
Permission scopes and access configurations
Linkage between blueprint design and runtime execution

Why it matters for security:

Exposes what access an agent actually has
Enables detection of over-permissioned or misconfigured agents
Critical for enforcing least-privilege access and Zero Trust principles

Ingesting this data opens the SOC to new opportunities for use cases that meet the growing needs for awareness of agentic workloads within the environment.

A Unified Asset Graph for Agentic Security

Together, these four tables will enable a connected agent identity graph depicting connections such as Agent User → Agent Identity → Agent Blueprint → Service Principal → Resources/Data.

This enables Sentinel customers to gain access to key insights and options, such as:

Tracing who owns an agent
Understanding how it is configured
Analyzing what permissions it operates with
Correlating with what it actually does (activity)

Unlocking Asset + Activity Correlation

With the addition of these agent identity tables, Sentinel customers can now combine activity data from the A365 Observability and Copilot connectors with the asset information brought in from the Agent Identities connector to unlock deeper visibility into security scenarios:

Identity-aware investigations that correlate agent actions with identity, ownership, and permissions to identify which agents performed an action and understand how/why it was allowed
End-to-end traceability by showing the full execution chains, highlighting the identity, tools, and data that was used by an agent
Enriched detection and hunting by joining identity, asset, and SIEM data together within Sentinel data lake to better detect anomalous behavior relative to permissions, identify risky configurations, and improve detection fidelity.
This reflects a core Sentinel principle:

Asset data enriches activity data to provide deeper, more actionable security insights.

From Observability to Agentic Security

The Agent Identities connector marks a shift from traditional observability to true agentic security within Sentinel. While customers previously had strong visibility into agent behavior, they often lacked the critical identity and governance context needed to fully understand and control their agent ecosystem. This release bridges that gap by providing a comprehensive, identity-centric view that connects agent activity with ownership, permissions, and relationships. As a result, customers can evolve from simple observability to enriched context and ultimately to actionable control, enabling end-to-end agent governance, identity-driven detections, and graph-based security insights. By establishing agents as raw first-class identities within Sentinel and unifying identity and activity signals, this capability lays the foundation for a cohesive security model that integrates human, non-human, device, and AI agent identities into a single, unified security data platform within Sentinel data lake from Entra, M365, and other sources.

Getting Started

To unlock the full value of agentic security in Microsoft Sentinel, enable:

✅ Install Agent 365 and M365 Copilot Solutions in Content Hub
✅ Enable Agent Identities Asset Connector provided by the solution
✅ Enable A365 Observability Connector provided by the solution
✅ Enable M365 Copilot Connector from the Microsoft Copilot solution

Together, these provide a comprehensive asset + activity view for AI agents in your environment.

Final takeaway

Effective security requires both visibility and context. With the Agent Identities connector, Sentinel now delivers both for AI agents.

mail@mydomain is causing a cert mismatch error in all browsers for Outlook.com

midiman — Tue, 16 Jun 2026 16:12:03 GMT

Hello,

I have created a CNAME for our users in my domain so that they can access webmail.

For example, it's called mail.mycustomdomain.com, and it is directed to Outlook.com

But when I try to visit mail.mycustomdomain.com, it shows a security warning and recommends going back.

I can understand because the SAN name in the certificate presented by Outlook doesn't include my CNAME.

Is there anything I can do as a workaround so our users can enter the CNAME without encountering a Certificate Mismatch Error?

It is causing repeated calls to the helpdesk, and we would like them to use something simple they can remember.

Thanks

Transform your security operation with a unified experience in Defender

Mohit_Kumar1 — Tue, 16 Jun 2026 16:00:00 GMT

Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl

Security operations teams today are being asked to do more than ever: respond faster, manage increasing data volumes, reduce operational complexity, stay ahead of evolving threats, and balance cost and efficiency.

That’s why Microsoft is bringing Microsoft Sentinel into Microsoft Defender: to bring together SIEM, XDR, threat intelligence, AI, and automation into a single experience.

By March 31, 2027, all Microsoft Sentinel customers will be automatically transitioned to Defender. But this transition is about far more than a new interface. It’s an opportunity to modernize the SOC, streamline operations, and unlock capabilities designed for the AI-first era of security operations.

This blog kicks off a six-part series to help you confidently navigate the transition ahead of time, understand what changes (and what doesn’t), and maximize value along the way.

Why this post, and why now

This is the first of a six-part helping customers transition their Sentinel experience from the Azure portal to Defender:

Part 1 – Beyond a portal move (You are here)
○ Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data
○ Part 3 – Detection and automation, reimagined
○ Part 4 – The Governance Shift: RBAC, URBAC, Sentinel data lake, and MSSP
○ Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and checklist
○ Part 6 – The AI-First SOC: Copilot, UEBA, threat intelligence, and SOC optimization

The strategic shift in one paragraph

Defender represents the convergence of Microsoft’s security capabilities into a single operational experience. Instead of switching between disconnected tools and workflows, security teams can work from one integrated environment spanning SIEM, XDR, threat intelligence, AI-powered investigation and response, cross-domain correlation, and SOC automation. Defender helps analysts investigate incidents faster, enables better collaboration across teams, and reduces operational friction across the security lifecycle. Most importantly, it creates a foundation for the future of AI-assisted and agentic security operations.

Why migrate early?

While the transition becomes mandatory in 2027, organizations that start earlier can begin realizing value immediately.

Moving to Defender today helps organizations:

Streamline analyst workflows with a unified incident queue
Reduce investigation time through advanced cross-product correlation
Take advantage of Security Copilot experiences integrated into Defender
Simplify operations across Sentinel and Defender products
Modernize governance and access management models
Prepare their SOC for AI-driven investigation and response
Take advantage of the latest innovations.

Rather than treating migration as a compliance deadline, many customers are approaching it as a strategic modernization initiative for their SOC.

What changes, and what stays the same

One of the most important things to understand is that this is not a “rip and replace” migration. The foundational elements of Microsoft Sentinel remain intact while the operational experience evolves.

Area	What changes	What stays
Management plane	Defender becomes the primary experience	The Sentinel portal in Azure remains usable until March 31, 2027
Incident model	Unified incident queue across Sentinel + Defender, XDR correlation, attack story view	Log analytics remains the core storage layer
Access control	Unified RBAC (URBAC) preferred for cross-product, fine-grained access	Azure RBAC continues to work until role migration to URBAC; service principals are not supported in URBAC
Data	Data lake for long-term retention and advanced analytics	No workspace migration required
Cost	Data lake can materially reduce overall cost by shifting high-volume logs out of the analytics tier, also allowing longer term retention at a lower cost (up to 12 years)	No change in the business model after moving over to Defender

The key takeaway: customers are not rebuilding their environments from scratch. Existing investments continue to work while the operational layer becomes more integrated and intelligent.

What Defender unlocks

The transition to Defender is designed to unlock capabilities that are difficult to achieve in siloed environments.

Security Copilot: Defender enables deeper integration with Security Copilot, including:

AI-assisted incident triage
Natural-language investigation workflows
Guided response recommendations
Natural language to KQL experiences

Copilot capabilities help reduce analyst fatigue and accelerate investigation workflows.

Unified correlation: With a single engine across all your alerts you can create richer, more contextual incidents spanning identities, endpoints, email, cloud apps, and data sources. This means you spend less time stitching alerts together manually and more time focused on high-confidence incidents.

Data lake: Sentinel data lake introduces new flexibility for long-term retention, large-scale analytics, and cross-workspace investigation scenarios. For many customers, this creates opportunities to balance visibility, compliance, and cost more effectively.

Case management: Collaborate across teams to respond to incidents.

Playbook generator: Create custom workflow automations using natural language.

Sentinel graph: Visualize relationships across users, devices, and activities to investigate attack paths, blast radius, and root cause.

Sentinel MCP server: Let AI agents and Copilot query Sentinel in natural language through a unified, identity-secured Model Context Protocol interface

Triage agent: Autonomous Security Copilot agent that triages high-volume alerts (phishing, identity, cloud) with AI reasoning and a transparent rationale.

What this means for you

Different roles feel this transition differently. Use this as a quick orientation as later posts go deep on each.

Role	What to pay attention to
Security analyst	New incident queue, attack story view, and Copilot-assisted triage – your day-to-day surface changes most.
Detection engineer	Custom detections become the forward direction; analytics rules continue to work but the model is evolving from SIEM to XDR detection.
SOC manager	URBAC governance, data lake blast-radius, and incident-centric automation reshape how you run the SOC.
MSSP and Partner	Multi-tenant view (up to 100 tenants), planning to support up to 1k tenants, unified incident queue, dual RBAC model – Lighthouse is still needed for Azure resources.

Clearing up common misconceptions

“The transition is optional.”
No. Customers must migrate their experience by March 31, 2027.
“We need to migrate our workspaces.”
You do not need to migrate log analytics workspaces simply to use Microsoft Sentinel in Defender.
“This is only a UI change.”
Defender introduces meaningful operational and architectural improvements across investigation, correlation, governance, automation, and AI-assisted workflows.
“The transition itself increases costs.”
There is no additional licensing charge simply for using Sentinel in Defender. Optional capabilities—such as Security Copilot or Sentinel data lake usage—may introduce additional costs depending on adoption and usage patterns.

How to get started

Align your stakeholders: Brief your SOC leadership and detection engineering leads on the March 31, 2027 deadline and the platform shift narrative.
Form a readiness team: Identify a small working group (analyst + engineer + SOC manager + identity owner) to own the readiness effort.
Explore Defender: Start familiarizing yourself with Defender and workflows.
Assess your data strategy: Review how leveraging the data lake may fit into your future strategy.
Follow Tech Community: Get more information in this series

Additional resources

Further reading: The Microsoft Security Community post Migrate Sentinel to Defender – Why it is a security architecture decision, not just a portal change frames the same thesis from an architectural lens. For the official transition guidance, start with the Microsoft Learn article Connect Microsoft Sentinel to the Microsoft Defender portal.

Continue the series

This is the first of six parts. The remaining posts will be published over the coming days. Each one stands alone, so you can read them in order as they go live or jump to the angle that matters most to you once it's out:

Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data

If you want component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.

Part 3 – Detection and automation, reimagined

If you write detections or run automation: the shift from analytics rules to custom detections, the move from alert-driven to incident-driven SOAR, and how hunting evolves.

Part 4 – The governance shift: RBAC, URBAC, Sentinel data lake, and MSSP

If you own identity, access, or multi-tenant operations: the move from Azure RBAC to URBAC, Sentinel data lake, better blast-radius identification, and the MSSP model.

Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist

If you need a practical plan: a walk-through of the Defender adoption helper, cost reality, API strategy, and the migration checklist.

Part 6 – The AI-first SOC: Copilot, UEBA, Threat intelligence, and SOC optimization

If you want to see the destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.

New ways to customize how Copilot edits your workbooks

Sam Radakovitz — Tue, 16 Jun 2026 15:44:38 GMT

If you’ve ever typed the same formatting and style instructions into your Copilot prompt every single time - don’t merge cells,” “use my header style,” “name the tables this way”- we built two new features for you! These new customization options let you set your rules once and have Copilot follow them automatically. Personalization is now generally available, and workbook rules are rolling out to general availability across Excel for Web, Windows, and Mac.

Personalization: your rules that follow you

Personalization lets you tell Copilot your standing preferences once, and it follows them across every workbook you touch. No more repeating yourself. Copilot learns your preferences before it starts editing, so the output always reflects the guidance you provide.

Set preferences for things like:

Formatting: “Never merge cells.” “Don’t use red in charts.” “Always format currency in USD with no decimals.”

Naming conventions: “Name tables with a tbl prefix.” “Use clear, descriptive sheet names.”

Formulas: “Write formulas with structured table references, not cell ranges.”

PivotTables & report styles: “Default to my standard summary layout with bold headers and subtotals.”

How to access it

Open Copilot in Excel.

Open Settings (...) → Personalization.

Add your preferences in natural language and save. Copilot applies them every time you prompt it.

Workbook rules: standards that follow the workbook

Where Personalization is about you, workbook rules are about a specific workbook. Rules live in the workbook and travel with it when you share it, so teams and organizations can standardize how a file should look and behave, and everyone who uses Copilot to edit it stays consistent. These rules are stored in the workbook as a sheet with the “.Rules” naming convention, which signals to Copilot that they should be followed for all edits made in the workbook, regardless of the user.

What makes workbook rules especially powerful is the ability to tap into Excel’s calculation engine, giving you a low-barrier way to leverage the Excel functionality you already know how to use.

Unique ways to leverage workbook rules:

Point to an exact example: Format a sample range exactly how you want it, then tell Copilot “match this formatting”—an exact example beats a written description.

Make rules dynamic with formulas: Reference cells, ranges, or other sheets so rules can change based on what’s already in the workbook. For example, applying one instruction when a project is over budget and another when it is on track.

Use Copilot to build and edit the rules sheet: Start from a blank .Rules sheet or an existing template, then ask Copilot to draft, refine, or update the rules. Aim it at an existing, well-built example sheet and ask it to infer the rules automatically for a fast way to standardize an established template.

Share for consistency: Because the rules are stored in the workbook, every collaborator and every future version stays on-standard. Share rules sheets with others to bring into their own workbooks for consistency.

How to access it

Open Copilot in Excel.
Open + → Create workbook rules. This creates a new template.
Add rules in plain language, point to an example range, or ask Copilot to generate rules from a sample sheet.
Rules must be in column A of the sheet, but can reference other areas of the sheet (e.g. example of a formatted table of range).

Note: If you have an existing sheet you'd like to leverage, simply rename the sheet with ".Rules" and start adding your rules in column A.

Try it today:

Personalization is available to all Copilot in Excel users on Excel for Web, Windows, and Mac. Learn more about Copilot in Excel personalization.
Workbook rules is available in the Insiders channel for Windows and Mac and rolling out to general availability in the coming weeks. Learn more about Copilot in Excel workbook rules.

Azure Sets a New Performance Record for LLM Training Benchmark at Extreme Scale

azinheidarshenas — Tue, 16 Jun 2026 15:13:23 GMT

Azure achieved the most performant MLPerf Training v6.0 result to date for Llama 3.1 405B, with a time-to-train of just over seven minutes according to MLCommons. This loadbearing benchmark measures how communication overhead and system stability dominate training performance, where Azure’s full stack, end-to-end advantages shine. Azure scaled to 2,048 NVIDIA GB20 0 NVL720 compute tray nodes spanning 128 racks (8,192 GPUs), assembling the largest reported GB200 NVL72 cluster to date in MLPerf Training. As model sizes continue to grow into hundreds of billions of parameters, achieving this level of performance consistently requires not only massive compute capacity, but also a highly efficient communication infrastructure.

To meet the demands of the massive training workloads, Azure’s Fairwater AI supercomputing infrastructure offers high-performance GPU scale-up domains with resilient, scale-out networking. Fairwater is optimized for frontier-scale distributed AI training, where communication overhead and synchronization latency can become major scaling bottlenecks at multi-thousand GPU scale. This remarkable result was possible by leveraging fifth-generation NVIDIA NVLink at 1,800 GB/s per GPU for intra-rack communication and Azure’s 100 GB/s MRC (Multipath Reliable Connection) fabric accelerated by NVIDIA DOCA and connected with NVIDIA ConnectX-8 and NVIDIA Spectrum-X Ethernet switches for inter-rack communication.

What Enabled Scaling Llama 405B to 8,192 GPUs on Azure

Achieving efficient training at this scale requires more than raw compute. Three architectural ingredients came together to make this result possible:

High operational efficiency of NVLink scale-up domains, providing fast intra-rack GPU-to-GPU communication.
Resiliency and stability of Azure’s MRC scale-out networking fabric, built on NVIDIA ConnectX-8 SuperNICs and Spectrum-X Ethernet switches, delivering 100 GB/s per GPU across racks.
Topology-aware workload mapping, aligning parallelism strategies with the underlying network structure.

Large-scale LLM training is fundamentally synchronous. At every training step, GPUs perform forward and backward passes followed by gradient synchronization across ranks. Because all GPUs must stay in sync, training progress is ultimately limited by the slowest rank — any time spent waiting on the network directly increases overall step time.

For the Llama 405B benchmark, the workload is distributed across four dimensions of parallelism: Tensor, Context, Pipeline, and Data parallelism. Each generates different communication patterns, with some communication sitting directly on the critical training path. If left unmanaged, communication overhead can quickly become a major bottleneck at scale.

The key insight is that not all communication is equally latency-sensitive. Some communication must be completed before computation can continue, while other communication can overlap with compute.

Tensor-Parallel and Context-Parallel communication sit directly on the critical compute path, meaning each layer must wait for its collective operation to complete before execution can proceed. Pipeline-Parallel communication is also on the critical path, but across stages rather than within a layer (i.e., the next stage cannot begin processing its data until the previous stage has transferred its gradients). To minimize latency, all three are placed on the high-bandwidth NVLink domain, which provides up to 1,800 GB/s per GPU. Data-Parallel communication, on the other hand, can overlap with backward compute because gradient reduction runs alongside the backward pass and does not immediately block the next operation. This traffic is carried over the MRC scale-out network.

The impact of such mapping is clear at scale. Our profiling shows that cross-rack MRC communication contributes just ~20 ms of exposed time on the critical path of a ~1.27 s training step (≈1.6% of step time). This communication — primarily gradient synchronization across all ranks — is well overlapped by compute and NVLink traffic, making the scale-out network nearly invisible to training performance.

Stable Step Time as the Cluster Grows

To evaluate execution stability as the cluster scales, we compared our GB200 NVL72 128-rack submission against a 112-rack configuration used for this experiment. In the Llama 405B workload, the critical path of each training step is dominated by compute (forward and backward GEMMs) together with latency-sensitive Tensor-Parallel and Context-Parallel communication over NVLink. Importantly, neither of these changes as the cluster scales out.

Cross-node communication, such as Data-Parallel collectives and Pipeline-Parallel transfers over the MRC network, runs concurrently with backward compute and remains largely hidden behind computation. This overlap is sustained only if cross-node communication remains fast and predictable. Any network instability, congestion, or synchronization jitter would reduce this overlap and expose communication on the critical path, directly increasing overall step time.

Figure 1. Step-time vs cluster size at scale

This is exactly what we observe in practice under a weak scaling model, where we maintain a constant workload per GPU while scaling total cluster capacity. As shown in Figure 1, step time remains nearly identical at scale, measuring 1.2734 seconds at 112 GB200 NVL72 racks (7,168 GPUs) and 1.2712 seconds at 128 racks (8,192 GPUs) — a difference of just 2 ms. This corresponds to a near-perfect 99.8% weak scaling efficiency as we expanded the cluster by an additional 1,024 GPUs. Step-time variance also remains extremely low (±0.04–0.05%), confirming stable and predictable execution at extreme scale. This directly translates to maximized hardware utilization and an accelerated overall time-to-train, demonstrating the resiliency of Azure’s MRC scale-out network.

Acknowledgement

This work was made possible through strong collaboration across multiple teams. We would like to especially recognize Shantanu Patankar for his contributions to execution and performance analysis and Mark Gitau for his contributions to data preparation and experiment support as core contributors, and extend our thanks to Amirreza Rastegari, Ojasvi Bhalerao, Sai Kovouri, Adam Hough, Nandini Ramanathan, Manasa Govindu, Sanian Gaffar, Ekrem Aksoy, Bhupender Thakur, Matthew Kappel, John Rankin, Girish Bhatia, Sreevatsa Anantharamu, Scott Moe, Yang Wang, and Jithin Jose, as well as many others across Azure and NVIDIA who supported this effort.

Don't expire attached chat files | Show a warning.

Anthony-123 — Tue, 16 Jun 2026 15:09:44 GMT

Teams allows users to upload files to share with others in a chat. These files inherit the organization's sharing policy.

So whether you use Share or Copy Link in SharePoint or OneDrive or you use Attach File in Teams, the same default policy is applied.

The issue, what makes the Teams experience different from SharePoint / OneDrive, is that the message with the attached file persists in the chat. A file that was attached to a conversation two months ago appears to still be in the chat. However, the default policy blocks access to the file that appears present. Moreover, there is no method for the sender to alter the sharing policy using the Attach function.

When this an issue, this is a HUGE issue.

Suggestions:

Actually attach the attached file and store in the recipient's Attachments folder.
Don't use a paperclip icon that says "Attach file" for files that aren't actually attachments.
Warn the sender that the attached file inherits the organization's 'Share with anyone' policy and may expire.
Prompt the sender to alter the sharing link before sending.
Put a timer on the attachment showing the countdown to expiration.
After the expiration date, the file should be labeled "Your organization's sharing policy has expired access to this file".
Add a button for the recipient to request access to the file again.

MVP and RD Community Powers Connection and Innovation at Microsoft Build 2026

kimsanchez — Tue, 16 Jun 2026 15:00:00 GMT

A Community-Driven Experience

From demo and lightning talk sessions to hands-on labs and informal table talks, MVPs and RDs were deeply embedded across the Microsoft Build experience. They contributed as speakers, experts, proctors, and facilitators, helping developers explore new technologies and translate announcements into practical insights. MVPs and RDs also had priority seating at the keynote, creating a strong community presence for one of Microsoft Build’s most visible moments.

Microsoft Build 2026 featured a wide range of session formats—including breakouts, labs, demos, lightning talks, and table talk discussions—designed to create both technical depth and peer-to-peer learning opportunities.

The MVP Program team also partnered with multiple MVPs to deliver, “So You Want to Become an MVP ,” offering attendees a closer look at the program and the community behind it. Together, the team and MVP speakers answered questions about how the program works, what it recognizes, and what it’s like to be an MVP.

Supporting the Global Livestream Audience

MVPs also helped extend the Microsoft Build experience to developers tuning in remotely by supporting livestream moderation on YouTube. During two-hour moderator shifts, MVPs jumped into chat to engage with viewers, keep the energy up, and help create a welcoming, high-quality online experience for a global developer audience.

Their role included answering technical questions in real time in English, helping viewers connect session content to practical implementation, and making the online broadcast feel more interactive and community-driven. This support was another meaningful example of MVPs meeting developers where they are, whether in person at Build or online from around the world.

Their involvement extended beyond formal sessions. Throughout the event, MVPs and RDs engaged directly with attendees at the Skilling Hub, Expert Meetup booths, and Community Finder activation, helping foster an environment where developers could learn, connect, and collaborate.

MVP Connect: Bringing the Community Together

MVP Connect offered MVPs and RDs a relaxed social gathering before Microsoft Build, creating dedicated time to connect with one another, engage with product group teams, and spend time with the MVP Program team. With delicious food, drinks, and informal conversation, the event gave community members a welcoming space to reconnect, meet new peers, and build relationships ahead of the broader conference experience.

The gathering was intentionally designed to make conversation easy and natural, helping MVPs share ideas, strengthen peer relationships, and have direct touchpoints with the product groups they collaborate with throughout the year. It also created an approachable setting for the MVP Program team to listen, answer questions, and celebrate the community in person.

Moments like MVP Connect reinforce what makes the MVP community so valuable: relationships built through shared expertise, open conversation, and a genuine commitment to helping one another learn, connect, and grow.

Expanding Impact Beyond Build

The momentum from Microsoft Build doesn’t stop when the event ends. MVPs and RDs are instrumental in extending Microsoft Build’s reach through community-led initiatives like Build //localhost events hosted through the Microsoft Reactor, bringing content and learnings back to local developer communities around the world.

These post-event engagements ensure that insights from Microsoft Build are shared broadly, enabling more developers to benefit from the knowledge, resources, and innovations introduced during the event.

A Thank You to Our Community

The success of Microsoft Build 2026 is a direct reflection of the passion, expertise, and generosity of the MVP and RD community.

From delivering sessions and mentoring attendees, to creating welcoming spaces and amplifying conversations, MVPs and RDs continue to shape what it means to build a thriving, global developer ecosystem.

As we look ahead, their role remains essential, not just in supporting Microsoft events, but in driving innovation, fostering inclusion, and helping developers everywhere learn, connect, and grow.

Learn more about the MVP Program

To find an MVP and learn more about the MVP Program visit the MVP Communities website and follow our updates on LinkedIn.

Join us for a future live session through the Microsoft Reactor where we walk through what the MVP program is about, what we look for, and how nominations work. These sessions are designed to help you connect the dots between the work you’re already doing and the impact the MVP Program recognizes - with time for questions, examples, and real conversations.

Metrics in Training Service Partner dashboard still shows not started

Hamras — Tue, 16 Jun 2026 14:52:56 GMT

our TSP was on-boarded some months before, and it has now been more than some months since we started delivering training courses. We received the welcome email, completed all required formalities, and have delivered some trainings, and learners redeemed the achievement codes, and completed the surveys in MTM. All of these sessions appear correctly in, MTM surveys, and related dashboards.

However, in Partner Center it still shows “Not Started.”

Could you guys please review this and help us understand why the status has not updated?

Thank you,

Metrics in Training Service Partner dashboard still shows not started

Hamras — Tue, 16 Jun 2026 14:50:55 GMT

However, in Partner Center it still shows “Not Started.”

Could you guys please review this and help us understand why the status has not updated?

Thank you,