rss.livelink.threads-in-node

Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration

KacperM — Thu, 04 Jun 2026 20:56:14 GMT

Hi everyone,

I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues.

The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE.

Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment.

Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed.

What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues.

Ideally, the macOS ADE enrollment profile in Intune would support options such as:

- Minimum required macOS version

- Target specific macOS version

- Target specific build, if supported

- Latest eligible macOS version for the device

- Apply the OS update before Platform SSO registration and final configuration

- Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed

Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment.

1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues?

2. Is this capability on the Intune roadmap?

3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required?

Thanks in advance for any guidance from the Intune team or the community.

driver version on com port is not same as USB port after update

techi_guy — Thu, 04 Jun 2026 19:09:40 GMT

hi everybody,

i am using printer that i have updated its usb to serial driver but recently find out that the version on com port is not equal on usb port on device manager

so how to fix this difference

how to completely change windows 10 language to English

techi_guy — Thu, 04 Jun 2026 18:58:16 GMT

hi every one,

i have changed display language to English but it did not completely change to English ,i still get settings in Arabic

so my default language is English

i am using windows 10 version 1909(OS build 18363.418)

how to completely change windows to English

thanks in advanced

Microsoft Defender for Cloud Customer Newsletter

Yura_Lee — Thu, 04 Jun 2026 18:30:12 GMT

What's new in Defender for Cloud?

Defender for Cloud is now integrated into the Defender portal to bring together cloud security posture management and threat protection in a single experience. Read more about it here.

Cloud security reporting in the Defender portal is now in public preview

Customers can now create, customize, and share security insights across the organization through Defender portal’s integrated cloud security reporting capabilities. With these reporting capabilities, customers can view built-in reports like CNAPP Executive Summary, create custom reports, export to PDF and more. For more details, please refer to this documentation.

Check out other updates from last month here!

Check out monthly news for the rest of the MTP suite here!

Blog(s) of the month

In May, our team published the following blog posts we would like to share:

Defender for Cloud in the field

Check out the two short videos on Defender Portal integration and Start Secure Stay Secure with Defender for Cloud

GitHub Community

Check out this PS script and CLI to help you enable Defender for API at scale:

Customer journey

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Loyens & Loeff, a law and tax firm, that operates in a high complex environment, sought to modernize the digital workplace with Microsoft 365 Copilot, Defender for Cloud and Purview.

Join our community!

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback.

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe

Run Global Secure Access with confidence: Introducing the GSA Operations Guide

tdetzner — Thu, 04 Jun 2026 18:25:27 GMT

In working with customers, I’ve seen the same pattern again and again: deployment gets the attention, but day 2 operations are where teams need the most structure. This guide is meant to make that part easier—with practical guidance teams can use right away.

TL;DR: Your day 2 playbook is here

What’s new? A prescriptive Microsoft Entra Global Secure Access operations guide on Microsoft Learn
Why it matters: It brings actionable, alert-first procedures for teams running Global Secure Access after deployment
What’s inside: A role matrix, automated health checks, capability-specific guides, templates, and automation scripts
Start here: Microsoft Entra Global Secure Access operations guide

The day 2 gap

Deploying Global Secure Access (GSA) is only the beginning. Day 2 challenges raise questions like:
Who monitors what? When do checks happen? How do we know everything is healthy?

The deployment guide covers rollout, and the product documentation explains configuration. But until now, there was no single resource that explained how to operate Global Secure Access in production. Customers, FastTrack, and partners built their own runbooks—and rebuilt them for each deployment.

That ends today.

Announcing the Operations Guide

The Microsoft Entra Global Secure Access operations guide is now live on Microsoft Learn.

This post-deployment playbook delivers prescriptive guidance for running Global Secure Access in production at scale. It was created by the Global Secure Access customer experience engineering team with input from Thomas Detzner, Janice Ricketts, Jeff Bley, Luis Flores, Marilee Turscak, Peter Lenzke, Mohammad Zmaili, and Ken Withe.

Who this guide empowers

This guide is for the teams that keep Global Secure Access running every day: IT administrators, network engineers, and platform operations teams that need clear answers to questions like “Who owns what?” and “How do we prevent issues before they happen?”

It also equips security leaders with structured reporting so they can demonstrate value and service health to executives. If you’re responsible for Global Secure Access performance, alerting, or automation, this is your new reference playbook. (And if you haven’t deployed yet, start with the deployment guide.)

What you’ll gain from this guide

Shared practices that work across any environment

Know your roles early: A RACI matrix so responsibilities never overlap

Manage change with confidence: A GSA-tailored change-control framework for smooth updates
Prove success with clarity: Reporting templates for operators, managers, and executives
Adopt continuous improvement: Built-in processes to spot gaps before they become issues

Capability-specific playbooks structured for speed

Every workload (Private Access, Internet Access, Remote Networks, Microsoft Traffic) follows one clear pattern so teams always know what comes next:
✔ Begin with alert-first monitoring steps that catch issues early
✔ Follow daily, weekly, monthly routines for health maintenance
✔ Automate critical workflows with Sentinel, Graph API, and PowerShell scripts
✔ Track and tune KPIs using measured baselines
✔ Diagnose and resolve quickly with symptom-to-fix troubleshooting

Don’t start from zero—use the templates

Daily health check across all GSA capabilities

Ready-made change request forms and notification playbooks
Modular checklists ready for your ITSM process

Why this guide is different

Unlike generic environment monitoring advice, this guide delivers concrete, tested procedures built from field experience. It applies an alert-first approach so teams can act on signals from Microsoft Sentinel and Azure Monitor before dashboards show trouble.

Each alert comes with an action—nothing is left unanswered. Automation is embedded throughout, including role-based access control (RBAC) hygiene checks and failover tests. Because operations demand clarity, the guide also provides measurable thresholds, baseline methods, and recovery steps that reduce noise and reinforce uptime.

Six moves to launch operational maturity

Assign roles using the RACI matrix for full coverage

Configure critical alerts before adding custom workflows
Collect 30 days of baseline data before adjusting thresholds
Automate backups and priority alert notifications early
Schedule routine checks using provided templates
Begin structured reporting starting with weekly operations and monthly management reviews

Why it matters for customers and partners

This framework reduces time to readiness after deployment, documents a defensible Day 2 plan for audits, cuts escalations by linking every alert to a clear action path, and gives FastTrack and partners a baseline for consistency in engagements.

Next up

Soon we will publish the GSA Security Operations Guide for Microsoft Entra Global Secure Access, providing a dedicated security monitoring and detection companion to the operational guides for Private Access, Internet Access, Remote Networks, and Microsoft traffic. It brings together the built-in alerts, log sources, Sentinel detections, and cross-signal investigation patterns that security teams need to identify suspicious activity and unauthorized changes across the GSA environment.

If deployment is still ahead, start with the GSA Deployment Guide.

Your move

Open the full guide
Download templates and run your first daily health check today
Post feedback and ideas to help shape future updates

-Thomas Detzner

Thomas Detzner | LinkedIn

Additional resources

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

MGCI Training - July Topic: Food! Meals, snacks, and beverages

WesPreston — Thu, 04 Jun 2026 18:02:16 GMT

Getting a little ahead of ourselves, but it's a tasty topic, maybe even a little spicy. :)

Are you serving food at your event? It's one of the bigger costs for many events.

What are your venue rules and requirements? Are you locked into their services?

How do you address folks with dietary restrictions?

What questions do you have about feeding your attendees?

What should you do? How can you get engaged in the conversation?

Chime in here.
Do you have thoughts you'd like to contribute to the conversation? Let us know you'll be on the call!

Thanks!

Giving Developers Claude Code with Azure API Management and Claude Models in Microsoft Foundry

MuraliKumanduri — Thu, 04 Jun 2026 17:41:20 GMT

Summary

You want to give your engineering org Claude Code without handing out Anthropic API keys, without per-developer billing sprawl, and without losing visibility into who is spending what. This post shows a battle-tested pattern:

Claude models run in Microsoft Foundry, billed through your Azure subscription — no Anthropic contract or keys required.
Azure API Management (APIM) sits in front as an LLM gateway: it authenticates each developer with Entra ID, enforces per-user rate limits and token quotas, and emits per-user usage metrics for chargeback.
Foundry lives in its own Azure subscription, and APIM authenticates to it with a Foundry API key — so there's no cross-subscription RBAC to untangle.
Developers hold only short-lived Entra tokens. The Foundry key never leaves APIM.

Everything below is grounded in the Claude Code LLM gateway requirements and Azure API Management's GenAI gateway policies. All command-line steps are shown in PowerShell for Windows developers.

The problem

Claude Code is a terminal- and IDE-native coding agent that talks to Claude over the Anthropic Messages API. Pointing it directly at Anthropic (or even directly at Foundry) creates three headaches for any organization beyond a handful of users:

Key sprawl and billing. Direct API keys mean either a shared key (no per-user attribution, a rotation nightmare) or many keys (procurement and offboarding overhead).
No throttle. Claude Code is token-heavy — it reads files, plans, and edits in long loops. One runaway session or an over-enthusiastic team can produce a surprising bill with nothing standing between the developer and the model.
No visibility. Finance wants to know cost per team. Security wants to know who is calling what. A raw key gives you neither.

The fix is a gateway that every request flows through — one that knows who the developer is (Entra ID), enforces how much they can use (APIM GenAI policies), and records what they used (Azure Monitor). Claude Code supports exactly this through its gateway configuration.

Architecture

Claude Code on a developer laptop authenticates to Azure API Management with an Entra ID bearer token; APIM validates the token, applies per-user token and request limits, swaps in the Foundry API key, and forwards the Anthropic Messages request to Claude in Microsoft Foundry in a separate subscription; per-user token usage is emitted to Application Insights.

The request path:

Developer laptop (Claude Code CLI / VS Code) | Authorization: Bearer <Entra access token for the APIM app> v Azure API Management (the LLM gateway) [Subscription A] | 1. validate-jwt confirm Entra identity, audience, app role | 2. extract oid per-user counter key | 3. llm-token-limit per-user tokens/min + monthly token quota | 4. rate-limit-by-key per-user requests/min | 5. strip Authorization; set api-key from secret named value | 6. llm-emit-token-metric per-user usage to App Insights v (forwards Anthropic Messages format; anthropic-* headers preserved) Microsoft Foundry https://{resource}.services.ai.azure.com/anthropic/v1/messages v [Subscription B] Claude deployments (Sonnet 4.6 / Haiku 4.5 / Opus 4.6)

The key idea: developer-facing auth and backend auth are independent. Developers always authenticate as themselves with Entra ID at the gateway. How the gateway authenticates to Foundry is a separate decision — and you have two good options.

Choosing how the gateway authenticates to Foundry

Both options below are independent of the developer-facing Entra ID auth, and both work whether Foundry is in the same subscription as APIM or a different one. The only hard constraint for managed identity is that both resources live in the same Entra tenant.

	Option A — Foundry API key	Option B — Managed identity
How APIM authenticates	api-key header from a secret named value	Entra token from APIM's managed identity, in the Authorization header
Setup	Read the key once, store it in APIM	Enable APIM's identity, assign Cognitive Services User on Foundry
Same subscription	Works	Works
Cross-subscription	Works — no RBAC crosses the boundary	Works — role assignment spans subscriptions in the same tenant
Cross-tenant	Works	Not supported — use a key
Shared secret to rotate	Yes	None
Best for	Fastest start; cross-tenant; key-only environments	Production; eliminates the shared secret

This guide builds the key-based path end to end, then shows the managed-identity swap inline at each step (Parts 3 and 4). Pick one — you don't need both.

What this design achieves

Goal	How it's met
Developers use Claude Code with no Anthropic billing or keys	Claude runs in Microsoft Foundry, billed through your Azure subscription
Foundry can live in a different subscription	APIM reaches Foundry by URL + API key only — no cross-subscription RBAC
Every developer authenticates as themselves	Entra ID tokens validated at the APIM gateway
Per-developer rate limits and quotas	rate-limit-by-key + llm-token-limit keyed on the Entra oid claim
Per-developer usage and cost tracking	llm-emit-token-metric → Application Insights / Log Analytics
No Foundry keys on developer laptops	The Foundry key lives only inside APIM; developers hold short-lived Entra tokens

Prerequisites

Two Azure subscriptions, both pay-as-you-go. Subscription A holds APIM; Subscription B holds Foundry. (Foundry Claude does not run on free, trial, sponsored, or CSP subscriptions.)
A Microsoft Foundry resource (Subscription B) in a region where Claude is available — currently East US 2 or Sweden Central — with Claude deployments created and at least one API key under Keys and Endpoint.
An API Management instance (Subscription A). Developer SKU is fine for a pilot; Standard v2 or Premium for production and VNet integration.
Permission to read the Foundry key in Subscription B, contributor on the APIM instance, and the ability to register Entra apps.
Developers on Windows 10/11 with PowerShell (5.1 built-in, or 7), the Azure CLI (winget install Microsoft.AzureCLI), and the Claude Code CLI installed.

Option A (key): no cross-subscription role assignment — the only cross-subscription action is reading the Foundry key once (Part 3), which you can also do from the Foundry portal. Option B (managed identity): one cross-subscription role assignment (Cognitive Services User), supported as long as APIM and Foundry share an Entra tenant.

Part 1 — Deploy Claude in Foundry (Subscription B)

In the Foundry portal, open Model catalog, search Claude, and deploy the models Claude Code uses. Name each deployment to match its model ID so the gateway can pass the model field through unchanged:
Role Deployment name (recommended)
Primary (general coding) claude-sonnet-4-6
Fast (file reads, small edits, background tasks) claude-haiku-4-5
Extended thinking (optional) claude-opus-4-6
Pin versions — select a specific version, not auto-update to latest. Without pinning, a new model release can break every developer at once.
On the resource's Keys and Endpoint blade, copy the endpoint and one of the two API keys. The Anthropic endpoint base is:

Role	Deployment name (recommended)
Primary (general coding)	claude-sonnet-4-6
Fast (file reads, small edits, background tasks)	claude-haiku-4-5
Extended thinking (optional)	claude-opus-4-6

https://{resource}.services.ai.azure.com/anthropic

Critical: Foundry's Claude endpoint is the Anthropic surface (/anthropic/v1/messages), not the OpenAI surface (/openai/deployments/.../chat/completions?api-version=...). When you build the APIM API, do not apply the OpenAI policy template, do not add an api-version query parameter, and do not rewrite to an /openai/... path. Any of these produces the "not supported" or "resource not found" errors people commonly hit.

✅ Checkpoint: You now have Claude deployed in Foundry. Verify your deployment before continuing to Part 2.

Part 2 — Entra ID app registration (developer-facing)

This registration lives in Subscription A's tenant. It defines the audience developers' tokens are issued for, and what APIM validates. It's unaffected by where Foundry lives.

App registrations → New registration → name it e.g. Claude Code Gateway.
Expose an API → set the Application ID URI, e.g. api://claude-code-gateway. Add a scope access_as_user (admin + user consent).
(Optional, for tiering) App roles → add roles such as Claude.Standard and Claude.Premium. Assign developers or groups under Enterprise applications → this app → Users and groups.
Note the Application (client) ID, the Application ID URI, and your Tenant ID.

Developers request tokens for this app's audience; APIM validates aud = api://claude-code-gateway.

Part 3 — Provision the APIM API and Foundry backend (Subscription A)

3.1 Option A — Store the Foundry API key in APIM

First read the key from Foundry in Subscription B (use --subscription so you don't have to switch your active context):

# Read a Foundry key from Subscription B $FOUNDRY_KEY = az cognitiveservices account keys list ` --name <foundry-resource> ` --resource-group <foundry-rg> ` --subscription <SUBSCRIPTION_B_ID> ` --query key1 -o tsv

Then store it as a secret named value in APIM (Subscription A). The policy references it as {{foundry-api-key}}:

# Create a secret named value in APIM holding the Foundry key az apim nv create -g <apim-rg> --service-name <apim-name> ` --named-value-id foundry-api-key ` --display-name foundry-api-key ` --value "$FOUNDRY_KEY" ` --secret true

Hardening: instead of the raw key in APIM, put it in Key Vault and create a Key Vault-backed named value, so rotation lives in one place. APIM needs a managed identity with Get/List secret access on that vault — but the vault is in Subscription A alongside APIM, so this is still not a cross-subscription role assignment.

3.2 Option B — Give APIM a managed identity instead

If you'd rather not manage a shared key, skip 3.1 and give APIM an identity that Foundry trusts. This works in the same subscription and across subscriptions alike, as long as both resources are in the same Entra tenant.

# Enable a system-assigned managed identity on APIM (Subscription A) az apim update -g <apim-rg> --name <apim-name> ` --set identity.type=SystemAssigned # Get the identity's principal (object) ID $APIM_MI = az apim show -g <apim-rg> --name <apim-name> ` --query identity.principalId -o tsv # Get the Foundry resource ID (Subscription B) $FOUNDRY_ID = az cognitiveservices account show ` --name <foundry-resource> --resource-group <foundry-rg> ` --subscription <SUBSCRIPTION_B_ID> ` --query id -o tsv # Grant Cognitive Services User on the Foundry resource (works cross-subscription) az role assignment create ` --assignee-object-id $APIM_MI ` --assignee-principal-type ServicePrincipal ` --role "Cognitive Services User" ` --scope $FOUNDRY_ID

The Cognitive Services User role (a97b65f3-24c7-4388-baec-2e87135dc908) grants data-plane access to call the model without key-management rights. Role assignments can take a few minutes to propagate. A user-assigned identity works too — assign it to APIM and reference its client ID in the policy (Part 4, Option B). On this path there is no foundry-api-key named value to create or rotate.

3.3 Create the backend and API

# Named backend pointing at the Foundry Anthropic endpoint (Subscription B URL) az apim backend create -g <apim-rg> --service-name <apim-name> ` --backend-id foundry-claude ` --url "https://<foundry-resource>.services.ai.azure.com/anthropic" ` --protocol http # API with NO path suffix so callers hit /v1/messages at the gateway root az apim api create -g <apim-rg> --service-name <apim-name> ` --api-id claude-anthropic --display-name "Claude (Foundry)" ` --path="" --protocols https ` --service-url "https://<foundry-resource>.services.ai.azure.com/anthropic"

PowerShell + empty strings: write --path="" (joined with =), not --path "" as two tokens. PowerShell strips a bare "" before the az wrapper sees it, so the CLI reports argument --path: expected one argument. The = form keeps it a single token (--path=) that az reads as an empty string. The same trick applies to any empty-string value you pass to az from PowerShell.

Add the operations Claude Code calls (a wildcard covers them all):

POST /v1/messages
POST /v1/messages/count_tokens
GET /v1/models (only if you enable gateway model discovery — see Part 5.3)

az apim can't apply XML policies. Apply the Part 4 policy via the portal (APIs → Claude (Foundry) → Inbound processing → policy editor) or via Bicep/ARM.

Part 4 — The APIM policy (auth + rate limiting + metering)

Apply this at the API level. Replace the tenant ID and audience. The policy below is the key-based (Option A) version — its step 6 removes the developer's Authorization header and sets the api-key header from the secret named value. For managed identity (Option B), swap step 6 as shown immediately after the policy; every other step is identical.

<policies> <inbound> <base />  <set-header name="Authorization" exists-action="skip"> <value>@("Bearer " + context.Request.Headers.GetValueOrDefault("x-api-key",""))</value> </set-header>  <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized: invalid or missing Entra token."> <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" /> <audiences> <audience>{{gateway-audience}}</audience> </audiences> <issuers> <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>  <issuer>https://sts.windows.net/{{tenant-id}}/</issuer> </issuers> <required-claims> <claim name="roles" match="any"> <value>Claude.Standard</value> <value>Claude.Premium</value> </claim> </required-claims> </validate-jwt>  <set-variable name="callerId" value="@{ var jwt = context.Request.Headers .GetValueOrDefault("Authorization","").Split(' ').Last().AsJwt(); return jwt.Claims.GetValueOrDefault("oid", "unknown"); }" />  <set-variable name="tier" value="@{ var jwt = context.Request.Headers .GetValueOrDefault("Authorization","").Split(' ').Last().AsJwt(); return jwt.Claims.GetValueOrDefault("roles","").Contains("Claude.Premium") ? "premium" : "standard"; }" /> <set-variable name="modelName" value="@{ var body = context.Request.Body.As<JObject>(preserveContent: true); return body?["model"]?.ToString() ?? "unknown"; }" />  <choose> <when condition="@(((string)context.Variables["tier"]) == "premium")"> <llm-token-limit counter-key="@((string)context.Variables["callerId"])" tokens-per-minute="200000" estimate-prompt-tokens="true" remaining-tokens-header-name="x-tokens-remaining" token-quota="20000000" token-quota-period="Monthly" /> <rate-limit-by-key calls="300" renewal-period="60" counter-key="@((string)context.Variables["callerId"])" retry-after-header-name="retry-after" remaining-calls-header-name="x-ratelimit-remaining" /> </when> <otherwise> <llm-token-limit counter-key="@((string)context.Variables["callerId"])" tokens-per-minute="50000" estimate-prompt-tokens="true" remaining-tokens-header-name="x-tokens-remaining" token-quota="5000000" token-quota-period="Monthly" /> <rate-limit-by-key calls="100" renewal-period="60" counter-key="@((string)context.Variables["callerId"])" retry-after-header-name="retry-after" remaining-calls-header-name="x-ratelimit-remaining" /> </otherwise> </choose>  <llm-emit-token-metric namespace="claudecode"> <dimension name="UserId" value="@((string)context.Variables["callerId"])" /> <dimension name="Tier" value="@((string)context.Variables["tier"])" /> <dimension name="Model" value="@(context.Request.Body?.As<JObject>(true)?["model"]?.ToString() ?? "unknown")" /> </llm-emit-token-metric>  <llm-emit-token-metric namespace="claudecode"> <dimension name="UserId" value="@((string)context.Variables["callerId"])" /> <dimension name="Tier" value="@((string)context.Variables["tier"])" /> <dimension name="Model" value="@((string)context.Variables["modelName"])" /> </llm-emit-token-metric>   <set-header name="Authorization" exists-action="delete" /> <set-header name="x-api-key" exists-action="override"> <value>{{foundry-api-key}}</value> </set-header> <set-backend-service backend-id="foundry-claude" /> </inbound> <backend> <base /> </backend> <outbound> <base /> </outbound> <on-error> <base /> </on-error> </policies>

Option B — authenticate to Foundry with managed identity

If you chose the managed-identity path (3.2), replace step 6 above with the block below. Instead of injecting an api-key, APIM acquires an Entra token for its own identity and forwards it as the Authorization bearer token. Token validation, rate limits, and metering are unchanged.

<authentication-managed-identity resource="https://cognitiveservices.azure.com" output-token-variable-name="msi-token" /> <set-header name="Authorization" exists-action="override"> <value>@("Bearer " + (string)context.Variables["msi-token"])</value> </set-header> <set-backend-service backend-id="foundry-claude" />

The token audience for Azure AI Services / Foundry is https://cognitiveservices.azure.com. For a user-assigned identity, add client-id="<uami-client-id>" to the authentication-managed-identity element. There's no api-key named value and no secret to rotate on this path — which is exactly why it's the preferred production posture.

Policy notes

Stripping the developer's Authorization header before forwarding (step 6) matters: that Entra token is for APIM only. Foundry must receive only the api-key header.
{{tenant-id}}, {{gateway-audience}}, and {{foundry-api-key}} are APIM named values. Mark foundry-api-key as secret; the first two can be plain named values.
llm-token-limit and llm-emit-token-metric are APIM's GenAI gateway policies — they understand the Anthropic/OpenAI message formats and parse token usage, so you meter tokens, not just requests. That's the right cost lever for token-heavy Claude Code.
These counters are per-region per-gateway. With multi-region APIM, limits are enforced per region.

Part 5 — Configure Claude Code on developer machines

Developers point Claude Code at APIM (Anthropic Messages gateway mode) and authenticate with their own Entra token. The backend-auth swap is invisible to clients.

5.1 Entra token helper (per-developer, auto-refreshing)

Create %USERPROFILE%\.claude\get-claude-gateway-token.ps1:

# Returns a short-lived Entra access token for the APIM gateway audience. az account get-access-token ` --resource "api://claude-code-gateway" ` --query accessToken -o tsv

PowerShell scripts need no chmod. If execution policy blocks the helper, allow local scripts for your user once:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

5.2 Claude Code settings (%USERPROFILE%\.claude\settings.json)

In enabling configuration of below environment variables in settings.json under .claude folder allows its usage for all Claude Code sessions (VS Code, terminal CLI, JetBrains, etc.)

{ "env": { "ANTHROPIC_BASE_URL": "https://<apim-name>azure-api.net", "ANTHROPIC_MODEL": "claude-opus-4-8", "ANTHROPIC_DEFAULT_OPUS_MODEL": "claude-opus-4-8", "CLAUDE_CODE_API_KEY_HELPER_TTL_MS": "600000" }, "apiKeyHelper": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\<you>\\.claude\\get-claude-gateway-token.ps1" }

In JSON, backslashes must be doubled — hence C:\\Users\\.... Use pwsh in place of powershell if you run PowerShell 7.

apiKeyHelper output is sent as the Authorization (and X-Api-Key) header, validated by APIM's validate-jwt. The developer never holds the Foundry key.
CLAUDE_CODE_API_KEY_HELPER_TTL_MS=3600000 refreshes the token hourly (Entra access tokens last ~60–90 minutes).
Pinning the three ANTHROPIC_DEFAULT_*_MODEL IDs ensures Claude Code sends model names that match your Foundry deployment names, so the gateway passes model through untouched.
Other Anthropic models like Sonnet and Haiku can be provided. Default model to be used is provided with ANTHROPIC_MODEL.

Then developers run claude from their project folder.

5.3 Optional — model discovery

To list gateway models in the /model picker, expose GET /v1/models on the API and set CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY=1 (Claude Code v2.1.129+). Only IDs starting with claude or anthropic appear.

5.4 VS Code extension

Settings.json in .claude folder will control both VS Code Extension and Claude Code CLI.

🚀 Ready to test? Jump to Part 7 to validate your setup, or run claude from your project folder to try it live.

Part 6 — Rate-limiting and usage-tracking design

Per-developer keying. Everything is keyed on the Entra oid claim — stable and unique per user, unlike email or upn which can change. For service accounts or CI, key on appid instead.

Two enforcement layers:

llm-token-limit — tokens/min plus a monthly token quota. The real cost control.
rate-limit-by-key — requests/min. Guards against runaway loops.

Tiering is driven by Entra app roles (Claude.Standard / Claude.Premium) read from the JWT — no separate APIM subscription management needed.

Usage tracking flows from llm-emit-token-metric into Application Insights with UserId, Tier, and Model dimensions. Example Log Analytics query for per-user monthly token spend:

customMetrics | where name == "Total Tokens" and customDimensions.namespace == "claudecode" | extend UserId = tostring(customDimensions.UserId), Model = tostring(customDimensions.Model) | summarize Tokens = sum(valueSum) by UserId, Model, bin(timestamp, 1d) | order by Tokens desc

Foundry doesn't return Anthropic's standard rate-limit headers, so manage and observe limits through APIM (the headers above) and Azure Monitor rather than relying on upstream headers.

Part 7 — Test and validate

# 1. Get a token as a developer $TOKEN = az account get-access-token --resource "api://claude-code-gateway" --query accessToken -o tsv # 2. Call the gateway directly in Anthropic Messages format $body = @{ model = "claude-sonnet-4-6" max_tokens = 64 messages = @(@{ role = "user"; content = "Say hello in one word." }) } | ConvertTo-Json Invoke-RestMethod -Method Post ` -Uri "https://<apim-name>.azure-api.net/v1/messages" ` -Headers @{ "Authorization" = "Bearer $TOKEN" "anthropic-version" = "2023-06-01" "content-type" = "application/json" } ` -Body $body

Invoke-RestMethod returns the parsed body but hides response headers. To see x-tokens-remaining / x-ratelimit-remaining, use Invoke-WebRequest with -ResponseHeadersVariable resp (then read $resp), or call curl.exe -i (the real curl, not PowerShell's curl alias).

Validation checklist

No token / expired token → 401 from validate-jwt (confirm before trusting rate limits).
Valid token → 200 with a Claude completion; response carries x-tokens-remaining / x-ratelimit-remaining.
401 from Foundry on a valid developer token → the api-key named value is wrong or not injected (see Troubleshooting).
Exceed the limit → 429 with retry-after.
App Insights → customMetrics shows token counts dimensioned by UserId.
Then run claude end to end from a project folder.

Part 8 — Operations and hardening

Key rotation (Option A). Foundry gives you two keys. Rotate by updating the foundry-api-key named value to key2, then regenerating key1 — zero downtime. A Key Vault-backed named value makes this a one-place change.
Prefer managed identity in production (Option B). If you started on the key path, switch to managed identity (Parts 3.2 and 4, Option B) to remove the shared secret entirely. Because the Cognitive Services User role assignment works across subscriptions in the same tenant, the cross-subscription topology doesn't block this upgrade — and developers see no change, since their side of the contract is always authenticate to the gateway as yourself.
Private networking. Put APIM in internal VNet mode and reach Foundry over a Private Endpoint; disable Foundry public network access so the gateway is the only path in. Cross-subscription private endpoints are supported.
Resilience. Deploy Claude in two regions and use APIM's load-balanced backend pool with retry on 429 and 5xx.
Cost guardrails. Pair per-user llm-token-limit quotas with an Azure Budget and alert on the Foundry resource in Subscription B.

Troubleshooting

Symptom	Cause / fix
404 resource not found from Foundry	Backend URL or path wrong, or an OpenAI-style rewrite applied. Backend must end in /anthropic; callers hit /v1/messages. Remove any /openai/... rewrite and api-version query param.
401 from Foundry (developer token is valid) — Option A	The api-key header is missing/wrong, or the foundry-api-key named value wasn't saved as expected. Confirm the named value, and that the policy deletes the developer Authorization header and sets api-key.
401 / 403 from Foundry — Option B (managed identity)	The role assignment is missing or hasn't propagated yet, or the token audience is wrong. Confirm APIM's identity has Cognitive Services User on the Foundry resource, wait a few minutes, and ensure the policy requests resource="https://cognitiveservices.azure.com". For a user-assigned identity, confirm the client-id is set.
Managed identity works same-sub but not cross-sub	The two resources are in different Entra tenants. Cross-tenant managed identity isn't supported — use the API key (Option A) instead.
401 at the gateway even with a token	aud or issuer mismatch. Confirm the token's aud = api://claude-code-gateway and you used the v2.0 OIDC config and issuer.
403 from Foundry	The key belongs to a different Foundry resource, or the resource disabled key auth. Re-copy a key from Keys and Endpoint, or re-enable local/key auth.
Reduced Claude Code functionality	Gateway stripped anthropic-beta / anthropic-version. Ensure both headers pass through.
Model not available	Claude Code's model ID doesn't match the Foundry deployment name. Align names, or rewrite the body model field in policy.
ChainedTokenCredential authentication failed (client side)	Developer not logged in. Run az login so the helper has a usable Azure credential.

Wrapping up

With about an afternoon of setup you get a gateway that every Claude Code request flows through: Entra ID proves who the developer is, APIM GenAI policies cap how much each person can spend, and Application Insights tells you exactly where the tokens went. For the APIM → Foundry hop you pick what fits: a Foundry API key held only inside APIM (fastest start, works cross-tenant) or a managed identity with no shared secret at all (the production posture). Either way Claude can live in its own subscription, and developers hold nothing more sensitive than a short-lived Entra token.

When you're ready to tighten the screws, the upgrade path is clean: if you started on the key, move it into Key Vault, then graduate to managed identity to eliminate the secret entirely, and put the whole path on a private network.

'None of those steps disrupt developers, because their side of the contract — authenticate to the gateway as yourself — never changes.

Start your pilot today: Deploy a Developer-tier APIM instance, connect it to Foundry, and have your first developer running Claude Code through the gateway by end of day. The Prerequisites section has everything you need to begin.'

All command-line steps target Windows with PowerShell 5.1 or 7. Model IDs and Foundry regions reflect availability at time of writing; check the Foundry model catalog for current options.

Next Steps

Get started now: - Deploy Claude models in Microsoft Foundry — browse the model catalog and create your first deployment - Create an API Management instance — spin up a Developer SKU for your pilot

Go deeper: - Claude Code LLM gateway requirements — full specification for gateway compatibility - APIM GenAI gateway policies reference — all available token and rate limiting options

Get help: - Questions? Post in the Azure AI Community with tag #ClaudeCode - Found an issue with this guide? Open a GitHub issue

No way to automate restoring user‑reported emails after “no threats found”

GT_deb — Thu, 04 Jun 2026 17:30:51 GMT

When a user reports an email as phishing in Defender, the message gets moved to Deleted Items. After we triage it, if we mark it as “no threats found,” there’s no way to push it back to the user’s inbox as part of that workflow.

That creates a bit of a broken experience:

User is told the email is safe with our customized email response, but has to go find it themselves
In a lot of cases they don’t (Outlook search won’t find it)
We end up with follow‑ups like “where did it go?”

Technically we could restore the email as part of our triage process, but that just shifts the effort onto the SOC. It doesn’t scale, and it’s not really the right place for that work. We have tried to create an automation to do this, but we have not been able to create an advanced hunting query based on our triage result that can then trigger an action to restore it to the mailbox.

So we end up choosing between:

Users having a bad experience, or
Analysts doing manual mailbox work

Neither is ideal.

Other platforms (like Proofpoint) handle this end‑to‑end — once something is confirmed clean, it can be returned to the user automatically.

Right now Defender stops at classification instead of completing the workflow.

Is there a reason this isn’t wired in, or anything on the roadmap to address it?

Partner Blog | Streamline your campaign execution with Partner Marketing Center Pro

JillArmourMicrosoft — Thu, 04 Jun 2026 17:00:00 GMT

Your customers are moving quickly, and their expectations for relevance, speed, and clear business value are rising. For partners, that means marketing execution needs to move faster too, from campaign discovery, to planning, and localization, lead generation, performance tracking, and optimization.

Since we introduced Partner Marketing Center Pro, the focus has stayed the same: reduce friction so you can find the right campaign, tailor it to your business, launch with confidence, and understand what to improve next.

Partner Marketing Center Pro brings the campaign lifecycle into one AI-powered marketing hub so you can save time, reduce manual effort, lower localization costs, and get to market faster without stitching together multiple tools.

If you are already running campaigns, PMC Pro is built to shorten the path from idea to execution and give marketing leaders better visibility into what is working. If you are building your marketing muscle, it gives you a clear starting point with proven campaign structures, Microsoft-aligned messaging, and the tools to customize, launch, measure, and improve over time.

Partner Marketing Center Pro simplifies campaign execution

Partner Marketing Center Pro Is the unified, AI-powered marketing hub designed to streamline end-to-end planning, activation, execution, and performance tracking. It enables partners to reduce manual production work, scale demand generation more consistently, and move from campaign idea to customer engagement faster.

In this video walkthrough, Maddie Cupchak from Pax8 shows how PMC Pro brings campaign discovery, AI-assisted customization, translation, publishing workflows, lead engagement visibility, and reporting into one unified experience.

Continue reading blog here

Teams Remote App/ Cloud App optimization for Windows 365 and Azure Virtual Desktop now GA

PavithraT — Thu, 04 Jun 2026 18:45:09 GMT

Today, we are announcing the general availability of Microsoft Teams for Remote App scenarios, expanding support for optimized Microsoft Teams experiences when connecting to Azure Virtual Desktop. Additionally, Cloud Apps for Windows 365 will also be supported. This update introduces a new media engine that replaces the legacy WebRTC-based optimization.

Optimized Teams experience for Remote App

The new optimization improves audio and video performance, reliability, and security, and simplifies ongoing support by enabling media engine updates without frequent upgrades to the infrastructure or client.

This feature will be available to anyone using Microsoft Teams as a Remote App on Azure Virtual Desktop or Cloud Apps on Windows 365 from Windows endpoints.

Teams users running in Remote App will automatically transition to the new optimization:

Audio and video performance and reliability are improved compared to the legacy WebRTC optimization.
Media engine updates no longer require frequent upgrades to the VDI infrastructure or client.

Note: Give and Take control is not supported at this time.

Try the optimized Teams experience for Remote App and Cloud Apps today

If you are using Windows App on Windows, you can try it today by meeting the following requirements:

On the user device, use Windows App for Windows version 2.0.964.0 or later
On the remote VM, install Microsoft Teams version 26043.2016.4478.2773 or later

Learn more: New VDI solution for Teams | Microsoft Teams | Microsoft Learn

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on  LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

From campus to career: 3 practical steps for students

Matt_Jubelirer — Thu, 04 Jun 2026 16:00:00 GMT

This graduation season, build the skills employers are looking for, create proof-of-work to get you noticed, grow as a global student community leader. And explore free tools & offers to help you build what's next!

For many students around the world, graduation season is here – bringing both excitement and uncertainty about what’s next. According to LinkedIn’s 2026 Grad’s guide, students are entering one of the toughest job markets in years and many are reconsidering traditional career paths. Yet alongside these challenges comes real opportunity to create and shape the future with access to powerful new tools in ways earlier generations never could. This is a moment of real uncertainty, but it is also one of unprecedented opportunities.

Whether you're graduating, beginning an internship, starting a first job, exploring entrepreneurship, or returning to campus, here are three practical steps and free tools to help you move forward.

1. Develop the skills employers are increasingly looking for

According to the 2026 Work Trend Index Annual Report employers are increasingly interested in AI‑related skills, particularly for early-career roles. Students who start building skills early may be better prepared to seize their next opportunity.

Microsoft AI Skills Fest (June 8–12, 2026) is a large, no-cost online AI skilling event (registration required). This year features two playlists for students entering the workforce: Get the Job (resume to job offer) and Succeed at the Job (your first 90 days).

Two LinkedIn Live sessions anchor the week: Ask a Recruiter, an open Q&A with Microsoft early-career recruiters on interviews and resumes, and Build your Brand: From Zero to Resume, a session on using Microsoft Copilot to build a "walking deck" that articulates your experience before your first professional role.

In addition, AI Skills Navigator gives you a personalized starting point with a newly launched student path filled with learning options. Pair it with LinkedIn's 2026 Grad Guide for a better understanding about which roles are growing and how to stand out.

2. Build proof-of-work that can get you noticed

Hiring managers aren't just scanning resumes. They're looking for evidence. The candidates who stand out arrive with something to show: a project, a prototype, a piece of published work that shows what they can do. Building an app, a website, or an AI tool that brings your ideas to life is easier than ever. To start, join GitHub Education and get access to free and discounted products and tutorials including GitHub Copilot, Codespaces, and other tools that are part of the Student Developer Pack.

Find inspiration for your entrepreneurial dreams by exploring student stories from programs like Imagine Cup and Red Bull Basement that show how Microsoft can help bring your ideas to life.

3. Grow into a global student community leader

Heading back to campus in a few months? The Microsoft Student Ambassadors program is now open to all higher education students, not just developers. Fill in a simple form and complete a few activities and you’re in! As an ambassador, you connect with peers, mentors, and Microsoft employees, build verifiable credentials, and develop leadership experience that shows up on a resume.

The program is for currently enrolled college students. Learn more and register today.

Tools and offers to help you learn and build what's next

Between classes, finals, internships, and figuring out what’s next, student life can feel like a lot! Many colleges provide students with access to AI tools like Microsoft Copilot. Learning-science-based tools like the Study and Learn Agent found in Copilot can help you break down complex materials across a range of subjects, turn notes into flashcards and quizzes, and help build your confidence for interviews or exams. Copilot in Word can help you refine your resume to present your experiences more clearly.

The Microsoft student page lists our best offers and deals for college students right now. If you’re graduating, the Microsoft 365 Premium graduation offer gives you 12 months of access, at no cost to eligible students and recent graduates, to some of the most powerful AI tools Microsoft offers. Microsoft 365 Premium unlocks Copilot in familiar apps like Word, Excel, and PowerPoint, along with extensive AI usage tokens, exclusive Copilot features and agents, and up to 6 TB of secure cloud storage that you can share with five others (1 TB per person).¹

Start building apps, explore AI, and build your developer skills with free access to professional tools with a $100 Azure credit or access to the GitHub student developer pack.

With the Ultimate college bundle, eligible U.S. students who buy a select Windows 11 PC can get 1 year of Microsoft 365 Premium, Xbox Game Pass Ultimate, and a design-your-own Xbox Wireless Controller—over $500 in estimated value based on included products.²

Study and Learn: step-by-step coaching with images

Your next steps

Students like you are already shaping the future with Microsoft tools and skilling programs available today.

Register for Microsoft AI Skills Fest (June 8–12, 2026) and explore the content curated for students, including featured playlists and live sessions.
Claim the Windows 11 College Student Bundle (US only), Microsoft 365 Premium student offer or GitHub student developer pack. Explore other free tools and offers for students at the Microsoft Education student page.
If you’re headed back to campus, register for Microsoft Student Ambassadors and follow @MicrosoftStudentSkills on Instagram where we share real-world skills for college and beyond.

Wherever you are right now, explore these ideas, and take a step forward today towards your future.

______________________________________________________________________________________________________________________

1. Offers vary by market and end June 30, 2026. Eligibility requirements apply. Students will need to verify their academic status using their college email address. See details here.

2. Offer is valid only for verified college students physically located in the United States at time of qualifying PC purchase, while supplies last. Redemption requires a Microsoft account and following the provided steps after purchase of a qualifying PC. Eligibility and terms apply. Offers vary by market. See details here.

From insight to action: how Adobe and Microsoft are helping marketers move faster with AI

kakennedy — Thu, 04 Jun 2026 16:00:00 GMT

Today’s marketing leaders are under pressure to do more than ever—deliver meaningful personalization, accelerate execution, and prove measurable business impact. At the same time, teams are navigating increasing complexity: fragmented data, disconnected tools, and insights that arrive too late to act on.

AI can change this—but only when it’s embedded directly into how people already work.

That’s why Microsoft and Adobe are deepening our partnership: bringing customer experience intelligence, AI-powered workflows, and enterprise-grade AI directly into Microsoft 365 Copilot—so teams can move from insight to alignment to execution in one continuous workflow. The result is faster decisions, more coordinated execution, and clearer business outcomes—without breaking flow or context.

Bringing customer experience intelligence into the flow of work

Marketing teams don’t struggle because they lack data. They struggle because insights live in one place, collaboration in another, and execution somewhere else entirely. That disconnect slows teams down and creates unnecessary friction between analysis and action.

Together, Adobe and Microsoft are changing that dynamic by connecting Adobe’s customer experience capabilities with Microsoft 365 Copilot and Copilot Cowork—so insight, collaboration, and next-best action can happen where work already happens: in Copilot Chat and in everyday apps like Teams, Word, and PowerPoint. Marketers can ask questions, explore insights, align with teammates, and take action without jumping between tools—turning intelligence into impact at the moment it matters.

Adobe Marketing Agent for Microsoft 365 Copilot: now generally available

A major milestone in this journey is the general availability of the Adobe Marketing Agent for Microsoft 365 Copilot, now available via Microsoft Commercial Marketplace.

The Adobe Marketing Agent brings Adobe customer experience intelligence directly into Copilot, enabling marketing teams to:

Accelerate time from insight to decision
Move seamlessly from analysis to execution
Keep humans firmly in control, with AI supporting—not replacing—decision‑making

Importantly, the agent is enterprise-ready by design. IT administrators can deploy and manage the experience through the Microsoft 365 admin center, ensuring security, governance, and compliance at scale.

Expanding executive experiences with Copilot Cowork

Looking ahead, Adobe skills designed for customer experience orchestration will be accessible in Copilot Cowork—in a future release. This upcoming experience will enable customer experience leaders to engage with customer experience insights in a more direct, conversational way, bringing strategic visibility into the same Copilot environments where decisions are made and actions are coordinated.

Built on Azure to scale securely and responsibly

The technology foundation of this innovation is Azure. Adobe Experience Platform, Adobe Experience Platform Agent Orchestrator, and Adobe AI Agents are built on Azure and leverage Azure AI models, providing the scalability, security, and reliability enterprises require. By running on Azure, these agentic experiences benefit from Microsoft’s global infrastructure, enterprise‑grade security, and responsible AI commitments—supporting customer trust as organizations scale AI across their business.

Designed for interoperability across agent ecosystems

Modern enterprises don’t operate in a single ecosystem—and their agents shouldn’t either.

Adobe agents are built to interoperate with agents created using Microsoft Azure AI Foundry or Copilot Studio, enabling customers to orchestrate richer, cross‑functional workflows across marketing, sales, service, and operations.

This architecture is designed to enable organizations to compose agentic solutions that reflect how work actually happens—across systems, teams, and business processes.

Moving from experimentation to execution

This partnership reflects a broader shift in how organizations adopt AI—moving from experimentation to embedded, enterprise‑ready execution.

By bringing the full power of Adobe Experience Platform together with Microsoft’s AI platform, cloud infrastructure, and Copilot experiences, we’re helping teams move faster with clarity, confidence, and control. This is how AI becomes not just powerful—but practical.

Learn more

Adobe + Microsoft partnership page
Adobe Marketing Agent for Microsoft Copilot page

Driving AI-Powered Healthcare: Advanced Analytics, AI, and Real-World Impact Workshop

CamilleWhicker — Thu, 04 Jun 2026 14:57:17 GMT

What We Covered

The evolving role of data in becoming a frontier AI organization
The modern data estate and how Microsoft Fabric unifies analytics
Architecture patterns for healthcare data platforms
Real-world healthcare and life sciences use cases driving impact
Building unified data foundations in Microsoft Fabric
Applying governance and security best practices
Activating data with AI and agent-based solutions

Key Takeaways

Unified data is foundational to scaling AI effectively
Microsoft Fabric simplifies the analytics stack and accelerates time to value
Governance and security must be built-in, not added later
AI-powered agents unlock new ways to operationalize data across clinical and business workflows
Hands-on experience is critical to moving from concept to deployment

Session Content and Resources

Workshop materials linked at the bottom of this post.

Becoming a Frontier Firm The State of Data & AI
The Modern Data Estate Inside Microsoft Fabric
Unified Data Foundation for Analytics Fabric as the Unifying Layer
Unlocking AI Securely Data Protection & Governance
Unified Data Foundation for AI Activating Data with Agents

What’s Next

If you’re looking to continue the momentum:

View our upcoming healthcare focused Data & AI workshops & webinars
Set up your free Microsoft Fabric trial:
Get started with SQL Fabric
Create a Data Agent
Discuss with your Microsoft partner
Join our upcoming virtual RTI Hands-on Lab June 11

Harness-Driven Agents: Secure Podcast Pipeline in Hyperlight MicroVM Sandbox

kinfey — Thu, 04 Jun 2026 14:12:41 GMT

The moment the agent reached for rm -rf

For most of 2024 and 2025, "agents" were a demo word. By 2026 they are something you run — autonomously, in a loop, executing code they wrote themselves a second ago.

I was watching one work late one night. I had given it a goal, a handful of tools, and the freedom to write and run its own Python. For twenty minutes it was magic: read a file, reason about it, write a script, run it, inspect the output, correct itself, try again. Then it produced this:

import shutil shutil.rmtree("/") # "cleaning up temporary files"

It was trying to be helpful — it had decided the workspace was cluttered and wanted a clean start. The "workspace," as far as that process was concerned, was my entire machine.

I killed it in time. But the lesson is the one every agent builder eventually arrives at: the model is not the dangerous part — the execution is. A chatbot that answers wrong is annoying. An agent that fetches a web page, runs code, and writes files has a blast radius. The bounding box has to come from infrastructure, not from a system prompt.

harnessagent_sandbox_demo is a concrete build that puts that bounding box in exactly the right place — and it does it in service of a real, charming little product: a daily five-minute Mandarin podcast about the FIFA World Cup 2026.

The scenario: a daily World Cup podcast, written by agents

Strip away the infrastructure for a second and look at what this thing actually does.

Every day it produces a fresh Mandarin podcast script about the FIFA World Cup 2026. Three LLM agents run in sequence:

SearchAgent — goes out and gathers the day's World Cup news.
ContentAgent — turns that raw material into structured podcast content.
GenScriptAgent — writes the final, readable five-minute script.

The output is two text files — one in Simplified Chinese, one in Traditional Chinese:

./outputs/<YYMMDD>/<YYMMDD>.simple.zh.txt ./outputs/<YYMMDD>/<YYMMDD>.tranditional.zh.txt

That's the whole product. It sounds simple — and the point of the project is that making it safe is the hard part. SearchAgent has to reach the open internet. All three agents write and run code. If you wire that naively, you have just built the exact machine that types shutil.rmtree("/") for you. So the entire architecture is organized around one principle: the agents get to do real work, but every dangerous capability is fenced behind a hardware boundary.

Why the obvious sandboxes fall short for agents

An agent is defined by an act-observe-correct loop running untrusted, model-generated code over and over. That single property breaks most conventional isolation choices.

Option	Why it falls short for agents
No sandbox	One rm -rf, one leaked .env, one rogue network call — the blast radius is the whole machine.
Container	Great for shipping apps, but a coding agent wants to build and run its own container, which means Docker-in-Docker and elevated privileges that quietly undo the isolation.
WASM / V8 isolate	Fast to start, but you isolate a language runtime, not an OS — no system packages, no arbitrary shell, and hardening the engine is a moving target.
Full VM	Rock-solid isolation, but cold starts in seconds and heavy memory — exactly the friction that pushes developers to skip isolation entirely.

Each option trades away safety, speed, or compatibility. A podcast pipeline that runs every day, spinning agents up and down, needs all three at once:

A real environment — to fetch URLs, run shells, call tools.
A hard boundary — so a bad step can't reach the host.
Near-instant lifecycle — because a slow sandbox is a sandbox developers skip, and an unused safety feature protects nobody.

The MicroVM answer, embedded as a library: Hyperlight

A MicroVM gives each workload its own kernel and a hardware-enforced boundary — the isolation strength of a full VM — stripped down to start in milliseconds and tear down just as fast. Misbehave inside, and you hit a wall; there is no path back to the host. And it is disposable by design: when an agent goes off the rails, you delete the sandbox and reopen in milliseconds, with nothing to clean up.

Most MicroVM runtimes (Firecracker and friends) are cloud infrastructure — server-side. Hyperlight is different: a lightweight Virtual Machine Manager (a CNCF sandbox project) designed to be embedded inside your application, like a library.

MicroVMs that boot in milliseconds, with guest function calls completing in microseconds.
No guest kernel, no OS — the guest is a purpose-built no_std Rust/C binary. Nothing in there to attack.
Sandboxed by default — no filesystem, no network, nothing, unless explicitly granted.
Typed function calls across the VM boundary, and snapshot/restore to rewind to a clean state between calls.
Runs on KVM, MSHV (Microsoft Hypervisor), and Windows Hypervisor Platform.

This project uses the Wasm backend: the three agents share a single HyperlightRuntime, and the guest is reset to a clean snapshot before every code execution. That detail is what makes a daily, many-step pipeline cheap — you capture the sandbox state once and rewind to it, instead of rebuilding a VM hundreds of times.

Agent = Model + Harness

The community has converged on a simple equation: Agent = Model + Harness.

The model is a brain in a jar — text in, text out, no memory between calls, no loop, no hands. It can express the intent to call a tool; it cannot actually call it.

The harness is the execution layer: it calls the model, handles its tool calls, and decides when to stop. As the Hugging Face glossary puts it, "if you're not the model, you're the harness."

That reframes the safety problem precisely. When my agent emitted shutil.rmtree("/"), the model deleted nothing — it merely suggested. The harness would have run it. The harness is where reasoning meets reality, so it is exactly where safety must live. The question stops being "how do I make the model safer?" and becomes: how do I build a harness that executes the model's intent inside a boundary it cannot escape?

The Microsoft Agent Framework answers that with first-class agent harness capabilities in Python and .NET, and it ships with one security note stated plainly:

For local shell execution, we recommend running this logic in an isolated environment and keeping explicit approval in place before commands are allowed to run.

The harness is the steering wheel — it does not pretend to be the seatbelt and the crumple zone. For that, it points you outward: run this somewhere isolated. Hyperlight is that isolated somewhere. This project snaps the two pieces together.

The architecture: two planes, one bridge

Here is the heart of the design. Two planes run together every episode:

An orchestration plane on the host — the WorkflowBuilder graph, the LLM clients, and the deterministic save step.
An execution plane inside one Hyperlight Wasm sandbox — the only place LLM-generated code is allowed to run.

The single bridge between them is one call: call_tool("fetch_url", ...).

The mapping to layers:

Layer	Component	Role
Model	Azure AI Foundry via FoundryChatClient (AzureCliCredential)	The reasoning brain behind each harness agent
Agent runtime	Microsoft Agent Framework create_harness_agent	Drives the model, advertises skills, handles tool calls, decides when to stop
Orchestration	WorkflowBuilder graph	prepare → SearchAgent → adapt → ContentAgent → adapt → GenScriptAgent → save_scripts
Code execution	CodeAct provider	Runs model-written code via the one execute_code tool — inside the MicroVM, never on the host
Isolation	Hyperlight Wasm MicroVM	One shared HyperlightRuntime; clean snapshot restored before every execute_code
Host tool	fetch_url (sandbox/podcast_tools.py)	The only network path; urllib + a BBC-only allow-list
Persistence	save_scripts Executor	Deterministic, no LLM — parses two fenced blocks and writes the two output files

The four invariants that make it safe

The README is explicit about what the diagram guarantees. These four invariants are the whole security argument.

The model never sees the network.Its only tool isexecute_code. Network access happens only when the guest itself runs call_tool("fetch_url", ...) from inside the sandbox. The model cannot reach the internet directly — it can only ask the guest to, and the guest can only reach BBC.
One sandbox per run, snapshot per call.All three agents share the sameHyperlightRuntime. Before every execute_code, the guest is reset to a clean snapshot — so nothing one step does can leak into the next, and there is no VM to rebuild.
Two counter paths — and why there are two.Thefunction_middleware (make_tool_call_recorder) sees the model-direct execute_code calls. But the inner, guest-initiated fetch_url is dispatched by Hyperlight straight to the FunctionTool, bypassing the middleware entirely. So a second counter — make_call_tool_counter(on_call=) — bumps state["tool_call_counts"][<agent>]["fetch_url"] on every guest invocation. Two observation points, because the architecture has two genuinely different call surfaces.
Deterministic save — no LLM in the persistence step.GenScriptAgentonly emits text. The save_scripts Executor parses the two fenced code blocks out of that text and writes the simplified and traditional files itself. There is no model in the loop when bytes hit disk, so the output path is fully predictable.

Now let's look at the real code surface

The README documents the API the demo is built on. The snippets below reflect that surface.

1. Install and environment

pip install agent-framework-hyperlight --pre

# Hyperlight needs a hypervisor: KVM on Linux, WHP on Windows. macOS is not yet supported. # The model runs on Azure AI Foundry; FoundryChatClient authenticates via AzureCliCredential. az login export HYPERLIGHT_PYTHON_GUEST_PATH="/path/to/python_guest"

2. A harness agent that carries only a stub — skills do the rest

Each of the three agents is built with create_harness_agent + FoundryChatClient. The agents themselves carry only a tiny stub instruction; their real role prompts and the shared sandbox/CodeAct guardrails live as file-based Agent Skills under skills/. The harness's built-in SkillsProvider advertises those SKILL.md packages, and the model loads them at runtime via load_skill.

from agent_framework import create_harness_agent from agent_framework.foundry import FoundryChatClient from azure.identity import AzureCliCredential # Model on Azure AI Foundry — not Azure OpenAI directly. client = FoundryChatClient(credential=AzureCliCredential()) # The agent carries a tiny stub. Its real persona — "you gather World Cup # news", "you write the script" — lives in a SKILL.md package under skills/, # advertised by the harness SkillsProvider and pulled in via load_skill. search_agent = create_harness_agent( chat_client=client, name="SearchAgent", instructions="You are a harness agent. Load your skill, then begin.", )

3 The CodeAct surface: one tool the model can see

This is the CodeAct pattern from 02-agents/context_providers/code_act/code_act.py. The model sees exactly one tool — execute_code. Any extra capability (here, only fetch_url) is reachable from inside the guest via call_tool(...).

# What the MODEL sees and writes — one script, not ten tool round-trips: # # # inside execute_code, running in the Hyperlight Wasm guest: page = call_tool("fetch_url", url="https://www.bbc.com/sport/football/world-cup") # # ... parse page["BODY"], pull out today's stories ... print(top_stories) # # execute_code is the ONLY tool on the model's surface. call_tool("fetch_url", ...) is reachable only from inside the sandbox.

4. The one host tool, with a BBC-only allow-list

fetch_url lives on the host (sandbox/podcast_tools.py). It is the single bridge across the boundary, and it is deliberately narrow.

import urllib.request from urllib.parse import urlparse ALLOWED_DOMAINS = {"bbc.com", "www.bbc.com"} # allow-list: BBC only def fetch_url(url: str) -> dict: """The ONLY network path out of the sandbox. Host-side, allow-listed.""" host = urlparse(url).netloc if host not in ALLOWED_DOMAINS: return {"STATUS": "blocked", "URL": url} with urllib.request.urlopen(url, timeout=20) as resp: body = resp.read(8192).decode("utf-8", "ignore") # BODY capped at ~8 KB return { "STATUS": "ok", "URL": url, "TITLE": _extract_title(body), "DESCRIPTION": _extract_description(body), "LINKS": _extract_links(body), "BODY": body, }

Notice what this buys you: even if SearchAgent writes hostile code, the worst it can do over the network is read BBC, 8 KB at a time. The allow-list is host-side and the model never sees it — it cannot be prompt-injected away.

5. Wiring the graph and the deterministic save

from agent_framework import WorkflowBuilder workflow = ( WorkflowBuilder() .add_node("prepare", prepare) .add_node("SearchAgent", search_agent) .add_node("adapt_1", adapt) .add_node("ContentAgent", content_agent) .add_node("adapt_2", adapt) .add_node("GenScriptAgent", genscript_agent) .add_node("save_scripts", save_scripts) # deterministic Executor, NO LLM .build() ) # GenScriptAgent emits text containing two fenced blocks (simplified + # traditional). save_scripts parses them and writes the files itself — # there is no model in the persistence step. await workflow.run() # -> ./outputs/<YYMMDD>/<YYMMDD>.simple.zh.txt # -> ./outputs/<YYMMDD>/<YYMMDD>.tranditional.zh.txt

6. The payoff

Run that shutil.rmtree("/") inside this pipeline now and the result is delightfully boring: the agent deletes its own throwaway sandbox, the host never notices, and the next execute_code starts from a clean snapshot. Two things to call out:

Snapshot/restore means every code execution starts from a clean, reusable baseline — capture state once, rewind between calls, instead of rebuilding the whole VM. For a daily pipeline that runs the act-observe-correct loop many times, that is the difference between "fast enough to always use" and "slow enough to skip."
Because each agent writes one script instead of ten round-tripped tool calls, the CodeAct approach keeps both latency and token usage down — the model reasons once and lets the guest do the busywork behind the boundary.

Where it fits, and the one idea to keep

harnessagent_sandbox_demo lives inside Multi-AI-Agents-Cloud-Native — a gallery of patterns for running agent systems safely on Azure: A2A multi-agent orchestration, the Kubernetes sidecar pattern, hardened pipelines, and a sibling sample that runs Copilot agents on AKS inside Kata Containers MicroVMs at the pod level.

And the README is explicit that this design is cloud-native: running it in-cluster on AKS changes nothing about the architecture — the same WorkflowBuilder graph, the same Hyperlight sandbox, the same deterministic save_scripts executor. The local build and the in-cluster build are the same shape.

The two MicroVM samples are two ends of one spectrum. The Kata sample puts the boundary around the whole pod — a deployment topology. This Hyperlight demo pulls the boundary all the way into the agent process itself — the sandbox becomes a library call. Same question — where do you place the hardware boundary in an agent stack? — answered at two different altitudes.

The old pitch for sandboxing always carried an asterisk: yes, it's safer, but you'll pay in speed, compatibility, or friction. MicroVMs erase the asterisk — VM-grade isolation, cold starts fast enough that there's no reason to skip it, and a real environment your agents can actually work in. Enough of a real environment, in fact, to write you a World Cup podcast every morning.

The one idea to internalize: the harness decides, the MicroVM contains. Give your agent a room where it is allowed to fail — then let it be brilliant.

References

Project: harnessagent_sandbox_demo · Multi-AI-Agents-Cloud-Native
Hyperlight: hyperlight-dev/hyperlight · hyperlight-dev/hyperlight-sandbox
Agent Framework: Agent Harness in Microsoft Agent Framework
Background: Why MicroVMs (Docker) · Harness vs. Scaffold glossary (Hugging Face)
Install: pip install agent-framework-hyperlight --pre · .NET: dotnet add package Microsoft.Agents.AI.Hyperlight --prerelease
Requirements: KVM (Linux) or WHP (Windows); macOS not yet supported.

Bluetooth mouse fails to reconnect automatically after waking from sleep in Windows 11

Thatcherw — Thu, 04 Jun 2026 14:05:10 GMT

After the computer wakes up from sleep mode, the paired Bluetooth mouse often fails to connect automatically; I have to manually remove the device and pair it again before it works.

Why does my refresh rate show as 60.01 Hz instead of 60 Hz?

Kodyon — Thu, 04 Jun 2026 14:02:27 GMT

In Windows 11, my monitor displays 60.01 Hz instead of exactly 60 Hz. Is this normal? What causes this?

Windows 11's dark mode isn't fully implemented yet; the interface in older versions is white.

DaxxonSawyer — Thu, 04 Jun 2026 13:43:34 GMT

Although system-wide dark mode is enabled, legacy windows such as file properties, the Control Panel, and progress dialog boxes remain bright white.

Windows 11 File Explorer frequently freezes

Lucienw — Thu, 04 Jun 2026 13:23:18 GMT

When opening folders containing a large number of media files, the address bar and taskbar often become unresponsive, causing File Explorer to restart automatically.

A Helpful AI-Powered Learning Experience I Found While Preparing for PL-400 within Microsoft Learn

SajedaSultana — Thu, 04 Jun 2026 13:23:01 GMT

While preparing for the PL-400 (Microsoft Power Platform Developer) exam, I discovered a very useful learning feature in some Microsoft Learn modules.

In a few modules, the Module Assessment appears to include AI-generated questions. What I found particularly helpful is that when I answered a question incorrectly and retook the assessment, Microsoft Learn didn't just generate completely new questions. Instead, it often brought back the concepts I had previously answered incorrectly while also introducing new questions.

This approach helped me reinforce weak areas and better understand the module content rather than simply memorizing answers. It felt more like adaptive learning, where the assessment focuses on concepts that need more attention.

Also, if you find this AI-generated learning experience helpful, consider using the "Provide feedback about AI-generated content" option available in Microsoft Learn. Sharing feedback can help Microsoft continue improving these learning experiences for certification candidates.

Has anyone else noticed this behavior in Microsoft Learn assessments? I'd be interested to hear whether you've had a similar experience while preparing for Microsoft certifications.

We hope the Windows 11 Start menu will allow for manual pinning

PhoenixAdler — Thu, 04 Jun 2026 13:05:51 GMT

I like the categorized view in the Start menu, but since I can’t manually assign or change categories, it’s pretty much useless. I hope you can add the ability to manually assign and customize categories.