Azure topics

Integrating Tableau to a Azure Internal Database

sharmerika — Mon, 08 Jun 2026 04:57:55 GMT

Hi everyone, I wanted to ask if it's possible if I can connect Tableau to an internal database that I'm planning to build. Not just Tableau but Monday.com too. And yeah, I know I need to build the database first, and sort everything out first, but it's for my presentation. I would really be grateful if someone can answer this and show me a bit of how I can do that. Do I need some token from tableau or something?

Restoring a user to Azure API Management instance who had registered using Azure B2C

curious7 — Tue, 02 Jun 2026 13:02:31 GMT

I am trying to restore a Azure API Management user account that I had backed up and has identity.provider and intentity.id backed up. When I restore this user using the ARM endpoint using URI similar to one below, the user gets restored but has both "AadB2c" and "Basic" as the auth type:-

"https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.ApiManagement/service/${apimName}/users/${userId}?api-version=2024-05-01"

Why is Basic being added as the value because the backup had "AadB2c" as the Auth Type?

And is there a way to avoid that and only have "AadB2C" as the Auth type.

Which Azure certification are you currently preparing for, or planning to take next?

Dravidan — Tue, 26 May 2026 18:25:37 GMT

I recently started exploring Microsoft Azure training and certifications, and I can clearly see how valuable they are for building cloud skills and growing a career in technology.

Azure certifications help professionals learn real-world cloud concepts, improve technical knowledge, and stay updated with technologies like AI, Security, DevOps, and Data Engineering.

Some of the most popular certifications are:

AZ-900 – Azure Fundamentals

AZ-104 – Azure Administrator

AZ-204 – Azure Developer

AZ-500 – Azure Security Engineer

Microsoft Learn also provides free learning paths and hands-on content, which makes it easier for beginners and experienced professionals to learn at their own pace.

Azure Managed Identity randomly returns 403 and then self-recovers

Dravidan — Sat, 23 May 2026 18:22:58 GMT

Our production apps intermittently lose Key Vault access via Managed Identity for a few minutes, then recover automatically without any config, RBAC, or deployment changes.

Everything appears healthy from Azure’s side, which makes root cause analysis extremely difficult. Has anyone else seen this behavior?

Is there no way to get better support for Azure - esp for SEV A tickets

ImranRana — Fri, 22 May 2026 07:36:03 GMT

We have had a sev A ticket open for over 5 days, and are incurring thousands in losses every day, and despite assurances from the Azure Support that it is being solved in hours and then having confirmations that it is solved, the issue is still not solved. I have asked numerous times to get our teams in touch with actual microsoft employees, not front end contractors, who is more like level 1 support, and just running messages between customer and back end team, and really are powerless to handle any suport issues themselves, and they are on complete mercy of "other teams" yet as a customer, apparantly we cant even get on a call with these other teams, and the poor front end contractors are getting the brunt of our pain. Absolutely are in the dark, as to what is actually happening in the back end, other than "trust me bro" we are working on it. No eta, no explanation.. hard to fathom how this can go on like this

Unable to backup APIM instance to storage account

curious7 — Thu, 14 May 2026 15:11:43 GMT

I have a Standard V2 APIM instance and a storage account that has public access disabled but allows traffic from the Integration subnet of the APIM and the "Microsoft.ApiManagement/Service" resource type and the specific instance of APIM allowed access. It also has the "Allow trusted MIcrosoft Services to access this resource" selected.

Integration subnet of APIM has the "Microsoft.Storage" service connection configured.

I am following this MS KB to setup the backup:-

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore?tabs=powershell#back-up-an-api-management-service

And using the "Access using managed identity" method. The Service principal that I am using in Powershell & Managed Identity of APIM has been given the "Storage Blob Data Contributor" role on the storage account.

When I run the following 2 commands from a VM in the same VNET as the APIM Instance I get error: "Backup-AzApiManagement : Long running operation failed with status 'BadRequest'."

$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName
Backup-AzApiManagement -ResourceGroupName $apiManagementResourceGroup -Name $apiManagementName -StorageContext $storageContext -TargetContainerName $containerName -TargetBlobName $blobName -AccessType "SystemAssignedManagedIdentity"

Storage logs seems to indicate that it successfully does the "putblob" operation and within few milliseconds does the "DeleteBlob" operation.

APIM activity logs have the following error for "Backup API Management Service":-

"message": "Unable to backup API service at this time. Please, retry the operation.If the issue persists, please contact support providing correlation ID

How can I troubleshoot this further or what needs to change in my setup to allow the backup?

Remote debug options for Linux container on App Services

LouisT — Thu, 14 May 2026 13:59:09 GMT

We run .Net hosted on Linux Docker containers running in App Service. This makes debugging very difficult as while there is an option for remote debugging, this is only for Windows containers.

https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=visualstudio

The only option I can find for Linux is the one detailed in the link below from 2018 which involves running an SSH server in the Docker container and using an extension which doesn't seem to have a stable version.

az extension add --name webapp

az : WARNING: No stable version of 'webapp' to install. Preview versions allowed.

https://azure.github.io/AppService/2018/05/07/New-SSH-Experience-and-Remote-Debugging-for-Linux-Web-Apps.html

Are there any currently supported options for remote debugging in Linux containers? Are there any plans to introduce the remote debug feature for Linux App Services?

Ingesting Logs through Azure Private Link

NotMarcus77 — Wed, 13 May 2026 21:19:20 GMT

Hi,

We are currently using Azure Private Link within our environment and we are attempting to ingest logs into Log Analytics. When I reached out to Microsoft Support, it appears that the CCF connectors will not work using Private Link and the Azure Functions connectors are becoming depricated.

Has anyone else run into this issue and what is the solution for getting logs into Sentinel through the Private Link, specifically API log sources? Did this require a custom app for each of these log sources or some sort of custom script that lives on an AMA host within the Private Link to ingest the logs?

Any advice here would be greatly appeciated.

Thank you,

Can you backup API Management Instance without including the product subscription keys

curious7 — Tue, 12 May 2026 23:35:42 GMT

I am following this KB to backup and restore APIM instance:-
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore?tabs=powershell

But it includes the product subscription keys which can be a security concern.

Can you backup API Management Instance without including the product subscription keys?

Cloud-Native vs. Hybrid for the 2026 Workplace

Gaaleh-Mem — Fri, 01 May 2026 14:54:03 GMT

When to choose Cloud-Native vs. Hybrid for the 2026 Workplace?

Hi everyone,

I am starting a discussion on the foundational phase of one project. As a Computer Engineer, I believe the most critical decision we face in 2026 is determining exactly when to step to a Full Cloud model versus maintaining a Hybrid Infrastructure.

In my view, the decision is not about cost, it is about resiliency, high availability and more avalability. I would like to exchange views with other engineers on these area: latency, edge requirements, integration and aglility.

In your experience, what are the Tipps that makes you choose one over the other for a 2026 environment?

I'm looking for technical architectural insights, not sales approaches.

Azure Automation Hybrid Runbook Worker Supported OS

PhilippZiemke — Thu, 30 Apr 2026 08:51:30 GMT

Hi everyone,

we are currently in the process of updating or environment to Server 2025. Since the mainstream support of Server 2022 ends October this year, we would also like to update our on-premise Azure Automation Hybrid Runbook Worker from 2022 to 2025.

As far as I can see from the documentation, OS is only supported up to Server 2022, but not Server 2025. Since the mainstream support end is closing in, is there any information on official support for Server 2025 for Azure Automation HRWs? Do you already have one successfully running with Server 2025?

Thanks!

Patterns for low-code Azure config state snapshot + recovery solution for resource groups

nicksal — Thu, 30 Apr 2026 02:08:17 GMT

I’m looking for patterns that capture resource configuration changes over time and support best-effort recovery (redeployment) of resource config state.

I understand that authoritative IaC (Bicep) would be the most mature option, however, I am wondering if anyone has ever implemented a solution similar to what I have described above.

Ideally this would be a low-code, Azure native solution.

Using Github Copilot from Azure Subscription

MSOPS1 — Wed, 29 Apr 2026 10:28:33 GMT

Hello,
I have a question on how GitHub Copilot can be accessed and managed through an Azure subscription. If I am getting a Github Copilot license, how is my azure subscription getting linked to the billing and licensing?
Specifically, I would like clarification on how the Azure subscription is linked to GitHub Copilot billing and licensing.

MFA required for Global Admin without Conditional Access or PIM enforcement

schiachris — Tue, 28 Apr 2026 15:06:56 GMT

Hi,

I'm analyzing a break-glass account scenario in Microsoft Entra ID and would like to validate a behavior I'm observing.

The account:

Has Global Administrator role (permanent assignment)
Is excluded from all Conditional Access policies (fully validated)
Is excluded from Authentication Methods policies and MFA Registration Campaign (fully validated)
Has no per-user MFA enabled (disabled)
PIM is not enforcing MFA (role is permanently active, no activation required)
Security Defaults are disabled
SSPR is not enforcing MFA

All configurable sources that could require MFA have been reviewed and fully ruled out.

However, when signing into Microsoft Admin Portals (Entra/Azure), MFA is still required and cannot be skipped.

In Sign-in logs:

Conditional Access → Not Applied
Authentication Details show:
"MFA required in Azure AD"
"App requires multifactor authentication"

Additionally, there is a Microsoft-managed policy:
"Multifactor authentication for admins accessing Microsoft Admin Portals"
but it is in Report-only mode.

Question:
Is Microsoft Entra ID enforcing MFA automatically for privileged roles (like Global Administrator) in admin portals, even when no Conditional Access or PIM policy requires it?

And if so, is there any supported way to fully exclude a break-glass account from this behavior?

Thanks in advance.

Azure Artifact Signing: SignTool "Access is denied" with active Public Trust profile

samuelRiosLazo — Sat, 25 Apr 2026 23:21:29 GMT

I’m blocked on Azure Artifact Signing for Windows EXE signing.

What is already confirmed:

- Account endpoint: https://wus2.codesigning.azure.net/

- Code signing account: notarios

- Certificate profile: notarios-public-trust (Public Trust, Active)

- Identity validation: Completed

- User object id: 9aa27294-c04d-4aab-a7b2-3a8b10be96f9

- RBAC includes:

- Artifact Signing Identity Verifier

- Artifact Signing Certificate Profile Signer

(also assigned at certificate profile scope)

Signing command (signtool 10.0.26100.0 x64 + dlib):

... sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib "<...>\\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\metadata-corr.json" "C:\temp\notarial-app-test.exe"

Error every time:

- SignTool Error: Access is denied.

- Number of files successfully Signed: 0

I also tested Azure CLI auth and explicit AccessToken in metadata; same result.

CorrelationId for troubleshooting:

- notarios-20260425-1859

If anyone from Microsoft can check backend logs for that CorrelationId, I’d appreciate the exact reason and remediation.

Azure RBAC Custom Role Best Practices or Common Build Patterns

nicksal — Mon, 20 Apr 2026 18:40:54 GMT

As a platform admin, I want to grant application admins Contributor access while removing their ability to write or delete most Microsoft.Network resource types, with a few exceptions such as Private Endpoints, Network Interfaces, and Application Gateways.

Based on the effective control plane permissions logic, we designed two custom roles. The first role is a duplicate of the Contributor role, but with Microsoft.Network//Write and Microsoft.Network//Delete added to notActions. The second role adds back specific Microsoft.Network operations using wildcarded resource types, such as Microsoft.Network/networkInterfaces/*.

Application Admin Effective Permissions = Role 1 (Contributor - Microsoft.Network) + Role 2 (for example, Microsoft.Network/networkInterfaces/, Microsoft.Network/networkSecurityGroups/, Microsoft.Network/applicationGateways/write, etc.)

I understand that Microsoft RBAC best practices recommend avoiding wildcard (*) operations. However, my team has found that building roles with individual operations is extremely tedious and time-consuming, especially when trying to understand the impact of each operation.

Does anyone have suggestions for a simpler or more maintainable pattern for implementing this type of custom RBAC design?

Legacy SSRS reports after upgrading Azure DevOps Server 2020 to 2022 or 25H2

fujiwaraH2O — Sat, 18 Apr 2026 04:24:17 GMT

We are currently planning an upgrade from Azure DevOps Server 2020 to Azure DevOps Server 2022 or 25H2, and one of our biggest concerns is reporting.

We understand that Microsoft’s recommended direction is to move to Power BI based on Analytics / OData. However, for on-prem environments with a large number of existing SSRS reports, rebuilding everything from scratch would require significant time and effort.

Since Warehouse and Analysis Services are no longer available in newer versions, we would like to understand how other on-prem teams are handling legacy SSRS reporting during and after the upgrade.

Have you rebuilt your reports in Power BI, moved to another reporting approach, or found a practical way to keep existing SSRS reports available during the transition?

Any real-world experience, lessons learned, or recommended approaches would be greatly appreciated.

Excluding break-glass account from MFA Registration Campaign – impact on existing users?

schiachris — Thu, 16 Apr 2026 14:03:10 GMT

Hi everyone,

I'm currently reviewing the configuration of a break-glass (emergency access) account in Microsoft Entra ID and I have a question regarding MFA registration enforcement.

We currently have an Authentication Methods Registration Campaign enabled for all users for quite some time. We identified that the break-glass account is being required to register MFA due to this configuration.

The account is already excluded from all Conditional Access policies that enforce MFA, so the behavior appears to be specifically coming from the registration campaign (Microsoft Authenticator requirement).

Our goal is to exclude this break-glass account from the MFA registration requirement, following Microsoft best practices.

My question is:

If we edit the existing registration campaign and add an exclusion (user or group), could this have any impact on users who are already registered?

Specifically, could it re-trigger the registration process or affect existing MFA configurations?

We want to avoid any unintended impact, considering this campaign has been in place for a long time.

Has anyone implemented a similar exclusion for break-glass accounts within an active registration campaign? Any insights or confirmation would be really helpful.

Thanks in advance!

Running Commands Across VM Scale Set Instances Without RDP/SSH Using Azure CLI Run Command

vdivizinschi — Wed, 15 Apr 2026 11:46:24 GMT

If you’ve ever managed an Azure Virtual Machine Scale Set (VMSS), you’ve likely run into this situation:

You need to validate something across all nodes, such as:

Checking a configuration value
Retrieving logs
Applying a registry change
Confirming runtime settings
Running a quick diagnostic command

And then you realize:

You’re not dealing with two or three machines you’re dealing with 40… 80… or even hundreds of instances.

The Traditional Approach (and Its Limitations)

Historically, administrators would:

Open RDP connections to Windows nodes
SSH into Linux nodes
Execute commands manually on each instance

While this may work for a small number of machines, in real‑world environments such as:

Azure Batch (user‑managed pools)
Azure Service Fabric (classic clusters)
VMSS‑based application tiers

This approach quickly becomes:

Operationally inefficient
Time‑consuming
Sometimes impossible

Especially when:

RDP or SSH ports are blocked
Network Security Groups restrict inbound connectivity
Administrative credentials are unavailable
Network configuration issues prevent guest access

Azure Run Command

To address this, Azure provides a built‑in capability to execute commands inside virtual machines through the Azure control plane, without requiring direct guest OS connectivity. This feature is called Run Command.

You can review the official documentation here:
Run scripts in a Linux VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Learn
Run scripts in a Windows VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Learn

Run Command uses the Azure VM Agent installed on the virtual machine to execute PowerShell or shell scripts directly inside the guest OS.

Because execution happens via the Azure control plane, you can run commands even when:

RDP or SSH ports are blocked
NSGs restrict inbound access
Administrative user configuration is broken

In fact, Run Command is specifically designed to troubleshoot and remediate virtual machines that cannot be accessed through standard remote access methods.

Prerequisites & Restrictions.

Before using Run Command, ensure the following:

VM Agent installed and in Ready state
Outbound connectivity from the VM to Azure public IPs over TCP 443 to return execution results.

If outbound connectivity is blocked, scripts may run successfully but no output will be returned to the caller.

Additional limitations include:

Output limited to the last 4,096 bytes
One script execution at a time per VM
Interactive scripts are not supported
Maximum execution time of 90 minutes

Full list of restrictions and limitations are available here:
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command?tabs=portal%2Cpowershellremove#restrictions

Required Permissions (RBAC)

Executing Run Command requires appropriate Azure RBAC permissions.

Action	Permission
List available Run Commands	Microsoft.Compute/locations/runCommands/read
Execute Run Command	Microsoft.Compute/virtualMachines/runCommand/action

The execution permission is included in:

Virtual Machine Contributor role (or higher)

Users without this permission will be unable to execute remote scripts through Run Command.

Azure CLI: az vm vs az vmss

When using Azure CLI, you’ll encounter two similar‑looking commands that behave very differently.

az vm run-command invoke

Used for standalone VMs
Also used for Flexible VM Scale Sets
Targets VMs by name

az vmss run-command invoke

Used only for Uniform VM Scale Sets
Targets instances by numeric instanceId (0, 1, 2, …)

Example: az vmss run-command invoke --instance-id <id>

Unlike standalone VM execution, VMSS instances must be referenced using the parameter "--instance-id" to identify which scale set instance will run the script.

Important: Uniform vs Flexible VM Scale Sets

This distinction is critical when automating Run Command execution.

Uniform VM Scale Sets

Instances are managed as identical replicas
Each instance has a numeric instanceId
Supported by az vmss run-command invoke

Flexible VM Scale Sets

Each instance is a first‑class Azure VM resource
Instance identifiers are VM names, not numbers
az vmss run-command invoke is not supported
Must use az vm run-command invoke per VM

To determine which orchestration mode your VMSS uses:

az vmss show -g "${RG}" -n "${VMSS}" --query "orchestrationMode" -o tsv

Windows vs Linux Targets

Choose the appropriate command ID based on the guest OS:

Windows VMs → RunPowerShellScript
Linux VMs → RunShellScript

Example Scenario - Retrieve Hostname From All VMSS Instances

The following examples demonstrate how to retrieve the hostname from all VMSS instances using Azure CLI and Bash.

Flexible VMSS, Bash (Azure CLI)

RG="<ResourceGroup>" VMSS="<VMSSName>" SUBSCRIPTION_ID="<SubscriptionID>" az account set --subscription "${SUBSCRIPTION_ID}" VM_NAMES=$(az vmss list-instances \ -g "${RG}" \ -n "${VMSS}" \ --query "[].name" \ -o tsv) for VM in $VM_NAMES; do echo "Running on VM: $VM" az vm run-command invoke \ -g "${RG}" \ -n "$VM" \ --command-id RunShellScript \ --scripts "hostname" \ --query "value[0].message" \ -o tsv done

Uniform VMSS, Bash (Azure CLI)

RG="<ResourceGroup>" VMSS="<VMSSName>" SUBSCRIPTION_ID="<SubscriptionID>" az account set --subscription "${SUBSCRIPTION_ID}" INSTANCE_IDS=$(az vmss list-instances -g "${RG}" -n "${VMSS}" --query "[].instanceId" -o tsv) for ID in $INSTANCE_IDS; do echo "Running on instanceId: $ID" az vmss run-command invoke \ -g "${RG}" \ -n "${VMSS}" \ --instance-id "$ID" \ --command-id RunShellScript \ --scripts "hostname" \ --query "value[0].message" \ -o tsv done

Summary

Azure Run Command provides a scalable method to:

Execute diagnostics
Apply configuration changes
Collect logs
Validate runtime settings

…across VMSS instances without requiring RDP or SSH connectivity.

This significantly simplifies operational workflows in large‑scale compute environments such as:

Azure Batch (user‑managed pools)
Azure Service Fabric classic clusters
VMSS‑based application tiers

Excited to share my latest open-source project: KubeCost Guardian

Hlali_Mohamed_Amine — Fri, 10 Apr 2026 15:16:04 GMT

After seeing how many DevOps teams struggle with Kubernetes cost visibility on Azure, I built a full-stack cost optimization platform from scratch.

𝗪𝗵𝗮𝘁 𝗶𝘁 𝗱𝗼𝗲𝘀:
✅ Real-time AKS cluster monitoring via Azure SDK
✅ Cost breakdown per namespace, node, and pod
✅ AI-powered recommendations generated from actual cluster state
✅ One-click optimization actions
✅ JWT-secured dashboard with full REST API

𝗧𝗲𝗰𝗵 𝗦𝘁𝗮𝗰𝗸:
- React 18 + TypeScript + Vite
- Tailwind CSS + shadcn/ui + Recharts
- Node.js + Express + TypeScript
- Azure SDK (@azure/arm-containerservice)
- JWT Authentication + Azure Service Principal

𝗪𝗵𝗮𝘁 𝗺𝗮𝗸𝗲𝘀 𝗶𝘁 𝗱𝗶𝗳𝗳𝗲𝗿𝗲𝗻𝘁:
Most cost tools show you generic estimates. KubeCost Guardian reads your actual VM size, node count, and cluster configuration to generate recommendations that are specific to your infrastructure not averages.
For example, if your cluster has only 2 nodes with no autoscaler enabled, it immediately flags the HA risk and calculates exactly how much you'd save by switching to Spot instances based on your actual VM size.

This project is fully open-source and built for the DevOps community.

⭐ GitHub: https://github.com/HlaliMedAmine/kubecost-guardian

This project represents hours of hard work, and passion.

I decided to make it open-source so everyone can benefit from it 🤝 ,If you find it useful, I’d really appreciate your support .

Your support motivates me to keep building and sharing more powerful projects 👌.

More exciting ideas are coming soon… stay tuned! 🔥.