Azure Governance and Management Blog articles

Announcing One‑Command Backup Configuration for AKS with Azure Backup

shobhitgarg — Thu, 16 Apr 2026 07:50:59 GMT

Running production workloads on Azure Kubernetes Service (AKS) is becoming the norm for platform teams building cloud‑native applications at scale. As these environments increasingly host stateful workloads using persistent volumes, ensuring data protection and rapid recovery becomes mission‑critical.

Today, we’re excited to introduce an alternate simplified CLI‑based experience that allows customers to configure backups for AKS using Azure Backup with a single command.

The challenge with AKS backup onboarding today

Until now, enabling backup for an AKS cluster through Azure CLI required customers to understand and coordinate across multiple CLI domains, including:

az aks
az k8s-extension
az dataprotection

Configuring vaulted backup involved:

Extension installation
Storage account provisioning
Backup vault creation
Policy configuration
Trusted access setup
Backup instance initialization

All of which required orchestrating 8 separate lifecycle steps across 15+ CLI commands.

For platform teams managing tens or hundreds of AKS clusters through automation or CI/CD pipelines, this multi‑step setup often became a barrier to experimentation and adoption.

A simpler way: Configure backup in one CLI command

With this new experience, customers can now enable full‑cluster backup for AKS using a single CLI command:

az dataprotection enable-backup trigger \ --datasource-type AzureKubernetesService \ --datasource-id <cluster-arm-id> \ --backup-strategy <strategy> \ --backup-configuration-file @config.json

This command orchestrates the entire AKS backup enablement workflow behind the scenes by automatically performing the following steps:

Validate AKS cluster existence and running state
Create or identify region‑specific backup resource group
Check if Backup Extension is already installed on the cluster
Install Backup Extension (if not present)
Create or reuse Storage Account for backup data
Create or reuse Backup Vault
Create or reuse Backup Policy
Enable Trusted Access between vault and cluster
Initialize and create Backup Instance

Customers no longer need to manually orchestrate resources across different CLI surfaces.

Backup Strategy Presets

Customers can select predefined strategies aligned to common protection needs:

Strategy	Op Store Retention	Vault Store Retention	Use Case
Week (default)	7 days	—	Dev/Test
Month	30 days	—	Production
DisasterRecovery	7 days	90 days	Cross‑region DR
Custom	User-defined	User-defined	BYO Vault & Policy

Example:

az dataprotection enable-backup trigger \ --datasource-type AzureKubernetesService \ --datasource-id <cluster-arm-id> \ --backup-strategy DisasterRecovery

Backup Configuration JSON (Advanced Customization)

Advanced users can optionally provide a configuration JSON file to:

Use existing vaults or policies
Bring your own storage account
Apply enterprise tags
Use custom backup resource groups

Supported Parameters

Parameter	When Required	Description
backupVaultId	Custom strategy	Use existing vault
backupPolicyId	Custom strategy	Use existing policy
storageAccountResourceId	Optional	Use existing SA
blobContainerName	Optional	Custom container
backupResourceGroupId	Optional	Use existing RG
tags	Optional	Apply to created resources

Built‑in validations for reliability

Before enabling backup, the CLI automatically validates:

Cluster existence
Running state
Backup compatibility
Required RBAC permissions
Resource availability (if provided)

Faster time‑to‑protection for AKS workloads

By collapsing a previously multi‑step setup into a single command:

Backup onboarding becomes automation‑friendly
Platform teams can enable protection consistently across environments
Setup errors from manual orchestration are reduced
Backup rollout across large AKS estates becomes significantly faster

What’s next

The simplified single‑command backup enablement experience introduced for AKS is part of a broader effort to make Azure Backup more automation‑friendly across cloud‑native and platform workloads.

We are actively working to extend this model to other workloads supported by Azure Backup, enabling customers to:

Configure protection using native CLI workflows
Reduce onboarding complexity across backup‑supported resources
Integrate backup enablement seamlessly into CI/CD pipelines
Achieve faster time‑to‑protection across heterogeneous environments

Over time, customers can expect similar single‑command backup configuration experiences for additional Azure Backup‑supported workloads — bringing consistency and ease of adoption across their backup strategy.

For more information, see how to configure AKS backup using a single CLI command.

Announcing Public Preview for Essential Machine Management

Meagan McCrory — Mon, 06 Apr 2026 18:54:19 GMT

Managing servers and VMs across Azure, on premises, and multi-cloud environments often means turning on core capabilities—monitoring, updates, inventory, and configuration—through separate setup experiences. We’ve heard feedback that this makes it harder to get visibility into machine state and take actions.

We’re excited to announce the public preview of Essential Machine Management experience within Compute Infrastructure Hub—a new entry point in Azure that streamlines onboarding for machines at scale and enables basic management capabilities. Start once at subscription scope, get a clear view of what’s turned on, and move from setup to operations faster across your Azure and cloud and hybrid estate.

What is Essential Machine Management?

Essential Machine Management is a centralized onboarding experience that helps customers enroll their machines into a set of selected cloud-native management services from Azure in a simple, scalable way,

Instead of enabling monitoring, updates, inventory, and configuration independently per machine, Essential Machine Management allows you to enroll entire subscriptions at once, including both Azure Virtual Machines and Azure Arc–enabled servers. These services are pre-configured with best practices, enabling customers with out-of-the-box value right away.

Once enrolled, current and future machines in the selected subscriptions are automatically onboarded to the enabled management services, helping ensure consistent visibility and operational coverage from day one.

What management capabilities are enabled?

Using Essential Machine Management, you can quickly onboard machines to multiple Azure management capabilities, including:

Monitoring insights and recommended alerts for machine health and performance
Azure Update Manager to help keep machines secure and compliant
Change tracking and inventory for visibility and auditability
Machine configuration for managing in-machine configuration, compliance and security
Azure Security baseline policy is a set of tailored rules to assess your machine's security posture

These services help keep your infrastructure secure and healthy.

How much does it cost?

Azure VMs: For Azure Virtual Machines only, capabilities enabled by Essential Machine Management are provided at no additional charge.

Azure Arc-enabled servers:

For Azure Arc-enabled servers with Windows Server Software Assurance, Windows Server PayGo, and Windows Server Extended Security Updates, capabilities enabled by Essential Machine Management are provided at no additional charge.
For all other Arc-enabled servers, Essential Machine Management will be priced at $9 per server per month once billing is enabled. See more details here.

Getting started

If you manage Azure VMs or Arc-enabled servers and are looking to simplify how you onboard and manage machines at scale, Essential Machine Management feature is now available for you to try in public preview. Check out the preview in the Azure Portal under Compute infrastructure --> Monitoring + Operations --> Essential Machine Management (preview):

Check out Essential Machine Management now and reach out to machineenrollmentsupport@microsoft.com for any feedback or support. Learn more about Essential Machine Management here.

Azure Policy: Required Actions for Docker Content Trust Deprecation in Azure Container Registry

ShannonHicks — Wed, 17 Dec 2025 22:36:46 GMT

As Azure evolves, certain features are deprecated to streamline services and improve security and performance. One such upcoming change is the deprecation of the Docker Content Trust (DCT) feature in Azure Container Registry (ACR) which is ongoing over a three-year period. This change will eventually remove the trustPolicy property from underling APIs.

This blog post explains what is changing, the potential impact on your Azure Policy environment, and steps you can take to mitigate disruption.

What is Changing?

The Docker Content Trust (DCT) feature in ACR is being deprecated. As part of this process:
- The trustPolicy property will be removed from ARM APIs in a future version.
- The Azure Policy aliases referencing this property will eventually be impacted.
Affected aliases include:
- Microsoft.ContainerRegistry/registries/trustPolicy
- Microsoft.ContainerRegistry/registries/trustPolicy.type
- Microsoft.ContainerRegistry/registries/trustPolicy.status
Key findings:
- No built-in policy definitions currently use these aliases, so no built-ins will be deprecated because of this feature deprecation.
- The alias trustPolicy.status is modifiable, so any active modify policies targeting this property will break when the property is removed. This alias will be removed.

Impacts on Azure Policy

If you have active policy assignments referencing these aliases, you will need to update or remove them during the deprecation period to avoid future compliance issues:

Existing policies will eventually become non-compliant for any new ACR resources. For example, if a policy assignment requires trustPolicy to be enabled (Microsoft.ContainerRegistry/registries/trustPolicy.status == "enabled"), but the ACR trustPolicy property can no longer be set due to deprecation, then any new ACRs created after that point will automatically be noncompliant with the policy.
Policies using the modifiable alias (trustPolicy.status) will fail when the alias is deleted or marked non-modifiable at the end of the deprecation period.

Steps to Mitigate the Impact

To ensure a smooth transition:

Identify Affected Policies and Assignments: Locate any custom policy definitions in your environment referencing the affected aliases.
Update Policy Definitions: Remove or replace references to trustPolicy properties in your policy definitions. If the policy's only purpose is to evaluate the ACR trustPolicy, consider removing the definition altogether.
Test and Validate: After updating policies, validate that they enforce compliance as intended without relying on deprecated properties.
Monitor for Updates: Stay informed by monitoring Azure Container Registry retirement documentation for more details on transitioning from Docker Content Trust to Notary Project.

Announcing General Availability for Azure Resource Graph (ARG) GET/LIST API

JaspreetKaur — Wed, 03 Dec 2025 04:39:28 GMT

ARG GET/LIST API delivers 10X higher throttling quotas to callers compared to ARG query unlocking a more scalable, resilient way to perform resource lookups in Azure. ARG GET/LIST API is a new platform capability within Azure Resource Graph that provides a high-performance experience for both Point GET and collection GET requests. A key advantage of this capability is its ability to significantly reduce READ throttling for high volume calls efficiently. This is made possible through intelligent control plane routing based on a query parameter controlled by the caller. When a specific query parameter is included, requests are automatically directed to this optimized ARG GET/LIST backend. When the parameter is omitted, requests flow to the Resource provider —ensuring flexibility and backward compatibility.

What Challenge Are We Addressing?

Azure Read Throttling is a significant challenge for many customers. When services hit throttling limits, applications may experience performance degradation, elevated latency, or even failed requests—issues that can disrupt critical workloads and customer operations.

The ARG GET/LIST API is designed to directly address this problem. By routing GET and LIST calls through Azure Resource Graph’s scalable indexing infrastructure and intelligent control-plane routing, it dramatically reduces the likelihood of read throttling. Best of all, it follows the ARM control plane GET APIs request response contract, allowing you to benefit from improved performance and reliability with minimal effort, appending the flag “useResourceGraph=true”.

When to use Azure Resource Graph (ARG) GET/LIST API

The ARG GET/LIST API is designed for scenarios where you need to retrieve a single resource by its ID or list resources of the same type within a defined scope—whether that's a subscription, resource group, or parent resource.

You should consider using the ARG GET/LIST API if your service fits into one or more of the following categories:

High Volume of GET Calls Within a Single Scope:
Your service issues a large number of GET requests targeting resources within a single subscription or resource group, without the need for cross-subscription queries, complex filters, or joins.
Risk of Throttling or Quota Competition:
Your service produces a high volume of requests and may encounter issues such as::
- Experience throttling during sudden traffic spikes.
- Quota competition, where other workloads in the same subscription consume shared quota limits, causing your service to be throttled.
- Bursty traffic patterns, where large volume of GET requests are issued within a short time window, increasing the chance of throttling.
Need for High Availability and Faster Performance:
Your service depends on consistent; low-latency GET operations for either single-resource lookups or listing resources within a specific scope

Note: The ARG GET/LIST API is currently supported only for resources in the resources and computeresources tables.

Using the ARG GET/LIST API

To get started with the ARG GET/LIST API, begin by assessing whether your scenario aligns with the recommended calling patterns and throttling considerations described earlier. Once confirmed, simply append the parameter &useResourceGraph=true to your eligible GET/LIST API calls. This flag routes your request through the Azure Resource Graph GET/LIST API backend, allowing you to take advantage of its optimized performance and query efficiency. No calls will route to ARG GET/LIST backend automatically. The switch is entirely in the user’s control—the call will route to ARG GET/LIST API only when you explicitly include the useResourceGraph=true parameter in your request.

Follow the ARG GET/LIST API contract here - Azure Resource Graph GET/LIST API Guidance - Azure Resource Graph | Microsoft Learn

Let’s walk through a simple example of retrieving a Virtual Machine (VM) along with its InstanceView through ARG Query vs. ARM API vs. ARG GET/LIST API to show the difference in the calling experience.

Using an ARG Query (via ARG Explorer)

In ARG Explorer, you can use Kusto Query Language (KQL) to query resources.
A sample query to retrieve a specific VM looks like this:

Resources | where type =~ 'microsoft.compute/virtualmachines' | where id =~ '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}'

This query filters the Resource Graph index to return the VM resource.

Using the ARM (Compute RP) API

The equivalent ARM API call to retrieve the VM with InstanceView is:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}?api-version=2024-07-01&$expand=instanceView

This hits the Compute Resource Provider, pulls the VM state, and expands the instanceView section.

Using the ARG GET/LIST API

ARG GET/LIST APIs that follow the same request structure as ARM—but with an additional flag that routes the call through ARG:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}?api-version=2024-07-01&$expand=instanceView&useResourceGraph=true

The important distinction here is the useResourceGraph=true parameter, which routes the call through ARM to serve the response through ARG’s GET/LIST backend.

Sample Response -

You can find more examples in our documentation - Azure Resource Graph GET/LIST API Guidance - Azure Resource Graph | Microsoft Learn

Video Walkthrough

Increase Throttling Quota via Azure Resource Graph

Learn More

Azure Resource Graph GET/LIST API Overview

Known Limitations

Frequently Asked Questions

Share Your Feedback

For questions and feedback, you can reach us at Azure Resource Graph team 
Share Product feedback and ideas with us at Azure Governance · Community

Happy Querying!

Azure Governance @ Ignite 2025

jodiboone — Sat, 22 Nov 2025 01:24:16 GMT

Recap: Azure Governance @ Ignite 2025

Azure governance is thrilled to be back at ignite this year with some exciting updates. In this blog we will be sharing highlights from the session, overviews on new releases, and links on how you can get started using governance products including Azure Policy & Service Groups to maintain a well governed environment where you can deploy secure applications. Make sure to catch the recording if you missed it to see how Microsoft deploys these products in practice!

Service Groups

Service groups is the newest product in the Azure governance suite allowing you to maintain more dynamic and flexible resource hierarchies. To recap, service groups provide:

Low Privilege Management: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access and appealing to multiple personas. Access to a Service Group does not grant role-based access control or policy inheritance to its members.
Flexible and Varying Hierarchies: Azure resources and scopes, from anywhere in the tenant, can become members of one or multiple service groups. Additionally, Service Groups can be nested providing the ability to have multiple hierarchy structures, i.e. Cost Center, Product, Organization, and more!

Service groups has recently gone Public Preview and this year at ignite we are excited to announce new integrations including,

Azure Monitoring

Azure Resiliency

Stay tuned for future integrations and get started using service groups today at: aka.ms//servicegroups

Azure Policy

This ignite we are excited to showcase new releases enriching the power of the policy language and improving ease of use through major UX improvements.

To start off, we announced our public preview for Identity Based Exemptions, a new type of exemption resource that targets the callers service principal versus the scope on which the exemption is applied. Allowing admins to place targeted exemptions for approved service principals, to avoid over exempting without interrupting business critical workflows.

New Home Page Experience!

As the policy framework has expanded, the focus of your policy management has expanded beyond just compliance, to other aspects of the policy deployment lifecycle, including exemptions & remediations. We also know that one size does not fit all, so we are excited to release a new Azure policy UX landing page that provides a refreshed view on compliance, policy status, and will showcase how to get started using new primitives & releases. Try it out and let us know what you think!

Machine Configuration Customizable Baselines

The Azure Windows and Azure Linux baselines have provided a standard set of guidance for how to configure server operating systems in Azure. To make these baselines more relevant to changing regulatory standards & business goals, we’re

releasing an extensibility framework to make it easier than ever to deploy custom Azure baselines through Azure policy & Machine configuration.
Aligning the baseline content to be aligned with CIS across our supported distributions

Getting started is easy, select the baseline that you’re interested in applying and adjust any settings based on business requirements.

For more details on getting started visit: aka.ms//machinebaselines

Optimize Your Cloud Environment Using Agentic AI

riteshkini — Tue, 18 Nov 2025 16:20:32 GMT

In today’s cloud-first world, optimization is no longer a luxury—it’s a strategic imperative. As IT professionals and developers navigate increasingly complex environments, the need to reduce costs, improve sustainability, and accelerate decision-making has never been more urgent.

At Ignite 2025, Microsoft is introducing a new wave of agentic capabilities within Azure Copilot—one of the key capabilities includes the optimization agent, designed to help you identify, validate, and act on opportunities to streamline cloud operations. For FinOps teams, this agent becomes especially powerful, enabling cost governance, carbon insights, and actionable recommendations to maximize financial efficiency at scale.

From Complexity to Clarity

For users familiar with Azure’s cost and performance tools, the new operations center experience in the Azure Portal provides a unified agentic experience to monitor spend and carbon emissions side by side, surface the most critical optimization opportunities, and seamlessly trigger actions by invoking the Optimization agent—bringing governance, efficiency, and sustainability into one streamlined experience.

What’s New in Optimization

The optimization agent in Azure Copilot empowers teams to:

Identify top actions prioritized by impact, cost savings, and ease of implementation.
Evaluate cost and carbon impacts side-by-side, helping you make informed decisions that align with financial and sustainability goals.
Validate recommendations with supporting evidence, current / projected utilization trends, and alternative SKU choices.
Accelerate implementation with step-by-step guidance and agentic workflows that reduce toil and increase confidence.

These capabilities are designed to scale FinOps impact, enabling collaboration across engineering, finance, procurement, and sustainability teams—all within a unified experience.

A Day in the Life: FinOps in Action

Let’s step into the shoes of a FinOps practitioner at a large enterprise navigating the complexities of cost management.

It’s Monday morning. Over the weekend, a set of development VMs were left running, quietly accumulating costs. The optimization agent—a capability within Azure Copilot—surfaces a top action: resize or shut down the idle resources. With a few clicks, the practitioner reviews the supporting evidence, including usage trends, cost impact, and carbon footprint. The agent offers visibility over alternative SKUs and guides the practitioner through a step-by-step implementation—all within the same interface.

But it doesn’t stop there. For teams that prefer automation or scripting, the agent also generates Azure CLI and PowerShell scripts tailored to the recommended action. This gives practitioners flexibility: they can execute changes directly in the portal or integrate scripts into their existing workflows for repeatability and scale. The experience is seamless—every recommendation is actionable, verifiable, and aligned with enterprise policy.

By midweek, the practitioner has implemented multiple optimizations without leaving the console or writing custom code. Each action is logged for audit visibility, ensuring compliance and transparency across the organization. What used to take hours of manual investigation and coordination now happens in minutes, freeing the team to focus on strategic initiatives rather than firefighting cost overruns.

Why It Matters

These aren’t just features—they’re answers to the pain points customers have been voicing for years.

Cost visibility and predictability: Azure Copilot centralizes insights across subscriptions, helping teams avoid surprise bills and understand where every dollar goes.
Resource inefficiencies: The optimization agent proactively identifies underutilized resources and guide teams to act before costs escalate.
Scalability and complexity: Azure Copilot’s unified experience simplifies operations for even the most complex setups.

Azure Copilot isn’t just simplifying cloud operations—it’s transforming how teams collaborate, govern, and optimize.

Get Started at Ignite

At Ignite 2025, you’ll get hands-on with Azure Copilot’s optimization capabilities. Explore how intelligent assistance can help you:

Reduce cloud costs
Improve sustainability metrics
Strengthen governance and compliance
Drive better outcomes—faster

Azure Copilot: turning cloud operations into intelligent collaboration. Sign up for the Agents in Azure Copilot Limited (Preview) and try the experience today.

Improve your resiliency posture with new capabilities and intelligent assistance

rochakm — Tue, 18 Nov 2025 16:36:10 GMT

In today’s cloud-first world, resilience isn’t optional—it’s mission-critical. The next phase of cloud operations is about simplifying workflows, enhancing control, and removing friction from daily work. At Microsoft Ignite 2025, Azure is redefining resiliency with expanded capabilities to include Infrastructure Resiliency, Data Resiliency, and Cyber Recovery with AI-powered innovations designed to help you maintain uninterrupted business continuity.

Introducing the resiliency agent in Azure Copilot

With natural language guidance and automated actions, we are announcing the preview of the resiliency agent in Azure Copilot which helps you assess your current posture, fix gaps with intelligent automation, and continuously monitor your environment to keep critical workloads safe from disruptions.

Infra Resiliency: Leverage Guided Experiences to Become Zonally Resilient

The new Infrastructure resiliency experiences are designed to keep your critical applications running—even during unexpected zonal outages. These new capabilities empower you to actively assess and improve your architecture and continuously validate your resiliency posture.

Leverage at-scale views across Resources and Service Groups to uncover resiliency blind spots and prioritize remediation. Set resilience targets for your key workloads and invoke the resiliency agent from the operations center in Azure to proactively find resources (like virtual networks or firewalls) that are deployed in only one availability zone and could become single points of failure. Once identified the agent will highlight which resources aren’t zone-resilient and the risks they pose, such as potential downtime or IP address changes during a zone failure, enabling you to prioritize the most crucial gaps first. Then with a click, the agent will generate ready-to-run scripts (or commands) to distribute those resources across zones to address configuration drift and strengthen architecture. This guided automation ensures that even if an entire Azure zone goes down, your application stays up.

You can then validate readiness with built-in failure scenario drill templates (e.g., simulating a full availability zone outage) and proactively test failover behaviors without impacting production using default faults or custom runbooks. Create predefined recovery plans that sequence the failover of your application’s components during test drills or actual failovers and execute them with a single click to automatically fail over workloads to another Availability Zone. Track failover progress in real time, monitor key performance metrics, and export attestation reports for compliance and audit readiness.

By streamlining what used to require multiple tools and significant expertise, you can utilize proactive insights, automated recovery, and continuous validation, to confidently strengthen your architecture, maintain operational continuity, and achieve high availability by design without the usual complexity.

Beyond Infrastructure: Data and Cyber Recovery

The expanded resiliency experiences go beyond infrastructure, bringing in powerful new & existing capabilities that help you stay protected and recover fast, whether it's meeting your RPO and RTO goals through smarter data protection or defending against ransomware with built-in cyber-recovery. At Ignite, we’re excited to showcase new innovations designed to help you strengthen your business continuity strategy and stay ahead of evolving threats.

Data Resiliency: Fortify your Cloud Data with enhanced workload protection & disaster recovery

Never get caught without a backup plan. Azure Backup is evolving toward application-centric recovery, expanding coverage to protect critical cloud-native workloads that power enterprise data apps. As part of this journey, we’re introducing vaulted backups for ADLS Gen2—a native, secure, and managed solution that safeguards data against deletion, corruption, and malicious threats. Additionally, agentless backup for Windows and Linux VMs is now available, offering crash-consistent protection across multiple disks with high-frequency, lightweight backups. This makes it ideal for performance-sensitive workloads such as databases, delivering reliable protection with minimal operational overhead.

And rather than manually checking each service or using separate dashboards for backups and disaster recovery, you can ask the resiliency agent to summarize your backup coverage across both primary and secondary regions. It will report which virtual machines, databases, or other resources are already backed up and replicating, and which ones might need attention. With granular recovery, long-term retention for compliance, and enterprise-grade management through the Resiliency blade in Azure, you can confidently ensure business continuity across your most vital workloads.

As part of our continued investment in resilience and scale, Azure Site Recovery now offers a suite of powerful enhancements to support enterprise-grade disaster recovery. Capacity Guidance now provides alternative VM size recommendations during failovers to improve allocation success in target regions. ASR now supports up to 5x churn (500 MB/s per VM), enabling protection of high IOPS workloads and ensuring robust recovery for data-intensive applications. We’ve also expanded disk support with Premium SSD v2 and Ultra Disks now fully supported, allowing seamless protection of performance-critical workloads across Azure regions. Finally, ASR enables failback from Azure VMs to on-premises Hyper-V even when the original replication used a storage account and the failed-over VM was converted to managed disks, offering greater flexibility and control in hybrid recovery scenarios.

For any critical resource that needs failover and failback capabilities, the agent can recommend the next step, like enabling Azure Site Recovery for cross-region replication. By turning on Site Recovery (with the agent’s guidance), you add a second layer of protection: if your primary region suffers an outage, those critical VMs can fail over to a secondary region with minimal downtime. In short, the resiliency agent ensures your data meets your business continuity goals. It helps you balance recovery point objectives (keeping data loss to a minimum with frequent backups) and recovery time objectives (restoring services quickly via failover). Through Copilot’s conversational interface, you can instantly get answers like “Are all my tier-1 workloads protected in a secondary region?” and follow prompts to fill any gaps reducing the need to hunt through multiple tools. The result is a cloud estate that’s not only backed up, but truly disaster-ready.

Cyber Recovery: Safeguard your critical data against Ransomware Attacks

Fortify your backups against cyber threats. Strengthen your organization’s cyber recovery with Azure Backup’s Vault Soft Delete. This feature is enabled by default across all Recovery Services Vaults and ensures that backups remain recoverable for at least 14 days, even in the event of accidental or malicious deletions. It applies comprehensively to vaults, containers, backup items, and recovery points, offering robust protection against ransomware threats.

The resiliency agent in Azure helps guard your backup data and recovery systems so they remain reliable even if attackers strike. It continuously reviews the security posture of your Recovery Services Vaults (where your backups are stored) and other protection settings. If it finds that any backup vault is missing critical safeguards—say, if soft-delete or immutability isn’t enabled—it will alert you and recommend enabling them. Through the Copilot interface, you can simply ask something like “How secure are my backups?” and the agent may respond with a summary like: “4 of 5 backup vaults have soft-delete and immutability on. One vault needs immutability; enable it now?” You can then approve the suggestion, and the agent will automatically apply the setting or provide a script to do so. Through intelligent guidance and recommendations, the resiliency agent ensures your backups are tamper-proof and ready to restore. Therefore, even if a ransomware attack or accidental deletion hits your environment, you’ll have clean, safe backups to recover from. In essence, the agent helps make sure that when trouble comes, your last line of defense, your backup, remains intact and readily available.

Additionally, Azure Backup now also integrates with Microsoft Defender for Cloud (MDC) to enhance the security of Azure VM backups. With a one-time setup via Defender for Servers, Azure Backup automatically assesses the health of recovery points at the time of snapshot creation using Defender signals. This marks a significant step toward proactive threat detection in backups, helping organizations strengthen their overall cyber resilience posture.

Together, data resiliency and cyber recovery form a unified defense strategy that ensures enterprise-grade protection across the full spectrum of threats—from accidental data loss to sophisticated ransomware attacks. By combining deep workload-aware backup and disaster recovery with proactive threat detection and secure retention, Azure empowers organizations to safeguard critical data assets and recover swiftly with confidence. This integrated approach not only meets business continuity goals but also strengthens security posture, delivering resilient-by-default coverage for modern cloud environments.

Next Steps

Azure is reaffirming its commitment to enterprise resilience. Whether it’s a datacenter outage, a cyberattack, or a zonal disaster, your applications and data can keep running and recover swiftly.

Join us at Ignite 2025:

Connect with Microsoft experts at the Azure Copilot, Operations, and Management expert meet-up booth to get your questions answered.

Additional Resources:

Learn more about specialized agents across the entire cloud management lifecycle: Introducing Azure Copilot
Sign up for the preview of Azure Copilot here
Read about best practices about how to start, get, and stay resilient here
Explore Resiliency features in Azure and join us in this journey from reactive recovery to proactive resilience here
Explore new Learn documentation here

[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration

mutemwamasheke — Thu, 13 Nov 2025 17:20:06 GMT

Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.

We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature empowers you to tailor industry security benchmarks—such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux —to align with your organization’s unique compliance standards across both Azure and Arc-connected machines. This feature builds on top of our existing audit baseline capabilities for Windows and Linux.

Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration.

What's New?

Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements.

This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run.

Baselines Customization Experience in Azure Policy

Key Scenarios

Baseline Customization

Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration.
You can:

Enable, exclude, or adjust rules from existing benchmarks
Apply organization-specific parameters
Export your custom configuration as a downloadable JSON file

Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration.

Assign Audit Policies

When you assign a baseline via Azure Policy, it automatically:

Evaluates configurations against your defined standards
Reports compliance in near real time
Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view

This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead.

Integration and Automation

Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows.
Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using:

Azure CLI
ARM templates
Bicep
CI/CD automation

This ensures reproducible, traceable compliance configurations across environments.

Supported Standards

Standard	Description
CIS Linux Benchmarks	Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions.
Azure Compute Security Baseline for Windows	Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance.
Azure Compute Security Baseline for Linux	Enforces consistent controls aligned with Azure Compute recommendations.

Availability

Customizable security baselines are available in all public Azure regions.

NOTE:
Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview.

Getting Started

Prerequisites

Before you begin:

Deploy the Azure Machine Configuration prerequisite policy initiative.
(This installs the required Guest Configuration extension on supported VMs.)
Ensure your Azure subscription or management group includes supported Windows or Linux VMs.
Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions.

Step-by-Step Guidance

Select a baseline from the Machine Configuration tab in Azure Policy.
Modify settings to enable, exclude, or parameterize rules to match your internal policies.
Download JSON to export your customized baseline configuration file for programmatic and repeatable customization.
Assign the policy which can be deployed through the Azure portal, CLI, or your CI/CD pipeline.
Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page.

Learn More

Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.

Empower Smarter AI Agent Investments

Fernando_Vasconcellos — Wed, 05 Nov 2025 14:46:02 GMT

This curated series of modules is designed to equip technical and business decision-makers, including IT, developers, engineers, AI engineers, administrators, solution architects, business analysts, and technology managers, with the practical knowledge and guidance needed to make cost-conscious decisions at every stage of the AI agent journey.

From identifying high-impact use cases and understanding cost drivers, to forecating ROI, adopting best practices, designing scalable and effective architectures, and optimizing ongoing investments, this learning path provides actionable guidance for building, deploying, and managing AI agents on Azure with confidence. Whether you’re just starting your AI journey or looking to scale enterprise adoption, these modules will help you align innovation with financial discipline, ensuring your AI agent initiatives deliver sustainable value and long-term success.

Discover the full learning path here: aka.ms/Cost-Efficient-AI-Agents

Explore the sections below for an overview of each module included in this learning path, highlighting the core concepts, practical strategies, and actionable insights designed to help you maximize the value of AI agent investments on Azure:

Module 1: Identify and Prioritize High-Impact, Cost-Effective AI Agent Use Cases

The journey begins with a strategic approach to selecting AI agent use cases that maximize business impact and cost efficiency. This module introduces a structured framework for researching proven use cases, collaborating across teams, and defining KPIs to evaluate feasibility and ROI. You’ll learn how to target “quick wins” while ensuring alignment with organizational goals and resource constraints. Explore this module

Module 2: Understand the Key Cost Drivers of AI Agents

Building on the foundation of use case selection, Module 2 dives into the core cost drivers of AI agent development and operations on Azure. It covers infrastructure, integration, data quality, team expertise, and ongoing operational expenses, offering actionable strategies to optimize spending at every stage. The module emphasizes right-sizing resources, efficient data preparation, and leveraging Microsoft tools to streamline development and ensure sustainable, scalable success. Explore this module

Module 3: Forecast the Return on Investment (ROI) of AI agents

With a clear understanding of costs, the next step is to quantify value. Module 3 empowers both business and technical leaders with practical frameworks for forecasting and communicating ROI, even without a finance background. Through step-by-step guides and real-world examples, you’ll learn to measure tangible and intangible outcomes, apply NPV calculations, and use sensitivity analysis to prioritize AI investments that align with broader organizational objectives. Explore this module

Module 4: Implement Best Practices to Empower AI Agent Efficiency and Ensure Long-Term Success

To drive efficiency and governance at scale, Module 4 introduces essential frameworks such as the AI Center of Excellence (CoE), FinOps, GenAI Ops, the Cloud Adoption Framework (CAF), and the Well-Architected Framework (WAF). These best practices help organizations accelerate adoption, optimize resources, and foster operational excellence, ensuring AI agents deliver measurable value, remain secure, and support sustainable enterprise growth. Explore this module

Module 5: Maximize Cost Efficiency by Choosing the Right AI Agent Development Approach

Selecting the right development approach is critical for balancing speed, customization, and cost. In Module 5, you’ll learn how to align business needs and technical skills with SaaS, PaaS, or IaaS options, empowering both business users and developers to efficiently build, deploy, and manage AI agents. The module also highlights how Microsoft Copilot Studio, Visual Studio, and Azure AI Foundry can help your organization achieve its goals. Explore this module

Module 6: Architect Scalable and Cost-Efficient AI Agent Solutions on Azure

As your AI initiatives grow, architectural choices become paramount. Module 6 explores how to leverage Azure Landing Zones and reference architectures for secure, well-governed, and cost-optimized deployments. It compares single-agent and multi-agent systems, highlights strategies for cost-aware model selection, and details best practices for governance, tagging, and pricing, ensuring your AI solutions remain flexible, resilient, and financially sustainable. Explore this module

Module 7: Manage and Optimize AI Agent Investments on Azure

The learn path concludes with a focus on operational excellence. Module 7 provides guidance on monitoring agent performance and spending using Azure AI Foundry Observability, Azure Monitor Application Insights, and Microsoft Cost Management. Learn how to track key metrics, set budgets, receive real-time alerts, and optimize resource allocation, empowering your organization to maximize ROI, stay within budget, and deliver ongoing business value. Explore this module

Ready to accelerate your AI agent journey with financial confidence?
Start exploring the new learning path and unlock proven strategies to maximize the cost efficiency of your AI agents on Azure, transforming innovation into measurable, sustainable business success.

Get started today

AMBA-ALZ pattern: Learn about the latest and greatest enhancements!

BrunoGabrielli — Wed, 08 Oct 2025 13:49:40 GMT

Hello AMBA-ALZ customers,

after some time since our last Time for new exciting news about AMBA-ALZ pattern! blog post it again time for some exciting news.

We are very thrilled to share that in September 2025 we were able to reach 2 important goals, both of them enhancing both the Azure platform and the ALZ pattern . In summary we've been working on the :

Adoption of new Azure Service Health built-in policy (see the announcing blog post 🚨 Azure Service Health Built-In Policy (Preview) – Now Available!)
Adoption of the new least privileged "Monitoring Policy Contributor" Azure role for the System Assigned Managed Identities created by AMBA-ALZ deployment

Adoption of Azure Service Health built-in policy

Adopting the new built-in policy, available as of release 2025-10-01, allowed us to address situations where customers only permit the use of built-in policies with a consequent increase of trust in the AMBA-ALZ pattern. We combined with the Service Health Product team to ensure feature parity between the Azure native policy and the previous custom version available in AMBA-ALZ.

The new built-in policy, called "Configure subscriptions to enable service health alert monitoring rule", has been added to the new "Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) for Service Health and Resource Health" initiative together with the previous Resource Health custom policy

Updating to the version that includes the built-in policy is a straightforward process. For new deployments, there's nothing to do since this is going to be the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks which are clearly documented at Adopt the new built-in Azure Service Health policy

Adoption of the new least privileged "Monitoring Policy Contributor" Azure role

As part of the ongoing security enhancements in AMBA-ALZ and following-up on some customer evidence about System Assigned Managed Identities created by AMBA being flagged as overprovisioned by Microsoft Defender for Cloud, we started a collaboration with the Azure RBAC team to create a new tailored and least privileged role. After some research, we were able to craft a new built-in role that is benefit not only for AMBA-ALZ but also for other bult-in policies (like the new Azure Service Health policy) or customer policies that aims at creating Azure Monitor alerts. This role is basically an enhancement of the existing Monitoring Contributor role with some additional permissions necessary to deploy the policies, run the remediations which includes Azure Monitor alerts and Resource Group creation.

This new role, which is designed to align with security standards, is now assigned by default to the managed identities in place of the previous Contributor role. Thanks to this effort we were able to significantly reduce the security risk surface by cutting down the number of unnecessary permissions from nearly 6,700 to just 6.

Before (with Contributor rights)		After (with Monitoring Policy Contributor)

Adopting the least privileged role is super easy. For new deployments, there's nothing to do since this is going to be the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks which are clearly documented at Adopt the new Monitoring Policy Contributor least privileged role.

So, what to do next? Visit the Introduction to deploying the AMBA-ALZ Pattern page to read more about AMBA and to find the deployment methods (Azure Portal UI, Azure CLI, Azure PowerShell, Azure Pipelines, GitHub Actions, Terraform) the best aligns with your needs/preferences and start testing out these new features.

Cloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth

Fernando_Vasconcellos — Mon, 29 Sep 2025 17:37:37 GMT

Why cost efficiency matters more than ever

In today’s digital-first economy, cost efficiency is top of mind for organizations worldwide. As businesses increasingly rely on cloud and AI technologies to drive innovation, streamline operations, and deliver customer value, the pressure to manage investments effectively has never been greater. As organizations scale their workloads, managing infrastructure expenses and usage patterns strategically becomes essential to maximizing ROI and unlocking long-term value.

Cost efficiency is not just a financial metric; it’s a critical enabler of sustainable business growth. Organizations that embrace innovation and modernization with a cost-conscious strategy are better positioned to:

Innovate faster and more confidently
Scale operations without compromising profitability
Maintain agility to adapt and thrive in dynamic market conditions
Align technology spend with business outcomes

Microsoft Azure offers a comprehensive approach to cost efficiency through its Azure Essentials framework, empowering organizations to maximize value across every stage of their cloud and AI journey.

Azure Essentials: A three-stage approach

Azure Essentials provides a structured path to help organizations plan, design, and manage their cloud and AI investments. Let’s explore each stage from a cost efficiency perspective:

Stage 1: Readiness and Foundation

This foundational phase focuses on building clarity, strategy, and skills.

Gain clarity on cloud and AI costs: Understand the cost drivers of cloud and AI workloads.
Prioritize use cases to enhance efficiency and accelerate growth: Identify high-impact use cases where cloud and AI technologies can minimize manual effort, enhance decision-making, automate workflows, and accelerate productivity and revenue growth.
Develop a strategic plan and business case: Align cloud and AI investments with business goals. Build a compelling business case that includes cost-benefit analysis and ROI projections.
Equip teams with the skills for long-term success by providing access to training and certifications that empower them to manage resources efficiently and make informed decisions.

Stage 2: Design and Govern

This phase focuses on cost-conscious, well-architected design and strong governance practices.

Evaluate cost implications throughout the design lifecycle: Consider cost efficiency during solution design, from compute choices to data storage and networking.
Implement governance policies to track and manage spending: Establish and enforce cost-related policies that promote accountability, ensure compliance, and provide visibility into cloud and AI expenditures.
Utilize proven solutions to accelerate time to market: Leverage Microsoft’s solutions, accelerators and reference architectures to reduce development time and avoid costly rework.
Design scalable architectures to maximize long-term efficiency: Build solutions that scale predictably and cost-effectively.

Stage 3: Manage and Optimize

This ongoing phase ensures continuous improvement and value realization.

Continuously monitor usage and spending patterns: Use Microsoft solutions to track resource utilization and identify anomalies.
Quantify the business value of investments: Measure ROI and outcomes to demonstrate impact, guide future decisions, and ensure alignment with strategic goals.
Develop comprehensive remediation plans: Address inefficiencies through rightsizing, automation, and workload optimization.
Maximize investments: Take advantage of pricing offers, automation, and intelligent recommendations to reduce waste without sacrificing performance.

Microsoft solutions and resources to support a cost-efficient journey

To support a cost-efficient journey, Azure Essentials guides organizations through a comprehensive ecosystem of frameworks, products, tools, programs and resources designed to help teams to plan strategically, operate efficiently, and maximize the value of their cloud and AI investments.

1. Frameworks that support cost efficiency

Frameworks play a critical role in driving cost efficiency by providing structured guidance, proven practices, and repeatable patterns that help organizations make informed decisions throughout their cloud and AI journey. These best practices reduce the risk of overspending by promoting well-governed, scalable, and optimized strategies and designs from the outset. They also help teams align technical implementation with business objectives, ensuring that every investment delivers measurable value. By leveraging frameworks like FinOps, CAF, WAF, AI Ops, and the AI Center of Excellence organizations can accelerate deployment, avoid common pitfalls, and continuously refine their approach to maximize return on investment. It’s important to note that organizations don’t necessarily need to adopt every framework listed below. Instead, they can select the ones most aligned with their goals, maturity level, and/or operational needs.

	Overview	Learn more	Get started
FinOps Framework	A collaborative framework that brings finance, engineering, and business teams together to maximize cloud and AI investments. FinOps promotes visibility, accountability, and continuous optimization.	Learn more	Get started
Cloud Adoption Framework (CAF)	CAF offers best practices, tools, and guidance for cloud adoption. It includes cost management strategies across the Azure adoption journey.	Learn more	Get started
Well-Architected Framework (WAF)	WAF helps organizations design secure, reliable, and cost-optimized workloads. The cost optimization pillar focuses on eliminating waste and maximizing value.	Learn more	Get started
AI Ops	An operational model for managing generative AI workloads. It emphasizes cost control, performance monitoring, and responsible AI practices.	Learn more	Get started
AI Center of Excellence	As AI continues to make a global impact, it’s become more important than ever to consider the best practices that will help you scale your operations responsibly and effectively.	Learn more	Get started

2. Products, tools, programs and resources that support cost efficiency

Microsoft’s suite of solutions plays a pivotal role in driving cost efficiency by helping organizations forecast costs, optimize resources, streamline operations, and accelerate innovation. These tools and solutions are designed to empower teams to accelerate adoption with greater visibility, control, and efficiency. By integrating these solutions into their strategy, organizations can make smarter decisions, improve productivity, and ensure that every dollar invested in cloud and AI delivers measurable business value.

Products and tools

	Overview	Learn more	Get started
Azure AI Foundry	Accelerates AI development with reusable components and governance tools. Reduces time-to-value and avoids redundant investments.	Learn more	Get started
Microsoft Fabric	An integrated data platform that simplifies data management and analytics. Consolidates tools and reduces infrastructure overhead.	Learn more	Get started
Copilot in Azure	AI-powered assistance that speeds up tasks, reduces errors, and improves productivity, leading to indirect cost savings.	Learn more	Get started
GitHub	Streamlines DevOps with automation and collaboration tools. GitHub Copilot helps developers write code faster and more efficiently.	Learn more	Get started
Azure Cost Management	Provides visibility into cloud spending, budget tracking, and cost analysis. Enables proactive cost control and optimization	Learn more	Get started
Azure Advisor	Offers personalized recommendations to improve performance, security, and cost efficiency. Helps identify underutilized resources and savings opportunities.	Learn more	Get started
Azure Monitor	Tracks performance and usage metrics. Helps detect inefficiencies and optimize resource allocation.	Learn more	Get started
Azure Policy	Enforces governance rules to prevent cost overruns. Ensures compliance with organizational standards.	Learn more	Get started
Azure Pricing Calculator	Helps estimate costs for planned workloads. Supports informed decision-making during design and planning.	Access	Get started
Azure Migrate	Simplifies migration planning with cost assessments and optimization recommendations. Ensures efficient transition to the cloud.	Learn more	Get started

Programs and Resources

	Overview	Learn more	Get started
Azure Accelerate	A consolidated Microsoft offering that fuels transformation with experts and investments. It is designed to drive cost efficiency across all phases of a project.	Learn more	Get started by contacting your Microsoft account representative or finding an Azure specialized partner.
Azure Architecture Center	A rich repository of reference architectures, design patterns, and best practices. It helps teams build efficient, scalable, and cost-effective solutions.	Learn more	Get started
Azure Landing Zones	Pre-configured environments that provide a scalable, secure, and governed foundation for cloud adoption, helping organizations accelerate deployment while ensuring cost efficiency through standardized architectures, automated governance, and optimized resource management.	Learn more	Get started

3. Azure pricing offers that enable cost efficiency

Azure pricing offers are essential for cost efficiency because they enable organizations to strategically manage cloud and AI spending by aligning pricing models with workload needs. Whether through long-term commitments like Azure Reservations, leveraging existing licenses via Azure Hybrid Benefit, or flexible plans such as the Azure savings plan for compute, these offers help reduce costs, improve budget predictability, and maximize the value of investments, allowing businesses to scale and innovate without overspending.

	Overview	Learn more	Get started
Azure Reservations	Commit to one- or three-year terms for virtual machines, SQL databases, and other resources. Offers significant discounts compared to pay-as-you-go pricing.	Learn more	Get started
Azure Hybrid Benefit	Allows organizations to maximize savings in their migration journey by giving a discount on server licenses and subscriptions and granting hosting and outsourcing benefits.	Learn more	Get started
AI Foundry Provisioned Throughput reservations	Strategic pricing offer for businesses using Provisioned Throughput Units (PTUs) to deploy AI models. Reservations enable businesses to reduce AI workload costs on predictable consumption patterns by locking in significant discounts compared to hourly pay-as-you-go pricing.	Learn more	Get started
Azure Savings Plan for Compute	Flexible commitment-based pricing for compute services. Automatically applies savings across eligible resources.	Learn more	Get started

4. More resources to explore

eBooks: Cost Efficiency Series

	Overview	Download
AI adoption	Learn how to achieve success with Azure AI.	Download
Cloud sustainability	Find out how to effectively manage environmental, social, and governance (ESG) goals.	Download
Cloud migration	Read the cloud migration guide for financial leaders.	Download

Interactive guides and learn modules

	Overview	Get started
Guides for FinOps practitioners	Get hands-on experience with Microsoft solutions to enable FinOps capabilities.	Get started
Azure Hybrid Benefit activation	Get hands-on experience on activating Azure Hybrid Benefit.	Get started
Azure Pricing Plan on MS Learn	This Azure Pricing Plan will help you leverage Azure pricing options and offers, resources and tools to get the most of your cloud investments and achieve your business goals at every stage of your cloud journey.	Get started

Total Economic Impact Study

	Overview	View
The Total Economic Impact™ Of Microsoft Azure Solutions That Enhance Cost Efficiency	In this study, Forrester examined the potential value enterprises may realize by deploying Azure solutions that enhance cost efficiency.	View

Cost efficiency as a catalyst for innovation and growth

In a world where digital transformation is accelerating, cost efficiency is no longer optional, it’s a strategic imperative. Azure Essentials offers a structured approach that leverages proven frameworks, solutions, tools, pricing models and other resources to help organizations:

Maximize the value of their cloud and AI investments
Drive innovation without overspending
Build resilient, scalable, and cost-efficient operations

Whether you're just beginning your journey or refining your cloud and AI strategy, Azure Essentials helps you navigate tools, guidance, and best practices to optimize performance, manage costs effectively, and unlock long-term business value.

GA: Enhanced Audit in Azure Security Baseline for Linux

AmirB — Tue, 02 Sep 2025 16:00:00 GMT

We’re thrilled to announce the General Availability (GA) of the Enhanced Azure Security Baseline for Linux—a major milestone in cloud-native security and compliance. This release brings powerful, audit-only capabilities to over 1.6 million Linux devices across all Azure regions, helping enterprise customers and IT administrators monitor and maintain secure configurations at scale.

What Is the Azure Security Baseline for Linux?

The Azure Security Baseline for Linux is a set of pre-configured security recommendations delivered through Azure Policy and Azure Machine Configuration. It enables organizations to continuously audit Linux virtual machines and Arc-enabled servers against industry-standard benchmarks—without enforcing changes or triggering auto-remediation.

This GA release focuses on enhanced audit capabilities, giving teams deep visibility into configuration drift and compliance gaps across their Linux estate. For our remediation experience, there is a limited public preview available here: What is the Azure security baseline for Linux? | Microsoft Learn

Why Enhanced Audit Matters

In today’s hybrid environments, maintaining compliance across diverse Linux distributions is a challenge. The enhanced audit mode provides:

Granular insights into each configuration check
Industry aligned benchmark for standardized security posture
Detailed rule-level reporting with evidence and context
Scalable deployment across Azure and Arc-enabled machines

Whether you're preparing for an audit, hardening your infrastructure, or simply tracking configuration drift, enhanced audit gives you the clarity and control you need—without enforcing changes.

Key Features at GA

✅ Broad Linux Distribution Support

📘 Full distro list: Supported Client Types

🔍 Industry-Aligned Audit Checks

The baseline audits over 200+ security controls per machine, aligned to industry benchmarks such as CIS. These checks cover:

OS hardening
Network and firewall configuration
SSH and remote access settings
Logging and auditing
Kernel parameters and system services

Each finding includes a description and the actual configuration state—making it easy to understand and act on.

🌐 Hybrid Cloud Coverage

The baseline works across:

Azure virtual machines
Arc-enabled servers (on-premises or other clouds)

This means you can apply a consistent compliance standard across your entire Linux estate—whether it’s in Azure, on-prem, or multi-cloud.

🧠 Powered by Azure OSConfig

The audit engine is built on the open-source Azure OSConfig framework, which performs Linux-native checks with minimal performance impact. OSConfig is modular, transparent, and optimized for scale—giving you confidence in the accuracy of audit results.

📊 Enterprise-Scale Reporting

Audit results are surfaced in:

Azure Policy compliance dashboard
Azure Resource Graph Explorer
Microsoft Defender for Cloud (Recommendations view)

You can query, export, and visualize compliance data across thousands of machines—making it easy to track progress and share insights with stakeholders.

💰 Cost

There’s no premium SKU or license required to use the audit capabilities with charges only applying to the Azure Arc managed workloads hosted on-premises or other CSP environments—making it easy to adopt across your environment.

How to Get Started

Review the Quickstart Guide
📘 Quickstart: Audit Azure Security Baseline for Linux
Assign the Built-In Policy
Search for “Linux machines should meet requirements for the Azure compute security baseline” in Azure Policy and assign it to your desired scope.
Monitor Compliance
Use Azure Policy and Resource Graph to track audit results and identify non-compliant machines.
Plan Remediation
While this release does not include auto-remediation, the detailed audit findings make it easy to plan manual or scripted fixes.

Final Thoughts

This GA release marks a major step forward in securing Linux workloads at scale. With enhanced audit now available, enterprise teams can:

Improve visibility into Linux security posture
Align with industry benchmarks
Streamline compliance reporting
Reduce risk across cloud and hybrid environments

Designing for Certainty: How Azure Capacity Reservations Safeguard Mission‑Critical Workloads

Goutham_Bandapati — Tue, 26 Aug 2025 00:31:11 GMT

Why capacity reservations matter now

Cloud isn’t running out of metal, but demand is compounding and often spikes. Resource strain shows up in specific regions, zones, and VM SKUs, especially for popular CPU families, memory-optimized sizes, and anything involving GPUs. Seasonal events (retail peaks), regulatory cutovers, emergency response, and bursty AI pipelines can trigger sudden surges. Even with healthy regional capacity, a single zone or a specific SKU can be tight. Capacity reservations acknowledge this reality and make it designable instead of probabilistic.

Root reality: Capacity is finite at the SKU-in-zone granularity, and demand arrives in waves.
Risk profile: The risk is not “no capacity in the cloud,” but “no capacity for this exact size in this exact place at this exact moment.”
Strategic move: Reserve what matters, where it matters, before you need it.

What capacity means in practice

Think of three dimensions: region, zone, and SKU. Your workload’s SLO ties to all three.

Region: The biggest pool of resources. It gives you flexibility but doesn’t guarantee availability in a specific zone.
Zone: This is where fault isolation happens and where you’ll often feel the pinch first when demand spikes.
SKU: The specific type of machine you’re asking for. This is usually the tightest constraint, especially for popular sizes like Dv5, Ev5, or anything with GPUs.

Azure Capacity Reservations let you lock capacity for a specific VM size at the regional or zonal scope and then place VMs/scale sets into that reservation.

Pay‑as‑you‑go vs capacity reservations vs reserved instances

Attribute	Pay‑as‑you‑go	Capacity Reservations	Reserved Instances
Primary purpose	Flexibility, no commitment	Guarantee availability for a VM size	Reduce price for steady usage
What it guarantees	Nothing beyond current availability	Capacity in region/zone for N of a SKU	Discount on matching usage (1‑ or 3‑year term)
Scope	Region/zone at runtime, best‑effort	Bound to region or specific zone	Billing benefit across scope rules
Commitment	None	Active while you keep it (on‑demand)	Term commitment (1 or 3 years)

Key clarifications

Capacity reservations ≠ discount tool: They exist to secure availability. You pay while the reservation is active (even if idle) because Azure is holding that capacity for you.
Reserved Instances ≠ capacity guarantee: They reduce the rate you pay when you run matching VMs, but they don’t hold hardware for you.
Together: Use Capacity Reservations to ensure the VMs can run; use Reserved Instances to lower the cost of the runtime those VMs consume.

This is universal, not just Azure

Every major cloud faces the same physics: finite hardware, localized spikes, SKU-specific constraints, and growth in high-demand families (especially GPUs). AWS offers On‑Demand Capacity Reservations; Google Cloud offers zonal reservations. The names differ; the pattern and the need are the same. If your architecture depends on “must run here, as this size, and right now,” you either design for capacity or accept availability risk.

When mission‑critical means “reserve it”

If failure to acquire capacity breaks your SLO, treat capacity as a dependency to engineer, not a variable to assume.

High-stakes cutovers and events:
- Examples: Black Friday, tax deadlines, trading close, clinical batch windows.
- Action: Pre‑reserve the exact SKU in the exact zones for the surge window.
HA across zones:
- Goal: Survive a zone failure by scaling in active zones.
- Action: Consider keeping extra capacity in each zone based on your failover plan, whether that’s N+1 or matching peak load, depending on active/active vs. active/passive.
Change windows that deallocate/recreate:
- Risk: If a VM is deallocated during maintenance, it might not get the same placement when restarted.
- Action: Associate VMs/VMSS with a capacity reservation group before deallocation.
Fixed‑SKU dependencies:
- Signal: Performance needs, licensing rules, or hardware accelerators that lock you into a specific VM family.
- Action: Reserve by SKU. If possible, define fallback SKUs and split reservations across them.
Regulated or latency‑sensitive workloads:
- Constraint: Must run in a specific zone or region due to compliance or latency.
- Action: Prefer zonal reservations to control both locality and availability.

How reserved instances complement capacity reservations

Two-layer strategy:
- Layer 1: Availability: Capacity reservations ensure your compute can be placed when needed.
- Layer 2: Economics: Reserved Instances (or Savings Plans) apply a pricing benefit to the steady‑state hours you actually run.
Practical pairing:
- Steady base load: Cover with 1/3‑year Reserved Instances for maximum savings.
- Critical surge headroom: Hold with Capacity Reservations; if the surge is predictable, you can still layer partial RI coverage aligned to expected utilization.
- Dynamic burst: Leave as pay‑as‑you‑go or use short‑lived reservations during known windows.
FinOps hygiene:
- Coverage ratios: Track RI coverage and capacity reservation utilization separately.
- Rightsizing: Align reservations to the SKU mix you truly run; shift or cancel idle capacity reservations quickly.
- Chargeback: Attribute the cost of “insurance” (capacity) to the workloads that require the SLO, separate from the cost of “fuel” (compute hours).

Conclusion

In today’s cloud landscape, resilience isn’t just redundancy; it’s about assured access to the exact resources your workload demands. Capacity Reservations remove uncertainty by guaranteeing placement, while Reserved Instances drive cost efficiency for predictable use. Together, they form a strategic duo that keeps mission‑critical services running smoothly under any demand surge. Build with both in mind, and you turn capacity from a risk into a controlled asset.

System-Assigned Identity-based Access for Machine Configuration Packages – GA on both Azure and Arc!

mutemwamasheke — Mon, 25 Aug 2025 14:30:00 GMT

We are excited to announce generally available support for System Assigned Identities to privately access configuration packages stored in Azure Storage Blobs. This feature provides a simpler alternative to using Shared Access Signature (SAS) Tokens for anonymous access and is available for use across both Azure and Arc machines. This feature builds on top of our previously released support for User Assigned Identities.

Now you have the flexibility to use either User Assigned or System Assigned Managed Identities when granting private access to packages stored in Azure Storage. Learn more about our support for User Assigned Identities here: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities

What’s new?

Custom Machine Configuration policy definitions can now automatically use the System Assigned Identity of a Virtual Machine or Arc-enabled server with Azure Storage Blob read permissions. Any machine with system-assigned identity enabled and assigned the proper role can now privately access configuration packages in Azure Storage upon assignment of the Policy.

With this release, you do not need to generate a SAS token to reference the URL to a custom package in a custom Policy definition. With this feature, you can now block anonymous access in your Azure Storage accounts where your configuration packages are stored.

Getting started

For this feature to work successfully, you first need to:

IMPORTANT: Deploy the Machine Configuration extension at scale across all virtual machines by assigning the following policy initiative: Deploy prerequisites to enable machine configuration policies on virtual machines. This a required onboarding step for Azure Machine Configuration in order to receive compliance reports.
Ensure that all the Virtual Machines or Arc-enabled servers within the intended scope of your policy have system-assigned identity enabled and granted Storage Blob Data Reader (or equivalent) permissions on the Storage Blob containing the package. See How to develop a custom machine configuration package to learn how to create and upload a custom package.
Download a minimum version of 4.10.0 of the Guest Configuration PowerShell Module to successfully use cmdlets to author a managed identity-based Machine Configuration policy.
Follow the guidance in our official documentation on how to develop a custom machine configuration package.

In order to generate the Azure Policy definition using our Guest Configuration PowerShell Module, pass in the package path into the New-GuestConfigurationPolicy cmdlet. For system-assigned identities, use the -UseSystemAssignedIdentity flag instead of specifying a managed identity resource ID. You must still include the local path of the package as a parameter to allow for package validation and hash generation.

Example PowerShell snippet:

$PolicyConfig = @{ PolicyId = '_My GUID_' ContentUri = 'https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip; DisplayName = 'My deployment policy' Description = 'My deployment policy' Path = './policies/deployIfNotExists.json' Platform = 'Windows' PolicyVersion = 1.0.0 Mode = 'ApplyAndAutoCorrect' # Required for managed identity package authoring LocalContentPath = "C:\Local\Path\To\Package" } New-GuestConfigurationPolicy @PolicyConfig -UseSystemAssignedIdentity

Example Policy definition metadata snippet:

... "metadata": { "category": "Guest Configuration", "version": "1.0.0", "requiredProviders": [ "Microsoft.GuestConfiguration" ], "guestConfiguration": { "name": "TimeZone", "version": "1.0.0", "contentType": "Custom", "contentUri": "https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip", "contentHash": "HASHVALUE", "contentManagedIdentity": "system" } , ... }

You can now pass the file path of the policy definition as an argument in the New-AzPolicyDefinition cmdlet to upload your custom policy definition to Azure! With this feature you can take advantage of the simplicity of managed identities when deploying secure configurations.

Feature Limitations

For the machine to download the assigned package and apply the policy, the Guest Configuration Agent must be version 1.29.98.0 or higher for Windows and 1.26.93.0 or higher for Linux.
To ensure successful enforcement, the generated Azure Policy definition must call the API version 2024-04-05 or later.

Learn more about Machine Configuration in the documentation.

Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge of $6/server/month. You only pay the charge once no matter how many machine configuration policies you apply to the server. If policies are assigned by Microsoft Defender for Servers Plan 2 or the policy is an Azure Security Benchmark, no charges will be incurred. Additionally, if Azure Change Tracking or Inventory Management are being used or the server is on Azure Stack HCI with Connected Machine agent version 1.13, no charges will be incurred.

Announcing Public Preview for Azure Service Groups!

kenieva — Thu, 21 Aug 2025 17:58:39 GMT

What are Service groups?

Service Groups are a new resource container enabling management and observability scenarios where flexibility in hierarchy and membership is needed. Service Groups are tenant level resources so they can have members across the tenant but do not interfere or use tenant-wide RBAC or Policy abilities.

Key Features

Low Privilege Management: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access and appealing to multiple personas. Access to a Service Group does not grant role-based access control or policy inheritance to its members.
Flexible and Varying Hierarchies: Azure resources and scopes, from anywhere in the tenant, can become members of one or multiple service groups. Additionally, Service Groups can be nested providing the ability to have multiple hierarchy structures, i.e. Cost Center, Product, Organization, and more!
Monitoring Capabilities: From your application to infrastructure health, Azure Monitor features (such as Health Models) are now available to help you troubleshoot, investigate, and monitor your Service Group.

When should I use them?

Service Groups should be leveraged in scenarios where resources sprawl across existing containers making it difficult to monitor and manage them. This is commonly found in scenarios needing to model application hierarchy, company services and workloads. Service Groups cannot be used as a deployment scope nor to manage Policy nor RBAC.

Try it out!

Quickly start with Service Groups using REST API or Azure Portal!

For more information on Service Groups, please visit aka.ms/servicegroups.

FAQ 

Do Service Groups replace existing Azure groups?   

No, Service Groups have been designed to work in parallel with existing Azure Groups. For a comparison of existing scopes, please review the scenario comparison documentation.

Who can create Service Groups?

Anyone with a valid Azure user account in a Microsoft Entra directory can leverage Service Groups!

Why are Service Groups tenant level?

Service Groups are tenant level so they can have membership from across the tenant. However, unlike pre-existing tenant level resources (i.e, Management Groups), Service Groups do not have grant users' tenant wide access.

Share Your Feedback

You can reach our team by email at azureservicegroups@microsoft.com.

Create your own Bicep Local Extension using .NET

Sydney Smith — Thu, 07 Aug 2025 14:50:37 GMT

Bicep Local Deploy can be used to author Bicep files which use Bicep extensions that are designed to run fully locally, without the need for an Azure connection. This quick start guide provides guidance for creating your own Bicep Local Extension using .NET.

For more information on Bicep Local please check out this doc and this demo.

This guide assumes you have the .NET 9 SDK installed locally, and the Bicep 0.37.4 (or higher) CLI and VSCode extension installed.

Project Scaffolding

Create a project file named MyExtension.csproj with the following contents:<Project Sdk="Microsoft.NET.Sdk"> <PropertyGroup> <OutputType>Exe</OutputType> <RootNamespace>MyExtension</RootNamespace> <AssemblyName>my-extension</AssemblyName> <IncludeNativeLibrariesForSelfExtract>true</IncludeNativeLibrariesForSelfExtract> <PublishSingleFile>true</PublishSingleFile> <SelfContained>true</SelfContained> <InvariantGlobalization>true</InvariantGlobalization> <TargetFramework>net9.0</TargetFramework> <Nullable>enable</Nullable> <ImplicitUsings>enable</ImplicitUsings> <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath> <AppendRuntimeIdentifierToOutputPath>false</AppendRuntimeIdentifierToOutputPath> </PropertyGroup> <ItemGroup> <PackageReference Include="Azure.Bicep.Local.Extension" Version="0.37.4" /> </ItemGroup> </Project>
Create a file named Program.cs with the following contents:

using Microsoft.AspNetCore.Builder; using Bicep.Local.Extension.Host.Extensions; using Microsoft.Extensions.DependencyInjection; var builder = WebApplication.CreateBuilder(); builder.AddBicepExtensionHost(args); builder.Services .AddBicepExtension( name: "MyExtension", version: "0.0.1", isSingleton: true, typeAssembly: typeof(Program).Assembly) .WithResourceHandler<MyResourceHandler>(); var app = builder.Build(); app.MapBicepExtension(); await app.RunAsync();

3. Create a file named Models.cs with the following contents:

using System.Text.Json.Serialization; using Azure.Bicep.Types.Concrete; using Bicep.Local.Extension.Types.Attributes; public enum OperationType { Uppercase, Lowercase, Reverse, } public class MyResourceIdentifiers { [TypeProperty("The resource name", ObjectTypePropertyFlags.Identifier | ObjectTypePropertyFlags.Required)] public required string Name { get; set; } } [ResourceType("MyResource")] public class MyResource : MyResourceIdentifiers { [TypeProperty("The resource operation type", ObjectTypePropertyFlags.Required)] [JsonConverter(typeof(JsonStringEnumConverter))] public OperationType? Operation { get; set; } [TypeProperty("The text output")] public string? Output { get; set; } }

4. Create a file under Handlers/MyResourceHandler.cs with the following contents:

using Bicep.Local.Extension.Host.Handlers; public class MyResourceHandler : TypedResourceHandler<MyResource, MyResourceIdentifiers> { protected override async Task<ResourceResponse> Preview(ResourceRequest request, CancellationToken cancellationToken) { await Task.CompletedTask; return GetResponse(request); } protected override async Task<ResourceResponse> CreateOrUpdate(ResourceRequest request, CancellationToken cancellationToken) { await Task.CompletedTask; request.Properties.Output = request.Properties.Operation switch { OperationType.Uppercase => request.Properties.Name.ToUpperInvariant(), OperationType.Lowercase => request.Properties.Name.ToLowerInvariant(), OperationType.Reverse => new([.. request.Properties.Name.Reverse()]), _ => throw new InvalidOperationException(), }; return GetResponse(request); } protected override MyResourceIdentifiers GetIdentifiers(MyResource properties) => new() { Name = properties.Name, }; }

Publishing your extension locally

Run the following to in the project directory to publish your extension to your local filesystem:

dotnet publish --configuration release -r osx-arm64 . dotnet publish --configuration release -r linux-x64 . dotnet publish --configuration release -r win-x64 . bicep publish-extension --bin-osx-arm64 ./bin/release/osx-arm64/publish/my-extension --bin-linux-x64 ./bin/release/linux-x64/publish/my-extension --bin-win-x64 ./bin/release/win-x64/publish/my-extension.exe --target ./bin/my-extension --force

Running your extension

Create a file named bicepconfig.json with the following contents:

{ "experimentalFeaturesEnabled": { "localDeploy": true }, "extensions": { "myextension": "./bin/my-extension" }, "implicitExtensions": [] }

2. Create a file named main.bicep with the following contents:

targetScope = 'local' extension myextension param inputText string resource foo 'MyResource' = { name: inputText operation: 'Reverse' } output outputText string = foo.output

3. Create a file named main.bicepparam with the following contents:

using 'main.bicep' param inputText = 'Please reverse me!'

4. Run the following:

bicep local-deploy main.bicepparam

You should see the following output in your terminal:

% bicep local-deploy main.bicepparam Output outputText: "!em esrever esaelP" Resource foo (Create): Succeeded Result: Succeeded

Giving feedback and getting help

Bicep Local is still under development and your feedback is critical to shaping the feature.

Please use our GitHub Repo to get support for give feedback.

Announcing GA of Bicep templates support for Microsoft Entra ID resources

Dan_Kershaw — Tue, 29 Jul 2025 15:00:00 GMT

We're thrilled to announce that Bicep templates for Microsoft Entra ID resources is generally available from July 29th, 2025. Bicep templates bring declarative infrastructure as code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.

Bicep templates for Microsoft Entra resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses declarative syntax to deploy resources typically used in DevOps and infrastructure as code solutions.

What problems does this solve?

Azure Resource Manager and Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments between two mechanisms using Azure Resource Manager or Bicep template files for Azure resources and Microsoft Graph PowerShell for Microsoft Entra ID resources.

With the Microsoft Graph Bicep GA release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.

Let's look at how this works and then we'll run through an example.

The Microsoft Graph Bicep extension

To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.

Authoring experience

You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.

Editing a Bicep file containing Microsoft Graph resources

Deploying Bicep files

Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Resource Manager, the deployments engine orchestrates the deployment of interdependent resources so they're created in the correct order, including the Microsoft Graph resources.

The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.

Deploying a Bicep file containing Microsoft Graph resources

Scenario: Using GitHub Actions to build and deploy a web app to Azure App Service

In this scenario you can configure workload identity federation and a GitHub Action workflow, so that the GitHub Action can log into Microsoft Entra, build and deploy a web app into an Azure App Service, without the use of any secrets.

GitHub Action deploys a web app to Azure App Services using a federated identity credential

You can enable a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. The template below creates an Entra ID application (to represent the GitHub Action) and configures it with a federated identity credential. When the GitHub Actions workflow requests to exchange a GitHub access token for an access token from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's issuer and subject claim values.

Bicep template declaring an application and federated identity credential for a GitHub Action, and assigning that application Azure contributor privileges

The Configure federated identity credentials for GitHub Actions contains the full end-to-end sample.

Now that we've walked you through how Bicep templates for Microsoft Graph works and demonstrated it through a scenario sample, you can start creating your own Bicep templates to meet your infrastructure as code scenario needs.

Learn more

Bicep templates for Microsoft Graph resources documentation
Try out the create and deploy your first Bicep file with Microsoft Graph resources quickstart
Explore more samples on our Microsoft Graph Bicep GitHub repo and feel free to contribute your samples too

Azure Automation: General Availability of PowerShell 7.4, Python 3.10 runbooks, Runtime Environment

Nikita_Bajaj — Tue, 29 Jul 2025 11:34:41 GMT

Azure Automation continues to evolve as a robust platform to address the dynamic needs of modern enterprises. In alignment with our commitment to provide business continuity and enhance security of our customers, we are pleased to announce a series of powerful releases. These enhancements are aimed at enabling you to retain and manage PowerShell and Python scripts on the platform over a long-term, thereby reinforcing Azure Automation’s position as a trusted service.

What's new?

General Availability of PowerShell 7.4 and Python 3.10 runtime versions.
Runtime Environment (GA), offering seamless modernization of outdated scripts to supported runtime versions.
Support for Azure CLI commands in PowerShell runbooks (GA).

These new capabilities bring tangible benefits that help you to operate more securely, efficiently, and at scale.

Key Benefits

🔄Stay Current

Run your automation on the latest, supported runtime versions and improve security, performance, and compatibility with the broader Azure ecosystem.

⚡ Faster Runbook Upgrades with Runtime Environment

Runtime Environment feature makes it easy to upgrade your existing runbooks to newer language versions without rewriting them. You can test and validate scripts in a controlled environment before switching to production, hence minimizing downtime and reducing operational risk. You can keep pace with the release cycles of PowerShell and Python while maintaining business continuity.

⏪ Rollback capability

Using Runtime environment, you can quickly revert to a previous language version in case a runbook upgrade introduces issues or unexpected behavior. This gives you the confidence to modernize your scripts while maintaining a safety net.

🎛️ Granular Control Over Execution Environment

You now have fine-grained control over the script execution environment and can easily configure the runtime language, its version, and dependent modules using Runtime environment. This flexibility allows you to tailor each environment to its specific requirements and ensure predictable, consistent execution every time.

🗂️ Efficient Code Organization

Runtime environment eliminates the pain point of managing conflicting module versions in the same Automation account. You no longer need to create multiple Automation accounts just to isolate runbooks that require different module versions. This simplifies governance and significantly reduces administrative overhead.

🌐 Expanded Automation Capabilities with Azure CLI

You can now seamlessly integrate Azure CLI commands into your PowerShell runbooks, unlocking scenarios that previously required separate tooling. This gives you the best of both worlds and more flexibility to automate management of Azure resources.

🌎 Cross-Platform Orchestration

Azure Automation is not limited to Azure - you can orchestrate workflows across on-premises, Azure, and other public clouds. This makes Azure Automation the best-in-class platform for infrastructure management in an adaptive cloud.

Resources:
Azure Automation runbook types | Microsoft Learn
Upgrade runbook to latest language version
Create PowerShell runbooks with Azure CLI commands

Note:

PowerShell 7.1 and 7.2 and Python 2.7 and 3.8 runtime versions are announced retired by parent platforms PowerShell and Python respectively. We strongly recommend upgrading outdated runbooks to latest supported language versions using Runtime environment.

For any questions or feedback, please reach out to askazureautomation@microsoft.com

🚨 Azure Service Health Built-In Policy (Preview) – Now Available!

PaulGrimley_MSFT — Fri, 25 Jul 2025 12:09:25 GMT

Resiliency is a key focus for Microsoft in making sure our customers experience minimal impact due to planned or unexpected outages that may occur. Up until now there has been no native scalable solution to provide consistent notifications across Azure subscriptions for Service Health events.

Building on the success of Azure Monitor Baseline Alerts (AMBA) where this functionality is currently available, the AMBA team has combined with the Service Health Product team to include this capability into the Azure native experience. We’re excited to announce the release of Azure Service Health Built-In Policy (Preview), a new built-in Azure Policy designed to simplify and scale the deployment of Service Health alerts across your Azure environment. This policy enables customers to automatically deploy Service Health alerts across subscriptions, ensuring consistent visibility into platform-level issues that may impact workloads. Existing subscriptions can be remediated in bulk and new Azure subscriptions, created once the Policy has been assigned, will automatically be configured for receiving Service Health alerts.

🔍 What's the purpose of this announcement?

It addresses situations where customers only permit the use of built-in policies.
It automates the setup of Service Health alerts across all subscriptions when deployed at the management group level.
It ensures consistent alert coverage for platform events.
It helps reduce manual setup and ongoing maintenance.

🛠️ What options are available with the Policy?

All the learnings from AMBA have been taken into consideration in designing and creating this policy. There are now a wide range of options available to provide flexibility based on your needs. These options are surfaced as parameters within the policy:

It audits the existing environment for compliance.
It ensures the ability to provide custom alert rules that align with the naming standards.
It gives the ability to choose the types of Service Health events to monitor.
It supports Bring-your-own Action Group, or the ability to create a new Action Group as part of the Policy assignment.
For ARM role notification, it ensures the ability to choose from a pre-set list of built-in roles for notifications.
It provides the ability to choose from email, Logic App, Event Hubs, webhook, and Azure Functions within the Action Group.
It enables naming Resource groups, and location flexibility.
It gives the ability to add Resource tags.

🧩 What about Azure Monitor Baseline Alerts?

The AMBA team have been working to incorporate the newly built-in policy into a future release. The team plans to roll this out in the next few weeks along with details for existing customers on replacing the existing AMBA custom policy. These changes will then be consumed into Azure Landing Zones.

AMBA continues to offer a wide range of alerts for both platform and workload services in addition to Service Health alerts. This announcement does not serve as a replacement for AMBA but simply compliments the AMBA solution.

📣 What’s Next?

Check out the guidance on leveraging this policy in your environment Deploy Service Health alert rules at scale using Azure Policy - Azure Service Health

Should you require support for this policy please raise a support ticket via the portal as comments raised below may not be addressed in a timely manner

A New Platform Management Group & Subscription for Security in Azure landing zone (ALZ)

jtracey93msft — Tue, 15 Jul 2025 12:17:11 GMT

At the start of 2025, during the January 2025 ALZ Community Call, we asked everyone for their feedback, via these discussions on our GitHub repo: 1898 & 1978 , on the future of Microsoft Sentinel in the Azure landing zone (ALZ) architecture as we were receiving feedback that it needed some changes and additional clarity from what ALZ was deploying and advising then.

We have now worked with customers, partners, and internal teams to figure out what we should update in ALZ around Microsoft Sentinel and Security tooling and have updated the ALZ conceptual architecture to show this.

What did ALZ advise and deploy before, by default?

Prior to these updates ALZ advised the following:

The central Log Analytics Workspace (LAW) in the Management Subscription should
- Be used to capture all logs, including security/SIEM logs
- The Microsoft Sentinel solution (called Security) should be installed upon this LAW also

And in the accelerators and tooling it deployed, by default:

The central Log Analytics Workspace (LAW) in the Management Subscription with the Microsoft Sentinel solution installed
Microsoft Sentinel had no additional configuration apart from being installed as a solution on the central LAW

What are the changes being made to ALZ from today?

Based on the feedback from the GitHub discussions and working with customers, partners and internal teams we are making the following changes:

A new dedicated Security Management Group beneath the Platform Management Group
A new dedicated Security Subscription placed in the new Security Management Group
- Nothing will be deployed into this subscription by ALZ by default. This allows:
  1. Customers & partners to deploy and manage the Microsoft Sentinel deployment how they wish to
  2. The 31-day 10GB/day free trial can be started when the customer or partner is ready to utilise it
No longer deploy the Microsoft Sentinel solution (called Security) on the central LAW in the Management Subscription
- This allows for separating of operational/platform logs from security logs, as per considerations documented in Design a Log Analytics workspace architecture

The changes have only been made to our ALZ CAF/MS Learn guidance as of now, and the changes to the accelerators and implementation tools will be made over the coming months 👍

These changes can be seen in the latest ALZ conceptual architecture snippet below

The full ALZ conceptual architecture can be seen here on MS Learn. You can also download a Visio or PDF copy of all the ALZ diagrams.

What if we have already deployed ALZ?

If you have already deployed ALZ and haven't tailored the ALZ default Management Group hierarchy to create a Security Management Group then you can now review and decide whether this is something you'd like to create and align with.

While not mandatory, this enhancement to the ALZ architecture is recommended for new customers. The previous approach remains valid; however, feedback from customers, partners, and internal teams indicates that using a dedicated Microsoft Sentinel and Log Analytics Workspace within a separate security-focused Subscription and Management Group is a common real-world practice. To reflect these real-world implementations and feedback, we’re evolving the ALZ conceptual architecture accordingly 👍

Closing

We hope you benefit from this update to the ALZ conceptual architecture. As always we welcome any feedback via our GitHub Issues

Azure Governance and Management Blog articles

Announcing One‑Command Backup Configuration for AKS with Azure Backup

The challenge with AKS backup onboarding today

A simpler way: Configure backup in one CLI command

Backup Strategy Presets

Backup Configuration JSON (Advanced Customization)

Supported Parameters

Built‑in validations for reliability

Faster time‑to‑protection for AKS workloads

What’s next

Announcing Public Preview for Essential Machine Management

What is Essential Machine Management?

What management capabilities are enabled?

How much does it cost?

Getting started

Azure Policy: Required Actions for Docker Content Trust Deprecation in Azure Container Registry

What is Changing?

Impacts on Azure Policy

Steps to Mitigate the Impact

Announcing General Availability for Azure Resource Graph (ARG) GET/LIST API

What Challenge Are We Addressing?

When to use Azure Resource Graph (ARG) GET/LIST API

High Volume of GET Calls Within a Single Scope:

Risk of Throttling or Quota Competition:

Need for High Availability and Faster Performance:

Using the ARG GET/LIST API

Video Walkthrough

Learn More

Share Your Feedback

Azure Governance @ Ignite 2025

Optimize Your Cloud Environment Using Agentic AI

From Complexity to Clarity

What’s New in Optimization

A Day in the Life: FinOps in Action

Why It Matters

Get Started at Ignite

Improve your resiliency posture with new capabilities and intelligent assistance

Introducing the resiliency agent in Azure Copilot

Infra Resiliency: Leverage Guided Experiences to Become Zonally Resilient

Beyond Infrastructure: Data and Cyber Recovery

Data Resiliency: Fortify your Cloud Data with enhanced workload protection & disaster recovery

Cyber Recovery: Safeguard your critical data against Ransomware Attacks

Next Steps

[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration

What's New?

Key Scenarios

Baseline Customization

Assign Audit Policies

Integration and Automation

Supported Standards

Availability

Getting Started

Prerequisites

Step-by-Step Guidance

Empower Smarter AI Agent Investments

Module 1: Identify and Prioritize High-Impact, Cost-Effective AI Agent Use Cases

Module 2: Understand the Key Cost Drivers of AI Agents

Module 3: Forecast the Return on Investment (ROI) of AI agents

Module 4: Implement Best Practices to Empower AI Agent Efficiency and Ensure Long-Term Success

Module 5: Maximize Cost Efficiency by Choosing the Right AI Agent Development Approach

Module 6: Architect Scalable and Cost-Efficient AI Agent Solutions on Azure

Module 7: Manage and Optimize AI Agent Investments on Azure

Get started today

AMBA-ALZ pattern: Learn about the latest and greatest enhancements!

Adoption of Azure Service Health built-in policy

Adoption of the new least privileged "Monitoring Policy Contributor" Azure role

Cloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth

Why cost efficiency matters more than ever

Azure Essentials: A three-stage approach

Microsoft solutions and resources to support a cost-efficient journey

Cost efficiency as a catalyst for innovation and growth

GA: Enhanced Audit in Azure Security Baseline for Linux

What Is the Azure Security Baseline for Linux?

Why Enhanced Audit Matters

Key Features at GA

✅ Broad Linux Distribution Support

🔍 Industry-Aligned Audit Checks

🌐 Hybrid Cloud Coverage

🧠 Powered by Azure OSConfig

📊 Enterprise-Scale Reporting

FAQ 