Azure Governance and Management Blog articles

[Preview] CIS Benchmarks on Azure; Now for Windows Server

AmirB — Thu, 28 May 2026 23:33:29 GMT

For customers with machines managed by Azure (i.e., Arc-enabled machines and Azure VMs), last year we delivered built-in CIS Benchmarks for Linux. The feedback has been clear: “Excellent, now do Windows.”

Today we're announcing that built-in CIS Benchmarks for Windows Server are coming to Azure Policy and Machine Configuration as well.

Supported Edition: The initial preview supports Windows Server 2025 only. Additional Windows Server editions are planned for future releases.

Familiar workflow

If you've already adopted the new Machine Configuration catalog experience with CIS benchmarks for Linux, the Windows rollout will feel familiar.

Also consistent across Windows and Linux are:

Full parity with official CIS Benchmarks content - precision translation from CIS formats to Machine Configuration formats
Flexible configuration - adjust parameters, exclude settings
Compliance as code - your benchmark selections and customizations can be exported as JSON to support versioning, approval workflows, and even file-centric deployment patterns like GitOps, build pipelines, etc.
Single policy/assignment compatibility with Azure VMs and Arc-enabled machines); no need to handle Azure VMs one way and Arc machine another
Audit-first - Public Preview starts in audit-only mode; remediation and enforcement come next (see below).

Windows specifics

While we strive for consistency, we also strive to nail platform specific details. For instance, the new experience automatically handles heterogenous Windows fleet nuances such as:

Variation in CIS recommended settings by OS version (when available)
Variation in CIS recommended settings by role (domain controller, member server)
Variation in management APIs by OS version

What's next?

Beyond the current preview, we are focusing on:

Granular per-rule auto-remediation / enforcement so you can safely gradually increase security and compliance across your fleet
Retiring overlapping policy definitions in Azure; for example, unmaintained implementations of older CIS benchmarks, and so on
Adding STIG and other industry baseline coverage, so a single Azure control plane can manage your end-to-end compliance posture.

Get Started

Watch for aka.ms/cis-windows-azure to go live for enablement docs and resources.
In Azure Policy > Authoring > Machine Configuration, look for CIS benchmarks for Windows to appear as a built-in option.
Interested in the upcoming auto-remediation preview? See remediation preview sign-up form.

[Now Generally Available] Customizable Security Baseline Policies in Machine Configuration!

mutemwamasheke — Thu, 28 May 2026 19:29:06 GMT

Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.

We're excited to announce the General Availability of Customizable Security Baselines in Azure Policy and Machine Configuration. What began as a Public Preview is now a mature, production-grade capability that empowers you to tailor industry security benchmarks to your organization's unique compliance standards across both Azure and Arc-connected machines, at scale.

This release moves the experience from "useful" to "everyday default." Standards coverage has expanded, the customization and assignment flow is faster, full lifecycle management is now possible directly from the Azure Portal, and a new Overview page gives you a single pane of glass into which parts of your estate are unprotected.

What is Baseline Customization?

The core experience remains: tailor security standards through the Modify Settings wizard under Policy > Machine Configuration. You can enable, exclude, or adjust rules from existing benchmarks, apply organization-specific parameters, and export your custom configuration as a downloadable JSON file. Each baseline JSON file serves as a reusable, declarative artifact, ideal for policy-as-code workflows, version control, and CI/CD integration.

What's New?

GA brings four substantive shifts to the customizable baselines experience: broader standards coverage, a faster path from customization to deployment, lifecycle management directly in the portal, and a new Overview page that surfaces compliance gaps at the subscription level. Together, these changes reflect what we heard from early customers during Preview: that custom baselines need to live alongside the rest of their governance workflows, not in a one-time wizard.

This cloud-native approach continues to embody Microsoft's Secure by Design and Secure by Default principles, with a sharper focus on the operational reality of running compliance at scale.

Built-in Policy Standards Coverage

GA expands what you can customize and where it's supported.

Standard	Status	Notes
CIS Benchmarks for Linux	Generally Available	Expanded distribution coverage since Public Preview. See the full list of supported distros in the official documentation.
[NEW!] CIS Benchmarks for Windows	Public Preview	Initial release covers L1 settings for WS2025 Domain Controller and Member Server roles.
Azure Compute Security Baseline for Windows	Generally Available	Now supports customization for Windows Server 2016 and 2019, in addition to 2022 and 2025.
Azure Compute Security Baseline for Linux	Generally Available	Aligned with Azure Compute recommendations across supported Linux distributions.

Key Scenarios

Faster Time to Deployment

The customization-to-assignment path is now a single continuous flow. You can:

Skip the JSON download step entirely. Baseline settings are auto-populated into the Azure Policy assignment flow, so you no longer have to download a JSON file, browse for it, and upload it back. The settings ride with you from Modify Settings straight into Assign Policy.
Use the improved settings editor. Role-specific values (Domain Controller, Member Server) and formatted inputs render cleanly in the UX, with validation that prevents malformed parameters from reaching the policy assignment.
Still export when you need to. The JSON download remains available for teams that want to commit baselines to source control, share with reviewers, or pipe through CI/CD.

The net result: what used to take a multi-step download-and-reupload sequence is now a few clicks inside one blade.

Lifecycle Management in the Portal

Compliance baselines are not write-once artifacts. They evolve as benchmarks update, as your controls tighten, and as your estate changes. GA introduces two capabilities that treat baselines as living configuration:

Import and Modify. From the Definitions tab under Machine Configuration, you can now import an existing baseline JSON and iterate on it directly in the portal. This closes the loop between policy-as-code workflows and ad-hoc edits, so you no longer have to choose between version-controlled artifacts and in-portal convenience.
Edit Settings on existing Assignments. The Assignments tab now supports updating an active baseline assignment in place. You can refine rules, adjust role-specific values, or exclude controls without tearing down and re-creating the assignment. All you have to do is select the policy assignment and the "Edit Settings" button should be enabled.

Together, these turn baselines into something you maintain, not something you set and forget.

New Overview Page: See Where You're Unprotected

A new Overview page on Policy > Machine Configuration gives you subscription-level visibility into where Machine Configuration is enabled and where it isn't. For each subscription it surfaces status (At Risk, Not Enabled, Enabled), machines missing prerequisites, machines with prerequisites in place, and total eligible machines. From the same view you can enable Machine Configuration on selected subscriptions to onboard eligible VMs and activate baseline auditing in a single action.

This shifts the first question from "is this one machine compliant?" to "which corners of my estate aren't even being assessed yet?", which is usually the more consequential gap.

Integration and Automation

Security baselines continue to integrate into your DevOps pipelines and configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using Azure CLI, ARM templates, Bicep, and CI/CD automation, ensuring reproducible, traceable compliance configurations across environments.

Availability

Customizable security baselines are now generally available in all public Azure regions, Azure Government, and Sovereign Clouds.

Getting Started

Prerequisites

Before you begin:

Deploy the Azure Machine Configuration prerequisite policy initiative. (This installs the required Guest Configuration extension on supported VMs.) You can also do this in a single action from the new Overview page.
Ensure your Azure subscription or management group includes supported Windows or Linux VMs.
Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions.

Step-by-Step Guidance

Check your coverage on the Overview page to see which subscriptions are unprotected and onboard them with one click.
Select a baseline from the Definitions tab in Machine Configuration or use Import and Modify to iterate on an existing baseline JSON.
Modify settings to enable, exclude, or parameterize rules to match your internal policies.
Assign the policy directly from the wizard. Settings are auto populated into the assignment flow, no JSON upload required.
Iterate when needed. Use Edit Settings on the Assignments tab to refine active baselines in place.
Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page.

Learn More

Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.

Introducing the Azure Resource Manager MCP Server!

stevenbucher — Mon, 11 May 2026 20:49:28 GMT

We're super excited to announce the public preview of the Azure Resource Manager MCP Server! This is a remote MCP server that provides tools to give AI agents first-class access to Azure infrastructure operations through Azure Resource Manager (ARM). AI agents can now be equipped with tools to generate, validate, execute Azure Resource Graph (ARG) queries and tools to deploy and manage ARM template deployments. This server is able to generate and execuite queries that return data across all your Azure resource types! At its core, this server is built to help AI agents interact with Azure resources seamlessly.

What this means for you

Ask natural language questions about your Azure estate to your agents and get real time, accurate answers backed with an ARG query
Deploy and manage infrastructure easily by having AI deploy ARM templates for you
Monitor deployment status and catch issues before they escalate
Ability to build more advanced AI agents that understand your Azure environment

What You Can Do Today

Generate, Validate, and Execute Azure Resource Graph Queries from Natural Language

No need to struggle with writing KQL from stratch! Describe what you need, and the MCP server tool generates Azure Resource Graph queries that match your intent. You ask an AI Agent: "Find all virtual machines in my subscription that don't have managed disks". It uses the tool and returns: A ready-to-execute ARG query without manual KQL writing. These queries spans across all your azure resource types so can learn and navigate across any type!

Deploy, monitor and cancel ARM Templates

Pass an ARM template, and the MCP server kicks off the deployment targeted to an existing resource group scope. Monitor the deployment by getting status about it and even cancel it if you decide its not doing what you need it to.

Here is the complete list of the tool available in this preview:

```
generate_query 
```
```
validate_query
```
```
execute_query 
```
```
create_template_deployment 
```
```
get_arm_template_deployment_status 
```
```
cancel_arm_template_deployment 
```

Real-World Scenarios

Infrastructure Compliance Audit

"Show me all resources created in the last 30 days that don't have required tags." - The MCP server generates and executes the query, returning resources that need remediation. Your team can then fix them programmatically or through Copilot.

Rapid Infrastructure Provisioning

"Using this ARM template <path to template>, deploy a secure storage account with HTTPS-only access, private endpoints, and Standard_LRS replication to my production resource group." This will take an existing ARM template and deploy it to a resource group scope.

You can ask your Copilot to generate the ARM template for you as well but there is no quality guarantee on the generated template so we recommend providing your own template for certainty in deployment.

Policy Compliance Check

"Check if all resources in my subscription comply with the latest policy applied to it." - The MCP server generates and executes the query, returning resources that are non-compliant. Your team can then take corrective actions programmatically or through Copilot.

Building Agents with Azure Resource Manager MCP Server

The MCP server's tools can be integrated into custom agents you build with GitHub Copilot. What this means is you can create custom agents that automatically check compliance, track changes in a scope, or ensure all resources have a particular tag applied to them!

Getting Started

Prerequisites

VS Code installed
Valid Azure account with appropriate permissions
GitHub Copilot subscription

Installation

Install the MCP Server

- Open https://aka.ms/JoinARMMCP
- VS Code launches automatically
- Click Install under Azure Resource Manager MCP Server
- Sign in with your Azure credentials
  - If you hit any authentication issues see Troubleshooting Guide in our repo

Check tools are enabled in Chat

- Open Chat in VS Code (View > Chat)
- Click Configure Tools
- Ensure the six Azure Resource Manager MCP Server tools are enabled

Start Using It

- Ask Copilot a question about your Azure resources or infrastructure needs
- The MCP server handles the rest

Governance & Security

The Azure Resource Manager MCP Server respects your Azure permissions and governance policies. All operations run in the context of your signed-in user. Additionally you can apply Azure Policies to prevent deployments via the MCP Server. Find more details in the README of our documentation repo.

What's Next?

We are actively expanding the capabilities of the Azure Resource Manager MCP Server! The Server will expand to include:

Additional ARM API capabilities with ARM
Enhanced query generation and optimization
Support for additional MCP clients beyond VS Code, next up: Claude

Get Feedback

We want to hear from you. Try the public preview and share your feedback. Found a bug? Or have a feature request? Open an issue on GitHub at https://aka.ms/ARMMCPIssue

Resources

- 📖 Full Documentation – Complete setup and usage guide

- 🔗 Install Now – Get started with the public preview

- 🐛 Report Issues – Share feedback and bugs

- ❓ FAQ – Common questions answered

- 🛠️ Troubleshooting – Resolve common issues

Try It Today

The Azure Resource Manager MCP Server public preview is available now. Visit https://aka.ms/JoinARMMCP to install and start automating your Azure infrastructure with AI.

What agents will you build with these tools? We can't wait to see how you'll use this.

Steven Bucher

PM on Azure Resource Manager and Azure Governance

New Local Management Group for ALZ & Updated Sovereign Policies for SLZ

jtracey93msft — Thu, 30 Apr 2026 07:58:07 GMT

Following on from months of working alongside customers, partners, and our internal product groups, we have now made two updates to the Azure landing zone (ALZ) and the Sovereign landing zone (SLZ), that I’d like to walk you through in this post:

A new dedicated ‘Local’ Management Group added beneath the Landing Zones Management Group – applies to both ALZ & SLZ
A refresh of the sovereign policy initiatives assigned in the SLZ, replacing the previous Sovereignty Baseline initiatives with new built-in initiatives that align directly to sovereign control levels 1, 2, and 3 – applies to SLZ only

A new ‘Local’ Management Group

What’s changing?

We have added a new dedicated ‘Local’ Management Group beneath the Landing Zones Management Group in the ALZ conceptual architecture, sitting alongside the existing Corp and Online Management Groups. And because the SLZ extends and takes a dependency on ALZ, this Management Group is inherited by the SLZ hierarchy too in the same hierarchy location, beneath the Landing Zones Management Group.

Azure landing zone conceptual architecture's Management Group hierarchy only. Download a Visio file or PDF file of this architecture.

Why have we added it?

We have been working closely with the Azure Local product group, customers, and partners on what good governance looks like for Azure Local within the ALZ architecture, and we kept hearing two consistent asks:

A clear, opinionated home in the Management Group hierarchy for Azure Local clusters and the workloads that sit on top of them.
A way to help customers — particularly those with sovereignty or resiliency requirements — design and run workloads in the Azure public cloud today that are ready to "exit" to Azure Local disconnected operations (ALDO) if they ever need to.

The new Local Management Group gives us a single, consistent scope to address both scenarios with the same governance and policy guardrails. It is therefore intended to be used both for:

Workloads running directly on Azure Local clusters — to apply consistent best practices, governance, and security guardrails for Azure Local deployments.
Workloads running in the Azure public cloud today that may one day need to be moved to run on Azure Local in disconnected operations mode — to make sure they are exit-ready by construction, rather than at the point you find out you need them to be.

How exit planning is supported

To make exit planning straightforward, the new ‘Local’ Management Group leverages the following new built-in Azure Policy:

[Preview]: Restrict resource types to Azure services supported in Azure Local disconnected operations — Definition ID dabf7c7f-5354-42de-a92a-8367f538dd71. Category: Azure Local, Version: 1.0.0-preview.

This policy can be used in a couple of ways depending on where a customer is on their journey:

In Audit mode, the policy gives you an at-a-glance view of which resource types currently deployed in subscriptions under the ‘Local’ Management Group are not available on Azure Local disconnected operations clusters. This is great for understanding the current state of an exit plan without changing developer behavior.
In Deny mode, the policy prevents deployment of any resource type that is not available on Azure Local disconnected operations clusters. Workloads can carry on running happily in Azure public, but they are exit-ready by construction — there is no scenario where someone "accidentally" introduces a service that breaks the exit story.

The important thing to call out here is that workloads do not have to run on Azure Local today to benefit from this. Customers with sovereignty or business continuity requirements that need a credible exit story to Azure Local disconnected operations can keep their workloads running in the Azure public cloud and use this new ‘Local’ Management Group, with the new built-in policy to Deny, to guarantee portability when they need it. The platform enforces it, rather than someone tracking it in a spreadsheet or other manual methods.

Further policies from the Azure local product group will be created and published in the future. These additional policies will focus on Azure Local cluster and workload best practices and other scenarios that can be assigned to the new ‘Local’ Management Group.

Do I place my Azure Arc-enabled resources in the new local management group?

This is a fantastic question and one that we have had a couple of times already since posting this blog post, hence updating it with this new section.

In short, no, we do not think that this is the best place to place your Azure Arc-enabled resources such as servers as a central location to group them all together. Instead, you should consider putting them with their existing resources in their own application landing zone subscriptions as per the normal Azure landing zone guidance, for example, in either a corp or online application landing zone governed subscription.

We actually wrote up this and other scenarios in the hybrid and multi-cloud cloud adoption framework scenario a few years back that we are sharing here for convenience, as we believe it will help many answer this question, if they have it. Please see Integrate Azure Arc resources with application landing zones for the guidance on this topic.

New sovereign policy built-in initiatives aligned to sovereign control levels 1, 2 & 3

What’s changing?

In the SLZ we have replaced the previous Sovereignty Baseline initiatives with a set of new built-in sovereign policy initiatives, assigned at the appropriate Management Group scopes in the Sovereign landing zone (SLZ), that align to the three sovereign control levels:

Level 1 — Data residency
Level 2 — Encryption-at-Rest / in-Transit
Level 3 — Encryption in use (Confidential Computing)

You can read more about each of these levels and the principles behind them on Microsoft Learn:

What was assigned before?

Up until this update, the SLZ assigned two existing Sovereignty Baseline built-in initiatives:

Sovereignty Baseline – Global Policies (c1cbff38-87c0-4b9f-9f70-035c7a3b5523) — 5 policies covering location restrictions and Trusted Launch.
Sovereignty Baseline – Confidential Policies (03de05a4-c324-4ccd-882f-a814ea8ab9ea) — 19 policies covering customer-managed keys, confidential compute, and resource type / location restrictions.

These were broad baselines, not purpose-built per sovereign control level. They did the job, but they didn’t map cleanly to the L1/L2/L3 model that customers, partners, and our own documentation use to talk about sovereign controls.

What’s assigned now?

Working with the Sovereign Public product group, we have moved the SLZ over to a set of new built-in initiatives that we have built and published recently, each aligned to a specific sovereign control level. These are now assigned by default in the SLZ in place of the two Sovereignty Baseline initiatives above:

Initiative	Control level	Purpose
[Preview]: Enforce Data Residency across Azure Services	Level 1 — Data Residency	Restrict / audit Azure regions; prevent cross-region replication (Cosmos DB, SQL, Storage, etc.)
[Preview]: Enforce Encryption-at-Rest with Customer Managed Keys (CMK) with Azure Key Vault Premium Keys across Azure Services	Level 2 — Encryption-at-Rest	Restrict / audit Azure services to use CMK with AKV Premium keys
[Preview]: Enforce Encryption-at-Rest with Customer Managed Keys (CMK) with Azure Key Vault Managed HSM Keys across Azure Services	Level 2 — Encryption-at-Rest	Restrict / audit Azure services to use CMK with AKV Managed HSM keys
[Preview]: Enforce Encryption-in-Transit across Azure Services - HTTPS	Level 2 — Encryption-at-Rest	Restrict / audit Azure services to use HTTPS/SSL
[Preview]: Enforce Encryption-in-Transit across Azure Services - TLS Version	Level 2 — Encryption-at-Rest	Restrict / audit Azure services to use latest TLS versions (e.g. TLS 1.3)
[Preview]: Enforce Encryption-in-Use across Azure Services	Level 3 — Encryption-in-Use	Restrict / audit to Azure Confidential Compute (ACC) VM SKUs or ACC-backed PaaS services

Sovereign landing zone conceptual architecture's Management Group hierarchy with the associated controls and principles applied. Download a Visio file or PDF file of this architecture.

Why have we done this?

Aligning the SLZ to these new built-in policy initiatives gives customers, partners, and our internal teams several benefits:

Single source of truth — the policies assigned by the SLZ now match exactly what is documented in the sovereign controls and principles guidance on Microsoft Learn. No translation, no mapping exercise.
Per-level alignment — each initiative aligns to a specific level (L1, L2, L3), so customers can map their data classifications (Public, Internal, Confidential, Secret) to the right scope in the hierarchy and apply only what is required for that classification.
Lower maintenance overhead — by moving from broad baselines to per-control built-ins owned by the Sovereign Public product group, customers benefit from updates made by the product group automatically, without us having to ship and version our own copies in the SLZ.
Easier auditing and reporting — built-in initiatives are first-class citizens in tools such as Microsoft Defender for Cloud and Azure Policy compliance reporting, which makes evidencing compliance against the sovereign controls easier for those that need to.

What if we have already deployed ALZ or the SLZ?

These changes are now live in the following releases in the Azure Landing Zones library.

We have also updated the ALZ Accelerator and our AVM-based Terraform & Bicep deployment options to use these latest releases for new deployments. And for those of you who already have an active deployment you can upgrade your library version following the guidance here:

The ALZ Portal accelerator is also being updated this week so stay tuned for those if you use that, although we highly recommend the ALZ IaC Accelerator.

Announcing One‑Command Backup Configuration for AKS with Azure Backup

shobhitgarg — Thu, 16 Apr 2026 07:50:59 GMT

Running production workloads on Azure Kubernetes Service (AKS) is becoming the norm for platform teams building cloud‑native applications at scale. As these environments increasingly host stateful workloads using persistent volumes, ensuring data protection and rapid recovery becomes mission‑critical.

Today, we’re excited to introduce an alternate simplified CLI‑based experience that allows customers to configure backups for AKS using Azure Backup with a single command.

The challenge with AKS backup onboarding today

Until now, enabling backup for an AKS cluster through Azure CLI required customers to understand and coordinate across multiple CLI domains, including:

az aks
az k8s-extension
az dataprotection

Configuring vaulted backup involved:

Extension installation
Storage account provisioning
Backup vault creation
Policy configuration
Trusted access setup
Backup instance initialization

All of which required orchestrating 8 separate lifecycle steps across 15+ CLI commands.

For platform teams managing tens or hundreds of AKS clusters through automation or CI/CD pipelines, this multi‑step setup often became a barrier to experimentation and adoption.

A simpler way: Configure backup in one CLI command

With this new experience, customers can now enable full‑cluster backup for AKS using a single CLI command:

az dataprotection enable-backup trigger \ --datasource-type AzureKubernetesService \ --datasource-id <cluster-arm-id> \ --backup-strategy <strategy> \ --backup-configuration-file @config.json

This command orchestrates the entire AKS backup enablement workflow behind the scenes by automatically performing the following steps:

Validate AKS cluster existence and running state
Create or identify region‑specific backup resource group
Check if Backup Extension is already installed on the cluster
Install Backup Extension (if not present)
Create or reuse Storage Account for backup data
Create or reuse Backup Vault
Create or reuse Backup Policy
Enable Trusted Access between vault and cluster
Initialize and create Backup Instance

Customers no longer need to manually orchestrate resources across different CLI surfaces.

Backup Strategy Presets

Customers can select predefined strategies aligned to common protection needs:

Strategy	Op Store Retention	Vault Store Retention	Use Case
Week (default)	7 days	—	Dev/Test
Month	30 days	—	Production
DisasterRecovery	7 days	90 days	Cross‑region DR
Custom	User-defined	User-defined	BYO Vault & Policy

Example:

az dataprotection enable-backup trigger \ --datasource-type AzureKubernetesService \ --datasource-id <cluster-arm-id> \ --backup-strategy DisasterRecovery

Backup Configuration JSON (Advanced Customization)

Advanced users can optionally provide a configuration JSON file to:

Use existing vaults or policies
Bring your own storage account
Apply enterprise tags
Use custom backup resource groups

Supported Parameters

Parameter	When Required	Description
backupVaultId	Custom strategy	Use existing vault
backupPolicyId	Custom strategy	Use existing policy
storageAccountResourceId	Optional	Use existing SA
blobContainerName	Optional	Custom container
backupResourceGroupId	Optional	Use existing RG
tags	Optional	Apply to created resources

Built‑in validations for reliability

Before enabling backup, the CLI automatically validates:

Cluster existence
Running state
Backup compatibility
Required RBAC permissions
Resource availability (if provided)

Faster time‑to‑protection for AKS workloads

By collapsing a previously multi‑step setup into a single command:

Backup onboarding becomes automation‑friendly
Platform teams can enable protection consistently across environments
Setup errors from manual orchestration are reduced
Backup rollout across large AKS estates becomes significantly faster

What’s next

The simplified single‑command backup enablement experience introduced for AKS is part of a broader effort to make Azure Backup more automation‑friendly across cloud‑native and platform workloads.

We are actively working to extend this model to other workloads supported by Azure Backup, enabling customers to:

Configure protection using native CLI workflows
Reduce onboarding complexity across backup‑supported resources
Integrate backup enablement seamlessly into CI/CD pipelines
Achieve faster time‑to‑protection across heterogeneous environments

Over time, customers can expect similar single‑command backup configuration experiences for additional Azure Backup‑supported workloads — bringing consistency and ease of adoption across their backup strategy.

For more information, see how to configure AKS backup using a single CLI command.

Announcing Public Preview for Essential Machine Management

Meagan McCrory — Mon, 06 Apr 2026 18:54:19 GMT

Managing servers and VMs across Azure, on premises, and multi-cloud environments often means turning on core capabilities—monitoring, updates, inventory, and configuration—through separate setup experiences. We’ve heard feedback that this makes it harder to get visibility into machine state and take actions.

We’re excited to announce the public preview of Essential Machine Management experience within Compute Infrastructure Hub—a new entry point in Azure that streamlines onboarding for machines at scale and enables basic management capabilities. Start once at subscription scope, get a clear view of what’s turned on, and move from setup to operations faster across your Azure and cloud and hybrid estate.

What is Essential Machine Management?

Essential Machine Management is a centralized onboarding experience that helps customers enroll their machines into a set of selected cloud-native management services from Azure in a simple, scalable way,

Instead of enabling monitoring, updates, inventory, and configuration independently per machine, Essential Machine Management allows you to enroll entire subscriptions at once, including both Azure Virtual Machines and Azure Arc–enabled servers. These services are pre-configured with best practices, enabling customers with out-of-the-box value right away.

Once enrolled, current and future machines in the selected subscriptions are automatically onboarded to the enabled management services, helping ensure consistent visibility and operational coverage from day one.

What management capabilities are enabled?

Using Essential Machine Management, you can quickly onboard machines to multiple Azure management capabilities, including:

Monitoring insights and recommended alerts for machine health and performance
Azure Update Manager to help keep machines secure and compliant
Change tracking and inventory for visibility and auditability
Machine configuration for managing in-machine configuration, compliance and security
Azure Security baseline policy is a set of tailored rules to assess your machine's security posture

These services help keep your infrastructure secure and healthy.

How much does it cost?

Azure VMs: For Azure Virtual Machines only, capabilities enabled by Essential Machine Management are provided at no additional charge.

Azure Arc-enabled servers:

For Azure Arc-enabled servers with Windows Server Software Assurance, Windows Server PayGo, and Windows Server Extended Security Updates, capabilities enabled by Essential Machine Management are provided at no additional charge.
For all other Arc-enabled servers, Essential Machine Management will be priced at $9 per server per month once billing is enabled. See more details here.

Getting started

If you manage Azure VMs or Arc-enabled servers and are looking to simplify how you onboard and manage machines at scale, Essential Machine Management feature is now available for you to try in public preview. Check out the preview in the Azure Portal under Compute infrastructure --> Monitoring + Operations --> Essential Machine Management (preview):

Check out Essential Machine Management now and reach out to machineenrollmentsupport@microsoft.com for any feedback or support. Learn more about Essential Machine Management here.

Azure Policy: Required Actions for Docker Content Trust Deprecation in Azure Container Registry

ShannonHicks — Wed, 17 Dec 2025 22:36:46 GMT

As Azure evolves, certain features are deprecated to streamline services and improve security and performance. One such upcoming change is the deprecation of the Docker Content Trust (DCT) feature in Azure Container Registry (ACR) which is ongoing over a three-year period. This change will eventually remove the trustPolicy property from underling APIs.

This blog post explains what is changing, the potential impact on your Azure Policy environment, and steps you can take to mitigate disruption.

What is Changing?

The Docker Content Trust (DCT) feature in ACR is being deprecated. As part of this process:
- The trustPolicy property will be removed from ARM APIs in a future version.
- The Azure Policy aliases referencing this property will eventually be impacted.
Affected aliases include:
- Microsoft.ContainerRegistry/registries/trustPolicy
- Microsoft.ContainerRegistry/registries/trustPolicy.type
- Microsoft.ContainerRegistry/registries/trustPolicy.status
Key findings:
- No built-in policy definitions currently use these aliases, so no built-ins will be deprecated because of this feature deprecation.
- The alias trustPolicy.status is modifiable, so any active modify policies targeting this property will break when the property is removed. This alias will be removed.

Impacts on Azure Policy

If you have active policy assignments referencing these aliases, you will need to update or remove them during the deprecation period to avoid future compliance issues:

Existing policies will eventually become non-compliant for any new ACR resources. For example, if a policy assignment requires trustPolicy to be enabled (Microsoft.ContainerRegistry/registries/trustPolicy.status == "enabled"), but the ACR trustPolicy property can no longer be set due to deprecation, then any new ACRs created after that point will automatically be noncompliant with the policy.
Policies using the modifiable alias (trustPolicy.status) will fail when the alias is deleted or marked non-modifiable at the end of the deprecation period.

Steps to Mitigate the Impact

To ensure a smooth transition:

Identify Affected Policies and Assignments: Locate any custom policy definitions in your environment referencing the affected aliases.
Update Policy Definitions: Remove or replace references to trustPolicy properties in your policy definitions. If the policy's only purpose is to evaluate the ACR trustPolicy, consider removing the definition altogether.
Test and Validate: After updating policies, validate that they enforce compliance as intended without relying on deprecated properties.
Monitor for Updates: Stay informed by monitoring Azure Container Registry retirement documentation for more details on transitioning from Docker Content Trust to Notary Project.

Announcing General Availability for Azure Resource Graph (ARG) GET/LIST API

JaspreetKaur — Wed, 03 Dec 2025 04:39:28 GMT

ARG GET/LIST API delivers 10X higher throttling quotas to callers compared to ARG query unlocking a more scalable, resilient way to perform resource lookups in Azure. ARG GET/LIST API is a new platform capability within Azure Resource Graph that provides a high-performance experience for both Point GET and collection GET requests. A key advantage of this capability is its ability to significantly reduce READ throttling for high volume calls efficiently. This is made possible through intelligent control plane routing based on a query parameter controlled by the caller. When a specific query parameter is included, requests are automatically directed to this optimized ARG GET/LIST backend. When the parameter is omitted, requests flow to the Resource provider —ensuring flexibility and backward compatibility.

What Challenge Are We Addressing?

Azure Read Throttling is a significant challenge for many customers. When services hit throttling limits, applications may experience performance degradation, elevated latency, or even failed requests—issues that can disrupt critical workloads and customer operations.

The ARG GET/LIST API is designed to directly address this problem. By routing GET and LIST calls through Azure Resource Graph’s scalable indexing infrastructure and intelligent control-plane routing, it dramatically reduces the likelihood of read throttling. Best of all, it follows the ARM control plane GET APIs request response contract, allowing you to benefit from improved performance and reliability with minimal effort, appending the flag “useResourceGraph=true”.

When to use Azure Resource Graph (ARG) GET/LIST API

The ARG GET/LIST API is designed for scenarios where you need to retrieve a single resource by its ID or list resources of the same type within a defined scope—whether that's a subscription, resource group, or parent resource.

You should consider using the ARG GET/LIST API if your service fits into one or more of the following categories:

High Volume of GET Calls Within a Single Scope:
Your service issues a large number of GET requests targeting resources within a single subscription or resource group, without the need for cross-subscription queries, complex filters, or joins.
Risk of Throttling or Quota Competition:
Your service produces a high volume of requests and may encounter issues such as::
- Experience throttling during sudden traffic spikes.
- Quota competition, where other workloads in the same subscription consume shared quota limits, causing your service to be throttled.
- Bursty traffic patterns, where large volume of GET requests are issued within a short time window, increasing the chance of throttling.
Need for High Availability and Faster Performance:
Your service depends on consistent; low-latency GET operations for either single-resource lookups or listing resources within a specific scope

Note: The ARG GET/LIST API is currently supported only for resources in the resources and computeresources tables.

Using the ARG GET/LIST API

To get started with the ARG GET/LIST API, begin by assessing whether your scenario aligns with the recommended calling patterns and throttling considerations described earlier. Once confirmed, simply append the parameter &useResourceGraph=true to your eligible GET/LIST API calls. This flag routes your request through the Azure Resource Graph GET/LIST API backend, allowing you to take advantage of its optimized performance and query efficiency. No calls will route to ARG GET/LIST backend automatically. The switch is entirely in the user’s control—the call will route to ARG GET/LIST API only when you explicitly include the useResourceGraph=true parameter in your request.

Follow the ARG GET/LIST API contract here - Azure Resource Graph GET/LIST API Guidance - Azure Resource Graph | Microsoft Learn

Let’s walk through a simple example of retrieving a Virtual Machine (VM) along with its InstanceView through ARG Query vs. ARM API vs. ARG GET/LIST API to show the difference in the calling experience.

Using an ARG Query (via ARG Explorer)

In ARG Explorer, you can use Kusto Query Language (KQL) to query resources.
A sample query to retrieve a specific VM looks like this:

Resources | where type =~ 'microsoft.compute/virtualmachines' | where id =~ '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}'

This query filters the Resource Graph index to return the VM resource.

Using the ARM (Compute RP) API

The equivalent ARM API call to retrieve the VM with InstanceView is:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}?api-version=2024-07-01&$expand=instanceView

This hits the Compute Resource Provider, pulls the VM state, and expands the instanceView section.

Using the ARG GET/LIST API

ARG GET/LIST APIs that follow the same request structure as ARM—but with an additional flag that routes the call through ARG:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.compute/virtualmachines/{vm}?api-version=2024-07-01&$expand=instanceView&useResourceGraph=true

The important distinction here is the useResourceGraph=true parameter, which routes the call through ARM to serve the response through ARG’s GET/LIST backend.

Sample Response -

You can find more examples in our documentation - Azure Resource Graph GET/LIST API Guidance - Azure Resource Graph | Microsoft Learn

Video Walkthrough

Increase Throttling Quota via Azure Resource Graph

Learn More

Azure Resource Graph GET/LIST API Overview

Known Limitations

Frequently Asked Questions

Share Your Feedback

For questions and feedback, you can reach us at Azure Resource Graph team 
Share Product feedback and ideas with us at Azure Governance · Community

Happy Querying!

Azure Governance @ Ignite 2025

jodiboone — Sat, 22 Nov 2025 01:24:16 GMT

Recap: Azure Governance @ Ignite 2025

Azure governance is thrilled to be back at ignite this year with some exciting updates. In this blog we will be sharing highlights from the session, overviews on new releases, and links on how you can get started using governance products including Azure Policy & Service Groups to maintain a well governed environment where you can deploy secure applications. Make sure to catch the recording if you missed it to see how Microsoft deploys these products in practice!

Service Groups

Service groups is the newest product in the Azure governance suite allowing you to maintain more dynamic and flexible resource hierarchies. To recap, service groups provide:

Low Privilege Management: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access and appealing to multiple personas. Access to a Service Group does not grant role-based access control or policy inheritance to its members.
Flexible and Varying Hierarchies: Azure resources and scopes, from anywhere in the tenant, can become members of one or multiple service groups. Additionally, Service Groups can be nested providing the ability to have multiple hierarchy structures, i.e. Cost Center, Product, Organization, and more!

Service groups has recently gone Public Preview and this year at ignite we are excited to announce new integrations including,

Azure Monitoring

Azure Resiliency

Stay tuned for future integrations and get started using service groups today at: aka.ms//servicegroups

Azure Policy

This ignite we are excited to showcase new releases enriching the power of the policy language and improving ease of use through major UX improvements.

To start off, we announced our public preview for Identity Based Exemptions, a new type of exemption resource that targets the callers service principal versus the scope on which the exemption is applied. Allowing admins to place targeted exemptions for approved service principals, to avoid over exempting without interrupting business critical workflows.

New Home Page Experience!

As the policy framework has expanded, the focus of your policy management has expanded beyond just compliance, to other aspects of the policy deployment lifecycle, including exemptions & remediations. We also know that one size does not fit all, so we are excited to release a new Azure policy UX landing page that provides a refreshed view on compliance, policy status, and will showcase how to get started using new primitives & releases. Try it out and let us know what you think!

Machine Configuration Customizable Baselines

The Azure Windows and Azure Linux baselines have provided a standard set of guidance for how to configure server operating systems in Azure. To make these baselines more relevant to changing regulatory standards & business goals, we’re

releasing an extensibility framework to make it easier than ever to deploy custom Azure baselines through Azure policy & Machine configuration.
Aligning the baseline content to be aligned with CIS across our supported distributions

Getting started is easy, select the baseline that you’re interested in applying and adjust any settings based on business requirements.

For more details on getting started visit: aka.ms//machinebaselines

Optimize Your Cloud Environment Using Agentic AI

riteshkini — Tue, 18 Nov 2025 16:20:32 GMT

In today’s cloud-first world, optimization is no longer a luxury—it’s a strategic imperative. As IT professionals and developers navigate increasingly complex environments, the need to reduce costs, improve sustainability, and accelerate decision-making has never been more urgent.

At Ignite 2025, Microsoft is introducing a new wave of agentic capabilities within Azure Copilot—one of the key capabilities includes the optimization agent, designed to help you identify, validate, and act on opportunities to streamline cloud operations. For FinOps teams, this agent becomes especially powerful, enabling cost governance, carbon insights, and actionable recommendations to maximize financial efficiency at scale.

From Complexity to Clarity

For users familiar with Azure’s cost and performance tools, the new operations center experience in the Azure Portal provides a unified agentic experience to monitor spend and carbon emissions side by side, surface the most critical optimization opportunities, and seamlessly trigger actions by invoking the Optimization agent—bringing governance, efficiency, and sustainability into one streamlined experience.

What’s New in Optimization

The optimization agent in Azure Copilot empowers teams to:

Identify top actions prioritized by impact, cost savings, and ease of implementation.
Evaluate cost and carbon impacts side-by-side, helping you make informed decisions that align with financial and sustainability goals.
Validate recommendations with supporting evidence, current / projected utilization trends, and alternative SKU choices.
Accelerate implementation with step-by-step guidance and agentic workflows that reduce toil and increase confidence.

These capabilities are designed to scale FinOps impact, enabling collaboration across engineering, finance, procurement, and sustainability teams—all within a unified experience.

A Day in the Life: FinOps in Action

Let’s step into the shoes of a FinOps practitioner at a large enterprise navigating the complexities of cost management.

It’s Monday morning. Over the weekend, a set of development VMs were left running, quietly accumulating costs. The optimization agent—a capability within Azure Copilot—surfaces a top action: resize or shut down the idle resources. With a few clicks, the practitioner reviews the supporting evidence, including usage trends, cost impact, and carbon footprint. The agent offers visibility over alternative SKUs and guides the practitioner through a step-by-step implementation—all within the same interface.

But it doesn’t stop there. For teams that prefer automation or scripting, the agent also generates Azure CLI and PowerShell scripts tailored to the recommended action. This gives practitioners flexibility: they can execute changes directly in the portal or integrate scripts into their existing workflows for repeatability and scale. The experience is seamless—every recommendation is actionable, verifiable, and aligned with enterprise policy.

By midweek, the practitioner has implemented multiple optimizations without leaving the console or writing custom code. Each action is logged for audit visibility, ensuring compliance and transparency across the organization. What used to take hours of manual investigation and coordination now happens in minutes, freeing the team to focus on strategic initiatives rather than firefighting cost overruns.

Why It Matters

These aren’t just features—they’re answers to the pain points customers have been voicing for years.

Cost visibility and predictability: Azure Copilot centralizes insights across subscriptions, helping teams avoid surprise bills and understand where every dollar goes.
Resource inefficiencies: The optimization agent proactively identifies underutilized resources and guide teams to act before costs escalate.
Scalability and complexity: Azure Copilot’s unified experience simplifies operations for even the most complex setups.

Azure Copilot isn’t just simplifying cloud operations—it’s transforming how teams collaborate, govern, and optimize.

Get Started at Ignite

At Ignite 2025, you’ll get hands-on with Azure Copilot’s optimization capabilities. Explore how intelligent assistance can help you:

Reduce cloud costs
Improve sustainability metrics
Strengthen governance and compliance
Drive better outcomes—faster

Azure Copilot: turning cloud operations into intelligent collaboration. Sign up for the Agents in Azure Copilot Limited (Preview) and try the experience today.

Improve your resiliency posture with new capabilities and intelligent assistance

rochakm — Tue, 18 Nov 2025 16:36:10 GMT

In today’s cloud-first world, resilience isn’t optional—it’s mission-critical. The next phase of cloud operations is about simplifying workflows, enhancing control, and removing friction from daily work. At Microsoft Ignite 2025, Azure is redefining resiliency with expanded capabilities to include Infrastructure Resiliency, Data Resiliency, and Cyber Recovery with AI-powered innovations designed to help you maintain uninterrupted business continuity.

Introducing the resiliency agent in Azure Copilot

With natural language guidance and automated actions, we are announcing the preview of the resiliency agent in Azure Copilot which helps you assess your current posture, fix gaps with intelligent automation, and continuously monitor your environment to keep critical workloads safe from disruptions.

Infra Resiliency: Leverage Guided Experiences to Become Zonally Resilient

The new Infrastructure resiliency experiences are designed to keep your critical applications running—even during unexpected zonal outages. These new capabilities empower you to actively assess and improve your architecture and continuously validate your resiliency posture.

Leverage at-scale views across Resources and Service Groups to uncover resiliency blind spots and prioritize remediation. Set resilience targets for your key workloads and invoke the resiliency agent from the operations center in Azure to proactively find resources (like virtual networks or firewalls) that are deployed in only one availability zone and could become single points of failure. Once identified the agent will highlight which resources aren’t zone-resilient and the risks they pose, such as potential downtime or IP address changes during a zone failure, enabling you to prioritize the most crucial gaps first. Then with a click, the agent will generate ready-to-run scripts (or commands) to distribute those resources across zones to address configuration drift and strengthen architecture. This guided automation ensures that even if an entire Azure zone goes down, your application stays up.

You can then validate readiness with built-in failure scenario drill templates (e.g., simulating a full availability zone outage) and proactively test failover behaviors without impacting production using default faults or custom runbooks. Create predefined recovery plans that sequence the failover of your application’s components during test drills or actual failovers and execute them with a single click to automatically fail over workloads to another Availability Zone. Track failover progress in real time, monitor key performance metrics, and export attestation reports for compliance and audit readiness.

By streamlining what used to require multiple tools and significant expertise, you can utilize proactive insights, automated recovery, and continuous validation, to confidently strengthen your architecture, maintain operational continuity, and achieve high availability by design without the usual complexity.

Beyond Infrastructure: Data and Cyber Recovery

The expanded resiliency experiences go beyond infrastructure, bringing in powerful new & existing capabilities that help you stay protected and recover fast, whether it's meeting your RPO and RTO goals through smarter data protection or defending against ransomware with built-in cyber-recovery. At Ignite, we’re excited to showcase new innovations designed to help you strengthen your business continuity strategy and stay ahead of evolving threats.

Data Resiliency: Fortify your Cloud Data with enhanced workload protection & disaster recovery

Never get caught without a backup plan. Azure Backup is evolving toward application-centric recovery, expanding coverage to protect critical cloud-native workloads that power enterprise data apps. As part of this journey, we’re introducing vaulted backups for ADLS Gen2—a native, secure, and managed solution that safeguards data against deletion, corruption, and malicious threats. Additionally, agentless backup for Windows and Linux VMs is now available, offering crash-consistent protection across multiple disks with high-frequency, lightweight backups. This makes it ideal for performance-sensitive workloads such as databases, delivering reliable protection with minimal operational overhead.

And rather than manually checking each service or using separate dashboards for backups and disaster recovery, you can ask the resiliency agent to summarize your backup coverage across both primary and secondary regions. It will report which virtual machines, databases, or other resources are already backed up and replicating, and which ones might need attention. With granular recovery, long-term retention for compliance, and enterprise-grade management through the Resiliency blade in Azure, you can confidently ensure business continuity across your most vital workloads.

As part of our continued investment in resilience and scale, Azure Site Recovery now offers a suite of powerful enhancements to support enterprise-grade disaster recovery. Capacity Guidance now provides alternative VM size recommendations during failovers to improve allocation success in target regions. ASR now supports up to 5x churn (500 MB/s per VM), enabling protection of high IOPS workloads and ensuring robust recovery for data-intensive applications. We’ve also expanded disk support with Premium SSD v2 and Ultra Disks now fully supported, allowing seamless protection of performance-critical workloads across Azure regions. Finally, ASR enables failback from Azure VMs to on-premises Hyper-V even when the original replication used a storage account and the failed-over VM was converted to managed disks, offering greater flexibility and control in hybrid recovery scenarios.

For any critical resource that needs failover and failback capabilities, the agent can recommend the next step, like enabling Azure Site Recovery for cross-region replication. By turning on Site Recovery (with the agent’s guidance), you add a second layer of protection: if your primary region suffers an outage, those critical VMs can fail over to a secondary region with minimal downtime. In short, the resiliency agent ensures your data meets your business continuity goals. It helps you balance recovery point objectives (keeping data loss to a minimum with frequent backups) and recovery time objectives (restoring services quickly via failover). Through Copilot’s conversational interface, you can instantly get answers like “Are all my tier-1 workloads protected in a secondary region?” and follow prompts to fill any gaps reducing the need to hunt through multiple tools. The result is a cloud estate that’s not only backed up, but truly disaster-ready.

Cyber Recovery: Safeguard your critical data against Ransomware Attacks

Fortify your backups against cyber threats. Strengthen your organization’s cyber recovery with Azure Backup’s Vault Soft Delete. This feature is enabled by default across all Recovery Services Vaults and ensures that backups remain recoverable for at least 14 days, even in the event of accidental or malicious deletions. It applies comprehensively to vaults, containers, backup items, and recovery points, offering robust protection against ransomware threats.

The resiliency agent in Azure helps guard your backup data and recovery systems so they remain reliable even if attackers strike. It continuously reviews the security posture of your Recovery Services Vaults (where your backups are stored) and other protection settings. If it finds that any backup vault is missing critical safeguards—say, if soft-delete or immutability isn’t enabled—it will alert you and recommend enabling them. Through the Copilot interface, you can simply ask something like “How secure are my backups?” and the agent may respond with a summary like: “4 of 5 backup vaults have soft-delete and immutability on. One vault needs immutability; enable it now?” You can then approve the suggestion, and the agent will automatically apply the setting or provide a script to do so. Through intelligent guidance and recommendations, the resiliency agent ensures your backups are tamper-proof and ready to restore. Therefore, even if a ransomware attack or accidental deletion hits your environment, you’ll have clean, safe backups to recover from. In essence, the agent helps make sure that when trouble comes, your last line of defense, your backup, remains intact and readily available.

Additionally, Azure Backup now also integrates with Microsoft Defender for Cloud (MDC) to enhance the security of Azure VM backups. With a one-time setup via Defender for Servers, Azure Backup automatically assesses the health of recovery points at the time of snapshot creation using Defender signals. This marks a significant step toward proactive threat detection in backups, helping organizations strengthen their overall cyber resilience posture.

Together, data resiliency and cyber recovery form a unified defense strategy that ensures enterprise-grade protection across the full spectrum of threats—from accidental data loss to sophisticated ransomware attacks. By combining deep workload-aware backup and disaster recovery with proactive threat detection and secure retention, Azure empowers organizations to safeguard critical data assets and recover swiftly with confidence. This integrated approach not only meets business continuity goals but also strengthens security posture, delivering resilient-by-default coverage for modern cloud environments.

Next Steps

Azure is reaffirming its commitment to enterprise resilience. Whether it’s a datacenter outage, a cyberattack, or a zonal disaster, your applications and data can keep running and recover swiftly.

Join us at Ignite 2025:

Connect with Microsoft experts at the Azure Copilot, Operations, and Management expert meet-up booth to get your questions answered.

Additional Resources:

Learn more about specialized agents across the entire cloud management lifecycle: Introducing Azure Copilot
Sign up for the preview of Azure Copilot here
Read about best practices about how to start, get, and stay resilient here
Explore Resiliency features in Azure and join us in this journey from reactive recovery to proactive resilience here
Explore new Learn documentation here

[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration

mutemwamasheke — Thu, 28 May 2026 17:02:04 GMT

We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature empowers you to tailor industry security benchmarks—such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux —to align with your organization’s unique compliance standards across both Azure and Arc-connected machines. This feature builds on top of our existing audit baseline capabilities for Windows and Linux.

Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration.

What's New?

Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements.

This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run.

Baselines Customization Experience in Azure Policy

Key Scenarios

Baseline Customization

Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration.
You can:

Enable, exclude, or adjust rules from existing benchmarks
Apply organization-specific parameters
Export your custom configuration as a downloadable JSON file

Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration.

Assign Audit Policies

When you assign a baseline via Azure Policy, it automatically:

Evaluates configurations against your defined standards
Reports compliance in near real time
Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view

This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead.

Integration and Automation

Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows.
Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using:

Azure CLI
ARM templates
Bicep
CI/CD automation

This ensures reproducible, traceable compliance configurations across environments.

Supported Standards

Standard	Description
CIS Linux Benchmarks	Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions.
Azure Compute Security Baseline for Windows	Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance.
Azure Compute Security Baseline for Linux	Enforces consistent controls aligned with Azure Compute recommendations.

Availability

Customizable security baselines are available in all public Azure regions.

NOTE:
Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview.

Getting Started

Prerequisites

Before you begin:

Deploy the Azure Machine Configuration prerequisite policy initiative.
(This installs the required Guest Configuration extension on supported VMs.)
Ensure your Azure subscription or management group includes supported Windows or Linux VMs.
Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions.

Step-by-Step Guidance

Select a baseline from the Machine Configuration tab in Azure Policy.
Modify settings to enable, exclude, or parameterize rules to match your internal policies.
Download JSON to export your customized baseline configuration file for programmatic and repeatable customization.
Assign the policy which can be deployed through the Azure portal, CLI, or your CI/CD pipeline.
Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page.

Coming Soon

Leverage baseline customization to gradually remediate server security non-compliance using Azure Policy! Join the waitlist here: https://aka.ms/BaselineRemediationWaitlist

Learn More

Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.

Empower Smarter AI Agent Investments

Fernando_Vasconcellos — Wed, 05 Nov 2025 14:46:02 GMT

This curated series of modules is designed to equip technical and business decision-makers, including IT, developers, engineers, AI engineers, administrators, solution architects, business analysts, and technology managers, with the practical knowledge and guidance needed to make cost-conscious decisions at every stage of the AI agent journey.

From identifying high-impact use cases and understanding cost drivers, to forecating ROI, adopting best practices, designing scalable and effective architectures, and optimizing ongoing investments, this learning path provides actionable guidance for building, deploying, and managing AI agents on Azure with confidence. Whether you’re just starting your AI journey or looking to scale enterprise adoption, these modules will help you align innovation with financial discipline, ensuring your AI agent initiatives deliver sustainable value and long-term success.

Discover the full learning path here: aka.ms/Cost-Efficient-AI-Agents

Explore the sections below for an overview of each module included in this learning path, highlighting the core concepts, practical strategies, and actionable insights designed to help you maximize the value of AI agent investments on Azure:

Module 1: Identify and Prioritize High-Impact, Cost-Effective AI Agent Use Cases

The journey begins with a strategic approach to selecting AI agent use cases that maximize business impact and cost efficiency. This module introduces a structured framework for researching proven use cases, collaborating across teams, and defining KPIs to evaluate feasibility and ROI. You’ll learn how to target “quick wins” while ensuring alignment with organizational goals and resource constraints. Explore this module

Module 2: Understand the Key Cost Drivers of AI Agents

Building on the foundation of use case selection, Module 2 dives into the core cost drivers of AI agent development and operations on Azure. It covers infrastructure, integration, data quality, team expertise, and ongoing operational expenses, offering actionable strategies to optimize spending at every stage. The module emphasizes right-sizing resources, efficient data preparation, and leveraging Microsoft tools to streamline development and ensure sustainable, scalable success. Explore this module

Module 3: Forecast the Return on Investment (ROI) of AI agents

With a clear understanding of costs, the next step is to quantify value. Module 3 empowers both business and technical leaders with practical frameworks for forecasting and communicating ROI, even without a finance background. Through step-by-step guides and real-world examples, you’ll learn to measure tangible and intangible outcomes, apply NPV calculations, and use sensitivity analysis to prioritize AI investments that align with broader organizational objectives. Explore this module

Module 4: Implement Best Practices to Empower AI Agent Efficiency and Ensure Long-Term Success

To drive efficiency and governance at scale, Module 4 introduces essential frameworks such as the AI Center of Excellence (CoE), FinOps, GenAI Ops, the Cloud Adoption Framework (CAF), and the Well-Architected Framework (WAF). These best practices help organizations accelerate adoption, optimize resources, and foster operational excellence, ensuring AI agents deliver measurable value, remain secure, and support sustainable enterprise growth. Explore this module

Module 5: Maximize Cost Efficiency by Choosing the Right AI Agent Development Approach

Selecting the right development approach is critical for balancing speed, customization, and cost. In Module 5, you’ll learn how to align business needs and technical skills with SaaS, PaaS, or IaaS options, empowering both business users and developers to efficiently build, deploy, and manage AI agents. The module also highlights how Microsoft Copilot Studio, Visual Studio, and Azure AI Foundry can help your organization achieve its goals. Explore this module

Module 6: Architect Scalable and Cost-Efficient AI Agent Solutions on Azure

As your AI initiatives grow, architectural choices become paramount. Module 6 explores how to leverage Azure Landing Zones and reference architectures for secure, well-governed, and cost-optimized deployments. It compares single-agent and multi-agent systems, highlights strategies for cost-aware model selection, and details best practices for governance, tagging, and pricing, ensuring your AI solutions remain flexible, resilient, and financially sustainable. Explore this module

Module 7: Manage and Optimize AI Agent Investments on Azure

The learn path concludes with a focus on operational excellence. Module 7 provides guidance on monitoring agent performance and spending using Azure AI Foundry Observability, Azure Monitor Application Insights, and Microsoft Cost Management. Learn how to track key metrics, set budgets, receive real-time alerts, and optimize resource allocation, empowering your organization to maximize ROI, stay within budget, and deliver ongoing business value. Explore this module

Ready to accelerate your AI agent journey with financial confidence?
Start exploring the new learning path and unlock proven strategies to maximize the cost efficiency of your AI agents on Azure, transforming innovation into measurable, sustainable business success.

Get started today

AMBA-ALZ pattern: Learn about the latest and greatest enhancements!

BrunoGabrielli — Wed, 08 Oct 2025 13:49:40 GMT

Hello AMBA-ALZ customers,

after some time since our last Time for new exciting news about AMBA-ALZ pattern! blog post it again time for some exciting news.

We are very thrilled to share that in September 2025 we were able to reach 2 important goals, both of them enhancing both the Azure platform and the ALZ pattern . In summary we've been working on the :

Adoption of new Azure Service Health built-in policy (see the announcing blog post 🚨 Azure Service Health Built-In Policy (Preview) – Now Available!)
Adoption of the new least privileged "Monitoring Policy Contributor" Azure role for the System Assigned Managed Identities created by AMBA-ALZ deployment

Adoption of Azure Service Health built-in policy

Adopting the new built-in policy, available as of release 2025-10-01, allowed us to address situations where customers only permit the use of built-in policies with a consequent increase of trust in the AMBA-ALZ pattern. We combined with the Service Health Product team to ensure feature parity between the Azure native policy and the previous custom version available in AMBA-ALZ.

The new built-in policy, called "Configure subscriptions to enable service health alert monitoring rule", has been added to the new "Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) for Service Health and Resource Health" initiative together with the previous Resource Health custom policy

Updating to the version that includes the built-in policy is a straightforward process. For new deployments, there's nothing to do since this is going to be the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks which are clearly documented at Adopt the new built-in Azure Service Health policy

Adoption of the new least privileged "Monitoring Policy Contributor" Azure role

As part of the ongoing security enhancements in AMBA-ALZ and following-up on some customer evidence about System Assigned Managed Identities created by AMBA being flagged as overprovisioned by Microsoft Defender for Cloud, we started a collaboration with the Azure RBAC team to create a new tailored and least privileged role. After some research, we were able to craft a new built-in role that is benefit not only for AMBA-ALZ but also for other bult-in policies (like the new Azure Service Health policy) or customer policies that aims at creating Azure Monitor alerts. This role is basically an enhancement of the existing Monitoring Contributor role with some additional permissions necessary to deploy the policies, run the remediations which includes Azure Monitor alerts and Resource Group creation.

This new role, which is designed to align with security standards, is now assigned by default to the managed identities in place of the previous Contributor role. Thanks to this effort we were able to significantly reduce the security risk surface by cutting down the number of unnecessary permissions from nearly 6,700 to just 6.

Before (with Contributor rights)		After (with Monitoring Policy Contributor)

Adopting the least privileged role is super easy. For new deployments, there's nothing to do since this is going to be the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks which are clearly documented at Adopt the new Monitoring Policy Contributor least privileged role.

So, what to do next? Visit the Introduction to deploying the AMBA-ALZ Pattern page to read more about AMBA and to find the deployment methods (Azure Portal UI, Azure CLI, Azure PowerShell, Azure Pipelines, GitHub Actions, Terraform) the best aligns with your needs/preferences and start testing out these new features.

Cloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth

Fernando_Vasconcellos — Mon, 29 Sep 2025 17:37:37 GMT

Why cost efficiency matters more than ever

In today’s digital-first economy, cost efficiency is top of mind for organizations worldwide. As businesses increasingly rely on cloud and AI technologies to drive innovation, streamline operations, and deliver customer value, the pressure to manage investments effectively has never been greater. As organizations scale their workloads, managing infrastructure expenses and usage patterns strategically becomes essential to maximizing ROI and unlocking long-term value.

Cost efficiency is not just a financial metric; it’s a critical enabler of sustainable business growth. Organizations that embrace innovation and modernization with a cost-conscious strategy are better positioned to:

Innovate faster and more confidently
Scale operations without compromising profitability
Maintain agility to adapt and thrive in dynamic market conditions
Align technology spend with business outcomes

Microsoft Azure offers a comprehensive approach to cost efficiency through its Azure Essentials framework, empowering organizations to maximize value across every stage of their cloud and AI journey.

Azure Essentials: A three-stage approach

Azure Essentials provides a structured path to help organizations plan, design, and manage their cloud and AI investments. Let’s explore each stage from a cost efficiency perspective:

Stage 1: Readiness and Foundation

This foundational phase focuses on building clarity, strategy, and skills.

Gain clarity on cloud and AI costs: Understand the cost drivers of cloud and AI workloads.
Prioritize use cases to enhance efficiency and accelerate growth: Identify high-impact use cases where cloud and AI technologies can minimize manual effort, enhance decision-making, automate workflows, and accelerate productivity and revenue growth.
Develop a strategic plan and business case: Align cloud and AI investments with business goals. Build a compelling business case that includes cost-benefit analysis and ROI projections.
Equip teams with the skills for long-term success by providing access to training and certifications that empower them to manage resources efficiently and make informed decisions.

Stage 2: Design and Govern

This phase focuses on cost-conscious, well-architected design and strong governance practices.

Evaluate cost implications throughout the design lifecycle: Consider cost efficiency during solution design, from compute choices to data storage and networking.
Implement governance policies to track and manage spending: Establish and enforce cost-related policies that promote accountability, ensure compliance, and provide visibility into cloud and AI expenditures.
Utilize proven solutions to accelerate time to market: Leverage Microsoft’s solutions, accelerators and reference architectures to reduce development time and avoid costly rework.
Design scalable architectures to maximize long-term efficiency: Build solutions that scale predictably and cost-effectively.

Stage 3: Manage and Optimize

This ongoing phase ensures continuous improvement and value realization.

Continuously monitor usage and spending patterns: Use Microsoft solutions to track resource utilization and identify anomalies.
Quantify the business value of investments: Measure ROI and outcomes to demonstrate impact, guide future decisions, and ensure alignment with strategic goals.
Develop comprehensive remediation plans: Address inefficiencies through rightsizing, automation, and workload optimization.
Maximize investments: Take advantage of pricing offers, automation, and intelligent recommendations to reduce waste without sacrificing performance.

Microsoft solutions and resources to support a cost-efficient journey

To support a cost-efficient journey, Azure Essentials guides organizations through a comprehensive ecosystem of frameworks, products, tools, programs and resources designed to help teams to plan strategically, operate efficiently, and maximize the value of their cloud and AI investments.

1. Frameworks that support cost efficiency

Frameworks play a critical role in driving cost efficiency by providing structured guidance, proven practices, and repeatable patterns that help organizations make informed decisions throughout their cloud and AI journey. These best practices reduce the risk of overspending by promoting well-governed, scalable, and optimized strategies and designs from the outset. They also help teams align technical implementation with business objectives, ensuring that every investment delivers measurable value. By leveraging frameworks like FinOps, CAF, WAF, AI Ops, and the AI Center of Excellence organizations can accelerate deployment, avoid common pitfalls, and continuously refine their approach to maximize return on investment. It’s important to note that organizations don’t necessarily need to adopt every framework listed below. Instead, they can select the ones most aligned with their goals, maturity level, and/or operational needs.

	Overview	Learn more	Get started
FinOps Framework	A collaborative framework that brings finance, engineering, and business teams together to maximize cloud and AI investments. FinOps promotes visibility, accountability, and continuous optimization.	Learn more	Get started
Cloud Adoption Framework (CAF)	CAF offers best practices, tools, and guidance for cloud adoption. It includes cost management strategies across the Azure adoption journey.	Learn more	Get started
Well-Architected Framework (WAF)	WAF helps organizations design secure, reliable, and cost-optimized workloads. The cost optimization pillar focuses on eliminating waste and maximizing value.	Learn more	Get started
AI Ops	An operational model for managing generative AI workloads. It emphasizes cost control, performance monitoring, and responsible AI practices.	Learn more	Get started
AI Center of Excellence	As AI continues to make a global impact, it’s become more important than ever to consider the best practices that will help you scale your operations responsibly and effectively.	Learn more	Get started

2. Products, tools, programs and resources that support cost efficiency

Microsoft’s suite of solutions plays a pivotal role in driving cost efficiency by helping organizations forecast costs, optimize resources, streamline operations, and accelerate innovation. These tools and solutions are designed to empower teams to accelerate adoption with greater visibility, control, and efficiency. By integrating these solutions into their strategy, organizations can make smarter decisions, improve productivity, and ensure that every dollar invested in cloud and AI delivers measurable business value.

Products and tools

	Overview	Learn more	Get started
Azure AI Foundry	Accelerates AI development with reusable components and governance tools. Reduces time-to-value and avoids redundant investments.	Learn more	Get started
Microsoft Fabric	An integrated data platform that simplifies data management and analytics. Consolidates tools and reduces infrastructure overhead.	Learn more	Get started
Copilot in Azure	AI-powered assistance that speeds up tasks, reduces errors, and improves productivity, leading to indirect cost savings.	Learn more	Get started
GitHub	Streamlines DevOps with automation and collaboration tools. GitHub Copilot helps developers write code faster and more efficiently.	Learn more	Get started
Azure Cost Management	Provides visibility into cloud spending, budget tracking, and cost analysis. Enables proactive cost control and optimization	Learn more	Get started
Azure Advisor	Offers personalized recommendations to improve performance, security, and cost efficiency. Helps identify underutilized resources and savings opportunities.	Learn more	Get started
Azure Monitor	Tracks performance and usage metrics. Helps detect inefficiencies and optimize resource allocation.	Learn more	Get started
Azure Policy	Enforces governance rules to prevent cost overruns. Ensures compliance with organizational standards.	Learn more	Get started
Azure Pricing Calculator	Helps estimate costs for planned workloads. Supports informed decision-making during design and planning.	Access	Get started
Azure Migrate	Simplifies migration planning with cost assessments and optimization recommendations. Ensures efficient transition to the cloud.	Learn more	Get started

Programs and Resources

	Overview	Learn more	Get started
Azure Accelerate	A consolidated Microsoft offering that fuels transformation with experts and investments. It is designed to drive cost efficiency across all phases of a project.	Learn more	Get started by contacting your Microsoft account representative or finding an Azure specialized partner.
Azure Architecture Center	A rich repository of reference architectures, design patterns, and best practices. It helps teams build efficient, scalable, and cost-effective solutions.	Learn more	Get started
Azure Landing Zones	Pre-configured environments that provide a scalable, secure, and governed foundation for cloud adoption, helping organizations accelerate deployment while ensuring cost efficiency through standardized architectures, automated governance, and optimized resource management.	Learn more	Get started

3. Azure pricing offers that enable cost efficiency

Azure pricing offers are essential for cost efficiency because they enable organizations to strategically manage cloud and AI spending by aligning pricing models with workload needs. Whether through long-term commitments like Azure Reservations, leveraging existing licenses via Azure Hybrid Benefit, or flexible plans such as the Azure savings plan for compute, these offers help reduce costs, improve budget predictability, and maximize the value of investments, allowing businesses to scale and innovate without overspending.

	Overview	Learn more	Get started
Azure Reservations	Commit to one- or three-year terms for virtual machines, SQL databases, and other resources. Offers significant discounts compared to pay-as-you-go pricing.	Learn more	Get started
Azure Hybrid Benefit	Allows organizations to maximize savings in their migration journey by giving a discount on server licenses and subscriptions and granting hosting and outsourcing benefits.	Learn more	Get started
AI Foundry Provisioned Throughput reservations	Strategic pricing offer for businesses using Provisioned Throughput Units (PTUs) to deploy AI models. Reservations enable businesses to reduce AI workload costs on predictable consumption patterns by locking in significant discounts compared to hourly pay-as-you-go pricing.	Learn more	Get started
Azure Savings Plan for Compute	Flexible commitment-based pricing for compute services. Automatically applies savings across eligible resources.	Learn more	Get started

4. More resources to explore

eBooks: Cost Efficiency Series

	Overview	Download
AI adoption	Learn how to achieve success with Azure AI.	Download
Cloud sustainability	Find out how to effectively manage environmental, social, and governance (ESG) goals.	Download
Cloud migration	Read the cloud migration guide for financial leaders.	Download

Interactive guides and learn modules

	Overview	Get started
Guides for FinOps practitioners	Get hands-on experience with Microsoft solutions to enable FinOps capabilities.	Get started
Azure Hybrid Benefit activation	Get hands-on experience on activating Azure Hybrid Benefit.	Get started
Azure Pricing Plan on MS Learn	This Azure Pricing Plan will help you leverage Azure pricing options and offers, resources and tools to get the most of your cloud investments and achieve your business goals at every stage of your cloud journey.	Get started

Total Economic Impact Study

	Overview	View
The Total Economic Impact™ Of Microsoft Azure Solutions That Enhance Cost Efficiency	In this study, Forrester examined the potential value enterprises may realize by deploying Azure solutions that enhance cost efficiency.	View

Cost efficiency as a catalyst for innovation and growth

In a world where digital transformation is accelerating, cost efficiency is no longer optional, it’s a strategic imperative. Azure Essentials offers a structured approach that leverages proven frameworks, solutions, tools, pricing models and other resources to help organizations:

Maximize the value of their cloud and AI investments
Drive innovation without overspending
Build resilient, scalable, and cost-efficient operations

Whether you're just beginning your journey or refining your cloud and AI strategy, Azure Essentials helps you navigate tools, guidance, and best practices to optimize performance, manage costs effectively, and unlock long-term business value.

GA: Enhanced Audit in Azure Security Baseline for Linux

AmirB — Tue, 02 Sep 2025 16:00:00 GMT

We’re thrilled to announce the General Availability (GA) of the Enhanced Azure Security Baseline for Linux—a major milestone in cloud-native security and compliance. This release brings powerful, audit-only capabilities to over 1.6 million Linux devices across all Azure regions, helping enterprise customers and IT administrators monitor and maintain secure configurations at scale.

What Is the Azure Security Baseline for Linux?

The Azure Security Baseline for Linux is a set of pre-configured security recommendations delivered through Azure Policy and Azure Machine Configuration. It enables organizations to continuously audit Linux virtual machines and Arc-enabled servers against industry-standard benchmarks—without enforcing changes or triggering auto-remediation.

This GA release focuses on enhanced audit capabilities, giving teams deep visibility into configuration drift and compliance gaps across their Linux estate. For our remediation experience, there is a limited public preview available here: What is the Azure security baseline for Linux? | Microsoft Learn

Why Enhanced Audit Matters

In today’s hybrid environments, maintaining compliance across diverse Linux distributions is a challenge. The enhanced audit mode provides:

Granular insights into each configuration check
Industry aligned benchmark for standardized security posture
Detailed rule-level reporting with evidence and context
Scalable deployment across Azure and Arc-enabled machines

Whether you're preparing for an audit, hardening your infrastructure, or simply tracking configuration drift, enhanced audit gives you the clarity and control you need—without enforcing changes.

Key Features at GA

✅ Broad Linux Distribution Support

📘 Full distro list: Supported Client Types

🔍 Industry-Aligned Audit Checks

The baseline audits over 200+ security controls per machine, aligned to industry benchmarks such as CIS. These checks cover:

OS hardening
Network and firewall configuration
SSH and remote access settings
Logging and auditing
Kernel parameters and system services

Each finding includes a description and the actual configuration state—making it easy to understand and act on.

🌐 Hybrid Cloud Coverage

The baseline works across:

Azure virtual machines
Arc-enabled servers (on-premises or other clouds)

This means you can apply a consistent compliance standard across your entire Linux estate—whether it’s in Azure, on-prem, or multi-cloud.

🧠 Powered by Azure OSConfig

The audit engine is built on the open-source Azure OSConfig framework, which performs Linux-native checks with minimal performance impact. OSConfig is modular, transparent, and optimized for scale—giving you confidence in the accuracy of audit results.

📊 Enterprise-Scale Reporting

Audit results are surfaced in:

Azure Policy compliance dashboard
Azure Resource Graph Explorer
Microsoft Defender for Cloud (Recommendations view)

You can query, export, and visualize compliance data across thousands of machines—making it easy to track progress and share insights with stakeholders.

💰 Cost

There’s no premium SKU or license required to use the audit capabilities with charges only applying to the Azure Arc managed workloads hosted on-premises or other CSP environments—making it easy to adopt across your environment.

How to Get Started

Review the Quickstart Guide
📘 Quickstart: Audit Azure Security Baseline for Linux
Assign the Built-In Policy
Search for “Linux machines should meet requirements for the Azure compute security baseline” in Azure Policy and assign it to your desired scope.
Monitor Compliance
Use Azure Policy and Resource Graph to track audit results and identify non-compliant machines.
Plan Remediation
While this release does not include auto-remediation, the detailed audit findings make it easy to plan manual or scripted fixes.

Final Thoughts

This GA release marks a major step forward in securing Linux workloads at scale. With enhanced audit now available, enterprise teams can:

Improve visibility into Linux security posture
Align with industry benchmarks
Streamline compliance reporting
Reduce risk across cloud and hybrid environments

Designing for Certainty: How Azure Capacity Reservations Safeguard Mission‑Critical Workloads

Goutham_Bandapati — Tue, 26 Aug 2025 00:31:11 GMT

Why capacity reservations matter now

Cloud isn’t running out of metal, but demand is compounding and often spikes. Resource strain shows up in specific regions, zones, and VM SKUs, especially for popular CPU families, memory-optimized sizes, and anything involving GPUs. Seasonal events (retail peaks), regulatory cutovers, emergency response, and bursty AI pipelines can trigger sudden surges. Even with healthy regional capacity, a single zone or a specific SKU can be tight. Capacity reservations acknowledge this reality and make it designable instead of probabilistic.

Root reality: Capacity is finite at the SKU-in-zone granularity, and demand arrives in waves.
Risk profile: The risk is not “no capacity in the cloud,” but “no capacity for this exact size in this exact place at this exact moment.”
Strategic move: Reserve what matters, where it matters, before you need it.

What capacity means in practice

Think of three dimensions: region, zone, and SKU. Your workload’s SLO ties to all three.

Region: The biggest pool of resources. It gives you flexibility but doesn’t guarantee availability in a specific zone.
Zone: This is where fault isolation happens and where you’ll often feel the pinch first when demand spikes.
SKU: The specific type of machine you’re asking for. This is usually the tightest constraint, especially for popular sizes like Dv5, Ev5, or anything with GPUs.

Azure Capacity Reservations let you lock capacity for a specific VM size at the regional or zonal scope and then place VMs/scale sets into that reservation.

Pay‑as‑you‑go vs capacity reservations vs reserved instances

Attribute	Pay‑as‑you‑go	Capacity Reservations	Reserved Instances
Primary purpose	Flexibility, no commitment	Guarantee availability for a VM size	Reduce price for steady usage
What it guarantees	Nothing beyond current availability	Capacity in region/zone for N of a SKU	Discount on matching usage (1‑ or 3‑year term)
Scope	Region/zone at runtime, best‑effort	Bound to region or specific zone	Billing benefit across scope rules
Commitment	None	Active while you keep it (on‑demand)	Term commitment (1 or 3 years)

Key clarifications

Capacity reservations ≠ discount tool: They exist to secure availability. You pay while the reservation is active (even if idle) because Azure is holding that capacity for you.
Reserved Instances ≠ capacity guarantee: They reduce the rate you pay when you run matching VMs, but they don’t hold hardware for you.
Together: Use Capacity Reservations to ensure the VMs can run; use Reserved Instances to lower the cost of the runtime those VMs consume.

This is universal, not just Azure

Every major cloud faces the same physics: finite hardware, localized spikes, SKU-specific constraints, and growth in high-demand families (especially GPUs). AWS offers On‑Demand Capacity Reservations; Google Cloud offers zonal reservations. The names differ; the pattern and the need are the same. If your architecture depends on “must run here, as this size, and right now,” you either design for capacity or accept availability risk.

When mission‑critical means “reserve it”

If failure to acquire capacity breaks your SLO, treat capacity as a dependency to engineer, not a variable to assume.

High-stakes cutovers and events:
- Examples: Black Friday, tax deadlines, trading close, clinical batch windows.
- Action: Pre‑reserve the exact SKU in the exact zones for the surge window.
HA across zones:
- Goal: Survive a zone failure by scaling in active zones.
- Action: Consider keeping extra capacity in each zone based on your failover plan, whether that’s N+1 or matching peak load, depending on active/active vs. active/passive.
Change windows that deallocate/recreate:
- Risk: If a VM is deallocated during maintenance, it might not get the same placement when restarted.
- Action: Associate VMs/VMSS with a capacity reservation group before deallocation.
Fixed‑SKU dependencies:
- Signal: Performance needs, licensing rules, or hardware accelerators that lock you into a specific VM family.
- Action: Reserve by SKU. If possible, define fallback SKUs and split reservations across them.
Regulated or latency‑sensitive workloads:
- Constraint: Must run in a specific zone or region due to compliance or latency.
- Action: Prefer zonal reservations to control both locality and availability.

How reserved instances complement capacity reservations

Two-layer strategy:
- Layer 1: Availability: Capacity reservations ensure your compute can be placed when needed.
- Layer 2: Economics: Reserved Instances (or Savings Plans) apply a pricing benefit to the steady‑state hours you actually run.
Practical pairing:
- Steady base load: Cover with 1/3‑year Reserved Instances for maximum savings.
- Critical surge headroom: Hold with Capacity Reservations; if the surge is predictable, you can still layer partial RI coverage aligned to expected utilization.
- Dynamic burst: Leave as pay‑as‑you‑go or use short‑lived reservations during known windows.
FinOps hygiene:
- Coverage ratios: Track RI coverage and capacity reservation utilization separately.
- Rightsizing: Align reservations to the SKU mix you truly run; shift or cancel idle capacity reservations quickly.
- Chargeback: Attribute the cost of “insurance” (capacity) to the workloads that require the SLO, separate from the cost of “fuel” (compute hours).

Conclusion

In today’s cloud landscape, resilience isn’t just redundancy; it’s about assured access to the exact resources your workload demands. Capacity Reservations remove uncertainty by guaranteeing placement, while Reserved Instances drive cost efficiency for predictable use. Together, they form a strategic duo that keeps mission‑critical services running smoothly under any demand surge. Build with both in mind, and you turn capacity from a risk into a controlled asset.

System-Assigned Identity-based Access for Machine Configuration Packages – GA on both Azure and Arc!

mutemwamasheke — Mon, 25 Aug 2025 14:30:00 GMT

We are excited to announce generally available support for System Assigned Identities to privately access configuration packages stored in Azure Storage Blobs. This feature provides a simpler alternative to using Shared Access Signature (SAS) Tokens for anonymous access and is available for use across both Azure and Arc machines. This feature builds on top of our previously released support for User Assigned Identities.

Now you have the flexibility to use either User Assigned or System Assigned Managed Identities when granting private access to packages stored in Azure Storage. Learn more about our support for User Assigned Identities here: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities

What’s new?

Custom Machine Configuration policy definitions can now automatically use the System Assigned Identity of a Virtual Machine or Arc-enabled server with Azure Storage Blob read permissions. Any machine with system-assigned identity enabled and assigned the proper role can now privately access configuration packages in Azure Storage upon assignment of the Policy.

With this release, you do not need to generate a SAS token to reference the URL to a custom package in a custom Policy definition. With this feature, you can now block anonymous access in your Azure Storage accounts where your configuration packages are stored.

Getting started

For this feature to work successfully, you first need to:

IMPORTANT: Deploy the Machine Configuration extension at scale across all virtual machines by assigning the following policy initiative: Deploy prerequisites to enable machine configuration policies on virtual machines. This a required onboarding step for Azure Machine Configuration in order to receive compliance reports.
Ensure that all the Virtual Machines or Arc-enabled servers within the intended scope of your policy have system-assigned identity enabled and granted Storage Blob Data Reader (or equivalent) permissions on the Storage Blob containing the package. See How to develop a custom machine configuration package to learn how to create and upload a custom package.
Download a minimum version of 4.10.0 of the Guest Configuration PowerShell Module to successfully use cmdlets to author a managed identity-based Machine Configuration policy.
Follow the guidance in our official documentation on how to develop a custom machine configuration package.

In order to generate the Azure Policy definition using our Guest Configuration PowerShell Module, pass in the package path into the New-GuestConfigurationPolicy cmdlet. For system-assigned identities, use the -UseSystemAssignedIdentity flag instead of specifying a managed identity resource ID. You must still include the local path of the package as a parameter to allow for package validation and hash generation.

Example PowerShell snippet:

$PolicyConfig = @{ PolicyId = '_My GUID_' ContentUri = 'https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip; DisplayName = 'My deployment policy' Description = 'My deployment policy' Path = './policies/deployIfNotExists.json' Platform = 'Windows' PolicyVersion = 1.0.0 Mode = 'ApplyAndAutoCorrect' # Required for managed identity package authoring LocalContentPath = "C:\Local\Path\To\Package" } New-GuestConfigurationPolicy @PolicyConfig -UseSystemAssignedIdentity

Example Policy definition metadata snippet:

... "metadata": { "category": "Guest Configuration", "version": "1.0.0", "requiredProviders": [ "Microsoft.GuestConfiguration" ], "guestConfiguration": { "name": "TimeZone", "version": "1.0.0", "contentType": "Custom", "contentUri": "https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip", "contentHash": "HASHVALUE", "contentManagedIdentity": "system" } , ... }

You can now pass the file path of the policy definition as an argument in the New-AzPolicyDefinition cmdlet to upload your custom policy definition to Azure! With this feature you can take advantage of the simplicity of managed identities when deploying secure configurations.

Feature Limitations

For the machine to download the assigned package and apply the policy, the Guest Configuration Agent must be version 1.29.98.0 or higher for Windows and 1.26.93.0 or higher for Linux.
To ensure successful enforcement, the generated Azure Policy definition must call the API version 2024-04-05 or later.

Learn more about Machine Configuration in the documentation.

Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge of $6/server/month. You only pay the charge once no matter how many machine configuration policies you apply to the server. If policies are assigned by Microsoft Defender for Servers Plan 2 or the policy is an Azure Security Benchmark, no charges will be incurred. Additionally, if Azure Change Tracking or Inventory Management are being used or the server is on Azure Stack HCI with Connected Machine agent version 1.13, no charges will be incurred.

Announcing Public Preview for Azure Service Groups!

kenieva — Thu, 21 Aug 2025 17:58:39 GMT

What are Service groups?

Service Groups are a new resource container enabling management and observability scenarios where flexibility in hierarchy and membership is needed. Service Groups are tenant level resources so they can have members across the tenant but do not interfere or use tenant-wide RBAC or Policy abilities.

Key Features

Low Privilege Management: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access and appealing to multiple personas. Access to a Service Group does not grant role-based access control or policy inheritance to its members.
Flexible and Varying Hierarchies: Azure resources and scopes, from anywhere in the tenant, can become members of one or multiple service groups. Additionally, Service Groups can be nested providing the ability to have multiple hierarchy structures, i.e. Cost Center, Product, Organization, and more!
Monitoring Capabilities: From your application to infrastructure health, Azure Monitor features (such as Health Models) are now available to help you troubleshoot, investigate, and monitor your Service Group.

When should I use them?

Service Groups should be leveraged in scenarios where resources sprawl across existing containers making it difficult to monitor and manage them. This is commonly found in scenarios needing to model application hierarchy, company services and workloads. Service Groups cannot be used as a deployment scope nor to manage Policy nor RBAC.

Try it out!

Quickly start with Service Groups using REST API or Azure Portal!

For more information on Service Groups, please visit aka.ms/servicegroups.

FAQ 

Do Service Groups replace existing Azure groups?   

No, Service Groups have been designed to work in parallel with existing Azure Groups. For a comparison of existing scopes, please review the scenario comparison documentation.

Who can create Service Groups?

Anyone with a valid Azure user account in a Microsoft Entra directory can leverage Service Groups!

Why are Service Groups tenant level?

Service Groups are tenant level so they can have membership from across the tenant. However, unlike pre-existing tenant level resources (i.e, Management Groups), Service Groups do not have grant users' tenant wide access.

Share Your Feedback

You can reach our team by email at azureservicegroups@microsoft.com.

Create your own Bicep Local Extension using .NET

Sydney Smith — Thu, 07 Aug 2025 14:50:37 GMT

Bicep Local Deploy can be used to author Bicep files which use Bicep extensions that are designed to run fully locally, without the need for an Azure connection. This quick start guide provides guidance for creating your own Bicep Local Extension using .NET.

For more information on Bicep Local please check out this doc and this demo.

This guide assumes you have the .NET 9 SDK installed locally, and the Bicep 0.37.4 (or higher) CLI and VSCode extension installed.

Project Scaffolding

Create a project file named MyExtension.csproj with the following contents:<Project Sdk="Microsoft.NET.Sdk"> <PropertyGroup> <OutputType>Exe</OutputType> <RootNamespace>MyExtension</RootNamespace> <AssemblyName>my-extension</AssemblyName> <IncludeNativeLibrariesForSelfExtract>true</IncludeNativeLibrariesForSelfExtract> <PublishSingleFile>true</PublishSingleFile> <SelfContained>true</SelfContained> <InvariantGlobalization>true</InvariantGlobalization> <TargetFramework>net9.0</TargetFramework> <Nullable>enable</Nullable> <ImplicitUsings>enable</ImplicitUsings> <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath> <AppendRuntimeIdentifierToOutputPath>false</AppendRuntimeIdentifierToOutputPath> </PropertyGroup> <ItemGroup> <PackageReference Include="Azure.Bicep.Local.Extension" Version="0.37.4" /> </ItemGroup> </Project>
Create a file named Program.cs with the following contents:

using Microsoft.AspNetCore.Builder; using Bicep.Local.Extension.Host.Extensions; using Microsoft.Extensions.DependencyInjection; var builder = WebApplication.CreateBuilder(); builder.AddBicepExtensionHost(args); builder.Services .AddBicepExtension( name: "MyExtension", version: "0.0.1", isSingleton: true, typeAssembly: typeof(Program).Assembly) .WithResourceHandler<MyResourceHandler>(); var app = builder.Build(); app.MapBicepExtension(); await app.RunAsync();

3. Create a file named Models.cs with the following contents:

using System.Text.Json.Serialization; using Azure.Bicep.Types.Concrete; using Bicep.Local.Extension.Types.Attributes; public enum OperationType { Uppercase, Lowercase, Reverse, } public class MyResourceIdentifiers { [TypeProperty("The resource name", ObjectTypePropertyFlags.Identifier | ObjectTypePropertyFlags.Required)] public required string Name { get; set; } } [ResourceType("MyResource")] public class MyResource : MyResourceIdentifiers { [TypeProperty("The resource operation type", ObjectTypePropertyFlags.Required)] [JsonConverter(typeof(JsonStringEnumConverter))] public OperationType? Operation { get; set; } [TypeProperty("The text output")] public string? Output { get; set; } }

4. Create a file under Handlers/MyResourceHandler.cs with the following contents:

using Bicep.Local.Extension.Host.Handlers; public class MyResourceHandler : TypedResourceHandler<MyResource, MyResourceIdentifiers> { protected override async Task<ResourceResponse> Preview(ResourceRequest request, CancellationToken cancellationToken) { await Task.CompletedTask; return GetResponse(request); } protected override async Task<ResourceResponse> CreateOrUpdate(ResourceRequest request, CancellationToken cancellationToken) { await Task.CompletedTask; request.Properties.Output = request.Properties.Operation switch { OperationType.Uppercase => request.Properties.Name.ToUpperInvariant(), OperationType.Lowercase => request.Properties.Name.ToLowerInvariant(), OperationType.Reverse => new([.. request.Properties.Name.Reverse()]), _ => throw new InvalidOperationException(), }; return GetResponse(request); } protected override MyResourceIdentifiers GetIdentifiers(MyResource properties) => new() { Name = properties.Name, }; }

Publishing your extension locally

Run the following to in the project directory to publish your extension to your local filesystem:

dotnet publish --configuration release -r osx-arm64 . dotnet publish --configuration release -r linux-x64 . dotnet publish --configuration release -r win-x64 . bicep publish-extension --bin-osx-arm64 ./bin/release/osx-arm64/publish/my-extension --bin-linux-x64 ./bin/release/linux-x64/publish/my-extension --bin-win-x64 ./bin/release/win-x64/publish/my-extension.exe --target ./bin/my-extension --force

Running your extension

Create a file named bicepconfig.json with the following contents:

{ "experimentalFeaturesEnabled": { "localDeploy": true }, "extensions": { "myextension": "./bin/my-extension" }, "implicitExtensions": [] }

2. Create a file named main.bicep with the following contents:

targetScope = 'local' extension myextension param inputText string resource foo 'MyResource' = { name: inputText operation: 'Reverse' } output outputText string = foo.output

3. Create a file named main.bicepparam with the following contents:

using 'main.bicep' param inputText = 'Please reverse me!'

4. Run the following:

bicep local-deploy main.bicepparam

You should see the following output in your terminal:

% bicep local-deploy main.bicepparam Output outputText: "!em esrever esaelP" Resource foo (Create): Succeeded Result: Succeeded

Giving feedback and getting help

Bicep Local is still under development and your feedback is critical to shaping the feature.

Please use our GitHub Repo to get support for give feedback.

Azure Governance and Management Blog articles

[Preview] CIS Benchmarks on Azure; Now for Windows Server

Familiar workflow

Windows specifics

What's next?

Get Started

[Now Generally Available] Customizable Security Baseline Policies in Machine Configuration!

What is Baseline Customization?

What's New?

Built-in Policy Standards Coverage

Key Scenarios

Faster Time to Deployment

Lifecycle Management in the Portal

New Overview Page: See Where You're Unprotected

Integration and Automation

Availability

Getting Started

Prerequisites

Step-by-Step Guidance

Learn More

Introducing the Azure Resource Manager MCP Server!

What this means for you

What You Can Do Today

Real-World Scenarios

Infrastructure Compliance Audit

Building Agents with Azure Resource Manager MCP Server

Getting Started

Prerequisites

Installation

Governance & Security

What's Next?

Get Feedback

Resources

Try It Today

New Local Management Group for ALZ & Updated Sovereign Policies for SLZ

A new ‘Local’ Management Group

What’s changing?

Why have we added it?

How exit planning is supported

Do I place my Azure Arc-enabled resources in the new local management group?

New sovereign policy built-in initiatives aligned to sovereign control levels 1, 2 & 3

What’s changing?

What’s assigned now?

Why have we done this?

What if we have already deployed ALZ or the SLZ?

Announcing One‑Command Backup Configuration for AKS with Azure Backup

The challenge with AKS backup onboarding today

A simpler way: Configure backup in one CLI command

Backup Strategy Presets

Backup Configuration JSON (Advanced Customization)

Supported Parameters

Built‑in validations for reliability

Faster time‑to‑protection for AKS workloads

What’s next

Announcing Public Preview for Essential Machine Management

What is Essential Machine Management?

What management capabilities are enabled?

How much does it cost?

Getting started

Azure Policy: Required Actions for Docker Content Trust Deprecation in Azure Container Registry

What is Changing?

Impacts on Azure Policy

Steps to Mitigate the Impact

Announcing General Availability for Azure Resource Graph (ARG) GET/LIST API

What Challenge Are We Addressing?

When to use Azure Resource Graph (ARG) GET/LIST API

High Volume of GET Calls Within a Single Scope:

Risk of Throttling or Quota Competition:

Need for High Availability and Faster Performance:

Using the ARG GET/LIST API

Video Walkthrough

Learn More

Share Your Feedback

Azure Governance @ Ignite 2025

Optimize Your Cloud Environment Using Agentic AI

From Complexity to Clarity

What’s New in Optimization

A Day in the Life: FinOps in Action

Why It Matters

Get Started at Ignite

FAQ 