<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Core Infrastructure and Security Blog articles</title>
    <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/bg-p/CoreInfrastructureandSecurityBlog</link>
    <description>Core Infrastructure and Security Blog articles</description>
    <pubDate>Sat, 18 Jul 2026 17:53:38 GMT</pubDate>
    <dc:creator>CoreInfrastructureandSecurityBlog</dc:creator>
    <dc:date>2026-07-18T17:53:38Z</dc:date>
    <item>
      <title>Customer Offerings: Solution Optimization for GitHub Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/customer-offerings-solution-optimization-for-github-copilot/ba-p/4536886</link>
      <description>&lt;H1&gt;Introduction&lt;/H1&gt;
&lt;P&gt;As Microsoft Cloud Solution Architects, we are increasingly asked by engineering leaders, platform teams, finance stakeholders, and GitHub administrators how they can scale GitHub Copilot while keeping usage visible and costs predictable. The question is no longer simply how many licenses have been assigned. Agentic experiences, model choice, context size, reasoning level, and task complexity can all influence consumption.&lt;/P&gt;
&lt;P&gt;To address this challenge, Microsoft customers can engage their account team to request a Solution Optimization for GitHub Copilot engagement. The engagement is designed to help customers create visibility, establish practical cost guardrails, and improve the quality and efficiency of GitHub Copilot usage. The objective is not to minimize every token; it is to help each interaction produce useful outcomes with the right level of capability and control.&lt;/P&gt;
&lt;H1&gt;What changed with GitHub Copilot billing?&lt;/H1&gt;
&lt;P&gt;As of June 1, 2026, GitHub Copilot moved from premium request units to usage-based billing with GitHub AI Credits. When a user interacts with an AI-powered Copilot feature, the interaction can consume input tokens, output tokens, and cached tokens. The model used and the number of tokens processed determine the AI credit consumption, where one AI credit represents $0.01 USD.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Area&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What customers should know&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Included usage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Copilot Business includes 1,900 AI credits per licensed user per month, while Copilot Enterprise includes 3,900. These credits are pooled at the billing entity level.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Promotional period&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;At the time of writing, existing Business and Enterprise customers receive higher promotional allowances through August 2026. Validate the current allowance before publishing or making financial decisions.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Included experiences&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Code completions and next edit suggestions remain included on paid plans and do not consume AI credits.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Metered experiences&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AI-powered features such as Copilot Chat, Copilot CLI, Copilot cloud agent, Copilot Spaces, Spark, and supported third-party coding agents consume AI credits.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Additional consumption&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Some agentic experiences, including Copilot code review and cloud agent scenarios, can also consume GitHub Actions minutes in addition to AI credits.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;&lt;BR /&gt;Pricing, allowances, supported models, and product behavior can change. The official GitHub documentation and the customer’s commercial agreement remain the source of truth.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H1&gt;Why optimization is more than cost reduction&lt;/H1&gt;
&lt;P&gt;Token consumption is only the visible part of the problem. A poorly scoped task, unnecessary context, or the wrong model can cause an agent to misunderstand the request, make excessive changes, or require repeated attempts. In that situation, reducing the price of an individual request does not solve the underlying quality problem.&lt;/P&gt;
&lt;P&gt;A better optimization strategy starts with agent quality. The right model, clear instructions, focused context, good repository guidance, and deterministic validation can help Copilot complete work in fewer attempts. Better outcomes and lower consumption frequently reinforce each other.&lt;/P&gt;
&lt;H1&gt;Introducing Solution Optimization for GitHub Copilot&lt;/H1&gt;
&lt;P&gt;The Solution Optimization for GitHub Copilot engagement provides customers with an opportunity to work with a Microsoft Cloud Solution Architect to review how GitHub Copilot is being adopted, consumed, governed, and measured. The final scope should be agreed with the Microsoft account team and may vary according to the customer’s licensing model, environment, maturity, and priorities.&lt;/P&gt;
&lt;P&gt;A typical engagement can focus on the following areas:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Usage visibility:&lt;/STRONG&gt; Establish a current-state view of adoption, AI credit consumption, model activity, license allocation, and the users or workflows driving demand.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Billing readiness:&lt;/STRONG&gt; Review exported usage data, compare scenarios, and identify where the move to usage-based billing changes planning assumptions.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Cost guardrails:&lt;/STRONG&gt; Design user-level, cost-center, organization, and enterprise budget controls that protect the shared pool without unnecessarily blocking productive users.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent quality and token optimization:&lt;/STRONG&gt; Identify improvements to model selection, prompt structure, context management, reasoning levels, repository instructions, and validation steps.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Operating model:&lt;/STRONG&gt; Define ownership, review cadence, escalation paths, reporting responsibilities, and a prioritized backlog of recommended actions.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Potential customer outcomes&lt;/H1&gt;
&lt;P&gt;Depending on the agreed scope, the engagement can help the customer develop:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A baseline of GitHub Copilot adoption, AI credit consumption, and cost drivers.&lt;/LI&gt;
&lt;LI&gt;A view of heavy users, underused licenses, high-consumption models, and agentic workflows that need closer review.&lt;/LI&gt;
&lt;LI&gt;A budget and guardrail design that balances shared-pool flexibility with predictable financial control.&lt;/LI&gt;
&lt;LI&gt;Practical recommendations for improving agent quality and reducing avoidable retries or context overhead.&lt;/LI&gt;
&lt;LI&gt;A prioritized optimization plan with owners, next actions, and measurable follow-up points.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;H1&gt;A practical engagement approach&lt;/H1&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt; Discover: &lt;/STRONG&gt;Review the customer’s goals, GitHub billing entity, Copilot plans, license assignment model, existing policies, cost centers, and available usage data.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Analyze: &lt;/STRONG&gt;Use native GitHub reporting and approved accelerators to examine adoption, AI credit usage, model activity, user patterns, and potential cost drivers.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Optimize: &lt;/STRONG&gt;Map the right model and reasoning level to each task, improve prompts and context, reduce unnecessary tool or repository context, preserve reusable cache, and plan before executing complex changes.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Govern: &lt;/STRONG&gt;Define user-level budgets, power-user overrides, cost-center or organization controls, enterprise spending limits, alerts, and ownership responsibilities.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Measure: &lt;/STRONG&gt;Document the baseline, agree on key indicators, and establish a regular review cycle to measure adoption, value, quality, and consumption over time.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;Tools and accelerators&lt;/H1&gt;
&lt;H2&gt;GitHub AI usage, billing exports, and budget controls&lt;/H2&gt;
&lt;P&gt;GitHub’s native AI usage pages and billing reports should be the starting point for understanding consumption. They provide the information required to identify model usage, users, features, and cost patterns. Native budget controls can then be applied at the appropriate user, cost-center, organization, or enterprise scope.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;&lt;BR /&gt;GitHub AI usage dashboard, exported usage report, and budget controls&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;GitHub Copilot Billing Preview&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://github.com/github/copilot-billing-preview" target="_blank" rel="noopener"&gt;GitHub Copilot Billing Preview&lt;/A&gt; is an open-source web application for analyzing Copilot billing CSV reports, comparing request-based and usage-based billing signals, and exploring usage and cost trends by user, organization, model, product, and cost center. CSV processing occurs locally in the browser. The application is a preview and planning tool, not the billing source of record.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;table border="1" style="width: 93.0556%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;&lt;BR /&gt;GitHub Copilot Billing Preview showing usage and cost trends&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Copilot Insights dashboard&lt;/H2&gt;
&lt;P&gt;The community-developed &lt;A class="lia-external-url" href="https://github.com/amgdy/github-copilot-insights-dashboard" target="_blank" rel="noopener"&gt;Copilot Insights dashboard&lt;/A&gt; provides centralized views of adoption, license allocation, AI credit consumption, model activity, productivity indicators, and team-level reporting. It can complement native GitHub data when a customer needs richer visualization or executive reporting. Customers should review the project’s security, deployment, support, and governance model before production use.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 92.1296%; height: 96.8px; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr style="height: 96.8px;"&gt;&lt;td style="height: 96.8px;"&gt;&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Copilot Insights adoption, license, and AI credit views&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H1&gt;Agent quality and token optimization principles&lt;/H1&gt;
&lt;P&gt;GitHub’s guidance emphasizes that the most sustainable way to reduce AI credit consumption is to improve the quality and efficiency of each interaction. The following principles provide a useful starting point:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Choose the right model for the task.&lt;/STRONG&gt; Reserve powerful reasoning models for complex architecture, debugging, and design work. Use mid-tier or lighter models for well-scoped implementation, documentation, formatting, and routine refactoring.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Provide clear guidance.&lt;/STRONG&gt; State the goal, constraints, expected output, relevant files, and validation criteria. Ambiguous prompts often lead to exploration and rework.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Keep context lean.&lt;/STRONG&gt; Supply the information needed for the task and avoid loading unrelated repositories, files, tools, or instructions into the context window.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Preserve reusable context.&lt;/STRONG&gt; Stable instructions and cached context can reduce repeated processing, provided they remain relevant and accurate.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Research and plan before implementation.&lt;/STRONG&gt; For complex work, separate discovery and planning from execution so the agent does not repeatedly rediscover the same information.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Add deterministic guardrails.&lt;/STRONG&gt; Tests, linting, build validation, explicit stop conditions, and session limits help prevent long-running or low-quality loops.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Measure value, not only consumption.&lt;/STRONG&gt; AI credit data should be considered together with adoption, developer experience, quality, delivery outcomes, and business impact.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Overview video&lt;/H1&gt;
&lt;P&gt;The on-demand session &lt;A class="lia-external-url" href="https://www.youtube.com/live/LeALSSsbzHU" target="_blank" rel="noopener"&gt;GitHub Copilot - Token Optimization [AMER/EMEA]&lt;/A&gt; explains the relationship between token usage and agent quality. The session covers how large language models, agent harnesses, context windows, and available controls influence agent behavior, quality, consumption, and cost.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 96.2963%; height: 413.8px; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr style="height: 413.8px;"&gt;&lt;td style="height: 413.8px;"&gt;&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;A class="lia-external-url" href="https://www.youtube.com/live/LeALSSsbzHU?si=4RgxflItkQFAs9Qk" target="_blank" rel="noopener"&gt;https://www.youtube.com/live/LeALSSsbzHU?si=4RgxflItkQFAs9Qk&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H1&gt;Helpful inputs before the engagement&lt;/H1&gt;
&lt;P&gt;The following inputs can help the Microsoft team and customer make the best use of the engagement:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A GitHub enterprise or organization owner, billing manager, and relevant engineering or platform stakeholders.&lt;/LI&gt;
&lt;LI&gt;Current Copilot plan and license counts, including the billing entity and cost-center structure.&lt;/LI&gt;
&lt;LI&gt;A representative GitHub AI usage or billing export, handled according to the customer’s data policies.&lt;/LI&gt;
&lt;LI&gt;Existing budgets, spending policies, model policies, and reporting processes.&lt;/LI&gt;
&lt;LI&gt;Examples of high-volume agent sessions, code review workflows, or teams reporting unexpected consumption.&lt;/LI&gt;
&lt;LI&gt;The business outcomes the customer wants to improve, such as adoption, developer experience, delivery speed, quality, or cost predictability.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;GitHub Copilot usage-based billing changes the conversation from license assignment alone to the broader discipline of operating AI-assisted software development. Customers need visibility into how AI credits are consumed, controls that prevent unexpected spend, and engineering practices that help agents complete work accurately and efficiently.&lt;/P&gt;
&lt;P&gt;The Solution Optimization for GitHub Copilot engagement can help customers connect usage data to practical decisions, improve agent quality, establish appropriate financial guardrails, and create a repeatable approach for measuring and optimizing GitHub Copilot over time.&lt;/P&gt;
&lt;H1&gt;How do I book this engagement?&lt;/H1&gt;
&lt;P&gt;Microsoft Unified Support customers can contact their Customer Success Account Manager (CSAM) or Microsoft account team and ask about Solution Optimization for GitHub Copilot. The Microsoft team can confirm availability, eligibility, scope, prerequisites, and scheduling for the customer’s environment.&lt;/P&gt;
&lt;H1&gt;Resources&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://docs.github.com/en/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises" target="_blank" rel="noopener"&gt;GitHub Copilot usage-based billing for organizations and enterprises&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://docs.github.com/en/copilot/tutorials/budgets/getting-started-with-budget-controls" target="_blank" rel="noopener"&gt;Getting started with GitHub Copilot budget controls&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://docs.github.com/en/copilot/tutorials/optimize-ai-usage" target="_blank" rel="noopener"&gt;Optimizing AI usage to maximize efficiency and reduce cost&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://docs.github.com/en/copilot/reference/copilot-billing/models-and-pricing" target="_blank" rel="noopener"&gt;Models and pricing for GitHub Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://github.com/github/copilot-billing-preview" target="_blank" rel="noopener"&gt;GitHub Copilot Billing Preview&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://github.com/amgdy/github-copilot-insights-dashboard" target="_blank" rel="noopener"&gt;Copilot Insights dashboard&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.youtube.com/watch?v=LeALSSsbzHU" target="_blank" rel="noopener"&gt;GitHub Copilot - Token Optimization [AMER/EMEA]&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Disclaimer&lt;/H1&gt;
&lt;P&gt;&lt;EM&gt;Pricing, plan entitlements, AI credit allowances, supported models, and product behavior are subject to change. Always verify current information in the official GitHub documentation and the customer’s commercial agreement before making purchasing, budgeting, or technical decisions.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;The sample applications, dashboards, and scripts referenced in this article are provided AS IS without warranty of any kind and may not be supported under a Microsoft or GitHub standard support program unless explicitly stated. Customers are responsible for reviewing security, privacy, compliance, deployment, and operational requirements before using community or open-source solutions in production. This blog post was drafted with the assistance of generative AI and should be reviewed and approved by the author and relevant Microsoft stakeholders before publication.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2026 13:41:27 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/customer-offerings-solution-optimization-for-github-copilot/ba-p/4536886</guid>
      <dc:creator>wernerrall</dc:creator>
      <dc:date>2026-07-15T13:41:27Z</dc:date>
    </item>
    <item>
      <title>Hunting Local AI Tools on macOS with Microsoft Defender for Endpoint</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/hunting-local-ai-tools-on-macos-with-microsoft-defender-for/ba-p/4536965</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI tooling is moving fast. Developers are running models locally, agents are spinning up local servers, and frameworks are adding new ways to extend the endpoint with skills, tools, and memory. That creates a useful productivity surface, but it also presents new challenges for security and governance teams.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A set of AI focused detection and protective Defender for Endpoint features are now in preview – &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/discover-local-ai-agents" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Local AI Agent and MCP detection and inventory&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; as well as &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/security-for-ai/ai-agent-inventory?branch=main" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;AI Agent security posture&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;– both announced in detail here on the &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/the-next-frontier-in-endpoint-security-securing-local-ai-agents-with-microsoft-d/4524651" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Defender XDR blog&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; .&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Those capabilities are emerging, but defenders still need practical visibility now. The power of Microsoft’s XDR platform provides the capability to look at our endpoint telemetry and gather data from your existing environment today…. MDE already captures enough process, file, and network telemetry to start hunting for this activity with Advanced Hunting KQL.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Why Focus on macOS?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Many organizations have developers that have adopted macOS clients as development machines.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Developers are a population that are positioned to take advantage of and use AI in the course of developing Frontier and next generation apps, agents, and capabilities. Which increases their attack surface while maintaining their attractiveness for targeted supply chain attacks.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The capability to detect and have visibility on&amp;nbsp; local AI tool usage, MCP server usage, malicious skill files, or AI-specific abuse patterns such as prompt injection are top of mind topics that I encounter routinely with my customers that I support.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This post walks through how I’d approach that problem: inventory first, then detect local AI servers, monitor skill/configuration files, and finally look for suspicious behavior that may indicate abuse. Keep in mind that though I am specifically addressing macOS in this post, the techniques can be shifted to Linux and other supported platforms through the power and flexibility of KQL and Advanced Hunting.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Why local AI on macOS matters&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Most endpoint detection content has historically focused on malware, persistence, credential theft, and command execution. Local AI agents blur those lines.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;An AI agent running on a developer workstation may legitimately:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Spawn shell commands.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Read source files and configuration files.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Write scripts.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Start a local server.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Pull packages or model files.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Maintain memory or context in local markdown files.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;That same behavior can also become risky if the agent is compromised, misconfigured, or influenced by malicious instructions.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For macOS, two local AI frameworks stand out in the telemetry patterns I reviewed:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Ollama&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; — a local LLM runtime that exposes a local API, commonly on port 11434.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;OpenClaw&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; — an autonomous AI agent platform that uses a local gateway, commonly on port 18789.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Both leave process, filesystem, and network artifacts that MDE can see.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Start with inventory, not alerts&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Before turning anything into a detection rule, start by understanding where local AI tools already exist.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The first useful question is simple: &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Which macOS devices are running AI tooling?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A reporting query against DeviceProcessEvents can identify known AI-related processes such as ollama, openclaw, node, npx, codex, or claude-code. The important detail is that macOS platform filtering needs to come from DeviceInfo, as it is not present in the other KQL tables we will be using.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A practical inventory pattern looks like this:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — macOS AI tool inventory&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
| distinct DeviceId 
| join DeviceProcessEvents on DeviceId 
| where Timestamp &amp;gt; ago(30d) 
| where ( 
    FileName in~ ( 
        "ollama", 
        "openclaw", 
        "ollama_llama_server", 
        "ollama-runner", 
        "mcp-server", 
        "codex", 
        "codex-cli", 
        "claude-code", 
        "npx", 
        "node", 
        "deno" 
    ) 
    or ProcessCommandLine has_any ( 
        "ollama", 
        "openclaw", 
        "ollama_llama_server", 
        "ollama-runner", 
        "mcp-server", 
        "codex", 
        "codex-cli", 
        "claude-code", 
        "npx", 
        "node", 
        "deno" 
    ) 
) 
| summarize 
    FirstSeen = min(Timestamp), 
    LastSeen = max(Timestamp), 
    ExecutionCount = count(), 
    DistinctUsers = dcount(AccountName) 
    by DeviceName, FileName, FolderPath 
| sort by LastSeen desc &lt;/LI-CODE&gt;
&lt;PRE&gt;&amp;nbsp;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This gives you a baseline. Once you know what normal looks like, you can start asking more interesting questions:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which devices are running AI tools for the first time?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which users are adopting them?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which tools are approved?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which tools appeared without a change request or expected rollout?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;That baseline becomes the foundation for alerting.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Detect first-time AI tool usage&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A good first alert is “new AI tool on a macOS device.”&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The key is to compare recent activity against historical activity by both &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;device&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; and &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;tool name&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. If a Mac has already run OpenClaw but suddenly starts running Ollama, that should still be considered a new tool introduction.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — first-time AI tool usage on macOS&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceProcessEvents 
| where Timestamp &amp;gt; ago(1d) 
| where FileName in~ ("ollama", "openclaw") 
    or ProcessCommandLine has_any ("ollama", "openclaw", "openclaw.mjs") 
| join kind=leftanti ( 
    DeviceProcessEvents 
    | where Timestamp between (ago(30d)..ago(1d)) 
    | where FileName in~ ("ollama", "openclaw") 
        or ProcessCommandLine has_any ("ollama", "openclaw", "openclaw.mjs") 
    | distinct DeviceId, FileName, ProcessCommandLine 
) on DeviceId, FileName, ProcessCommandLine 
| summarize 
    FirstSeen = min(Timestamp), 
    LastSeen = max(Timestamp), 
    Count = count() 
    by DeviceName, FileName, ProcessCommandLine, AccountName
| sort by LastSeen desc &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:15921906}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This may be a good daily custom detection candidate, especially in environments where AI tooling needs to be explicitly approved.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Watch for local AI servers&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Local AI frameworks often expose services on localhost. That makes network telemetry useful even when the tool is only listening locally.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Known ports worth watching:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Tool&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Port&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Purpose&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Ollama&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;11434&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Local HTTP API&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;OpenClaw&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;18789&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Local WebSocket gateway&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A targeted detection for those ports is straightforward:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — local AI server listener detection&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
| distinct DeviceId 
|join DeviceNetworkEvents on DeviceId 
| where Timestamp &amp;gt; ago(1d) 
| where ActionType == "ListeningConnectionCreated" 
| where LocalPort in (18789, 11434) 
| project 
    Timestamp, 
    DeviceName, 
    LocalIP, 
    Port = LocalPort, 
    ProcessName = InitiatingProcessFileName, 
    CommandLine = InitiatingProcessCommandLine, 
    User = InitiatingProcessAccountName 
| sort by Timestamp desc &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For broader hunting, enumerate localhost listeners and exclude known system services. This helps find new or less common MCP servers before they show up in a curated indicator list.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Monitor AI skill and context files&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The next detection surface is the filesystem.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI agent frameworks increasingly use markdown-based instruction and context files. Examples include:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;SKILL.md&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;SKILLS.md&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;SOUL.md&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;MEMORY.md&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;AGENTS.md&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These files are powerful because they influence how the agent behaves. A malicious skill file can embed instructions, reference scripts, deliver payloads, or create persistence.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A weekly reporting query can monitor creation and modification of these files:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — AI skill and context file monitoring&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
| distinct DeviceId 
|join DeviceFileEvents on DeviceId  
| where Timestamp &amp;gt; ago(7d) 
| where ActionType in ("FileCreated", "FileModified") 
| where tolower(FileName) in ( 
    "skill.md", 
    "skills.md", 
    "soul.md", 
    "memory.md", 
    "agents.md" 
) 
| project 
    Timestamp, 
    DeviceName, 
    FileName, 
    FolderPath, 
    ActionType, &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For alerting, I would focus on suspicious creators: curl, wget, python, bash, scp, or browser-downloaded files with FileOriginUrl populated.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
|distinct DeviceId 
|join DeviceFileEvents on DeviceId 
| where Timestamp &amp;gt; ago(1d) 
| where ActionType == "FileCreated" 
| where tolower(FileName) in ("skill.md", "skills.md", "soul.md") 
| where InitiatingProcessFileName in ("curl", "wget", "python", "python3","bash", "sh", "zsh", "nscurl", "scp") or isnotempty(FileOriginUrl) 
| project Timestamp, DeviceName, FileName, FolderPath,FileOriginUrl, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The signal is not “a skill file exists.” The signal is “a skill file appeared or modified in an unusual way.”&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Look for prompt injection side effects&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Prompt injection is hard to detect directly from endpoint telemetry because MDE does not see the prompt content inside encrypted sessions or local model interactions.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;But endpoint telemetry can show the downstream effects.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;If an AI agent is manipulated into doing something unsafe, you may see it:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Spawn a shell.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Run osascript.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Invoke launchctl.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Access the macOS Keychain via security.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Use curl, wget, or scp.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Read sensitive paths such as .ssh, .env, or credential files.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="5" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="7" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Make unexpected external network connections.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A useful behavioral detection is AI-related parent processes spawning sensitive child commands:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — AI parent process spawning sensitive child commands&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
| distinct DeviceId 
|join DeviceProcessEvents on DeviceId 
| where Timestamp &amp;gt; ago(1d) 
| where tolower(InitiatingProcessFileName) in ("ollama", "openclaw", "node", "npx", "deno") 
    or InitiatingProcessCommandLine has_any ("openclaw", "ollama", "openclaw.mjs") 
| where FileName in~ ( 
    "sh", 
    "bash", 
    "zsh", 
    "python", 
    "python3", 
    "curl", 
    "wget", 
    "scp", 
    "osascript", 
    "launchctl", 
    "security", 
    "dscl" 
) 
| project 
    Timestamp, 
    DeviceName, 
    ParentProcess = InitiatingProcessFileName, 
    ParentCmdLine = InitiatingProcessCommandLine, 
    ChildProcess = FileName, 
    ChildCmdLine = ProcessCommandLine, 
    User = AccountName 
| sort by Timestamp desc &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This may not be suitable for use as an alert, as developers using AI coding assistants will legitimately run shell commands. The goal is not to block all shell execution. The goal is to identify suspicious combinations: encoded payloads, persistence commands, credential access, unexpected network transfer, or sensitive file access.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Don’t skip external network checks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Local inference should mostly stay local. Ollama may contact external services for model downloads or registry activity, and agents may call approved cloud AI APIs depending on configuration. But unexpected public destinations from local AI processes are worth reviewing.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Start with a narrow allowlist and expand based on your environment:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="caption"&gt;KQL — external network connections from local AI processes&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:200,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceInfo 
| where OSPlatform == "macOS" 
| distinct DeviceId 
|join DeviceNetworkEvents on DeviceId 
| where Timestamp &amp;gt; ago(1d) 
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt") 
| where InitiatingProcessFileName in~ ("ollama", "openclaw", "node") 
    or InitiatingProcessCommandLine has_any ("openclaw", "ollama") 
| where RemoteIPType == "Public" 
| where RemoteUrl !endswith "ollama.com" 
    and RemoteUrl !endswith "openclaw.ai" 
    and RemoteUrl !endswith "anthropic.com" 
    and RemoteUrl !endswith "openai.com" 
| project 
    Timestamp, 
    DeviceName, 
    RemoteIP, 
    RemoteUrl, 
    RemotePort, 
    ProcessName = InitiatingProcessFileName, 
    CommandLine = InitiatingProcessCommandLine 
| sort by Timestamp desc &lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For alerting, consider thresholding on multiple distinct remote URLs from the same AI process over 24 hours. That helps separate one-off legitimate activity from suspicious multi-destination behavior.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;KQL — OpenClaw LaunchAgent Plist Creation (Last 24 Hours)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This catches plist files appearing in ~/Library/LaunchAgents (or /Library/LaunchAgents) that reference OpenClaw by name or were created by an OpenClaw-related process. A matching result indicates that a persistent auto-start configuration has been installed for the AI gateway — which should be validated against approved deployment records.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;DeviceFileEvents 
| where Timestamp &amp;gt; ago(1d) 
| where ActionType in ("FileCreated", "FileModified") 
| where FolderPath has "LaunchAgents" and FileName endswith ".plist" 
| where FileName has "openclaw" 
    or InitiatingProcessFileName in~ ("openclaw", "node") 
    or InitiatingProcessCommandLine has "openclaw" 
| where DeviceId in ( 
    DeviceInfo | where OSPlatform == "macOS" | distinct DeviceId 
) 
| project 
    Timestamp, 
    DeviceName, 
    FileName, 
    FolderPath, 
    InitiatingProcessFileName, 
    InitiatingProcessCommandLine, 
    User = InitiatingProcessAccountName &lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Recommended deployment model&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;I would not deploy every query as an alert on day one. A better operational model is:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Use case&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Cadence&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Deployment&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI process inventory&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Weekly&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Reporting dashboard&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;First-time AI tool per device&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Known AI server ports&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;OpenClaw LaunchAgent persistence&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Skill/context file monitoring&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Weekly&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Reporting dashboard&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Suspicious skill creation&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI process spawning system commands&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection after tuning&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI external network connections&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Daily&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Custom detection after tuning&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Broad localhost listener discovery&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Weekly&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Threat hunt&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The most reliable detections are inventory deltas, known listening ports, persistence artifacts, and suspicious skill creation. The highest-noise detections are behavioral heuristics, especially shell execution and external network activity.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Practical limitations&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;A few MDE/macOS realities matter:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;MDE does not decrypt TLS traffic.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;DeviceProcessEvents does not include OSPlatform, so use DeviceInfo to scope macOS devices. These queries can be used as a base to expand hunting into other OS platforms with minimal modification of the KQL.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;A positive SKILL.md hit still requires content review.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;DeviceFileEvents shows file metadata, not file contents.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;That means these queries should be part of a broader defense-in-depth strategy, not the entire program.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Pair them with:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;MDM and other controls restricting unsigned or unapproved AI apps- which may be problematic in a developer centric environment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Network monitoring for known local AI ports.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Review processes for third-party skills.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Proxy/firewall correlation for suspicious external traffic.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Version-controlled detection content so query changes can be audited and rolled back.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Final thought&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Local AI tools are becoming part of the endpoint reality. You can get a head start on understanding your org’s AI usage with KQL and Advanced hunting, especially on developer-heavy macOS fleets.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp; Agent visibility in the XDR portal is in flight and arriving soon.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In the interim can start now with the telemetry we already have: processes, files, ports, and network connections. Build a baseline. Alert on meaningful change. Tune the noisy heuristics. Review skill files like executable content, because in practice that is what they can become.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Other artifacts that you can hunt for AI are the Defender for Cloud Apps leveraging the &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;governance capability for monitoring or sanctioning and unsanctioning apps&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; – which in this case -&amp;nbsp; monitor the AI related apps.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This is not necessarily about blocking AI usage by default. It is about giving defenders enough visibility to distinguish normal local AI adoption from risky or compromised behavior.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Addendum:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;I’ve created a Sentinel Workbook that incorporates these queries. Available at &lt;/SPAN&gt;&lt;A href="https://github.com/vboyev-MSFT/Microsoft-Sentinel-Workbooks" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;https://github.com/vboyev-MSFT/Microsoft-Sentinel-Workbooks&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Jul 2026 16:42:42 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/hunting-local-ai-tools-on-macos-with-microsoft-defender-for/ba-p/4536965</guid>
      <dc:creator>Vytas_Boyev</dc:creator>
      <dc:date>2026-07-14T16:42:42Z</dc:date>
    </item>
    <item>
      <title>Check This Out! (CTO!) Guide (July 2026)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-july-2026/ba-p/4536608</link>
      <description>&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/users/tysonpaul/322025" data-lia-auto-title="Member: TysonPaul | Microsoft Community Hub" data-lia-auto-title-active="0" target="_blank"&gt;Member: TysonPaul | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/triage-vulnerabilities-with-the-vulnerability-remediation-agent-now-in-public-pr/4528646" target="_blank" rel="noopener noreferrer"&gt;Triage vulnerabilities with the Vulnerability Remediation Agent, now in public preview&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/16/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has launched the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune, now in public preview. This agent automates the identification, prioritization, and remediation of vulnerabilities on Intune-managed Windows devices using data from Microsoft Defender. It provides prioritized recommendations, Copilot-assisted impact analysis, and step-by-step remediation guidance, all within the Intune admin center. The agent operates securely under a dedicated agentic identity, ensuring clear governance and accountability. The streamlined workflow helps IT teams quickly address critical threats, reduce exposure, and track progress, supporting a more proactive, AI-driven security posture.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/deploying-platform-sso-for-pre-macos-26-with-microsoft-intune-lessons-learned/4521368" target="_blank" rel="noopener noreferrer"&gt;Deploying Platform SSO for pre macOS 26 with Microsoft Intune: Lessons Learned&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/mikegriz/293153" target="_blank" rel="noopener noreferrer"&gt;MikeGriz&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/18/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article details Microsoft’s internal deployment of Platform Single Sign-On (PSSO) for pre-macOS 26 devices using Intune. It highlights the benefits of Secure Enclave-backed authentication—phishing-resistant MFA, device-bound tokens, and improved Conditional Access—while outlining setup steps, user experience, troubleshooting, and best practices. Key challenges included password policy mismatches and users dismissing registration prompts. The authors recommend starting with Secure Enclave, deploying during enrollment, aligning password policies, and piloting thoroughly. PSSO enables passwordless, hardware-backed SSO across Microsoft 365 apps, improving security and user experience for Mac fleets.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/scale-on-prem-ai-with-foundry-local-on-azure-local-multi-node-inference-and-vllm/4516692" target="_blank" rel="noopener noreferrer"&gt;Scale On-Prem AI with Foundry Local on Azure Local: Multi-Node Inference and vLLM Support&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/liranlyabock/3433085" target="_blank" rel="noopener noreferrer"&gt;LiranLyabock&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article announces expanded capabilities for Foundry Local on Azure Local, including multi-node inference scheduling, vLLM runtime support, and a broader model catalog. These enhancements enable scalable, high-concurrency AI deployments fully on-premises—even in disconnected environments—using Kubernetes-native and OpenAI-compatible patterns. vLLM boosts throughput for large models and concurrent workloads, with automatic GPU tuning via vLLMplanner. Identity-based access is supported for multi-user scenarios. The platform now accommodates more models, including Mistral and Nemotron, and offers seamless integration and operation for regulated, sovereign, and edge environments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/unlock-on-prem-productivity-with-agentic-retrieval-in-foundry-local/4523646" target="_blank" rel="noopener noreferrer"&gt;Unlock On-Prem Productivity with Agentic Retrieval in Foundry Local&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/moran_assaf/3028283" target="_blank" rel="noopener noreferrer"&gt;moran_assaf&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces Agentic Retrieval in Foundry Local, a new on-premises platform enabling advanced, context-rich AI interactions without relying on cloud connectivity. Powered by Azure Arc and Foundry models, it offers orchestration, governed knowledge management, and a production-ready chat UI for regulated, disconnected, and mission-critical environments. Key features include flexible deployment, auditable reasoning, multi-document synthesis, data sovereignty, and seamless user experience. This release supports Microsoft’s Adaptive Cloud vision, delivering resilient, intelligent GenAI solutions wherever customer data and operations reside, ensuring compliance and autonomy for enterprise and public sector users.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/microsoft-365-copilot-on-mobile-what-staged-rollout-plans-can-miss/4524953" target="_blank" rel="noopener noreferrer"&gt;Microsoft 365 Copilot on mobile: What staged rollout plans can miss&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights that staged rollout plans for Microsoft 365 Copilot on mobile often miss how quickly real-world usage spreads. Mobile access accelerates adoption in “in-between” work moments, making usage less linear and more socially driven than planned. Desktop-focused governance and communication strategies may not apply to mobile-first behaviors, leading to early questions and confusion. IT teams should focus on rollout sequencing, setting user behavior expectations, governance/readiness, and clear communication to align planned deployment with actual adoption momentum. Early signals of mobile usage require proactive adjustments to maintain clarity and control.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuretoolsblog/faster-az-login-introducing---skip-subscription-discovery-and-targeted---subscri/4526116" target="_blank" rel="noopener noreferrer"&gt;Faster az login: introducing --skip-subscription-discovery and targeted --subscription&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuretoolsblog" target="_blank" rel="noopener noreferrer"&gt;Azure Tools&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alex-wdy/1467559" target="_blank" rel="noopener noreferrer"&gt;Alex-wdy&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces two new Azure CLI flags—`--skip-subscription-discovery` and targeted `--subscription`—which significantly speed up the `az login` process for users with many tenants and subscriptions. By skipping the post-authentication subscription enumeration, login times drop from minutes to seconds. These features, available from Azure CLI v2.86.0, are ideal for enterprise users or CI/CD scenarios needing quick access to specific subscriptions, but may not suit cases requiring access to multiple subscriptions or discovery.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/network-security-perimeter-for-azure-service-bus--also-now-available-in-azure-go/4526413" target="_blank" rel="noopener noreferrer"&gt;Network security perimeter for Azure Service Bus &amp;amp; also now available in Azure Gov. Regions&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/shashankamalladi/1995095" target="_blank" rel="noopener noreferrer"&gt;shashankamalladi&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/08/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Network security perimeter support for Azure Service Bus is now generally available, including in Azure Government regions. This enables centralized security boundaries, perimeter-based governance, and secure PaaS-to-PaaS communication for messaging services. Customers can define explicit access controls, confine communications, and enhance audit/compliance visibility. The feature supports regulated and mission-critical workloads, ensuring consistent security across commercial and sovereign environments. Future plans include expanding onboarding to more PaaS services and improving access rule capabilities.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/migrating-from-msee-hairpin-routing-to-avnm-mesh-for-large-scale-vnet-to-vnet-co/4529320" target="_blank" rel="noopener noreferrer"&gt;Migrating from MSEE Hairpin Routing to AVNM Mesh for Large-Scale VNet-to-VNet Connectivity&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jay-li/1197988" target="_blank" rel="noopener noreferrer"&gt;Jay-Li&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/18/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how large Azure deployments can migrate from MSEE hairpin routing to Azure Virtual Network Manager (AVNM) mesh for VNet-to-VNet connectivity. AVNM mesh enables direct, in-datacenter east-west traffic, eliminating MSEE as a single point of failure, reducing latency, and supporting up to 5,000 VNets and 20,000 Private Endpoints. Migration is incremental, reversible, and doesn’t disrupt existing network paths or security inspection, with AVNM centrally managing connectivity. The article details migration steps, scaling considerations, and validation processes, emphasizing operational simplicity and improved performance for large-scale Azure environments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/azure-sets-a-new-performance-record-for-llm-training-benchmark-at-extreme-scale/4523077" target="_blank" rel="noopener noreferrer"&gt;Azure Sets a New Performance Record for LLM Training Benchmark at Extreme Scale&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/azinheidarshenas/3326178" target="_blank" rel="noopener noreferrer"&gt;azinheidarshenas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/16/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure set a new MLPerf Training benchmark record by training Llama 3.1 405B in just over seven minutes, scaling to 8,192 NVIDIA GB200 NVL72 GPUs across 128 racks. This was achieved through high operational efficiency, resilient networking, and topology-aware workload mapping. Azure’s Fairwater AI supercomputing infrastructure, with NVLink and MRC networking, minimized communication bottlenecks, enabling near-perfect scaling and stable step times. The result demonstrates Azure’s ability to handle massive, synchronous LLM training workloads efficiently, showcasing both hardware and system-level innovations for frontier-scale AI.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/scaling-high-performance-cad-on-azure-virtual-desktop-with-nvidia-rtx-pro-6000/4528892" target="_blank" rel="noopener noreferrer"&gt;Scaling High-Performance CAD on Azure Virtual Desktop with NVIDIA RTX PRO 6000&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/sunita_az0708/1500754" target="_blank" rel="noopener noreferrer"&gt;Sunita_AZ0708&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/17/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The study validates Siemens NX 2506 running on Azure Virtual Desktop with NVIDIA RTX PRO 6000 GPU, supporting up to 30 concurrent users with stable graphics and consistent performance. Single-host setups efficiently consolidate users, while multi-host configurations boost responsiveness and performance, especially for GPU-intensive tasks at higher user densities. All certification workloads passed successfully, confirming reliable GPU sharing and scalability. Azure AVD with RTX PRO 6000 proves suitable for enterprise CAD deployments, enabling centralized infrastructure, high user density, reduced hardware dependency, and scalable engineering workflows for real-world tasks and assemblies.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/from-prompt-to-provisioned-a-closer-look-at-the-azure-deployment-agent/4529935" target="_blank" rel="noopener noreferrer"&gt;From Prompt to Provisioned: A Closer Look at the Azure Deployment Agent&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pierre_roman/140097" target="_blank" rel="noopener noreferrer"&gt;Pierre_Roman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces the Azure Deployment Agent, showcased at the Microsoft Azure Infra Summit 2026. This AI-driven tool helps IT professionals design, review, and provision Azure workloads by conversing in natural language, grounding plans in the Well-Architected Framework, and generating production-ready infrastructure code. It enables consistent, efficient deployments, supports both Terraform and Bicep, integrates with Copilot and popular IDEs, and is open-source for customization. Currently focused on new workloads, the agent aims to simplify cloud architecture and standardize operations, with ongoing improvements for existing estates.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/deploy-an-azure-landing-zone-in-about-twelve-minutes-with-the-alz-iac-accelerato/4529937" target="_blank" rel="noopener noreferrer"&gt;Deploy an Azure Landing Zone in About Twelve Minutes with the ALZ IaC Accelerator&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pierre_roman/140097" target="_blank" rel="noopener noreferrer"&gt;Pierre_Roman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/24/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights the Azure Landing Zone (ALZ) Infrastructure as Code Accelerator, showcased at the Microsoft Azure Infra Summit 2026. The ALZ Accelerator drastically reduces deployment time for secure, governed Azure platforms from weeks to about twelve minutes using Bicep or Terraform modules. It automates setup, supports multiple scenarios and options, aligns with the Well-Architected Framework, and is open source. The accelerator enables rapid, production-grade deployments, saving IT pros from manual configurations, and supports both GitHub and Azure DevOps pipelines, making cloud adoption faster and easier.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/announcing-the-path-to-production-for-agents-webinar-series/4526560" target="_blank" rel="noopener noreferrer"&gt;Announcing the Path to Production for Agents Webinar Series&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/brauerblogs/1161065" target="_blank" rel="noopener noreferrer"&gt;brauerblogs&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/09/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The Path to Production for Agents Webinar Series, held July 27-28, helps organizations transition AI projects from prototypes to secure, scalable, production-ready systems. Sessions cover governance frameworks, production architecture, multi-agent design, operational best practices, security, observability, and optimization techniques. Attendees will learn practical, actionable patterns for deploying and managing AI agents at enterprise scale, with real-world examples and reference architectures. The series targets architects, engineers, and technical leaders seeking to operationalize AI, and offers follow-up engagements for Microsoft customers to implement these practices. Registration is available online.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/revolutionizing-document-intelligence-scaling-construction-industries-with-ai-dr/4522393" target="_blank" rel="noopener noreferrer"&gt;Revolutionizing Document Intelligence: Scaling Construction Industries with AI-Driven Extraction&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/gauravbhardwaj/3490943" target="_blank" rel="noopener noreferrer"&gt;gauravbhardwaj&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/18/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explores how Generative AI and Azure AI services are revolutionizing document extraction in the construction industry, addressing challenges like low productivity and high costs. By automating the analysis of design documents, AI increases accuracy, reduces manual labor, and improves coordination. The proposed hybrid architecture combines deterministic extraction with generative gap-filling for scalable, auditable workflows, resulting in cost savings, reduced errors, and faster project delivery. The solution emphasizes robust security and adaptability, offering a blueprint for AI-driven document intelligence across multiple sectors, including insurance, legal, healthcare, and finance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackforazureblog/azure-availability-zone-mapping-and-vm-resilience-analysis-guidance-using-sre-az/4526548" target="_blank" rel="noopener noreferrer"&gt;Azure Availability Zone Mapping and VM Resilience Analysis Guidance using SRE.AZURE.COM Agent&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackforazureblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack for Azure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/munieswar_avulapalli/1127849" target="_blank" rel="noopener noreferrer"&gt;munieswar_avulapalli&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/08/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how SRE.Azure.com helps Azure engineers analyze Availability Zone mappings and VM resilience. Logical zone numbers (1, 2, 3) do not directly map to physical datacenter zones across subscriptions, impacting high availability and disaster recovery planning. The SRE agent enables discovery of zone mappings, VM distribution, resilience gaps, and generates reports. Understanding these mappings is essential for ensuring workload separation and compliance. The guidance includes suggested prompts for generating analysis and emphasizes that physical separation cannot be assumed based solely on logical zone numbers.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurevirtualdesktopblog/azure-virtual-desktop-supports-greater-application-and-identity-functionality-wi/4521365" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop supports greater application and identity functionality with latest updates&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurevirtualdesktopblog" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/christian_montoya/305776" target="_blank" rel="noopener noreferrer"&gt;Christian_Montoya&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced new Azure Virtual Desktop updates, including general availability of FSLogix user profile management and Azure Role-based Access Control (RBAC) for external identities. SAML IdP can now be configured as domainless (public preview), easing integration for developers. External identity support is expanded to Android and macOS platforms in Azure public cloud and is generally available for US Government cloud. These enhancements streamline access for users outside organizations without needing new accounts and improve application and identity functionality. More technical details and resources are available on Microsoft’s Learn and Community pages.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/a-deep-dive-into-azure-bastion-session-recording/4527583" target="_blank" rel="noopener noreferrer"&gt;A deep dive into Azure Bastion session recording&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juquint/3370988" target="_blank" rel="noopener noreferrer"&gt;juquint&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Bastion Premium’s session recording feature captures RDP and SSH sessions for improved security, compliance, and forensic analysis. Recordings are stored in Azure Storage accounts, authenticated via either SAS URL or Managed Identity. While SAS URLs require manual token management and pose security risks, Managed Identity offers automated, secure authentication with no credentials to rotate, better RBAC integration, and improved compliance. The article details setup steps for both options and recommends Managed Identity for enterprise environments due to its simplicity and robust security. Session recordings are easily accessed within the Bastion resource’s Session recordings blade.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/designing-cloud-landing-zones-by-traffic-flow-a-defence%E2%80%91in%E2%80%91depth-dmz%E2%80%91first-archi/4524280" target="_blank" rel="noopener noreferrer"&gt;Designing Cloud Landing Zones by Traffic Flow: A Defence‑in‑Depth, DMZ‑First Architecture&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/avanishyadav/3424257" target="_blank" rel="noopener noreferrer"&gt;AvanishYadav&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/03/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article advocates for a security-driven, DMZ-first cloud landing zone architecture in Microsoft Azure, emphasizing defense-in-depth and clear trust boundaries for traffic flows. It recommends multi-hub designs to separate Internet-facing (DMZ) and internal (Core) traffic inspection, improving security, scalability, and operational clarity. Scenarios using third-party firewalls, Azure Firewall, and Azure Virtual WAN illustrate approaches for inbound, outbound, East-West, and hybrid connectivity. The distributed hub-and-DMZ model reduces complexity, supports regulatory compliance, and enhances resiliency, making it essential for large, regulated, and multi-region enterprise workloads.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/kubernetes-center-security--ltsout-of-support-version-insights-now-available/4524567" target="_blank" rel="noopener noreferrer"&gt;Kubernetes Center: Security &amp;amp; LTS/Out-of-Support Version Insights Now Available&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/harsha_nair/3151331" target="_blank" rel="noopener noreferrer"&gt;Harsha_Nair&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Kubernetes Center now offers enhanced security and cluster version support insights in the Azure portal. The new Security page provides an overview of vulnerabilities, runtime alerts, misconfigurations, and regulatory compliance, with actionable recommendations, requiring Microsoft Defender for Containers. The Cluster Version Support Status panel displays Kubernetes version support across clusters, highlighting those expiring soon, out-of-support, or eligible for Long Term Support (LTS), and enables easy remediation. These features help platform teams monitor security posture, prevent version drift, address misconfigurations, and report compliance efficiently across all AKS clusters.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/ginkgo-bioworks-and-microsoft-discovery-bringing-agentic-ai-to-biological-discov/4526550" target="_blank" rel="noopener noreferrer"&gt;Ginkgo Bioworks and Microsoft Discovery: Bringing agentic AI to biological discovery&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/nihitpokhrel/3326079" target="_blank" rel="noopener noreferrer"&gt;NihitPokhrel&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/09/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft and Ginkgo Bioworks are collaborating to integrate Microsoft Discovery’s agentic AI platform with Ginkgo’s autonomous lab infrastructure, enabling researchers to design, execute, and analyze biological experiments seamlessly. This integration supports iterative, Design–Make–Test–Analyze workflows, streamlining experiment planning, execution, and data analysis. The partnership aims to accelerate biological discovery by increasing speed, scale, transparency, and reproducibility, reducing manual effort and connecting AI-driven reasoning directly to real-world lab validation. The approach is extensible, supporting broader scientific and engineering research needs.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/new-ways-to-learn-and-demonstrate-skills/4519038" target="_blank" rel="noopener noreferrer"&gt;New ways to learn and demonstrate skills&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/cameronpercy/3490952" target="_blank" rel="noopener noreferrer"&gt;CameronPercy&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft announced new ways for developers to learn and demonstrate skills, including Microsoft Pro Badges—credentials that recognize real-world proficiency without separate tests, assessed via Verified Proficiency telemetry. Pro Badges launch in June 2026, starting with GitHub Copilot. Microsoft Applied Skills lab assessments will soon award Pro Badges. New co-authored AI skilling paths, beginning with Anthropic, are available in AI Skills Navigator. The Microsoft AI Skills Fest (June 8–12, 2026) offers practical sessions, a hackathon, and opportunities to earn certification vouchers, all aimed at advancing developers’ real-world capabilities.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/deep-reasoning-agents-for-academic-research-the-right-tool-for-the-task/4501741" target="_blank" rel="noopener noreferrer"&gt;Deep-reasoning agents for academic research: The right tool for the task&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/darcyogden/3189326" target="_blank" rel="noopener noreferrer"&gt;DarcyOgden&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how deep-reasoning agents, like Researcher and Analyst in Microsoft 365 Copilot, enhance academic research by supporting source comparison, assumption testing, and data analysis. It compares these specialized tools to general-purpose AI, highlighting their alignment with academic standards. The Academic Researcher’s Guide to Deep-Reasoning Agents offers practical advice for selecting and using these tools effectively, managing limitations, and improving outputs. Researchers are encouraged to treat these AI agents as supportive tools, document their processes, and critically evaluate results to ensure rigorous research practices.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/public-preview-automatic-os-image-upgrades-for-vmss-flex/4523067" target="_blank" rel="noopener noreferrer"&gt;Public preview: Automatic OS Image Upgrades for VMSS Flex&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/bmahboob/3510938" target="_blank" rel="noopener noreferrer"&gt;BMahboob&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure has launched a public preview of Automatic OS Image Upgrades for Virtual Machine Scale Sets (VMSS) using Flexible Orchestration Mode. This feature streamlines OS updates across VMSS fleets, enhancing security, performance, and compliance while reducing manual effort and operational complexity. It provides consistent, fleet-wide orchestration with health-based safety measures. To use it, prerequisites include registering the feature, installing health extensions, and enabling the upgrade policy. Azure is now expanding onboarding and validating the experience across more workloads. Feedback is encouraged during the preview.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/announcing-preview-of-guest-rdma-for-azure-boost/4524589" target="_blank" rel="noopener noreferrer"&gt;Announcing Preview of Guest RDMA for Azure Boost&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/mengxiwu/3515724" target="_blank" rel="noopener noreferrer"&gt;MengxiWu&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has launched a preview of Guest RDMA in Azure’s UK South region, enabling high-throughput, ultra-low latency networking within guest virtual machines via Azure Boost. This allows VMs to bypass the traditional networking stack, reducing CPU usage and improving performance for AI, storage, database, and HPC workloads. Guest RDMA supports various VM series and Linux distributions, but is currently limited to direct VM-to-VM connections within a VNET. Broader network scenarios will be supported at general availability. Interested users can sign up for the preview and provide feedback to Microsoft.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/finopsblog/right%E2%80%91sizing-azure-savings-plans-one-hour-at-a-time/4527507" target="_blank" rel="noopener noreferrer"&gt;Right‑sizing Azure Savings Plans, one hour at a time&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/finopsblog" target="_blank" rel="noopener noreferrer"&gt;FinOps&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/dirk_brinkmann/2425227" target="_blank" rel="noopener noreferrer"&gt;Dirk_Brinkmann&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how FinOps teams can use Azure's Benefit Recommendations API and a companion PowerShell script to extract hourly Pay-As-You-Go (PAYG) usage and alternative Savings Plan commitment levels. This approach enables more accurate, data-driven decisions instead of relying on a single recommended figure. The script produces analyst-friendly outputs for deeper analysis, allowing teams to visualize demand patterns, optimize savings, and minimize wastage. Full documentation and code are available on GitHub, encouraging users to improve their Azure savings strategies with transparent, defensible data.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/finopsblog/introducing-github-pre-purchase-plans-a-simpler-way-to-plan-your-github-spend/4528855" target="_blank" rel="noopener noreferrer"&gt;Introducing GitHub Pre-Purchase Plans: A Simpler Way to Plan Your GitHub Spend&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/finopsblog" target="_blank" rel="noopener noreferrer"&gt;FinOps&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/kyleikeda/849111" target="_blank" rel="noopener noreferrer"&gt;kyleikeda&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/17/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; GitHub Pre-Purchase Plans offer organizations a way to simplify and save on GitHub spending by committing upfront to a prepaid amount, which can be used across eligible services over 12 months. Larger commitments unlock higher discounts, up to 15%. This approach enables predictable budgeting for variable, usage-based costs like Copilot and AI Credits, and aligns GitHub billing with Azure subscriptions. Two plan types are available via Azure Reservations, providing flexibility for platform-wide or AI-specific usage. Pre-Purchase Plans do not replace existing purchasing methods but offer an additional budgeting option for commercial customers.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/automating-daily-mde-compliance-monitoring-across-azure-vms/4528274" target="_blank" rel="noopener noreferrer"&gt;Automating Daily MDE Compliance Monitoring Across Azure VMs&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/sayanroy/791828" target="_blank" rel="noopener noreferrer"&gt;SayanRoy&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article details a Logic App solution for automating daily Microsoft Defender for Endpoint (MDE) compliance checks across Azure VMs. It addresses gaps where VMs may silently lose MDE coverage and provides automated owner notifications, daily IT summary reports with CSV attachments, and explicit handling of VMs lacking owner tags. The workflow queries all running Azure VMs, matches them to MDE device records, and sends compliance alerts. It requires a Logic App, managed identity, specific API permissions, and proper tagging. The approach streamlines compliance monitoring, reduces manual effort, and ensures prompt visibility of security gaps.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/security-copilot-rbac-for-embedded-experience-in-unified-security-platform/4528833" target="_blank" rel="noopener noreferrer"&gt;Security Copilot RBAC for Embedded Experience in Unified Security Platform&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/santoshpargi/1255468" target="_blank" rel="noopener noreferrer"&gt;SantoshPargi&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/17/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how Microsoft Security Copilot integrates AI-powered assistance directly within security platforms like Defender XDR and Sentinel, streamlining SOC operations. It details a three-layer Role-Based Access Control (RBAC) model—Security Copilot, Microsoft Entra, and service-specific roles—to ensure secure, least-privilege access. Copilot uses an On-Behalf-Of model, limiting data access to user permissions. Key use cases include summarization, guided response, script analysis, and reporting, all mapped to SOC processes. Proper RBAC alignment enables Copilot to accelerate investigations, enhance accuracy, and strengthen security while maintaining compliance and governance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/simpler-scalable-file-share-management-in-azure---now-generally-available/4523035" target="_blank" rel="noopener noreferrer"&gt;Simpler, scalable file share management in Azure - now generally available&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/vincentliu/3144831" target="_blank" rel="noopener noreferrer"&gt;VincentLiu&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/02/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Azure has announced the general availability of a new, simplified file share management experience for premium SSD NFS file shares. This update enables independent provisioning, security, and billing for each file share, aligning management boundaries to workload needs. Key benefits include faster provisioning, enhanced scalability (up to 10,000 shares per region), share-level security and networking, improved cost tracking, and robust data protection with snapshots. The new experience supports Infrastructure-as-Code automation and is designed to reduce complexity, improve operational agility, and facilitate easier chargeback and resource management for Linux workloads in Azure.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/from-file-data-to-ai%E2%80%91powered-knowledge-pipelines-using-azure-netapp-files-object/4528001" target="_blank" rel="noopener noreferrer"&gt;From File Data to AI‑Powered Knowledge Pipelines using Azure NetApp Files object REST API&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/geertvanteylingen/222853" target="_blank" rel="noopener noreferrer"&gt;GeertVanTeylingen&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how Azure NetApp Files, OneLake, Azure AI Search, and Azure OpenAI combine to create an AI-powered knowledge pipeline for enterprise file data. This pipeline indexes and semantically searches files in place, enabling retrieval-augmented generation (RAG) for accurate, traceable, and grounded AI responses without moving or duplicating data. The architecture ensures compliance, scalability, and seamless integration with existing workflows, transforming file data into a living, queryable resource. It prepares enterprises for AI-driven user experiences, like Copilot, by delivering controlled, authoritative answers with source citations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/three-lessons-that-make-or-break-your-aws-to-azure-workload-migration/4520020" target="_blank" rel="noopener noreferrer"&gt;Three lessons that make or break your AWS-to-Azure workload migration&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/rhack/2854208" target="_blank" rel="noopener noreferrer"&gt;rhack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights three crucial lessons for successful AWS-to-Azure workload migration: (1) Ensure ongoing stakeholder alignment through readiness assessments and clear approvals; (2) migrate workloads like-for-like before optimizing to avoid complexity and build confidence; and (3) use a blue-green cutover strategy to minimize risk and downtime, enabling easy rollback. Avoid common pitfalls like overengineering, misaligned stakeholders, and believing in instant cutovers. The article recommends Microsoft’s structured migration process and resources for further guidance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/generate-at-scale-code-insights-in-azure-migrate-using-github-copilot-modernize-/4529120" target="_blank" rel="noopener noreferrer"&gt;Generate at scale code insights in Azure Migrate using GitHub Copilot Modernize CLI (preview)&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/nikita_bajaj/1441355" target="_blank" rel="noopener noreferrer"&gt;Nikita_Bajaj&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Migrate now integrates with GitHub Copilot Modernize CLI (preview) to provide scalable code insights for .NET and Java web apps. This collaboration enables migration teams to assess multiple applications simultaneously, reduce analysis time, and make informed refactor-versus-replatform decisions. Users receive actionable code-fix recommendations and effort estimates, improving modernization planning and adherence to security guidelines. Setup involves downloading a configuration file from Azure Migrate, mapping repositories, and running the CLI. Code assessments are automatically reported back to Azure Migrate for centralized review and remediation guidance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/networkingblog/doh-is-now-generally-available-on-windows-dns-server/4526839" target="_blank" rel="noopener noreferrer"&gt;DoH is now generally available on Windows DNS Server&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/networkingblog" target="_blank" rel="noopener noreferrer"&gt;Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jorgeca%C3%B1as/2838432" target="_blank" rel="noopener noreferrer"&gt;JorgeCañas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced general availability of DNS over HTTPS (DoH) for Windows DNS Server on Windows Server 2025, enabling encrypted and authenticated DNS client-to-server traffic. This feature enhances privacy, reduces spoofing risks, and supports Zero Trust architectures without requiring new resolver infrastructure. Organizations can deploy DoH alongside traditional DNS, preserving compatibility and allowing incremental adoption. Built on IETF standards, DoH helps meet regulatory requirements and strengthens DNS security. Future updates will support encrypted server-to-resolver traffic, advancing fully secure DNS resolution. The release is production-ready, reflecting feedback from real-world enterprise deployments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/networkingblog/announcing-windows-clat-public-preview/4506046" target="_blank" rel="noopener noreferrer"&gt;Announcing Windows CLAT Public Preview&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/networkingblog" target="_blank" rel="noopener noreferrer"&gt;Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jimalumbaugh/3197491" target="_blank" rel="noopener noreferrer"&gt;JimAlumbaugh&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/09/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced the public preview of Windows CLAT, a feature designed to aid IPv6 adoption by enabling IPv4/IPv6 translation. Available in Windows Insider Canary build #29599-1000 and rolling out to other channels, it now supports Group Policy Object (GPO) configuration. The preview is for evaluation only, not production use, and feedback is encouraged. Notable limitations include lack of support for DHCPv6 Prefix Delegation and Windows Subsystem for Linux, with known issues in Wi-Fi roaming and diagnostics. Participant feedback from the private preview has shaped this release.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/arm-mcp-server-a-catalog-of-24-pocs/4519069" target="_blank" rel="noopener noreferrer"&gt;ARM MCP Server: A Catalog of 24 PoCs&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/varghesejoji/1393158" target="_blank" rel="noopener noreferrer"&gt;varghesejoji&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 06/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces the Azure Resource Manager MCP Server, a remote Model Context Protocol server enabling AI agents to perform Azure infrastructure operations using six core tools. It details the arm-mcp-poc-catalog, a public repository of 24 proof-of-concept agents covering governance, FinOps, platform engineering, and SRE scenarios. The catalog emphasizes deterministic, safe agent operations, with most PoCs focused on read-only tasks. Write-capable agents are carefully gated. The Reliability Posture Scorecard is highlighted as a reference implementation. The article encourages teams to explore and adapt these PoCs for practical cloud management needs.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;</description>
      <pubDate>Mon, 13 Jul 2026 20:50:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-july-2026/ba-p/4536608</guid>
      <dc:creator>TysonPaul</dc:creator>
      <dc:date>2026-07-13T20:50:04Z</dc:date>
    </item>
    <item>
      <title>When Arc Goes Silent: Turning Visibility Gaps into SOC Action</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/when-arc-goes-silent-turning-visibility-gaps-into-soc-action/ba-p/4535711</link>
      <description>&lt;P&gt;Hybrid blind spots rarely announce themselves. They appear when an&amp;nbsp;&lt;STRONG&gt;Azure Arc-enabled server&lt;/STRONG&gt;&amp;nbsp;drops out, health signals go stale, and the SOC loses confidence in monitoring coverage. This playbook uses&amp;nbsp;&lt;STRONG&gt;Microsoft Sentinel&lt;/STRONG&gt;&amp;nbsp;and&amp;nbsp;&lt;STRONG&gt;Logic Apps&lt;/STRONG&gt; to turn that noise into one clear daily signal the team can act on.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The problem: too much noise, not enough assurance&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;One unhealthy server, one alert, one more email—at scale, that does not help the SOC. What leaders need is assurance: where visibility is weakening, which systems matter, and when action is needed.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The use case: daily assurance for hybrid monitoring coverage&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The use case is simple: identify Arc-enabled servers that stay unhealthy beyond a set threshold, such as&amp;nbsp;&lt;STRONG&gt;30 minutes&lt;/STRONG&gt;, and send one consolidated summary each day. For a&amp;nbsp;&lt;STRONG&gt;CISO&lt;/STRONG&gt;, this improves assurance. For a&amp;nbsp;&lt;STRONG&gt;SOC Manager&lt;/STRONG&gt;, it cuts noise and helps teams prioritize faster.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Solution overview: simple automation, stronger operational signal&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The workflow runs on a schedule, queries&amp;nbsp;&lt;STRONG&gt;Log Analytics&lt;/STRONG&gt;, filters Arc health issues, formats the results into a clean HTML report, and sends a single email through&amp;nbsp;&lt;STRONG&gt;Office 365 Outlook&lt;/STRONG&gt;. The outcome is not more telemetry—it is a better operational signal.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;One or more Azure Arc-enabled servers connected to Azure.&lt;/LI&gt;
&lt;LI&gt;Azure Monitor Agent installed and sending heartbeat data to a Log Analytics workspace.&lt;/LI&gt;
&lt;LI&gt;Microsoft Sentinel enabled on the target workspace if the playbook is being used as part of SOC operations.&lt;/LI&gt;
&lt;LI&gt;A Logic App with permissions to run the query and send email through Office 365 Outlook.&lt;/LI&gt;
&lt;LI&gt;A reviewed threshold, recipient list, and notification cadence aligned to your operating model.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;How the workflow creates decision-ready visibility&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;In practice, this becomes a daily control: check Arc health, isolate persistent issues, and route one concise summary to the right teams. That gives the SOC a cleaner way to review monitoring gaps before they become bigger operational problems.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why this matters to a CISO and SOC Manager&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For security leadership, this is about confidence. If Arc health degrades on systems tied to monitoring, policy, or data collection, the risk is not just technical—it is a visibility gap. This playbook helps surface that gap early and in a form teams can act on quickly.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Three practical scenarios where this playbook delivers value &lt;/STRONG&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt; Reduce SOC noise.&lt;/STRONG&gt;Replace scattered alerts with one daily summary.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Strengthen executive assurance.&lt;/STRONG&gt;Highlight persistent blind spots before they turn into escalations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; Improve team coordination.&lt;/STRONG&gt;Give security and infrastructure teams one shared view of the issue.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sample KQL to identify persistent Arc monitoring gaps&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This sample query uses the Heartbeat table to identify Azure Arc-connected machines whose latest heartbeat is older than the defined threshold. It is a practical starting point and can be tuned further based on the environment and data collection design.&lt;/P&gt;
&lt;LI-CODE lang="sql"&gt;let ThresholdTime = 30;
AzureActivity
| where TimeGenerated &amp;gt; ago(1d)
| where CategoryValue == "ResourceHealth"
| where parse_json(Properties).currentHealthStatus == "Unavailable"
| where ActivityStatusValue == "Active"
| extend ResourceType = Properties_d.resourceProviderValue
| where ResourceType == "MICROSOFT.HYBRIDCOMPUTE"
| extend StartTime = TimeGenerated
| extend ServerName = Properties_d.resource
| join kind=leftouter (
AzureActivity
| where ActivityStatusValue == "Resolved"
| extend ResourceType = Properties_d.resourceProviderValue
| where ResourceType == "MICROSOFT.HYBRIDCOMPUTE"
| extend EndTime = TimeGenerated
) on CorrelationId
| extend Minutes_OfflineTillResolve = datetime_diff('minute', EndTime, StartTime)
| project ServerName, StartTime, EndTime, CorrelationId, Minutes_OfflineTillResolve, Level, ActivityStatusValue1, ResourceGroup, OperationNameValue, SubscriptionId, ResourceProvider, Type, CategoryValue, ActivityStatusValue
| extend TotalMinutes_Offline = datetime_diff('minute', now(), StartTime)
| where TotalMinutes_Offline &amp;gt;= ThresholdTime and ActivityStatusValue1 !has "Resolved"
| order by TotalMinutes_Offline desc
&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Operational flow &lt;/STRONG&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;ARM Template:&lt;/STRONG&gt; &lt;A href="https://github.com/Abhishek-Sharan/microsoft-security-operations-toolkit/blob/1e3aeff329e0d9b1d7caf2e4bfbc8476dfdb2ff2/Microsoft%20Sentinel/Automation/Playbooks/AzureArcServerMonitoring.playbook.json" target="_blank"&gt;microsoft-security-operations-toolkit/Microsoft Sentinel/Automation/Playbooks/AzureArcServerMonitoring.playbook.json at 1e3aeff329e0d9b1d7caf2e4bfbc8476dfdb2ff2 · Abhishek-Sharan/microsoft-security-operations-toolkit&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Customization Ideas:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Adjust the heartbeat threshold based on server criticality or business hours.&lt;/LI&gt;
&lt;LI&gt;Route summaries to different teams based on subscription, resource group, or server tags.&lt;/LI&gt;
&lt;LI&gt;Send notifications to Microsoft Teams in addition to, or instead of, email.&lt;/LI&gt;
&lt;LI&gt;Enrich the output with owner, business service, or environment metadata.&lt;/LI&gt;
&lt;LI&gt;Trigger incident creation only for high-priority or repeated visibility gaps.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Closing perspective&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The best SOC automations do not just collect signals—they create clarity. This playbook helps security teams spot Arc-related monitoring gaps early, reduce noise, and act with more confidence.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jul 2026 12:07:15 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/when-arc-goes-silent-turning-visibility-gaps-into-soc-action/ba-p/4535711</guid>
      <dc:creator>absharan</dc:creator>
      <dc:date>2026-07-10T12:07:15Z</dc:date>
    </item>
    <item>
      <title>Azure Database Security Newsletter - July 2026</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-database-security-newsletter-july-2026/ba-p/4534477</link>
      <description>&lt;P&gt;AI agents are changing how applications interact with data, and database security needs to evolve with them. In this July 2026 edition of the Azure Database Platform Security Newsletter, we focus on what this shift means for identity, access, monitoring, and data protection, along with the latest security feature updates and practical resources to help teams strengthen their database security posture.&lt;/P&gt;
&lt;P&gt;AI agents are quickly becoming a new layer in how applications interact with data. Unlike traditional applications that follow predictable workflows, agents operate with more autonomy. They can generate queries dynamically, explore data, and act on behalf of users or systems.&lt;/P&gt;
&lt;P&gt;This shift changes the database security model.&lt;/P&gt;
&lt;P&gt;Agents do not just introduce new risks, they amplify existing ones. Over-privileged access can scale quickly, identity boundaries can become harder to trace, and dynamically generated queries can increase the risk of unintended data exposure or manipulation.&lt;/P&gt;
&lt;P&gt;In this new reality, every AI agent effectively becomes a database user with the ability to access, reason over, and act on sensitive data.&lt;/P&gt;
&lt;P&gt;Securing data in an agentic world requires a shift in mindset:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Identity-first security:&lt;/STRONG&gt; every agent should have a unique, traceable identity.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Least privilege by default:&lt;/STRONG&gt; access should be tightly scoped to the task at hand.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Data-aware protection:&lt;/STRONG&gt; only the data that is strictly required should be exposed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Continuous monitoring:&lt;/STRONG&gt; assume issues can occur and detect them early.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Azure SQL provides a broad set of security capabilities, from authentication and fine-grained access control to encryption, masking, auditing, and threat detection. Together, these capabilities enable a defense-in-depth approach for agent-driven scenarios.&lt;/P&gt;
&lt;H1&gt;Feature highlights 💡&lt;/H1&gt;
&lt;H2&gt;Transparent Data Encryption in Azure SQL Database now supports AES keys (Preview)&lt;/H2&gt;
&lt;P&gt;Azure SQL Database now supports symmetric AES keys for Transparent Data Encryption (TDE) with customer-managed keys in public preview. This gives organizations another option for protecting data at rest while keeping control of key management.&lt;/P&gt;
&lt;P&gt;For teams thinking about long-term cryptographic resilience, this preview is especially relevant. TDE with customer-managed keys has traditionally used asymmetric RSA-based key protectors, while broader industry guidance is increasingly focused on preparing for a post-quantum cryptographic future and adopting cryptographic approaches that are better aligned with that transition.&lt;/P&gt;
&lt;P&gt;This update aligns with broader security guidance, including the NSA’s CNSA 2.0 recommendations, which emphasize modern cryptographic planning for a quantum-resistant future. For organizations building crypto agility into their platforms, AES support is a practical step in that direction.&lt;/P&gt;
&lt;P&gt;Learn more:&amp;nbsp;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://techcommunity.microsoft.com/blog/azuresqlblog/transparent-data-encryption-in-azure-sql-database-now-supports-aes-keys-public-p/4523240" data-lia-auto-title-active="0" data-lia-auto-title="Transparent data encryption in Azure SQL Database now supports AES keys (Public Preview)" target="_blank"&gt;Transparent data encryption in Azure SQL Database now supports AES keys (Public Preview)&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;General Availability: Microsoft Entra server principals for Azure SQL Database&lt;/H2&gt;
&lt;P&gt;Azure SQL Database has historically lacked support for server-level Microsoft Entra principals, requiring customers to manage identities separately in each database. This has been a migration blocker for enterprise customers coming from SQL Server, where centralized login and access management is standard.&lt;/P&gt;
&lt;P&gt;With this release, Azure SQL Database now supports server-level Microsoft Entra principals. Customers can create identities once, apply them consistently across databases, and operate with a unified, enterprise-grade identity and access model aligned with SQL Server and Azure SQL Managed Instance.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/azuresqlblog/generally-available-microsoft-entra-server-principals-and-server-roles-for-azure/4529326" target="_blank" rel="noopener" data-lia-auto-title="Generally Available: Microsoft Entra Server Principals and Server Roles for Azure SQL Database" data-lia-auto-title-active="0"&gt;Generally Available: Microsoft Entra Server Principals and Server Roles for Azure SQL Database&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Cross-tenant customer-managed keys for Azure Database for PostgreSQL Flexible Server (Preview)&lt;/H2&gt;
&lt;P&gt;This preview allows customers to encrypt data at rest using an Azure Key Vault key that resides in a different Microsoft Entra tenant than the database service. It is especially relevant for ISVs and customers in regulated industries that need clear separation of duties between key ownership and service operation.&lt;/P&gt;
&lt;P&gt;Customers retain control over key lifecycle management, including rotation and revocation, while authentication to the customer-owned Key Vault is handled through federated identity with Microsoft Entra ID for cross-tenant access.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/postgresql/security/security-data-encryption#cross-tenant-customer-managed-keys-cmk-preview" target="_blank" rel="noopener"&gt;Data Encryption - Azure Database for PostgreSQL | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Defender security posture assessments for Azure Database for PostgreSQL Flexible Server (GA)&lt;/H2&gt;
&lt;P&gt;Microsoft Defender Cloud Security Posture Management (CSPM) assessments for Azure Database for PostgreSQL Flexible Server are now available in general availability. This capability introduces built-in security assessments that continuously evaluate PostgreSQL server configurations against best practices, helping identify vulnerabilities and misconfigurations with actionable remediation guidance. A core set of assessments is available at launch, with additional coverage planned for future releases. Assessments are automatically available for PostgreSQL servers where Microsoft Defender for Cloud is already enabled, requiring no additional setup or costs.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/postgresql/security/security-defender-for-cloud#microsoft-defender-for-cloud-security-posture-management-cspm-assessments---preview" target="_blank" rel="noopener"&gt;Microsoft Defender for Cloud - Azure Database for PostgreSQL | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;Best Practices Corner ⚖️&lt;/H1&gt;
&lt;H2&gt;Move to secure-by-default configurations&lt;/H2&gt;
&lt;P&gt;Modern data platforms should reduce the need for manual hardening by enabling strong defaults out of the box.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Enforce encrypted connections by default.&lt;/LI&gt;
&lt;LI&gt;Disable insecure or legacy options where possible.&lt;/LI&gt;
&lt;LI&gt;Adopt platform defaults that align with compliance standards.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This shifts security from being configuration-driven to posture-driven, reducing the risk of misconfiguration, which remains one of the leading causes of data exposure.&lt;/P&gt;
&lt;H2&gt;Classify data first, protect it second&lt;/H2&gt;
&lt;P&gt;You cannot secure what you do not understand. Start by identifying where sensitive data lives, then use that understanding to apply the right protections.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Use &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql" target="_blank" rel="noopener"&gt;Data Discovery &amp;amp; Classification&lt;/A&gt; to identify sensitive data.&lt;/LI&gt;
&lt;LI&gt;Apply labels and information types consistently.&lt;/LI&gt;
&lt;LI&gt;Use those labels to drive masking, encryption, and governance policies.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Why this matters: Security controls are only effective when they are data-aware. Classification provides the foundation for applying the right protection to the right data, especially for regulated workloads.&lt;/P&gt;
&lt;H2&gt;Continuously assess and remediate vulnerabilities&lt;/H2&gt;
&lt;P&gt;Security posture is not static. It requires continuous validation and timely remediation.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Run &lt;A class="lia-external-url" href="https://docs.azure.cn/en-us/defender-for-cloud/sql-azure-vulnerability-assessment-overview" target="_blank" rel="noopener"&gt;Vulnerability Assessment&lt;/A&gt; scans regularly.&lt;/LI&gt;
&lt;LI&gt;Track deviations from baseline security policies.&lt;/LI&gt;
&lt;LI&gt;Act on remediation guidance proactively.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Why this matters: Even well-configured systems drift over time. Continuous assessment helps detect misconfigurations early and maintain a strong, compliant security posture without relying on manual reviews.&lt;/P&gt;
&lt;H1&gt;Blogs and Video Spotlight 🅱️&lt;/H1&gt;
&lt;P&gt;Over the last three months, we published several posts covering major releases, platform updates, and practical security guidance. These resources provide deeper technical context and implementation guidance for teams working across Azure SQL, Azure Database for PostgreSQL, Azure Database for MySQL, and Azure Cosmos DB.&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/azuresqlblog/azure-sql-is-retiring-the-%E2%80%9Cno-minimum-tls%E2%80%9D-mintls-none-configuration/4508933" target="_blank" rel="noopener" data-lia-auto-title="Azure SQL Retiring The No Minimum TLS Option" data-lia-auto-title-active="0"&gt;Azure SQL Retiring The No Minimum TLS Option&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/azuresqlblog/dynamic-data-masking-%E2%80%93-what-it-is-what-it-isn%E2%80%99t-and-how-to-use-it-effectively/4512877" target="_blank" rel="noopener" data-lia-auto-title="Dynamic Data Masking – What it is, What it isn’t, and How to use it effectively | Microsoft Community Hub" data-lia-auto-title-active="0"&gt;Dynamic Data Masking – What it is, What it isn’t, and How to use it effectively | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/tls-certificate-pinning-and-best-practices-in-azure-open-source-relational-datab/4519531" target="_blank" rel="noopener" data-lia-auto-title="TLS Certificate Pinning in PostgreSQL and MySQL: Risks, Rotations, and Best Practices" data-lia-auto-title-active="0"&gt;TLS Certificate Pinning in PostgreSQL and MySQL: Risks, Rotations, and Best Practices&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://devblogs.microsoft.com/cosmosdb/im-starting-a-new-cosmos-db-app-what-security-do-i-actually-need/" target="_blank" rel="noopener"&gt;I'm Starting a New Cosmos DB App. What Security Do I Actually Need? - Azure Cosmos DB Blog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/azuresqlblog/transparent-data-encryption-in-azure-sql-database-now-supports-aes-keys-public-p/4523240" target="_blank" rel="noopener" data-lia-auto-title="Transparent data encryption in Azure SQL Database now supports AES keys (Public Preview) | Microsoft Community Hub" data-lia-auto-title-active="0"&gt;Transparent data encryption in Azure SQL Database now supports AES keys (Public Preview) | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://devblogs.microsoft.com/cosmosdb/which-azure-cosmos-db-role-does-my-app-need/" target="_blank" rel="noopener"&gt;Which Azure Cosmos DB Role Does My App Need? - Azure Cosmos DB Blog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/azuresqlblog/generally-available-microsoft-entra-server-principals-and-server-roles-for-azure/4529326" target="_blank" rel="noopener" data-lia-auto-title="Generally Available: Microsoft Entra Server Principals and Server Roles for Azure SQL Database | Microsoft Community Hub" data-lia-auto-title-active="0"&gt;Generally Available: Microsoft Entra Server Principals and Server Roles for Azure SQL Database | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;Community &amp;amp; Events 👥&lt;/H1&gt;
&lt;P&gt;The data platform security team will be present at several community and industry events. If you are attending, come and say hello.&lt;/P&gt;
&lt;H2&gt;Where to meet us next&lt;/H2&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://espc.tech/conference/fabcon-europe-2026/" target="_blank" rel="noopener"&gt;Microsoft Fabric and SQL Conference, Barcelona, 28 September to 01 October 2026&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://datamindsconnect.be/" target="_blank" rel="noopener"&gt;dataMinds Connect, Mechelen, 12 to 14 October 2026&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://www.techorama.nl/" target="_blank" rel="noopener"&gt;Techorama, Utrecht, 26 to 28 October 2026&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Recent community highlights&lt;/H2&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://sqlbits.com/" target="_blank" rel="noopener"&gt;SQLBits, Wales, 22 to 25 April 2026&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://www.meetup.com/azure-sql-bangalore-user-group-meetup/events/314905858/" target="_blank" rel="noopener"&gt;Azure SQL Bangalore User Group Meeting, Bangalore, 13 June&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;Call to action 📢&lt;/H1&gt;
&lt;P&gt;As AI agents become a more active layer between applications, users, and data, now is the right time to review how they access your database platform. Treat every agent as a database user: confirm that each one has a unique identity, validate that permissions follow least privilege, and monitor agent-driven activity for unusual access patterns. A focused access review today can help reduce the risk of unintended data exposure as agentic workloads continue to grow.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jul 2026 11:47:08 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-database-security-newsletter-july-2026/ba-p/4534477</guid>
      <dc:creator>PieterVanhove</dc:creator>
      <dc:date>2026-07-07T11:47:08Z</dc:date>
    </item>
    <item>
      <title>Turning Azure Policy Signals into Actionable Governance Insights</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/turning-azure-policy-signals-into-actionable-governance-insights/ba-p/4534126</link>
      <description>&lt;P&gt;&lt;EM&gt;Most Azure Policy reporting stops at compliance status. Useful, yes — but not enough. When a control fails, teams need to know what failed, why it matters, and who should act.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;That gap becomes obvious at enterprise scale. A failed policy evaluation is only a signal. By itself, it does not tell you whether the issue affects recovery, auditability, telemetry, or another control leaders care about.&lt;/P&gt;
&lt;P&gt;That is&lt;STRONG&gt; &lt;/STRONG&gt;why&lt;STRONG&gt; &lt;/STRONG&gt;joining &lt;EM&gt;PolicyStates&lt;/EM&gt; with &lt;EM&gt;PolicyAssignments&lt;/EM&gt; matters. One tells you the outcome. The other tells you which control was applied, where, and in what governance context. Together, they turn Azure Policy from a compliance feed into a control intelligence layer.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The problem:&amp;nbsp;&lt;EM&gt;PolicyStates&lt;/EM&gt;&amp;nbsp;alone tells you&amp;nbsp;&lt;EM&gt;what&lt;/EM&gt;&amp;nbsp;is non-compliant, but not always&amp;nbsp;&lt;EM&gt;why it matters&lt;/EM&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Microsoft’s sample ARG queries quickly show which resources are non-compliant. Helpful, but still incomplete. They show the result, not the business meaning.&lt;/P&gt;
&lt;P&gt;At enterprise scale, that distinction matters. A storage account without blob soft delete is a &lt;STRONG&gt;recovery risk&lt;/STRONG&gt;. Missing Azure Activity logs creates an&lt;STRONG&gt; audit gap&lt;/STRONG&gt;. A virtual machine without Azure Monitor Agent creates a &lt;STRONG&gt;telemetry blind spot&lt;/STRONG&gt;. Azure Policy shows the state. The join to &lt;EM&gt;PolicyAssignments&lt;/EM&gt; explains why it matters.&lt;/P&gt;
&lt;P&gt;There is also a technical reason to care about assignments. The same &lt;EM&gt;PolicyDefinitionId&lt;/EM&gt; can appear in &lt;STRONG&gt;multiple assignments &lt;/STRONG&gt;across&lt;STRONG&gt; different scopes&lt;/STRONG&gt;. That makes &lt;EM&gt;PolicyAssignmentId&lt;/EM&gt; the operational key.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;How&amp;nbsp;Azure Policy compliance data flows&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Azure Policy evaluates resources against JSON-based rules. Those rules are packaged as policy definitions and can be grouped into initiatives. Once assigned to a scope, the policy engine evaluates matching resources during creation, updates, assignment changes, and regular compliance cycles. The results are exposed through &lt;EM&gt;PolicyStates&lt;/EM&gt; and &lt;EM&gt;PolicyEvents&lt;/EM&gt;, and can also be queried through Azure Resource Graph.&lt;/P&gt;
&lt;P&gt;This is the architecture flow for turning the ARG query into a scheduled governance report through Logic App:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The key shift is operational. A Logic App can run the ARG query on a schedule, format the results, and email them to stakeholders. That turns a manual check into a repeatable governance report.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The analytical pattern: enrich compliance with assignment context&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The analytical flow is straightforward:&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Configure a &lt;EM&gt;Recurrence&lt;/EM&gt; trigger in Logic App so the report runs on the schedule you need.&lt;/LI&gt;
&lt;LI&gt;Use an HTTP action with managed identity to run the ARG query against &lt;EM&gt;PolicyStates&lt;/EM&gt; and join it to &lt;EM&gt;PolicyAssignments&lt;/EM&gt;.&lt;/LI&gt;
&lt;LI&gt;Filter on the control assignments that matter to your organisation and shape the response into a compact HTML table or CSV.&lt;/LI&gt;
&lt;LI&gt;Send the output by email to governance, engineering, or audit stakeholders so the insight reaches people without requiring them to open the portal.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;In practice, the query starts with non-compliant resources and enriches them with assignment details such as the &lt;STRONG&gt;assignment name&lt;/STRONG&gt; and optional&lt;STRONG&gt; metadata&lt;/STRONG&gt; like owner. That is the shift from raw signal to governance insight.&lt;/P&gt;
&lt;P&gt;A simple implementation pattern is: schedule the Logic App, run the ARG query with managed identity, format the output, and send the report. HTML works well for leadership emails; CSV is better for downstream analysis.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;ARM template for the Logic App&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If you want to deploy this pattern instead of building it step by step, I have also published an&amp;nbsp;&lt;A href="https://github.com/Abhishek-Sharan/Microsoft-Unified-Security-Operations-Platform/blob/main/Microsoft%20Sentinel/LogicApp%20to%20track%20policy%20compliance.json" target="_blank"&gt;ARM template for the Logic App&lt;/A&gt; in my GitHub repository. The template is intended to help you stand up the scheduled policy compliance workflow faster and then customise the query, email recipients, and formatting for your own environment.&lt;/P&gt;
&lt;P&gt;This makes the architecture in this post directly reusable: schedule the Logic App, run the ARG query, shape the output, and send a control-focused report without having to assemble the workflow from scratch. See the repository for the template and related Microsoft Sentinel automation content.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Reference ARG query&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="sql"&gt;policyResources
| where type =~ 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend ResourceId = tostring(properties.resourceId),
         PolicyAssignmentId = tolower(trim(@" ", tostring(properties.policyAssignmentId))),
         SubscriptionId = tostring(subscriptionId),
         LastEvaluated = todatetime(properties.timestamp)
| extend ResourceName = tostring(extract(@"[^/]+$", 0, ResourceId))
| extend ResourceProvider = tostring(extract(@"providers/([^/]+)/", 1, ResourceId))
| extend ResourceCategory = case(
    ResourceId has "Microsoft.Compute/virtualMachines", "VM",
    ResourceId has "Microsoft.Storage/storageAccounts", "Storage",
    ResourceId has "Microsoft.Network/virtualNetworks", "Network",
    ResourceId has "Microsoft.Sql/servers", "SQL",
    ResourceId has "Microsoft.KeyVault/vaults", "Key Vault",
    ResourceProvider =~ "Microsoft.Compute", "Compute",
    ResourceProvider =~ "Microsoft.Storage", "Storage",
    ResourceProvider =~ "Microsoft.Network", "Network",
    ResourceProvider =~ "Microsoft.KeyVault", "Key Vault",
    "Other"
)
| project ResourceId, ResourceName, ResourceCategory, SubscriptionId, PolicyAssignmentId, LastEvaluated
| join kind=inner (
    policyResources
    | where type =~ 'microsoft.authorization/policyassignments'
    | extend AssignmentName = tostring(properties.displayName),
             AssignmentId = tolower(trim(@" ", tostring(id))),
             Scope = tostring(properties.scope),
             PolicyOwner = tostring(properties.metadata.owner)
    | where AssignmentName has "CSTM--Configure blob soft delete on a storage account"
        or AssignmentName has "Configure Azure Activity logs to stream to specified Log Analytics workspace"
        or AssignmentName has "Audit diagnostic setting for selected resource types"
    | project AssignmentId, AssignmentName, Scope, PolicyOwner
) on $left.PolicyAssignmentId == $right.AssignmentId
| project SubscriptionId,
          ResourceId,
          ResourceName,
          ResourceCategory,
          AssignmentName,
          AssignmentId,
          Scope,
          ['LastEvaluated[UTC]'] = LastEvaluated
&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What this query is doing — in plain English&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;This query finds &lt;STRONG&gt;Azure resources that are currently NonCompliant with Azure Policies&lt;/STRONG&gt; by reading data from the PolicyStates table in Azure Resource Graph.&lt;/LI&gt;
&lt;LI&gt;It extracts useful details such as &lt;STRONG&gt;Resource ID, Resource Name, Resource Type/Category, Subscription ID, Policy Assignment ID, and the last evaluation timestamp&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;Resources are categorized into groups like &lt;STRONG&gt;VM, Storage, Network, SQL, and Key Vault&lt;/STRONG&gt; based on their resource type/provider.&lt;/LI&gt;
&lt;LI&gt;It then &lt;STRONG&gt;joins the non-compliant resources with specific policy assignments&lt;/STRONG&gt; (three named policies) to show which policy caused the non-compliance, along with the policy scope, and evaluation time.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why CISOs and governance leaders should care&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For a CISO, this is not about counting failed evaluations. It is about knowing whether critical controls are drifting, where the risk sits, and who owns the response.&lt;/P&gt;
&lt;P&gt;Three use cases stand out:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Audit readiness:&lt;/STRONG&gt; show control-focused evidence instead of a flat list of resource IDs.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ownership:&lt;/STRONG&gt; enrich assignments with metadata so findings can be routed to the right team faster.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Prioritization:&lt;/STRONG&gt; focus on the controls &lt;STRONG&gt;that matter now&lt;/STRONG&gt;, not every non-compliant resource in the estate.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Operational benefits: scalable, repeatable, and security-friendly&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;From an engineering perspective, this pattern is attractive because it is &lt;STRONG&gt;repeatable&lt;/STRONG&gt;, &lt;STRONG&gt;scalable&lt;/STRONG&gt;, and aligned to the native Azure Policy data model.&lt;/P&gt;
&lt;P&gt;It also fits naturally into operational tooling. The enriched output can feed workbooks, dashboards, Sentinel content, and alerting workflows.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Closing thought&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;At small scale, Azure Policy can be reviewed in the portal. At enterprise scale, that quickly becomes noise. The better question is not &lt;EM&gt;Which resources are non-compliant?&lt;/EM&gt; It is &lt;EM&gt;Which important&lt;/EM&gt;&lt;EM&gt; controls are failing, where, and who should act?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;That is what makes this pattern powerful: it turns Azure Policy from a compliance dashboard into a &lt;STRONG&gt;control intelligence layer&lt;/STRONG&gt; that works for both engineers and executives.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jul 2026 12:40:50 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/turning-azure-policy-signals-into-actionable-governance-insights/ba-p/4534126</guid>
      <dc:creator>absharan</dc:creator>
      <dc:date>2026-07-06T12:40:50Z</dc:date>
    </item>
    <item>
      <title>Windows 365 Boot</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-365-boot/ba-p/4533696</link>
      <description>&lt;P&gt;Hi folks – Mike Hildebrand here!&amp;nbsp; It’s the July 4&lt;SUP&gt;th&lt;/SUP&gt; holiday here in the good 'ol USA and happens to also be our country’s 250&lt;SUP&gt;th&lt;/SUP&gt; birthday … and where I live, that means it’s probably hot.&amp;nbsp; VERY hot.&amp;nbsp; So, I’m taking some time to enjoy the A/C and type up a ‘cool’ post about a ‘cool’ solution.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In the land of Windows 365, there are a couple of physical endpoint connectivity options – the Windows App or browser from any device and thin-client or other purpose-built devices, like our own Link (and&amp;nbsp;&lt;A href="https://www.asus.com/displays-desktops/nucs/nuc-mini-pcs/asus-nuc-16-for-windows-365/" target="_blank" rel="noopener"&gt;one soon coming from Asus&lt;/A&gt;).&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We also have another option called &lt;A href="https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-overview" target="_blank" rel="noopener"&gt;Windows 365 Boot&lt;/A&gt;.&amp;nbsp; In this nifty little situation, we take a full-throated Windows 11 device and apply policy from Intune to transform the shell and other settings into a Link-like experience.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NOTE: For a long time, the Boot configuration process was only configurable via a ‘black-box’ guided flow in the Intune portal – and that works just fine.&amp;nbsp; However, after an update of &lt;A href="https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-guide#manually-set-up-windows-365-boot-without-the-intune-guided-scenario" target="_blank" rel="noopener"&gt;docs&lt;/A&gt; and the Intune Settings Catalog, the W365 Boot configurations can now be hand-carved like all of your other Intune configuration policies.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Recently, I was part of a customer conversation where they had a substantial quantity of Flex Dedicated CPCs used by rotating call center staff and accessed from a fleet of Windows 11 PCs deployed at hot-desk stations.&amp;nbsp; They wondered about a model to simplify and streamline access directly to the CPCs, bypassing the local Windows OS, which wasn’t used/needed and sometimes caused confusion.&lt;/P&gt;
&lt;P&gt;The physical devices were still ‘current’ and had a lot of life left (i.e. warranty coverage, driver and firmware support, parts availability, etc.) - and due to the price-jumps of new devices, it made ‘dollars and sense’ ( 🙂 ) to leverage that investment and re-purpose them.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;They also wondered if they could use Autopilot in ‘Self-deploy’ mode to further automate the deployment process for these endpoints.&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;“Let’s try it out”&lt;/H1&gt;
&lt;P&gt;I proposed a rapid, off-the-cuff ‘right now’ PoC to try out the W365 Boot scenario in their environment and they were up for it.&amp;nbsp; These days, it’s common and easy to perform carefully controlled ‘production pilots’ to more accurately validate the proposed experience.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NOTE: Since the customer already had Entra, Intune, and modern management in steady-state operations for quite some time, we were able to make this idea very real, very fast.&lt;/P&gt;
&lt;P&gt;We reset a few of the test PCs they use for their hot-desks and &lt;A href="https://learn.microsoft.com/en-us/autopilot/add-devices#directly-upload-the-hardware-hash-to-an-mdm-service" target="_blank" rel="noopener"&gt;uploaded them&lt;/A&gt; into Autopilot via the Get-WindowsAutopilotInfo PowerShell script and the -online switch.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Entra – Create a Device Group&lt;/H1&gt;
&lt;P&gt;We created a device group in Entra for the PoC Boot devices and added the Autopilot-uploaded test devices into it as members&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;This group was used by Intune to target several different elements of the PoC:&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; An Autopilot Self-deployment Profile - for an almost zero-touch rollout&lt;/P&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; An Enrollment Status Page (ESP) profile - to prevent access to the Boot device until the Windows App is installed&lt;/P&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; The Windows App – used by the Boot device to connect to Cloud PCs&lt;/P&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; A W365 Boot Configuration Profile to transform the Windows 11 OS into a W365 Boot device&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Intune - Autopilot Self-deploy Profile&lt;/H1&gt;
&lt;P&gt;We created an Autopilot ‘self-deployment’ profile via Intune, to automatically enroll the physical endpoints at the call center desks.&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Autopilot self-deploy requires very little interaction at the endpoint - plug in power, connect to network and turn it on.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; There are some specific URLs and other requirements for Autopilot Self-deploy devices so be sure to check this (i.e. you can’t use Hyper-V VMs)&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/autopilot/self-deploying" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/autopilot/self-deploying&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Intune – Enrollment Status Page&lt;/H1&gt;
&lt;P class="lia-clear-both"&gt;We created an ESP targeted at the device group to block access to the Boot devices until the Windows App is installed.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Intune – Windows App&lt;/H1&gt;
&lt;P&gt;They already deploy the Windows App to ‘All Devices,’ so this step was easy 😊&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;The key thing here is make sure it installs in the ‘System’ context:&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Intune - Boot Device Configuration Policy&lt;/H1&gt;
&lt;P&gt;We created a very simple Configuration Policy (two settings from the Settings Catalog – that’s it) in Intune to transform these self-deployed endpoints into “Shared PC Mode” Windows 365 Boot devices.&amp;nbsp; These have minimal ‘end user’ configurations/apps because they boot to the W365 purpose-specific ‘cloud shell’ – which allows the user to sign in to the Boot device and be directly SSO’d into their CPC.&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;NOTE: The ‘Boot to Cloud PC Enhanced’ &lt;A href="https://learn.microsoft.com/en-us/windows/client-management/mdm/clouddesktop-csp#boottocloudpcenhanced-technical-reference" target="_blank" rel="noopener"&gt;setting includes many other settings/behaviors&lt;/A&gt; but they’re all bundled up which makes it super easy to deploy this&lt;/LI&gt;
&lt;LI&gt;NOTE: If the ‘Personalization &amp;gt; Company Name’ setting isn’t used, you’ll see ‘Cloud PC’ at the sign in screen&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Self-deploy…oh the joy!&lt;/H1&gt;
&lt;P&gt;Plug it in; turn it on … Autopilot Self-deploy OOBE screen, followed by a brief ESP&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;NOTE: As part of the Autopilot deployment profile, a device naming template was applied and the devices were renamed; this was reflected in various portals/UIs&lt;/P&gt;
&lt;P&gt;Before:&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-clear-both"&gt;After:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;&lt;EM&gt;“So, what does it look like for the users?”&lt;/EM&gt;&lt;/H1&gt;
&lt;P&gt;I thought you’d never ask!&amp;nbsp; A PIN, a touch and TA DA!&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;NOTE: The org already was using FIDO2 for these users, so they insert their FIDO2 key to the Boot device, enter the PIN for it, touch it for ‘proof of presence’ - and that’s it.&amp;nbsp; No long username to type in; no long password to remember/type; no additional prompts.&amp;nbsp; The users glide right through to their CPC desktop.&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;NOTE: Hello for Business (H4B) is supported for the “Dedicated Mode” Boot deployment option but since we used the “Shared PC Mode” setting, where H4B is not supported, we didn’t test.&amp;nbsp; Maybe official H4B support will come later to Shared PC Mode, but given how easy FIDO2 is, and the fact that the target users already use FIDO keys, we didn’t spend any more time on H4B.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;At the end of the shift, disconnect the session from the CPC desktop to get back to the Boot sign in screen:&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;&amp;nbsp;&lt;/H1&gt;
&lt;H1&gt;&amp;nbsp;&lt;/H1&gt;
&lt;H1&gt;A few FAQs&lt;/H1&gt;
&lt;P&gt;&lt;EM&gt;“What if a user has more than one CPC?”&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Connection Center is supported via Boot – here’s one of my demo users, using Boot w/ more than one CPC:&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Further, you can select ‘Connect automatically’ from the three dots of a specific CPC’s card; then you’ll always bypass the Connection Center and get SSO’d right into that one.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;o&amp;nbsp;&amp;nbsp; To get back to the Connection Center from the Cloud PC, you can use the hotkey combo of &amp;lt;Ctrl&amp;gt; + &amp;lt;Windows key&amp;gt; + &amp;lt;Up Arrow&amp;gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; BONUS SECRET HOTKEY COMBO (just between us) – For detailed connection info, from the Cloud PC: &amp;lt;Ctrl&amp;gt; + &amp;lt;Windows key&amp;gt; + &amp;lt;Down Arrow&amp;gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;“Can I customize the look and feel of the Boot sign in experience?”&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Yes – There are policy settings for a custom icon, company name and wallpapers to help differentiate Boot devices from other PCs/devices.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;o&amp;nbsp;&amp;nbsp; &lt;A href="https://learn.microsoft.com/en-us/windows/client-management/mdm/personalization-csp" target="_blank" rel="noopener"&gt;Personalization CSP | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI&gt;TIP: those docs indicate needing to use a URL for files – you can use this syntax for local content already on the device: &lt;A class="lia-external-url" target="_blank" rel="noopener"&gt;file:///C:/Folder/File.jpg&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There you have it, folks … Windows 365 Boot (or, &lt;A href="https://en.wikipedia.org/wiki/Das_Boot" target="_blank" rel="noopener"&gt;DAS BOOT!!&lt;/A&gt; as I like to sometimes yell) … in the form of a quick PoC.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;P.S. A special shout-out is in order for Mr. Liu for his assistance and appreciation of the Boot scenarios.&lt;/P&gt;
&lt;P&gt;Stay cool out there…&lt;/P&gt;
&lt;P&gt;Hilde&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 04 Jul 2026 17:01:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-365-boot/ba-p/4533696</guid>
      <dc:creator>MichaelHildebrand</dc:creator>
      <dc:date>2026-07-04T17:01:23Z</dc:date>
    </item>
    <item>
      <title>Building C# and C++ Apps with GitHub Copilot CLI and Visual Studio 2026</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/building-c-and-c-apps-with-github-copilot-cli-and-visual-studio/ba-p/4531648</link>
      <description>&lt;P&gt;Most engineers learned Visual Studio through a mouse-driven workflow — &lt;EM&gt;New Project&lt;/EM&gt; — open a project, click through a few dialogs, press F5. The GitHub Copilot &lt;STRONG&gt;CLI&lt;/STRONG&gt; inverts that workflow: you describe the desired outcome in plain English (or any other language Copilot supports), and the agent scaffolds the project, drives MSBuild, resolves its own compiler errors, and explains the result. By the way: this style of working — you describe what you want and the AI does the actual programming and takes care of the rest — is also known as &lt;EM&gt;Vibe Coding&lt;/EM&gt;. For Microsoft FTEs, this translates into measurably faster proofs of concept for customer escalations, reproduction builds, and internal tooling. Engineers outside Microsoft benefit in exactly the same way, as long as their organization — or their personal subscription — provides the corresponding Copilot entitlement.&lt;/P&gt;
&lt;P&gt;This article documents the setup and workflow recommended for engineers onboarding to the CLI. The guidance is deliberately opinionated, assumes a clean Windows 11 installation, and has been verified end-to-end against the current &lt;STRONG&gt;Visual Studio 2026 Community (18.6.2)&lt;/STRONG&gt; and &lt;STRONG&gt;Copilot CLI 1.0.56&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H2&gt;Why use the CLI at all?&lt;/H2&gt;
&lt;P&gt;Copilot is available inside Visual Studio, inside VS Code, in the browser, and on the command line. These front-ends share the same underlying model, but the user experiences differ significantly.&lt;/P&gt;
&lt;P&gt;The CLI is the preferred choice in the following scenarios:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You want a single tool that &lt;STRONG&gt;drives the whole machine&lt;/STRONG&gt; — installer flags, MSBuild, winget, certificates, registry, even vswhere — rather than only the files open in an editor.&lt;/LI&gt;
&lt;LI&gt;You are working on a &lt;STRONG&gt;throwaway repro&lt;/STRONG&gt; for a customer issue, where opening the full IDE is disproportionate.&lt;/LI&gt;
&lt;LI&gt;You want repeatable, scriptable workflows. The CLI accepts instructions, plans and prompts that can be checked in, reviewed, and shared with the rest of your team.&lt;/LI&gt;
&lt;LI&gt;You need to build small tools or short projects without deep programming expertise.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Prerequisites&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;Windows 11 (or Windows 10 22H2) with administrator rights for the install step.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft FTE GitHub account&lt;/STRONG&gt; linked through the Open Source @ Microsoft portal and a Copilot Business or Enterprise seat assigned by your org. Engineers at other organizations use whichever GitHub identity their employer has assigned a Copilot seat to; individuals can substitute a personal GitHub account that holds a Copilot Pro or Pro+ subscription.&lt;/LI&gt;
&lt;LI&gt;A modern terminal — &lt;STRONG&gt;Windows Terminal&lt;/STRONG&gt; with PowerShell 7 is the supported combination.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Note &lt;/STRONG&gt;Everything in this guide is built on supported, GA components. Nothing here requires private previews, MSIT exceptions, or non-public flags. If your tenant has additional Conditional Access policies, you may be prompted for MFA the first time you sign in.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Recommended: Run it all in a virtual machine&lt;/H2&gt;
&lt;P&gt;Before installing anything, an important recommendation: &lt;STRONG&gt;don't run the agent on your primary, company-managed laptop&lt;/STRONG&gt;. The CLI — especially with --yolo — has full read, write and execute access to any directory you have trusted. A well-intentioned prompt such as &lt;EM&gt;"clean up the temp files in my projects folder"&lt;/EM&gt; may delete production work if it is pointed at the wrong root. Compliance tooling, OneDrive Known Folder Move, and on-access antivirus on the corporate image also routinely conflict with build outputs and cause agent runs to fail in opaque ways.&lt;/P&gt;
&lt;P&gt;The safe, repeatable pattern is to host Visual Studio 2026 and the Copilot CLI inside an isolated environment that can be snapshotted, reset, or discarded. The following options are all suitable:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A &lt;STRONG&gt;Microsoft Dev Box&lt;/STRONG&gt; (preferred — already domain-joined, already monitored, and easily recreated from an image).&lt;/LI&gt;
&lt;LI&gt;An &lt;STRONG&gt;Azure VM&lt;/STRONG&gt; in your sponsored subscription, ideally with the Visual Studio image from the Marketplace.&lt;/LI&gt;
&lt;LI&gt;A local &lt;STRONG&gt;Hyper-V&lt;/STRONG&gt; or &lt;STRONG&gt;WSL2/Windows Sandbox&lt;/STRONG&gt;-based Windows 11 VM for offline experimentation.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important &lt;/STRONG&gt;Treat the VM as ephemeral. Retain customer artifacts, screenshots and reproductions only within the VM (or in a dedicated OneDrive/SharePoint location &lt;EM&gt;outside&lt;/EM&gt; the trusted Copilot directory). If something goes wrong, you reset the VM — not your corporate laptop.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Setting up the workspace&lt;/H2&gt;
&lt;P&gt;Select a workspace folder &lt;EM&gt;before&lt;/EM&gt; performing any other step, and observe two rules:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Use a &lt;STRONG&gt;local&lt;/STRONG&gt; path under your profile.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Do not&lt;/STRONG&gt; place it on OneDrive, Known Folders Move, or any other sync root.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The rationale is mundane but consequential: the Copilot agent writes files, MSBuild writes obj\ and bin\, and OneDrive's file-system filter will conflict with all of them. You will observe ghost lock files, partially rewritten .cs files, and "the process cannot access the file" errors that are extremely difficult to diagnose.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;# Recommended workspace root
mkdir "$env:USERPROFILE\AppData\Local\Projects"
cd    "$env:USERPROFILE\AppData\Local\Projects"
&lt;/LI-CODE&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Warning &lt;/STRONG&gt;Also avoid %TEMP% for build output. MSBuild emits warning MSB8029, and cleanup tasks in some scheduled jobs may delete your intermediates mid-build.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Installing the Copilot CLI&lt;/H2&gt;
&lt;P&gt;Open an &lt;STRONG&gt;elevated&lt;/STRONG&gt; PowerShell window — the package needs to register PowerShell 7 as a dependency on first run:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;winget install GitHub.Copilot&lt;/LI-CODE&gt;
&lt;P&gt;Winget downloads the CLI itself (currently 1.0.56) and, on a fresh installation, also installs &lt;STRONG&gt;PowerShell 7&lt;/STRONG&gt; as a dependency. Once the installation completes, the elevated shell can be closed — &lt;EM&gt;do not&lt;/EM&gt; run Copilot as administrator for day-to-day work.&lt;/P&gt;
&lt;P&gt;Confirm the install in a normal (non-elevated) terminal:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;copilot --version&lt;/LI-CODE&gt;
&lt;H2&gt;Installing Visual Studio 2026 Community&lt;/H2&gt;
&lt;P&gt;The CLI does not &lt;EM&gt;require&lt;/EM&gt; Visual Studio — it strictly requires only MSBuild and the appropriate toolchain. However, the Community edition is the most straightforward way to obtain a known-good, fully Microsoft-signed installation of MSBuild 18.6.x, the MSVC v145 toolset, and the Windows 10/11 SDK, all in a single step. Select the variant that matches your target workload:&lt;/P&gt;
&lt;H3&gt;Variant A — C# only (≈ 2.4 GB)&lt;/H3&gt;
&lt;LI-CODE lang=""&gt;winget install --id Microsoft.VisualStudio.Community -e --source winget `
  --override "--add Microsoft.VisualStudio.Workload.ManagedDesktop \
  --add Microsoft.Net.Component.4.8.1.SDK \
  --add Microsoft.Net.Component.4.8.1.TargetingPack \
  --add Microsoft.VisualStudio.Component.CSharp \
  --includeRecommended --passive --norestart"&lt;/LI-CODE&gt;
&lt;H3&gt;Variant B — C# + native C++ + C++/CLI (≈ 4.3 GB)&lt;/H3&gt;
&lt;LI-CODE lang=""&gt;winget install --id Microsoft.VisualStudio.Community -e --source winget `
  --override "--add Microsoft.VisualStudio.Workload.ManagedDesktop \
  --add Microsoft.VisualStudio.Workload.NativeDesktop \
  --add Microsoft.VisualStudio.Component.VC.CLI.Support \
  --add Microsoft.Net.Component.4.8.1.SDK \
  --add Microsoft.Net.Component.4.8.1.TargetingPack \
  --add Microsoft.VisualStudio.Component.CSharp \
  --includeRecommended --passive --norestart"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A brief description of each component:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Component&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Why it's there&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Workload.ManagedDesktop&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Brings WPF, WinForms, the .NET Framework 4.8.1 target packs and Roslyn analyzers.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Workload.NativeDesktop&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Native C++ with the MSVC v145 toolset, Windows 10/11 SDK 10.0.26100, ATL/MFC if you add them.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;VC.CLI.Support&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The "&lt;EM&gt;C++/CLI support&lt;/EM&gt;" component. Without it, anything with &amp;lt;CLRSupport&amp;gt;true&amp;lt;/CLRSupport&amp;gt; fails to compile.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Net.Component.4.8.1.*&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SDK + targeting pack for the .NET Framework 4.8.1 surface that ships with Windows.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As a Microsoft FTE you have access to Visual Studio Proffessional or Visual Studio Enterprise. If you already have installed a different version of Visual Studio, you don't need to install 2026 Community.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important &lt;/STRONG&gt;Visual Studio 2026 ships the new v145 platform toolset, not v143. Old .vcxproj files copied in from VS 2022 must be retargeted, otherwise the build fails with MSB8020 — build tools for v143 cannot be found. Copilot can perform this retargeting on request, but the requirement must be stated explicitly.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;First launch &amp;amp; sign-in&lt;/H2&gt;
&lt;P&gt;Change into your project folder and start Copilot. The default invocation recommended for day-to-day FTE work is:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;cd "$env:USERPROFILE\AppData\Local\Projects\Repro-12345"
copilot --yolo --no-ask-user --model "claude-opus-4.8" --effort "medium"&lt;/LI-CODE&gt;
&lt;P&gt;The flags are defined as follows:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Flag&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;What it does&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;--yolo&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pre-approves tool execution, file writes and shell commands for the session. Equivalent to --allow-all-tools --allow-all-paths --allow-all-urls. Use only within trusted folders.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;--no-ask-user&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Suppresses the interactive confirmation prompts mid-task — the agent continues without interruption.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;--model&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pins a specific model. Useful when determinism across a team is required or when comparing runs. To see, which model best fits your needs, take a look at the model comparison at https://docs.github.com/en/copilot/reference/ai-models/model-comparison&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;--effort&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;low, medium, or high. Higher values allocate more reasoning tokens per turn — slower, but advantageous for complex build errors and architectural work.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Copilot first prompts you to confirm that you &lt;EM&gt;trust&lt;/EM&gt; the current folder. Select &lt;STRONG&gt;"Yes, and remember this folder for future sessions"&lt;/STRONG&gt; only for workspaces you control. Then run /login if you have not yet authenticated — this opens a browser tab in which you sign in with your FTE GitHub identity.&lt;/P&gt;
&lt;H2&gt;Sign in to Copilot on an unmanaged / non-FTE-domain machine&lt;/H2&gt;
&lt;P&gt;The Copilot CLI signs in with a &lt;STRONG&gt;GitHub identity&lt;/STRONG&gt;, not directly with your Microsoft corporate account. On a company-managed device this is transparent — your Enterprise Managed User (EMU) account &lt;EM&gt;&amp;lt;alias&amp;gt;_microsoft&lt;/EM&gt; is accepted without further action.&lt;/P&gt;
&lt;P&gt;On a fresh VM, an Azure VM image, or any other unmanaged device, /login will refuse the EMU account unless you have explicitly linked a &lt;STRONG&gt;personal&lt;/STRONG&gt; GitHub account to your EMU and granted it Copilot entitlement. The same pattern holds for engineers at other enterprises: they sign in with the GitHub identity their organization has provisioned with a Copilot seat. Individuals on a Copilot Pro or Pro+ plan can sign in directly with their personal GitHub handle, without any linking step.&lt;/P&gt;
&lt;P&gt;For Microsoft FTEs, linking is performed once, from any browser, at:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;https://aka.ms/copilot&lt;/LI-CODE&gt;
&lt;P&gt;Sign in with your Microsoft corporate account, link your personal GitHub handle (creating one first if necessary), and accept the prompts. When complete, the page should display every checkbox in green:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;A correctly linked account at&lt;/EM&gt;aka.ms/copilot&lt;EM&gt;. The first green check confirms Copilot on the EMU account; the bottom green check is the one that is relevant for unmanaged VMs — "GitHub Copilot enabled for your personal GitHub account for use everywhere", granted through your MicrosoftCopilot organization membership.&lt;/EM&gt;&lt;/img&gt;
&lt;P&gt;Once that bottom row is green, run copilot inside your VM, use /login, and select your&amp;nbsp;&lt;STRONG&gt;personal&lt;/STRONG&gt; GitHub handle when the browser device-code flow opens. From that point onward, every CLI session in that VM uses your linked personal identity, your Copilot entitlement follows you, and your activity remains attributable through the MicrosoftCopilot organization for audit purposes.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Tip &lt;/STRONG&gt;The link between the EMU and the personal account is per-user, not per-device. Once it is established, every new VM you provision will work after a single /login — there is no need to revisit aka.ms/copilot again unless you change your personal handle.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;The bootstrap prompt&lt;/H2&gt;
&lt;P&gt;This is arguably the most valuable step in the entire setup. Before asking Copilot to build anything, instruct it to&amp;nbsp;&lt;STRONG&gt;profile your machine&lt;/STRONG&gt; and write itself a memory file. Paste the following verbatim:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;I have Visual Studio 2026 Community Edition installed with C#,
.NET Framework 4.8.1 targeting pack, native C++ and C++/CLI.
Locate the installation paths using vswhere, verify that you can
create and compile a C# app, a native C++ app, and a C++/CLI app.
Then create a global copilot-instructions.md under
%USERPROFILE%\.copilot\ that documents the VS environment so
future sessions don't have to rediscover it.&lt;/LI-CODE&gt;
&lt;P&gt;The behavior that follows is informative to observe. Copilot uses vswhere.exe to locate the installation, reads setup.config.json, generates three disposable projects in your temp folder, builds them with MSBuild, parses the output, and on success writes a structured Markdown file to your user profile. That file is then automatically picked up by &lt;STRONG&gt;every future&lt;/STRONG&gt; Copilot CLI session on this machine. The discovery work is performed exactly once.&lt;/P&gt;
&lt;H2&gt;What a good copilot-instructions.md looks like&lt;/H2&gt;
&lt;P&gt;Copilot CLI reads instructions from several well-known locations, in this order of precedence:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;PRE&gt;.github/copilot-instructions.md in the repo&lt;/PRE&gt;
&lt;/LI&gt;
&lt;LI&gt;AGENTS.md (or CLAUDE.md, GEMINI.md) in the repo root&lt;/LI&gt;
&lt;LI&gt;
&lt;PRE&gt;.github/instructions/**/*.instructions.md for path-scoped rules&lt;/PRE&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;PRE&gt;%USERPROFILE%\.copilot\copilot-instructions.md as a global fallback&lt;/PRE&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The machine-level file should be concise, declarative, and contain &lt;STRONG&gt;exact paths&lt;/STRONG&gt;. A verified skeleton is shown below:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;# Build environment on this PC (Visual Studio 2026)

- Visual Studio Community 2026, version **18.6.2**
- MSBuild **18.6.3**
- MSVC toolset **14.51.36231**, platform toolset name **v145**
- Windows 10/11 SDK: **10.0.26100**
- Default .NET Framework target: **net481**

## Key paths
| Purpose            | Path |
|--------------------|------|
| VS install root    | `C:\Program Files\Microsoft Visual Studio\18\Community`            |
| vswhere.exe        | `C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe` |
| MSBuild.exe        | `...\18\Community\MSBuild\Current\Bin\MSBuild.exe`                 |
| MSVC cl.exe (x64)  | `...\VC\Tools\MSVC\14.51.36231\bin\Hostx64\x64\cl.exe`             |
| vcvars64.bat       | `...\VC\Auxiliary\Build\vcvars64.bat`                              |

## Conventions
- For SDK-style csproj, always run `Restore` together with `Build`.
- New `.vcxproj` files must use `&amp;lt;PlatformToolset&amp;gt;v145&amp;lt;/PlatformToolset&amp;gt;`.
- For C++/CLI: `&amp;lt;CLRSupport&amp;gt;true&amp;lt;/CLRSupport&amp;gt;` and `&amp;lt;TargetFrameworkVersion&amp;gt;v4.8.1&amp;lt;/TargetFrameworkVersion&amp;gt;`.
- Never put build output under `%TEMP%`.&lt;/LI-CODE&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Tip &lt;/STRONG&gt;Treat copilot-instructions.md as a configuration file. Commit a repo-local version to your .github/ folder for projects with non-standard build flags (custom response files, signing scripts, and similar). The repo-local version overrides the global one.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Worked example: a C# console app on .NET Framework 4.8.1&lt;/H2&gt;
&lt;P&gt;Consider a task representative of customer-engineering work — a small utility that reads a registry key and emits JSON. Inside Copilot, enter:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Create a new C# console project targeting net481 in
.\RegistryProbe\. The app should accept a registry key path as
its single argument, read all values under it, and print them as
JSON to stdout. Add a few unit tests with MSTest. Build the
project with MSBuild in Release and show me the dotnet run output.&lt;/LI-CODE&gt;
&lt;P&gt;Behind the scenes Copilot will:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Use vswhere to locate MSBuild (already cached via the instructions file).&lt;/LI&gt;
&lt;LI&gt;
&lt;PRE&gt;Generate RegistryProbe.csproj with &amp;lt;TargetFramework&amp;gt;net481&amp;lt;/TargetFramework&amp;gt;.&lt;/PRE&gt;
&lt;/LI&gt;
&lt;LI&gt;Write Program.cs with appropriate argument parsing and a Microsoft.Win32.RegistryKey reader.&lt;/LI&gt;
&lt;LI&gt;Add an MSTest project, wire it up via a .sln file.&lt;/LI&gt;
&lt;LI&gt;
&lt;PRE&gt;Run MSBuild /t:Restore,Build /p:Configuration=Release and read the output.&lt;/PRE&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;PRE&gt;Run the binary against a safe key like HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and present the JSON output.&lt;/PRE&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;For a more deliberate workflow, press &lt;STRONG&gt;Shift+Tab&lt;/STRONG&gt; to toggle &lt;STRONG&gt;Plan mode&lt;/STRONG&gt;. Copilot will produce an implementation plan first and wait for approval before writing to disk — a recommended practice for any work involving a customer reproduction.&lt;/P&gt;
&lt;H2&gt;Worked example: a native C++ command-line tool&lt;/H2&gt;
&lt;P&gt;The same approach applied to native C++. Prompt:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Create a new native C++ console project ".\PortPing\"
targeting x64, Release, using the v145 platform toolset and
Windows SDK 10.0.26100. The tool takes "host:port" on the
command line and prints "open" or "closed" depending on whether
a TCP connect succeeds within 1 second. Build it with MSBuild
and run it against microsoft.com:443.&lt;/LI-CODE&gt;
&lt;P&gt;The agent generates a PortPing.vcxproj that looks roughly like:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;&amp;lt;PropertyGroup Label="Globals"&amp;gt;
  &amp;lt;PlatformToolset&amp;gt;v145&amp;lt;/PlatformToolset&amp;gt;
  &amp;lt;WindowsTargetPlatformVersion&amp;gt;10.0.26100.0&amp;lt;/WindowsTargetPlatformVersion&amp;gt;
  &amp;lt;ConfigurationType&amp;gt;Application&amp;lt;/ConfigurationType&amp;gt;
&amp;lt;/PropertyGroup&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;…and builds it with:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;&amp;amp; $msbuild "PortPing.vcxproj" /p:Configuration=Release /p:Platform=x64&lt;/LI-CODE&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Tip &lt;/STRONG&gt;If you want Copilot to compile a single .cpp with cl.exe instead of going through MSBuild, instruct it to load vcvars64.bat first. This sets INCLUDE, LIB and PATH for the MSVC toolchain so that direct compiler invocations succeed.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Worked example: a C++/CLI interop assembly&lt;/H2&gt;
&lt;P&gt;C++/CLI is the workload that most commonly causes confusion in practice, because it requires the optional VC.CLI.Support component &lt;EM&gt;and&lt;/EM&gt; a few non-obvious project properties. With Copilot, the task reduces to:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Create a C++/CLI class library ".\InteropBridge\" that targets
.NET Framework 4.8.1, uses the v145 toolset, and exposes a
managed wrapper around the native function CreateFileW. Add a
small C# console app in the same solution that consumes the
wrapper. Build everything Release|x64 and run the C# app to
prove the interop works.&lt;/LI-CODE&gt;
&lt;P&gt;The two critical lines that Copilot adds to the .vcxproj are:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;&amp;lt;CLRSupport&amp;gt;true&amp;lt;/CLRSupport&amp;gt;
&amp;lt;TargetFrameworkVersion&amp;gt;v4.8.1&amp;lt;/TargetFrameworkVersion&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;If the C++/CLI support component is not yet installed, Copilot will detect the corresponding "Cannot find &amp;lt;CLRSupport&amp;gt;" error, suggest the correct winget command to add the component, and offer to re-run the build.&lt;/P&gt;
&lt;H2&gt;Models, effort, and custom agents&lt;/H2&gt;
&lt;P&gt;Copilot CLI allows the model to be selected per session, and this selection should be made deliberately. The appropriate choice depends on the task at hand:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Profile&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recommended invocation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;When to use&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Fast iteration&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;copilot --yolo --model "claude-opus-4.8" --effort "medium"&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Day-to-day work: scaffolding, small refactors, and build fixes.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Hard problems&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;copilot --yolo --model "claude-opus-4.7-1m-internal" --effort "high" --context "long_context"&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cross-file analysis, large reproductions, and complex C++ template errors.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Maximum autonomy&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;copilot --allow-all-urls --allow-all-tools --allow-all-paths --no-ask-user&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sandboxed Dev Box or VM only — never on a production laptop.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;To determine which model best suits your purpose, consult the model comparison at &lt;A href="https://docs.github.com/en/copilot/reference/ai-models/model-comparison" target="_blank" rel="noopener"&gt;https://docs.github.com/en/copilot/reference/ai-models/model-comparison&lt;/A&gt;. And if you have ever wondered what skills, tools, plugins and similar concepts actually are — or what an MCP server is for — the answers are available at &lt;A href="https://docs.github.com/en/copilot/concepts/agents/copilot-cli/comparing-cli-features" target="_blank" rel="noopener"&gt;https://docs.github.com/en/copilot/concepts/agents/copilot-cli/comparing-cli-features&lt;/A&gt;.&lt;/P&gt;
&lt;H3&gt;Useful slash commands within Copilot CLI&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;/plan — produce an implementation plan before any code is written.&lt;/LI&gt;
&lt;LI&gt;/review — run the code-review subagent against the local diff.&lt;/LI&gt;
&lt;LI&gt;/diff — display the changes Copilot has made to the working tree.&lt;/LI&gt;
&lt;LI&gt;/agent — select a custom agent (explore, task, general-purpose, rubber-duck, code-review, research).&lt;/LI&gt;
&lt;LI&gt;/mcp — register an MCP server (useful for Azure CLI, Kusto, or internal tooling).&lt;/LI&gt;
&lt;LI&gt;/instructions — show which instruction files are currently loaded — useful when investigating unexpected agent behavior.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Tip &lt;/STRONG&gt;Press &lt;STRONG&gt;Shift+Tab&lt;/STRONG&gt; at any time to toggle &lt;STRONG&gt;Plan mode&lt;/STRONG&gt;. For any action that would be recorded in a change ticket, planning first is inexpensive insurance.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Security &amp;amp; compliance for Microsoft FTEs&lt;/H2&gt;
&lt;P&gt;GitHub Copilot CLI falls within the scope of Microsoft's standard "responsible use of AI" guidance. Engineers at other enterprises should substitute the equivalent policy of their own employer, and individuals using a personal Copilot subscription should still treat these principles as a sensible default. The condensed guidance for engineers is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Do not paste customer data&lt;/STRONG&gt; into prompts unless your engagement explicitly permits it. The agent will faithfully transmit such data to the model.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Do not use &lt;/STRONG&gt;--yolo&lt;STRONG&gt; on shared infrastructure.&lt;/STRONG&gt; The flag pre-approves shell execution and file writes. Reserve it for personal workspaces or sandboxed Dev Boxes.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Review the diff.&lt;/STRONG&gt; Use /diff or git status before committing — Copilot will, on occasion, refactor files you did not anticipate.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Secrets stay out of source.&lt;/STRONG&gt; If you ask Copilot to test something that requires credentials, direct it to use azd, the Az module, or your Key Vault — never inline secrets.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Telemetry and logs&lt;/STRONG&gt; from the CLI reside under %USERPROFILE%\.copilot\logs. If a customer escalation requires evidence of agent actions, those logs serve as your audit trail.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important &lt;/STRONG&gt;Any action Copilot performs on your machine still runs as &lt;EM&gt;you&lt;/EM&gt;. Treat agent sessions with the same care you would extend to a teammate with full access to your development machine.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;Beyond Visual Studio: where else Copilot CLI helps&lt;/H2&gt;
&lt;P&gt;The Visual Studio scenarios in this article are the most obvious use case, but they are by no means the only one. The following list covers additional areas in which Copilot CLI has proven productive on real engagements.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Generating and maintaining tests&lt;/STRONG&gt; — Ask Copilot to write MSTest, NUnit or xUnit tests for an existing class, including mocks and boundary cases, or to fill coverage gaps in methods that were touched in the last commit.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Refactoring across files&lt;/STRONG&gt; — Rename a public API, extract an interface, or restructure a folder hierarchy and have Copilot propagate the change consistently throughout the solution, including project file references and unit tests.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Modernizing legacy code&lt;/STRONG&gt; — Port code from .NET Framework 4.8.1 to .NET 8/9, replace WebClient with HttpClient, or swap manual JSON parsing for System.Text.Json. Copilot handles the boilerplate; you review the deltas.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Building customer reproductions from scratch&lt;/STRONG&gt; — Translate a bug description from a support ticket into a minimal repro project. Copilot scaffolds the solution, simulates the failing call path, and runs it to confirm the symptom matches.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reviewing the local diff&lt;/STRONG&gt; — The /review slash command analyses staged or unstaged changes and surfaces real issues — race conditions, off-by-one errors, missing input validation, dropped exceptions — while suppressing style-only noise.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Writing and optimizing database code&lt;/STRONG&gt; — Generate Entity Framework Core models and migrations from an existing schema, draft complex LINQ or raw SQL queries, and ask Copilot to inspect an execution plan and propose targeted indexes or query rewrites.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Interpreting performance and memory profiles&lt;/STRONG&gt; — Hand Copilot a PerfView trace summary, a dotnet-counters capture, or a BenchmarkDotNet result table. It identifies hot paths, allocation spikes, and contended locks, then suggests concrete code changes to address them.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Generating documentation&lt;/STRONG&gt; — Produce XML doc comments for public APIs, README sections, architecture overviews, or migration guides — written directly from the current code, not from a stale design document.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Investigating unfamiliar codebases&lt;/STRONG&gt; — Drop into a foreign repository and ask &lt;EM&gt;"what does this service do?"&lt;/EM&gt;, &lt;EM&gt;"where is authentication enforced?"&lt;/EM&gt;, or &lt;EM&gt;"which class handles cache invalidation?"&lt;/EM&gt;. The explore subagent answers with file and line references rather than vague summaries.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Analyzing logs and traces&lt;/STRONG&gt; — Point Copilot at an ETW trace, an Event Viewer export, a Fiddler capture, or a multi-megabyte server log. It groups errors, identifies the dominant failure pattern, and suggests next steps for the investigation.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;PowerShell, Bicep and other operational scripting&lt;/STRONG&gt; — Beyond compiled applications, Copilot writes and debugs PowerShell modules, Bicep/ARM templates, Terraform configurations, and shell scripts — useful, among other things, for provisioning the very Dev Box or Azure VM described earlier in this article.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drafting technical communication&lt;/STRONG&gt; — Generate the first draft of a customer-facing root-cause analysis, a pull request description, a release-note entry, or an internal incident retrospective directly from a diff or a chat transcript. The final wording remains yours; the boilerplate does not.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;On a slightly meta note: GitHub Copilot CLI can also take a surprising amount of work off your hands when, for instance, you set out to write a blog post like this one. :-)&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;A note on customer data.&lt;/STRONG&gt; Several of the scenarios above — building customer reproductions and analyzing customer-supplied logs in particular, but also any review, database or profiling task that involves production samples — may rely on material provided by a customer. Such data must always be handled with care: depending on the engagement, the customer's data-classification level, or the applicable regulatory regime, sharing it with a Copilot model may be restricted or outright prohibited. Public Sector engagements warrant particular caution. When in doubt, redact, reproduce against synthetic data, or confirm with your account team or compliance contact before pasting anything into a prompt.&lt;/P&gt;
&lt;H2&gt;Wrapping up&lt;/H2&gt;
&lt;P&gt;A clean Windows installation, two winget commands, one bootstrap prompt, and a global copilot-instructions.md are all that separate you from a fully working, AI-driven C# / C++ / C++/CLI workflow on Visual Studio 2026. From that point, the agent does what agents do best — it handles the routine work while you remain focused on the customer problem. The list of additional scenarios in the previous section is intentionally non-exhaustive — most engineering tasks that can be described in plain English are candidates, provided the agent has the relevant context and the required permissions.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Productive prompting — and may your builds remain evergreen.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2026 08:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/building-c-and-c-apps-with-github-copilot-cli-and-visual-studio/ba-p/4531648</guid>
      <dc:creator>hewagen</dc:creator>
      <dc:date>2026-07-02T08:00:00Z</dc:date>
    </item>
    <item>
      <title>Authenticating AWS Workloads to Azure Functions using Workload Identity Federation</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/authenticating-aws-workloads-to-azure-functions-using-workload/ba-p/4531603</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="none"&gt;What you will learn:&lt;/SPAN&gt;&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;What Workload Identity Federation is and how it works&lt;/LI&gt;
&lt;LI&gt;How to set up trust between AWS and Microsoft Entra ID&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;How to exchange AWS identity tokens for Azure access tokens&lt;/LI&gt;
&lt;LI&gt;How to securely call an Azure Function from AWS without storing credentials&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;This approach improves security, removes secret management overhead, and aligns with Zero Trust principles.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Let’s start by understanding why this approach is needed in a multi-cloud environment.&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="none"&gt;Why this approach is needed&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In today’s multi-cloud landscape, organizations&amp;nbsp;frequently&amp;nbsp;need to connect services across cloud providers like AWS and Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Traditionally, this required storing long-lived Azure client secrets within AWS environments. While functional, this introduces:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Security risks (secrets can leak or be misused)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Operational overhead (secret rotation and storage)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="48" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Increased maintenance complexity&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Microsoft Entra ID&amp;nbsp;provides&amp;nbsp;a modern alternative:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Workload Identity Federation&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;, which&amp;nbsp;eliminates&amp;nbsp;the need for static credentials entirely.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="none"&gt;What is Workload Identity Federation?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Workload Identity Federation is a feature in Microsoft Entra ID that allows you to trust identities from external providers like AWS, GCP, or GitHub. Instead of a secret, Azure&amp;nbsp;validates&amp;nbsp;the identity of the AWS resource based on its own native OIDC (OpenID Connect) token.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;This approach is particularly useful for:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Securing Cross-Cloud Pipelines&lt;/STRONG&gt;:&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Enabling AWS Lambda or EC2 to call Azure APIs without managing keys.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Eliminating&amp;nbsp;Secret Rotation:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Removing the need to update expired secrets across different cloud providers.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="28" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Enhancing Security:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Using short-lived, verifiable claims that automatically expire.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In this blog, we will cover the configuration for&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;service-to-service&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;authentication&lt;/STRONG&gt; and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;user-led validation&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;for troubleshooting. The following guide outlines the complete technical configuration&amp;nbsp;required&amp;nbsp;to implement this architecture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;An overview of what we will be doing:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Generate AWS Token:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Your AWS resource (Lambda, EC2,&amp;nbsp;etc) generates a short-lived OIDC token signed by AWS.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Exchange for Azure Token:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;The AWS token is sent to Microsoft Entra ID. Azure&amp;nbsp;validates&amp;nbsp;the AWS signature using your Federated Credential and issues a native Azure Access Token in return.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Attach Verified Permissions:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;We configure an&amp;nbsp;App Role&amp;nbsp;on the&amp;nbsp;Function&amp;nbsp;App&amp;nbsp;and link it to our Caller App. This helps Azure&amp;nbsp;identify&amp;nbsp;the correct permissions to inject into the token, confirming the caller is officially&amp;nbsp;permitted&amp;nbsp;to access your API.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Authorize Azure Function:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; The AWS resource calls the Function URL with the Azure token. The Function's authentication layer verifies the token's claims and grants access.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 1: AWS side setup&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-10"&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 1–Enabling Outbound Identity Federation&lt;/SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt; Go toIdentity and Access Management (IAM)-&amp;gt; Access Management-&amp;gt;Account Settings&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt; Scroll down to the Outbound Identity Federation section and enable it. Note down the &lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Token Issuer URL&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;—we will use it later to set up the Issuer claim in the federated credentials on the Azure side.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 2– Create a role for your AWS resource (Lambda, EC2)&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to Identity and Access Management (IAM) -&amp;gt; Access Management-&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Roles&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click on the Create role button on the top right and select the trusted entity type, I selected AWS service. For use case I selected EC2. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Under Permissions, click Add permissions &amp;gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Create inline policy&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Switch to the JSON tab and paste this:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X POST 
"https://login.microsoftonline.com/&amp;lt;TENANT_ID&amp;gt;/oauth2/v2.0/token" \ 
-H "Content-Type: application/x-www-form-urlencoded" \ 
-d "client_id=&amp;lt;CLIENT_ID&amp;gt; " \ 
-d "scope=api://&amp;lt;APP_URI&amp;gt; /.default" \ 
-d "grant_type=client_credentials" \ 
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \ 
-d "client_assertion=&amp;lt;WebIdentityToken&amp;gt; "&lt;/LI-CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Review and Save (name it something like&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;AllowSelfWebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;). This permission allows the role to&amp;nbsp;generate its own OIDC token for external exchange&amp;nbsp;(you can do this step after the creation of role as well by editing the role)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;I named the role&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-federation-role&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. Review and create the role. After the creation is complete note down the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ARN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;for the role.&lt;/SPAN&gt;&amp;nbsp;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 2: Azure side setup&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;3&amp;nbsp;— Register the AWS Caller&amp;nbsp;App in Entra ID&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This&amp;nbsp;registration&amp;nbsp;represents&amp;nbsp;the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;AWS resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that will request a token and call your API&amp;nbsp;in the Azure side.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal → Microsoft Entra ID → App registrations → +&amp;nbsp;New registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Fill in the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;aws-caller-app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Supported account types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Single tenant (your tenant)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Register&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Now&amp;nbsp;you’ll&amp;nbsp;see&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Directory (tenant) ID&lt;/STRONG&gt;.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Copy both —&amp;nbsp;you’ll&amp;nbsp;need them later.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 4— Create Federated Credentials&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This allows&amp;nbsp;AWS&amp;nbsp;to impersonate this application by&amp;nbsp;establishing&amp;nbsp;a trust with an external OpenID Connect (OIDC) identity provider&amp;nbsp;and&amp;nbsp;get tokens to access Microsoft Entra ID resources.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-caller-app&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;that you just created, go to Manage-&amp;gt;Certificates and Secrets. Go to the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Federated credentials&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;section on the page.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Fill the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Federated credential scenario&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;:&amp;nbsp;Other&amp;nbsp;issuer&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Issuer&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Add the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Token Issuer URL&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that we copied in Step 1 from AWS.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Type&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;: &lt;/STRONG&gt;Explicit&amp;nbsp;subject&amp;nbsp;identifier&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Value&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Add the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;ARN&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;of the AWS resource that we copied in Step 2&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Name:&lt;/STRONG&gt; aws-federation &lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Add Description and leave the Audience claim as is. Click &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Add.&lt;/SPAN&gt;&lt;BR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 5— Register your Function App in Entra ID &amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This registration represents the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Function App resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that will receive a token and be called on the Azure side. My Function App is an API called&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-entra-federation-api.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Azure Portal → Microsoft Entra ID → App registrations → +&amp;nbsp;New registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Fill in the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;function-api-app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Supported account types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Single tenant (your tenant)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Register&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Now&amp;nbsp;you’ll&amp;nbsp;see&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Directory (tenant) ID.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Copy both —&amp;nbsp;you’ll&amp;nbsp;need them later.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;6– Create an App Role&amp;nbsp;in function-api-app&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;App roles&amp;nbsp;are custom role&amp;nbsp;templates which define&amp;nbsp;permissions&amp;nbsp;that can be assigned&amp;nbsp;to users or apps.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;that you just created&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;, go to Manage → App Roles in the left menu.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Create a new Role&amp;nbsp;and fill the following details:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Display Name:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;access_as_app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Allow Member Types:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Applications&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Value:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;access_as_app&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Description:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Allow application to application access&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Do you want to enable this app role?:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;True (Checked)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click "Apply".&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;7– Assign API Permissions to the&amp;nbsp;aws-caller-app&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;previous&amp;nbsp;step we created a role on the function-api-app, now we will assign this role to the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;aws-caller-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;so that it is able to authorize and call the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;function-api-app&lt;/STRONG&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;, go to Manage → API Permissions in the left menu.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click "+ Add a permission".&amp;nbsp;Click on the "APIs my organization uses" tab.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;In the search bar, enter the name of the app/service principal created before&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Select Application permissions and, under the Permissions section, choose the role created before&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;(&lt;STRONG&gt;access_as_app&lt;/STRONG&gt;)&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Click the "Add permissions" button.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="none"&gt;Back in the Manage → API Permissions screen, click "&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Grant admin consent&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;for Default Directory&lt;/STRONG&gt;".&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step 8— Configure Authentication on the Azure Function resource&amp;nbsp;(aws-entra-federation-api)&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Enable authentication on your function resource&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(&lt;STRONG&gt;aws-entra-federation-api&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;) and link it to the app registration (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;) you created earlier.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Go to your&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Function App resource&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in the Azure Portal&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-contrast="auto"&gt;(&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;aws-azure-federation-api&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;On the left menu, select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Authentication.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;+ Add identity provider.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Add the following details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Identity provider:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;Microsoft&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;App registration type:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Provide details of an existing app registration&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Client ID:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Paste the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Application (client) ID&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;of your&amp;nbsp;function-api-app from step 5(&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Issuer URL:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://login.microsoftonline.com/%3ctenant-id%3e/v2.0" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;https://login.microsoftonline.com/&amp;lt;tenant-id&amp;gt;/v2.0&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(Replace &amp;lt;tenant-id&amp;gt; with your Directory (tenant) ID)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Client application requirement:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Allow requests from any application&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Identity requirement&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; Allow requests from any identity&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Tenant requirement&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; Allow requests only from the issuer tenant&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Under&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Restrict access&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, select&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Require authentication&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Unauthenticated requests&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; HTTP 401&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:1080,&amp;quot;469777462&amp;quot;:[1440,1080],&amp;quot;469777927&amp;quot;:[0,0],&amp;quot;469777928&amp;quot;:[0,8]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Any other field not listed should remain as default.&amp;nbsp;Click "Add" and refresh the&amp;nbsp;Settings&amp;nbsp;→ Authentication view.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;The new configured provider will appear. Click "Edit".&amp;nbsp;A list of fields will appear. Make the following changes:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Allowed token audiences&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;Lets&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;consider&lt;STRONG&gt; Application ID for&lt;/STRONG&gt; &lt;STRONG&gt;function-api-app&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;from step 5 as the value for variable&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. Add the following three different audiences.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&amp;lt;APP_URI&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;api://&amp;lt;APP_URI&amp;gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;api://&amp;lt;APP_URI&amp;gt;&amp;nbsp;/.default&lt;/SPAN&gt; &lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Any other field not listed should remain as default.&amp;nbsp;Save&amp;nbsp;the changes.&amp;nbsp;Now the Function App will&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;only accept calls with valid Azure AD access tokens&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Congratulations, you have successfully completed the setup&amp;nbsp;required&amp;nbsp;for using Federated Identity authentication. Now&amp;nbsp;let’s&amp;nbsp;test if the setup is working correctly.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="auto"&gt;Section 3: Validating the setup&lt;/SPAN&gt;&lt;/H4&gt;
&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;Step&amp;nbsp;9&amp;nbsp;–&amp;nbsp;Requesting Azure token and authenticating to the function app.&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In my case,&amp;nbsp;I’ve&amp;nbsp;logged&amp;nbsp;in to my AWS account using&amp;nbsp;my user account (not root user)&amp;nbsp;and then opened&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;AWS&amp;nbsp;CloudShell&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;. I will be&amp;nbsp;validating&amp;nbsp;the setup through user account as I have not deployed any AWS resource.&amp;nbsp;You should be able to request for Azure token through Lambda or other AWS resource in a similar manner.&amp;nbsp;&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We will be using the following variable and values in the following steps:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ARN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&amp;nbsp;&lt;/STRONG&gt;The ARN of the role created in step 2 on AWS.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;TENANT_ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;: &lt;/STRONG&gt;Your Azure tenant ID, you can find this by going to your Account-&amp;gt;All directories and copy the Directory ID&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;CLIENT_ID&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; The application (object) ID of the app registration created for the AWS caller app generated in step 3(&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-caller-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;APP_URI&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; The application (object) ID of the App registration created for the function app resource generated in step 5 (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;DEFAULT_DOMAIN&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;:&lt;/STRONG&gt;&amp;nbsp;You can find this in the overview section of your Azure Function app&amp;nbsp;resource (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;aws-entra-federation-api&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, in this case).&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;We&amp;nbsp;need to follow&amp;nbsp;a few extra steps because this validation uses a user account. In production, the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;AWS SDK performs the ‘identity proofing’&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;step (step 4) for you. In your code, you simply take that identity, exchange it for an Azure token at the Microsoft Entra endpoint, and use the token to call your Azure Function. As a result, a production workload typically doesn’t need the first four steps.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Assume the Role that was created earlier for the AWS resource in Step 2, we are logged in to the AWS&amp;nbsp;CloudShell&amp;nbsp;with the user&amp;nbsp;account&amp;nbsp;but we need to use the role that we created earlier to generate AWS token and exchange it for Azure token.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;aws sts assume-role --role-arn &amp;lt;ARN&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;As&amp;nbsp;output,&amp;nbsp;we get&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;accesskeyid,&amp;nbsp;secretaccesskey&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;sessiontoken&lt;/STRONG&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;We will be using these as variables in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Set these&amp;nbsp;values&amp;nbsp;as variables:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;export AWS_ACCESS_KEY_ID="&amp;lt;accesskeyid&amp;gt; " 
export AWS_SECRET_ACCESS_KEY="&amp;lt;secretaccesskey&amp;gt; " 
export AWS_SESSION_TOKEN="&amp;lt;sessiontoken&amp;gt;"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Generate the AWS OIDC Token&amp;nbsp;that is specifically formatted for Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;aws sts get-web-identity-token \ 
--audience "api://AzureADTokenExchange" \ 
--signing-algorithm "RS256" \ 
--duration-seconds 3600&lt;/LI-CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;We get the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;WebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in the output.&amp;nbsp;Store it as we will be using it in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Now we will exchange the AWS token (&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;WebIdentityToken&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;) for an Entra ID token&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X POST 
"https://login.microsoftonline.com/&amp;lt;TENANT_ID&amp;gt;/oauth2/v2.0/token" \ 
-H "Content-Type: application/x-www-form-urlencoded" \ 
-d "client_id=&amp;lt;CLIENT_ID&amp;gt; " \ 
-d "scope=api://&amp;lt;APP_URI&amp;gt; /.default" \ 
-d "grant_type=client_credentials" \ 
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \ 
-d "client_assertion=&amp;lt;WebIdentityToken&amp;gt; "&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;We get the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;access_token&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;as the output of the last step. Store it as we will be using it in the next step.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Use the Entra ID token from the last step to send a request to&amp;nbsp;your&amp;nbsp;app—in this case, the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;function-api-app&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;LI-CODE lang=""&gt;curl -X GET "https://&amp;lt;DEFAULT_DOMAIN&amp;gt; " \ 
-H "Authorization: Bearer &amp;lt;access_token&amp;gt;" \ 
-H "Content-Type: application/json"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;You should get a&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;200 OK&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;response.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;SPAN data-contrast="none"&gt;Conclusion&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;By implementing&amp;nbsp;Workload&amp;nbsp;Identity Federation, you have moved away from the "Secret Management" era of cloud security. Instead of worrying about rotating client secrets or securing them in a vault, you are now using a short-lived, verifiable trust relationship between AWS and Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;What's Next?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Now that your authentication is secure, you can explore:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Fine-Grained Authorization&lt;/STRONG&gt;:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Use the claims inside the Azure Access Token to restrict specific actions within your Azure Function code.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Conditional Access Policies:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Layer on Azure Conditional Access to ensure requests only come from trusted locations, such as your specific AWS VPC or a designated IP range&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Automating with&amp;nbsp;Terraform/Bicep:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Now that&amp;nbsp;you've&amp;nbsp;done it manually, consider codifying this setup to ensure consistent security across all your environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 04:38:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/authenticating-aws-workloads-to-azure-functions-using-workload/ba-p/4531603</guid>
      <dc:creator>kasturi</dc:creator>
      <dc:date>2026-06-29T04:38:32Z</dc:date>
    </item>
    <item>
      <title>Check This Out! (CTO!) Guide (May/June 2026)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-may-june-2026/ba-p/4529349</link>
      <description>&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/users/tysonpaul/322025" data-lia-auto-title="Member: TysonPaul | Microsoft Community Hub" data-lia-auto-title-active="0" target="_blank"&gt;Member: TysonPaul | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/triggering-azure-functions-from-blob-storage-using-event-grid/4518184" target="_blank" rel="noopener noreferrer"&gt;Triggering Azure Functions from Blob Storage Using Event Grid&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/andrewcoughlin/449905" target="_blank" rel="noopener noreferrer"&gt;AndrewCoughlin&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to trigger Azure Functions from Blob Storage events using Azure Event Grid for real-time file processing. It outlines a step-by-step approach: create and deploy an Azure Function with an Event Grid trigger, set up an Event Grid subscription for BlobCreated events, and validate the process by uploading a blob. The method minimizes latency and avoids polling, making it suitable for enterprise scenarios. Key pitfalls include creating subscriptions before the function exists and misconfigurations. The article provides sample code and emphasizes the solution's simplicity, reliability, and operational transparency.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/tls-certificate-pinning-and-best-practices-in-azure-open-source-relational-datab/4519531" target="_blank" rel="noopener noreferrer"&gt;TLS Certificate Pinning and Best Practices in Azure Open-Source Relational Databases&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/tameikal/394903" target="_blank" rel="noopener noreferrer"&gt;TameikaL&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt;&amp;nbsp;The article explains TLS certificate pinning and its implications for Azure open-source relational databases (PostgreSQL, MySQL). Certificate pinning enhances client-side security but increases operational risk, especially during certificate rotations, by causing connection failures if certificates change. Unlike Azure SQL, where certificate validation is platform-managed, Azure OSS databases use client-managed trust. The article advises against certificate pinning and recommends trusting documented root CAs, using standard TLS validation modes, and maintaining up-to-date trust stores to ensure secure and resilient client connections during certificate updates.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/azure-ddos-protection--azure-waf-a-layered-defense-for-modern-ddos-attacks/4523745" target="_blank" rel="noopener noreferrer"&gt;Azure DDoS Protection &amp;amp; Azure WAF: A Layered Defense for Modern DDoS Attacks&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/saikishor/2933317" target="_blank" rel="noopener noreferrer"&gt;saikishor&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how Microsoft Azure provides a layered defense against modern DDoS attacks by combining platform-level infrastructure protection, Azure DDoS Protection for network-level threats (Layers 3/4), and Azure Web Application Firewall (WAF) for application-layer (Layer 7) attacks. This multi-tiered approach ensures comprehensive mitigation by addressing both high-volume network floods and sophisticated application-level threats, using adaptive techniques, rate limiting, bot protection, and real-time analytics. The article emphasizes that a defense-in-depth strategy—leveraging both Azure DDoS Protection and WAF—is essential for safeguarding internet-facing applications and maintaining service availability.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/scaling-github-advanced-security-in-azure-devops-with-a-single-reusable-yaml-tem/4518410" target="_blank" rel="noopener noreferrer"&gt;Scaling GitHub Advanced Security in Azure DevOps with a single reusable YAML template&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/paulams732/3255182" target="_blank" rel="noopener noreferrer"&gt;Paulams732&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article describes how to streamline GitHub Advanced Security (GHAS) integration in Azure DevOps by using a single, reusable YAML pipeline template. This approach dynamically detects repository content, runs only relevant security scans for application code and infrastructure-as-code, and centralizes configuration and reporting. It eliminates the need for multiple pipelines, reduces maintenance, ensures consistent security coverage, and supports polyglot and mixed repositories, resulting in a scalable and efficient DevSecOps process. Key lessons include the importance of detection-driven execution, dynamic configuration, and unified workflows for effective security management across diverse codebases.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/building-ai-guardian-extension-ai-detection-and-enterprise-ai-security/4521125" target="_blank" rel="noopener noreferrer"&gt;Building AI Guardian Extension: AI Detection and Enterprise AI Security&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azureinfrastructureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Infrastructure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/ranjsharma/2999223" target="_blank" rel="noopener noreferrer"&gt;ranjsharma&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses the security and governance challenges posed by rapid enterprise adoption of generative AI tools, focusing on the risks of "Shadow AI"—the unauthorized use of AI platforms that can lead to data leakage and compliance violations. It introduces the AI Guardian Extension, a platform that autonomously detects and protects against Shadow AI by monitoring AI interactions, preventing sensitive data exposure, blocking risky prompts, and generating compliance reports, thereby enabling safe, compliant, and visible enterprise AI usage.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/public-preview-migrate-your-regional-virtual-machines-to-availability-zones/4517298" target="_blank" rel="noopener noreferrer"&gt;Public Preview: Migrate your regional virtual machines to availability zones&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/micahmckittrick/86476" target="_blank" rel="noopener noreferrer"&gt;micahmckittrick&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced a public preview feature enabling Azure users to migrate regional (nonzonal) Virtual Machines (VMs) and VM Scale Sets (VMSS Flex) into specific availability zones without rebuilding resources. The migration preserves VM names, disks, IPs, and other properties. This improves fault isolation, compliance, and disaster recovery. The process involves deallocating the VM, assigning it to a zone, and restarting it. Migration is one-way and must be done per VM. Certain configurations, like Basic SKU IPs and unmanaged disks, are not supported. Users are advised to roll out migrations in batches for production workloads.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/use-azure-container-registry-as-an-upstream-source-for-artifact-cache/4517102" target="_blank" rel="noopener noreferrer"&gt;Use Azure Container Registry as an Upstream Source for Artifact Cache&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/toddysm/931088" target="_blank" rel="noopener noreferrer"&gt;toddysm&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/05/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Container Registry (ACR) now supports using another ACR as an upstream source for artifact cache, enabling secure image promotion and distribution within organizations. This feature allows registries to cache images from other ACRs, with user-assigned managed identities (UAMI) supported for authentication, improving security by eliminating credential management. Common scenarios include promoting images between Dev and Prod registries and implementing hub-and-spoke registry topologies. The setup uses Azure CLI, requires proper RBAC permissions, and works best within the same tenant. Cross-tenant and some network configurations have limited support; portal integration is coming soon.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/how-to-use-instance-mix-with-azure-virtual-machine-scale-sets/4522574" target="_blank" rel="noopener noreferrer"&gt;How to use Instance Mix with Azure Virtual Machine Scale Sets&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/orinthomas/251291" target="_blank" rel="noopener noreferrer"&gt;OrinThomas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/24/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Instance Mix for Azure Virtual Machine Scale Sets allows you to specify up to five compatible VM sizes in a single scale set (Flexible orchestration mode), enhancing scalability, cost optimization, and provisioning success. Azure selects VM sizes during scale-out based on your chosen allocation strategy (LowestPrice, CapacityOptimized, or Prioritized). Best for stateless, horizontally scalable workloads, Instance Mix requires similar VM types, compatible architectures, and pre-checked quotas. It’s configured via Azure CLI or portal, with operational tips for optimal use. Avoid mixing very different VM types, and always verify availability and quotas before production deployment.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/the-end-is-nigh-for-des-and-an-update-for-hunting-down-rc4/4499821" target="_blank" rel="noopener noreferrer"&gt;The End is Nigh for DES and an Update for hunting down RC4&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/chris_cartwright/721086" target="_blank" rel="noopener noreferrer"&gt;Chris_Cartwright&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/08/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is finalizing the removal of DES and RC4 encryption types from Windows Kerberos authentication to enhance security. The article provides updated XML filters and event forwarding methods to help administrators identify and track the use of DES and RC4 in their environments. It also includes resources, scripts, and guidance for transitioning to stronger cryptography, with references to related Microsoft support articles and previous blog posts. Note: The described Event Forwarding methods are not yet compatible with Server 2025 but will be updated in the future.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/windows-365-for-agents-run-ai-agents-in-cloud-pcs-across-real-applications/4523433" target="_blank" rel="noopener noreferrer"&gt;Windows 365 for Agents: run AI agents in Cloud PCs across real applications&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Windows 365 for Agents, now in public preview, enables AI agents to autonomously execute real workflows across applications—including legacy and UI-based systems—within secure, policy-controlled Cloud PCs. This represents a shift from API-based automation, allowing agents to complete complex tasks like processing invoices or updating CRM data while maintaining enterprise security and control. Administrators can define boundaries and monitor agent activity, ensuring agents operate safely without impacting production systems. Windows 365 for Agents thus offers a secure, dedicated environment for scalable, autonomous AI workflow automation across diverse software environments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/from-scale-to-breakthrough-azure-netapp-files-sets-a-new-cloud-benchmark-for-eda/4520890" target="_blank" rel="noopener noreferrer"&gt;From Scale to Breakthrough: Azure NetApp Files Sets a New Cloud Benchmark for EDA Performance&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/geertvanteylingen/222853" target="_blank" rel="noopener noreferrer"&gt;GeertVanTeylingen&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights Azure NetApp Files’ new “large volume breakthrough mode,” which sets a benchmark for cloud storage in Electronic Design Automation (EDA) workloads. Independently validated SPECstorage® 2020 benchmarks show this mode enables exceptional scalability and consistent sub-millisecond latency, supporting thousands of parallel EDA jobs without performance bottlenecks. Both single and scaled configurations demonstrated linear scaling in throughput and concurrency, empowering faster, more efficient chip design cycles. As a result, Azure NetApp Files transforms cloud storage from a limiting factor to a strategic enabler for modern, high-performance semiconductor design workflows.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/modernizing-azure-virtual-desktop-with-nerdio-and-azure-files/4516542" target="_blank" rel="noopener noreferrer"&gt;Modernizing Azure Virtual Desktop with Nerdio and Azure Files&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/vybava_ramadoss/70516" target="_blank" rel="noopener noreferrer"&gt;Vybava_Ramadoss&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/04/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how organizations scaling Azure Virtual Desktop (AVD) face challenges with user profile storage, identity management, and cost efficiency. Nerdio Manager streamlines AVD deployment by integrating compute, storage, and identity management, reducing complexity and configuration drift. Azure Files Provisioned v2 enhances storage performance and cost efficiency, while Entra ID authentication simplifies identity architecture. Together, Nerdio and Azure Files enable faster, more reliable, and cost-effective AVD environments with improved user experience, especially during peak loads, and ensure consistent, audit-ready governance at enterprise scale.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/cutover-strategy-for-azure-paas-services-a-step-by-step-guide-to-near-zero-downt/4517261" target="_blank" rel="noopener noreferrer"&gt;Cutover Strategy for Azure PaaS Services: A Step-by-Step Guide to Near Zero-Downtime Migrations&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/lapadman/3477420" target="_blank" rel="noopener noreferrer"&gt;lapadman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines a step-by-step cutover strategy for migrating enterprise applications to Azure PaaS with near zero downtime. Emphasizing phased parallel cutover, it recommends gradual traffic shifts, robust rollback plans, and continuous monitoring to minimize risk. High availability (HA) and disaster recovery (DR) must be integrated into each phase. Messaging systems, particularly Azure Service Bus, are highlighted as the most complex component. The guide details essential roles, tools, metrics, and checklists to ensure a safe, controlled migration, concluding that cutover and HA/DR should be treated as a unified process for successful Azure transitions.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/preview-cis-benchmarks-on-azure-now-for-windows-server/4523432" target="_blank" rel="noopener noreferrer"&gt;[Preview] CIS Benchmarks on Azure; Now for Windows Server&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/amirb/2954344" target="_blank" rel="noopener noreferrer"&gt;AmirB&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is announcing the preview of built-in CIS Benchmarks for Windows Server within Azure Policy and Machine Configuration, initially supporting Windows Server 2025. This expands their compliance offerings, which already cover Linux, to Windows environments managed by Azure and Arc. The solution allows flexible configuration, exportable compliance as code, and unified management across machine types. The preview starts in audit-only mode, with auto-remediation and enforcement planned. Future updates will add support for more Windows editions, granular rule enforcement, STIG baselines, and retire older, overlapping policies for streamlined compliance management in Azure.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/introducing-the-azure-resource-manager-mcp-server/4517521" target="_blank" rel="noopener noreferrer"&gt;Introducing the Azure Resource Manager MCP Server!&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/stevenbucher/1481362" target="_blank" rel="noopener noreferrer"&gt;stevenbucher&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article announces the public preview of the Azure Resource Manager MCP Server, a tool enabling AI agents to interact with Azure infrastructure via Azure Resource Manager. It allows agents to generate, validate, and execute Azure Resource Graph queries, deploy and manage ARM templates, and monitor deployments—all from natural language prompts. The server supports compliance audits, rapid provisioning, and policy checks, and integrates with GitHub Copilot. It respects Azure security policies and is initially available for VS Code, with more features and client support planned. Users can install and provide feedback during the preview phase.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/the-power-behind-ai-your-brain/4508109" target="_blank" rel="noopener noreferrer"&gt;The power behind AI: Your brain&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/nency_yera/3427044" target="_blank" rel="noopener noreferrer"&gt;Nency_Yera&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article shares Nency Yera’s journey as a neurodivergent professional with ADHD who, despite having no coding background, leveraged AI tools like GitHub Copilot and VS Code by customizing them to fit her thinking style. With supportive leadership and a personalized, step-by-step approach, she built practical solutions for her workplace. The story emphasizes that neurodivergent brains are assets, and that AI becomes powerful when adapted to individual needs, enabling anyone—regardless of technical background—to create impactful tools and unlock new potential.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/new-microsoft-certified-intelligent-applications-builder-associate-certification/4494118" target="_blank" rel="noopener noreferrer"&gt;New Microsoft Certified: Intelligent Applications Builder Associate Certification&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/libertymunson/50590" target="_blank" rel="noopener noreferrer"&gt;LibertyMunson&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced the Certified: Intelligent Applications Builder Associate Certification, aimed at professionals building AI-powered business solutions using Microsoft Power Platform, Copilot, and natural language tools. To earn the certification, candidates must pass Exam AB-410 (beta), which validates skills in creating intelligent applications, automation, data models, and integrating AI agents. The first 300 test-takers before June 17, 2026, receive an 80% discount. Candidates should have experience with Dataverse, Power Apps, Power Automate, and Copilot features. The certification becomes generally available in July 2026, with preparation resources and study guides provided by Microsoft.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/ansible--azure-arc-use-ansible-modules-to-deploy-and-manage-azure-arc-machine-ex/4521689" target="_blank" rel="noopener noreferrer"&gt;Ansible + Azure Arc: Use Ansible modules to deploy and manage Azure Arc machine extensions at scale&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alinetran/1972499" target="_blank" rel="noopener noreferrer"&gt;alinetran&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced new Ansible modules in the azure.azcollection for managing Azure Arc machine extensions at scale. These modules allow teams to automate the deployment, update, and removal of Azure Arc extensions through Ansible playbooks, streamlining extension lifecycle management across hybrid and multicloud environments. This integration eliminates the need for separate tools, enforces consistent configurations, supports compliance scenarios like centralized SSH access, and enhances visibility into extension states. The update strengthens Azure Arc’s position as a unified management platform for Windows and Linux servers using familiar automation workflows.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/simplified-access-to-hotpatching-enabled-by-azure-arc-for-windows-server-2025/4521251" target="_blank" rel="noopener noreferrer"&gt;Simplified access to Hotpatching enabled by Azure Arc for Windows Server 2025&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/sharmajyoti/2761878" target="_blank" rel="noopener noreferrer"&gt;sharmajyoti&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/19/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Windows Server 2025 introduces hotpatching enabled by Azure Arc, allowing security updates without reboots across hybrid and multicloud environments at no extra cost. Eligible servers must be connected to Azure Arc and have Virtualization-based Security enabled. Azure Update Manager and other tools enable centralized patch management, improving uptime and simplifying compliance. Hotpatching delivers monthly security updates, with quarterly cumulative updates requiring a restart. Existing enrolled machines continue receiving hotpatches without additional action, and hotpatching remains free for Azure-hosted servers. Azure Arc also provides unified governance, monitoring, and lifecycle management for diverse server environments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/finopsblog/whats-new-in-finops-toolkit-14-%E2%80%93-april-2026/4519497" target="_blank" rel="noopener noreferrer"&gt;What's new in FinOps toolkit 14 – April 2026&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/finopsblog" target="_blank" rel="noopener noreferrer"&gt;FinOps&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/michael_flanakin/3099145" target="_blank" rel="noopener noreferrer"&gt;Michael_Flanakin&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; FinOps toolkit 14 introduces AI integration via a Copilot Studio agent template, enabling users to query FinOps hub data in natural language. It adds support for ingesting Azure Advisor and custom optimization recommendations, simplifies hub deployment options, and previews a new dataset for commitment discount eligibility. The release also delivers various fixes and enhancements across guides, Power BI, workbooks, and the PowerShell module. Looking ahead, the toolkit will deepen AI features, expand data support, and offer premium services to further help organizations optimize and manage cloud costs in Microsoft Azure environments.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuretoolsblog/azure-cli-on-macos-upcoming-installation-changes/4518596" target="_blank" rel="noopener noreferrer"&gt;Azure CLI on macOS: Upcoming Installation Changes&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuretoolsblog" target="_blank" rel="noopener noreferrer"&gt;Azure Tools&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alex-wdy/1467559" target="_blank" rel="noopener noreferrer"&gt;Alex-wdy&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is updating how Azure CLI is installed on macOS to better meet security and enterprise requirements. Starting with version 2.86.0 (Preview), Azure CLI will shift from Homebrew Core to new options: Homebrew Cask (recommended) and an offline tarball for air-gapped environments. These changes enable distribution of precompiled, signed, and notarized binaries, aligning with macOS security standards. Homebrew Core remains available during the transition, but users are encouraged to adopt the new methods and provide feedback. Full rollout details and installation instructions are available on Microsoft Learn.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuretoolsblog/from-prompt-to-production-open-in-vs-code-for-terraform-in-azure-copilot/4494931" target="_blank" rel="noopener noreferrer"&gt;From Prompt to Production: Open in VS Code for Terraform in Azure Copilot&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuretoolsblog" target="_blank" rel="noopener noreferrer"&gt;Azure Tools&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jingwei_wang/1561384" target="_blank" rel="noopener noreferrer"&gt;Jingwei_Wang&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/12/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced "Open in VS Code" for Terraform in Azure Copilot, enabling users to move seamlessly from AI-generated Terraform code in Azure Portal to real deployments within an integrated, guided workflow. This feature supports immediate editing, validation, and deployment in a browser-based VS Code environment, with built-in guidance for backend configuration and deployment. Users can select from Azure Storage, Terraform Cloud, or a temporary workspace for state management. The solution streamlines Infrastructure as Code processes for both beginners and enterprises, now in public preview, with future plans for enhanced CI/CD and editor integrations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/understanding-and-building-an-azure-hybrid-meshed-hub-spoke-topology/4516879" target="_blank" rel="noopener noreferrer"&gt;Understanding and building an Azure Hybrid Meshed Hub-Spoke Topology&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/svenbaeck/1876236" target="_blank" rel="noopener noreferrer"&gt;Svenbaeck&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/18/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to design a secure, scalable Azure hybrid network using a meshed hub-spoke topology. Centralized hubs control all traffic and security, preventing uncontrolled lateral communication between spokes and supporting hybrid connectivity. Key design principles include controlled routing in gateways and spokes, proper VNet peering, and meshing hubs for multi-region setups. Azure Firewalls or NVAs in the hub enable traffic inspection and policy enforcement. The approach simplifies management, enhances security, and supports regional independence and fault isolation, making it suitable for enterprise-scale Azure environments. Clear address planning and consistent configuration are emphasized for effective operation.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/simplify-virtual-wan-spoke-connectivity-at-scale-with-azure-virtual-network-mana/4523055" target="_blank" rel="noopener noreferrer"&gt;Simplify Virtual WAN Spoke Connectivity at Scale with Azure Virtual Network Manager&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jay-li/1197988" target="_blank" rel="noopener noreferrer"&gt;Jay-Li&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/26/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Network Manager (AVNM) integrates with Azure Virtual WAN to simplify and automate spoke connectivity, routing, and security policy management across large-scale hub-and-spoke network architectures. By grouping virtual networks and applying centralized connectivity and routing policies, AVNM reduces repetitive manual configuration, ensures operational consistency, and enables bulk onboarding, dynamic updates, and incremental deployments. This integration streamlines operations, enhances scalability, and provides robust security controls, making it easier for organizations to manage complex Azure networking environments confidently and efficiently.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/building-resilient-networks-for-ai-supercomputers/4516919" target="_blank" rel="noopener noreferrer"&gt;Building resilient networks for AI supercomputers&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jithinjose/324164" target="_blank" rel="noopener noreferrer"&gt;jithinjose&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article details Microsoft’s networking innovations for the Fairwater AI supercomputer, focusing on resilience and efficiency at extreme GPU scale. Central to this is the Multipath Reliable Connection (MRC), a new, open-source transport protocol that distributes data across multiple paths, enabling robust, high-utilization GPU clusters even during routine network faults. Combined with a two-tier multiplane topology and static SRv6 routing, this approach minimizes disruptions, improves training throughput, and simplifies failure recovery. Microsoft, in partnership with industry leaders, is open-sourcing MRC and related tools to advance resilient AI infrastructure across the ecosystem.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurehighperformancecomputingblog/distributing-model-weights-to-your-ai-cluster-a-faster-pre-flight-on-aks-and-slu/4517294" target="_blank" rel="noopener noreferrer"&gt;Distributing model weights to your AI cluster: a faster pre-flight on AKS and Slurm&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurehighperformancecomputingblog" target="_blank" rel="noopener noreferrer"&gt;Azure High Performance Computing (HPC)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pauledwards/363080" target="_blank" rel="noopener noreferrer"&gt;pauledwards&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces "azcp-cluster", a tool for efficiently distributing large AI model checkpoints across multi-node GPU clusters on Azure. Instead of each node downloading the full dataset separately—causing slowdowns, increased costs, and potential Azure storage throttling—azcp-cluster shards the download across nodes, then broadcasts data at high-speed over InfiniBand. This approach reduces egress costs, maximizes fabric speed, and simplifies cluster setup on Slurm and AKS. Practical deployment examples, Docker integration, and Kubernetes scheduling strategies are provided, with recommendations for both merged-image and init-container patterns. Benchmarks show significant speedups and cost savings.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/windowsosplatform/share-the-moment-listen-together-with-shared-audio/4522401" target="_blank" rel="noopener noreferrer"&gt;Share the Moment: Listen Together with Shared Audio&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows/blog/windowsosplatform" target="_blank" rel="noopener noreferrer"&gt;Windows OS Platform&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/steven%20ilami/234436" target="_blank" rel="noopener noreferrer"&gt;Steven Ilami&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/26/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article introduces “Shared Audio,” a new Windows 11 feature that enables two users to wirelessly listen to audio from the same PC using separate Bluetooth LE Audio accessories, like headphones or hearing aids. This solves the longstanding limitation of one-audio-device connections, enhancing shared experiences during flights, study sessions, or road trips. Users can easily manage connections and individual volumes through Quick Settings. Shared Audio requires compatible LE Audio devices, Windows 11 (version 24H2 or newer), and suitable hardware. The feature aims to make group listening more accessible, convenient, and customizable for entertainment, productivity, and accessibility needs.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/how-to-secure-azure-databricks-without-public-exposure-using-waf--private-endpoi/4517721" target="_blank" rel="noopener noreferrer"&gt;How to Secure Azure Databricks without Public Exposure using WAF + Private Endpoints&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/faizaanmerchant/3432847" target="_blank" rel="noopener noreferrer"&gt;FaizaanMerchant&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/11/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines how to secure Azure Databricks using a Zero Trust Architecture by combining Azure Application Gateway with Web Application Firewall (WAF) and Private Endpoints. This approach eliminates public internet exposure, ensures all traffic is inspected and routed securely, and aligns with strict compliance requirements. The recommended architecture uses a Hub-and-Spoke model, disabling public access and enforcing internal and external access through WAF and private endpoints, respectively. Key considerations include proper DNS configuration, SSL setup, and custom WAF rules, ensuring secure, compliant, and seamless access for both internal and external users.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/cloud-native-platforms-evolve/4520195" target="_blank" rel="noopener noreferrer"&gt;Cloud Native Platforms: Evolve&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/kishorekumarpattabiraman/3426309" target="_blank" rel="noopener noreferrer"&gt;KishoreKumarPattabiraman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article argues that AI is transforming software engineering by augmenting workflows across the entire software development lifecycle—not just code generation. Success depends on disciplined adoption: turning individual AI prompts into reusable workflows, implementing robust guardrails, and maintaining clear boundaries for human judgment. Responsible AI, with practices ensuring fairness, transparency, safety, and accountability, is essential. Teams should measure AI by outcomes (like defect rates and lead time), not usage. The key is evolving engineering practices to leverage AI safely and effectively, making workflows, not individual suggestions, the core unit of value.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/new-platform-sso-with-registration-during-automated-device-enrollment-on-macos/4519846" target="_blank" rel="noopener noreferrer"&gt;New Platform SSO with registration during Automated Device Enrollment on macOS&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/14/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Intune now supports Platform Single Sign-On (PSSO) registration during Automated Device Enrollment (ADE) setup for macOS 26 and newer. With the new “Enable Registration During Setup” setting and Intune Company Portal version 5.2604.0+, users register their devices and sign in with Microsoft Entra credentials during Setup Assistant, enabling immediate access to work resources. This streamlines onboarding, reduces compliance gaps, authentication issues, and IT helpdesk tickets. The feature requires coordinated policies assigned to static user groups. Future updates aim to reduce multiple sign-in prompts for an even smoother enrollment experience.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/migrating-frontline-mobile-devices-aligning-stakeholders-before-real-world-testi/4516511" target="_blank" rel="noopener noreferrer"&gt;Migrating frontline mobile devices: Aligning stakeholders before real-world testing&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 05/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines the crucial steps for migrating frontline mobile devices by emphasizing the need to align stakeholders and processes before conducting real-world testing with Microsoft Intune. It highlights translating discovery findings into actionable decisions, identifying and aligning key operational and technical stakeholders, and ensuring readiness across licensing, identity, and device lifecycle areas. Real-world testing should validate end-to-end workflows, security, and supportability in operational conditions, not just device enrollment. Standardization can evolve post-testing, and clear ownership of success criteria is essential to achieve meaningful pilot outcomes and support future device management decisions.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;</description>
      <pubDate>Thu, 18 Jun 2026 21:36:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-may-june-2026/ba-p/4529349</guid>
      <dc:creator>TysonPaul</dc:creator>
      <dc:date>2026-06-18T21:36:23Z</dc:date>
    </item>
    <item>
      <title>Microsoft Security Copilot: AI-Driven Security Operations at Greater Scale</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-security-copilot-ai-driven-security-operations-at/ba-p/4528912</link>
      <description>&lt;P class="lia-align-justify"&gt;At its core, Security Copilot is &lt;STRONG&gt;built to enhance every facet of security operations at machine speed&lt;/STRONG&gt;. It translates a vast array of inputs (Microsoft’s cloud-scale telemetry, threat intelligence feeds, security best practices, and enterprise-specific data) into &lt;STRONG&gt;tailored recommendations and summaries&lt;/STRONG&gt;, helping security teams &lt;STRONG&gt;“catch what others miss,” respond faster, and strengthen their expertise&lt;/STRONG&gt;. In the sections below, I explore the key security benefits of Security Copilot, its extensibility via third-party plugins and skills, and the value of its deep integration with Microsoft’s security ecosystem.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Key Benefits for Security Operations&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;Security Copilot meaningfully improves &lt;STRONG&gt;threat detection, investigation, response, correlation of signals, and analyst productivity&lt;/STRONG&gt;. The table below summarizes these core security benefits and capabilities:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 98.1481%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Operations Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Benefit with Security Copilot&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Detection&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Augmented detection of elusive threats:&lt;/STRONG&gt; Security Copilot leverages broad threat intelligence and comprehensive signals to identify subtle threats, anomalies, and attack patterns that might be missed through manual analysis. By reasoning over Microsoft’s vast security graph and global threat telemetry, it helps analysts &lt;EM&gt;“catch what others miss,”&lt;/EM&gt; ensuring &lt;STRONG&gt;unique or stealthy threats are surfaced&lt;/STRONG&gt;.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident Investigation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Faster, context-rich investigations:&lt;/STRONG&gt; Security Copilot can swiftly &lt;STRONG&gt;summarize and analyze incident data&lt;/STRONG&gt; from multiple sources, enhancing incident details with additional context from logs, alerts, and threat intel. It correlates related events and highlights root causes, giving analysts a &lt;STRONG&gt;consolidated understanding of complex incidents in minutes&lt;/STRONG&gt;. This enables quicker triage and deeper insights, so investigators know what happened and where to focus next.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Response &amp;amp; Remediation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Guided response and remediation:&lt;/STRONG&gt; Security Copilot not only identifies issues but also &lt;STRONG&gt;provides prescriptive guidance&lt;/STRONG&gt; on how to respond. It can suggest &lt;STRONG&gt;remediation steps and mitigation strategies&lt;/STRONG&gt; in plain language, helping analysts act decisively. For example, it may outline containment steps or orchestrate automated actions through integrated tools, significantly &lt;STRONG&gt;reducing response time to incidents&lt;/STRONG&gt;.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Signal Correlation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Holistic cross-domain correlation:&lt;/STRONG&gt; Because it taps into signals across identities, endpoints, email, cloud workloads, and more, Security Copilot automatically &lt;STRONG&gt;connects the dots among disparate alerts and data streams&lt;/STRONG&gt;. It presents unified incident narratives by linking related indicators (e.g., matching an endpoint malware alert with identity login anomalies and cloud logs), &lt;STRONG&gt;eliminating manual cross-tool correlation and uncovering hidden attack paths&lt;/STRONG&gt;. Analysts get a &lt;STRONG&gt;single cohesive view&lt;/STRONG&gt; of an incident across the kill chain.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Analyst Productivity&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Boosted efficiency &amp;amp; skill elevation:&lt;/STRONG&gt; By automating repetitive tasks (like scanning logs, writing KQL queries, or summarizing reports) and supporting natural language interaction, Security Copilot &lt;STRONG&gt;reduces manual workload&lt;/STRONG&gt; and accelerates everyday tasks. This lets analysts focus on higher-value activities. In practice, teams using Security Copilot have seen &lt;STRONG&gt;significant productivity gains&lt;/STRONG&gt; – a recent study found &lt;STRONG&gt;23–47% improvement in SecOps task efficiency&lt;/STRONG&gt; after adoption. Junior analysts ramp up faster (learning from Copilot’s guidance), while senior analysts can handle more incidents with less fatigue.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;These improvements translate into &lt;STRONG&gt;measurable security outcomes&lt;/STRONG&gt;. &lt;STRONG&gt;Incident response becomes faster and more consistent&lt;/STRONG&gt;, with &lt;EM&gt;mean time to resolution&lt;/EM&gt; reduced by &lt;STRONG&gt;30% on average within a few months of use&lt;/STRONG&gt; according to early research. Security Copilot’s ability to &lt;STRONG&gt;accelerate investigations and streamline tasks&lt;/STRONG&gt; drives down risk exposure and helps organizations make the most of their security investments. Ultimately, it &lt;STRONG&gt;strengthens an organization’s security posture&lt;/STRONG&gt; by augmenting human analysts with AI-driven speed, scale, and intelligence.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Seamless Integration with the Microsoft Security Ecosystem&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P class="lia-align-justify"&gt;Another key strength of Security Copilot is its &lt;STRONG&gt;deep native integration with Microsoft’s security portfolio&lt;/STRONG&gt;. From day one, Security Copilot was &lt;EM&gt;“designed with integration in mind.”&lt;/EM&gt; It &lt;STRONG&gt;plugs directly into a broad range of Microsoft security products&lt;/STRONG&gt; — including &lt;STRONG&gt;Microsoft 365 Defender (XDR), Microsoft Sentinel (SIEM), Microsoft Entra (ID and access management), Microsoft Intune (endpoint management), Microsoft Purview (compliance), and more&lt;/STRONG&gt;. In practice, Security Copilot is available as both a &lt;EM&gt;standalone portal&lt;/EM&gt; and as an &lt;STRONG&gt;embedded side-by-side experience within these Microsoft security tools&lt;/STRONG&gt;. This means a security analyst working in Microsoft Sentinel or Defender can access Copilot’s capabilities without switching context: &lt;STRONG&gt;Copilot is right there in the workflow, ready to answer questions or assist with tasks in real time&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Because of this close integration, &lt;STRONG&gt;Security Copilot can access data and signals from across all Microsoft security solutions&lt;/STRONG&gt; that an organization uses. It operates over &lt;STRONG&gt;a unified security data estate&lt;/STRONG&gt; encompassing endpoints, identities, emails, applications, cloud workloads, data repositories, and beyond. The result is truly &lt;STRONG&gt;end-to-end visibility and protection&lt;/STRONG&gt;: Copilot can reason across diverse telemetry (e.g., correlating a device malware alert from Defender with cloud logs from Azure, or identity risk signals from Entra) to provide comprehensive insight. This unified approach &lt;STRONG&gt;eliminates silos and tool fragmentation&lt;/STRONG&gt; — analysts spend less time pivoting between separate consoles or manually stitching together information because Copilot synthesizes it automatically.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Moreover, &lt;STRONG&gt;leveraging the Microsoft ecosystem means Security Copilot can immediately add value without requiring a rip-and-replace of existing tools&lt;/STRONG&gt;. It acts as a &lt;STRONG&gt;“force multiplier” across the installed Microsoft Security stack&lt;/STRONG&gt;, maximizing the return on those investments by making them more effective and easier to use. For example, &lt;STRONG&gt;Copilot can turn a collection of raw alerts from different Microsoft products into a single, coherent incident storyline with actionable next steps&lt;/STRONG&gt;. This synergy leads to significant &lt;STRONG&gt;operational efficiency gains&lt;/STRONG&gt; and a more streamlined &lt;STRONG&gt;SOC workflow&lt;/STRONG&gt;, as analysts have a central AI assistant coordinating across all defenses on their behalf.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;By providing unified insights, reducing tool sprawl, and bringing together Microsoft’s best-in-class security technologies, &lt;STRONG&gt;Security Copilot emerges as a valuable asset for modern security teams&lt;/STRONG&gt;. It empowers organizations to practice &lt;STRONG&gt;“AI-first” security operations&lt;/STRONG&gt; – enabling defenders to work faster and smarter, while fully utilizing an integrated security ecosystem to protect the enterprise from evolving threats. In summary, Microsoft Security Copilot offers a &lt;STRONG&gt;compelling combination of advanced AI capabilities, extensibility, and seamless integration&lt;/STRONG&gt; that helps security teams achieve &lt;STRONG&gt;unprecedented speed, breadth, and efficiency&lt;/STRONG&gt; in defending their organizations. &lt;STRONG&gt;It enhances human expertise with machine-scale intelligence&lt;/STRONG&gt;, improving threat detection and response outcomes and transforming the way security operations centers operate for the better.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Open Extensibility with Third-Party Plugins and Skills&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P class="lia-align-justify"&gt;A standout capability of Security Copilot is its &lt;STRONG&gt;extensible plugin architecture&lt;/STRONG&gt;, which allows it to incorporate external data sources and integrate with third-party security tools. &lt;STRONG&gt;Plugins&lt;/STRONG&gt; in Security Copilot are modular connectors that bring in specific data or perform defined actions (each plugin encapsulates certain “&lt;STRONG&gt;skills&lt;/STRONG&gt;,” such as running a KQL query, calling an API, or searching threat intel). Microsoft provides numerous &lt;STRONG&gt;pre-installed plugins&lt;/STRONG&gt; out-of-the-box for common Microsoft security services and workflows, and administrators can easily &lt;STRONG&gt;add or develop custom plugins to connect 3rd-party systems or bespoke data sources&lt;/STRONG&gt;. This design ensures that Security Copilot’s capabilities can expand and adapt to different environments.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Through both &lt;STRONG&gt;Microsoft-built and third-party plugins&lt;/STRONG&gt;, Security Copilot can tap into a wide variety of security data beyond the Microsoft stack. For example, &lt;STRONG&gt;supported third-party plugins let Copilot pull context from external solutions such as IT service management tools (e.g., ServiceNow)&lt;/STRONG&gt;, vulnerability management platforms, identity providers, network security appliances, and others. Plugins feed &lt;STRONG&gt;additional logs, alerts, and intelligence&lt;/STRONG&gt; into Copilot’s analysis, thereby enriching its understanding of incidents with non-Microsoft data and events. This means a SOC can leverage &lt;STRONG&gt;existing investments in third-party security products by having Security Copilot analyze and correlate those systems’ outputs&lt;/STRONG&gt; alongside Microsoft’s telemetry.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft and its partners have already created an &lt;STRONG&gt;ecosystem of Security Copilot plugins&lt;/STRONG&gt;. For instance, Microsoft announced &lt;STRONG&gt;15+ new third-party plugins&lt;/STRONG&gt; at Ignite 2024, spanning categories like &lt;STRONG&gt;threat intelligence&lt;/STRONG&gt; (e.g., integrating feeds from providers like CrowdSec, Cybersixgill, GreyNoise) and &lt;STRONG&gt;device/network/identity management&lt;/STRONG&gt; tools (e.g., Red Canary, Netskope, Tanium, CyberArk, etc.). These plugins bring rich external data on threat actors, indicators of compromise, vulnerabilities, device health, user activity, and more, allowing Copilot to provide even more comprehensive analyses and recommendations.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Crucially, &lt;STRONG&gt;customers can build their own plugins and skills&lt;/STRONG&gt; if needed, using Security Copilot’s developer tools and APIs. This means an enterprise could integrate a proprietary threat feed, custom data store, or even trigger custom response workflows via Copilot, tailoring the AI assistant to their unique security environment. Thanks to &lt;STRONG&gt;secure design and admin controls&lt;/STRONG&gt;, organizations maintain full governance over which plugins are enabled and how they consume resources. In summary, Security Copilot’s open, plugin-based extensibility ensures that it can &lt;STRONG&gt;grow with an organization’s needs&lt;/STRONG&gt;, incorporating &lt;STRONG&gt;any relevant third-party data or workflow&lt;/STRONG&gt; to further &lt;STRONG&gt;enhance threat analysis and incident response&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-10"&gt;Technical Resources:&lt;/SPAN&gt;&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/" target="_blank"&gt;Security Copilot Main documentation site&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/agents-overview" target="_blank"&gt;Security Copilot agents&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/plugin-overview" target="_blank"&gt;Security Copilot plugins&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/whats-new-copilot-security" target="_blank"&gt;What’s new for Security Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/security-copilot-application-card" target="_blank"&gt;Responsible AI in Security Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/tree/main" target="_blank"&gt;Official Security Copilot GitHub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/operationalizing-microsoft-security-copilot-to-reinvent-soc-productivity/3944877" data-lia-auto-title="How to operationalize Security Copilot and increase SOC productivity" data-lia-auto-title-active="0" target="_blank"&gt;How to operationalize Security Copilot and increase SOC productivity&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2026 20:49:10 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-security-copilot-ai-driven-security-operations-at/ba-p/4528912</guid>
      <dc:creator>edgarus71</dc:creator>
      <dc:date>2026-06-18T20:49:10Z</dc:date>
    </item>
    <item>
      <title>Security Copilot RBAC for Embedded Experience in Unified Security Platform</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/security-copilot-rbac-for-embedded-experience-in-unified/ba-p/4528833</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The evolution of Security Operations Centers (SOC) is increasingly driven by AI-powered capabilities that improve efficiency, accuracy, and response time. Microsoft Security Copilot represents a significant advancement in this space by embedding AI-driven assistance directly within security platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra.&lt;/P&gt;
&lt;P&gt;The concept of &lt;STRONG&gt;embedded experience&lt;/STRONG&gt; is central to this transformation. Rather than operating as a standalone interface, Security Copilot is integrated within existing security tools, allowing analysts to invoke AI-generated insights directly during investigations. This reduces the need for tool switching and accelerates decision-making.&lt;/P&gt;
&lt;P&gt;The purpose of this document is to define and explain the &lt;STRONG&gt;Role-Based Access Control (RBAC) model&lt;/STRONG&gt; required to securely enable this embedded experience. It provides a structured understanding of how access is governed across multiple layers, how these layers interact, and how organizations can align permissions with SOC workflows while maintaining a least-privilege security posture.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Understanding Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot in embedded mode operates within the context of the host platform. When invoked from Defender or Sentinel, it does not function independently but instead consumes data already accessible to the user. This model ensures that Copilot enhances visibility without expanding access boundaries.&lt;/P&gt;
&lt;P&gt;This behavior is governed by an &lt;STRONG&gt;On-Behalf-Of (OBO) model&lt;/STRONG&gt;, where Security Copilot leverages the permissions of the authenticated user. It does not introduce new entitlements or override existing RBAC configurations.&lt;/P&gt;
&lt;P&gt;As a result, the insights generated by Copilot are always limited to what the user is already authorized to see, reinforcing Zero Trust principles and preventing unauthorized data exposure.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites for Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;To enable Security Copilot in an embedded environment, organizations must establish foundational prerequisites that ensure seamless and secure operation.&lt;/P&gt;
&lt;P&gt;First, access to underlying platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra must already be provisioned. Since Copilot is not a standalone data source, it cannot function without these integrations.&lt;/P&gt;
&lt;P&gt;Second, RBAC alignment across identity, platform, and service layers must be configured correctly. Misalignment can lead to incomplete results, restricted functionality, or inconsistent analyst experiences.&lt;/P&gt;
&lt;P&gt;Finally, governance processes such as access review, monitoring, and adherence to least privilege principles should be implemented. These controls ensure that Copilot usage remains compliant, auditable, and aligned with organizational security policies.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Framework for Security Copilot&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot adopts a &lt;STRONG&gt;multi-layer RBAC model&lt;/STRONG&gt; consisting of three tightly integrated layers. These layers collectively determine whether a user can access Copilot features and what data they can retrieve.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Layer Mapping&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;RBAC Layer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Role Type&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Purpose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Example Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Access Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security Copilot Platform&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Feature access control&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Determines who can use Copilot capabilities&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Copilot Owner, Security Copilot Contributor&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enables use of Copilot features but does not grant data access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Microsoft Entra ID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identity and directory governance&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Controls access to identity data and reports&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Reader, Reports Reader, Security Administrator&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Governs identity insights and directory visibility&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Service-Specific RBAC&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data access control&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defines access to security data within services&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender Security Reader, Sentinel Reader&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Determines what Copilot can retrieve and present&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;This layered approach ensures that no single role grants full access. All three layers must align for complete functionality.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Platform Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot platform roles control who can interact with the Copilot interface and execute AI-driven workflows.&lt;/P&gt;
&lt;P&gt;The &lt;STRONG&gt;Security Copilot Owner role&lt;/STRONG&gt; provides administrative control over Copilot configuration, including access management and platform-level settings. This role is typically assigned to administrators responsible for governance and operational enablement.&lt;/P&gt;
&lt;P&gt;The &lt;STRONG&gt;Security Copilot Contributor role&lt;/STRONG&gt; enables analysts to run prompts, perform investigations, and interact with Copilot features during daily SOC operations. However, this role does not grant visibility into security data by itself.&lt;/P&gt;
&lt;P&gt;This clear separation ensures that Copilot remains a controlled interface layer rather than a source of privilege escalation.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Entra ID Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Microsoft Entra roles govern access to identity-related data, which is critical for security operations involving user behavior, sign-in logs, and directory insights.&lt;/P&gt;
&lt;P&gt;Roles such as &lt;STRONG&gt;Security Reader&lt;/STRONG&gt; provide read-only visibility into security data, while &lt;STRONG&gt;Reports Reader&lt;/STRONG&gt; enables access to reporting and analytics capabilities. In certain advanced cases, the &lt;STRONG&gt;Security Administrator role&lt;/STRONG&gt; may be required for configuration-level actions.&lt;/P&gt;
&lt;P&gt;The document emphasizes avoiding excessive privilege assignment, particularly the use of Global Administrator roles for daily operations, as this conflicts with least privilege principles.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Service-Specific RBAC Roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Service-level roles determine the data sources that Security Copilot can access when embedded in platforms.&lt;/P&gt;
&lt;P&gt;In Microsoft Defender XDR, roles such as Security Reader allow access to alerts, incidents, and endpoint data. In Microsoft Sentinel, Sentinel Reader provides access to log data, analytics, and incidents. In Microsoft Entra, roles like Reports Reader provide access to identity insights.&lt;/P&gt;
&lt;P&gt;Copilot cannot retrieve or analyze data beyond what these roles permit. The output it generates is always constrained to the user’s effective permissions across these services.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Unified RBAC Behavior in Embedded Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;In an embedded scenario, all three RBAC layers are evaluated simultaneously.&lt;/P&gt;
&lt;P&gt;When a SOC analyst invokes Copilot in Defender, the system validates whether the user has permission to use Copilot, access identity data, and retrieve Defender-specific insights. Only when all these conditions are satisfied does Copilot provide a comprehensive output.&lt;/P&gt;
&lt;P&gt;This ensures that Copilot responses are both &lt;STRONG&gt;contextually rich and access-compliant&lt;/STRONG&gt;, eliminating the risk of unauthorized data exposure while maintaining operational efficiency.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Core Use Cases&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot enables a layered set of capabilities that span both analyst interaction patterns and agent-driven execution models. These use cases collectively enhance SOC efficiency, decision-making, and operational scalability.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Use Case Mapping Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Use Case&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Embedded / Agent Example&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value to SOC&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Summarization&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Transforms complex alerts, incidents, and telemetry into structured, human-readable insights by correlating signals across multiple sources&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Summarizing a Defender XDR incident involving endpoint, identity, and cloud alerts into a unified attack narrative&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces analyst fatigue and significantly accelerates triage by eliminating manual data aggregation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Guided Response&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Provides contextual, step-by-step investigative guidance and recommended remediation actions based on observed patterns and threat intelligence&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Suggesting investigation paths in Sentinel, including pivoting to identity logs, device timeline, and lateral movement indicators&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves consistency in investigations and enables less experienced analysts to operate effectively&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Script Analysis&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Evaluates scripts, queries, and command-line activities to identify malicious patterns, errors, or optimization opportunities&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Analyzing PowerShell scripts or KQL queries used in threat hunting scenarios to detect obfuscation or suspicious logic&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enhances detection accuracy and reduces the risk of missing critical indicators&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Reporting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Generates structured incident summaries, executive reports, and compliance-ready documentation with contextual insights&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Producing incident summaries for leadership or compliance teams with both technical and business context&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves communication, supports audit readiness, and reduces manual reporting overhead&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Agent-Driven SOC Use Cases (Expanded Capabilities)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;With the introduction of Security Copilot agents, the platform extends beyond assistance into orchestrated, intelligence-driven operations across SOC workflows.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Agent-Based Use Case&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Real Agent Example&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC Impact&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dynamic Threat Detection&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Continuously analyzes telemetry to identify previously undetected or weak signals across the attack surface&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dynamic Threat Detection Agent&lt;/STRONG&gt; correlates signals across Defender workload telemetry to surface hidden threats&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves detection coverage and reduces the likelihood of missed attacks&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Intelligence Correlation &amp;amp; Briefing&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Aggregates internal and external intelligence sources to generate contextual threat insights aligned to organizational risk&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat Intelligence Briefing Agent&lt;/STRONG&gt; produces structured intelligence reports based on attack patterns and exposure context&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enhances situational awareness and supports proactive defense strategies&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Advanced Threat Hunting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enables hypothesis-driven and AI-assisted threat hunting by generating queries, exploring telemetry, and correlating historical data&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Advanced Threat Hunting Agent&lt;/STRONG&gt; builds and executes queries across Defender and Sentinel datasets for proactive investigation and telemetry exploration&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Accelerates threat discovery and reduces reliance on manual query development&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analysis &amp;amp; Threat Prioritization&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Performs AI-driven analysis of security telemetry to identify high-risk patterns, prioritize threats, assess risk exposure, and recommend investigative actions&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analyst Agent&lt;/STRONG&gt; analyses password spray attacks, ransomware activity, malware campaigns, identity abuse, and other security risks by generating telemetry-driven assessments and recommendations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves analyst productivity, prioritizes high-impact threats, and enables faster decision making&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Triage Automation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Automates alert prioritization and classification by adding contextual enrichment and reducing noise&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Triage Agent / Phishing Triage Agent&lt;/STRONG&gt; evaluates alerts and distinguishes between real threats and false positives&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces alert fatigue and improves prioritization accuracy in high-volume environments&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;End-to-End Investigation Orchestration&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Performs multi-step investigation by gathering signals, correlating activity, and building attack timelines&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security Analyst Agent&lt;/STRONG&gt; investigates incidents across identity, endpoint, email, cloud, and data signals to produce a consolidated incident narrative&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reduces Mean Time to Investigate (MTTI) and ensures consistent investigation outcomes&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Cross-Domain Threat Correlation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Connects signals across identity, endpoint, cloud, email, and data domains to identify multi-stage attack chains&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agents operating across Defender, Entra, Sentinel, and Security Copilot correlate activities such as phishing leading to identity compromise and lateral movement&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Breaks down silos and enables holistic threat visibility across the environment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Remediation &amp;amp; Response Enablement&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Identifies vulnerable assets and supports remediation workflows through contextual recommendations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Agents integrated with endpoint and policy systems suggest patching actions, containment actions, and configuration changes based on detected risks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Improves response effectiveness and strengthens overall security posture&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Each of these use cases operates within the RBAC boundaries defined earlier, ensuring secure and context-aware outputs.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Mapping Use Cases to SOC Processes&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The four core use cases align directly with SOC operational stages, enabling a consistent and repeatable analysis model.&lt;/P&gt;
&lt;P&gt;Summarization plays a significant role during the &lt;STRONG&gt;detection and triage phase&lt;/STRONG&gt;, where analysts need quick clarity on incoming alerts. Instead of manually analyzing raw data, Copilot provides a structured overview, helping analysts determine priority and relevance.&lt;/P&gt;
&lt;P&gt;Guided response becomes critical during the &lt;STRONG&gt;investigation and response phase&lt;/STRONG&gt;, where decision-making speed is essential. By suggesting next steps and correlating data points, Copilot assists analysts in navigating complex attack scenarios.&lt;/P&gt;
&lt;P&gt;Script analysis supports both &lt;STRONG&gt;threat hunting and investigation&lt;/STRONG&gt;, allowing analysts to validate scripts, queries, or automation logic. This reduces the risk of overlooking malicious behavior embedded in scripts.&lt;/P&gt;
&lt;P&gt;Reporting aligns with the &lt;STRONG&gt;post-incident and compliance phase&lt;/STRONG&gt;, where structured documentation is required. Copilot generates summaries that can be shared with leadership or compliance teams, ensuring clarity and consistency.&lt;/P&gt;
&lt;P&gt;Together, these use cases create a continuous cycle of detection, investigation, response, and reporting, fully integrated with SOC workflows.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot’s embedded experience represents a transformative shift in how AI is integrated into security operations. By embedding intelligence directly within platforms such as Defender and Sentinel, it enhances analyst productivity while maintaining strict governance controls.&lt;/P&gt;
&lt;P&gt;The three-layer RBAC model, consisting of Security Copilot roles, Microsoft Entra roles, and service-specific roles, ensures that access is both secure and compliant with least privilege principles. The On-Behalf-Of model further guarantees that Copilot does not expand access beyond existing permissions.&lt;/P&gt;
&lt;P&gt;The inclusion of structured use cases such as summarization, guided response, script analysis, and reporting enables organizations to operationalize Copilot effectively across SOC processes.&lt;/P&gt;
&lt;P&gt;When RBAC is properly aligned and integrated with SOC workflows, Security Copilot becomes a powerful enabler of faster investigations, improved accuracy, and enhanced security posture—all while maintaining strict control over data access and governance.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 11:10:30 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/security-copilot-rbac-for-embedded-experience-in-unified/ba-p/4528833</guid>
      <dc:creator>SantoshPargi</dc:creator>
      <dc:date>2026-06-17T11:10:30Z</dc:date>
    </item>
    <item>
      <title>Automating Daily MDE Compliance Monitoring Across Azure VMs</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/automating-daily-mde-compliance-monitoring-across-azure-vms/ba-p/4528274</link>
      <description>&lt;H2&gt;The Problem We’re Solving&lt;/H2&gt;
&lt;P&gt;Most security teams have no automated way to know when a VM silently falls out of MDE coverage, whether because the agent stopped, the VM was newly provisioned without onboarding, or the device stopped reporting. This Logic App closes that gap and puts the right information in front of the right people every day.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Disclaimer: This solution is designed for Azure Virtual Machines only. For non-Azure VMs onboarded to Microsoft Defender for Endpoint through Azure Arc, a separate companion blog will be published soon to cover that scenario.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;What changes once you deploy this&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Challenge Without This Logic App&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;How This Logic App Helps&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security gaps go undetected for days or weeks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Any VM that is not onboarded or has stopped reporting is caught within 24 hours of the daily run&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;No automated owner notification&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM's ServerOwner tag is read automatically, and the owner is emailed directly with full compliance details&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;VMs with no owner fall through the cracks&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Flagged explicitly in the IT summary report with instructions for how to assign the tag&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Manual compliance reporting is time-consuming&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Full CSV report auto-attached to every daily IT summary; no manual extraction needed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Agents silently stop reporting after onboarding&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Detects "Onboarded, Not Reporting" as a distinct status, separate from "Not Onboarded"&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Large multi-subscription environments are hard to cover&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Paginated queries across all enabled subscriptions; every running VM is checked&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Compliance States Detected&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Compliance Status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Priority&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What It Means&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Not Onboarded&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;P2, High&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM is running in Azure but has never appeared in MDE. There is zero security telemetry for this machine.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Onboarded, Not Reporting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;P3, Medium&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The VM was previously enrolled but has not checked in within the configured window. The MDE agent may be stopped or the VM may have lost network connectivity to MDE.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Compliant&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No alert&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;VM is onboarded and checked in within the required time window. It is excluded from all notifications.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Running VMs Only: &lt;/STRONG&gt;This workflow queries Azure Resource Graph with a filter of powerState == "VM running". Deallocated, stopped, and powered-off VMs are intentionally excluded — they are not expected to report to MDE while offline. Only machines that are turned on are evaluated.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Workflow Architecture&lt;/H2&gt;
&lt;P&gt;The workflow runs as a sequential daily pipeline. All Azure VM data and MDE device data are collected into memory first, then each VM is evaluated in a single For Each loop.&lt;/P&gt;
&lt;H3&gt;Execution Pipeline&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Recurrence trigger fires daily at 08:00 IST.&lt;/LI&gt;
&lt;LI&gt;CONFIG compose action reads MDE_LASTSEEN_HOURS (default 24). This defines the compliance window: how recently a VM must have reported to MDE to be considered Compliant.&lt;/LI&gt;
&lt;LI&gt;Init-varITTeamEmail and Init-varSenderEmail load the configurable email addresses used for sending and receiving notifications.&lt;/LI&gt;
&lt;LI&gt;Get-AllSubscriptions calls the Azure Management API to discover all subscriptions in the tenant.&lt;/LI&gt;
&lt;LI&gt;ForEach-Subscription runs a paginated Azure Resource Graph query per enabled subscription, collecting all running VMs along with Private IP, OS Type, Location, ServerOwner tag, and VM UUID.&lt;/LI&gt;
&lt;LI&gt;Init-MDEVariables then Paginate-MDEDevices call the MDE Security Center API in pages of 10,000 to load every enrolled device into the AllMDEDevices array.&lt;/LI&gt;
&lt;LI&gt;ForEach-AzureVM looks each Azure VM up in AllMDEDevices and determines compliance status and priority.&lt;/LI&gt;
&lt;LI&gt;Non-compliant handling builds HTML and CSV rows. If the VM has a ServerOwner tag, a compliance alert email goes to the owner with the IT Team CC'd. If there's no owner, the VM is appended to NoOwnerList.&lt;/LI&gt;
&lt;LI&gt;IT Summary email is sent once all VMs are processed. If any non-compliant VMs were found, the consolidated IT report is sent with the CSV attachment. Otherwise an All Clear email is sent.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;How Azure VM Data is Matched to MDE Data&lt;/H3&gt;
&lt;P&gt;Each Azure VM is matched against the MDE device list using a two-level strategy. Both checks run for every VM on every run.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Match Method&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;How It Works&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Primary: Azure VM ID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compares azureVmId from the MDE device record (lowercase) against the VmId captured from Azure Resource Graph (lowercase). Immune to hostname changes; this is the preferred match.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Fallback: Hostname + IP&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Checks that MDE computerDnsName starts with the Azure VM name (case-insensitive) AND lastIpAddress matches the Azure Private IP. Both conditions must be true.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Not Found&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;A synthetic MDE record with onboardingStatus: "NotFound" is created. The VM is treated as Not Onboarded and a P2 High alert is raised.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Pagination Design&lt;/H3&gt;
&lt;P&gt;The workflow handles large environments through two independent pagination mechanisms that run before any compliance evaluation begins.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data Source&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Page Size&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Mechanism&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1,000 VMs per page&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Uses $skipToken from the response. The Until loop re-queries with the token until no token is returned (last page). Variables VMSkipToken and VMFetchComplete manage loop state per subscription. Supports up to 50,000 VMs (50 pages).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;MDE Security Center API&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;10,000 devices per page&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Uses the $skip offset parameter. MDESkip is incremented by 10,000 each iteration. The loop stops when a page returns fewer than 10,000 records. Supports up to 500,000 MDE devices (50 pages × 10,000).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Prerequisites&lt;BR /&gt;Azure Resources&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Resource&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Requirement&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Notes&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Azure Logic App&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Standard plan, Stateful workflow&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Consumption plan also supported&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Managed Identity&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;System-assigned on the Logic App&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Enable under Logic App &amp;gt; Identity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Sender mailbox (varSenderEmail)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Licensed Microsoft 365 account&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Emails are sent FROM this address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;IT Team email (varITTeamEmail)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Valid email address or distribution list&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Receives all reports; CC'd on owner alerts&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Azure VMs&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Running, with ServerOwner tag (recommended)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tag value must be a valid email address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;MDE licensing&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Defender for Endpoint P1 or P2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Tenant must be enrolled in MDE&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;The ServerOwner Tag&lt;/H3&gt;
&lt;P&gt;Server owner notifications rely on a VM-level Azure tag. Without it, the VM is included in the IT summary, but no individual alert is sent to an owner.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tag Name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Expected Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Effect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;ServerOwner&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Valid email, e.g. john@yourcompany.com&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compliance alert sent TO this address; IT Team CC'd&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;If the tag is missing or empty, the VM is flagged in the Action Required: No Owner Tag Found section of the IT summary email, with step-by-step instructions for tagging it in the Azure Portal.&lt;/P&gt;
&lt;H2&gt;Required Permissions &amp;amp; Why&lt;/H2&gt;
&lt;P&gt;The Logic App's Managed Identity must be granted three API permissions. These are Application permissions that cannot be assigned through the Azure Portal UI, so the PowerShell script in Section 4.3 must be used. Admin consent is required.&lt;/P&gt;
&lt;H3&gt;Permission Summary&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Permission&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;API / Service&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AppId&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Why It Is Required&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;user_impersonation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure Management&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;797f4846-ba00-4fd7-ba43-dac1f8f63013&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows the Managed Identity to call the Azure Resource Graph API to query VM inventory across all subscriptions. Without this, the workflow cannot discover VMs.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;WindowsDefenderATP.Read.All&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;MDE Security Center&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;fc780465-2017-40d4-a0c5-307022471b92&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows reading all device records from the MDE API (/api/machines). This returns onboarding status, last seen time, and health status — the core compliance data.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Mail.Send&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Graph&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;00000003-0000-0000-c000-000000000000&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Allows sending emails via the Graph /sendMail endpoint on behalf of the varSenderEmail mailbox. Without this, no alerts or reports can be sent.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;The Azure Management and MDE permissions belong to separate service principals — they are NOT part of Microsoft Graph. Each permission must be assigned to its own service principal using the AppId shown above. The script in Section 4.2 handles this correctly.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Where to find the required values&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Parameter&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Where to find it in Azure Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;$tenantID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure Portal &amp;gt; Microsoft Entra ID &amp;gt; Overview &amp;gt; Tenant ID&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;$managedIdentityObjectId&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Logic App &amp;gt; Settings &amp;gt; Identity &amp;gt; System assigned tab &amp;gt; Object (principal) ID&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3&gt;Permission Assignment Script&lt;/H3&gt;
&lt;P&gt;Run this in Azure Cloud Shell or any terminal with the Microsoft.Graph PowerShell module installed. Update $tenantID and $managedIdentityObjectId before running.&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;# PowerShell # ── Update these two values before running ─────────────────────────── $tenantID = "&amp;lt;tenantID&amp;gt;" # Your Tenant ID $managedIdentityObjectId = "&amp;lt;objectID&amp;gt;" # MI Object ID # Install Microsoft.Graph if not already present if (!(Get-Module -ListAvailable -Name Microsoft.Graph)) { Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force } # Connect to Microsoft Graph Connect-MgGraph -TenantId $tenantID ` -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All" # MDE Compliance Logic App needs 3 permissions across 3 different service principals $permissions = @( @{ Permission="user_impersonation"; AppId="797f4846-ba00-4fd7-ba43-dac1f8f63013" }, @{ Permission="WindowsDefenderATP.Read.All"; AppId="fc780465-2017-40d4-a0c5-307022471b92" }, @{ Permission="Mail.Send"; AppId="00000003-0000-0000-c000-000000000000" } ) foreach ($entry in $permissions) { $sp = Get-MgServicePrincipal -Filter "AppId eq '$($entry.AppId)'" $appRole = $sp.AppRoles | Where-Object { $_.Value -eq $entry.Permission } if ($appRole -ne $null) { New-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId $sp.Id ` -PrincipalId $managedIdentityObjectId ` -ResourceId $sp.Id ` -AppRoleId $appRole.Id Write-Host "Assigned: $($entry.Permission)" -ForegroundColor Green } else { Write-Host "Not found: $($entry.Permission)" -ForegroundColor Yellow } } Write-Host "All permissions assigned." -ForegroundColor Green&lt;/LI-CODE&gt;
&lt;H3&gt;Verify Permissions Assigned&lt;/H3&gt;
&lt;LI-CODE lang="powershell"&gt;# PowerShell # Run after the assignment script to verify all 3 permissions are present Get-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId $managedIdentityObjectId | Select-Object AppRoleId, PrincipalDisplayName | Format-Table -AutoSize&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;You should see three assignment rows in the output — one for each permission. If any are missing, re-run the assignment script. An error saying the assignment already exists is normal and can be safely ignored.&lt;/P&gt;
&lt;H2&gt;Creating the Logic App&lt;BR /&gt;Create the resource&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;Azure Portal &amp;gt; search Logic Apps &amp;gt; + Create.&lt;/LI&gt;
&lt;LI&gt;Select your Subscription and Resource Group. Logic App name: la-mde-compliance-monitor.&lt;/LI&gt;
&lt;LI&gt;Plan type: Standard &amp;gt; Windows &amp;gt; select or create a Hosting Plan &amp;gt; Review + Create &amp;gt; Create.&lt;/LI&gt;
&lt;LI&gt;Once deployed, click Go to resource.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;Enable System-assigned Managed Identity&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Open the Logic App &amp;gt; left menu: Settings &amp;gt; Identity.&lt;/LI&gt;
&lt;LI&gt;On the System assigned tab, toggle Status to On.&lt;/LI&gt;
&lt;LI&gt;Click Save &amp;gt; Yes on the confirmation dialog.&lt;/LI&gt;
&lt;LI&gt;The Object (principal) ID appears. Copy this value for the PowerShell script.&lt;/LI&gt;
&lt;LI&gt;Run the Permissions Assignment script to assign all three permissions to this identity.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Why Managed Identity: &lt;/STRONG&gt;A System-assigned Managed Identity is automatically scoped to this Logic App and deleted when the Logic App is deleted. It authenticates to Azure Management API, MDE API, and Microsoft Graph without any stored passwords or client secrets.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;Create the workflow and import the JSON&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Logic App &amp;gt; left menu: Workflows &amp;gt; + Add.&lt;/LI&gt;
&lt;LI&gt;Workflow name: MDEComplianceMonitor. State type: Stateful. Click Create.&lt;/LI&gt;
&lt;LI&gt;Click the workflow name &amp;gt; left menu: Code.&lt;/LI&gt;
&lt;LI&gt;Press Ctrl + A &amp;gt; Delete to clear the editor completely.&lt;/LI&gt;
&lt;LI&gt;Paste the complete workflow JSON from the companion file (see Appendix A).&lt;/LI&gt;
&lt;LI&gt;Click Save. It should succeed with no validation errors.&lt;/LI&gt;
&lt;/OL&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;Always use Stateful. Stateless workflows do not support run history, have a 5-minute timeout, and do not retain intermediate state — all of which are required by this workflow's pagination loops.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H2&gt;Configuration: What You Can Change&lt;/H2&gt;
&lt;P&gt;After importing the JSON, update only the values described below. Everything else runs automatically.&lt;/P&gt;
&lt;H3&gt;Email Address Variables&lt;/H3&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Variable&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Where to Update&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;varITTeamEmail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The IT Team email address. All IT Summary reports are sent TO this address. All per-VM owner emails CC this address.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;3000&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;varSenderEmail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The Microsoft 365 licensed account that emails are sent FROM via Graph API. Must have Mail.Send permission granted to the Managed Identity.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;3000&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H3&gt;Compliance look-up window: MDE_LASTSEEN_HOURS&lt;/H3&gt;
&lt;P&gt;This setting in the CONFIG compose action defines how recently a VM must have reported to MDE to count as Compliant. Default is 24 hours.&lt;/P&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Behaviour&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;24 (default)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Compliant if the VM checked in with MDE within the last 24 hours. Recommended starting point.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;12&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Stricter check; suitable for high-security environments requiring near-real-time coverage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;48&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;More relaxed; suitable for environments with scheduled maintenance windows or intermittent connectivity.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H3&gt;Running VMs Only&lt;/H3&gt;
&lt;P&gt;The Azure Resource Graph query includes a filter for powerState == "VM running". This means:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Deallocated VMs are excluded (not expected to report to MDE while offline).&lt;/LI&gt;
&lt;LI&gt;Stopped (allocated) VMs are excluded.&lt;/LI&gt;
&lt;LI&gt;Newly started VMs are included and checked on the next daily run.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;To Change the Filter: &lt;/STRONG&gt;To change the power state filter, locate the "query" string inside the Build-VMQuery-Paged action and modify the | where powerState == clause. For example, removing the filter entirely will check all VMs regardless of state.&lt;/P&gt;
&lt;H2&gt;Sample Email Notifications&lt;/H2&gt;
&lt;P&gt;The screenshots below show actual emails generated by this workflow. All sensitive data (email addresses, VM names, subscription IDs, IP addresses) has been redacted.&lt;/P&gt;
&lt;H3&gt;Per-VM owner alert&lt;/H3&gt;
&lt;P&gt;Sent to the server owner (ServerOwner tag) when their VM is non-compliant. The IT Team is CC'd. The email contains full server details, compliance status, priority, last MDE check-in time, and resolution SLA.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;If no ServerOwner tag is set the VM is skipped here and included in the "No Owner Tag Found" section of the IT summary instead.&lt;/P&gt;
&lt;H3&gt;IT Team Daily Summary Report&lt;/H3&gt;
&lt;P&gt;Sent once per day to the IT Team after all owner emails are dispatched. Shows up to 20 VMs inline with a full CSV attachment containing the complete list, plus a dedicated section for VMs with no owner tag.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;The CSV attachment always contains the complete list of all non-compliant VMs regardless of count. The inline HTML table is limited to 20 rows to keep the email size manageable.&lt;/P&gt;
&lt;H3&gt;All Compliant VMs:&lt;/H3&gt;
&lt;P&gt;If all VMs are compliant, you’ll see email like this:&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Post-Deployment Checklist&lt;/H2&gt;
&lt;P&gt;Before you leave the workflow running unattended, walk through this checklist once.&lt;/P&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;#&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Item&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Logic App resource created (Standard plan, Stateful workflow)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;System-assigned Managed Identity enabled; Object ID copied&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;3&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;PowerShell script run; user_impersonation, WindowsDefenderATP.Read.All, and Mail.Send assigned&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;4&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Permissions verified using Get-MgServicePrincipalAppRoleAssignment (3 rows expected)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;5&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workflow JSON pasted into Code view; saved without validation errors&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;6&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;varITTeamEmail updated to your IT security team or distribution list address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;7&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;varSenderEmail updated to a licensed Microsoft 365 mailbox&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;8&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;MDE_LASTSEEN_HOURS reviewed (default 24, adjust if needed)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;9&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;At least one Azure VM has the ServerOwner tag set with a valid email&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;10&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Manual run triggered: Logic App &amp;gt; Overview &amp;gt; Run Trigger &amp;gt; Run&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;11&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Run history shows Succeeded; no 401 or 403 errors on any HTTP action&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;12&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;IT Team received the daily summary email with CSV attachment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;13&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Server owner received a per-VM alert with the IT Team CC'd&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;14&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recurrence trigger confirmed running daily at 08:00 IST&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Wrapping Up&lt;/H2&gt;
&lt;P&gt;What I love about this is how much it accomplishes with so little: a Logic App, a Managed Identity, and three permissions. No connectors, no secrets to rotate, no third-party services. Yet every morning, your security team starts the day knowing exactly which VMs are out of MDE coverage and which owners have already been notified.&lt;/P&gt;
&lt;P&gt;If you adopt this pattern, here are a few natural next steps to consider:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Hook into Microsoft Sentinel by writing non-compliant VMs to a custom table for trend analysis.&lt;/LI&gt;
&lt;LI&gt;Auto-create ServiceNow or Jira tickets for VMs that remain non-compliant for more than 48 hours.&lt;/LI&gt;
&lt;LI&gt;Extend the match logic to include Arc-enabled servers, not just Azure VMs.&lt;/LI&gt;
&lt;LI&gt;Add a Teams adaptive card notification alongside email for faster response.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;I'd love to hear how you're solving MDE coverage gaps in your environment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Appendix A: Workflow JSON&lt;/H2&gt;
&lt;P&gt;The complete Logic App workflow definition is provided below. To import it: open the Logic App in Azure Portal, navigate to the workflow, click Code view, press Ctrl + A to clear the existing content, paste the entire JSON, then click Save.&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{ "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "triggers": { "Recurrence": { "recurrence": { "frequency": "Day", "interval": 1, "schedule": { "hours": [ "8" ], "minutes": [ 0 ] }, "timeZone": "India Standard Time" }, "evaluatedRecurrence": { "frequency": "Day", "interval": 1, "schedule": { "hours": [ "8" ], "minutes": [ 0 ] }, "timeZone": "India Standard Time" }, "type": "Recurrence" } }, "actions": { "CONFIG": { "runAfter": {}, "type": "Compose", "inputs": { "MDE_LASTSEEN_HOURS": 24 } }, "Set-ExcludedSubscriptions": { "runAfter": { "CONFIG": [ "Succeeded" ] }, "type": "Compose", "inputs": [] }, "Init-varITTeamEmail": { "runAfter": { "Set-ExcludedSubscriptions": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "varITTeamEmail", "type": "string", "value": "admin@contoso.onmicrosoft.com" } ] } }, "Init-varSenderEmail": { "runAfter": { "Init-varITTeamEmail": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "varSenderEmail", "type": "string", "value": "admin@contoso.onmicrosoft.com" } ] } }, "Get-AllSubscriptions": { "runAfter": { "Init-varSenderEmail": [ "Succeeded" ] }, "type": "Http", "inputs": { "uri": "https://management.azure.com/subscriptions?api-version=2022-12-01", "method": "GET", "headers": { "Content-Type": "application/json" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com" }, "retryPolicy": { "type": "fixed", "count": 3, "interval": "PT60S" } } }, "Parse-AllSubscriptions": { "runAfter": { "Get-AllSubscriptions": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get-AllSubscriptions')", "schema": { "type": "object", "properties": { "value": { "type": "array", "items": { "type": "object", "properties": { "subscriptionId": { "type": "string" }, "displayName": { "type": "string" }, "state": { "type": "string" } } } } } } } }, "Init-AllVMs": { "runAfter": { "Parse-AllSubscriptions": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "AllVMs", "type": "array", "value": [] }, { "name": "VMSkipToken", "type": "string", "value": "INIT" }, { "name": "VMFetchComplete", "type": "boolean", "value": false } ] } }, "ForEach-Subscription": { "foreach": "@body('Parse-AllSubscriptions')?['value']", "actions": { "Check-SubscriptionEnabled": { "actions": { "Reset-VMSkipToken": { "type": "SetVariable", "inputs": { "name": "VMSkipToken", "value": "INIT" } }, "Reset-VMFetchComplete": { "runAfter": { "Reset-VMSkipToken": [ "Succeeded" ] }, "type": "SetVariable", "inputs": { "name": "VMFetchComplete", "value": false } }, "Until": { "actions": { "Build-VMQuery-Paged": { "type": "Compose", "inputs": { "subscriptions": [ "@{items('ForEach-Subscription')?['subscriptionId']}" ], "query": "Resources | where type == 'microsoft.compute/virtualmachines' | extend VMName = tostring(name), ResourceGroup = tostring(resourceGroup), Location = tostring(location), OSType = tostring(properties.storageProfile.osDisk.osType), VMSize = tostring(properties.hardwareProfile.vmSize), ServerOwner = tostring(tags.ServerOwner), Environment = tostring(tags.Environment), SubscriptionId = tostring(subscriptionId), nicId = tolower(tostring(properties.networkProfile.networkInterfaces[0].id)), VmId = tolower(tostring(properties.vmId)) | join kind=leftouter (Resources | where type == 'microsoft.network/networkinterfaces' | extend privateIP = tostring(properties.ipConfigurations[0].properties.privateIPAddress) | project nicId = tolower(id), privateIP) on nicId | join kind=leftouter (Resources | where type == 'microsoft.compute/virtualmachines' | extend powerState = tostring(properties.extended.instanceView.powerState.displayStatus) | project id, powerState) on id | where powerState == 'VM running' | project VMName, ResourceGroup, Location, OSType, VMSize, ServerOwner, Environment = 'Azure', SubscriptionId, PrivateIP = privateIP, VmId, CloudEnvironment = 'Azure'", "options": { "$skipToken": "@if(equals(variables('VMSkipToken'), 'INIT'), '', variables('VMSkipToken'))" }, "$top": 1000 } }, "Get-VMs-Paged": { "runAfter": { "Build-VMQuery-Paged": [ "Succeeded" ] }, "type": "Http", "inputs": { "uri": "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": "@outputs('Build-VMQuery-Paged')", "authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "ForEach-VM-Result-Paged": { "foreach": "@body('Get-VMs-Paged')?['data']", "actions": { "Append-SingleVM-Paged": { "type": "AppendToArrayVariable", "inputs": { "name": "AllVMs", "value": "@items('ForEach-VM-Result-Paged')" } } }, "runAfter": { "Get-VMs-Paged": [ "Succeeded" ] }, "type": "Foreach" }, "Check-VMSkipToken": { "actions": { "Set-VMFetchComplete": { "type": "SetVariable", "inputs": { "name": "VMFetchComplete", "value": true } } }, "runAfter": { "ForEach-VM-Result-Paged": [ "Succeeded" ] }, "else": { "actions": { "Set-VMSkipToken": { "type": "SetVariable", "inputs": { "name": "VMSkipToken", "value": "@body('Get-VMs-Paged')?['$skipToken']" } } } }, "expression": { "or": [ { "equals": [ "@string(body('Get-VMs-Paged')?['$skipToken'])", "" ] } ] }, "type": "If" } }, "runAfter": { "Reset-VMFetchComplete": [ "Succeeded" ] }, "expression": "@equals(variables('VMFetchComplete'), true)", "limit": { "count": 50, "timeout": "PT1H" }, "type": "Until" } }, "else": { "actions": {} }, "expression": { "and": [ { "equals": [ "@items('ForEach-Subscription')?['state']", "Enabled" ] } ] }, "type": "If" } }, "runAfter": { "Init-AllVMs": [ "Succeeded" ] }, "type": "Foreach" }, "Init-MDEVariables": { "runAfter": { "ForEach-Subscription": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "AllMDEDevices", "type": "array" }, { "name": "MDESkip", "type": "integer", "value": 0 }, { "name": "MDEFetchComplete", "type": "boolean", "value": false } ] } }, "Paginate-MDEDevices": { "actions": { "Get-MDEDevices-Page": { "type": "Http", "inputs": { "uri": "https://api.securitycenter.microsoft.com/api/machines?$select=computerDnsName,id,osPlatform,lastSeen,onboardingStatus,healthStatus,lastIpAddress&amp;amp;$top=10000&amp;amp;$skip=@{variables('MDESkip')}", "method": "GET", "headers": { "Content-Type": "application/json" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://api.securitycenter.microsoft.com" }, "retryPolicy": { "type": "fixed", "count": 3, "interval": "PT60S" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "Parse-MDEPage": { "runAfter": { "Get-MDEDevices-Page": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Get-MDEDevices-Page')", "schema": { "type": "object", "properties": { "value": { "type": "array", "items": { "type": "object", "properties": { "computerDnsName": { "type": [ "string", "null" ] }, "id": { "type": [ "string", "null" ] }, "osPlatform": { "type": [ "string", "null" ] }, "lastSeen": { "type": [ "string", "null" ] }, "onboardingStatus": { "type": [ "string", "null" ] }, "healthStatus": { "type": [ "string", "null" ] }, "lastIpAddress": { "type": [ "string", "null" ] }, "azureVmId": { "type": [ "string", "null" ] } } } } } } } }, "Append-MDEPage-ToArray": { "foreach": "@body('Parse-MDEPage')?['value']", "actions": { "Append-SingleMDEDevice": { "type": "AppendToArrayVariable", "inputs": { "name": "AllMDEDevices", "value": "@items('Append-MDEPage-ToArray')" } } }, "runAfter": { "Parse-MDEPage": [ "Succeeded" ] }, "type": "Foreach" }, "Check-PageSize": { "actions": { "Set-FetchComplete-True": { "type": "SetVariable", "inputs": { "name": "MDEFetchComplete", "value": true } } }, "runAfter": { "Append-MDEPage-ToArray": [ "Succeeded" ] }, "else": { "actions": { "Increment-MDESkip": { "type": "IncrementVariable", "inputs": { "name": "MDESkip", "value": 10000 } } } }, "expression": { "and": [ { "less": [ "@length(body('Parse-MDEPage')?['value'])", 10000 ] } ] }, "type": "If" } }, "runAfter": { "Init-MDEVariables": [ "Succeeded" ] }, "expression": "@equals(variables('MDEFetchComplete'), true)", "limit": { "count": 50, "timeout": "PT1H" }, "type": "Until" }, "Init-Variables": { "runAfter": { "Paginate-MDEDevices": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "EmailsSent", "type": "array", "value": [] }, { "name": "NoOwnerList", "type": "array", "value": [] }, { "name": "NonCompliantList", "type": "array", "value": [] }, { "name": "SummaryStats", "type": "object", "value": { "TotalNonCompliant": 0, "P1Critical": 0, "P2High": 0, "P3Medium": 0, "P4Low": 0, "EmailsSent": 0, "NoOwnerFound": 0 } }, { "name": "HTMLRows", "type": "string" }, { "name": "NonCompliantCount", "type": "integer", "value": 0 }, { "name": "CSVRows", "type": "string", "value": "@{concat('\"VM Name\",\"Private IP\",\"OS Type\",\"Location\",\"Server Owner\",\"MDE Status\",\"Last Seen\",\"Priority\",\"Action Taken\",\"Subscription ID\"', decodeUriComponent('%0A'))}" }, { "name": "HTMLRowCount", "type": "integer", "value": 0 } ] } }, "ForEach-AzureVM": { "foreach": "@variables('AllVMs')", "actions": { "Find-VMInMDE-Filter": { "type": "Query", "inputs": { "from": "@variables('AllMDEDevices')", "where": "@or(and(not(equals(item()?['azureVmId'], null)), not(equals(item()?['azureVmId'], '')), equals(toLower(item()?['azureVmId']), toLower(items('ForEach-AzureVM')?['VmId']))), and(or(equals(item()?['azureVmId'], null), equals(item()?['azureVmId'], '')), startsWith(toLower(item()?['computerDnsName']), toLower(items('ForEach-AzureVM')?['VMName'])), equals(item()?['lastIpAddress'], items('ForEach-AzureVM')?['PrivateIP'])))" } }, "Find-VMInMDE": { "runAfter": { "Find-VMInMDE-Filter": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(greater(length(body('Find-VMInMDE-Filter')), 0), first(body('Find-VMInMDE-Filter')), json('{\"computerDnsName\":\"NOT_FOUND\",\"onboardingStatus\":\"NotFound\",\"lastSeen\":\"1900-01-01T00:00:00Z\",\"lastIpAddress\":\"N/A\",\"healthStatus\":\"Unknown\"}'))" }, "Get-ComplianceStatus": { "runAfter": { "Find-VMInMDE": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(equals(outputs('Find-VMInMDE')?['computerDnsName'], 'NOT_FOUND'), 'Not Onboarded', if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(greater(outputs('Find-VMInMDE')?['lastSeen'], addHours(utcNow(), mul(-1, outputs('CONFIG')?['MDE_LASTSEEN_HOURS']))), 'Compliant', 'Onboarded - Not Reporting'), 'Not Onboarded'))" }, "Get-Priority": { "runAfter": { "Get-ComplianceStatus": [ "Succeeded" ] }, "type": "Compose", "inputs": "@if(equals(outputs('Get-ComplianceStatus'), 'Not Onboarded'), 'P2 - High', if(equals(outputs('Get-ComplianceStatus'), 'Onboarded - Not Reporting'), 'P3 - Medium', if(equals(outputs('Get-ComplianceStatus'), 'Compliant'), 'Compliant', 'P4 - Low')))" }, "Is-NonCompliant": { "actions": { "Append-CSVRows": { "type": "AppendToStringVariable", "inputs": { "name": "CSVRows", "value": "\"@{items('ForEach-AzureVM')?['VMName']}\",\"@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}\",\"@{items('ForEach-AzureVM')?['OSType']}\",\"@{items('ForEach-AzureVM')?['Location']}\",\"@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'No Owner Tag', items('ForEach-AzureVM')?['ServerOwner'])}\",\"@{outputs('Get-ComplianceStatus')}\",\"@{if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days ago)')), concat(outputs('Find-VMInMDE')?['onboardingStatus'], ' - Last Seen: ', convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')))}\",\"@{outputs('Get-Priority')}\",\"@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'IT Team Notified', 'Email sent to Server Owner')}\",\"@{items('ForEach-AzureVM')?['SubscriptionId']}\"@{decodeUriComponent('%0A')}" } }, "Check-HTMLRowCount": { "actions": { "Append-HTMLRows": { "type": "AppendToStringVariable", "inputs": { "name": "HTMLRows", "value": "&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:600;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['OSType']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['Location']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'No Owner Tag', items('ForEach-AzureVM')?['ServerOwner'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;color:#c80000;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(outputs('Find-VMInMDE')?['onboardingStatus'], 'Onboarded'), if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days ago)')), concat(outputs('Find-VMInMDE')?['onboardingStatus'], ' - Last Seen: ', convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')))}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['ServerOwner'], ''), 'IT Team Notified', 'Email sent to Server Owner')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-break:break-all;\"&amp;gt;@{items('ForEach-AzureVM')?['SubscriptionId']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;" } }, "Increment-HTMLRowCount": { "runAfter": { "Append-HTMLRows": [ "Succeeded" ] }, "type": "IncrementVariable", "inputs": { "name": "HTMLRowCount", "value": 1 } } }, "runAfter": { "Append-CSVRows": [ "Succeeded" ] }, "else": { "actions": {} }, "expression": { "and": [ { "less": [ "@variables('HTMLRowCount')", 20 ] } ] }, "type": "If" }, "Increment-NonCompliantCount": { "runAfter": { "Check-HTMLRowCount": [ "Succeeded" ] }, "type": "IncrementVariable", "inputs": { "name": "NonCompliantCount", "value": 1 } }, "Check-ServerOwner": { "actions": { "Send-OwnerEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "[@{outputs('Get-Priority')}] MDE Compliance Alert - @{items('ForEach-AzureVM')?['VMName']}", "body": { "contentType": "HTML", "content": "&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:680px;margin:24px auto;border:1px solid #e0e0e0;border-radius:8px;overflow:hidden;\"&amp;gt;&amp;lt;div style=\"background:#c80000;padding:20px 28px;\"&amp;gt;&amp;lt;h2 style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Alert&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#ffcccc;margin:6px 0 0;font-size:13px;\"&amp;gt;Priority: @{outputs('Get-Priority')}&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;\"&amp;gt;&amp;lt;p style=\"margin-top:0;font-size:14px;\"&amp;gt;Your server &amp;lt;strong&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/strong&amp;gt; has a Microsoft Defender for Endpoint compliance issue requiring immediate attention.&amp;lt;/p&amp;gt;&amp;lt;table style=\"width:100%;border-collapse:collapse;font-size:14px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#f5f5f5;\"&amp;gt;&amp;lt;th style=\"text-align:left;padding:10px 14px;border:1px solid #ddd;width:38%;\"&amp;gt;Field&amp;lt;/th&amp;gt;&amp;lt;th style=\"text-align:left;padding:10px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Value&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Server Name&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Private IP&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;OS Type&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['OSType']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Location&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['Location']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Compliance Status&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;color:#c80000;font-weight:700;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Priority&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:700;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;MDE Onboarding Status&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Find-VMInMDE')?['onboardingStatus']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Last Seen in MDE (IST)&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(outputs('Find-VMInMDE')?['lastSeen'], '1900-01-01T00:00:00Z'), 'Never', concat(convertTimeZone(outputs('Find-VMInMDE')?['lastSeen'], 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss'), ' (', string(div(sub(ticks(utcNow()), ticks(outputs('Find-VMInMDE')?['lastSeen'])), 864000000000)), ' days ago)'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Resource Group&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{items('ForEach-AzureVM')?['ResourceGroup']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;font-weight:600;\"&amp;gt;Subscription ID&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 14px;border:1px solid #ddd;word-break:break-all;\"&amp;gt;@{items('ForEach-AzureVM')?['SubscriptionId']}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;table style=\"width:100%;border-collapse:collapse;\"&amp;gt;&amp;lt;tr style=\"background:#fff8e1;\"&amp;gt;&amp;lt;td style=\"padding:10px 14px;border:1px solid #ffe082;font-size:13px;\"&amp;gt;&amp;lt;strong&amp;gt;Resolution SLA:&amp;lt;/strong&amp;gt; P1 Critical - 24hrs | P2 High - 48hrs | P3 Medium - 72hrs&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;p style=\"font-size:13px;color:#555;\"&amp;gt;For assistance contact IT Security: &amp;lt;a href=\"mailto:@{variables('varITTeamEmail')}\"&amp;gt;@{variables('varITTeamEmail')}&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@{items('ForEach-AzureVM')?['ServerOwner']}" } } ], "ccRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" }, "retryPolicy": { "type": "fixed", "count": 2, "interval": "PT60S" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } }, "Append-EmailsSent": { "runAfter": { "Send-OwnerEmail": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { "name": "EmailsSent", "value": "@{items('ForEach-AzureVM')?['VMName']} → @{items('ForEach-AzureVM')?['ServerOwner']}" } } }, "runAfter": { "Increment-NonCompliantCount": [ "Succeeded" ] }, "else": { "actions": { "Append-NoOwnerList": { "type": "AppendToArrayVariable", "inputs": { "name": "NoOwnerList", "value": "&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:600;\"&amp;gt;@{items('ForEach-AzureVM')?['VMName']}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{if(equals(items('ForEach-AzureVM')?['PrivateIP'], ''), 'N/A', items('ForEach-AzureVM')?['PrivateIP'])}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;@{outputs('Get-ComplianceStatus')}&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:8px 10px;border:1px solid #ddd;font-weight:700;\"&amp;gt;@{outputs('Get-Priority')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;" } } } }, "expression": { "and": [ { "not": { "equals": [ "@items('ForEach-AzureVM')?['ServerOwner']", "" ] } } ] }, "type": "If" } }, "runAfter": { "Get-Priority": [ "Succeeded" ] }, "else": { "actions": {} }, "expression": { "and": [ { "not": { "equals": [ "@outputs('Get-ComplianceStatus')", "Compliant" ] } } ] }, "type": "If" } }, "runAfter": { "Init-Variables": [ "Succeeded" ] }, "type": "Foreach", "runtimeConfiguration": { "concurrency": { "repetitions": 1 } } }, "Check-AnyNonCompliant": { "actions": { "Send-ITSummaryEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "MDE Compliance Report (Azure Workloads) - @{variables('NonCompliantCount')} Non-Compliant VMs Found", "body": { "contentType": "HTML", "content": "&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:1400px;margin:24px auto;border:1px solid #e0e0e0;border-radius:8px;\"&amp;gt;&amp;lt;div style=\"background:#0078d4;padding:20px 28px;\"&amp;gt;&amp;lt;h2 style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Daily Report&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#cce4ff;margin:6px 0 0;font-size:13px;\"&amp;gt;Generated: @{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')} IST&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;\"&amp;gt;&amp;lt;table style=\"border-collapse:collapse;font-size:14px;margin-bottom:28px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#f0f0f0;\"&amp;gt;&amp;lt;th style=\"padding:10px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Metric&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Value&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Total Non-Compliant VMs&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;font-weight:700;color:#c80000;\"&amp;gt;@{variables('NonCompliantCount')}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr style=\"background:#fafafa;\"&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;Server Owners Notified&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;color:#107c10;font-weight:600;\"&amp;gt;@{length(variables('EmailsSent'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;word-wrap:break-word;\"&amp;gt;No Owner Tag&amp;lt;/td&amp;gt;&amp;lt;td style=\"padding:9px 18px;border:1px solid #ddd;color:#e65100;font-weight:600;\"&amp;gt;@{length(variables('NoOwnerList'))}&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;p style=\"background:#fff3cd;border:1px solid #ffc107;padding:10px 14px;border-radius:4px;font-size:13px;margin-bottom:16px;\"&amp;gt;This report shows the first &amp;lt;strong&amp;gt;20 non-compliant VMs&amp;lt;/strong&amp;gt; only. &amp;lt;strong&amp;gt;Please check the attached CSV file&amp;lt;/strong&amp;gt; for the complete list.&amp;lt;/p&amp;gt;&amp;lt;table style=\"width:100%;table-layout:fixed;border-collapse:collapse;font-size:13px;\"&amp;gt;&amp;lt;colgroup&amp;gt;&amp;lt;col style=\"width:120px\"&amp;gt;&amp;lt;col style=\"width:90px\"&amp;gt;&amp;lt;col style=\"width:70px\"&amp;gt;&amp;lt;col style=\"width:100px\"&amp;gt;&amp;lt;col style=\"width:160px\"&amp;gt;&amp;lt;col style=\"width:110px\"&amp;gt;&amp;lt;col style=\"width:165px\"&amp;gt;&amp;lt;col style=\"width:80px\"&amp;gt;&amp;lt;col style=\"width:90px\"&amp;gt;&amp;lt;col style=\"width:195px\"&amp;gt;&amp;lt;/colgroup&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#0078d4;color:#fff;\"&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;VM Name&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Private IP&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;OS Type&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Location&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Server Owner&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;MDE Status&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Last Seen (IST)&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Priority&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Action Taken&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #005a9e;\"&amp;gt;Subscription ID&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;@{variables('HTMLRows')}&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;h3 style=\"border-bottom:2px solid #e65100;padding-bottom:8px;\"&amp;gt;Action Required - No Owner Tag Found&amp;lt;/h3&amp;gt;&amp;lt;div style=\"background:#fff8f0;border:1px solid #ffccbc;padding:16px;border-radius:4px;font-size:13px;margin-bottom:16px;\"&amp;gt;&amp;lt;p style=\"margin:0 0 8px 0;\"&amp;gt;The following &amp;lt;strong&amp;gt;@{length(variables('NoOwnerList'))}&amp;lt;/strong&amp;gt; server(s) have no &amp;lt;strong&amp;gt;ServerOwner&amp;lt;/strong&amp;gt; tag assigned.&amp;lt;/p&amp;gt;&amp;lt;ol style=\"margin:0;padding-left:20px;\"&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;Identify the owner of each server below&amp;lt;/li&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;Go to the VM in Azure Portal → Tags → Add tag&amp;lt;/li&amp;gt;&amp;lt;li style=\"margin-bottom:6px;\"&amp;gt;&amp;lt;strong&amp;gt;Tag Name:&amp;lt;/strong&amp;gt; ServerOwner | &amp;lt;strong&amp;gt;Tag Value:&amp;lt;/strong&amp;gt; owner email address&amp;lt;/li&amp;gt;&amp;lt;li&amp;gt;Once tagged, the next daily report will automatically notify the owner&amp;lt;/li&amp;gt;&amp;lt;/ol&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;table style=\"width:100%;table-layout:fixed;border-collapse:collapse;font-size:13px;\"&amp;gt;&amp;lt;thead&amp;gt;&amp;lt;tr style=\"background:#e65100;color:#fff;\"&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;VM Name&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;Private IP&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;MDE Status&amp;lt;/th&amp;gt;&amp;lt;th style=\"padding:10px 12px;border:1px solid #bf360c;text-align:left;\"&amp;gt;Priority&amp;lt;/th&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/thead&amp;gt;&amp;lt;tbody&amp;gt;@{if(equals(length(variables('NoOwnerList')), 0), '&amp;lt;tr&amp;gt;&amp;lt;td colspan=\"4\" style=\"padding:12px;text-align:center;\"&amp;gt;None - All servers have owner tags assigned&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;', join(variables('NoOwnerList'), ''))}&amp;lt;/tbody&amp;gt;&amp;lt;/table&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ], "attachments": [ { "@@odata.type": "#microsoft.graph.fileAttachment", "name": "@{concat('MDE-Compliance-Report-', convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy'), '.csv')}", "contentType": "text/csv", "contentBytes": "@{base64(variables('CSVRows'))}" } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } } }, "runAfter": { "ForEach-AzureVM": [ "Succeeded" ] }, "else": { "actions": { "Send-AllClearEmail": { "type": "Http", "inputs": { "uri": "@{concat('https://graph.microsoft.com/v1.0/users/', encodeURIComponent(variables('varSenderEmail')), '/sendMail')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "message": { "subject": "[@{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy')}] MDE Compliance Report - All VMs Compliant", "body": { "contentType": "HTML", "content": "&amp;lt;html&amp;gt;&amp;lt;body style=\"font-family:Segoe UI,Arial,sans-serif;color:#1a1a1a;\"&amp;gt;&amp;lt;div style=\"max-width:600px;margin:24px auto;border:1px solid #e0e0e0;border-radius:8px;overflow:hidden;\"&amp;gt;&amp;lt;div style=\"background:#107c10;padding:20px 28px;\"&amp;gt;&amp;lt;h2 style=\"color:#fff;margin:0;\"&amp;gt;MDE Compliance Report&amp;lt;/h2&amp;gt;&amp;lt;p style=\"color:#c8e6c9;margin:6px 0 0;font-size:13px;\"&amp;gt;Generated: @{convertTimeZone(utcNow(), 'UTC', 'India Standard Time', 'dd-MM-yyyy HH:mm:ss')} IST&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;div style=\"padding:28px;text-align:center;\"&amp;gt;&amp;lt;h2 style=\"color:#107c10;\"&amp;gt;All VMs Compliant&amp;lt;/h2&amp;gt;&amp;lt;p style=\"font-size:15px;color:#555;\"&amp;gt;All Azure Virtual Machines are onboarded to Microsoft Defender for Endpoint and reporting within the required 24-hour window.&amp;lt;/p&amp;gt;&amp;lt;p style=\"font-size:13px;color:#888;\"&amp;gt;No action required. The next report will be sent tomorrow at 08:00 IST.&amp;lt;/p&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;" }, "toRecipients": [ { "emailAddress": { "address": "@variables('varITTeamEmail')" } } ] }, "saveToSentItems": "true" }, "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" } }, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } } } } }, "expression": { "and": [ { "greater": [ "@variables('NonCompliantCount')", 0 ] } ] }, "type": "If" } }, "parameters": { "$connections": { "type": "Object", "defaultValue": {} } } }, "parameters": { "$connections": { "type": "Object", "value": {} } } }&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 15 Jun 2026 11:52:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/automating-daily-mde-compliance-monitoring-across-azure-vms/ba-p/4528274</guid>
      <dc:creator>SayanRoy</dc:creator>
      <dc:date>2026-06-15T11:52:45Z</dc:date>
    </item>
    <item>
      <title>Analyse Intune Diagnostics Logs with GitHub Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/analyse-intune-diagnostics-logs-with-github-copilot/ba-p/4527500</link>
      <description>&lt;P&gt;Hello everyone! I’m Stefan Röll, Cloud Solution Architect at Microsoft Germany for Cloud Endpoints. I work closely with IT Admins to improve their experience with everything around Intune, W365 and Windows. I know that troubleshooting an issue can be time consuming and challenging. In this blog I would like to show you how your troubleshooting skills can be supercharged with AI.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;TL;DR&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The way I troubleshoot issues has completely changed with GitHub Copilot. I just provide it with Intune Diagnostics Logs, network traces etc. and let the magic happen. The output still requires deep technical skills, but finding the root cause of an issue is just way faster and easier now.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;GitHub Copilot – not only for&amp;nbsp;&lt;/STRONG&gt;&lt;STRONG&gt;d&lt;/STRONG&gt;&lt;STRONG&gt;evelopers&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;GitHub Copilot is best known for helping developers to write and fix code.&lt;/P&gt;
&lt;P&gt;But it also has tremendous debugging and troubleshooting skills. And the best part is that it only takes two minutes to set up and you will never go back trying to manually find an issue if you must work through a lot of log files.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Getting started in two minutes&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Let’s get started:&lt;/P&gt;
&lt;P&gt;Go to &lt;A href="https://github.com/features/copilot/plans" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/plans&lt;/A&gt; and get a GitHub Copilot Subscription. If you are interested in Business or Enterprise subscriptions, please reach out to your Customer Success Account Manager (CSAM) or sales team to get started. It is also likely that you company already has subscriptions that you can get internally.&lt;/P&gt;
&lt;P&gt;Once you’ve got your subscription, Install GitHub Copilot CLI via terminal:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;winget install GitHub.Copilot&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Now you can start Copilot via the command:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;copilot&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Next, type&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="powerquery"&gt;/login&lt;/LI-CODE&gt;
&lt;P&gt;and log in with your GitHub account.&lt;/P&gt;
&lt;P&gt;Now you should add the Microsoft Learn MCP Server and the included skills. This helps Copilot to search through the Microsoft documentation.&lt;/P&gt;
&lt;P&gt;You can do this with:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;/plugin install microsoftdocs/mcp&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Copilot is ready for your first troubleshooting session! 🎉&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Example &lt;/STRONG&gt;&lt;STRONG&gt;#1 – Why did our PCs restart during the day?&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Let’s start with a typical scenario: “All our PCs restarted during business hours. Can you please find the root cause for this?”&lt;/P&gt;
&lt;P&gt;Before Copilot, you had to manually check multiple places to find the root cause. Was it triggered by a Windows update, an app update, a driver issue, or another hidden background process?&lt;/P&gt;
&lt;P&gt;Now the only thing we need are Intune Diagnostics logs. Simply go to your Intune Console and collect diagnostics:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Once they are uploaded, download the .zip file to a local folder like C:\Temp\CopilotAnalysis.&lt;/P&gt;
&lt;P&gt;Next, open a command prompt and go to the folder with the extracted files and start Copilot&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;cd C:\Temp\CopilotAnalysis
copilot&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;With “Shift + TAB” we switch over to the “Autopilot” mode of GitHub Copilot. This will tell Copilot to do its magic without asking for confirmation for each step. You can find more information about this mode here: &lt;A href="https://docs.github.com/en/copilot/concepts/agents/copilot-cli/autopilot" target="_blank" rel="noopener"&gt;https://docs.github.com/en/copilot/concepts/agents/copilot-cli/autopilot&lt;/A&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;If you don’t want that, you can also continue in normal mode, but expect a lot of confirmation prompts.&lt;/P&gt;
&lt;P&gt;With a simple prompt, we can create a deep root cause analysis, and Copilot will use the provided diagnostics logs:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Based on the provided Intune Diagnostics logs, find out why the Windows 11 PC rebooted automatically during business hours. Once you have found the issue, confirm your findings with the configured Microsoft Learn MCP Server. Then create a Root Cause Analysis Report and save it as HTML in the same folder. Include a timeline with relevant events in the report. Extract all needed files like .zip, .cab that you need for the analysis.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;Now you can watch Copilot working through the logs and after some minutes you will get a report like this:&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;Here we go. You can see that the reboot was caused by a misconfigured Intune app deployment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;⚠️Please be aware that AI can make mistakes. Never blindly trust the output, especially any recommendations for how to fix an issue. ⚠️&lt;/P&gt;
&lt;P&gt;However, now we have a fantastic starting point. In this case, Copilot correctly identified the root cause and we can fix this in Intune&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;It also created the requested timeline&lt;/P&gt;
&lt;img /&gt;
&lt;H4&gt;&lt;STRONG&gt;Example&amp;nbsp;&lt;/STRONG&gt;&lt;STRONG&gt;#2 – Why did the Autopilot deployment fail?&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;When Autopilot deployments fail, it can be hard to troubleshoot as you may not have the affected device in front of you. Therefore, it is great that Intune automatically uploads diagnostics logs when this happens. In this example, an Autopilot deployment failed, and we are going to analyse the logs with Copilot.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I downloaded the logs to a new folder, opened the terminal, navigated to the folder, and started Copilot:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now I am going to analyse this with a different prompt:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Analyse the provided Intune Diagnostics logs and find out why this Windows 11 Autopilot deployment failed. Once you have found the issue, confirm your findings with the configured Microsoft Learn MCP Server. Then create a Root Cause Analysis Report and save it as HTML in the same folder. Include a timeline with relevant events in the report. Extract all needed files like .zip, .cab that you need for the analysis.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After a beverage of choice, I had much more clarity on what happened:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Root cause:&lt;/STRONG&gt; Enrollment Status Page (ESP) remained blocked in &lt;STRONG&gt;Account setup&lt;/STRONG&gt; by a required &lt;STRONG&gt;user-targeted WinGet app&lt;/STRONG&gt; that did not complete download/install during the observed log window. The blocking app was &lt;STRONG&gt;Sysinternals Suite - Req - All Users&lt;/STRONG&gt; (Win32App_9c514d25-f55e-4177-af53-ca5ebbcf2619, package 9P7KNL5RWT25).&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Remarks&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;In this blog, I did not cover different models, credits, better prompting, and other improvements you can make to optimise the analysis. I wanted to give IT Pros a quick start with GitHub Copilot CLI.&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Summary&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;I highly recommend that you try GitHub Copilot yourself the next time you need to troubleshoot an issue. You will be amazed at how good it is at finding the root cause of an issue. This works with all kinds of log files, network traces, and more.&lt;/P&gt;
&lt;P&gt;GitHub Copilot does not replace endpoint expertise, but it can dramatically reduce the time needed to move from raw diagnostics to a validated root-cause hypothesis.&lt;/P&gt;
&lt;P&gt;I hope this blog helped you get started😊&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Stefan Röll&lt;/P&gt;
&lt;P&gt;Cloud Solution Architect – Microsoft Germany&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Helpful resources and references:&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/training/support/mcp" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/training/support/mcp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/training/support/mcp-get-started" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/training/support/mcp-get-started&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://github.com/features/copilot/plans" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/plans&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://github.com/features/copilot/cli" target="_blank" rel="noopener"&gt;https://github.com/features/copilot/cli&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Disclaimer:&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;This posting is provided "AS IS" with no warranties and confers no rights&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jun 2026 12:15:59 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/analyse-intune-diagnostics-logs-with-github-copilot/ba-p/4527500</guid>
      <dc:creator>StefanRöll</dc:creator>
      <dc:date>2026-06-11T12:15:59Z</dc:date>
    </item>
    <item>
      <title>At-Scale Failure Reporting for Azure Update Manager</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/at-scale-failure-reporting-for-azure-update-manager/ba-p/4527378</link>
      <description>&lt;H3&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Update Manager simplifies patching across Azure virtual machines and Azure Arc-enabled servers by providing a centralized platform for patch assessment and installation. However, as environments scale, a key challenge emerges—&lt;STRONG&gt;efficiently identifying and troubleshooting patch failures across large fleets of machines&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;While Azure Update Manager surfaces detailed error messages in the Azure portal, this information is typically available &lt;STRONG&gt;only at an individual machine level&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In enterprise environments managing hundreds or thousands of systems, drilling into each VM to find error details quickly becomes impractical.&lt;/P&gt;
&lt;P&gt;In this article, we walk through a real-world use case and demonstrate how to leverage &lt;STRONG&gt;Azure Resource Graph (ARG)&lt;/STRONG&gt; to extract &lt;STRONG&gt;failed machines along with their error details for a specific maintenance run&lt;/STRONG&gt;—using a single query.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;The Challenge: Scaling Patch Failure Visibility&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;In a large enterprise deployment, Azure Update Manager was configured to manage patching across:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Windows and Linux virtual machines&lt;/LI&gt;
&lt;LI&gt;Azure cloud VMs and Arc-enabled on‑premises servers&lt;/LI&gt;
&lt;LI&gt;Multiple regions and subscriptions&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;While patching operations were largely successful, a subset of machines experienced failures. The key challenges faced by the operations team were:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Error messages were visible &lt;STRONG&gt;only by drilling into each failed VM in the portal&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;No built‑in way to &lt;STRONG&gt;aggregate failures across all machines&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Lack of a simple mechanism to export:
&lt;UL&gt;
&lt;LI&gt;Failed VMs&lt;/LI&gt;
&lt;LI&gt;Error codes&lt;/LI&gt;
&lt;LI&gt;Error messages&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The team needed a &lt;STRONG&gt;scalable, query&lt;/STRONG&gt;‑&lt;STRONG&gt;driven approach&lt;/STRONG&gt; to analyze failures across an entire maintenance run.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Key Insight: Where Azure Update Manager Stores Data&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Update Manager does &lt;STRONG&gt;not&lt;/STRONG&gt; rely on Log Analytics to store operational results. Instead:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Patch assessment and installation results are stored in &lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Resource Graph acts as a &lt;STRONG&gt;centralized, queryable store&lt;/STRONG&gt; for update operations&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This design enables powerful querying without requiring additional ingestion, configuration, or cost overhead.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Understanding Maintenance Runs and Correlation IDs&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Each Azure Update Manager maintenance run generates a unique identifier:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;properties.correlationId&lt;/STRONG&gt; represents the maintenance (schedule) run ID&lt;/LI&gt;
&lt;LI&gt;All machines involved in the same patch cycle share this ID&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This allows all machines within a single patch execution to be correlated and queried collectively.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;The Solution: Query Failed VMs with Error Messages&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Azure Resource Graph allows querying failures at scale using the &lt;STRONG&gt;maintenanceresources&lt;/STRONG&gt; dataset.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Core Query (Kusto Query Language)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; maintenanceresources&lt;/P&gt;
&lt;P&gt;2&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where type =~ "microsoft.maintenance/applyupdates"&lt;/P&gt;
&lt;P&gt;3&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where tostring(properties.correlationId) contains "&amp;lt;YourMaintenanceRunID&amp;gt;"&lt;/P&gt;
&lt;P&gt;4&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where tostring(properties.status) =~ "Failed"&lt;/P&gt;
&lt;P&gt;5&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | project properties.resourceId, properties.errorCode, properties.errorMessage&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;What This Query Delivers&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;All machines that &lt;STRONG&gt;failed&lt;/STRONG&gt; in a specific maintenance run&lt;/LI&gt;
&lt;LI&gt;Error codes for troubleshooting&lt;/LI&gt;
&lt;LI&gt;Full error messages that are otherwise visible only in the Azure portal&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Property names for error information can vary by environment. Validate available fields using Azure Resource Graph Explorer and adjust the project clause if required.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Sample Output (Conceptual)&lt;/STRONG&gt;&lt;/H3&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Resource ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Error Code&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Error Message&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm-01&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;0x80244007&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Windows Update API failed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm-02&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;0x80072f8f&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Connectivity issue&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm-03&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1C&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;WSUS configuration issue&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Advanced Scenario: Automatically Detecting the Latest Failed Maintenance Run&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;In real-world scenarios, you may not always know the maintenance run ID. The following query dynamically identifies the &lt;STRONG&gt;most recent maintenance run that had failures&lt;/STRONG&gt;, and then retrieves all failed machines from that run.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; // Step 1: Identify the latest maintenance run ID with failures&lt;/P&gt;
&lt;P&gt;2&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; let lastFailedRun = toscalar(&lt;/P&gt;
&lt;P&gt;3&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;maintenanceresources&lt;/P&gt;
&lt;P&gt;4&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| extend runId = extract(@"applyupdates/(\d+)$", 1, properties.correlationId)&lt;/P&gt;
&lt;P&gt;5&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| where type =~ "microsoft.maintenance/applyupdates"&lt;/P&gt;
&lt;P&gt;6&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| where tostring(properties.status) =~ "Failed"&lt;/P&gt;
&lt;P&gt;7&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| order by tostring(properties.startDateTime) desc&lt;/P&gt;
&lt;P&gt;8&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| take 1&lt;/P&gt;
&lt;P&gt;9&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;| project runId&lt;/P&gt;
&lt;P&gt;10&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; );&lt;/P&gt;
&lt;P&gt;11&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; // Step 2: Query all failed VMs from that run&lt;/P&gt;
&lt;P&gt;12&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; maintenanceresources&lt;/P&gt;
&lt;P&gt;13&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where type =~ "microsoft.maintenance/applyupdates"&lt;/P&gt;
&lt;P&gt;14&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where tostring(properties.correlationId) contains lastFailedRun&lt;/P&gt;
&lt;P&gt;15&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | where tostring(properties.status) =~ "Failed"&lt;/P&gt;
&lt;P&gt;16&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | project properties.resourceId, properties.errorCode, properties.errorMessage&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This approach is ideal for automation, scheduled reporting, and dashboard scenarios.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Why This Approach Matters&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;Operational Efficiency&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Eliminates manual portal navigation&lt;/LI&gt;
&lt;LI&gt;Provides consolidated failure insights in seconds&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Scalability&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Works across large, distributed environments&lt;/LI&gt;
&lt;LI&gt;Supports both Azure and hybrid (Arc‑enabled) machines&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Automation Ready&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Can be integrated into scripts, dashboards, and reporting pipelines&lt;/LI&gt;
&lt;LI&gt;Enables proactive monitoring and alerting scenarios&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Best Practices for Enterprise Patch Reporting&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;To maximize the value of this approach:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Capture and track &lt;STRONG&gt;maintenance run IDs&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Use &lt;STRONG&gt;Azure Resource Graph as the primary reporting layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Build reusable queries for different patch scenarios&lt;/LI&gt;
&lt;LI&gt;Export reports for compliance and auditing&lt;/LI&gt;
&lt;LI&gt;Correlate failures with root‑cause trends over time&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;As organizations scale patching operations with Azure Update Manager, &lt;STRONG&gt;visibility, speed, and automation become essential&lt;/STRONG&gt;. While the Azure portal is effective for per‑machine troubleshooting, it is not optimized for fleet‑level analysis.&lt;/P&gt;
&lt;P&gt;Azure Resource Graph fills this gap by enabling a shift from &lt;STRONG&gt;manual troubleshooting&lt;/STRONG&gt; to &lt;STRONG&gt;automated, query&lt;/STRONG&gt;‑&lt;STRONG&gt;driven failure analysis at scale&lt;/STRONG&gt;. By adopting this approach, teams can significantly improve operational efficiency, reduce mean time to resolution, and build a more mature patch management strategy.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Final takeaway:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Don’t rely only on the portal&lt;/LI&gt;
&lt;LI&gt;Leverage &lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt; to operationalize patch insights at enterprise scale&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;References&lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;Azure Update Manager – Query resources with Azure Resource Graph&lt;BR /&gt;&lt;A href="https://learn.microsoft.com/azure/update-manager/query-logs" target="_blank"&gt;https://learn.microsoft.com/azure/update-manager/query-logs&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Azure Update Manager – Troubleshooting guide&lt;BR /&gt;&lt;A href="https://learn.microsoft.com/azure/update-manager/troubleshoot" target="_blank"&gt;https://learn.microsoft.com/azure/update-manager/troubleshoot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Sample Azure Resource Graph queries for Azure Update Manager&lt;BR /&gt;&lt;A href="https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/update-manager/sample-query-logs.md" target="_blank"&gt;https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/update-manager/sample-query-logs.md&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 11 Jun 2026 06:32:42 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/at-scale-failure-reporting-for-azure-update-manager/ba-p/4527378</guid>
      <dc:creator>rajeshkumar30</dc:creator>
      <dc:date>2026-06-11T06:32:42Z</dc:date>
    </item>
    <item>
      <title>Redefining Security for an AI Driven World</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/redefining-security-for-an-ai-driven-world/ba-p/4521961</link>
      <description>&lt;P class="lia-align-justify"&gt;Vendors are being challenged to help customers address these challenges not as a point-solution vendor but as an &lt;STRONG&gt;end-to-end security and AI platform partner&lt;/STRONG&gt;. By integrating identity, data governance, threat protection, and AI services into a unified ecosystem, Microsoft can deliver coordinated defenses, continuous compliance monitoring, and operational efficiency gains that fragmented toolsets cannot match. The sections that follow examine each challenge in depth — why it persists, what makes it hard, and specifically how Microsoft helps organizations bridge the gap.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 1: Safeguarding Data Privacy in the AI Era&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;AI systems are voracious consumers of data, and their adoption is outpacing the governance structures meant to protect it.&lt;/STRONG&gt; More than &lt;STRONG&gt;80% of business leaders&lt;/STRONG&gt; cite leakage of sensitive data as their primary concern with generative AI, and nearly &lt;STRONG&gt;48%&lt;/STRONG&gt; have responded by banning all use of GenAI in the workplace entirely. Meanwhile, AI is raising the value of human-generated data as a critical training input while introducing entirely new avenues for potential data leakage through models and AI-powered applications.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Fragmented tooling&lt;/STRONG&gt; is the most immediate obstacle. Organizations are managing security, compliance, and data governance through disconnected platforms, creating siloed visibility that undermines cohesive protection. Only &lt;STRONG&gt;31%&lt;/STRONG&gt; of organizations have established a global data architecture, and just &lt;STRONG&gt;25%&lt;/STRONG&gt; maintain a global data quality program — two foundations essential for trustworthy AI innovation. Without enterprise-wide data classification and access controls, AI systems cannot distinguish what is too sensitive to surface.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, &lt;STRONG&gt;shadow AI&lt;/STRONG&gt; compounds the risk. When employees turn to unapproved AI tools to boost productivity, sensitive data can flow to services outside IT's purview. According to Microsoft's guide on securing the AI-powered enterprise, &lt;STRONG&gt;80% of business leaders worry that sensitive data could slip through the cracks due to unchecked AI use&lt;/STRONG&gt;. AI models also inherit the permissions of their users, meaning an over-permissioned employee can unknowingly expose critical data to an AI system. Gartner has estimated that by 2025, generative AI will account for&amp;nbsp;&lt;STRONG&gt;10% of all data produced&lt;/STRONG&gt;, further blurring the boundary between what is corporate-controlled and what is AI-generated.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Regulatory stakes add urgency: Gartner projects that by &lt;STRONG&gt;2027&lt;/STRONG&gt;, at least one global company will see its AI deployment banned by a regulator for non-compliance with data protection or AI governance legislation.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Microsoft Purview&lt;/STRONG&gt; provides a unified platform that combines data classification, data loss prevention (DLP), and AI-specific posture management to address fragmentation head-on. Its &lt;STRONG&gt;Data Security Posture Management (DSPM) for AI&lt;/STRONG&gt; centralizes visibility into how AI applications interact with sensitive data across the organization — including Microsoft 365 Copilot, enterprise AI apps, and third-party AI tools. Security teams can see, for example, how many unlabeled files were referenced by Copilot and where the greatest concentrations of unprotected data reside.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Sensitivity labels&lt;/STRONG&gt; created in Purview travel with documents and are enforced at inference time: when an AI app retrieves a file labeled "Highly Confidential," the system ensures the requesting user holds the required EXTRACT and VIEW usage rights before returning data. In practice, an executive running a Copilot query on a labeled strategy document would see the sensitivity label clearly marked alongside the response. Purview's DLP policies now extend to AI scenarios directly, including &lt;STRONG&gt;inline browser protection&lt;/STRONG&gt; that can block or warn users attempting to paste sensitive data into third-party generative AI sites such as ChatGPT in Microsoft Edge, Chrome, or Firefox.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For organizations handling the most sensitive workloads, &lt;STRONG&gt;Azure Confidential Computing&lt;/STRONG&gt; protects data even while it is being processed, using hardware-based Trusted Execution Environments (TEEs) that keep information encrypted in memory — invisible even to cloud operators. This capability is especially relevant for AI training and inference on regulated data, where customers need verifiable proof that their information was never exposed in plaintext during processing.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The net result is defense-in-depth for data: &lt;STRONG&gt;discover&lt;/STRONG&gt; where sensitive information lives, &lt;STRONG&gt;classify&lt;/STRONG&gt; it so AI systems respect boundaries, &lt;STRONG&gt;enforce&lt;/STRONG&gt; policies at the point of AI interaction, and &lt;STRONG&gt;encrypt&lt;/STRONG&gt; data in use for the highest-risk scenarios — all governed through a single compliance surface.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 2: The AI-Weaponized Threat Landscape&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Adversaries are using AI to accelerate, scale, and personalize attacks faster than traditional defenses can respond.&lt;/STRONG&gt; In the past year, &lt;STRONG&gt;67% of all phishing attacks&lt;/STRONG&gt; employed some form of AI, and organizations now face an average of &lt;STRONG&gt;66 data security alerts per day&lt;/STRONG&gt; — up from &lt;STRONG&gt;52 in 2023&lt;/STRONG&gt;. Under this pressure, &lt;STRONG&gt;73% of cybersecurity experts&lt;/STRONG&gt; admit they have missed, ignored, or failed to respond to high-priority security alerts.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;The speed differential&lt;/STRONG&gt; is the core problem. AI-enabled threat actors can now use models to autonomously discover, chain, and exploit vulnerabilities, compressing the window from discovery to exploitation &lt;STRONG&gt;from months to hours&lt;/STRONG&gt;. Attackers leverage generative AI for malware generation, automated vulnerability scanning, customized exploits, password cracking, sophisticated phishing and social engineering, and deepfake-based impersonation of data, email, and voice.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, &lt;STRONG&gt;AI systems themselves introduce novel attack surfaces&lt;/STRONG&gt;. A staggering &lt;STRONG&gt;88% of organizations&lt;/STRONG&gt;, according to a Gartner Peer Community survey of 332 participants, are concerned about indirect prompt injection attacks — where malicious instructions embedded in data manipulate an AI's behavior to reveal confidential information or bypass controls. AI models are also susceptible to fabrications, initially known as hallucinations, in essence biased outputs, and data poisoning — risks that traditional vulnerability management frameworks were never designed to address.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;From an &lt;STRONG&gt;operational standpoint&lt;/STRONG&gt;, SOC analysts already spend &lt;STRONG&gt;nearly three hours per day on incidents&lt;/STRONG&gt;, accumulating costs that reach billions in aggregate. Layering AI-driven attacks on top of this existing overload threatens to break conventional security operations entirely.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft counters the asymmetry with &lt;STRONG&gt;AI-powered defense at cloud scale&lt;/STRONG&gt;, grounded in threat intelligence no single organization could replicate alone. Microsoft processes &lt;STRONG&gt;more than 100 trillion security signals per day&lt;/STRONG&gt; from endpoints, cloud services, identity systems, and the edge, and tracks &lt;STRONG&gt;1,500 unique threat actor groups&lt;/STRONG&gt; — including &lt;STRONG&gt;600 nation-state actors, 300 cybercrime groups, and 200 influence operations groups&lt;/STRONG&gt;. This intelligence feeds directly into detection models and product updates, ensuring customers benefit from patterns observed across billions of users and devices worldwide.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Microsoft Security Copilot&lt;/STRONG&gt; is the most visible expression of this strategy. A generative AI security assistant combining advanced OpenAI models with a Microsoft-developed security-specific model, it helps analysts investigate and remediate incidents in natural language — from triaging complex alerts into actionable summaries, to reverse-engineering malicious scripts, to generating KQL queries for threat hunting. Early deployment data shows that Defender XDR customers using Security Copilot experienced a &lt;STRONG&gt;30% reduction in incident resolution time&lt;/STRONG&gt; in just three months.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For &lt;STRONG&gt;securing AI models themselves&lt;/STRONG&gt;, Microsoft Defender for Cloud now offers &lt;STRONG&gt;AI model security&lt;/STRONG&gt; (in public preview since March 2026), which scans custom AI models in Azure Machine Learning registries and workspaces for embedded malware, unsafe operators, and exposed secrets — integrated directly into CI/CD pipelines so risky models are stopped before reaching production.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The Microsoft Digital Defense Report 2025 reinforced this posture with seven top recommendations, led by managing cyber risk at the boardroom level, prioritizing identity protection, and investing in people alongside tools. Microsoft's approach treats AI threats not as a separate domain but as an intensification of the broader threat landscape that demands coordinated, platform-level defense.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 3: Identity and Access Governance for AI Agents&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;AI is creating an entirely new class of digital actors that most identity systems were never designed to manage.&lt;/STRONG&gt; According to IDC, there will be approximately &lt;STRONG&gt;1.3 billion AI agents&lt;/STRONG&gt; operating across enterprises by 2028. These agents — which range from simple automation bots to fully autonomous decision-making systems — require resource access, generate data, and interact with users and services in ways that fundamentally differ from traditional applications or human users.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Most organizations &lt;STRONG&gt;lack lifecycle management, ownership models, and policy controls&lt;/STRONG&gt; for non-human identities, and AI agents amplify these gaps significantly. Industry analysts argue that AI agents should not be treated as just another non-human identity; they introduce &lt;STRONG&gt;complex delegation chains&lt;/STRONG&gt; between humans, agents, and services that require distinct identity, accountability, and audit models. Traditional human-in-the-loop controls may not scale for agentic systems, yet new identity-centric governance mechanisms are only beginning to emerge.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Compounding the issue, the &lt;STRONG&gt;indeterministic nature of large language models&lt;/STRONG&gt; means that an AI agent with broad access privileges may behave unpredictably — potentially taking actions its developers did not anticipate. Without proper controls, forgotten or orphaned agent identities can become easy targets for attackers, and the resulting security incidents may be difficult to attribute or contain.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft extends its identity-first Zero Trust architecture to AI through &lt;STRONG&gt;Microsoft Entra Agent ID&lt;/STRONG&gt; (in public preview). The core idea: every AI agent receives a &lt;STRONG&gt;unique, first-class identity&lt;/STRONG&gt; — discoverable, manageable, and securable alongside human users, applications, and devices. Once registered, an agent's access can be scoped using the same enterprise-grade controls as any other identity: conditional access policies, role-based access control, lifecycle governance, and risk-based protection.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Conditional Access for Agents&lt;/STRONG&gt; allows organizations to evaluate an agent's context and risk level before granting a token. Policies can enforce controls such as restricting agents to specific network locations or blocking access when risk signals are elevated. Microsoft is also developing&amp;nbsp;&lt;STRONG&gt;RBAC guardrails&lt;/STRONG&gt; specifically tailored to AI agent behaviors, acknowledging that LLM-based agents present heightened risk when granted broad role assignments.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For lifecycle management, Microsoft provides mechanisms for IT administrators to create &lt;STRONG&gt;automated lifecycle policies for agent identities&lt;/STRONG&gt; — including periodic attestation by designated sponsors, automated cleanup of unmonitored agents, and notifications when agent identities approach expiration. This directly addresses the "agent sprawl" problem identified by CISOs and security architects.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At a broader level, &lt;STRONG&gt;Microsoft Agent 365&lt;/STRONG&gt; delivers a unified control plane for agents, aggregating posture, and real-time risk signals from Defender, Entra, and Purview into a single dashboard — providing discovery of both Microsoft and third-party agents, AI posture tracking, and governance controls to delegate remediation tasks to the appropriate teams. The &lt;STRONG&gt;Security Dashboard for AI&lt;/STRONG&gt; (in GA now) answers the executive-level questions: &lt;EM&gt;Which AI assets exist in our environment? What is their current security posture? Where must we take action? —&lt;/EM&gt;&amp;nbsp;covering Microsoft 365 Copilot, Copilot Studio agents, Foundry apps, and third-party AI including Google Gemini, OpenAI ChatGPT, and MCP servers&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 4: Regulatory Compliance and Ethical AI Governance&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;The regulatory landscape for AI is evolving faster than most organizations can track, and the stakes — legal, financial, and reputational — are escalating.&lt;/STRONG&gt; More than &lt;STRONG&gt;52% of business leaders&lt;/STRONG&gt; admit they are unsure how to navigate rapidly evolving AI regulations. Frameworks like the&amp;nbsp;&lt;STRONG&gt;EU AI Act&lt;/STRONG&gt; (whose first obligations took effect on &lt;STRONG&gt;February 2, 2025&lt;/STRONG&gt;), GDPR, and sector-specific rules such as DORA are converging to create a compliance environment that demands continuous adaptation.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;The EU AI Act alone adopts a &lt;STRONG&gt;risk-based approach&lt;/STRONG&gt; to AI regulation, classifying systems by their potential impact on health, safety, and fundamental rights and imposing corresponding obligations for documentation, transparency, human oversight, and testing. Organizations must map every AI deployment to the correct risk category — and misclassification can lead to regulatory violations. Simultaneously, the &lt;STRONG&gt;responsibilities of security leaders are expanding&lt;/STRONG&gt; to include governance and regulatory compliance oversight that traditionally belonged to legal or compliance teams.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The NC State University Executive Perspectives on Top Risks survey of &lt;STRONG&gt;1,540 board members and C-suite executives&lt;/STRONG&gt; ranked &lt;STRONG&gt;regulatory uncertainty and fragmentation&lt;/STRONG&gt; as the eighth-highest near-term risk (2026–2028), and &lt;STRONG&gt;AI implementation risks&lt;/STRONG&gt; as sixth. Among AI-specific concerns, &lt;STRONG&gt;24% of respondents&lt;/STRONG&gt; identified lack of governance and accountability for AI deployments as a top three worry. Culturally, building internal consensus around what constitutes "responsible" AI use — across diverse business units with different risk appetites — remains a persistent organizational challenge.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's &lt;STRONG&gt;Responsible AI program&lt;/STRONG&gt;, anchored by six durable principles established in &lt;STRONG&gt;2018&lt;/STRONG&gt; — Fairness, Reliability &amp;amp; Safety, Privacy &amp;amp; Security, Inclusiveness, Transparency, and Accountability — provides a governance blueprint that has proven stable even as AI technology evolves rapidly. These principles shape design, deployment, and oversight choices across Microsoft's products, and the company shares the lessons openly through its &lt;STRONG&gt;2025 Responsible AI Transparency Report&lt;/STRONG&gt; and customer guidance.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;In preparing for the EU AI Act specifically, Microsoft has taken a &lt;STRONG&gt;proactive, layered approach to compliance&lt;/STRONG&gt;, conducting impact assessments and adversarial red teaming on high-risk models and systems, and extending its Sensitive Uses governance program to ensure additional oversight for the most consequential AI deployments. Microsoft has also documented its approach to EU AI Act implementation to help customers understand how its products and services are being built to comply.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Operationally, the &lt;STRONG&gt;Security Dashboard for AI&lt;/STRONG&gt; provides board-ready analytics and compliance insights, aggregating risk signals across Entra, Defender, and Purview into a single executive view with recommendations and direct remediation paths. This makes AI governance visible and actionable within the same tools security leaders already use for broader risk management.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft also fosters community-driven governance through initiatives like the &lt;STRONG&gt;Security for AI Accelerated Collaboration Forum (ACF)&lt;/STRONG&gt;, which brings together CISOs, security architects, SOC leaders, identity and data owners, and platform engineers to share challenges, shape roadmap priorities, and develop reusable governance frameworks.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Challenge 5: Integration Complexity and Workforce Readiness&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;STRONG&gt;Even when the right AI security tools exist, most organizations struggle to integrate them into existing technology stacks and to equip their people to use them effectively.&lt;/STRONG&gt; Among executives surveyed by NC State University, &lt;STRONG&gt;31%&lt;/STRONG&gt; identified integrating AI with existing technologies, business processes, and workforce as a top-three AI concern, &lt;STRONG&gt;29%&lt;/STRONG&gt; pointed to equipping the workforce to realize AI's value proposition, and &lt;STRONG&gt;28%&lt;/STRONG&gt; flagged the inability to deploy AI at a competitive pace.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;Why This Challenge Persists&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Years of tool proliferation have left enterprises with fragmented security architectures. Organizations rely on disconnected platforms for endpoint protection, cloud workload security, identity management, and data governance — and AI capabilities are now being added to each domain independently. Microsoft's own research notes that organizations using fragmented platforms across security, compliance, and data teams see &lt;STRONG&gt;exacerbated security outcomes&lt;/STRONG&gt;. When a data loss prevention alert in one system cannot be correlated with an identity anomaly in another, threats slip through.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;At the same time, AI security as a discipline &lt;STRONG&gt;lacks comprehensive resources and seasoned experts&lt;/STRONG&gt;. Because major cloud AI platforms only became generally available in 2021–2023, organizations must often develop protective measures without much external guidance or established precedent. The cybersecurity workforce shortage is well documented; the additional demand for professionals who understand both machine learning and security compounds it further.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The broader threat environment amplifies the urgency: cyberthreats have grown &lt;STRONG&gt;5X&lt;/STRONG&gt; in scale, Microsoft now tracks over &lt;STRONG&gt;1,500 threat actor groups&lt;/STRONG&gt; (up from roughly 300 just a few years ago), and the median time for an attacker to access confidential data after a successful phishing attack is just &lt;STRONG&gt;1 hour 12 minutes&lt;/STRONG&gt;. Teams that cannot integrate and respond quickly are structurally disadvantaged.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H3&gt;How can organizations bridge the gap?&lt;/H3&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's primary answer to integration complexity is a &lt;STRONG&gt;unified, cloud-native security platform&lt;/STRONG&gt; in which AI, identity, data governance, and threat protection work as a coordinated system. Security Copilot, for instance, is embedded within and integrates across &lt;STRONG&gt;Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and Microsoft Purview&lt;/STRONG&gt;. An analyst can use a single natural language interface to investigate incidents drawing on data from any of these products, generate remediation steps, build reports for stakeholders, and automate routine tasks with autonomous Security Copilot agents — all without switching consoles.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;The inclusion of Security Copilot in &lt;A href="https://learn.microsoft.com/en-us/copilot/security/security-copilot-inclusion" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft 365 E5 and E7&lt;/STRONG&gt;&lt;/A&gt; licensing simplifies adoption further. Customers receive &lt;STRONG&gt;a monthly allocation of SCUs or Secure Computing Units to empower Security Copilot&lt;/STRONG&gt;, eliminating the need for separate AI security procurement. This positions integrated, agentic AI-powered security as a default capability rather than an add-on.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;For &lt;STRONG&gt;endpoint-level visibility into AI agent sprawl&lt;/STRONG&gt;, Microsoft Defender for Endpoint now automatically discovers supported AI coding agents on onboarded Windows 11 devices — including OpenClaw, Claude Code, Codex, Cursor, GitHub Copilot CLI, ChatGPT Desktop, Gemini CLI, and others — and surfaces them in the Defender portal inventory for investigation and correlation with existing device telemetry.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;On &lt;STRONG&gt;workforce enablement&lt;/STRONG&gt;, Microsoft operates the &lt;STRONG&gt;Security Copilot Adoption Hub&lt;/STRONG&gt;, which provides role-specific guidance for CISOs, threat intelligence analysts, IT admins, and data security administrators on how to embed AI into their daily workflows. The broader Microsoft Learn platform now offers modules on securing AI applications and responsible AI governance.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's role here is as a &lt;STRONG&gt;force multiplier&lt;/STRONG&gt;: by consolidating tools, reducing integration burden, and actively investing in customer readiness, Microsoft enables organizations to convert AI from a source of complexity into an operational advantage — without leaving security behind.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Conclusion: Turning AI Security into Competitive Advantage&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;The five challenges examined here — &lt;STRONG&gt;data exposure, adversarial threats, identity sprawl, regulatory uncertainty, and integration complexity&lt;/STRONG&gt; — will only intensify as AI adoption accelerates. Yet for organizations that address them proactively, the payoff extends well beyond risk mitigation. Robust AI security has become a source of trust with customers and regulators, a prerequisite for bold innovation, and a differentiator in markets where competitors may still be scrambling to catch up.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;Microsoft's contribution is structural: an integrated platform where identity, data governance, threat intelligence, and compliance converge — backed by principles of Responsible AI that have remained durable since 2018 and by threat visibility at a scale (more than &lt;STRONG&gt;100 trillion signals per day&lt;/STRONG&gt;, &lt;STRONG&gt;1,500+ tracked threat actor groups&lt;/STRONG&gt;) that no single enterprise can replicate. For executive leadership, the actionable imperative is to treat AI security not as a technical footnote but as a boardroom priority — one that spans the CIO, CISO, Chief Data Officer, and business-unit leaders working together. As Microsoft's own AI security guidance articulates, cross-team collaboration, employee training, and transparent governance are just as essential as firewalls and encryption in building a secure AI future. The organizations that internalize this lesson will be those best positioned to harness AI's full potential — securely, responsibly, and at scale.&lt;/P&gt;
&lt;DIV class="lia-align-justify"&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-10"&gt;Tech Resources:&lt;/SPAN&gt;&lt;/H2&gt;
&lt;/DIV&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/?msockid=135fb85555cc6d1923eeaead54046cc6" target="_blank" rel="noopener"&gt;Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/microsoft-cloud/blog/2025/04/23/securing-ai-navigating-risks-and-compliance-for-the-future/" target="_blank" rel="noopener"&gt;Securing AI and Navigating risks and compliance for the future&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/entra/agent-id/identity-professional/microsoft-entra-agent-identities-for-ai-agents" target="_blank" rel="noopener"&gt;Entra agent Identities for AI agents&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/security/security-for-ai/security-dashboard-for-ai" target="_blank" rel="noopener"&gt;Secure Dashboard for AI&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/faq-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot FAQ&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 22 May 2026 21:14:55 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/redefining-security-for-an-ai-driven-world/ba-p/4521961</guid>
      <dc:creator>edgarus71</dc:creator>
      <dc:date>2026-05-22T21:14:55Z</dc:date>
    </item>
    <item>
      <title>Build a Local Microsoft Sentinel Triage Agent in VS Code (Copilot + MCP)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/build-a-local-microsoft-sentinel-triage-agent-in-vs-code-copilot/ba-p/4520486</link>
      <description>&lt;P&gt;Modern SOC work is not limited by data—it’s limited by the friction of collecting it. This post shows a local-first workflow that lets you investigate Microsoft Sentinel incidents from inside VS Code using GitHub Copilot Chat for reasoning and a small, deterministic MCP toolset for evidence retrieval and (optionally) approval-gated writeback.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What you’ll take away:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;How to structure a Copilot + MCP triage loop that stays grounded in Azure evidence&lt;/LI&gt;
&lt;LI&gt;A reliability pattern: fall back to KQL when Sentinel subresource APIs are flaky&lt;/LI&gt;
&lt;LI&gt;A safety pattern: draft-first, explicit-approval writeback for incident comments&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Why This Exists&lt;/H2&gt;
&lt;P&gt;Sentinel triage is powerful but fragmented: you jump between the portal, KQL, entity pivots, and case notes just to answer “what happened?” The goal here is to collapse that into a single, repeatable loop inside the editor.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Resolve the incident and pull the underlying alerts/entities&lt;/LI&gt;
&lt;LI&gt;Pivot into AzureActivity (and other logs) to identify the actor and outcome&lt;/LI&gt;
&lt;LI&gt;Use threat intelligence (TI) for context—not as the decision&lt;/LI&gt;
&lt;LI&gt;Generate an evidence-backed narrative and draft comment; write back only on explicit approval&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Design Principles&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Evidence first:&lt;/STRONG&gt; every claim must be traceable to Sentinel APIs or Log Analytics results&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Small tool surface:&lt;/STRONG&gt; fewer tools, clearer prompting, easier hardening&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reliability by design:&lt;/STRONG&gt; if one API path fails, pivot to KQL and continue&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safety boundary:&lt;/STRONG&gt; investigation and writeback are separate, and writeback is approval-gated&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Architecture &amp;amp; Data Flow&lt;/H2&gt;
&lt;P&gt;A local TypeScript MCP server exposes a handful of triage tools to Copilot Chat in VS Code. Reads come from Sentinel + Log Analytics; writes (incident comments) are optional and require explicit approval.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Copilot Chat (VS Code)&lt;/STRONG&gt; decides the next step and summarizes outputs&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;MCP server&lt;/STRONG&gt; executes allowed tools: incident lookup, alert/entity retrieval, KQL queries, optional comment writeback&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Evidence sources&lt;/STRONG&gt;: Sentinel Incident APIs + Log Analytics tables (SecurityIncident, SecurityAlert, AzureActivity, TI tables)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safety gate&lt;/STRONG&gt;: writeback happens only after explicit approval; otherwise you get a draft&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Tool Surface&lt;/H2&gt;
&lt;P&gt;MCP is useful here because it separates reasoning from execution: Copilot can decide &lt;EM&gt;what&lt;/EM&gt; to do, but only the MCP server can do it—and only through tools you explicitly define and can audit.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;list_incidents&lt;/STRONG&gt; / &lt;STRONG&gt;get_incident&lt;/STRONG&gt; (ground the case)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;get_incident_alerts&lt;/STRONG&gt; / &lt;STRONG&gt;get_incident_entities&lt;/STRONG&gt; (fast path)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;run_incident_kql&lt;/STRONG&gt; (reliable fallback + pivots)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;add_incident_comment&lt;/STRONG&gt; (draft-first; writes only with approval)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;The Investigation Loop (3 Steps)&lt;/H2&gt;
&lt;H3&gt;Prompt used&lt;/H3&gt;
&lt;LI-CODE lang="powershell"&gt;&lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="2324605" data-lia-user-login="sentinel" class="lia-mention lia-mention-user"&gt;sentinel&lt;/a&gt;-triage-local Investigate Sentinel incident 1478 end to end in workspace Subscription ID/Resource Group/Workspace Name. Resolve the incident ID first, collect underlying alerts and entities, enrich with AzureActivity and TI, determine whether the activity is malicious or benign, and return:
1. Investigation summary
2. Key evidence
3. Entity analysis
4. TI enrichment result
5. Risk assessment
6. Recommended disposition
7. Final incident comment draft
Rules:
- Use tool output only, no guessing.
- If alert/entity subresource APIs fail, pivot to KQL and continue.
- Do not submit the comment unless I explicitly say: APPROVE COMMENT.
&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;1) Ground the incident&lt;/H3&gt;
&lt;P&gt;Resolve the human-friendly incident number to the Sentinel incident resource ID, then capture the metadata you need to drive every later pivot.&lt;/P&gt;
&lt;P&gt;Incident numbers are convenient for analysts, but the actual investigation flow depends on the underlying incident resource ID. Resolving that first gives the workflow a concrete anchor for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Title&lt;/LI&gt;
&lt;LI&gt;Severity&lt;/LI&gt;
&lt;LI&gt;Owner&lt;/LI&gt;
&lt;LI&gt;Status&lt;/LI&gt;
&lt;LI&gt;Alert count&lt;/LI&gt;
&lt;LI&gt;Analytic rule IDs&lt;/LI&gt;
&lt;LI&gt;Incident URL&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This gives you the stable identifiers (and the URL) needed to retrieve alerts, entities, and supporting logs.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;2) Collect alerts and entities (fast path)&lt;/H3&gt;
&lt;P&gt;Pull the alerts behind the incident and the entities they reference. When the incident subresource APIs behave, this is the fastest way to assemble the working set.&lt;/P&gt;
&lt;P&gt;In the ideal path, the agent can call the incident alert and entity subresources directly. That gives fast access to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Alert IDs&lt;/LI&gt;
&lt;LI&gt;Alert names&lt;/LI&gt;
&lt;LI&gt;Timestamps&lt;/LI&gt;
&lt;LI&gt;Severities&lt;/LI&gt;
&lt;LI&gt;Entities&lt;/LI&gt;
&lt;LI&gt;Provider metadata&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;3) Stay reliable: pivot to KQL when APIs fail&lt;/H3&gt;
&lt;P&gt;In real environments, the incident subresource APIs for alerts/entities are not always dependable. When they fail, the workflow switches to Log Analytics and reconstructs the same evidence via KQL—so the investigation continues.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;SecurityIncident&lt;/STRONG&gt; to recover the incident record and alert IDs&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SecurityAlert&lt;/STRONG&gt; to retrieve alert details and entities&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AzureActivity&lt;/STRONG&gt; to determine who or what performed the operation&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ThreatIntelligenceIndicator&lt;/STRONG&gt; and &lt;STRONG&gt;ThreatIntelIndicators&lt;/STRONG&gt; for enrichment&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;The High-Signal Pivot: AzureActivity&lt;/H2&gt;
&lt;P&gt;In the incidents I tested, AzureActivity was the fastest way to classify “suspicious deployment” alerts: it tells you who did the action, what operation ran, and whether it succeeded.&lt;/P&gt;
&lt;P&gt;The evidence showed:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The caller was a single Microsoft Entra ID object ID&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Claims_d.idtyp&lt;/STRONG&gt; = "app"&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Authorization_d.evidence.principalType&lt;/STRONG&gt; = "ServicePrincipal"&lt;/LI&gt;
&lt;LI&gt;The activity was tied to a policy assignment&lt;/LI&gt;
&lt;LI&gt;The operation was &lt;STRONG&gt;MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;The result was &lt;STRONG&gt;BadRequest&lt;/STRONG&gt; with &lt;STRONG&gt;InvalidTemplate&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That pattern typically points to automation (service principal + policy-driven deployment) failing due to a bad template—not an interactive attacker.&lt;/P&gt;
&lt;H2&gt;Threat Intelligence: Use It as Context&lt;/H2&gt;
&lt;P&gt;Enrich observables against TI, but treat it as corroboration: a hit is not proof, and a miss is not a clean bill of health. In my test runs, TI mainly helped refine confidence after AzureActivity and alert evidence established the likely story.&lt;/P&gt;
&lt;H2&gt;Output: An Evidence-Backed Narrative (and a Draft Comment)&lt;/H2&gt;
&lt;P&gt;Once the tools return results, Copilot’s job is synthesis: turn structured evidence into a short narrative an analyst can paste into the case.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What happened, who/what triggered it, and whether it succeeded&lt;/LI&gt;
&lt;LI&gt;Key supporting evidence (alerts, entities, AzureActivity pivots, TI context)&lt;/LI&gt;
&lt;LI&gt;A recommended disposition and a draft incident comment&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Incident comment written back automatically (after approval) (screenshot):&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Safety + Reliability: Approval-Gated Writeback&lt;/H2&gt;
&lt;P&gt;The agent can draft a comment automatically, but it cannot change incident state unless the analyst explicitly approves. That boundary is what makes the workflow usable in real operations.&lt;/P&gt;
&lt;P&gt;After approval, the tool submits the drafted comment directly to the Sentinel incident so the portal reflects the same evidence-backed narrative.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Default:&lt;/STRONG&gt; return the draft comment only&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;On approval:&lt;/STRONG&gt; acquire an ARM token via Azure CLI and submit via curl.exe (hardened with validation + retries)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Why This Is Worth Building&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Less context switching:&lt;/STRONG&gt; investigation happens where you already work&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;More consistency:&lt;/STRONG&gt; the same loop runs every time, with deterministic tools&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Better classification:&lt;/STRONG&gt; AzureActivity pivots reduce false “user did X” assumptions&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safer automation:&lt;/STRONG&gt; drafts are automatic; writes are explicit and auditable&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;AI is most useful in a SOC when it is constrained: deterministic tools fetch the evidence, the model synthesizes it, and humans keep control of state changes. A local Copilot + MCP workflow hits that sweet spot—faster triage for the SOC analysts.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 18 May 2026 04:28:02 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/build-a-local-microsoft-sentinel-triage-agent-in-vs-code-copilot/ba-p/4520486</guid>
      <dc:creator>absharan</dc:creator>
      <dc:date>2026-05-18T04:28:02Z</dc:date>
    </item>
    <item>
      <title>TLS Certificate Pinning and Best Practices in Azure Open-Source Relational Databases</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tls-certificate-pinning-and-best-practices-in-azure-open-source/ba-p/4519531</link>
      <description>&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;TLS certificate pinning in &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Azure Database for PostgreSQL and MySQL&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Transport Layer Security (TLS)&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;encrypts&amp;nbsp;data in transit between client applications and the&amp;nbsp;server and&amp;nbsp;authenticates&amp;nbsp;the service endpoint&amp;nbsp;in&amp;nbsp;client-server authentication.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Database server certificates are issued by well-known trusted public Certificate Authorities (CAs), including Microsoft-issued certificates, and are validated by clients during the TLS handshake. Customers do not manage certificates on the server side.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Certificate pinning&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;is&amp;nbsp;a&amp;nbsp;client-side&amp;nbsp;security technique where an application restricts trust to a specific certificate,&amp;nbsp;for example&amp;nbsp;by&amp;nbsp;thumbprint, public key, or CA,&amp;nbsp;rather than relying solely on the default OS or platform trust store. The trust store&amp;nbsp;contains&amp;nbsp;pre-installed root&amp;nbsp;CAs and may also include&amp;nbsp;additional&amp;nbsp;certificates configured by the client. During standard TLS validation, the client will trust any server certificate that chains to one of those root&amp;nbsp;CAs.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When pinning is&amp;nbsp;used,&amp;nbsp;the client will only connect if the presented certificate chain matches&amp;nbsp;exactly&amp;nbsp;what it expects.&amp;nbsp;However, the server has no visibility into whether pinning is configured on the&amp;nbsp;client,&amp;nbsp;and&amp;nbsp;any&amp;nbsp;certificate&amp;nbsp;change (even a valid one) can cause connection failures.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Why detecting TLS certificate pinning is not possible by design&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Certificate pinning is entirely client-side logic&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;.&lt;/STRONG&gt; From the server’s&amp;nbsp;perspective,&amp;nbsp;the client either completes the TLS handshake or aborts it. The server never sees:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Which certificate(s) the client trusts&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Whether the client is comparing&amp;nbsp;root CA,&amp;nbsp;intermediate CA,&amp;nbsp;leaf&amp;nbsp;certificate&amp;nbsp;or SPKI hash&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Whether the trust decision was static or dynamic&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;TLS is designed so that trust evaluation happens entirely on the client, which is why the server has no visibility into the client’s software configuration or pinning behavior.&amp;nbsp;If the client rejects the certificate (for example, due to pinning or trust validation failures), the connection is&amp;nbsp;terminated&amp;nbsp;before any application-level error or authentication occurs.&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;What the server can see is TLS handshake failure patterns, TLS protocol, and cipher negotiation.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 1 Char"&gt;TLS certificates in&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 1 Char"&gt;Azure&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 1 Char"&gt;OSS databases&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 1 Char"&gt;&amp;nbsp;vs Azure SQL&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The way TLS certificates are handled in Azure OSS databases versus Azure SQL is a core architectural difference.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In Azure SQL (including Azure SQL Database and Azure SQL Managed Instance), the database engine does not directly present a certificate bound to a specific server or host instance. Instead, client connections&amp;nbsp;terminate&amp;nbsp;at a service-managed endpoint. This abstraction allows certificates to be issued and rotated centrally by the service.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;From the client’s perspective, it connects to a service-level endpoint (for example, &amp;lt;server&amp;gt;.database.windows.net), and the certificate chain&amp;nbsp;represents&amp;nbsp;the Azure SQL service rather than a specific machine. Clients are expected to trust the platform CA chain and&amp;nbsp;validate&amp;nbsp;the hostname. As a result, certificate pinning is&amp;nbsp;generally not&amp;nbsp;feasible&amp;nbsp;or useful for Azure SQL, because the TLS endpoint is abstracted and managed by the service.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This is also why Azure SQL client&amp;nbsp;configuration&amp;nbsp;guidance emphasizes using Encrypt=True and&amp;nbsp;TrustServerCertificate=False, ensuring that clients rely on standard TLS validation against the platform-managed certificate chain.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In contrast, Azure Database for PostgreSQL and MySQL expose a more traditional, database engine–level TLS surface where clients directly&amp;nbsp;validate&amp;nbsp;the server certificate chain, making certificate pinning possible. TLS is negotiated by the database engine itself, and the server presents a certificate chain anchored in public or regional certificate authorities.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This results in a fundamentally different trust model. In Azure OSS databases, TLS trust is primarily client-managed,&amp;nbsp;whereas&amp;nbsp;in Azure SQL it is platform-managed. While OSS customers have greater control over certificate validation, they are also responsible for&amp;nbsp;appropriately&amp;nbsp;managing trust configuration. Misconfigurations or overly rigid validation, such as pinning specific certificates, can increase operational risk, particularly during certificate rotations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;One of the most common complications during certificate rotations is certificate pinning.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Why certificate pinning is risky&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;While certificate pinning was historically used to reduce the risk of man-in-the-middle attacks, it introduces significant operational fragility in cloud environments, particularly during certificate rotations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Server certificates and certificate authorities (CAs) must be rotated periodically to&amp;nbsp;maintain&amp;nbsp;security and compliance. In Azure Database for PostgreSQL and MySQL,&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;when certificate pinning is used&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, clients bind trust to a specific certificate or CA. As a result,&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;any change to the server certificate chain—including CA updates—can cause connection failures&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;, even when the new certificates are fully valid and secure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Recommended TLS certificate trust model for Azure OSS databases&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Instead of pinning, adopt a&amp;nbsp;CA&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;based&amp;nbsp;trust model that allows certificates to change safely.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Trust root CAs, not individual certificates&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Configure clients to use standard TLS validation against Azure-documented root CAs, rather than restricting trust to specific certificates or a narrowly scoped set of certificate authorities. Avoid configurations that effectively implement certificate pinning—such as trusting only a single certificate, public key, or limited CA set—unless explicitly&amp;nbsp;required.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Maintain a flexible and up-to-date trust store&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Clients rely on a trust store, key store, or equivalent certificate bundle to&amp;nbsp;validate&amp;nbsp;server certificates during TLS negotiation. While the exact format and configuration vary by client and environment, the same core principles apply across PostgreSQL and MySQL implementations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Include the&amp;nbsp;appropriate root&amp;nbsp;and intermediate certificate authorities (CAs)&amp;nbsp;required&amp;nbsp;to&amp;nbsp;validate&amp;nbsp;the server certificate chain&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Ensure that trust stores are periodically reviewed and updated in line with provider guidance and announced certificate authority changes.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For the current TLS certificates visit the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/postgresql/security/security-tls" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Database for PostgreSQL documentation&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-tls" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Database for MySQL documentation&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Use certificate validation modes that rely on standard CA-based trust rather than pinning&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;PostgreSQL&lt;/STRONG&gt; client&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;configurations, prefer:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;sslmode=verify-ca&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates the server certificate chain against trusted&amp;nbsp;CAs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;sslmode=verify-full&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Verifies CA and hostname match&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;MySQL &lt;/STRONG&gt;client&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;configurations, prefer:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ssl-mode=VERIFY_CA&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates the server certificate chain against trusted&amp;nbsp;CAs&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;ssl-mode=VERIFY_IDENTITY&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Validates CA&amp;nbsp;and&amp;nbsp;hostname (like PostgreSQL verify-full)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These modes ensure that clients&amp;nbsp;validate&amp;nbsp;the&amp;nbsp;server&amp;nbsp;certificate chain against trusted&amp;nbsp;CAs, and in stricter modes, verify hostname identity. They do not imply certificate pinning by themselves. They rely on standard CA-based trust.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Configurations only become rigid when trust is narrowly restricted,&amp;nbsp;such&amp;nbsp;as to&amp;nbsp;a single certificate or limited CA set,&amp;nbsp;often through custom or overly constrained trust stores. This effectively introduces certificate pinning.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When properly configured, these modes authenticate the service endpoint and protect against spoofing, while&amp;nbsp;remaining&amp;nbsp;resilient to certificate rotations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Maintain a combined&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;&amp;nbsp;CA&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;&amp;nbsp;during&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;certificate&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;rotations&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure may rotate root or intermediate&amp;nbsp;CAs&amp;nbsp;over time.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;When Azure announces a CA&amp;nbsp;rotation:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Add&amp;nbsp;the&amp;nbsp;new root&amp;nbsp;and intermediate CAs&amp;nbsp;to&amp;nbsp;the client&amp;nbsp;trust store before the rotation&amp;nbsp;begins&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Retain&amp;nbsp;existing root&amp;nbsp;or intermediate&amp;nbsp;CAs&amp;nbsp;until the transition is&amp;nbsp;fully&amp;nbsp;complete&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Avoid removing older&amp;nbsp;certificates&amp;nbsp;prematurely&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This combined CA approach, using both the current and upcoming certificate authorities during the transition window, allows clients to continue&amp;nbsp;validating&amp;nbsp;the&amp;nbsp;server&amp;nbsp;certificate chain without interruption.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="auto"&gt;As you review your current client configurations, ensure your applications rely on CA-based trust, avoid overly restrictive certificate configurations such as certificate pinning, and are prepared to handle routine certificate rotations without disruption.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jun 2026 13:42:38 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tls-certificate-pinning-and-best-practices-in-azure-open-source/ba-p/4519531</guid>
      <dc:creator>TameikaL</dc:creator>
      <dc:date>2026-06-15T13:42:38Z</dc:date>
    </item>
    <item>
      <title>Check This Out! (CTO!) Guide (April 2026)</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-april-2026/ba-p/4519149</link>
      <description>&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/users/tysonpaul/322025" data-lia-auto-title="Member: TysonPaul | Microsoft Community Hub" data-lia-auto-title-active="0" target="_blank"&gt;Member: TysonPaul | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/announcing-public-preview-for-essential-machine-management/4502721" target="_blank" rel="noopener noreferrer"&gt;Announcing Public Preview for Essential Machine Management&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/meagan%20mccrory/73917" target="_blank" rel="noopener noreferrer"&gt;Meagan McCrory&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/06/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced the public preview of Essential Machine Management within Azure’s Compute Infrastructure Hub. This new feature streamlines onboarding and management of servers and VMs across Azure and multi-cloud environments by enabling core capabilities like monitoring, updates, inventory, and configuration at the subscription level. It offers out-of-the-box best practices, automatic enrollment, and consistent operational coverage. Azure VMs and certain Arc-enabled servers can use these features at no extra cost, while other Arc-enabled servers will be charged $9 per server per month once billing begins. The preview is available in the Azure Portal.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/new-local-management-group-for-alz--updated-sovereign-policies-for-slz/4515156" target="_blank" rel="noopener noreferrer"&gt;New Local Management Group for ALZ &amp;amp; Updated Sovereign Policies for SLZ&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuregovernanceandmanagementblog" target="_blank" rel="noopener noreferrer"&gt;Azure Governance and Management&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jtracey93msft/1418804" target="_blank" rel="noopener noreferrer"&gt;jtracey93msft&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has introduced a new ‘Local’ Management Group in both Azure Landing Zone (ALZ) and Sovereign Landing Zone (SLZ) architectures to better govern Azure Local workloads and facilitate exit planning to Azure Local disconnected operations. Additionally, SLZ now uses new built-in policy initiatives aligned to sovereign control levels 1 (Data Residency), 2 (Encryption-at-Rest/Transit), and 3 (Encryption-in-Use), replacing previous broad baselines for clearer mapping, simplified compliance, and reduced maintenance. These updates improve governance, portability, and policy alignment for customers with sovereignty or resiliency requirements.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/copilot-agents-are-scaling-faster-than-most-organizations-expected/4510366" target="_blank" rel="noopener noreferrer"&gt;Copilot agents are scaling faster than most organizations expected&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/17/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how Copilot agents are being adopted rapidly across organizations, moving from small pilots to broader enterprise use. While early adoption is smooth, scaling introduces new challenges, such as overlapping efforts, unclear ownership, and the need for coordination. The focus shifts from building agents to managing them effectively at scale, requiring clear frameworks and leadership alignment. Microsoft recommends a CIO-level framework to address these issues, helping organizations balance experimentation with coherence and guide responsible growth as Copilot agents become integral to business operations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackblog/copilot-chat-in-financial-services-is-productivity-moving-faster-than-policy/4510910" target="_blank" rel="noopener noreferrer"&gt;Copilot Chat in financial services: Is productivity moving faster than policy?&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/juliehersum/2538158" target="_blank" rel="noopener noreferrer"&gt;JulieHersum&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/13/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article discusses how financial services organizations adopting Copilot Chat are experiencing increased productivity, but this rapid progress is challenging existing governance and compliance policies. As usage expands beyond initial experimentation, leaders are seeking structured approaches to ensure responsible, repeatable adoption without increasing risk. Microsoft 365 Accelerator offers a planning kit to help organizations scale Copilot Chat while maintaining oversight, audit readiness, and governance, focusing on decision-making and risk management rather than just features. The article invites readers to reflect on their experiences and consider how to balance productivity with regulatory requirements.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/flexible-cooling-for-ai-growth-how-zonal-architecture-supports-diverse-hardware-/4514042" target="_blank" rel="noopener noreferrer"&gt;Flexible Cooling for AI Growth: How Zonal Architecture Supports Diverse Hardware Needs&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/stsolo/3447054" target="_blank" rel="noopener noreferrer"&gt;stsolo&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft is introducing zonal cooling in its next-generation AI datacenters to address the diverse cooling needs of modern hardware, particularly AI accelerators requiring liquid cooling and general-purpose equipment relying on air cooling. Zonal cooling uses multiple independent water loops at different temperatures, improving energy efficiency, reducing carbon emissions, and supporting higher server density. This flexible architecture adapts to evolving hardware requirements, enhances performance, and aligns with Microsoft’s sustainability goals. Facility-level zonal cooling is expected to reduce Power Usage Effectiveness (PUE) by up to 10%, making datacenters more efficient and future-ready.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearchitectureblog/running-diffusion-models-at-scale-on-aks/4513687" target="_blank" rel="noopener noreferrer"&gt;Running Diffusion Models at Scale on AKS&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearchitectureblog" target="_blank" rel="noopener noreferrer"&gt;Azure Architecture&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/prabaldeb/3248371" target="_blank" rel="noopener noreferrer"&gt;PrabalDeb&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/29/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines best practices for running diffusion models at scale on Azure Kubernetes Service (AKS). It emphasizes separating API, dispatch, and GPU execution layers for flexible scaling, security, and observability. Key recommendations include isolating GPU workloads, leveraging Kubernetes-native or Service Bus/KEDA-based dispatch, using persistent storage for model caching, enforcing strong identity and secrets management, and instrumenting both application and hardware metrics. The architecture supports scalable, secure, and automated deployments, making AKS a robust platform for production-grade diffusion workloads beyond simple model hosting. Alternatives like KAITO suit less-customized scenarios.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/containers/announcing-log-monitor-v2-2-0-release-candidate/4511286" target="_blank" rel="noopener noreferrer"&gt;Announcing Log Monitor v2.2.0 Release Candidate&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/containers" target="_blank" rel="noopener noreferrer"&gt;Containers&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/bob_sira/2927623" target="_blank" rel="noopener noreferrer"&gt;Bob_Sira&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Log Monitor v2.2.0 Release Candidate introduces a switch from Boost.JSON to the lightweight nlohmann/json library, reducing dependencies and build complexity while remaining backward compatible. This version adds an IIS on AKS deployment example, fixes several configuration parsing bugs, and addresses a path traversal vulnerability. The build system now uses CMake and vcpkg. Upgrading from v2.1.x requires no config changes, but output paths have changed. Updated CI/CD pipelines support the new dependency. Release binaries and documentation are available on GitHub, and user feedback is encouraged.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/containers/simplifying-gmsa-for-windows-containers-on-aks-open-source-tooling-now-available/4512167" target="_blank" rel="noopener noreferrer"&gt;Simplifying gMSA for Windows Containers on AKS: Open-Source Tooling Now Available&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/containers" target="_blank" rel="noopener noreferrer"&gt;Containers&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/natashapolito/1956890" target="_blank" rel="noopener noreferrer"&gt;natashapolito&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has released an open-source tool, available on GitHub, to simplify configuring Group Managed Service Accounts (gMSA) for Windows containers on Azure Kubernetes Service (AKS). This tooling helps organizations modernize Active Directory-dependent Windows applications for Kubernetes without major code changes, enabling secure AD authentication without domain-joined nodes. The repository includes a PowerShell module, automation scripts, and documentation to streamline gMSA setup and validation. Aimed at teams running or modernizing AD-integrated workloads on AKS, the tool reduces manual configuration and invites community feedback to further improve usability.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/so-you%E2%80%99ve-disabled-windows-hello-for-business-but-the-user-can-still-sign-in-usi/4509318" target="_blank" rel="noopener noreferrer"&gt;So, You’ve disabled Windows Hello for Business, but the User can still Sign-in using a PIN&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/brentcrummey/1728711" target="_blank" rel="noopener noreferrer"&gt;BrentCrummey&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/27/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Disabling Windows Hello for Business (WHfB) via Intune or Group Policy does not remove a user’s existing PIN sign-in if it was previously provisioned. The PIN option remains, and its removal button is greyed out due to policy design. To fully remove WHfB PIN sign-in, the user must manually delete their Windows Hello container using “certutil.exe -deleteHelloContainer,” after which they cannot re-enroll as long as the policy is disabled. This behavior is expected and documented by Microsoft.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/askds/troubleshooting-tpm-certificate-how-to-fix-the-missing-stored-keyset-error/4515646" target="_blank" rel="noopener noreferrer"&gt;Troubleshooting TPM Certificate: How to Fix the "Missing Stored Keyset" Error&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/askds" target="_blank" rel="noopener noreferrer"&gt;Ask the Directory Services Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/mdhabibnawaz/1129389" target="_blank" rel="noopener noreferrer"&gt;mdhabibnawaz&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains the "missing stored keyset" error in TPM certificates, which occurs when applications can’t access necessary keys due to corrupted registry entries, permission issues, or misconfiguration. It provides a step-by-step troubleshooting guide: updating Windows and TPM firmware, verifying TPM status, checking certificate keysets, repairing certificates, resetting permissions, and re-enrolling certificates if needed. The article emphasizes maintaining backups, staying updated, and consulting official documentation or support if problems persist, highlighting the importance of proper TPM management for system security.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/ahead-helps-us-launch-the-strategic-azure-storage-services-partner-program/4516355" target="_blank" rel="noopener noreferrer"&gt;AHEAD helps us launch the Strategic Azure Storage Services Partner Program&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/karautenmsft/70874" target="_blank" rel="noopener noreferrer"&gt;karautenMSFT&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; AHEAD, a premier Microsoft Cloud and AI Partner, has helped launch the Strategic Azure Storage Services Partner (SASS) Program, leveraging its extensive expertise in infrastructure, storage, and cloud solutions. AHEAD provides assessments, migration services, and access to best-of-breed ISV partners, ensuring Azure Storage customers receive optimal solutions for their needs. With over 1,000 Microsoft certifications and global reach, AHEAD delivers tailored guidance and implementation, driving innovation and resiliency for Azure users. Their collaboration has shaped the SASS channel strategy, benefiting customers with enhanced consulting, design, and migration services.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurestorageblog/prefix-scoped-access-for-user-delegation-sas-is-now-generally-available-for-azur/4516010" target="_blank" rel="noopener noreferrer"&gt;Prefix-scoped access for User Delegation SAS is now generally available for Azure Blob Storage&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurestorageblog" target="_blank" rel="noopener noreferrer"&gt;Azure Storage&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/despindola/3471420" target="_blank" rel="noopener noreferrer"&gt;despindola&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Prefix-scoped access for User Delegation SAS is now generally available in all Azure regions for Azure Blob and Data Lake Storage. This feature allows administrators to grant access to all blobs within a specific prefix or virtual directory, rather than at the container or individual blob level. This simplifies permission management, especially for multi-tenant or organized data structures, and reduces the need for multiple tokens. Prefix-scoped SAS incurs no additional cost and is supported in the latest REST API and .NET SDK versions. Microsoft recommends using prefix-scoped SAS for more granular access control when SAS is required.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/filecab/announcing-native-powershell-tooling-for-refs-snapshots/4516377" target="_blank" rel="noopener noreferrer"&gt;Announcing Native PowerShell Tooling for ReFS Snapshots&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/windows-server/blog/filecab" target="_blank" rel="noopener noreferrer"&gt;Storage at Microsoft&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/christina_curlette/3352446" target="_blank" rel="noopener noreferrer"&gt;Christina_Curlette&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has released an open-source PowerShell module for native ReFS snapshot management, streamlining scripting and automation tasks. The module wraps the refsutil streamsnapshot utility, offering cmdlets for creating, listing, deleting, comparing, restoring, and exporting file-level snapshots with pipeline support and structured error handling. Designed for Windows Server 2019+ and Windows 10+, it simplifies operational safety, automated comparison, maintenance, and development workflows. Documentation and examples are available on GitHub, enabling easier integration of ReFS snapshots into PowerShell-based storage management.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/public-preview-managed-identity-support-for-graphical-session-recording/4513139" target="_blank" rel="noopener noreferrer"&gt;Public Preview: Managed Identity support for graphical session recording&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/aarontsang/2719570" target="_blank" rel="noopener noreferrer"&gt;aarontsang&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Bastion now supports managed identities for graphical session recording in public preview. This feature allows Bastion to authenticate directly to an Azure storage account for saving session recordings using either a system-assigned or user-assigned managed identity, eliminating the need for manual credential management. Authentication is handled via Microsoft Entra ID, simplifying setup and aligning with Zero Trust principles. Administrators can centrally control access with Azure RBAC, streamlining management across multiple deployments. To use this feature, enable managed identity, assign appropriate roles, and configure the storage account as outlined in the Azure Portal.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/general-availability-of-default-ruleset-drs-2-2-for-web-application-firewall/4515762" target="_blank" rel="noopener noreferrer"&gt;General availability of Default Ruleset (DRS) 2.2 for Web Application Firewall&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener noreferrer"&gt;Azure Network Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/andrewmathu/1367090" target="_blank" rel="noopener noreferrer"&gt;andrewmathu&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/29/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Web Application Firewall (WAF) now supports Default Rule Set (DRS) 2.2 for Azure Front Door and Application Gateway, offering enhanced security based on OWASP CRS 3.3.4 and Microsoft Threat Intelligence. DRS 2.2 improves detection for web vulnerabilities, reduces false positives with configurable paranoia levels, and provides broader, modern protection. Upgrading resets customizations, so planning is advised. DRS 2.2 delivers consistent and advanced security for internet-facing applications, enabling organizations to better defend against evolving threats while maintaining operational flexibility.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/join-us-at-microsoft-azure-infra-summit-2026-for-deep-technical-azure-infrastruc/4509368" target="_blank" rel="noopener noreferrer"&gt;Join us at Microsoft Azure Infra Summit 2026 for deep technical Azure infrastructure content&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/pierre_roman/140097" target="_blank" rel="noopener noreferrer"&gt;Pierre_Roman&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/07/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Azure Infra Summit 2026 is a free, virtual event for IT professionals, platform engineers, SREs, and infrastructure teams, held May 19-21, 2026. Focused on advanced, engineering-led sessions (L300-400), it offers deep technical content on Azure infrastructure topics like hybrid operations, networking, storage, observability, and governance. The event emphasizes practical guidance, real-world examples, and peer-to-peer learning, aiming to equip attendees with actionable insights for building and operating Azure environments. Register at https://aka.ms/MAIS-Reg.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/itopstalkblog/internet-information-services-learning-path/4511332" target="_blank" rel="noopener noreferrer"&gt;Internet Information Services Learning Path&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/itopstalk/blog/itopstalkblog" target="_blank" rel="noopener noreferrer"&gt;ITOps Talk&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/orinthomas/251291" target="_blank" rel="noopener noreferrer"&gt;OrinThomas&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/14/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The "Internet Information Services Learning Path" provides a structured curriculum for learning to deploy, configure, manage, secure, and troubleshoot IIS on Windows Server and client systems. Covering both legacy and modern use cases, the modules include IIS installation, website and application configuration, administration, security best practices, and performance optimization. The learning path is relevant to most supported IIS versions and includes new features for Windows Server 2025, offering a comprehensive guide for effective IIS management and maintenance.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/from-discovery-to-executive-presentation-plan-your-migration-with-azure-migrate-/4508500" target="_blank" rel="noopener noreferrer"&gt;From Discovery to Executive Presentation: Plan Your Migration with Azure Migrate in Hours&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/shikher/934388" target="_blank" rel="noopener noreferrer"&gt;Shikher&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/03/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Migrate streamlines the migration planning process by consolidating environment discovery, workload tagging, application grouping, and executive reporting into a single workflow. Using the Azure Migrate Collector, organizations can quickly scan their infrastructure offline, classify assets, and auto-group workloads into applications. The tool generates executive-ready PowerPoint reports with modernization, migration recommendations, security insights, and cost analysis, replacing manual processes that previously took weeks. Application-level assessments provide detailed migration strategies, supporting informed decision-making. This approach accelerates Azure migration planning for IT teams and partners, enabling rapid, data-driven presentations to stakeholders.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azuremigrationblog/production-cutover-in-cloud-native-migrations/4509924" target="_blank" rel="noopener noreferrer"&gt;Production Cutover in Cloud-Native Migrations&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azuremigrationblog" target="_blank" rel="noopener noreferrer"&gt;Azure Migration and Modernization&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/dhruti/3444042" target="_blank" rel="noopener noreferrer"&gt;dhruti&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article highlights that production cutover during cloud-native migrations, such as to Azure Kubernetes Service (AKS), involves more than just successful deployment—it requires coordinated runtime orchestration across compute, networking, storage, and integrations. Operational issues often arise only after traffic is routed, emphasizing the need for thorough validation and alignment of all dependencies, including disaster recovery, batch processing, and security. Effective cutover is an orchestrated event ensuring runtime readiness, not just deployment, with success dependent on continuous validation and system-wide coordination throughout the migration lifecycle.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/fasttrackforazureblog/deploying-dns-private-resolvers-and-private-dns-zones-for-azure-ai-supported-ser/4515645" target="_blank" rel="noopener noreferrer"&gt;Deploying DNS Private Resolvers and Private DNS Zones for Azure AI Supported Services&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/fasttrack/blog/fasttrackforazureblog" target="_blank" rel="noopener noreferrer"&gt;FastTrack for Azure&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/munieswar_avulapalli/1127849" target="_blank" rel="noopener noreferrer"&gt;munieswar_avulapalli&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to deploy DNS Private Resolvers and Private DNS Zones for Azure AI-supported services within private networks. Private DNS Zones enable secure, internal domain resolution across global Azure VNets, while DNS Private Resolvers provide managed, regional DNS resolution between Azure and on-premises environments. It highlights the importance of linking VNets to DNS zones for name resolution and clarifies common misconceptions about VNet peering. The article includes a step-by-step end-to-end flow for DNS queries and emphasizes connectivity verification tools like PsPing. Public networks and DNS zones are mentioned but not discussed in detail.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurecompute/ai-powered-downtime-investigation-for-azure-vms-automating-root-cause-analysis/4513473" target="_blank" rel="noopener noreferrer"&gt;AI-Powered Downtime Investigation for Azure VMs: Automating Root Cause Analysis&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurecompute" target="_blank" rel="noopener noreferrer"&gt;Azure Compute&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/jon_andoni_baranda/3305512" target="_blank" rel="noopener noreferrer"&gt;Jon_Andoni_Baranda&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article describes how Microsoft Azure uses AI to automate and accelerate root cause analysis for virtual machine downtime. Leveraging the Model Context Protocol (MCP), the system automatically investigates incidents by querying live telemetry, analyzing logs, building recovery timelines, and generating structured reports. This reduces manual investigation time from up to an hour to under five minutes, ensures consistent, thorough analysis for every incident, and streamlines ownership assignment. The AI system encodes expert knowledge, allowing engineers to focus on decision-making rather than data gathering, significantly improving efficiency and incident response across Azure's infrastructure.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/designing-outbound-connectivity-for-private-subnets-in-azure/4514258" target="_blank" rel="noopener noreferrer"&gt;Designing Outbound Connectivity for "Private Subnets" in Azure&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alexeyn1/2185710" target="_blank" rel="noopener noreferrer"&gt;alexeyn1&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/23/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Private subnets in Azure disable default outbound internet access, requiring architects to deliberately design outbound connectivity. Three main patterns exist: NAT Gateway for scalable, predictable egress; Azure Firewall for secure, governed, and audited flows; and Load Balancer Outbound for legacy scenarios. Each has strengths and limitations, with NAT Gateway suited for simple, high-scale egress, Azure Firewall for compliance and security, and Load Balancer for transitional or legacy architectures. The key principle is to choose the outbound method based on workload risk and requirements, ensuring intentional, documented, and governed internet access.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/running-multimedia-ai-models-on-container-apps-with-serverless-gpu-a100--t4/4513063" target="_blank" rel="noopener noreferrer"&gt;Running multimedia AI models on Container Apps with Serverless GPU (A100 &amp;amp; T4)&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/cis/blog/coreinfrastructureandsecurityblog" target="_blank" rel="noopener noreferrer"&gt;Core Infrastructure and Security&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/houssemdellai/632520" target="_blank" rel="noopener noreferrer"&gt;HoussemDellai&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article guides users on deploying multimedia AI models, like ComfyUI, on Azure Container Apps using serverless GPU profiles (A100 &amp;amp; T4). It details infrastructure provisioning with Terraform, model downloading, and monitoring via Azure Log Analytics. Key notes cover storage setup, manual creation of GPU profiles, and protocol choices (SMB vs NFS). Cost optimization tips are provided by right-sizing resources. Users can run text-to-image and text-to-video workflows. The article includes disclaimers about the sample scripts' support and reliability, and highlights the need for manual steps due to Terraform limitations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/announcing-private-preview-deploy-ansible-playbooks-using-azure-policy-via-machi/4507848" target="_blank" rel="noopener noreferrer"&gt;Announcing Private Preview: Deploy Ansible Playbooks using Azure Policy via Machine Configuration&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/alinetran/1972499" target="_blank" rel="noopener noreferrer"&gt;alinetran&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/01/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft has announced a private preview allowing Ansible playbooks to be deployed via Azure Policy using Machine Configuration on Azure and Azure Arc-enabled Linux machines. This integration enables organizations to automate configuration management and compliance enforcement for Linux servers without needing an Ansible control node. The solution offers centralized policy-based governance, drift detection, and automatic remediation, with compliance results visible in Azure dashboards. This unifies management across Windows and Linux environments, whether in the cloud, on-premises, or at the edge, leveraging existing Ansible investments within Azure Arc’s unified security and compliance framework.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurearcblog/automating-arc-enabled-sql-server-license-type-configuration-with-azure-policy/4500326" target="_blank" rel="noopener noreferrer"&gt;Automating Arc-enabled SQL Server license type configuration with Azure Policy&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurearcblog" target="_blank" rel="noopener noreferrer"&gt;Azure Arc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/tomclaes/1562753" target="_blank" rel="noopener noreferrer"&gt;TomClaes&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/12/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explains how to automate the configuration of SQL Server license types on Azure Arc-enabled resources using Azure Policy. It details steps for deploying and assigning policies via PowerShell, automating remediation tasks, and handling role assignments. The approach supports both existing (brownfield) and new (greenfield) environments, ensuring compliance and enabling pay-as-you-go billing. The policy can standardize, migrate, or selectively update license types at scale, and includes mechanisms for recurring billing consent. Tools for monitoring compliance, such as KQL queries and Azure Workbooks, are also provided.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurevirtualdesktopblog/app-attach-in-azure-virtual-desktop-now-supports-windows-server-2025-and-windows/4511729" target="_blank" rel="noopener noreferrer"&gt;App attach in Azure Virtual Desktop now supports Windows Server 2025 and Windows Server 2022&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurevirtualdesktopblog" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/michelle_moya/3222392" target="_blank" rel="noopener noreferrer"&gt;Michelle_Moya&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/16/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; App attach in Azure Virtual Desktop now supports Windows Server 2025 and 2022, allowing dynamic delivery of MSIX, AppX, and App-V applications to session hosts without embedding them in base images. This reduces image sprawl, simplifies management, and enables continued use of existing App-V packages as support for App-V Server ends in April 2026. Organizations can more easily onboard and update applications, manage a single golden image, and benefit from streamlined app delivery, especially in Azure Virtual Desktop Hybrid environments. For more details, users are encouraged to consult the App attach documentation.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurevirtualdesktopblog/announcing-public-preview-of-redundant-tcp-support-for-rdp-multipath-for-azure-v/4511241" target="_blank" rel="noopener noreferrer"&gt;Announcing public preview of redundant TCP support for RDP Multipath for Azure Virtual Desktop&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurevirtualdesktopblog" target="_blank" rel="noopener noreferrer"&gt;Azure Virtual Desktop&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/rinku_dalwani/1321337" target="_blank" rel="noopener noreferrer"&gt;Rinku_Dalwani&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Desktop (AVD) now supports redundant TCP transport paths for RDP Multipath, available in public preview. This enhancement improves session resiliency by enabling multiple network paths—both UDP and TCP—for reliable connectivity, even in restrictive or UDP-restricted environments. If a connection path degrades or fails, AVD automatically switches to the next best route without user intervention, ensuring session continuity. The feature is enabled by default for host pools in the validation ring and is supported on Windows App version 2.0.1069.0 or later. Users can opt out if needed.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurepaasblog/update-host-keys-to-use-sftp-on-azure-blob-storage/4515483" target="_blank" rel="noopener noreferrer"&gt;Update host keys to use SFTP on Azure Blob Storage&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurepaasblog" target="_blank" rel="noopener noreferrer"&gt;Azure PaaS&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/luisfilipe/741199" target="_blank" rel="noopener noreferrer"&gt;LuisFilipe&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Blob Storage users may receive alerts to update SFTP host keys, which are used to verify server identity for secure connections. To avoid disruptions, users should update their trusted hosts list with new host keys, either by pre-loading both current and next keys or by accepting the new key after rotation. The article provides guidance on listing SFTP-enabled storage accounts, identifying connected clients, and automating updates. Monitoring and diagnostic tools can help track SFTP connections, and users authenticating via SSH key must ensure their known_hosts file is updated to maintain uninterrupted access.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurepaasblog/leveraging-azure-resource-graph-queries-for-azure-redis-configuration/4509826" target="_blank" rel="noopener noreferrer"&gt;Leveraging Azure Resource Graph Queries for Azure Redis Configuration&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurepaasblog" target="_blank" rel="noopener noreferrer"&gt;Azure PaaS&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/soma_sekhara_raju/2181620" target="_blank" rel="noopener noreferrer"&gt;Soma_Sekhara_Raju&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/21/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article outlines how Azure Resource Graph Explorer streamlines the review of Azure Redis configurations across subscriptions using Kusto Query Language (KQL). It details queries for SKU tier, Redis version, TLS settings, public network access, and Microsoft Entra authentication, offering rapid, centralized visibility without the need for custom scripts. This approach accelerates audits, supports security compliance, and simplifies management compared to traditional methods like PowerShell or Azure CLI. The same methodology can be applied to other Azure resource types by querying their schemas.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/ai-at-every-career-stage-start-grow-lead/4494109" target="_blank" rel="noopener noreferrer"&gt;AI at every career stage (start, grow, lead)&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/ashleymastershall/2703917" target="_blank" rel="noopener noreferrer"&gt;AshleyMastersHall&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/28/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The article explores how AI can support professionals at every career stage, from newcomers to senior leaders. It provides practical examples of using AI tools like Microsoft Copilot to accelerate learning, streamline workflows, and enhance decision-making. Early-career individuals can use AI for onboarding and communication; midcareer professionals can scale impact and manage complexity; experienced leaders can leverage AI for strategy, coaching, and process improvement. The article also recommends Microsoft’s AI Skills Navigator for tailored AI skill development, emphasizing that it’s never too early or late to adopt AI in your career.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/skills-hub-blog/what%E2%80%99s-new-in-ai-skills-navigator-april-2026/4511273" target="_blank" rel="noopener noreferrer"&gt;What’s new in AI Skills Navigator: April 2026&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftlearn/blog/microsoftlearnblog" target="_blank" rel="noopener noreferrer"&gt;Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/priya_v/3438921" target="_blank" rel="noopener noreferrer"&gt;Priya_V&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/20/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The April 2026 update to AI Skills Navigator introduces improvements based on user feedback, including enhanced skilling playlists for clearer, scalable learning paths, and more flexible skilling sessions with better progress tracking and control for learners. The platform now features a directory for Microsoft Training Services Partners to support tailored, local training, and offers new certifications like AI Transformation Leader and AI Business Professional. All training and credentials are unified in one place, making it easier to build, track, and validate AI skills for individuals and organizations.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/azure-vnet-data-gateway-for-secure-power-bi--power-platform-access-in-enterprise/4511410" target="_blank" rel="noopener noreferrer"&gt;Azure VNet Data Gateway for Secure Power BI &amp;amp; Power Platform Access in Enterprises&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/kirankumar_manchiwar04/2465236" target="_blank" rel="noopener noreferrer"&gt;kirankumar_manchiwar04&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/22/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; The Azure VNet Data Gateway is a Microsoft-managed service that enables secure, private access to data sources for Power BI, Power Platform, and Microsoft Fabric without customer-managed infrastructure. Running within a delegated Azure Virtual Network subnet, it eliminates the need for VMs or manual maintenance, ensuring all data traffic stays on the Azure backbone. The gateway supports enterprise-scale deployments, enforces private-only connectivity, and aligns with Zero Trust and governance requirements, making it ideal for organizations prioritizing security and operational efficiency. Setup involves configuring the VNet, private endpoints, and integrating with Power Platform or Power BI.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/azurenetworkingblog/a-demonstration-of-virtual-network-tap/4479136" target="_blank" rel="noopener noreferrer"&gt;A demonstration of Virtual Network TAP&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog" target="_blank" rel="noopener noreferrer"&gt;Azure Networking&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/marc%20de%20droog/198661" target="_blank" rel="noopener noreferrer"&gt;Marc de Droog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/15/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Azure Virtual Network Terminal Access Point (VTAP), in public preview as of April 2026, enables agentless, out-of-band copying of full network traffic (including payloads) from designated Azure VMs to traffic analytics tools or collectors, using VXLAN encapsulation. Unlike VNET Flow Logs, which only capture metadata, VTAP provides full packet capture without impacting VM performance. The article demonstrates VTAP’s functionality by capturing and analyzing traffic from a source VM to a destination VM running Wireshark. VTAP integrates with third-party security and analytics solutions available on the Azure Marketplace.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/speed-where-it-matters-how-microsoft-intune-helps-it-prioritize-time-sensitive-a/4515942" target="_blank" rel="noopener noreferrer"&gt;Speed where it matters: How Microsoft Intune helps IT prioritize time-sensitive actions&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/30/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; Microsoft Intune prioritizes and accelerates time-sensitive device updates, with 90% of actions completed in under an hour. Contrary to the “8-hour latency” myth, this delay applies only to routine maintenance check-ins, not critical updates. Intune uses notification-based, priority-driven processing to ensure high-impact actions like security and compliance changes are delivered quickly. Recent improvements focus on prioritization, resilience during bursts of changes, timely notifications, and optimized maintenance check-ins, enhancing speed and predictability for IT admins and security teams without requiring workflow changes.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;
&lt;DIV class="card"&gt;
&lt;H2&gt;&lt;A href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/unpacking-endpoint-management-is-back---and-we%E2%80%99ve-got-a-lot-to-talk-about/4514599" target="_blank" rel="noopener noreferrer"&gt;Unpacking Endpoint Management is back - and we’ve got a lot to talk about&lt;/A&gt;&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Team Blog:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/category/microsoftintune/blog/intunecustomersuccess" target="_blank" rel="noopener noreferrer"&gt;Intune Customer Success&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Author:&lt;/STRONG&gt; &lt;A href="https://techcommunity.microsoft.com/users/intune_support_team/226779" target="_blank" rel="noopener noreferrer"&gt;Intune_Support_Team&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Published:&lt;/STRONG&gt; 04/24/2026&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary:&lt;/STRONG&gt; "Unpacking Endpoint Management," a candid web series focused on practical strategies for managing and securing endpoints, is back with new episodes featuring Microsoft Intune experts and guest practitioners. Hosted by Danny Guillory and new co-host Rachelle Blanchard, the series offers live discussions, real-world insights, and answers to audience questions. Upcoming topics include policy transitions from hybrid to cloud-native. Episodes are streamed live on multiple platforms, and the community is encouraged to participate, submit questions, and suggest topics, ensuring content remains relevant and actionable for real-world endpoint management challenges.&lt;/P&gt;
&lt;IMG style="max-width: 10%; height: auto;" src="data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAEsAAABLCAMAAAAPkIrYAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAHtQTFRFAAAA8lAi8lAi8lAi8lAif7oAf7oAf7oAf7oA8lAi8lAi8lAif7oAf7oAf7oA8lAi8lAif7oAf7oA8lAif7oAAaTvAaTvAaTvAaTv/7kB/7kB/7kB/7kBAaTvAaTvAaTv/7kB/7kB/7kBAaTvAaTv/7kB/7kBAaTv/7kBfMz9mwAAACl0Uk5TADt7ag4Oans7/90eHt3/wBoawAMDDh4aAwMaHg5q3cDA3Wp7//97OzspjeVtAAAAlElEQVR4nO3WqwqAQBSEYY+uWiyCBm/J4Pu/jRhMBi8IFsHLCoZ9gCkbRGby8OVfHHuTD1sCQBHtw89hLDdE1h4h6zxp0aJFixYtWrT+bXnA8mWL5QbWZSyFLG9NHmTd9hszhY05ZrAxB2NVsEWnPECf3lg1+F3HXAQKWB0tWrRo0aJFi9a/rUYjaymR5bb2G/OL1guM9e5M8yBd4gAAAABJRU5ErkJggg==" alt="Embedded Image" /&gt;&lt;/DIV&gt;</description>
      <pubDate>Wed, 13 May 2026 03:25:05 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/check-this-out-cto-guide-april-2026/ba-p/4519149</guid>
      <dc:creator>TysonPaul</dc:creator>
      <dc:date>2026-05-13T03:25:05Z</dc:date>
    </item>
    <item>
      <title>Triggering Azure Functions from Blob Storage Using Event Grid</title>
      <link>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/triggering-azure-functions-from-blob-storage-using-event-grid/ba-p/4518184</link>
      <description>&lt;H1&gt;Overview&lt;/H1&gt;
&lt;P&gt;Modern workloads increasingly rely on reacting to files as soon as they arrive in Azure Blob Storage. While Azure provides multiple ways to trigger computing from blob operations, choosing the right event-driven pattern is not always straightforward—especially in enterprise environments where latency, reliability, and operational transparency all matter.&lt;/P&gt;
&lt;H1&gt;Introduction&lt;/H1&gt;
&lt;P&gt;Hello everyone, Andrew Coughlin here, a Cloud Solution Architect specializing in Infrastructure as a Service on Azure.&lt;/P&gt;
&lt;P&gt;In this post, I am going to walk through how to implement a direct Event Grid to Azure Function pattern. This is the simplest and lowest-latency option when you want real-time reactions to blob uploads.&lt;/P&gt;
&lt;H1&gt;Scenario&lt;/H1&gt;
&lt;P&gt;Suppose you have a workload where files are continuously uploaded into Azure Blob Storage and you need to trigger downstream processing.&lt;/P&gt;
&lt;P&gt;Typical requirements include avoiding polling, achieving near real-time execution, and maintaining strong observability.&lt;/P&gt;
&lt;H1&gt;Architecture&lt;/H1&gt;
&lt;img /&gt;
&lt;P&gt;Blob Storage → Event Grid → Azure Function&lt;/P&gt;
&lt;H1&gt;The Process&lt;/H1&gt;
&lt;OL&gt;
&lt;LI&gt;Create and deploy the Azure Function&lt;BR /&gt;2. Validate the function&lt;BR /&gt;3. Create the Event Grid subscription&lt;BR /&gt;4. Upload a blob and validate the flow&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;Step 1 — Create and Deploy the Azure Function (Function First)&lt;/H1&gt;
&lt;P&gt;The Function must exist before creating the Event Grid subscription because Event Grid validates the endpoint during creation.&lt;/P&gt;
&lt;P&gt;Steps:&lt;BR /&gt;1. Create a Function App (Consumption plan + storage account)&lt;BR /&gt;2. Open Function App → Functions → Create&lt;BR /&gt;3. Select Event Grid trigger&lt;BR /&gt;4. Provide function name&lt;BR /&gt;5. Create and save the function&lt;/P&gt;
&lt;P&gt;Note: A storage account is required for all Function Apps and is created or selected during app creation.&lt;/P&gt;
&lt;H1&gt;Implement the Function&lt;/H1&gt;
&lt;P&gt;Below are examples of the HandleBlobCreatedEvent.cs, EventGridListenerFunction.csproj, Program.cs, and host.json&lt;/P&gt;
&lt;P&gt;Example of &lt;STRONG&gt;HandleBlobCreatedEvents.cs&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;namespace EventGridListenerFunction
{
    public class HandleBlobCreatedEvent
    {
        private readonly ILogger _logger;

        public HandleBlobCreatedEvent(ILoggerFactory loggerFactory)
        {
            _logger = loggerFactory.CreateLogger&amp;lt;HandleBlobCreatedEvent&amp;gt;();
        }

        [Function(nameof(HandleBlobCreatedEvent))]
        public void Run([EventGridTrigger] string data)
        {
            // Event Grid sends events as a JSON array
            using var doc = JsonDocument.Parse(data);

            if (doc.RootElement.ValueKind == JsonValueKind.Array)
            {
                foreach (var ev in doc.RootElement.EnumerateArray())
                {
                    HandleOneEvent(ev);
                }
            }
            else
            {
                HandleOneEvent(doc.RootElement);
            }
        }

        private void HandleOneEvent(JsonElement ev)
        {
            if (ev.TryGetProperty("eventType", out var eventType))
                _logger.LogInformation("EventType: {EventType}", eventType.GetString());

            if (ev.TryGetProperty("subject", out var subject))
                _logger.LogInformation("Subject: {Subject}", subject.GetString());

            if (ev.TryGetProperty("data", out var dataObj)
                &amp;amp;&amp;amp; dataObj.ValueKind == JsonValueKind.Object
                &amp;amp;&amp;amp; dataObj.TryGetProperty("url", out var urlProp))
            {
                _logger.LogInformation("Blob URL: {Url}", urlProp.GetString());
            }
            else
            {
                _logger.LogWarning("No data.url found in payload.");
            }
        }
    }
}
&lt;/LI-CODE&gt;
&lt;P&gt;Example of &lt;STRONG&gt;Program.cs&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;var builder = FunctionsApplication.CreateBuilder(args);

builder.ConfigureFunctionsWebApplication();

builder.Services
    .AddApplicationInsightsTelemetryWorkerService()
    .ConfigureFunctionsApplicationInsights();

builder.Build().Run();
&lt;/LI-CODE&gt;
&lt;P&gt;Example of &lt;STRONG&gt;Host.json&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{
    "version": "2.0",
    "logging": {
        "applicationInsights": {
            "samplingSettings": {
                "isEnabled": true,
                "excludedTypes": "Request"
            },
            "enableLiveMetricsFilters": true
        }
    }
}
&lt;/LI-CODE&gt;
&lt;P&gt;Example of&amp;nbsp;&lt;STRONG&gt;EventGridListenerFunction.csproj&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang="csharp"&gt;&amp;lt;Project Sdk="Microsoft.NET.Sdk"&amp;gt;

  &amp;lt;PropertyGroup&amp;gt;
    &amp;lt;TargetFramework&amp;gt;net8.0&amp;lt;/TargetFramework&amp;gt;
    &amp;lt;AzureFunctionsVersion&amp;gt;v4&amp;lt;/AzureFunctionsVersion&amp;gt;
    &amp;lt;OutputType&amp;gt;Exe&amp;lt;/OutputType&amp;gt;
    &amp;lt;ImplicitUsings&amp;gt;enable&amp;lt;/ImplicitUsings&amp;gt;
    &amp;lt;Nullable&amp;gt;enable&amp;lt;/Nullable&amp;gt;
  &amp;lt;/PropertyGroup&amp;gt;

  &amp;lt;ItemGroup&amp;gt;
    &amp;lt;FrameworkReference Include="Microsoft.AspNetCore.App" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.23.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker" Version="2.51.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="2.50.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.EventGrid" Version="3.5.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="2.1.0" /&amp;gt;
    &amp;lt;PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.7" /&amp;gt;
  &amp;lt;/ItemGroup&amp;gt;

&amp;lt;/Project&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;You will still need to publish this to the function app, which is outlined: &lt;A href="https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows" target="_blank"&gt;Deployment technologies in Azure Functions | Microsoft Learn&lt;/A&gt;.&lt;/P&gt;
&lt;H1&gt;Step 2 — Create the Event Grid Subscription&lt;/H1&gt;
&lt;P&gt;Navigate to the &lt;STRONG&gt;Storage Account&lt;/STRONG&gt; → &lt;STRONG&gt;Events &lt;/STRONG&gt;→ Create Event Subscription and select BlobCreated events targeting the Function.&lt;/P&gt;
&lt;H1&gt;Step 3 — Validate&lt;/H1&gt;
&lt;P&gt;Upload a blob and confirm the Function triggers and logs event data.&lt;/P&gt;
&lt;H1&gt;Common Pitfalls&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;Creating the subscription before the function exists&lt;BR /&gt;• Storage account misconfiguration&lt;BR /&gt;• Networking restrictions preventing Function access to storage&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;The direct Event Grid to Azure Function pattern provides a simple and reliable approach for real-time blob processing without additional infrastructure.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Disclaimer&lt;/P&gt;
&lt;P&gt;The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 20:24:17 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/triggering-azure-functions-from-blob-storage-using-event-grid/ba-p/4518184</guid>
      <dc:creator>AndrewCoughlin</dc:creator>
      <dc:date>2026-05-11T20:24:17Z</dc:date>
    </item>
  </channel>
</rss>

