JSON Web Token (JWT) Validation in Azure Application Gateway: Secure Your APIs at the Gate
Hello Folks! In a Zero Trust world, identity becomes the control plane and tokens become the gatekeepers. Recently, in an E2E conversation with my colleague Vyshnavi Namani, we dug into a topic every ITPro supporting modern apps should understand: JSON Web Token (JWT) validation, specifically using Azure Application Gateway. In this post we’ll distill that conversation into a technical guide for infrastructure pros who want to secure APIs and backend workloads without rewriting applications. Why IT Pros Should Care About JWT Validation JSON Web Token (JWT) is an open standard token format (RFC 7519) used to represent claims or identity information between two parties. JWTs are issued by an identity provider (Microsoft Entra ID) and attached to API requests in an HTTP Authorization: Bearer <token> header. They are tamper-evident and include a digital signature, so they can be validated cryptographically. JWT validation in Azure Application Gateway means the gateway will check every incoming HTTPS request for a valid JWT before it forwards the traffic to your backend service. Think of it like a bouncer or security guard at the club entrance: if the client doesn’t present a valid “ID” (token), they don’t get in. This first-hop authentication happens at the gateway itself. No extra custom auth code is needed in your APIs. The gateway uses Microsoft Entra ID (Azure AD) as the authority to verify the token’s signature and claims (issuer/tenant, audience, expiry, etc.). By performing token checks at the edge, Application Gateway ensures that only authenticated requests reach your application. If the JWT is missing or invalid, the gateway could deny the request depending on your configuration (e.g. returns HTTP 401 Unauthorized) without disturbing your backend. If the JWT is valid, the gateway can even inject an identity header (x-msft-entra-identity) with the user’s tenant and object ID before passing the call along 9 . This offloads authentication from your app and provides a consistent security gate in front of all your APIs. Key benefits of JWT validation at the gateway: Stronger security at the edge: The gateway checks each token’s signature and key claims, blocking bad tokens before they reach your app. No backend work needed: Since the gateway handles JWT validation, your services don’t need token‑parsing code. Therefore, there is less maintenance and lower CPU use. Stateless and scalable: Every request brings its own token, so there’s no session management. Any gateway instance can validate tokens independently, and Azure handles key rotation for you. Simplified compliance: Centralized JWT policies make it easier to prove only authorized traffic gets through, without each app team building their own checks. Defense in depth: Combine JWT validation with WAF rules to block malicious payloads and unauthorized access. In short, JWT validation gives your Application Gateway the smarts to know who’s knocking at the door, and to only let the right people in. How JWT Validation Works At its core, JWT validation uses a trusted authority (for now it uses Microsoft Entra ID) to issue a token. That token is presented to the Application Gateway, which then validates: The token is legitimate The token was issued by the expected tenant The audience matches the resource you intend to protect If all checks pass, the gateway returns a 200 OK and the request continues to your backend. If anything fails, the gateway returns 403 Forbidden, and your backend never sees the call. You can check code and errors here: JSON Web Token (JWT) validation in Azure Application Gateway (Preview) Setting Up JWT Validation in Azure Application Gateway The steps to configure JWT validation in Azure Application Gateway are documented here: JSON Web Token (JWT) validation in Azure Application Gateway (Preview) Use Cases That Matter to IT Pros Zero Trust Multi-Tenant Workloads Geolocation-Based Access AI Workloads Next Steps Identify APIs or workloads exposed through your gateways. Audit whether they already enforce token validation. Test JWT validation in a dev environment. Integrate the policy into your Zero Trust architecture. Collaborate with your dev teams on standardizing audiences. Resources Azure Application Gateway JWT Validation https://learn.microsoft.com/azure/application-gateway/json-web-token-overview Microsoft Entra ID App Registrations https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app Azure Application Gateway Documentation https://learn.microsoft.com/azure/application-gateway/overview Azure Zero Trust Guidance https://learn.microsoft.com/security/zero-trust/zero-trust-overview Azure API Management and API Security Best Practices https://learn.microsoft.com/azure/api-management/api-management-key-concepts Microsoft Identity Platform (Tokens, JWT, OAuth2 https://learn.microsoft.com/azure/active-directory/develop/security-tokens Using Curl with JWT Validation Scenarios https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-an-access-token Final Thoughts JWT validation in Azure Application Gateway is a powerful addition to your skills for securing cloud applications. It brings identity awareness right into your networking layer, which is a huge win for security and simplicity. If you manage infrastructure and worry about unauthorized access to your APIs, give it a try. It can drastically reduce the “attack surface” by catching invalid requests early. As always, I’d love to hear about your experiences. Have you implemented JWT validation on App Gateway, or do you plan to? Let me know how it goes! Feel free to drop a comment or question. Cheers! Pierre Roman
Drive Microsoft 365 renewals and upgrades ahead of pricing and packaging updates
We recently announced that in 2026, we’re expanding the availability of security and management capabilities to the commercial Microsoft 365 suites. Along with these added features, there will also be a global price update to these suites across all purchasing channels effective July 1, 2026. As a Cloud Solution Provider (CSP) partner, this is a key moment for you to drive renewals and upgrades before July 1, 2026. Learn more about the pricing updates, as well as the promotions, offers, and go-to-market resources you can use to support your customer conversations. Learn more here Join the conversation by following the Cloud Solution Provider (CSP) partners discussion board where both direct bill and indirect resellers collaborate, troubleshoot, and stay informed on the latest developments in the CSP ecosystem.
Beyond Visibility: Hybrid Identity Protection with Microsoft Entra & Defender for Identity
In a previous blog, we explored how Microsoft Entra and Defender for Identity form a powerful duo for hybrid identity protection. But visibility alone isn’t enough. To truly defend your organization, you need to operationalize that visibility—turning insights into action, and strategy into security outcomes. Let’s explore how to take your hybrid identity protection to the next level. From Detection to Response: Building a Unified Identity SOC Security teams often struggle with fragmented signals across cloud and on-prem environments. Defender for Identity and Entra solve this by feeding identity-based alerts into Microsoft 365 Defender and Microsoft Sentinel, enabling: Centralized incident response: Investigate identity threats alongside endpoint, email, and cloud signals. Automated playbooks: Trigger actions like disabling accounts or enforcing stricter access policies. Advanced hunting: Use KQL queries to uncover stealthy attacks like domain dominance or golden ticket abuse. This unified approach transforms your SOC from reactive to proactive. Strengthening Identity Posture with Entra ID Protection Once threats are detected, Entra ID Protection helps you contain and prevent them: Risk-based Conditional Access: Automatically block or challenge risky sign-ins based on Defender for Identity signals. User risk remediation: Force password resets or MFA enrollment for compromised accounts. Policy tuning: Use insights from past incidents to refine access controls and reduce false positives. This adaptive security model ensures that your defenses evolve with the threat landscape. To learn more about these and additional policy-driven security mechanisms, please visit: Risk policies - Microsoft Entra ID Protection | Microsoft Learn Least Privilege at Scale with Entra ID Governance Identity protection isn’t just about stopping attacks—it’s about minimizing the blast radius. Entra ID Governance helps enforce least privilege by: Automating access reviews: Regularly audit who has access to sensitive resources. Just-in-time access: Grant temporary permissions only when needed. Entitlement management: Control access to apps and groups with policy-based workflows. By reducing unnecessary access, you make lateral movement harder for attackers—and easier for auditors. To learn more about least privilege, please visit: Understanding least privilege with Microsoft Entra ID Governance | Microsoft Learn Real-Time Insights with Microsoft Sentinel Sentinel supercharges your hybrid identity protection with: Custom dashboards: Visualize risky users, sign-in anomalies, and privilege escalations. Threat intelligence fusion: Correlate identity signals with external threat feeds. Data connectors: Stream Entra and Defender for Identity logs for deep analysis and long-term retention. This gives you the clarity to spot patterns and the context to act decisively. To learn more about Microsoft Sentinel, please visit: What is Microsoft Sentinel SIEM? | Microsoft Learn Next Steps: Operationalize Your Identity Strategy To move from visibility to action: Deploy Defender for Identity sensors across all domain controllers. Integrate with Microsoft 365 Defender and Sentinel for unified threat detection. Enable risk-based Conditional Access in Entra to respond to identity threats in real time. Implement least privilege policies using Entra ID Governance. Use Sentinel for advanced hunting and analytics to stay ahead of attackers. Final Thoughts Hybrid identity protection isn’t a checkbox—it’s a continuous journey. By operationalizing the integration between Microsoft Entra and Defender for Identity, you empower your security teams to detect, respond, and prevent identity threats with precision and speed.Siemens and Microsoft: Beyond Connectivity to Autonomous, Sustainable Manufacturing
Explore how Siemens Industrial Edge and Microsoft Azure IoT Operations enable secure edge-to-cloud integration, contextualized data, and AI-driven insights—transforming factories into adaptive, future-ready operations.Minecraft Education-Hour of AI- the First Night
Hello,I'm a Greek teacher of English (TESOL).Yesterday I tried the new Challenge, Hour of AI- the First Night. Playing with my student, I kind of "studied" the detailes of this world, and I would highly recommend it to language teachers,too, not only ITs or CSs. It can be used as part of reading,speaking, listening and writing skills development, as the core of a CLIL lesson and as general students' awareness raising of how we can use AI safely,ethically and to our benefit. Please note that safely,ethically and to our benefit aren't buzz or empty words,but have the whole issues that concern teachers ,parents and other members of society.Worth trying and taking seriously.
Azure IoT Hub with ADR (preview): Extending Azure capabilities and certificate management to IoT
Operational excellence in every industry begins by linking the physical world to the digital, enabling organizations to turn raw data from connected assets into actionable insights and real-world improvements. Azure IoT Hub and Azure IoT Operations make this possible by seamlessly integrating data from machines whether on a single factory floor or spread across the globe into a unified platform. Together, they serve as the backbone of connected operations, ensuring that assets, sensors this data is then moved to Microsoft Fabric for real-time analytics and further leveraged by AI agents to drive informed decisions. This approach lets organizations scale efficiently, unifying teams, sites, and systems under the Adaptive Cloud Strategy. It enables use of cloud-native and AI technologies across hybrid, multi-cloud, edge, and IoT environments in a single operational model. Azure IoT Hub empowers organizations to securely and reliably manage connected assets across the globe, providing real-time visibility and control over diverse operations. With proven scalability, broad device support, and robust management tools, IoT Hub delivers a unified platform for developing and operating IoT solutions. Organizations in various industries are using Azure IoT Hub to enhance their operations. In mining, sensors provide real-time safety data and support compliance. Fleet managers track equipment health to boost efficiency and prevent failures, while rail operators use GPS and vibration sensors for precise monitoring and issue detection. Ports utilize conveyor and loading system metrics to optimize scheduling and reduce delays. These examples show how Azure IoT Hub delivers actionable insights, greater safety, and operational efficiency through connected devices. As customers evolve, Azure IoT Hub continues to advance, deepening its integration with the Azure ecosystem and enabling AI-driven, connected operations for the next generation of applications. Today, we’re announcing the public preview of Azure IoT Hub integration with Azure Device Registry bringing IoT devices under the purview of Azure management plane via ARM resource representation and securing them with best-in-class Microsoft-backed X.509 certificate management capabilities. From Connected Devices to Connected Operations Ready-to-use AI platforms are enabling organizations to unlock untapped operational data and gain deeper insights. Organizations are leveraging AI to unify machine and enterprise data, extract actionable insights, and translate them into measurable business gains. They are broadly transitioning from connected devices that simply gather and transmit telemetry, to connected operations which empower supervisors and AI agents to interpret events and respond to scenarios in real time. The integration of Azure IoT Hub with ADR enhancements extends the comprehensive capabilities of Azure to IoT devices. With this integration, Azure Device Registry (ADR) acts as the unified control plane for managing both physical assets from Azure IoT Operations and devices from Azure IoT Hub. It provides a centralized registry, ensuring every entity whether an industrial asset or a connected device is uniquely represented and managed throughout its lifecycle. By integrating with Azure IoT Hub, ADR enables consistent device onboarding, certificate management, and operational visibility at scale. This integration simplifies large-scale IoT fleet management and supports compliance and auditability across diverse deployments. What’s New in this Preview We’re excited to announce the public preview of new capabilities that bring IoT devices into the broader Azure ecosystem. This integration allows IoT to be managed at scale through the Azure management plane. It also strengthens security and enables consistent governance across large deployments: Deep integration with Azure: The Azure Device Registry (ADR) now offers a unified control plane, simplifying identity, security, and policy management for millions of devices. New ADR features make it easier to register, classify, and monitor devices, supporting consistent governance and better operational insights. Combined with Device Provisioning Service (DPS), these enhancements help reduce deployment challenges, speed up time-to-value, and lower operational risks. With IoT Hub integration, IoT Hub devices are represented as Azure resources, providing: One unified registry across multiple IoT Hubs and Azure IoT Operations (AIO) instances. ARM-based management for all Azure resources from cloud to edge. A consolidated view of the entire IoT fleet, simplifying large-scale deployments, monitoring and management. Certificate lifecycle management: Now in public preview, this capability enables secure onboarding and automated certificate rotation for IoT devices, directly integrated with ADR and IoT Hub. X.509 certificates are widely recognized for providing a robust security posture by establishing trusted, cryptographically verifiable device identities. Starting today, customers can use a Microsoft-backed PKI to issue X.509 certificates across their IoT fleets. Devices receive operational certificates that authenticate with IoT Hub, chained to Certificate Authorities (CAs). Policy-driven lifecycle management makes certificate renewal simpler and keeps state in sync with your Hubs. This integration sets the stage for Physical AI by connecting digital and physical systems, thus unlocking new possibilities for data and artificial intelligence. Customer feedback from Private Preview This release has received positive feedback from private preview customers. Particularly the Microsoft-supported PKI and certificate management capabilities, highlighting that previous manual processes were inefficient and fragmented. Customers further noted the advantages of grouping devices from multiple IoT Hubs under a unified namespace, which streamlined management. Moreover, the integration of certificate management within ADR has diminished the reliance on custom solutions. “We were genuinely impressed by how seamless it was to implement. With just a few clicks, clear policy definitions, and two calls in firmware, the entire process became automated, frictionless, and reliable with no external dependencies.” – Uriel Kluk, CTO, Mesh Systems Why It Matters These investments make Azure IoT Hub the cornerstone for connected operations at scale, empowering customers to: Reduce manual cert ops with policy‑driven rotation (fewer outages due to expired certs). Consolidate device registry in ADR for cross‑hub fleet governance. Accelerate compliance audits with centralized certificate lineage. Apply advanced AI tooling for predictive insights and automation. Call to Action Explore the new capabilities in public preview today and start building the next generation of connected operations with Azure IoT Hub and ADR. Learn more on Azure IoT Hub documentationPartner Blog | Securing the future: How Microsoft partners are powering AI-ready organizations
The world of agentic AI is evolving quickly. According to the Microsoft 2025 Work Trend Index Annual Report, 82% of leaders say they’re confident they’ll use AI agents as digital team members to expand workforce capacity in the next 12 to 18 months. That pace of innovation introduces new challenges. As the AI landscape grows, so does the threat surface. This shift creates a critical opportunity for Microsoft partners: to lead with security as the foundation of every AI transformation. By doing so, you enable customers to innovate responsibly and position your organization at the center of lasting trust and growth. In recognition of Cybersecurity Awareness Month, this blog post explores how you can build a stronger security practice and empower your customers to innovate safely, backed by Microsoft partner resources, incentives, and solutions. Security is the foundation of innovation Innovation without strong security isn’t sustainable. The average cost of a data breach now exceeds $4.4 million globally, and beyond the financial cost, weak security erodes trust. As Amy Webb, CEO of Future Today Strategy Group, noted in this year’s Work Trend Index, “As multi-agent systems redefine the workplace, the challenge will be to integrate and manage them securely and effectively.” When partners lead with security, they unlock real business outcomes. Organizations using Microsoft Security Copilot are already seeing tangible results, including a 17% reduction17% reduction in breaches and up to 60% in cost savings. Our own Customer Zero journey at Microsoft reinforces that security and innovation go hand in hand. When security is embedded into every layer of AI transformation, it strengthens the relationship between IT and engineering. It enables teams to co-develop solutions and deliver innovation faster while reducing risk. As a Microsoft partner, you play an essential role in helping customers build secure foundations for AI transformation. We’re committed to supporting you with playbooks, tools, and incentives you need to turn security expertise into customer outcomes. Accelerate secure AI transformation at every stage Partners who lead with security become trusted guides for their customers. Through the Microsoft Security Customer Win Formula, you can access practical resources mapped to each stage of the customer journey—from early discovery to long-term management—and position yourself as a strategic resource your customers can turn to as their business needs and challenges evolve. 1. Build trust as Customer Zero Differentiate your practice by attaining a Solutions Partner designation for Security, and further validate your expertise through certifications and specializations. Plus, achieving an MXDR verification signals to customers that you have the skills to safeguard their AI and cloud environments. Continue expanding your capabilities through the Partner Skilling Hub, where you’ll find self-paced learning paths and instructor-led training to stay current in a constantly evolving threat landscape. 2. Develop an informed pipeline with customer insights Effective security transformation starts with listening. Leverage Microsoft intelligent propensity tools to identify customers ready for secure AI adoption: SPARK: Intelligent data models that predict customer propensity for Microsoft solutions CloudAscent: AI-powered targeting for small and medium-sized business (SMB) customers Microsoft 365 Lighthouse: ML-driven recommendations for customer acquisition, retention, and growth You can also accelerate demand generation with ready-to-launch, customizable campaigns in a box tailored for Security solution plays. Partners using these campaigns are already generating high-quality leads and engaging decision-makers faster. Explore the Partner Marketing Tool Guidance for more information. Continue reading hereUsing OSConfig to manage Windows Server 2025 security baselines
OSConfig is a security configuration and compliance management tool introduced as a PowerShell module for use with Windows Server 2025. It enables you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers. OSConfig has the following requirements: Windows Server 2025 (OSConfig is not supported on earlier versions) PowerShell version 5.1 or higher Administrator privileges OSConfig is available as a module from the PowerShell Gallery. You install it using the following command Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force If prompted to install or update the NuGet provider, type Y and press Enter. You can verify that the module is installed with: Get-Module -ListAvailable -Name Microsoft.OSConfig You can ensure that you have an up-to-date version of the module and the baselines by running the following command: Update-Module -Name Microsoft.OSConfig To check which OSConfig cmdlets are available, run: Get-Command -Module Microsoft.OSConfig Applying Security Baselines OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more. Server Role Command Domain Controller Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default Member Server Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default Workgroup Member Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default Secured Core Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default Defender Antivirus Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline: Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap Whilst this PowerShell output gets the job done, you might find it easier to parse the report by using Windows Admin Center. You can access the security baseline compliance report by connecting to the server you’ve configured using OSConfig by selecting the Security Baseline tab of the Security blade. Another feature of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default which you can verify with the Get-OSConfigDriftControl cmdlet. You can reset how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes run the command: Set-OSConfigDriftControl -RefreshPeriod 45 Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs. That’s more detail that I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig. Find out more about OSConfig at the following links: https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines
