updates
Announcing preview for the next generation of Azure Intel® TDX Confidential VMs
Today, we are excited to announce the preview of Azure’s next generation of Confidential Virtual Machines powered by the 5th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). This will help to enable organizations to bring confidential workloads to the cloud without code changes to applications. The supported SKUs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series.

Confidential VMs are designed for tenants with high security and confidentiality requirements, providing a strong, attestable, hardware-enforced boundary. They ensure that your data and applications stay private and encrypted even while in use, keeping your sensitive code and other data encrypted in memory during processing.

Improvements

Azure’s next generation of confidential VMs will bring improvements and new features compared to our previous generation. These VMs are our first offering to utilize our open-source paravisor, OpenHCL. This innovation allows us to enhance transparency with our customers, reinforcing our commitment to the "trust but verify" model. Additionally, our new confidential VMs support Azure Boost, enabling up to 205k IOPS and 4 GB/s throughput of remote storage along with 54 GBps VM network bandwidth.

We are expanding the capabilities of our Intel® TDX powered confidential VMs by incorporating features from our general purpose and other confidential VMs. These enhancements include Guest Attestation support, and support of Intel® Tiber™ Trust Authority for enterprises seeking operator independent attestation.

Offerings

The DCesv6-series VMs are designed to offer a balance of memory to vCPU ratio, with up to 128 vCPUs, and up to 512 GiB of memory. The ECesv6-series VMs are designed to offer an even higher memory to vCPU ratio, with up to 64 vCPUs, and 512 GiB of memory.

Availability

The DCesv6-series and ECesv6-series preview is available now in the East US, West US, West US 3 and West Europe regions. Supported OS images include Windows Server 2025, Windows Server 2022, Ubuntu 22.04, and Ubuntu 24.04. Please sign up at aka.ms/acc/v6preview and we will reach out to you.

Security Review for Microsoft Edge version 135
We are pleased to announce the security review for Microsoft Edge, version 135. We have reviewed the new settings in Microsoft Edge version 135 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 128 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

Microsoft Edge version 135 introduced 5 new Computer and User settings; we have included a spreadsheet listing the new settings to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.

[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all,

we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates is improving. Mostly we are using GPO Configure Automatic Updates with AU options 4 (schedule the install) as of today.

As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (see https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they cannot be combined together.

Question 1: Is it true? Do you have some up-to-date information about that?

Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will not be supported in the future and some related GPO settings are not even recommended due to this reason because they might not work as intended.

Question 2: Is it true? Do you have some up-to-date information about what is still supported?

Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and as I can see, “Specify deadlines for automatic updates and restarts” cannot do that (it can only schedule the restart) and Configure Automatic Update GPO seems to be moved out from support slowly.)

I also checked this material but could not find a focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Question 4: Do you know where to find such a material for Windows Updates only or who to ask for them? (Mostly for Windows Server 2016, 2019 and 2022.)

Many thanks upfront for your answers.

Best Practices for Securing Access to VMs
Azure Bastion and Microsoft Entra PIM work together to secure VM access by eliminating the need for public IPs, enabling identity-based authentication, and enforcing Just-In-Time (JIT) access. Bastion provides secure RDP/SSH connections through Entra ID without local credentials, while Entra PIM ensures that users only receive time-limited, approved access. This combination supports a Zero Trust model by minimizing persistent privileges and reducing the overall attack surface.

Introducing XFF header for Azure Firewall: Gain crucial insights to help stay secure
The X-Forwarded-For (XFF) HTTP header provides crucial insight into the origin of web requests. The header is a mechanism for conveying the original source IP addresses of clients, not just across one hop but through chains of multiple intermediaries. Information embedded in XFF headers is vital to network security, for both enforcement and auditing. It is therefore important for proxies like Azure Firewall to preserve this information as traffic flows through the network. This blog describes how Azure Firewall handles XFF headers.

How does Azure Firewall handle XFF headers?

Proxies can perform several actions on the XFF headers they receive. These include preserving the received XFF contents before forwarding to the next hop, augmenting the XFF header with the client IP, and enforcing policies based on XFF contents. Azure Firewall preserves and augments the XFF header based on how the traffic is received and processed. The behavior is detailed below.

| Traffic/Payload | Rule Processed | Preserves original content in the XFF header | Augment Client IP to the XFF header |
| --- | --- | --- | --- |
| HTTP payload | Application Rules | Preserved | YES |
| HTTPS payload | Application Rules | Preserved | NO (XFF header is encrypted) |
| HTTPS with TLS termination | Application Rules | Preserved | YES |
| HTTP or HTTPS payload | DNAT/Network rules | Preserved – Azure Firewall doesn’t impact HTTP headers as traffic is processed at layer 4 | |

Validating Azure Firewall behavior:

For this blog, I set up a local environment with NGINX to validate Firewall behavior. This includes a local client running in Azure, an Internet client and an NGINX web server to process HTTP/S traffic. I used a private DNS zone to redirect traffic for a popular domain (example.com) to my NGINX server behind the firewall.

HTTP/S client traffic and response: The client sends an HTTP payload to example.com after adding 192.0.2.100 to the XFF header.

Azure Firewall output: The Azure Firewall receives both HTTP and HTTPS requests, as the NGINX server redirects the client HTTP traffic to the HTTPS listener.

Server XFF header output: For HTTP requests, XFF output displays both the client IP and the appended IP in the curl request. For HTTPS requests, XFF output displays only the IP added by the client.

DNAT traffic to the server: Internet clients send HTTPS traffic to the NGINX server via the Azure Firewall public IP. Azure Firewall matches the traffic against a DNAT rule and redirects it to the translated destination server.

Server XFF header output: Traffic is received with the XFF header inserted by the client. Azure Firewall doesn’t impact this header because it handles this traffic at layer 4.

Conclusion:

In conclusion, the X-Forwarded-For (XFF) HTTP header plays a crucial role in providing insight into the origin of web requests. It helps convey the original source IP addresses of clients through multiple intermediaries, which is vital for network security, enforcement, and auditing. Azure Firewall's handling of XFF headers ensures that this information is preserved and augmented based on how the traffic is received and processed. By maintaining the integrity of XFF headers, Azure Firewall enhances security measures and provides a reliable mechanism for tracking the source of web traffic.

Explore Azure Communication Services Email Telemetry: What You Can Do with Email Insights
We're halfway through our first season of the Azure Communication Services Fundamentals series, and we are excited to invite you to our next session - Maximizing Email Insights with Logs and Events on Azure Communication Services. Register here and join us on Thursday, April 17 @ 9 a.m. PT.

What You Will Learn

During this live session, we’ll guide you through the following key topics to help you make the most out of your email communication service with Azure Communication Services.

Introduction to Email Telemetry
- What email telemetry is and why it matters
- The differences between logs and events in the Azure portal

Understanding Sender Reputation
- Gain insights into sender reputation and its impact on email delivery and engagement
- Explore how Azure Communication Services helps you manage sender reputation

Live Demo: Email Insights & Logs
- Discover how to use sample log queries to analyze email performance and troubleshoot delivery issues
- Learn how to create custom queries and workbooks to visualize and understand the data available in your logs

Live Demo: Email events
- Deploy and view live events in Event Grid Viewer
- Real-time monitoring and analysis of email events

Why You Should Attend

This session is perfect for developers, IT professionals, and tech enthusiasts who want to better understand email analytics. You'll gain practical knowledge on using Azure Communication Services to extract insights from email logs and events, helping you improve your email communication.

How to Join

To register for this event, sign up here on the Reactor event homepage. If you want to engage with members of the Email product team live during the session, log into a YouTube account during the live session and ask questions directly in the chat.

If you missed the previous two sessions, you can watch the on-demand videos for those sessions here:
- WhatsApp Messaging and Azure Communication Services
- Exploring SMS Capabilities with Azure Communication Services

Summing it up: Aggregating repeating nodes in Logic Apps Data Mapper 🧮
Logic Apps Data Mapper makes it easy to define visual, code-free transformations across structured JSON data. One pattern that's both powerful and clean: using built-in collection functions to compute summary values from arrays. This post walks through an end-to-end example: calculating a total from a list of items using just two functions, `Multiply` and `Sum`.

🧾 Scenario: Line Item Totals + Order Summary

You’re working with a list of order items. For each item, you want to:
- Compute Total = Quantity × Price
- Then, compute the overall OrderTotal by summing all the individual totals

📥 Input

```json
{
  "orders": [
    { "Quantity": 10, "Price": 100 },
    { "Quantity": 20, "Price": 200 },
    { "Quantity": 30, "Price": 300 }
  ]
}
```

📤 Output

```json
{
  "orders": [
    { "Quantity": 10, "Price": 100, "Total": 1000 },
    { "Quantity": 20, "Price": 200, "Total": 4000 },
    { "Quantity": 30, "Price": 300, "Total": 9000 }
  ],
  "Summary": { "OrderTotal": 14000 }
}
```

🔧 Step-by-step walkthrough

🗂️ 1. Load schemas in Data Mapper

Start in the Azure Data Mapper interface and load:
- Source schema: contains the orders array with Quantity and Price
- Target schema: includes a repeating orders node and a Summary → OrderTotal field

📸 Docked schemas in the mapper

🔁 2. Recognize the repeating node

The orders array shows a 🔁 icon on <ArrayItem>, marking it as a repeating node.

📸 Repeating node detection

💡 When you connect child fields like Quantity or Price, the mapper auto-applies a loop for you. No manual loop configuration needed.

➗ 3. Multiply Quantity × Price (per item)

Drag in a Multiply function and connect:
- Input 1: Quantity
- Input 2: Price

Now connect the output of Multiply directly to the Total node under the Orders node in the destination. This runs once per order item and produces individual totals: [1000, 4000, 9000]

📸 Multiply setup

➕ 4. Aggregate All Totals Using Sum

Use the same Multiply function output and pass it into a Sum function. This will combine all the individual totals into one value.

Drag and connect:
- Input 1: multiply(Quantity, Price)
- Input 2: <ArrayItem>

Connect the output of Sum to the destination node Summary → OrderTotal.

1000 + 4000 + 9000 = 14000

📸 Sum function

✅ 5. Test the Output

Run a test with your sample input by clicking on the Open test panel. Copy/paste the sample data and hit Test. The result should look like this:

```json
{
  "orders": [
    { "Quantity": 10, "Price": 100, "Total": 1000 },
    { "Quantity": 20, "Price": 200, "Total": 4000 },
    { "Quantity": 30, "Price": 300, "Total": 9000 }
  ],
  "Summary": { "OrderTotal": 14000 }
}
```

🧠 Why this pattern works

- 🔁 Repeating to repeating: You’re calculating Total per order
- 🔂 Repeating to non-repeating: You’re aggregating with Sum into a single node
- 🧩 No expressions needed: it’s all declarative

This structure is perfect for invoices, order summaries, or reporting payloads where both detail and summary values are needed.

📘 What's coming

We’re working on official docs to cover:
- All functions including collection (Join, Direct Access, Filter, etc.) that work on repeating nodes
- Behavior of functions inside loops
- Real-world examples like this one

💬 What should we cover next?

We’re always looking to surface patterns that matter most to how you build. If there’s a transformation technique, edge case, or integration scenario you’d like to see explored next, drop a comment below and let us know. We’re listening.

🧡 Special thanks to Dave Phelps for collaborating on this scenario and helping shape the walkthrough.