Observability for the Age of Generative AI
Every generation of computing brings new challenges in how we monitor and trust our systems. With the rise of Generative AI, applications are no longer static code—they’re living systems that plan, reason, call tools, and make choices dynamically. Traditional observability, built for servers and microservices, simply can’t tell you when an AI agent is correct, safe, or cost-efficient. We’re reimagining observability for this new world. At Ignite, we introduced the next wave of Azure Monitor and AI Foundry integration—purpose-built for GenAI apps and agents. End-to-End GenAI Observability Across the AI Stack Customers can see not just whether their systems are up or fast, but also whether their agent responses are accurate. Azure Monitor, in partnership with Foundry, unifies agent telemetry with infrastructure, application, network, and hardware signals—creating a true end-to-end view that spans AI agents, the services they call, and the compute they run on. New capabilities include: Agent Overview Dashboard in Grafana and Azure – Gain a unified view of one or more GenAI agents, including success rate, grounding quality, safety violations, latency, and cost per outcome. Customize dashboards in Grafana or Azure Monitor Workbooks to detect regressions instantly after a model or prompt change—and understand how those changes affect user experience and spend. AI-Tailored Trace View – Follow every AI decision as a readable story: plan → reasoning → tool calls → guardrail checks. Identify slow or unsafe steps in seconds, without sifting through thousands of spans. AI-Aware Trace Search by Attributes – Search, sort, and filter across millions of runs using GenAI-specific attributes like model ID, grounding score, or cost. Find the “needle” in your GenAI haystack in a single query. Foundry Low-Code Agent Monitoring – Agents created through Foundry’s visual, low-code interface are now automatically observable. Without writing a single line of code, you can track reliability, safety, and cost metrics from day one. Full-Stack Visibility Across the AI Stack – All evaluations, traces, and red-teaming results are now published to Azure Monitor, where agent signals correlate seamlessly with infrastructure KPIs and application telemetry to deliver a unified operational view. Check out our get started documentation. Powered by OpenTelemetry Innovation This work builds directly on the new OpenTelemetry extensions announced in our recent Azure AI Foundry blog post. Microsoft is helping define the OpenTelemetry agent specification, extending it to capture multi-agent orchestration traces, LLM reasoning context, and evaluation signals—enabling interoperability across Azure Monitor, AI Foundry, and partner tools such as Datadog, Arize, and Weights & Biases. By building on open standards, customers gain consistent visibility across multi-cloud and hybrid AI environments—without vendor lock-in. Built for Enterprise Scale and Trust With open standards and deep integration between Azure Monitor and AI Foundry, organizations can now apply the same discipline they use for traditional applications to their GenAI workloads, complete with compliance, cost governance, and quality assurance. GenAI is redefining what it means to operate software. With these innovations, Microsoft is giving customers the visibility, control, and confidence to operate AI responsibly, at enterprise scale.Generally Available - Azure Monitor Private Link Scope (AMPLS) Scale Limits Increased by 10x!
Introduction We are excited to announce the General Availability (GA) of Azure Monitor Private Link Scope (AMPLS) scale limit increase, delivering 10x scalability improvements compared to previous limits. This enhancement empowers customers to securely connect more Azure Monitor resources via Private Link, ensuring network isolation, compliance, and Zero Trust alignment for large-scale environments. What is Azure Monitor Private Link Scope (AMPLS)? Azure Monitor Private Link Scope (AMPLS) is a feature that allows you to securely connect Azure Monitor resources to your virtual network using private endpoints. This ensures that your monitoring data is accessed only through authorized private networks, preventing data exfiltration and keeping all traffic inside the Azure backbone network. AMPLS – Scale Limits Increased by 10x in Public Cloud & Sovereign Cloud (Fairfax/Mooncake) - Regions In a groundbreaking development, we are excited to share that the scale limits for Azure Monitor Private Link Scope (AMPLS) have been significantly increased by tenfold (10x) in Public & Sovereign Cloud regions as part of the General Availability! This substantial enhancement empowers our customers to manage their resources more efficiently and securely with private links using AMPLS, ensuring that workload logs are routed via the Microsoft backbone network. What’s New? 10x Scale Increase Connect up to 3,000 Log Analytics workspaces per AMPLS (previously 300) Connect up to 10,000 Application Insights components per AMPLS (previously 1,000) 20x Resource Connectivity Each Azure Monitor resource can now connect to 100 AMPLS resources (previously 5) Enhanced UX/UI Redesigned AMPLS interface supports loading 13,000+ resources with pagination for smooth navigation Private Endpoint Support Each AMPLS object can connect to 10 private endpoints, ensuring secure telemetry flows Why It Matters Top Azure Strategic 500 customers, including major Telecom service providers and Banking & Financial Services organizations, have noted that previous AMPLS limits did not adequately support their increasing requirements. The demand for private links has grown 3–5 times over existing capacity, affecting both network isolation and integration of essential workloads. This General Availability release resolves these issues, providing centralized monitoring at scale while maintaining robust security and performance. Customer Stories Our solution now enables customers to scale their Azure Monitor resources significantly, ensuring seamless network configurations and enhanced performance. Customer B - Case Study: Leading Banking & Financial Services Customer Challenge: The Banking Customer faced complexity in delivering personalized insights due to intricate workflows and content systems. They needed a solution that could scale securely while maintaining compliance and performance for business-critical applications. Solution: The Banking Customer has implemented Microsoft Private Links Services (AMPLS) to enhance the security and performance of financial models for smart finance assistants, leading to greater efficiency and improved client engagement. To ensure secure telemetry flow and compliance, the banking customer implemented Azure Monitor with Private Link Scope (AMPLS) and leveraged the AMPLS Scale Limit Increase feature. Business Impact: Strengthened security posture aligned with Zero Trust principles Improved operational efficiency for monitoring and reporting Delivered a future-ready architecture that scales with evolving compliance and performance demands Customer B - Case Study: Leading Telecom Service Provider - Scaling Secure Monitoring with AMPLS Architecture: A Leading Telecom Service Provider employs a highly micro-segmented design where each DevOps team operates in its own workspace to maximize security and isolation. Challenge: While this design strengthens security, it introduces complexity for large-scale monitoring and reporting due to physical and logical limitations on Azure Monitor Private Link Scope (AMPLS). Previous scale limits made it difficult to centralize telemetry without compromising isolation. Solution: The AMPLS Scale Limit Increase feature enabled the Telecom Service Provider to expand Azure Monitor resources significantly. Monitoring traffic now routes through Microsoft’s backbone network, reducing data exfiltration risks and supporting Zero Trust principles. Impact & Benefits Scalability: Supports up to 3,000 Log Analytics workspaces and 10,000 Application Insights components per AMPLS (10× increase). Efficiency: Each Azure Monitor resource can now connect to 100 AMPLS resources (20× increase). Security: Private connectivity via Microsoft backbone mitigates data exfiltration risks. Operational Excellence: Simplifies configuration for 13K+ Azure Monitor resources, reducing overhead for DevOps teams. Customer Benefits & Results Our solution significantly enhances customers’ ability to manage Azure Monitor resources securely and at scale using Azure Monitor Private Link Scope (AMPLS). Key Benefits Massive Scale Increase 3,000 Log Analytics workspaces (previously 300) 10,000 Application Insights components (previously 1,000) Each AMPLS object can now connect to: Azure Monitor resources can now connect with up to 100 AMPLS resources (20× increase). Broader Resource Support - Supported resource types include: Data Collection Endpoints (DCE) Log Analytics Workspaces (LA WS) Application Insights components (AI) Improved UX/UI Redesigned AMPLS interface supports loading 13,000+ Azure Monitor resources with pagination for smooth navigation. Private Endpoint Connectivity Each AMPLS object can connect to 10 private endpoints, ensuring secure telemetry flows. Resources: Explore the new capabilities of Azure Monitor Private Link Scope (AMPLS) and see how it can transform your network isolation and resource management. Visit our Azure Monitor Private Link Scope (AMPLS) documentation page for more details and start leveraging these enhancements today! For detailed information on configuring Azure Monitor private link scope and azure monitor resources, please refer to the following link: Use Azure Private Link to connect networks to Azure Monitor - Azure Monitor | Microsoft Learn Design your Azure Private Link setup - Azure Monitor | Microsoft Learn Configure your private link - Azure Monitor | Microsoft LearnAdvancing Full-Stack Observability with Azure Monitor at Ignite 2025
New AI-powered innovations in the observability space First, we’re excited to usher in the era of agentic cloud operations with Azure Copilot agents. At Ignite 2025, we are announcing the preview of the Azure Copilot observability agent to help you enhance full-stack troubleshooting. Formerly “Azure Monitor investigate”, the observability agent streamlines troubleshooting across application services and resources such as AKS and VMs with advanced root cause analysis in alerts, the portal, and Azure Copilot (gated preview). By automatically correlating telemetry across resources and surfacing actionable findings, it empowers teams to resolve issues faster, gain deeper visibility, and collaborate effectively. Learn more here about the observability agent and learn about additional agents in Azure Copilot here. Additionally, with the new Azure Copilot, we are streamlining agentic experiences across Azure. From operations center in the Azure portal, you can get a single view to navigate, operate and optimize your environments and invoke agents in your workflows. You also get suggested top actions within the observability blade of operations center to prioritize, diagnose and resolve issues with support from the observability agent. Learn more here. In the era of AI, more and more apps are now AI apps. That’s why we’re enhancing our observability capabilities for GenAI and agents: Azure Monitor brings agent-level visibility and control into a single experience in partnership with Observability in Foundry Control Plane through a new agent details view (public preview) showcasing success metrics, quality indicators, safety checks, and cost insights in one place. Simplified tracing also transforms every agent run into a reasonable, plan-and-act narrative for faster understanding. On top of these features, the new smart trace search enables faster detection of anomalies—such as policy violations, unexpected cost spikes, or model regressions—so teams can troubleshoot and optimize with confidence. These new agentic experiences build upon a solid observability foundation provided by Azure Monitor. Learn more here. We’re making several additional improvements in Azure Monitor: Simplified Onboarding & More Centralized Visibility Streamlined onboarding: Azure Monitor now offers streamlined onboarding for VMs, containers, and applications with sensible defaults and abstraction layers. This means ITOps teams can enable monitoring across environments in minutes, not hours. Previously, configuring DCRs and linking Log Analytics workspaces was a multi-step process; now, you can apply predefined templates and scale monitoring across hundreds of VMs faster than before. Centralized dashboards: A new monitor overview page in operations center consolidates top suggested actions and Azure Copilot-driven workflows for rapid investigation. Paired with the new monitoring coverage page (public preview) in Azure Monitor, ITOps can quickly identify gaps based on Azure Advisor recommendations, enable VM Insights and Container Insights at scale, and act on monitoring recommendations—all from a single pane of glass. Learn more here. Richer visualizations: Azure Monitor dashboards with Grafana are now in GA, delivering rich visualizations and data transformation capabilities on Prometheus metrics, Azure resource metrics, and more. Learn more here. Cloud to edge visibility: With expanded support for Arc-enabled Kubernetes with OpenShift and Azure Red Hat OpenShift in Container Insights and Managed Prometheus, Azure Monitor offers an even more complete set of services for monitoring the health and performance of different layers of Kubernetes infrastructure and the applications that depend on it. Learn more here. Advanced Logs, Metrics, and Alert Management Logs & metrics innovations: Azure Monitor now supports the log filtering and transformation (GA), as well as the emission of logs to additional destinations (public preview) such as Azure Data Explorer and Fabric—unlocking real-time analytics and more seamless data control. Learn more here. More granular access for managing logs: Granular RBAC for Log Analytics workspaces ensures compliance and least privilege principles across teams, now in general availability. Learn more here. Dynamic thresholds for log search alerts (public preview): Now you can apply the advanced machine learning methods of dynamic threshold calculations to enhance monitoring with log search alerts. Learn more here. Query-based metric alerts (public preview): Get rich and flexible query-based alerting on Prometheus, VM Guest OS, and custom OTel metrics to reduce complexity and unblock advanced alerting scenarios. Learn more here. OpenTelemetry Ecosystem Expansion Azure Monitor doubles down on our commitment to OpenTelemetry with expanded support for monitoring applications deployed to Azure Kubernetes Service (AKS) by using OTLP for instrumentation and data collection. New capabilities include: Auto-instrumentation with the Azure Monitor OpenTelemetry distro for Java and NodeJS apps on AKS (public preview): this reduces friction for teams adopting OTel standards and ensures consistent telemetry across diverse compute environments. Auto-configuration for apps on AKS in any language already instrumented with the open-source OpenTelemetry SDK to emit telemetry to Azure Monitor. Learn more here. Additionally, we are making it easier to gain richer and more consistent visibility across Azure VMs and Arc Servers with OpenTelemetry visualizations, offering standardized system metrics, per-process insights, and extensibility to popular workloads on a more cost-efficient and performant solution. Learn more here. Next Steps These innovations redefine observability from cloud to edge—simplifying onboarding, accelerating troubleshooting, and embracing open standards. For ITOps and DevOps teams, this means fewer blind spots, faster MTTR, and improved operational resilience. Whether you’re joining us at Microsoft Ignite 2025 in-person or online, there are plenty of ways to connect with the Azure Monitor team and learn more: Attend breakout session BRK149 for a deep dive into Azure Monitor’s observability capabilities and best practices for optimizing cloud resources. Attend breakout session BRK145 to learn more about how agentic AI can help you streamline cloud operations and management. Attend breakout session BRK190 to learn about how Azure Monitor and Microsoft Foundry deliver an end-to-end observability experience for your AI apps and agents. Join theater demo THR735 to see a live demo on monitoring AI agents in production. Connect with Microsoft experts at the Azure Copilot, Operations, and Management expert meet-up booth to get your questions answered.
Simplify Application Monitoring for AKS with Azure Monitor (Public Preview)
As cloud-native workloads scale, customers increasingly expect application and infrastructure observability to be unified, automated, and devops-friendly. Azure Monitor is advancing this vision with Application Monitoring for Azure Kubernetes Service (AKS). With seamless onboarding and troubleshooting experiences in the Azure Portal, now in Public Preview. This new capability brings first-class OpenTelemetry support, seamless onboarding from the AKS cluster blade, and auto-instrumentation and auto-configuration options that make it easier than ever to collect application performance data into Azure Monitor and Application Insights—without modifying application code or maintaining custom agents. Enable application monitoring for your AKS deployed apps directly from the Azure Portal in two steps: 1. Enable application monitoring for the AKS cluster in Monitor Settings 2. Choose the namespaces for application monitoring and configure namespace-wide onboarding to route application signals to an App Insights resource. Optionally, leverage Custom Resource Definitions (CRDs) for more granular enablement and per-deployment onboarding. Feature Highlights Auto-instrumentation Auto-instrument Java and NodeJS applications without code changes. This approach instruments workloads with the AzureMonitor OpenTelemetry distro and routes telemetry to Application Insights. Now available in both CLI and Azure portal for addon enablement and namespace configuration. Unified Monitoring and Troubleshooting Switch seamlessly between infrastructure and application layers with improved navigation between Container Insights and Application Insights, curated OpenTelemetry workbooks, and Azure-curated Grafana dashboards. When looking into your deployment controllers from Container Insights, you can also see the application performance metrics alongside to identify problematic requests or failures. From there, you can seamlessly transition over to your Application Insights to get a more detailed diagnosis. View your application performance next to your infrastructure metrics in Container Insights Full-Stack Dashboards with Grafana This new application monitoring capability becomes even more powerful when paired with Dashboards with Grafana for Azure Monitor. With curated, Azure-hosted Grafana dashboards built specifically for Application Insights and OpenTelemetry data, teams can extend their AKS application monitoring experience with rich, full-stack visualizations tailored for cloud-native workloads. Application monitoring dashboards available through Dashboards with Grafana These dashboards allow you to: Bring application traces, requests, dependencies, and exception data from Application Insights into Grafana dashboards optimized for app-centric troubleshooting. Correlate application performance with AKS infrastructure metrics, including node, pod, and container health, to rapidly identify cross-layer issues. Visualize OpenTelemetry signals flowing through Azure Monitor in a unified, standards-based format without needing to build dashboards from scratch. Customize and extend dashboards with your own OTel metrics or additional Application Insights dimensions for deeper app performance analytics. By combining Application Monitoring for AKS with Dashboards for Grafana, developers and operators gain a complete, end-to-end view of application behavior, making it faster and easier to diagnose issues, validate deployments, and understand the health of microservices running on AKS. Call to Action Start simplifying application observability today with Azure Monitor for AKS. Unify your metrics, logs, and traces in a single monitoring experience powered by OpenTelemetry and Azure Monitor. Explore the documentation and get started: https://learn.microsoft.com/azure/azure-monitor/app/kubernetes-codeless Learn more about our new features for OpenTelemetry in Azure Monitor: https://aka.ms/igniteotelblog
Troubleshoot with OTLP signals in Azure Monitor (Limited Public Preview)
As organizations increasingly rely on distributed cloud-native applications, the need for comprehensive standards-based observability has never been greater. OpenTelemetry (OTel) has emerged as the industry standard for collecting and transmitting telemetry data, enabling unified monitoring across diverse platforms and services. Microsoft is among the top contributors to OpenTelemetry. Azure Monitor is expanding its support for the OTel standard with this preview, empowering developers and operations teams to seamlessly capture, analyze, and act on critical signals from their applications and infrastructure. With this limited preview (sign-up here), regardless of where your applications are running, you can channel the OpenTelemetry Protocol (OTLP) logs, metrics and traces to Azure Monitor directly. On Azure compute platforms, we have simpler collection orchestration that also unifies application and infrastructure telemetry collection with the Azure Monitor collection offerings for VM/VMSS or AKS. On Azure VMs/VMSS (or any Azure Arc supported compute), you can use the Azure Monitor Agent (AMA) that you are already using to collect infrastructure logs. On AKS, the Azure Monitor add-ons that orchestrate Container Insights and managed Prometheus, will also auto configure the collection of OTLP signals from your applications (or auto-instrument with Azure Monitor OTel Distro for supported languages). On these platforms or anywhere else, you can choose to use OpenTelemetry Collector, and channel the OTLP signals from your OTel SDK instrumented application directly to Azure Monitor cloud ingestion endpoints. OTLP metrics will be stored in Azure Monitor Workspace, a Prometheus metrics store. Logs and traces will be stored in Azure Monitor Log Analytics Workspace in an OTel semantic conventions-based schema. Application Insights experiences will light up, enabling all distributed tracing and troubleshooting experiences powered by Azure Monitor, as well as out of the box Dashboards with Grafana from the community. With this preview, we are also extending the support for auto-instrumentation of applications on AKS to .NET and Python applications and introducing OTLP metrics collection from all auto-instrumented applications (Java/Node/.NET/Python). Sign-up for the preview here: https://aka.ms/azuremonitorotelpreview.
Comprehensive VM Monitoring with OpenTelemetry performance counters
Monitoring virtual machines often requires multiple tools and manual investigation. You may see high CPU or memory usage, but identifying the process responsible usually means signing in to the VM and running diagnostic commands. Azure Monitor already provides Guest OS performance monitoring through Log Analytics‑based metrics, trusted for its flexibility, deep integration, and advanced analytics, including custom performance counters, extended retention, and powerful KQL queries. Many customers use LA‑based metrics to correlate performance with other log data sources and build rich operational insights. Today, we’re excited to introduce a new preview capability: OpenTelemetry (OTel) Guest OS metrics for VMs and Arc servers, with metric data stored in the metrics-optimized Azure Monitor Workspace (AMW). OTel provides a standards‑based pipeline with a unified schema, richer system and process counters, and streamlined integration with open‑source and cloud‑native observability tooling. It’s designed for simpler onboarding, cost‑efficient metric storage, and more granular visibility into what’s happening inside the VM. What are OpenTelemetry Guest OS metrics OTel Guest OS metrics are system and process‑level performance counters collected from inside a VM. This includes CPU, memory, disk I/O, network, and per‑process details such as CPU percent, memory percent, uptime, and thread count. This level of visibility helps you diagnose issues without signing into the VM. Why They Matter Azure Monitor continues to support Guest OS metrics through Log Analytics, and you now have the option to use OTel‑based Guest OS metrics. OTel offers richer insights, faster query performance, and lower cost, and is a good fit when you want a modern, standards‑based pipeline with deeper system visibility. Key Benefits Benefit Description Unified data model Consistent metric names and schema across Windows and Linux for easier, reusable queries and dashboards Richer, simplified counters More system and process metrics (e.g., per‑process CPU, memory, disk I/O) and consolidation of legacy counters into clearer OTel metrics. Easy onboarding Collect OTel metrics with minimal setup. Flexible visualization Use the Azure portal, Metrics Explorer, or Azure Monitor Dashboards with Grafana. Cost‑efficient performance Store metrics in Azure Monitor Workspace instead of Log Analytics ingestion for lower cost and faster queries. When to use LA‑based metrics (GA) vs OTel‑based metrics (Preview) LA-based metrics (GA) OTel-based metrics (Preview) Custom performance counters or extended retention Advanced KQL analytics and log‑metric correlation A mature, fully supported pipeline for operational analytics A standards‑based, unified schema across platforms Easier onboarding and broader system/process coverage Cost‑efficient metric storage with improved query performance We recommend evaluating your requirements to determine which approach best fits your needs. LA-based metrics remain the foundation for customers who need advanced analytics and correlation, while OTel-based metrics open new possibilities for modern VM observability. Onboarding VMs to OpenTelemetry performance counters Onboarding your virtual machines and Arc servers to OpenTelemetry-based counters is now both cost-efficient and easier than ever. With the new onboarding experience, you can enable guest-level metrics using a lightweight, standards-based OTel pipeline with no complex setup required. These system-level counters are available at no additional cost and provide deep visibility into CPU, memory, disk, network, and process activity from inside the VM. Azure Monitor automatically configures your Data Collection Rules (DCRs) to route these OpenTelemetry counters through the Monitor pipeline, ensuring you get full monitoring coverage with minimal configuration. Additionally, you can also onboard your VMs at scale using the new Monitoring Coverage experience or Essential Machine Management (EMM). For teams managing large fleets of virtual machines, these capabilities turn onboarding into a one-click operation, eliminating the need to repeat manual steps for each machine. This is especially valuable in enterprises or environments with dynamic VM creation, where maintaining consistent visibility across every machine is critical for performance, compliance, and troubleshooting. After onboarding at scale, you can further customize your monitoring. By editing the Data Collection Rule (DCR) created during onboarding, you can collect additional metrics and logs, then automatically apply those updates across all VMs associated with that DCR. This allows you to extend monitoring coverage beyond the default counters and adapt to your observability as your environment evolves. New Capabilities Powered by OpenTelemetry New VM monitoring experience powered by OpenTelemetry (preview) We're excited to announce the public preview of the enhanced monitoring experience for Azure Virtual Machines (VMs) and Arc servers. This redesign brings comprehensive monitoring capabilities in a single, streamlined view, helping you more efficiently observe, diagnose, and optimize your virtual machines. The new experience offers two levels of insight within one unified interface: Basic view (Host OS based): Available for all Azure VMs with no configuration required. This view surfaces key host level metrics including CPU, disk, and network performance for quick health checks. Detailed view (Guest OS based): Requires a simple onboarding step and is available at no additional cost. Azure Monitor already provides a GA detailed view powered by Log Analytics based Guest OS metrics, and this remains fully supported. This preview option is powered by OTel Guest OS metrics to provide expanded metric coverage and the new, streamlined monitoring experience introduced above Detailed view (Guest OS based with OTel) and enhanced monitoring experience for VMs You can access the new experience directly in the Azure portal under Virtual Machine → Monitoring → Insights. Building Custom Dashboards with Azure Monitor Dashboards in Grafana Azure Monitor Dashboards with Grafana lets you build custom visualizations on top of OTel Guest OS metrics. In addition to the out-of-the-box VM monitoring experience, you can create tailored dashboards to analyze the specific system or process-level signals that matter most to your workloads. For example, you can build a dashboard that breaks down CPU, memory, disk, and network usage at the process level. This helps you quickly identify unusual behavior or resource hotspots without signing in to the VM. Learn more. Query-based metric alerts (preview) Azure Monitor now supports PromQL-based metric alerts for OTel metrics stored in Azure Monitor Workspace, enabling flexible and powerful query-driven alerting. For example, you can configure an alert to notify you when a specific process shows unusual CPU usage, allowing you to detect issues earlier and take action before they impact users. PromQL based metric alert that triggers when the backupdatawarehouse.exe process exceeds 80% memory usage Get Started Explore the new OpenTelemetry-powered experiences today: Get started with VM Monitoring (Preview) Use Azure Monitor Dashboards with Grafana Query Based Metric Alerts Overview (Preview) We are also starting a limited public preview of application monitoring with OpenTelemetry signal collection from Azure VMs, VMSS and Arc Server. Learn more. Together, these previews mark a major step toward a unified and open monitoring platform designed to make observability simpler, faster, and aligned with open standards across every layer of your environment.Announcing resource-scope query for Azure Monitor Workspaces
We’re excited to announce the public preview of resource-scope query for Azure Monitor Workspaces (AMWs)—a major step forward in simplifying observability, improving access control, and aligning with Azure-native experiences. This new capability builds on the successful implementation of resource-scope query in Log Analytics Workspaces (LAWs), which transformed how users access logs by aligning them with Azure resource scopes. We’re now bringing the same power and flexibility to metrics in AMWs. What is resource-scope query? Resource-scope query has been a frequently requested capability that allows users to query metrics scoped to a specific resource, resource group, or subscription—rather than needing to know which AMW the metrics are stored in. This means: Simpler querying: users can scope to the context of one or more resources directly, without knowledge of where metrics are stored. Granular Azure RBAC control: if the AMW is configured in resource-centric access mode, user permissions are checked against the resources they are querying for, rather than access to the workspace itself - just like how LAW works today. This supports security best practices for least privileged access requirements. Why use resource-centric query? Traditional AMW querying required users to: Know the exact AMW storing their metrics. Have access to the AMW. Navigate away from the resource context to query metrics. This created friction for DevOps teams and on-call engineers who do not necessarily know which AMW to query when responding to an alert. With resource-centric querying: Users can query metrics directly from the resource’s Metrics blade. Least privilege access is respected—users only need access to the resource(s) they are querying about. Central teams can maintain control of AMWs while empowering app teams to self-monitor. How does it work? All metrics ingested via Azure Monitor Agent are automatically stamped with dimensions like Microsoft.resourceid, Microsoft.subscriptionid, and Microsoft.resourcegroupname to enable this experience. The addition of these dimensions does not have any cost implications to end users. Resource-centric queries use a new endpoint: https://query.<region>.prometheus.monitor.azure.com We will re-route queries as needed from any region, but we recommend choosing the one nearest to your AMWs for the best performance. Users can query via: Azure Portal PromQL Editor Grafana dashboards (with data source configuration) Query-based metric alerts Azure Monitor solutions like Container Insights and App Insights (when using OTel metrics with AMW as data source) Prometheus HTTP APIs When querying programmatically, users pass an HTTP header: x-ms-azure-scoping: <ARM Resource ID> Scoping supports a single: Individual resource Resource group Subscription At this time, scoping is only support at a single-resource level, but comma-separated multi-resource scoping will be added by the end of 2025. Who Can Benefit? Application Teams: Query metrics for their own resources without needing AMW access. Central Monitoring Teams: Maintain control of AMWs while enabling secure, scoped access for app teams. DevOps Engineers: Respond to alerts and troubleshoot specific resources without needing to locate the AMW(s) storing the metrics they need. Grafana Users: Configure dashboards scoped to subscriptions or resource groups with dynamic variables without needing to identify the AMW(s) storing their metrics. When Is This Available? Microsoft. dimension stamping* is already complete and ongoing for all AMWs. Public Preview of the resource-centric query endpoint begins October 10th, 2025. Starting on that date, all newly created AMWs will default to resource-context access mode. What is the AMW “access control mode”? The access control mode is a setting on each workspace that defines how permissions are determined for the workspace. Require workspace permissions. This control mode does NOT allow granular resource-level Azure RBAC. To access the workspace, the user must be granted permissions to the workspace. When a user scopes their query to a workspace, workspace permissions apply. When a user scopes their query to a resource, both workspace permissions AND resource permissions are verified. This setting is the default for all workspaces created before October 2025. Use resource or workspace permissions. This control mode allows granular Azure RBAC. Users can be granted access to only data associated with resources they can view by assigning Azure read permission. When a user scopes their query to a workspace, workspace permissions apply. When a user scopes their query to a resource, only resource permissions are verified, and workspace permissions are ignored. This setting is the default for all workspaces created after October 2025. Read about how to change the control mode for your workspaces here. Final Thoughts Resource-centric query brings AMWs in line with Azure-native experiences, enabling secure, scalable, and intuitive observability. Whether you’re managing thousands of VMs, deploying AKS clusters, or building custom apps with OpenTelemetry, this feature empowers you to monitor in the context of your workloads or resources rather than needing to first query the AMW(s) and then filter down on what you’re looking for. To get started, simply navigate to your resource’s Metrics blade after October 10 th , 2025 or configure your Grafana data source to use the new query endpoint.Making Azure the Best Place to Observe Your Apps with OpenTelemetry
Our goal is to make Azure the most observable cloud. To that end, we are refactoring Azure’s native observability platform to be based on OpenTelemetry, an industry standard for instrumenting applications and transmitting telemetry.General Availability of Azure Monitor Network Security Perimeter Features
We’re excited to announce that Azure Monitor Network Security Perimeter features are now generally available! This update is an important step forward for Azure Monitor’s security, providing comprehensive network isolation for your monitoring data. In this post, we’ll explain what Network Security Perimeter is, why it matters, and how it benefits Azure Monitor users. Network Security Perimeter is purpose-built to strengthen network security and monitoring, enabling customers to establish a more secure and isolated environment. As enterprise interest grows, it’s clear that this feature will play a key role in elevating the protection of Azure PaaS resources against evolving security threats. What is Network Security Perimeter and Why Does It Matter? Network Security Perimeter is a network isolation feature for Azure PaaS services that creates a trusted boundary around your resources. Azure Monitor’s key components (like Log Analytics workspaces and Application Insights) run outside of customer virtual networks; Network security perimeter allows these services to communicate only within an explicit perimeter and blocks any unauthorized public access. In essence, the security perimeter acts as a virtual firewall at the Azure service level – by default it restricts public network access to resources inside the perimeter, and only permits traffic that meets your defined rules. This prevents unwanted network connections and helps prevent data exfiltration (sensitive monitoring data stays within your control). For Azure Monitor customers, Network Security Perimeter is a game-changer. It addresses a common ask from enterprises for “zero trust” network security on Azure’s monitoring platform. Previously, while you could use Private Link to secure traffic from your VNets to Azure Monitor, Azure Monitor’s own service endpoints were still accessible over the public internet. The security perimeter closes that gap by enforcing network controls on Azure’s side. This means you can lock down your Log Analytics workspace or Application Insights to only accept data from specific sources (e.g. certain IP ranges, or other resources in your perimeter) and only send data out to authorized destinations. If anything or anyone outside those rules attempts to access your monitoring resources, Network Security Perimeter will deny it and log the attempt for auditing. In short, Network Security Perimeter brings a new level of security to Azure Monitor: it allows organizations to create a logical network boundary around their monitoring resources, much like a private enclave. This is crucial for customers in regulated industries (finance, government, healthcare) who need to ensure their cloud services adhere to strict network isolation policies. By using the security perimeter, Azure Monitor can be safely deployed in environments that demand no public exposure and thorough auditing of network access. It’s an important step in strengthening Azure Monitor’s security posture and aligning with enterprise zero-trust networking principles. Key Benefits of Network Security Perimeter in Azure Monitor With Network Security Perimeter now generally available, Azure Monitor users gain several powerful capabilities: 🔒 Enhanced Security & Data Protection: Azure PaaS resources in a perimeter can communicate freely with each other, but external access is blocked by default. You define explicit inbound/outbound rules for any allowed public traffic, ensuring no unauthorized network access to your Log Analytics workspaces, Application Insights components, or other perimeter resources. This greatly reduces the risk of data exfiltration and unauthorized access to monitoring data. ⚖️ Granular Access Control: Network Security Perimeter supports fine-grained rules to tailor access. You can allow inbound access by specific IP address ranges or Azure subscription IDs, and allow outbound calls to specific Fully Qualified Domain Names (FQDNs). For example, you might permit only your corporate IP range to send telemetry to a workspace, or allow a workspace to send data out only to contoso-api.azurewebsites.net. This level of control ensures that only trusted sources and destinations are used. 📜 Comprehensive Logging & Auditing: Every allowed or denied connection governed by Network Security Perimeter can be logged. Azure Monitor’s Network Security Perimeter integration provides unified access logs for all resources in the perimeter. These logs give you visibility into exactly what connections were attempted, from where, and whether they were permitted or blocked. This is invaluable for auditing and compliance – for instance, proving that no external IPs accessed your workspace, or detecting unexpected outbound calls. The logs can be sent to a Log Analytics workspace or storage for retention and analysis. 🔧 Seamless Integration with Azure Monitor Services: Network Security Perimeter is natively integrated across Azure Monitor’s services and workflows. Log Analytics workspaces and Application Insights components support Network Security Perimeter out-of-the-box, meaning ingestion, queries, and alerts all enforce perimeter rules behind the scenes. Azure Monitor Alerts (scheduled query rules) and Action Groups also work with Network Security Perimeter , so that alert notifications or automation actions respect the perimeter (for example, an alert sending to an Event Hub will check Network Security Perimeter rules). This end-to-end integration ensures that securing your monitoring environment with Network Security Perimeter doesn’t break any functionality – everything continues to work, but within your defined security boundary. 🤝 Consistent, Centralized Management: Network Security Perimeter introduces a uniform way to manage network access for multiple resources. You can group resources from different services (and even different subscriptions) into one perimeter and manage network rules in one place. This “single pane of glass” approach simplifies operations: network admins can define a perimeter once and apply it to all relevant Azure Monitor components (and other supported services). It’s a more scalable and consistent method than maintaining disparate firewall settings on each service. Network Security Perimeter uses Azure’s standard API and portal experience, so setting up a perimeter and rules is straightforward. 🌐 No-Compromise Isolation (with Private Link): Network Security Perimeter complements existing network security options. If you’re already using Azure Private Link to keep traffic off the internet, Network Security Perimeter adds another layer of protection. Private Link secures traffic between your VNet and Azure Monitor; Network Security Perimeter secures Azure Monitor’s service endpoints themselves. Used together, you achieve defense-in-depth: e.g., a workspace can be accessible only via private endpoint and only accept data from certain sources due to Network Security Perimeter . This layered approach helps meet even the most stringent security requirements. In conclusion, Network Security Perimeter for Azure Monitor provides strong network isolation, flexible control, and visibility – all integrated into the Azure platform. It helps organizations confidently use Azure Monitor in scenarios where they need to lock down network access and simplify compliance. For detailed information on configuring Azure Monitor with a Network Security Perimeter, please refer to the following link: Configure Azure Monitor with Network Security Perimeter.Introducing the Improved Search Job Experience in Azure Monitor Log Analytics
A search job is an asynchronous query that runs on any data in your Log Analytics workspace, including data from the long-term retention, making the results available for further queries in a new Analytics table within your workspace. To efficiently search massive datasets, Search Job divides queries into smaller time-based segments, processes them in parallel, and returns the results. This approach optimizes scalability and enables reliable analysis, even over petabytes of data. We’re excited to announce significant enhancements to Search Jobs, designed to make large-scale data exploration faster, easier, and more efficient. What’s New in Search Job Our latest update includes several powerful improvements: Intuitive and streamlined UI experience for faster and simpler setup. Cost estimation preview before running a Search Job. Previously, we had system limitations in place to ensure stability. Now, as more customers use Search Job, we’re removing most of these limits to enhance your experience: Result limits are being increased, with support for up to 100 million records coming soon. Enhanced concurrency, allowing more jobs to run in parallel. Removed the search date-range limit, now supporting any date range over the table’s retention. These updates make it easier to explore massive datasets while giving you greater control over costs and performance. Explore the New UI Experience Let’s walk through a familiar scenario to showcase the new UI. Imagine you want to check if a specific client IP address has repeatedly accessed your system over the past year, as part of investigating suspicious activity. With the new Search Job experience, scanning through massive volumes of logs is now fast, simple, and intuitive. Step-by-Step: Start by typing your query or selecting the relevant table - here, we’re querying the SecurityEvent table for a suspicious IP address. Open the ellipsis menu (…) on the right and choose "Search Job". Use the time picker to set your date range. For example, select ‘Last year’ to view a full year of activity, or choose a longer period if needed. Name your new results table, such as SecurityEventJuly25. Before running the job, you’ll see an approximate cost estimation, helping you decide if you want to proceed with the query. Click Run to launch the Search Job. A new table is created in your workspace, allowing you to analyze results efficiently without impacting performance. This new UI flow makes it seamless to handle even large-scale investigations like this, with fewer clicks and better visibility along the way. What’s Next? We’re continuing to enhance Search Job with broader KQL operator support and additional features. Stay tuned for more updates! For a deeper dive into all these improvements, check out the full documentation https://aka.ms/LogAnalyticsSearchJobs. For questions or feedback, feel free to leave a comment on the blog or use the “Give feedback” form directly in the Logs UI.
