r/AZURE

VMware used to be the go͏-to choice. After the Broadcom changes, a lot of us are in renew or rethink mode.

When people talk about how to migrate from VMware to Azure, the network side gets skipped almost every time, but it usually decides how fast you can actually move. AVS sounds like the easy option, but then it's months of planning and carrier timelines.

When a VMware to Azure project drags, what's usually the blocker? Connectivity planning, or cost control after cutover?

My department has had its own Azure tenant and subscriptions for about 4 years now. We have a handful of typical workloads including VMs, storage, SQL MI, and Synapse. There's been some reorg in recent months and now the central IT team is requiring us to migrate into new subscriptions within their new tenant (new enterprise agreement). This will likely be a long, manual process as we've been told by our MS team there isn't a simple way to just re-link our existing subscriptions to the new tenant. I'm ok with that as I don't want to just drag a bunch of junk forward. We had to get running in Azure fast so we didn't have much time to learn best practices, proper configs, etc in the beginning. I'm sure there's plenty of things I'd do differently now so I view this as a rare opportunity to start from scratch and implement some best practices and things learned along the way.

The reorg has a heavy focus on security so we're getting up to speed with Defender for Cloud, lots to do there. Also, now making use of Azure Update Manager. I've done a little with Azure Policy, but know there's a ton more we should leverage there. Seeking some advice on the top 3 to 5 areas we should focus on implementing from the start BEFORE we actually begin creating/migrating any resources. The tenant admins will create the subscriptions for us and they will manage Entra and provision the networking bits, but we will remain owners of these new subscriptions. Any advice is much appreciated. Thanks.

I’ve been working on a Microsoft 365 security tool focused on identity misconfigurations (things like MFA gaps, excessive admin roles, dormant accounts, etc.).

The core idea is:

• connect via OAuth (Entra ID)
• read tenant configuration
• highlight risky settings
• optionally help remediate them
• provide rollback option in case of mistaken operations carried out

Recently I shared it and got some strong (and fair) feedback from admins, mainly around trust and risk, not functionality.

Some of the concerns raised:

• “What stops any user in the tenant from authenticating to the app?”
• “How is admin consent handled and documented?”
• “How are enterprise app restrictions (users/groups/CA policies) expected to be configured?”
• “Where is tenant data stored, and how is isolation enforced?”
• “What guarantees are there that automated fixes won’t break things?”

None of these are unreasonable — and it made me realize that even if the implementation is secure, if the trust model isn’t clear and explicit, admins will (rightfully) reject it.

So I wanted to ask this community directly:

From your perspective as admins/security folks:

• What would you need to see before trusting a tool like this?
• What are non-negotiables when it comes to:
  • OAuth apps / enterprise app access
  • Graph permissions
  • data storage & isolation
• How should remediation be handled? (fully manual vs staged vs automated with guardrails)
• What kind of documentation or transparency would make you comfortable enough to even test something like this?

I’m not trying to sell anything here — just trying to understand how to build this in a way that aligns with how admins actually think about risk.

Appreciate any honest feedback, even if it’s blunt.

I am currently testing the migration of several virtual machines from Azure to Proxmox. I used Acronis for the backup and restoration process, and the VMs are running smoothly. However, I’ve encountered a licensing issue: since the VMs are no longer on the Azure platform, the Datacenter Azure Edition license is showing an error.

Does anyone know of a way to convert or "downgrade" the license to a standard Windows Server 2022 Datacenter edition? Has anyone successfully managed this?

Also, what would be the consequences of leaving the Azure Edition license active on Proxmox if I am unable to change it?

Hello

I want to use ROPC flow to authenticate a user using REST API and avoid any user interaction ( automation purposes ). However, azure still asks for MFA even though it is disabled. Is there some sort of policy that still enforces it even though it’s disabled? If so, how to disable it.

Hi everyone, I want to get the AZ-900 basic certification. I see there's a practice quiz on the Microsoft Learn website. Are the exam questions at the same level? Are they similar? Because, honestly, the practice quiz questions weren't that difficult. I'm worried the exam questions will be difficult

In azure pipelines, I am working on a repo test where 3 branches are there main , develop and ci . This repo is part of Azure Git Repos .
Now my ci branch contains an Azure Pipelines YAML file, and Azure Pipelines is created using that YAML.
Now I want to run an automatic trigger when a PR is raised from develop to main branch.
PLease note that main and develop does not contain pipeline yaml file.

Steps I have followed

1. Set branch build policy for automatic trigger as mentioned in here Build Validation
2. Change Pipeline default branch. Here I have set default branch to ci

Even after these settings, the automatic pipeline does not trigger when PR is raised from develop to main branch.

PR refer to pipeline but status stauck at [image below] -

https://preview.redd.it/tvny2xdwrbwg1.png?width=2015&format=png&auto=webp&s=3057648c9f63f4b195b89fcfc2bbd900898af094

Please help if this is possible. If yes, how to achieve this?

​

Stack: FastAPI backend, React frontend, Azure Data Lake Storage Gen2, deployed on Azure Container Apps

The setup:Building a RAG-based document chat app. When users click citation links, the backend generates a SAS token and returns a blob URL so Microsoft Office Online Viewer can render DOCX/XLSX/PPTX files in an iframe. PDF files are rendered natively in the browser using <object> tag.

The problem:SAS tokens generate successfully (200 OK from backend) but when the browser or Microsoft's viewer servers try to fetch the blob URL, they get:

'''

<Error>

  <Code>AuthorizationFailure</Code>

  <Message>This request is not authorized to perform this operation.</Message>

</Error>

'''

What we tried:

• Account key SAS — generates fine, still 403 on fetch

• User delegation SAS — same result

• URL encoding spaces in blob path — fixed signature mismatch

• Checked SAS token format — looks correct (sv, se, sp=r, sig)

Root cause we found:The storage account has Public network access: Disabled with private endpoints only. Everything only accessible within the VNet.

Interesting behavior:

• PDF works inside corporate VPN/PAM tool , browser is inside VNet, <object data={sasUrl}> fetches directly ✅

• PDF fails outside VPN — browser on public internet, same 403 ❌

• DOCX/XLSX/PPTX fail everywhere — Microsoft's viewer servers (view.officeapps.live.com) are always on public internet, always blocked ❌

The question:With a fully private storage account (private endpoints only, public access disabled), is there any way to make SAS tokens work for third-party viewers like Microsoft Office Online? Or is the only correct architecture to stream everything through the backend?

Current workaround:Routing all file fetches through our JWT-protected backend download endpoint, which is inside the VNet and can reach storage. Works for PDF and DOCX (client-side rendering). PPTX has no good client-side renderer so showing a download button instead.

Considering:

• LibreOffice backend conversion (PPTX → PDF, stream PDF)

• Asking infra team to enable public access from selected networks

• Google Docs Viewer as alternative to Microsoft Viewer (same problem — needs public URL)

Anyone dealt with this pattern before? Is LibreOffice conversion the standard approach for private storage + document preview?

**Hey everyone! 👋 Need some guidance on building a secure & scalable AKS setup**

So I've been working with Kubernetes for a while now and I feel pretty comfortable with the core concepts — but I recently started a project to build a **secure and scalable infrastructure on Azure AKS** and honestly… Azure-specific stuff is throwing me off big time 😅

I'm getting confused by things like:

- Managed Identity vs Service Principals in AKS

- Network policies and how they differ from vanilla K8s

- Best practices for node pool sizing and autoscaling on AKS

- Securing the cluster (RBAC, Azure AD integration, private clusters)

- What tools actually work well in the Azure ecosystem (Flux? Defender for Containers? etc.)

I've been googling around but most tutorials either assume zero K8s knowledge or go way too deep into enterprise setups without explaining the "why".

If you've built something similar or know good resources (docs, courses, repos, YouTube channels), I'd really appreciate the help! 🙏

Thanks in advance!

Hello all. I am creating my first Azure web app and need help getting started. I have been using AI to guide me but it is actually time to start programming.

To start, I am creating a website for the customer service representatives to upload purchase orders and then use document intelligence to process them and take out the key values and then have them approve it and write to NetSuite.

I have a react frontend written and running on my local machine but I don't know how to actually deploy it and make it interactable. Basically I am asking where do I put the code? Sorry if this is very basic, any resources would be greatly appreciated.

I have provisioned some resources on the Azure portal including a Web App, storage account, azure functions, and the document intelligence resource. I think that is all I will need but let me know how to get started.

We’re an MSSP using Azure Lighthouse to monitor many Microsoft Sentinel workspaces.

We’re trying to improve how we detect when a server stops sending logs to Sentinel, and ideally tell the difference between:

• a temporary ingestion drop, and
• a real issue (agent/DCR/connectivity).

Today we use a scheduled query checking for events over the last 2 hours, which triggers a ticket and customer notification. It works, but creates noise and isn’t very precise.

How are others handling this?

• Better KQL patterns or baselining?
• Using AMA / Arc signals instead of raw log presence?
• Grace periods to avoid false positives?
• Sentinel-native vs Logic Apps / external automation?

Interested in real-world approaches that scale across many workspaces.

Thanks!

Where ppl mess up in azure is that they get a VM azure assigns them an IP

You delete the VM and assume the IP is also delete but it’s still running your bill still is reading going up nickname it (silent killer )

In short

In azure networking resources live on their own

And can keep billing once compute is off

I'm new to Azure (I'm on the free tier) and cloud computing in general, I was creating resources on Azure using Terraform and I wasn't aware that Static Web Apps are only available for 'westus2,centralus,eastus2,westeurope,eastasia' so I had both my CosmosDB account and the SWA instance set to southeastasia.

So now I'm wondering whether it would be better to keep CosmosDB in southeastasia and SWA in eastasia or have them both in eastasia. Having lower latency would be nice since this is for an Edge AI/IoT project where the user would be able to control an end device through the website but I just wanted to know what would be the better option. Also it would be nice to know whether SWA is the best option for my use case, the website was created using react and there are some features like the dashboards, end device controls in the website, so I'm not sure whether SWA is the best option or whether running the website on an Azure VM would be better.

Hi Friends, I am planning to take Azure AI 102 Certification exam next week. Please help where I can get practice questions and help with any exam preparation tips.

Long time reader, first time writer for a Purview issue, so try not to belittle me right out the gate here Internet.

We're dabbling in world of "Insider Risk" with Purview and the issue I'm running into is it is marking thousands of .txt files from our Cisco AnyConnect program (which for those of you that aren't familiar handles VPN, Umbrella, Secure Connect, etc)

These "Alerts" get flagged for "File Deleted on Endpoint" and absolutely FLOOD the platform and makes parsing through potential problem users a real PITA. I'm sure I could filter it out but the Global Exclusion SHOULD work.

-----

The file path that these .txt files reside at is:

C:\Users\<username>\.cisco\vpn\log\UIHistory_20260419_192709_log.txt (the number part changes obviously).

-----

Inside Purview: "Settings" > "Insider Risk Management" > "Global Exclusions" > "File Paths" is where I am operating out of.

Microsoft has some default exclusions already in here that are structured like this:

\Users\*\AppData\Local\Temp (username wildcarded to cover all users, easy stuff)

\Users\*\AppData\Roaming

\Users\*\AppData\Local

\Users\*\AppData

----

So I made exclusions:

\Users\*\.cisco\vpn\log\* (didn't work)

\Users\*\.cisco\vpn\log\*.txt (didn't work)

\Users\*\.cisco\vpn\* (didn't work)

----

So I'm at a loss for this, perhaps it's just omitting it from scoring and still showing it, I can't find any info that states how this mechanic should fully work. The tool tip above the Default file paths states "These file paths are automatically excluded because activity in these paths is typically expected and including them could potentially increase the volume of non-actionable alerts."

To me that reads that they shouldn't be there in the alerts list at all, but perhaps I'm wrong -- BUT I've not seen any appdata related Alerts in the list so that further substantiates my thinking that I shouldn't see stuff related to Globally Excluded Paths.

----

I've got a ticket open with Microsoft, they've been useless thus far, now I have to get on a call with them tomorrow and it'll be a waste of time as usual with Microsoft support.

Hi,

We deployed a basic Chat Gpt-5.4 model to one of Azures smaller regions and began testing a few agentic tools. Last week we noticed increase in response times, like doubling from 20s avg to 40+s. Checking the models monitoring pane, we see spikes in time to first byte, and last byte. On Friday the time to first byte spiked by a factor of 7. Now We are trying to understand if these fluctuations are a result of our minor prompt adjustments or caused by Azure infrastructure.

Can anyone with experience comment on how consistent/reliable the model hosting service is? e.g. should we expect constantly changing response times from the model?

Thanks!

Hey all, solo developer here. Back in 2023, i first used PlayFab for one of my small game projects. I noticed that for the "Development" plan, you could have up to 100K unique players. i thought "That sounds incredible! Too bad i don't need it right now". Well, now it's 2026, and i planned a much larger online project, with PlayFab planned as the spine of the whole thing. I'm already about half-way done building my game, and i decided to start testing PlayFab. Well as it turns out, at some point during my hiatus, they have decreased the maximum player count to 1K! Microsoft has all the money in the world, why the hell do they need to make that huge of a cut when they know it only affects indie developers? PlayFab isn't even the most popular Azure service afaik, there's just no point. Anywho, i need an alternative to PlayFab, like pretty soon, and it needs to be free and preferably support 10K - 100K players. 100K would be preferred, and i'm 90% sure it doesn't get any bigger than that, which is fine. Does anybody know any service that can save text data to each account (stuff like levels, achievements, etc.)? Literally, i don't care how slow it is, as long as it works with Unity. I just need some text data for each unique user, i already have multiplayer figured out. It doesn't even need to have moderation tools. Please, are there any options?

A bit of an odd-ball question, but what are ye using for diagram generation, and are you using AI-type platforms to help.

I've never been good at generating diagrams from my architectures, and it's 100% the least favorite part of my job as an architect. I'm just not able to make anything look good. I've tried my best to keep it as basic as possible and been using Draw.io for the most part, but alas, it looks like the dogs breakfast on the best of days.

I had a look at two service now that will generate from prompt, both of which gave me some good, albeit different, visual styles from the same prompt. For the most part I am happy, but both of these don't get it quite exactly how I expect it, I am looking for something that I could export and then fine tune in Draw.io.

For some reference, I attached the output of both these services, along with the very basic example prompt I used. Of course, it is a very basic prompt, solely for the purpose of comparing apples with apples.

I guess my ask then:

Can you recommend any other AI-type services that I can use to generate an editable diagram (ideally draw.io, but Visio or other will be fine) that I can tweak and clean up specifically for Azure environments and services? Bonus points if I can import a technical spec or design document and it will generate a diagram based on that.

Thanks in advance

Prompt

Eraser Diagram

Infrasketch Diagram