This week in Azure

John Savill put out two deep dives this week. The first covers Agent 365, Microsoft’s framework for treating AI agents like employees with their own identities, policies, and lifecycle management. It’s a different way to think about it. Instead of building agents as code artifacts, you manage them through the same HR-like processes you’d use for people: onboarding, access reviews, offboarding. The second video walks through the new scalable ExpressRoute gateway, which auto-adjusts capacity based on load up to 40 Gbps and is always zone-redundant where the region supports it.

On to the weekly updates. WAF Insights is the one I find most useful here. If you’ve ever tried to troubleshoot App Gateway WAF rules by digging through raw logs, you’ll appreciate having an actual interactive view. The blob SAS + Entra ID integration also caught my eye because it closes a real security gap in how shared access signatures work.

Category         Update                                        Status
───────────────  ────────────────────────────────────────────  ────────────
Compute          AKS Windows Server Annual Channel retirement  Retiring
Networking       App Gateway WAF Insights                      Preview
Storage          Premium SSD v2 regional expansion             GA
Storage          Blob user-delegated SAS + Entra ID            Preview
AI               Azure AI Search sensitivity labels            Preview
Database         PostgreSQL Premium SSD v2 geo backup          Preview
Database         MS SQL VS Code extension updates              GA + Preview
AI               New OpenAI models in Foundry                  GA
Monitoring       Azure Monitor pipeline updates                Preview
Developer Tools  GitHub Copilot CLI                            GA

AKS Windows Server Annual Channel retirement

Action required by May 15, 2026 — Switch your AKS Windows node pools from the Annual Channel to the Long-Term Servicing Channel (LTSC).

The Windows Server Annual Channel is being retired for AKS on May 15, 2026. If you’re running Windows node pools on the Annual Channel, switch to LTSC. It has longer support cycles and better stability for production workloads.

This shouldn’t be a hard migration for most teams, but it does need to happen before the deadline. Check your node pool OS channel settings and plan the switch.

App Gateway WAF Insights (preview)

App Gateway’s Web Application Firewall has a new interactive insights view in preview. If you’ve worked with WAF on App Gateway before, you know the pain: something gets blocked, and figuring out which rule triggered it means digging through diagnostic logs in Log Analytics.

WAF Insights gives you two modes:

WAF Insights
├── Monitor View
│   ├── Attack pattern trends
│   ├── Blocked vs. allowed request ratios
│   ├── Top triggered rules
│   └── Traffic metrics over time
└── Triage View
    ├── Individual incident details
    ├── Rule match breakdown
    ├── Request headers and body
    └── Recommended actions

The monitor view shows you the big picture: attack patterns, blocked requests, which rules fire most often. The triage view lets you drill into specific incidents when you need to figure out whether a block was legitimate or a false positive.

I’ve spent too many hours writing KQL queries to get this same information from raw WAF logs. Having it in an interactive dashboard is a real improvement for anyone running App Gateway with WAF enabled. If you also want to validate the TLS configuration on your App Gateway endpoints, the Azure TLS checker is worth a look.
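For comparison, the same two questions (which rules fire most, and which rules caused a given block) answered straight from firewall log records. This is an added example, not code from the original post or from Microsoft. The records are constructed, carry only the `properties` fields used here, and assume an anomaly-scoring rule set where contributing rules log `Matched` and rule 949110 logs the `Blocked` decision.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real traffic), shaped like the "properties"
# object of ApplicationGatewayFirewallLog entries; IPs are documentation ranges.
SAMPLE_LOG = """
{"transactionId":"t1","clientIp":"203.0.113.7","requestUri":"/search","ruleId":"942100","action":"Matched","message":"SQL Injection Attack Detected via libinjection"}
{"transactionId":"t1","clientIp":"203.0.113.7","requestUri":"/search","ruleId":"949110","action":"Blocked","message":"Inbound Anomaly Score Exceeded"}
{"transactionId":"t2","clientIp":"198.51.100.9","requestUri":"/api/comment","ruleId":"941100","action":"Matched","message":"XSS Attack Detected via libinjection"}
{"transactionId":"t2","clientIp":"198.51.100.9","requestUri":"/api/comment","ruleId":"942100","action":"Matched","message":"SQL Injection Attack Detected via libinjection"}
{"transactionId":"t2","clientIp":"198.51.100.9","requestUri":"/api/comment","ruleId":"949110","action":"Blocked","message":"Inbound Anomaly Score Exceeded"}
{"transactionId":"t3","clientIp":"192.0.2.44","requestUri":"/login","ruleId":"920300","action":"Matched","message":"Request Missing an Accept Header"}
"""

def parse(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def monitor_view(records):
    """Top triggered rules plus blocked / not-blocked request counts."""
    rules = Counter(r["ruleId"] for r in records if r["action"] == "Matched")
    actions_by_txn = defaultdict(set)
    for r in records:
        actions_by_txn[r["transactionId"]].add(r["action"])
    blocked = sum(1 for acts in actions_by_txn.values() if "Blocked" in acts)
    return {"top_rules": rules.most_common(3),
            "blocked": blocked,
            "not_blocked": len(actions_by_txn) - blocked}

def triage_view(records, transaction_id):
    """For one request, list the rules that contributed to the final decision."""
    hits = [r for r in records if r["transactionId"] == transaction_id]
    if not hits:
        return None  # unknown transaction id
    return {"uri": hits[0]["requestUri"],
            "client": hits[0]["clientIp"],
            "blocked": any(r["action"] == "Blocked" for r in hits),
            "contributing_rules": [(r["ruleId"], r["message"])
                                   for r in hits if r["action"] == "Matched"]}
```

Grouping by `transactionId` is what separates "this rule matched" from "this request was blocked", which is the distinction you need when deciding whether a block was a false positive.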

Premium SSD v2 regional expansion

Premium SSD v2 is now available in three more locations: Brazil Southeast, Malaysia West, and Indonesia Central.

Quick refresher on Premium SSD v2 — Sub-millisecond latency, but unlike Premium SSD v1 (where IOPS and throughput scale linearly with disk size), you set IOPS and throughput independently from capacity. You can also change them dynamically while the disk is in use. Think of it as Ultra Disk's flexibility without the Ultra Disk price tag.

If you’re running databases, analytics workloads, or anything I/O-intensive in these regions and Premium SSD v1 wasn’t cutting it, SSD v2 is the upgrade path. You get the performance tuning without paying for Ultra Disk.

Blob user-delegated SAS tied to Entra ID (preview)

This is a meaningful security improvement for how shared access signatures work with blob storage.

The problem with traditional SAS tokens: they’re tied to one of the storage account access keys. Anyone who has the token can use it, there’s no identity trail, and if the token leaks, your options are limited. User-delegated SAS improved this by binding the token to an Entra identity instead of the account key.

This update takes it further. You can now restrict which Entra identities are allowed to use a generated SAS token:

Traditional SAS      User-delegated SAS      New: Entra-restricted SAS
───────────────────  ──────────────────────  ──────────────────────────────────────────────────
Tied to account key  Tied to Entra identity  Tied to Entra identity
Anyone can use it    Anyone can use it       Only specified users/managed identities can use it
No audit trail       Has audit trail         Full audit trail

So instead of generating a SAS token and hoping it doesn’t end up somewhere unintended, you can lock it down to specific users or managed identities. If someone outside that list tries to use the token, it won’t work.

For environments where you’re sharing storage access with external partners or across teams, this gives you much tighter control. This builds on the user-delegated SAS expansion first covered in CW4, and if you’re thinking about how identity-based access fits into your broader access management strategy, the PIM deep dive covers the privileged access side of things.
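When a SAS URL turns up in a log, ticket, or repository, the first question is which of these signing models it uses, because that decides how you revoke it. The following is an added example, not code from the original post or from Microsoft. It classifies a token by its standard query parameters; the URLs, GUIDs, and signatures are constructed placeholders, and the new Entra-restricted variant is not modelled because the post does not give its parameters.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed URLs for illustration; account, GUIDs and signatures are placeholders.
KEY_SIGNED_SAS = ("https://examplestore.blob.core.windows.net/reports/q1.csv"
                  "?sv=2022-11-02&sr=b&sp=r&se=2026-03-01T00:00:00Z&sig=PLACEHOLDER")
DELEGATION_SAS = ("https://examplestore.blob.core.windows.net/reports/q1.csv"
                  "?sv=2022-11-02&sr=b&sp=rw&se=2026-03-01T00:00:00Z"
                  "&skoid=00000000-0000-0000-0000-0000000000aa"
                  "&sktid=00000000-0000-0000-0000-0000000000bb"
                  "&skt=2026-02-28T00:00:00Z&ske=2026-03-02T00:00:00Z"
                  "&sks=b&skv=2022-11-02&sig=PLACEHOLDER")

def _utc(value):
    """Parse a SAS timestamp (date-only or ISO 8601 with Z) as aware UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def classify_sas(url, now=None):
    """Return how a SAS URL was signed and how to revoke it; None if not a SAS."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return None
    now = now or datetime.now(timezone.utc)
    if "skoid" in q and "sktid" in q:
        # Signed with a user delegation key obtained by an Entra principal.
        kind, signer = "user-delegation", q["skoid"]
        revoke = "revoke user delegation keys or remove the signer's role assignment"
    elif "si" in q:
        # Key-signed, but constrained by a stored access policy on the container.
        kind, signer = "service (stored access policy)", None
        revoke = "delete or edit the stored access policy, or rotate the account key"
    else:
        kind, signer = "account-key", None
        revoke = "rotate the storage account key that signed it"
    expiry = _utc(q["se"]) if "se" in q else None  # 'se' may live in the policy
    return {"kind": kind, "signer_oid": signer, "permissions": q.get("sp"),
            "expired": expiry is not None and expiry < now, "revoke_by": revoke}
```

The function never returns the `sig` value, so its output is safe to paste into an incident ticket.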

Azure AI Search sensitivity label support

If you’re using Azure AI Search to power RAG (retrieval augmented generation) for your AI agents, you’ve probably run into this: any data with Microsoft Information Protection sensitivity labels was silently skipped during indexing. Your agent was grounding its answers on an incomplete dataset, and you might not have even realized what was missing.

With this update, you can opt in to indexing data that has sensitivity labels. The labels are preserved through the indexing process, so access control still applies. If a user searching doesn’t have permission for “Confidential” data, they won’t see it in results. And you can still exclude specific labeled data from being used for grounding if you want.

Supported data sources: Blob storage, Data Lake Storage, SharePoint, and Fabric OneLake.

This matters most for enterprises where a big chunk of valuable data carries sensitivity labels. Your AI agents were blind to all of it. Now they aren’t, and the access controls still hold. Sensitivity labels are one piece of a broader data protection strategy; for more on building policy-driven controls across your Azure environment, see the governance framework post.

PostgreSQL Premium SSD v2 geo backup (preview)

Azure Database for PostgreSQL (flexible server) can now do geo-redundant backups when using Premium SSD v2 storage. The backup replicates to the paired secondary region, giving you cross-region restore.

Before this, if you picked Premium SSD v2 for your PostgreSQL storage (because you needed the IOPS flexibility), you gave up geo-redundant backups. That’s a lousy trade-off for production databases. Now you don’t have to choose.

MS SQL VS Code extension updates

The MSSQL extension for VS Code keeps getting more capable. This round adds a mix of preview and GA features:

Feature                                 What it does                                                               Status
──────────────────────────────────────  ─────────────────────────────────────────────────────────────────────────  ───────
Database management in Object Explorer  Create, rename, drop databases directly                                    Preview
CSV/text file import                    Import CSV and text files into new SQL tables                              Preview
Backup and restore                      Back up and restore to disk or blob (full, differential, transaction log)  Preview
Query profiler                          Capture and monitor real-time query events                                 Preview
Database project publishing             Deploy tables, views, stored procedures without sqlpackage commands        GA
Azure Data Studio migration             Import configurations from Azure Data Studio                               GA
Database object search                  Find tables, views, functions, stored procedures quickly                   GA

The backup and restore capability is the one that fills the biggest gap. Being able to do full, differential, and transaction log backups to disk or blob storage without leaving VS Code makes the extension a credible replacement for more and more SSMS workflows.

The Azure Data Studio migration path is also worth noting. Microsoft has been signaling for a while that the MSSQL extension is where the investment is going. If you’re still using Azure Data Studio, this makes the transition easier.

New OpenAI models in Azure AI Foundry

Three new OpenAI models landed in Azure AI Foundry this week:

GPT-5.3 Codex is the specialized coding model. It handles large-scale refactoring, legacy application modernization, multi-step migrations, and automated code reviews. If you’ve been using GPT-4o for coding tasks and hitting its limits on complex refactors, this is the step up.

GPT Realtime 1.5 and GPT Audio 1.5 are built for voice interactions. Low latency, high quality audio output, and speech understanding with reasoning capabilities. If you’re building voice agents or voice-enabled assistants, or want to replace keyboard input with audio in your applications, these models handle it natively rather than chaining speech-to-text and text-to-speech as separate steps.

Azure Monitor pipeline updates

Azure Monitor Pipelines, which went into preview a couple weeks ago, picked up two additions.

First, mutual TLS (mTLS) support. Regular TLS encrypts the connection and validates the server’s certificate. mTLS adds client certificate validation too, so both sides prove their identity. You can use your own certificates. This is relevant for environments with strict endpoint validation requirements.

Second, granular pod placement for the pipeline workers in your Kubernetes cluster. You can now target specific nodes and set up isolation boundaries for where the pipeline processing runs. Useful if you have compliance or performance isolation requirements for your telemetry processing.

Data Sources ──→ Monitor Pipeline ──→ Log Analytics / Sinks
                 ┌───────┴──────┐
                 │ New:         │
                 │ • mTLS       │
                 │ • Node       │
                 │   targeting  │
                 └──────────────┘

These are incremental improvements, but they matter for production deployments where you need to control the security posture and placement of your observability infrastructure. If you missed the initial Pipelines announcement, I covered the core capabilities in CW7’s weekly update.

GitHub Copilot CLI (GA)

GitHub Copilot CLI is now generally available. This brings the Copilot coding agent experience from VS Code into the terminal.

What you get in the terminal:
  • Autonomous coding via autopilot mode ("go do these tasks")
  • Planning and architecture assistance
  • Specialized agents: code review, build/test, codebase exploration
  • Multiple model support: OpenAI, Anthropic, and Google models

If you work primarily in the terminal and found switching to VS Code for Copilot features annoying, this removes that friction. Same capabilities, different surface. The autopilot mode is particularly interesting for CI/CD workflows or automated code review pipelines where you want AI assistance without a GUI.

Final thoughts

WAF Insights is the update I’m happiest about this week. Troubleshooting App Gateway WAF rules has always been harder than it should be. An interactive view for attack patterns and incident triage beats writing KQL queries every time.

The blob SAS + Entra ID restriction is a security improvement that should’ve existed from the start. SAS tokens floating around with no restriction on who can use them has always felt wrong, even with user delegation. Now you can actually lock them down.

And keep an eye on that AKS Windows Server Annual Channel retirement date. May 15 sounds far away until it isn’t. If you’re running Windows node pools, check your OS channel setting this week and plan the LTSC migration.


Sources

  1. John Savill, “Azure Update - 27th February 2026,” YouTube, https://www.youtube.com/watch?v=Tnq0SmW5TPY
  2. John Savill, “Agent 365 Deep Dive,” YouTube, https://www.youtube.com/watch?v=WTcyL68qTo8
  3. John Savill, “Scalable ExpressRoute Gateway,” YouTube, https://www.youtube.com/watch?v=2OVNx2quVP0