This week in Azure

John just got back from Mexico City meeting customers and partners. Two new videos this week: one on generative AI for anyone and everyone (no technical background assumed), and another walking through setting up Terminal with GitHub Copilot connected to Work IQ for M365/Dynamics 365 access. The 400K subscriber AMA is next week on March 24.

This was a massive week for Fabric. The Fabric conference dropped a pile of updates: Databricks federation, new mirroring sources, shortcut transformations, and Fabric IQ going GA with data agents. On the Azure side, the Foundry Agent Service going GA with native voice is the headline. The Entra ID integration for Blob SFTP is a quiet but welcome fix for anyone who’s been maintaining local accounts.

Category | Update | Status
Compute | AKS Flatcar Container Linux retirement (June 8, 2026) | Retiring
Compute | Azure Batch VM SKU and image retirements | Retiring
Compute | Azure Red Hat OpenShift managed identity support | GA
Networking | WAF Default Rule Set 2.2 | GA
Storage | Entra ID for Blob SFTP access | GA
Storage | Standard HDD retirement (September 8, 2028) | Retiring
Database | Databricks Lakeflow Connect free tier | GA
Database | Databricks to Fabric federation | Preview
Database | Azure SQL DB versionless TDE | GA
Database | SQL Server VS Code updates | GA
Fabric | Mirroring, shortcuts & Fabric IQ updates | GA
AI | Foundry Agent Service | GA
AI | Foundry Observability | GA
AI | OpenAI GPT-5.4 mini and nano in Foundry | GA
AI | NVIDIA Nemotron models in Foundry | GA
Identity | Entra ID backup and recovery | Preview

AKS Flatcar Container Linux retirement

The AKS Flatcar Container Linux node pools are being retired. This was a preview feature, and it’s going away on June 8, 2026. After that date, you won’t be able to create new node pools with Flatcar, and the image won’t be updated.

Flatcar provided an immutable operating system to eliminate configuration drift and prevent unauthorized changes. Those were good properties, but AKS now has other capabilities that achieve the same outcome. Move to Azure Linux or Ubuntu.

Azure Batch VM SKU and image retirements

Several retirements coming for Azure Batch:

  • NV v3 and NV4 GPU SKUs retire September 30, 2026. Move to newer GPU-enabled SKUs.
  • Windows Server 2016 images retire January 12, 2027, in line with the OS support lifecycle. Move to newer Windows Server images.
  • Low priority VMs are already retired. Use spot instances instead (same idea: cheaper price for spare capacity).

If you’re running batch jobs on any of these, migrate before the dates. Or do it now and stop thinking about it.

Azure VMware Solution node retirements

The AV36P and AV52 nodes for Azure VMware Solution are being retired June 30, 2029. That’s a long runway, but you still need to move to a different supported node type before your current term ends for those SKUs.

Similarly, the HC, HBv2, and NP VM SKUs retire May 31, 2027.

Azure Red Hat OpenShift managed identity support (GA)

Azure Red Hat OpenShift now supports managed identities. This is the joint Microsoft/Red Hat managed offering, and now it gets the same passwordless cross-resource communication that other Azure services have had.

No more managing secrets or keys for service-to-service communication. The identity is inherent to the resource. If you’ve been maintaining credentials for your OpenShift workloads to talk to other Azure services, this simplifies that significantly.

WAF Default Rule Set 2.2 (GA)

The Web Application Firewall default rule set 2.2 is now GA for both regional (App Gateway) and global (Front Door) deployments. Going forward, the three most recent rule sets will be supported.

The default rule set is a superset of the OWASP Core Rule Set. It takes the standard OWASP rules and adds Microsoft Threat Intelligence Collection rules maintained by the Microsoft threat intelligence team. You get protection against well-known attack paths out of the box.

Entra ID for Blob SFTP access (GA)

If you’ve enabled SFTP on your blob storage accounts, you can now use Entra ID for authentication instead of maintaining local accounts on the storage account.

Before:
  SFTP client ──→ Local account (password/SSH key) ──→ Blob Storage
    └── manually maintained per storage account
After:
  SFTP client ──→ Entra ID account ──→ Blob Storage
  Azure resource ──→ Managed identity ──→ Blob Storage
    └── no passwords, no secrets, no keys

This also supports managed identities. So if you have an Azure resource that needs SFTP access to blob storage, it can use its managed identity. No passwords, no secrets, no keys. If you’ve been managing local SFTP accounts across multiple storage accounts, this is the fix you’ve been waiting for.

Standard HDD retirement

Standard hard disk drives will be retired on September 8, 2028. You can move to Standard SSD (or Premium, or whatever suits your workload) before then. If you do nothing, they’ll be automatically converted to Standard SSD on that date.

Standard SSD is better in every way that matters, so this is more of a cleanup than a disruption.

Databricks Lakeflow Connect free tier (GA)

Azure Databricks now gives you 100 free DBUs per workspace per day through the Lakeflow Connect free tier. This is aimed at ingesting data from SaaS applications (Dynamics 365, ServiceNow, etc.) and databases (SQL Server, Oracle, PostgreSQL) into your lakehouse.

100 DBUs: free per workspace per day
~100M: records per workspace per day

That 100 DBUs translates to roughly 100 million records per day. After that, you pay standard Lakeflow Connect pricing. For a lot of organizations, the free tier will cover their daily operational data ingestion entirely.

Databricks to Fabric federation (preview)

You can now federate from Azure Databricks to Microsoft Fabric. Your Databricks Unity Catalog gets connected to Fabric’s OneLake, and data in OneLake Lakehouse shows up in the Unity Catalog alongside your native Databricks data assets.

Azure Databricks Unity Catalog
├── Native Databricks data
└── Fabric OneLake data (federated, no copy)
    └── Available for ML, Spark, analytics in Databricks

No data copying, no complex pipelines. When you need Databricks capabilities (machine learning, complex Spark workloads) on data that lives in Fabric, you just access it transparently. Many organizations are consolidating on Fabric’s OneLake as their single source of truth, and this lets them extend to Databricks without duplicating data.

Microsoft Fabric updates

Big Fabric conference this week. Here’s the condensed version:

Mirroring now supports SharePoint lists and Dataverse (preview), plus Oracle and SAP Data Sphere (GA). Mirroring copies data automatically without you maintaining pipelines.

Shortcuts got transformations in GA. Shortcuts access data where it lives without duplication. Now Fabric can convert structured files (CSV, Parquet, JSON) into queryable Delta tables on the fly. No ETL needed. AI-powered transformations are in preview for more advanced scenarios.

New security capabilities add row and column level controls on top of shortcuts and mirrored data. Expected GA in a few weeks.

Fabric IQ had the biggest set of updates:

  • MCP server to integrate with ontologies (your business entities, relationships, objectives)
  • Planning capability for budgets, forecasts, and scenario modeling
  • Data agents went GA: granular data interaction for humans and AI agents, publishable to Teams

Fabric IQ is the layer that gives AI an understanding of your business context. Instead of an AI trying to interpret raw data, IQ provides semantic models, business relationships, and ontologies so the AI knows what the data means.

Azure SQL DB versionless TDE (GA)

Versionless transparent data encryption for Azure SQL Database is now GA. If you’re using customer-managed keys (bring your own key), you normally have to specify a version number. When you rotate the key, you have to update every consumer with the new version.

With versionless TDE, you skip the version. When you rotate your key in Key Vault, SQL Database detects the new key and starts using it automatically. One less manual step in your key rotation process.
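To find out which servers still pin a key version and so need a manual update on every rotation, you can audit the TDE protector key identifiers. The script below is an added example, not from the source video or Microsoft. It assumes the versionless form is the Key Vault key identifier with the trailing version segment omitted, and the server names, vault name and key version in it are constructed.

```python
import re
from urllib.parse import urlparse

# Key Vault key identifier: https://<vault-host>/keys/<name>[/<version>]
# Key names are alphanumerics and dashes; a version is 32 lowercase hex chars.
_KEY_PATH = re.compile(
    r"^/keys/(?P<name>[0-9A-Za-z-]{1,127})(?:/(?P<version>[0-9a-f]{32}))?/?$"
)


def parse_key_uri(uri):
    """Return (vault_host, key_name, version_or_None); raise ValueError if malformed."""
    parts = urlparse(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https key identifier: {uri!r}")
    match = _KEY_PATH.match(parts.path)
    if not match:
        raise ValueError(f"unexpected key path: {parts.path!r}")
    return parts.hostname, match.group("name"), match.group("version")


def audit_protectors(inventory):
    """Split {server: key_uri} into pinned, versionless and invalid server lists."""
    report = {"pinned": [], "versionless": [], "invalid": []}
    for server, uri in sorted(inventory.items()):
        try:
            _, _, version = parse_key_uri(uri)
        except ValueError:
            # Wrong scheme, wrong object type, or a truncated version string.
            report["invalid"].append(server)
            continue
        report["pinned" if version else "versionless"].append(server)
    return report


# Constructed inventory: every name and the version string are made up.
SAMPLE = {
    "sql-orders": "https://kv-example.vault.azure.net/keys/tde-protector/"
                  "0123456789abcdef0123456789abcdef",
    "sql-billing": "https://kv-example.vault.azure.net/keys/tde-protector",
    "sql-legacy": "http://kv-example.vault.azure.net/keys/tde-protector",
    "sql-typo": "https://kv-example.vault.azure.net/secrets/tde-protector",
}

if __name__ == "__main__":
    for status, servers in audit_protectors(SAMPLE).items():
        print(f"{status}: {', '.join(servers) or '-'}")
```

Servers reported as pinned are the ones that keep using the old key version after a rotation until someone updates them.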

SQL Server VS Code updates

Three updates to the VS Code MSSQL extension:

  • Publish SQL database projects directly from VS Code. No more needing a separate tool to deploy your schema changes.
  • Graphical table data editing through the MSSQL extension. View and edit rows interactively.
  • GitHub Copilot AI assistance in the schema designer. Describe what you want, it generates the schema.

The MSSQL extension keeps absorbing functionality that used to require SSMS or dedicated database tools. Between the query profiler from CW11, the backup/restore from CW9, and now project publishing and interactive editing, VS Code is becoming a serious database management environment.

Foundry Agent Service (GA)

The Azure AI Foundry Agent Service is now generally available. It’s a fully managed platform for building and running AI agents with a few things worth highlighting:

  • Any framework: Use prompt agents (no code), the agent framework, LangGraph, or build your own
  • Any model: Huge model catalog to pick from
  • Native voice: Built-in speech-to-speech capability with 700+ voices across 140 locales

The voice part is the differentiator. Instead of chaining speech-to-text, reasoning, then text-to-speech yourself, it’s just built in. If you’re building a personal assistant, operations agent, or anything with voice interaction, that’s a significant amount of plumbing you no longer have to maintain.

Full observability, enterprise governance, and identity integration are included. The service supports everything from simple prompt-based agents to fully coded custom agents.

Foundry Observability (GA)

Foundry Observability went GA, and this one deserves more attention than it typically gets. Models will change. Prompts will evolve. Traffic patterns will shift. What matters is whether you can trust that your agent still works correctly through all of that.

The observability layer provides:

  • Quality evaluation: Relevance, coherence, groundedness (are responses based on real data?)
  • Retrieval quality: Is your RAG pipeline actually retrieving the right documents?
  • Safety and policy alignment: Is the agent staying within your defined guardrails?
  • Custom evaluations: Build your own LLM-based or code-based evaluation criteria
  • End-to-end tracing: Full trace through the agent’s reasoning chain, integrated with Azure Monitor

If you’re deploying AI agents in production without this kind of evaluation layer, you’re flying blind. The model working well in your demo doesn’t mean it works well with real traffic, real edge cases, and real data.

NVIDIA Nemotron and new model updates

The NVIDIA Nemotron family landed in Azure AI Foundry, spanning from Nano (low latency, cost efficient) to Ultra (high reasoning, large scale).

Foundry Local now supports NVIDIA GPU acceleration, so you can run models on the edge with NVIDIA RTX cards. Use cases: super low latency requirements, safety-critical scenarios, or data sovereignty where public cloud regions don’t meet your compliance needs.

OpenAI GPT-5.4 mini and nano are available in Microsoft Foundry (mini is also in GitHub Copilot). Mini handles multimodal, tool use, and computer use at a lower cost than the full model. Nano is optimized for very high volume, very fast interactions.

Entra ID backup and recovery (preview)

Entra ID now takes daily backups of your directory objects, keeping five days of snapshots. You can restore properties of users, groups, apps, conditional access policies, service principals, authentication methods, authorization policies, and named locations.

Day 1  Day 2  Day 3  Day 4  Day 5 (today)
  ↑      ↑      ↑      ↑      ↑
  └──────┴──────┴──────┴──────┘
  Restore to any of these snapshots

This is specifically about property changes, not deleted objects (that’s what the recycle bin is for). If someone runs a script that accidentally modifies group memberships or conditional access policies across your tenant, you can revert to the state from up to five days ago. Combine it with soft delete and protected actions for a more complete defense against both accidental and malicious changes.

Final thoughts

The Fabric conference made this week feel like two weeks of updates compressed into one. The Databricks-to-Fabric federation stands out because it acknowledges the reality that organizations use both platforms and shouldn’t have to duplicate data to do so. OneLake as the single source of truth, with Databricks reaching in when you need its capabilities, is a pragmatic architecture.

Foundry Agent Service going GA with native voice is significant. Voice interaction in AI agents used to mean stitching together three separate services and hoping the latency stayed acceptable. Having it built into the platform removes a real barrier for production voice agents.

And the Entra ID backup quietly addresses something that keeps security teams up at night. The recycle bin handles deletions, but property modifications (an attacker changing conditional access policies, a script gone wrong modifying group memberships) were harder to recover from. Five days of snapshots with property-level restore is a meaningful safety net.


Sources

  1. John Savill, “Azure Update - 20th March 2026,” YouTube, https://www.youtube.com/watch?v=jkpcFAYJjvM