This week in Azure

John’s update dropped a day early this week since he’s traveling. Shorter video, but packed with practical updates. Two themes stand out: storage is getting a lot of attention (Smart Tiering GA, granular encryption-in-transit, minimum billable object sizes, cross-tenant CMK for Ultra/SSDv2), and identity keeps replacing legacy auth patterns (SFTP with Entra ID, Bastion managed identity for session recordings).

The Smart Tiering GA for blob and Data Lake is probably the most broadly useful announcement. If you’ve been manually managing lifecycle policies, this automates the hot/cool/cold movement based on actual access patterns.

SFTP with Entra ID integration

Azure Storage’s SFTP capability no longer requires local user accounts. You can now authenticate SFTP connections using Entra ID, which means centralized identity management, audit trails, conditional access, and MFA.

Before:
SFTP Client ──→ Storage Account (local user/password)
                └── No MFA, no conditional access, no central audit
After:
SFTP Client ──→ Storage Account (Entra ID)
                ├── Centralized identity
                ├── Conditional access policies
                ├── MFA enforcement
                └── Full audit trail

If you’re running SFTP on Azure Storage today with local accounts, this is worth migrating to. Local accounts are a pain to manage at scale and don’t give you the security controls that Entra ID provides out of the box. Inventory the local users first, move each client to Entra ID, and only then remove the local users so you can see which clients still depend on a password or key stored on the storage account.

Standard V2 NAT Gateway as outbound for AKS

The Standard V2 NAT Gateway is now available as the outbound connectivity option for AKS workloads. V2 is a significant upgrade over the original NAT Gateway: it adds zone redundancy, IPv6 support, and 100 Gbps of throughput.

AKS Outbound Options:
├── Load Balancer (default)
├── NAT Gateway V1
│   └── Single zone, IPv4 only
└── NAT Gateway V2 (new)
    ├── Zone redundant
    ├── IPv6 support
    └── 100 Gbps throughput

This works for both managed VNet and bring-your-own VNet AKS deployments. If you’re running AKS clusters that need high-throughput outbound connectivity or zone resilience, V2 is the clear choice.

Azure Monitor OpenTelemetry for AKS workloads

Azure Monitor now supports OpenTelemetry (OTel) ingestion from AKS workloads. OpenTelemetry provides a vendor-neutral standard for emitting traces, logs, and metrics over OTLP (the OpenTelemetry Protocol). Azure Monitor Application Insights can now receive this data directly.

AKS Workload
├── Option A: Deploy Azure Monitor OTel distribution
└── Option B: Auto-configuration (if OTel already wired up)
    OTLP ──→ App Insights (OTel ingestion)
             ├── Traces
             ├── Logs
             └── Metrics

Two paths to get there: deploy the Azure Monitor OpenTelemetry distribution into your cluster, or if your workloads already have OpenTelemetry instrumentation, use the auto-configuration capability to route signals to App Insights. Either way, you get standardized observability without vendor lock-in on the instrumentation side.

Azure Bastion managed identity for session recording

Azure Bastion can record both RDP and SSH sessions to a storage account. Previously, access to that storage account required a shared access signature (SAS) token. Now you can use a managed identity instead, either system-assigned or user-assigned.

This is a straightforward security improvement. A SAS token is a static bearer credential: anyone holding the URL has the access it grants until it expires, and it leaks easily through app settings, logs, and support tickets. A managed identity gets short-lived Entra ID tokens from the platform, so there are no secrets to rotate and nothing to store. When you switch, grant the identity the narrowest storage data-plane role the feature supports, scoped as tightly as the feature allows (ideally the recording container rather than the whole account), and revoke or let expire any SAS previously issued for this purpose.
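Before replacing a SAS with a managed identity it helps to know what each token still in use actually grants. The script below is an added example for this write-up, not Azure tooling: it parses the standard SAS query parameters (sp, se, st, spr, sip, ss/srt) out of URLs and flags tokens that are expired, long-lived, write-capable, account-wide, HTTP-permitting, or unrestricted by IP. The URLs, the fixed audit time and the 7-day lifetime threshold are constructed for the example; PLACEHOLDER stands in for real signatures.

```python
"""Audit SAS tokens still wired into configs before moving to managed identity.
Added example for this write-up, not Azure tooling. The URLs below are
constructed; 'PLACEHOLDER' stands in for real signatures."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed fixed "now" so the audit is reproducible.
AUDIT_NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)

# Constructed sample: three SAS URLs of the kind found in app settings.
SAMPLE_SAS_URLS = [
    # account SAS, write/delete-capable, valid for years, http allowed, any IP
    "https://rec.blob.core.windows.net/?sv=2023-11-03&ss=b&srt=sco&sp=rwdlac"
    "&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER",
    # service SAS on one blob, read-only, already expired
    "https://rec.blob.core.windows.net/bastion/s1.mp4?sv=2023-11-03&sr=b&sp=r"
    "&se=2024-06-01T00:00:00Z&sig=PLACEHOLDER",
    # service SAS on a container, read/list, one hour, https only, IP-restricted
    "https://rec.blob.core.windows.net/bastion?sv=2023-11-03&sr=c&sp=rl"
    "&st=2026-04-16T12:00:00Z&se=2026-04-16T13:00:00Z&spr=https"
    "&sip=10.0.0.0-10.0.0.255&sig=PLACEHOLDER",
]

WRITE_PERMS = set("wdac")  # write, delete, add, create


def parse_sas(url):
    """Return the SAS query parameters of a URL as a flat dict."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params or "se" not in params:
        raise ValueError("not a SAS URL: missing sig or se")
    return params


def _to_utc(value):
    # se/st are ISO 8601; 'Z' is not accepted by fromisoformat before 3.11.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(url, now=AUDIT_NOW, max_lifetime=timedelta(days=7)):
    """Return finding codes for one SAS URL (empty list means nothing to flag)."""
    params = parse_sas(url)
    findings = []
    expiry = _to_utc(params["se"])
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > max_lifetime:
        findings.append("long-lived")
    if set(params.get("sp", "")) & WRITE_PERMS:
        findings.append("write-capable")
    if "ss" in params or "srt" in params:
        findings.append("account-sas")  # spans services, not one resource
    if params.get("spr", "https,http") != "https":
        findings.append("http-allowed")  # spr omitted permits both schemes
    if "sip" not in params:
        findings.append("no-ip-restriction")
    return findings


def audit_all(urls=SAMPLE_SAS_URLS, now=AUDIT_NOW):
    """Map each URL to its findings; anything non-empty is a migration candidate."""
    return {url: audit_sas(url, now) for url in urls}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(urlsplit(url).path or "/", findings or ["ok"])
```

Run it against the SAS URLs you pull from app settings, pipeline variables and Bastion configuration; the first sample URL is the shape that usually turns up for session recordings (account-wide, write-capable, years of validity) and is exactly what the managed identity option removes.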

Azure Site Recovery NVMe disk controller support

Azure Site Recovery now supports Gen 2 VMs with NVMe disk controllers. This expands the set of VMs you can protect with ASR. If you’ve been using NVMe-based VMs and couldn’t replicate them with Site Recovery, that gap is closed.

Azure Batch HBv2/HC/NP SKU retirement

The HBv2, HC, and NP VM SKUs are being retired for Azure Batch pools. Deadline: end of May 2027. If you’re using these SKUs in batch pools, migrate to their newer equivalents before they stop working.

Azure Files granular encryption-in-transit

Azure Files now supports granular control over encryption-in-transit at the protocol level. Previously, encryption settings applied broadly. Now you can set requirements independently for SMB and NFS.

Azure Files Share:
├── SMB ──→ Encryption: Required / Optional
└── NFS ──→ Encryption: Required / Optional
(set independently per protocol)

This matters when you have mixed protocol requirements. For example, you might require encryption for SMB but have NFS workloads where the performance overhead isn’t acceptable. Now you can configure each protocol based on your actual security and performance requirements. Treat "optional" as "unencrypted" when you threat-model the share: anything left optional should only be reachable over private networking (private endpoint, VNet, VPN or ExpressRoute), and the setting is worth a periodic check so a share does not quietly stay optional after the workload that needed it has gone.

Azure Storage Mover in Gov Cloud

Azure Storage Mover is now available in Azure Government. It handles large-scale migrations of file share content into Azure Files. If you’re in a government environment and need to move on-premises file shares to Azure, this is now an option.

Azure File Sync new regions

Azure File Sync is now available in Belgium Central, Malaysia West, and Indonesia Central. File Sync keeps Windows file servers in sync with each other through a cloud endpoint (Azure file share). The new regions help with data residency and regulatory requirements in those geographies.

Smart Tiering for Blob & Data Lake (GA)

Smart Tiering has gone GA for both blob storage and Data Lake Storage (hierarchical namespace enabled). It automatically moves data between hot, cool, and cold tiers based on access patterns, following the minimum retention periods for each tier.

Smart Tiering Flow:
Hot ──(30 days no access)──→ Cool
Cool ──(90 days no access)──→ Cold
Cold ──(accessed)──→ Hot (restart cycle)
✗ Will NOT move to Archive (offline tier)
✓ Works with both Blob and Data Lake (HNS)

The key detail: Smart Tiering respects the early deletion penalties by waiting the minimum required time in each tier before moving data down. If data is accessed, it moves back to hot and the cycle restarts. It won’t move anything to archive since archive is an offline tier requiring rehydration.

If you’ve been manually managing lifecycle policies to shuffle data between tiers, Smart Tiering does this automatically based on real usage. Less policy maintenance, lower storage costs.
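The cycle is easier to reason about as a small state machine. The code below is an added example for this write-up, not Microsoft's implementation: it models the flow exactly as described above (hot to cool after 30 days without access, cool to cold after another 90 without access, any access back to hot, never archive) for one blob and reports how many days it spent in each tier, which is what you need for a cost comparison against a hand-written lifecycle policy. The thresholds are the figures quoted above; counting "days without access" from the day the blob entered its current tier is an assumption of the model.

```python
"""Model of the Smart Tiering flow described above for one blob. Added example,
not Microsoft's implementation: thresholds are the figures quoted in the text,
and counting from the day the blob entered its current tier is an assumption."""

HOT, COOL, COLD = "hot", "cool", "cold"
NO_ACCESS_DAYS = {HOT: 30, COOL: 90}   # wait this long before tiering down
NEXT_TIER = {HOT: COOL, COOL: COLD}    # cold is the floor: never archive


def simulate(access_days, horizon_days):
    """Return [(day, tier), ...] transitions for a blob written on day 0."""
    accesses = set(access_days)
    tier, clock_start = HOT, 0
    events = [(0, HOT)]
    for day in range(1, horizon_days + 1):
        if day in accesses:
            if tier != HOT:
                events.append((day, HOT))
            tier, clock_start = HOT, day   # any access restarts the cycle
        elif tier in NEXT_TIER and day - clock_start >= NO_ACCESS_DAYS[tier]:
            tier, clock_start = NEXT_TIER[tier], day
            events.append((day, tier))
    return events


def days_per_tier(events, horizon_days):
    """Days spent in each tier up to the horizon (multiply by tier prices)."""
    totals = {HOT: 0, COOL: 0, COLD: 0}
    boundaries = events[1:] + [(horizon_days, None)]
    for (day, tier), (next_day, _) in zip(events, boundaries):
        totals[tier] += next_day - day
    return totals


if __name__ == "__main__":
    # Constructed access patterns: untouched, one read in cool, reads in hot and cold.
    for pattern in ([], [45], [10, 200]):
        ev = simulate(pattern, 365)
        print(pattern, ev, days_per_tier(ev, 365))
```

The second pattern is the one that catches people out: a single read on day 45 pulls the blob back to hot and the 30-day clock starts over, so the blob reaches cold on day 165 rather than day 120. If a workload touches "cold" data regularly, Smart Tiering will keep it warm and you pay hot rates for it; that is the behaviour you want, but it is worth checking against the access patterns you expect before you drop a lifecycle policy that pinned data to a tier.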

Minimum billable object size for cooler tiers

Starting July 1, 2026 for new storage accounts and July 1, 2027 for existing accounts, objects smaller than 128 KiB in the cool, cold, and archive tiers will be billed as if they were 128 KiB.

Minimum billable size:
Hot ──→ No minimum
Cool ──→ 128 KiB (effective July 2026/2027)
Cold ──→ 128 KiB (effective July 2026/2027)
Archive ──→ 128 KiB (effective July 2026/2027)

This is a billing change, not a technical limitation. If you have lots of small files in cooler tiers, your costs will go up. Review your storage accounts now (a blob inventory report gives you object sizes and access tiers per account) and consider whether those small objects should stay in the hot tier instead, or be bundled into larger objects before tiering.
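To put a number on the change, the script below is an added example for this write-up (not Azure tooling) that reads a blob inventory CSV, totals actual versus billable bytes per tier under the 128 KiB minimum, and lists cooler-tier objects small enough that hot would be cheaper on capacity cost alone. The inventory rows and the per-GB-month prices are constructed placeholders; the column names follow the Name, Content-Length and AccessTier fields of a blob inventory report, and the break-even ignores transaction and retrieval charges.

```python
"""Estimate the effect of the 128 KiB minimum billable size on cool/cold/archive
objects from a blob inventory CSV. Added example for this write-up, not Azure
tooling. Inventory rows and prices below are constructed placeholders."""
import csv
import io

KIB = 1024
MIN_BILLABLE = 128 * KIB
COOLER_TIERS = {"Cool", "Cold", "Archive"}

# Constructed sample inventory (Content-Length in bytes).
SAMPLE_INVENTORY = """Name,Content-Length,AccessTier
logs/2025/01/a.json,2048,Cool
logs/2025/01/b.json,131072,Cool
images/big.bin,10485760,Hot
images/thumb.png,4096,Hot
backup/old.tar,524288,Archive
backup/tiny.txt,10,Archive
data/part-0001.parquet,65536,Cold
"""

# Placeholder per-GB-month capacity prices; substitute your region's rates.
PLACEHOLDER_PRICES = {"Hot": 0.02, "Cool": 0.01, "Cold": 0.0045, "Archive": 0.002}


def billable_size(size, tier):
    """Bytes billed for one object once the minimum applies."""
    return max(size, MIN_BILLABLE) if tier in COOLER_TIERS else size


def audit_inventory(csv_text):
    """Per-tier totals: object count, objects padded up, actual vs billable bytes."""
    per_tier = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        size, tier = int(row["Content-Length"]), row["AccessTier"]
        stats = per_tier.setdefault(
            tier, {"objects": 0, "padded": 0, "actual": 0, "billable": 0})
        billed = billable_size(size, tier)
        stats["objects"] += 1
        stats["actual"] += size
        stats["billable"] += billed
        if billed > size:
            stats["padded"] += 1
    return per_tier


def breakeven_size(price_hot, price_cooler):
    """Size below which hot is cheaper on capacity alone: the padded cooler
    charge is MIN_BILLABLE * price_cooler, the hot charge is size * price_hot."""
    return int(MIN_BILLABLE * price_cooler / price_hot)


def stay_hot_candidates(csv_text, prices=PLACEHOLDER_PRICES):
    """Names of cooler-tier objects small enough that hot costs less per month."""
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tier = row["AccessTier"]
        if tier not in COOLER_TIERS:
            continue
        if int(row["Content-Length"]) < breakeven_size(prices["Hot"], prices[tier]):
            names.append(row["Name"])
    return names


if __name__ == "__main__":
    for tier, stats in audit_inventory(SAMPLE_INVENTORY).items():
        extra = stats["billable"] - stats["actual"]
        print(f"{tier}: {stats['objects']} objects, {stats['padded']} padded, "
              f"+{extra / KIB:.0f} KiB billable")
    print("consider keeping hot:", stay_hot_candidates(SAMPLE_INVENTORY))
```

On the constructed sample, Cool bills 256 KiB for 130 KiB of data, and the two objects under the break-even for their tier (a 2 KiB JSON in Cool and a 10-byte text file in Archive) are cheaper to keep hot. On a real account the interesting output is the padded count per tier, which tells you whether the answer is "move a few objects" or "stop writing millions of tiny blobs to cold storage".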

Cross-tenant CMK for Premium SSDv2 and Ultra Disk

Premium SSD v2 and Ultra Disk now support encryption with a customer-managed key (CMK) stored in a key vault under a different tenant. The key referenced by your disk encryption set can live in a subscription belonging to a different Entra ID tenant than the disks themselves.

Tenant A (ISV/SaaS provider):
└── Premium SSDv2 / Ultra Disk
    └── Disk Encryption Set ──→ references key in Tenant B
Tenant B (Customer):
└── Key Vault
    └── CMK (customer owns & controls)

This is particularly useful in SaaS and ISV scenarios where the customer wants to maintain ownership and control of the encryption keys while the provider manages the infrastructure: the customer can revoke or rotate the key in their own vault without any action from the provider. Cross-tenant CMK was already available for other disk types; this extends it to the premium tiers.

Event Grid Stripe event ingestion

Event Grid can now ingest events directly from Stripe. Stripe generates events for payments, disputes, refunds, subscription changes, and many other actions. Rather than building polling mechanisms to check for these events, Event Grid receives them and triggers your downstream processing.

Stripe ──→ Event Grid ──→ Azure Functions
                     ──→ Logic Apps
                     ──→ Event Hubs
                     ──→ Service Bus
                     ──→ Webhooks

Event Grid’s push model eliminates the need for your services to constantly poll Stripe’s API. You define what events you care about, and Event Grid routes them to whatever processing technology you’re using. If you’re building payment workflows on Azure with Stripe, this simplifies the integration significantly.

Azure Managed Grafana Basic SKU retirement

The Azure Managed Grafana Basic SKU is being retired at the end of March 2027. You need to migrate to the Standard SKU, which offers better reliability and a richer feature set. If you don’t migrate by the retirement date, your Basic instances will be deleted.

MAI-Image-2-Efficient

Microsoft released MAI-Image-2-Efficient, a lighter version of the recently released MAI-Image-2 text-to-image model. It’s 4x more efficient and 41% lower priced than the full model. If you’re doing high-volume image generation and don’t need the maximum quality, this gives you a cost-effective option.

Final thoughts

Storage-heavy week. Smart Tiering going GA is the kind of set-and-forget feature that will save money for most organizations without any ongoing management. The minimum billable object size change is worth auditing now, especially if you have lots of small files in cooler tiers; you have until July 2026 or July 2027 depending on account age.

The identity improvements keep compounding: SFTP with Entra ID and Bastion with managed identity both remove static credentials from patterns that previously required them. If you’re still using SAS tokens or local accounts where managed identity or Entra ID is now supported, it’s time to migrate.

Event Grid picking up Stripe as a source is a nice addition for anyone building commerce on Azure. Push beats poll every time.


Sources

  1. John Savill, “Azure Update - 16th April 2026,” YouTube, https://www.youtube.com/watch?v=WjvN_XjMr6U