The last two weeks in Azure

I’m catching up on two weeks at once here, so this post bundles the 15th and 22nd of May. CW20 was a shorter week with a few standouts: Azure Container Apps Express for near-instant container hosting, Grafana dashboards inside the Azure portal, and a multi-agent vulnerability-scanning harness called MDASH. CW21 was the opposite — a firehose of networking, storage, database, and AI updates, headlined by Azure Files Entra-only identity, a much bigger Foundry Model Router (now including Claude Opus 4.7), and Azure Linux 4.0.

Jump to whichever week and update you care about.


CW20 — 15 May 2026

Azure Container Apps Express (preview)

Azure Container Apps already lets you host containerized apps and microservices without managing Kubernetes directly — it handles Dapr, KEDA scaling, and the rest of the plumbing for you. But there was still provisioning time and a handful of infrastructure choices to make up front. Container Apps Express removes those decisions for the simplest case.

Container Apps (standard):
Configure environment, scaling, networking → Provision → Run
Container Apps Express:
Bring container image → Done
├── Provisions in seconds
├── Sub-second cold starts
├── Scale to zero
└── Per-second billing

You bring an image and you’re running — provisioning in seconds, sub-second cold starts, scale-to-zero, and per-second billing. The motivating use case is agents: spin up an agent or MCP server on demand, fast, pay only for the seconds it runs. It also fits SaaS apps and anything where you want the Container Apps experience without the setup overhead.

Azure Virtual Network Manager rule impact analyzer (GA)

Changing network security rules is one of the scariest operations in a production environment — it’s exactly where outages come from. AVNM now lets you simulate changes to your security admin rules (the centralized rules that apply before any VNet- or NIC-level NSG) and see precisely how your existing traffic would be affected before you push them live.

If the simulation shows you’d break something, you fix the rules first. The analysis is only as good as the traffic it is run against, so make sure the sample window covers the periodic jobs and failover paths that never show up on a quiet day. This is the kind of feature that pays for itself the first time it stops a bad change. (Note CW21 ships a closely related analyzer in Network Watcher — see below — covering the NSG side of the same funnel.)

Azure Files SMB managed identity support (GA)

Azure Files SMB shares have had Entra authentication for a while; now they also work with managed identities. The win is the usual managed-identity win: no secret or key to store and rotate.

  • System-assigned: one-to-one with a single Azure resource.
  • User-assigned: one identity shared across multiple resources that need the same access.

So your pipelines, container workloads, or a process running in a VM can mount and access an Azure file share purely via their managed identity — more secure (only those resources can use it) and simpler (nothing to store) at the same time.

Azure NetApp Files large file support up to 64 TiB (GA)

Regular ANF volumes now support files up to 64 TiB, across all service levels. This matters for workloads that pack data into a small number of enormous files — hosting virtual hard disks for Azure VMware Solution is the obvious example.

Azure Service Bus Premium: four-nines SLA

Service Bus Premium namespaces now get a 99.99% SLA, provided they’re deployed in a region with availability zones. If you’ve been running messaging on Premium for the throughput and isolation, you now get the SLA to match — for free, as long as you’re zone-deployed.

Azure Service Bus Premium confidential compute: new regions (GA)

Confidential compute keeps data encrypted in use: memory stays encrypted while the CPU works on it, and plaintext exists only inside the processor’s protected boundary, so the host OS, hypervisor and platform operator cannot read it. Service Bus Premium confidential namespaces are now available in Korea Central and UAE North on top of the existing regions.

Encryption coverage with confidential compute:
At rest → storage encryption
In transit → TLS on the wire
In use → memory encrypted while the CPU processes it ← this

That closes the last gap: hardware-backed encryption from storage through the network all the way into the processor. The “attested” part is what makes it worth something: the confidentiality claim is only as strong as the attestation that ties key release to a verified, measured enclave rather than to whatever the platform says it is running.

Azure Monitor dashboards with Grafana

You can now embed Grafana dashboards directly in the Azure portal. The point isn’t just nicer visualizations — it’s that Grafana pulls from sources Azure Monitor doesn’t natively cover: Prometheus (think container metrics), Azure Data Explorer, Azure Resource Graph, and more. So you get your usual Azure Monitor telemetry plus everything Grafana can reach, in one place.

Codename MDASH (preview)

This one’s interesting. Mythos, the frontier model for finding vulnerabilities in code, is locked down to roughly 40 organizations (OS makers, network infrastructure, cloud providers, browser teams) to keep it out of malicious hands. MDASH is a multi-model agentic scanning harness built on the same idea (the “D” comes from the D in model; the naming clearly got desperate).

It runs ~100 specialized AI agents that discover, debate, and prove exploitable bugs end-to-end, and it reportedly outperforms the single-model Mythos. Unlike Mythos, you can actually sign up for the private preview. If you do any kind of security research or code auditing, this is worth a look, with the usual caveat for automated finders: treat each output as a lead with an attached proof-of-concept that you reproduce yourself, not as a verified finding.

Grok 4.3 in Foundry

xAI’s latest flagship, Grok 4.3, is available in Foundry as a global standard deployment. It’s tuned for agentic, productivity-focused workflows: strong tool calling, good instruction following, lower hallucination rates, and a 200K-token context window. Being in Foundry means it inherits the governance, private networking, identity, agent hosting, and evaluation tooling that make a model usable in an enterprise rather than just a demo.


CW21 — 22 May 2026

A genuinely huge week. Grouping by area.

Compute

AKS Application Insights auto-instrumentation (GA)

AKS can now auto-instrument workloads for Application Insights with no code changes — if you’re running Java or Node.js, it just lights up. It works in conjunction with the Azure Monitor OpenTelemetry distro, so traces, dependencies, and the telemetry you’d need to debug a problem flow into App Insights automatically.

App Configuration scorecards (preview)

Azure App Configuration centralizes settings and feature flags for distributed apps. Scorecards add a feedback loop on top: they show how the different variations behind your feature flags are actually performing in production, based on App Insights telemetry. So instead of guessing whether a flagged feature is helping, you can see how it influences behavior and make the next decision on data.

Networking

Functions Flex Consumption: per-app TLS certificates (preview)

Previously a single TLS certificate was shared across every app in the same web space (the logical container scoped to region + OS + resource group). Flex Consumption now scopes certificates to the individual function app — up to three certs per app. During preview, configure them through the portal. The result is far more flexibility in how each app presents its TLS identity.

TLS 1.0 and 1.1 App Service retirement

TLS 1.0 and 1.1 are being retired in May 2027, so you have a year. Both were formally deprecated by RFC 8996 in 2021: they have no AEAD cipher suites, lean on MD5 and SHA-1 in the handshake PRF and record MACs, and have accumulated the downgrade and padding-oracle attacks that TLS 1.2 and 1.3 close. Once they are gone, any client still pinned to them cannot negotiate a common version with the service and the handshake simply fails.

Affected: App Service, Functions, Logic Apps
+ any client app that talks to them
Action: move to TLS 1.2 or later before May 2027

Audit your apps and the clients calling them. If a client can only speak TLS 1.0/1.1, it simply won’t connect after the cutoff.
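The audit has two halves. Server-side, raise each app’s minimum TLS version to 1.2 now (App Service exposes this as the minimum TLS version setting, in the portal or via `az webapp config set --min-tls-version 1.2`) so the 2027 cutoff becomes a controlled failure you can watch today. The client side is the harder half, and the following added example, written for this post and not Microsoft tooling, shows the classification logic: parse a TLS ClientHello and report the highest version the client offers, so that a capture taken in front of the app tells you which clients will fail. The two sample hellos are constructed in the code, not captured from real clients.

```python
"""Classify TLS ClientHello records by the highest protocol version the client
offers, to find clients that will break when TLS 1.0/1.1 are retired.

Added example for this post; not App Service or Azure tooling. The ClientHello
bytes below are constructed, not captured.
"""
import struct
from typing import List, Optional

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension


def highest_offered_version(record: bytes) -> int:
    """Return the highest TLS version a ClientHello offers, as a 16-bit code.

    TLS 1.3 clients list their versions in the supported_versions extension and
    leave legacy client_version at 0x0303; older clients carry their maximum in
    client_version alone.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]

    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                       # client_version + random
    pos += 1 + hello[pos]                               # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                               # compression_methods

    if pos + 2 > len(hello):                            # no extensions: legacy client
        return client_version

    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + length]
        pos += length
        if ext_type == SUPPORTED_VERSIONS_EXT and data:
            versions = [struct.unpack("!H", data[i:i + 2])[0]
                        for i in range(1, 1 + data[0], 2)]
            real = [v for v in versions if (v & 0x0F0F) != 0x0A0A]  # drop GREASE
            return max(real) if real else client_version
    return client_version


def will_break_after_cutoff(record: bytes) -> bool:
    """True if the client cannot negotiate TLS 1.2 or later."""
    return highest_offered_version(record) < 0x0303


def build_client_hello(client_version: int, supported: Optional[List[int]]) -> bytes:
    """Construct a minimal ClientHello record (sample data for this example)."""
    hello = struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"  # empty session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"                          # one cipher suite
    hello += b"\x01\x00"                                                  # null compression
    if supported is not None:
        data = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a legacy agent with no extensions, and a modern browser
# that advertises TLS 1.3 with a GREASE value mixed in.
SAMPLES = {
    "legacy-agent": build_client_hello(0x0301, None),
    "modern-browser": build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        v = highest_offered_version(rec)
        print(f"{name}: max {TLS_VERSIONS.get(v, hex(v))}, breaks={will_break_after_cutoff(rec)}")
```

Feed it the first record of each new connection from a capture taken at the edge and group by source; anything that reports TLS 1.0 or 1.1 is on your long-tail list. Checking supported_versions first matters because a TLS 1.3 client’s legacy client_version field says 1.2, so reading only that field undercounts what clients can do.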

Azure Front Door WebSocket (GA)

WebSocket support is GA on Front Door Standard and Premium, and it’s enabled by default — no extra configuration. A WebSocket is a long-lived, full-duplex channel upgraded from an ordinary HTTP request onto a single TCP connection, which is what you want for interactive real-time scenarios: streaming, gaming, live dashboards, chat.

NSG and UDR limit increases

Across-the-board limit bumps for virtual networks, aimed at large, complex hub-and-spoke topologies:

Network security groups per VNet → 2,000
Security rules per NSG → 2,000
Addresses or ports per rule → 6,000
Routes per route table → 1,000
Route tables per subscription → 600

If you’ve been bumping into these ceilings on a complex network, the headroom is now there.

Network Watcher rule impact analyzer

The NSG-side counterpart to the AVNM analyzer from CW20. Think of network filtering as a funnel: AVNM security admin rules apply first, then NSGs on the VNet or NIC. This analyzer lets you evaluate the impact on live traffic of an NSG change before you apply it — a real safeguard against breaking production.
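To make concrete what both analyzers do (the AVNM one from CW20 and this one), here is an added toy re-creation written for this post, not Azure’s implementation: it evaluates a sample of observed flows against the current and the proposed rule set with first-match-by-priority semantics and reports every flow whose verdict flips. Rules, flows and the default-deny fallback are constructed and simplified (no service tags, application security groups or Azure default rules); the point is the shape of the check, and why the observed-flow sample needs to cover more than a quiet day.

```python
"""What-if evaluation of a security rule change against observed flows.

Added example for this post: a toy version of what the AVNM and Network
Watcher rule impact analyzers do. Not Azure's implementation; it ignores
service tags, ASGs and Azure's built-in default rules. Rules and flow records
below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str   # "Inbound" or "Outbound"
    protocol: str    # "Tcp" or "Udp"
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    priority: int    # lower wins, as in NSG and security admin rules
    access: str      # "Allow" or "Deny"
    direction: str
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR or "*"
    dest: str        # CIDR or "*"
    dest_ports: str  # "443", "1000-2000" or "*"

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction
                and self.protocol in ("*", flow.protocol)
                and _in_prefix(flow.src, self.source)
                and _in_prefix(flow.dst, self.dest)
                and _in_ports(flow.dst_port, self.dest_ports))


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix, strict=False)


def _in_ports(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, flow: Flow) -> str:
    """First matching rule by priority decides; no match means Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow):
            return rule.access
    return "Deny"


def impact(current, proposed, flows):
    """Return the flows whose verdict changes, as (flow, before, after)."""
    changes = []
    for flow in flows:
        before, after = evaluate(current, flow), evaluate(proposed, flow)
        if before != after:
            changes.append((flow, before, after))
    return changes


# Constructed rule sets. The change tightens inbound HTTPS from "any source" to
# the corporate range and inserts an explicit RDP deny above the old allow.
CURRENT = [
    Rule(100, "Allow", "Inbound", "Tcp", "*", "10.1.0.0/24", "443"),
    Rule(200, "Allow", "Inbound", "Tcp", "10.0.0.0/8", "10.1.0.0/24", "3389"),
]
PROPOSED = [
    Rule(100, "Allow", "Inbound", "Tcp", "203.0.113.0/24", "10.1.0.0/24", "443"),
    Rule(150, "Deny", "Inbound", "Tcp", "*", "10.1.0.0/24", "3389"),
    Rule(200, "Allow", "Inbound", "Tcp", "10.0.0.0/8", "10.1.0.0/24", "3389"),
]

# Constructed sample of observed flows, the shape you would pull from flow logs.
OBSERVED = [
    Flow("Inbound", "Tcp", "203.0.113.7", "10.1.0.4", 443),   # corp user: still allowed
    Flow("Inbound", "Tcp", "198.51.100.9", "10.1.0.4", 443),  # partner: would break
    Flow("Inbound", "Tcp", "10.20.0.5", "10.1.0.4", 3389),    # admin jump host: would break
    Flow("Inbound", "Tcp", "10.20.0.5", "10.1.0.4", 22),      # already denied: unchanged
]

if __name__ == "__main__":
    for flow, before, after in impact(CURRENT, PROPOSED, OBSERVED):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {before} -> {after}")
```

The RDP case is the instructive one: the proposed rule set still contains the allow at priority 200, but the new deny at 150 sits in front of it, which is exactly the kind of ordering mistake that reads fine in a diff and only shows up when you evaluate real flows through the whole chain.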

ExpressRoute / VPN gateway summarized prefixes

In a complex network with many VNets and peered address ranges, the Azure-side gateway advertises a lot of separate IP prefixes back to on-premises or another cloud. You can now summarize those into a covering prefix — collapse a pile of /24s into a single /16, for example.

Before: advertise 10.1.0.0/24, 10.1.1.0/24 … 10.1.255.0/24 (many prefixes)
After: advertise 10.1.0.0/16 (one covering prefix)

This solves a real problem: the system on the other end (or even the Azure side) may not support the number of prefixes you’d otherwise advertise.
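Summarizing is a routing change with a security edge: the covering prefix attracts traffic for every address inside it, including ranges you never allocated in Azure, so a summary that overlaps an on-premises or partner range quietly pulls that traffic into the tunnel. The following added example (written for this post; not a gateway feature or API) computes the smallest covering prefix for a list of advertised routes with Python’s `ipaddress` module and rejects it if it overlaps a remote range or inflates the advertised space far beyond the routes it replaces. The address ranges are constructed sample data.

```python
"""Compute a covering prefix for a set of advertised routes and check that it
does not swallow ranges that live on the other side of the tunnel.

Added example for this post; not an ExpressRoute/VPN gateway feature. The
address ranges below are constructed sample data.
"""
from ipaddress import collapse_addresses, ip_network


def covering_prefix(prefixes):
    """Smallest single network that contains every prefix in the list."""
    nets = [ip_network(p) for p in prefixes]
    summary = nets[0]
    for net in nets[1:]:
        while not summary.supernet_of(net):
            summary = summary.supernet()   # widen one bit at a time
    return summary


def summarize(advertised, remote_ranges, max_inflation=4.0):
    """Return (summary, problems).

    The summary is flagged if it overlaps a remote range (traffic for that
    range would be drawn into Azure) or if it covers more than max_inflation
    times the address space of the routes it replaces.
    """
    summary = covering_prefix(advertised)
    problems = []
    for r in remote_ranges:
        remote = ip_network(r)
        if summary.overlaps(remote):
            problems.append(f"{summary} overlaps remote range {remote}")
    covered = sum(n.num_addresses
                  for n in collapse_addresses(ip_network(p) for p in advertised))
    if summary.num_addresses > max_inflation * covered:
        problems.append(f"{summary} is {summary.num_addresses / covered:.0f}x "
                        f"larger than the routes it replaces")
    return summary, problems


# Constructed: forty spoke VNets carved out of 10.1.0.0/16, with on-prem at
# 10.2.0.0/16 and a partner at 192.168.0.0/16 on the far side of the tunnel.
SPOKES = [f"10.1.{i}.0/24" for i in range(40)]
REMOTE = ["10.2.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    summary, problems = summarize(SPOKES, REMOTE)
    print(summary, problems or "ok")
    # A sloppy allocation that straddles the on-prem block gets caught.
    summary, problems = summarize(["10.1.0.0/24", "10.2.5.0/24"], REMOTE)
    print(summary, problems)
```

The forty /24s collapse to 10.1.0.0/18, which is clean. Add a single spoke that was allocated out of the on-premises block and the only covering prefix is 10.0.0.0/14, which overlaps 10.2.0.0/16 and is hundreds of times larger than the routes it replaces; that is the case to fix in the address plan before touching the gateway.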

Site-to-site VPN certificate authentication

You can now use certificate-based authentication for site-to-site VPN instead of the traditional pre-shared key. A PSK is one static secret both ends must hold, is only as strong as the entropy someone typed into it, and tends to end up in tickets, scripts and runbooks; with certificates each gateway proves possession of its own private key, which never has to be shared, and you get expiry and revocation as lifecycle controls. That raises the security bar on the tunnel, provided the issuing CA and the gateway keys are protected accordingly.

User-group-specific IP pools for point-to-site VPN

For P2S VPN, you can now assign distinct IP pools based on attributes of the authenticating user, such as RADIUS attributes or Entra group membership. Different users land in different IP ranges, which gives NSGs and firewalls a stable address range to key on, so you get per-group segmentation downstream without writing per-user rules.

Storage

Azure Blob Storage SDK for Rust (GA)

A native Rust SDK for Blob, GA now. Rust’s memory safety makes it increasingly popular, and a native SDK beats hand-rolling REST calls: it supports Entra integrated auth, automatic retries, and OpenTelemetry tracing out of the box. It joins the existing Rust SDKs for Azure Identity and Key Vault, so you can now build a fully integrated Rust app against Azure storage.

Azure Storage Actions mock runs (GA)

Storage Actions are the successor to per-account lifecycle management — define conditions and actions centrally, then assign them to storage accounts across Blob and Data Lake (hierarchical namespace). That centralization makes them scalable, but it also makes mistakes scalable. Mock runs are the safety valve: they show you exactly which objects would be affected, without touching anything.

It’s a what-if for storage operations. Run the mock, inspect the blast radius, adjust, then execute for real.

ANF cache volumes (GA)

Cloud caches in Azure NetApp Files. They capture the hot, most-frequently-accessed data from an on-premises NetApp ONTAP or a Cloud Volumes ONTAP system in another cloud (AWS, GCP), so an app running in Azure gets a local low-latency copy.

App in Azure ──→ ANF cache volume (hot data)
                        │ miss
                        ▼
                On-prem / other-cloud ONTAP

Two benefits: much lower latency after the first read, and lower cost because you’re not constantly pulling commonly-used data across an external network connection.

ANF S3-compatible object REST API (GA)

ANF now exposes an S3-compatible object REST API. Tons of systems speak S3 today, including Microsoft Fabric, whose shortcuts can target S3-compatible endpoints. So you can now integrate ANF data with Fabric via shortcuts with no duplication, no pipeline, no data movement, and the same goes for any other S3-speaking analytics, AI, or BI system.

Azure Storage Mover: blob-to-blob (GA)

Storage Mover now supports blob-to-blob transfers — moving data between containers across accounts, subscriptions, or regions. It works for both flat namespace and hierarchical namespace (Data Lake), and it’s only a couple of steps to configure.

Azure Storage Mover: scheduling (GA)

Storage Mover migrations can now run on a schedule: one-time (no schedule), or a daily/weekly/monthly recurrence. That turns it from a migration tool into a “keep these in sync over time” tool.

Azure Files Entra-only identity support (GA)

This is one of the bigger storage updates. Azure Files SMB shares are built on Kerberos, so historically using Entra authentication still required an old-style AD account somewhere — synced from Active Directory, i.e. a hybrid identity. Now you can use Kerberos authentication with a cloud-only Entra identity. No AD, no sync.

Before: Entra auth on Azure Files → still needed a synced AD account (hybrid)
After: Kerberos auth → cloud-only Entra identity (no AD at all)

And with that in place, access control stays two-layered: Azure RBAC data-plane roles grant the identity access to the share, and the Windows (NTFS-style) ACLs on files and directories are then enforced for that cloud-only identity, so the permissions you set at the file or folder level are respected.

Database

Event Grid subscription identifiers (preview)

When you subscribe to events over MQTT, the delivery can now carry an identifier for the specific filter that triggered it. If you’re a client subscribed to many topics, that lets you route processing by identifier — “this one’s a log, send it to storage; that one’s telemetry, write it to a dashboard” — without inspecting payloads to figure out where each message should go.

Event Grid MQTT updates (GA)

A batch of MQTT capabilities went GA, some of which work with the subscription identifier above:

  • Retain support — a new subscriber immediately gets the last known good state instead of waiting for the next message.
  • Shared subscriptions — distribute traffic across a group of clients for better scale.
  • Publish MQTT messages over standard HTTP requests.

Cosmos DB LangChain and LangGraph integration (GA)

A new Python package that makes it easy to use Cosmos DB for vector and hybrid search through LangChain and LangGraph — directly useful for RAG and agentic AI workloads built on those frameworks.

SQL Server on Azure VM: new regions (GA)

SQL Server on Azure VMs — managed via the SQL agent extension and Arc-enabled machines — is now available in Malaysia West and Indonesia Central. Relevant if you have specific data-residency requirements in those regions.

Azure PostgreSQL Flexible Server: token refresh

When using Entra integrated authentication against PostgreSQL Flexible Server from Python, .NET, or JavaScript, the Entra token now refreshes automatically. One less piece of auth plumbing to manage yourself.

AI and miscellaneous

Foundry role renames

A set of role renames in Microsoft Foundry, reflecting the rename from Azure AI Foundry. The old “Azure AI…” names become Foundry Account Owner, Foundry Owner, Foundry User, Foundry Project Manager, and so on. Account owners and owners can now also assign roles — to themselves and others — including Foundry User, Log Analytics Reader, and a couple of container-registry roles.

New Foundry Model Router models

The hardest problem in applied AI right now is that there is no single best model — there’s a best model for a given task on a given day. The Model Router solves that with a single endpoint: it evaluates each prompt’s complexity and routes to the most appropriate model to optimize performance, response quality, and spend.

Newly added to the router:
GPT-5.4 · GPT-5.4 mini · GPT-5.4 nano
GPT-5.3 chat · GPT-5.5
Claude Opus 4.7
Grok 4.1 fast reasoning
→ up to 28 selectable models

There’s also a separate new open-source auto-evaluation repository for checking how well the router itself is performing — distinct from the existing Foundry evaluations that keep your overall AI app from regressing.

Azure Linux 4.0 (preview)

Azure Linux has been around for a while (originally CBL-Mariner), focused on being a lightweight, hardened OS for containers. Version 4.0 introduces a split:

  • Azure Linux 4 (preview) — now a general-purpose OS for Azure VMs (and usable as a WSL distro). Derived from Fedora, open-source, Microsoft-maintained, free, with a kernel optimized for Azure infrastructure but still heavily hardened.
  • Azure Container Linux (GA) — based on the immutable Flatcar project, specifically for container hosts.

So the “lightweight container OS” mission moves to Azure Container Linux, and Azure Linux becomes a more general-purpose option you can run as your VM OS.


Final thoughts

Across the two weeks, the updates most likely to change something concrete:

Azure Files Entra-only identity (CW21). Dropping the AD-account requirement for Azure Files is a genuine simplification for cloud-only shops. If you’ve been maintaining a synced AD identity purely to satisfy SMB Kerberos, you can retire that dependency. Pair it with the new managed-identity support from CW20 and the access story for Azure Files gets meaningfully cleaner.

Container Apps Express (CW20). The agent-hosting angle is the real story. Sub-second cold starts plus scale-to-zero plus per-second billing is the right shape for spinning agents and MCP servers up on demand. Worth prototyping against if you’re building anything agentic.

Foundry Model Router expansion (CW21). Adding Claude Opus 4.7, GPT-5.5, and the rest takes the router to 28 models, and the new open-source eval repo means you can actually verify it’s routing well rather than trusting it blindly. If you’ve been hand-writing routing logic in your app, this is the moment to delete it.

The two rule impact analyzers. AVNM (CW20) for security admin rules and Network Watcher (CW21) for NSGs together cover the whole filtering funnel. “Simulate before you apply” should become the default habit for any network rule change.

And don’t sleep on the TLS 1.0/1.1 retirement — May 2027 sounds far off, but the work is in finding the long-tail clients that can’t negotiate TLS 1.2. Start the audit now.


Sources

  1. John Savill, “Azure Update - 15th May 2026,” YouTube, https://www.youtube.com/watch?v=yoVH_44xb_E
  2. John Savill, “Azure Update - 22nd May 2026,” YouTube, https://www.youtube.com/watch?v=pMfG-vYvnv8