The last two weeks in Azure

I’m catching up on two weeks at once, so this post bundles the 15th and 22nd of May. CW20 was a shorter week with a few things I want to call out: Container Apps Express, Grafana dashboards in the Azure portal, and a multi-agent vulnerability-scanning harness called MDASH. CW21 was the opposite, a huge week of networking, storage, database, and AI updates. The headlines for me are Azure Files Entra-only identity, a much bigger Foundry Model Router (Claude Opus 4.7 now included), and Azure Linux 4.0.

Jump to whichever week you care about.


CW20, 15 May 2026

Azure Container Apps Express (preview)

Azure Container Apps already lets you host containerized apps and microservices without dealing with Kubernetes directly. It takes care of Dapr, KEDA scaling, and the rest of the plumbing. But there was still provisioning time and a handful of infrastructure choices to make up front. Container Apps Express drops those decisions for the simplest case.

You bring an image, and it runs. Provisioning happens in seconds, cold starts are sub-second, you get scale-to-zero, and you pay per second. The use case Microsoft keeps pointing to is agents. Spin up an agent or MCP server on demand, fast, pay only for the seconds it’s actually running. SaaS apps fit the same shape if you want Container Apps without the setup overhead.

Azure Virtual Network Manager rule impact analyzer (GA)

Changing network security rules is one of the scariest things you can do in production. Outages live there. AVNM now lets you simulate changes to your security admin rules (the centralised rules that apply before any VNet- or NIC-level NSG) and see exactly what would happen to your existing traffic before you push them.

If the simulation says you’d break something, you fix the rules first. This is the kind of feature that pays for itself the first time it stops a bad change. CW21 ships a similar analyzer in Network Watcher (see below) covering the NSG side of the same funnel.

Azure Files SMB managed identity support (GA)

Azure Files SMB shares have had Entra authentication for a while. Now they also work with managed identities. The benefit is the usual one: no secret or key to store and rotate.

  • System-assigned: one-to-one with a single Azure resource.
  • User-assigned: one identity shared across multiple resources that need the same access.

So your pipelines, container workloads, or a process running in a VM can mount and access an Azure file share purely via their managed identity. More secure (only those resources can use it) and simpler (nothing to store) at the same time.

Azure NetApp Files large file support up to 64 TiB (GA)

Regular ANF volumes now support files up to 64 TiB across all service levels. This matters if you’re packing data into a small number of enormous files. Hosting virtual hard disks for Azure VMware Solution is the obvious one.

Azure Service Bus Premium: four-nines SLA

Service Bus Premium namespaces now get a 99.99% SLA, as long as they’re deployed in a region with availability zones. If you’ve been running messaging on Premium for the throughput and isolation, the SLA now matches. For free, as long as you’re zone-deployed.

Azure Service Bus Premium confidential compute: new regions (GA)

Confidential compute keeps data encrypted in use. The CPU and memory stay encrypted even during computation. Service Bus Premium confidential namespaces are now also available in Korea Central and UAE North.

With this, you can have hardware-backed, attested encryption all the way from storage, through the network, into the processor.

Azure Monitor dashboards with Grafana

You can now embed Grafana dashboards directly in the Azure portal. The point isn’t just nicer visualisations. Grafana pulls from sources Azure Monitor doesn’t natively cover: Prometheus (container metrics), Azure Data Explorer, Azure Resource Graph, and more. So you get your usual Azure Monitor telemetry plus everything Grafana can reach, in one place.

Codename MDASH (preview)

This one’s interesting. Project Mythos, Microsoft’s advanced model for finding vulnerabilities in code, is locked down to roughly 40 vendors (OS makers, network infrastructure, cloud providers, browser teams) to keep it out of malicious hands. MDASH is a multi-model agentic scanning harness built on top of that idea. The “D” comes from the D in model, the naming clearly got desperate.

It runs around 100 specialised AI agents that discover, debate, and prove exploitable bugs end-to-end. It reportedly outperforms the single-model Mythos. Unlike Mythos, you can actually sign up for the private preview. If you do any kind of security research or code auditing, take a look.

Grok 4.3 in Foundry

xAI’s latest flagship, Grok 4.3, is available in Foundry as a global standard deployment. It’s tuned for agentic, productivity-focused workflows: strong tool calling, good instruction following, lower hallucination rates, 200K-token context window. Being in Foundry means it inherits the governance, private networking, identity, agent hosting, and evaluation tooling that make a model usable in an enterprise rather than just a demo.


CW21, 22 May 2026

A huge week. Grouping by area.

Compute

AKS Application Insights auto-instrumentation (GA)

AKS can now auto-instrument workloads for Application Insights with no code changes. If you’re running Java or Node.js, it just lights up. It works with the Azure Monitor OpenTelemetry distro, so traces, dependencies and the telemetry you need for debugging flow into App Insights automatically.

App Configuration scorecards (preview)

Azure App Configuration centralises settings and feature flags for distributed apps. Scorecards add a feedback loop: they show how the different variations behind your feature flags are actually performing in production, based on App Insights telemetry. So instead of guessing whether a flagged feature is helping, you can see how it influences behaviour and make the next decision on data.

Networking

Functions Flex Consumption: per-app TLS certificates (preview)

Previously a single TLS certificate was shared across every app in the same web space (the logical container scoped to region + OS + resource group). Flex Consumption now scopes certificates to the individual function app, up to three certs per app. During preview, configure them through the portal. The result is much more flexibility in how each app presents its TLS identity.

TLS 1.0 and 1.1 App Service retirement

TLS 1.0 and 1.1 are being retired in May 2027. You have a year. These older versions negotiate weaker cipher suites, and once they’re gone, anything still pinned to them won’t be able to negotiate a common version.

This affects App Service, Functions, Logic Apps, and any client app that talks to them. Audit your apps and the clients calling them. If a client can only speak TLS 1.0/1.1, it won’t connect after the cutoff.

Azure Front Door WebSocket (GA)

WebSocket support is GA on Front Door Standard and Premium, enabled by default, no extra configuration. WebSockets give you a long-lived, full-duplex TCP connection. That’s what you want for interactive real-time scenarios: streaming, gaming, live dashboards, chat.

NSG and UDR limit increases

Across-the-board limit bumps for virtual networks, aimed at large hub-and-spoke topologies:

  • Network security groups per VNet: 2,000
  • Security rules per NSG: 2,000
  • Addresses or ports per rule: 6,000
  • Routes per route table: 1,000
  • Route tables per subscription: 600

If you’ve been bumping into these ceilings on a complex network, the headroom is now there.

Network Watcher rule impact analyzer

The NSG-side counterpart to the AVNM analyzer from CW20. Network filtering is basically a funnel: AVNM security admin rules apply first, then NSGs on the VNet or NIC. This analyzer lets you evaluate the impact on live traffic of an NSG change before you apply it. Same idea, different layer.

ExpressRoute / VPN gateway summarized prefixes

In a complex network with many VNets and peered address ranges, the Azure-side gateway advertises a lot of separate IP prefixes back to on-premises or another cloud. You can now summarise those into a covering prefix. Collapse a pile of /24s into a single /16, for example.

This solves a real problem. The system on the other end (or even the Azure side) may not support the number of prefixes you’d otherwise advertise.

Site-to-site VPN certificate authentication

You can now use certificate-based authentication for site-to-site VPN instead of the traditional pre-shared key. Certificates are more resistant to tampering and raise the security bar on the tunnel.

User-group-specific IP pools for point-to-site VPN

For P2S VPN, you can now assign distinct IP pools based on attributes of the authenticating user. RADIUS settings or Entra group membership, for example. Different users land in different IP ranges, which you can use for finer-grained segmentation downstream.

Storage

Azure Blob Storage SDK for Rust (GA)

A native Rust SDK for Blob, GA now. Rust’s memory safety makes it increasingly popular, and a native SDK beats hand-rolling REST calls. It supports Entra integrated auth, automatic retries, and OpenTelemetry tracing out of the box. It joins the existing Rust SDKs for Azure Identity and Key Vault, so you can build a fully integrated Rust app against Azure storage.

Azure Storage Actions mock runs (GA)

Storage Actions are the successor to per-account lifecycle management. You define conditions and actions centrally, then assign them to storage accounts across Blob and Data Lake (hierarchical namespace). That centralisation makes them scalable, but it also makes mistakes scalable. Mock runs are the safety valve. They show you exactly which objects would be affected, without touching anything.

It’s a what-if for storage operations. Run the mock, inspect the blast radius, adjust, then execute for real.

ANF cache volumes (GA)

Cloud caches in Azure NetApp Files. They capture the hot, most-frequently-accessed data from an on-premises NetApp ONTAP or a Cloud Volumes ONTAP system in another cloud (AWS, GCP), so an app running in Azure gets a local low-latency copy.

Two benefits: much lower latency after the first read, and lower cost because you’re not constantly pulling commonly-used data across an external network connection.

ANF S3-compatible object REST API (GA)

ANF now exposes an S3-compatible object REST API. Lots of systems speak S3 today, including Microsoft Fabric, whose shortcut technology likes to talk to S3 endpoints. So you can integrate ANF data with Fabric via shortcuts. No duplication, no pipeline, no data movement. Same goes for any other S3-speaking analytics, AI, or BI system.

Azure Storage Mover: blob-to-blob (GA)

Storage Mover now supports blob-to-blob transfers. Moving data between containers across accounts, subscriptions, or regions. Works for both flat namespace and hierarchical namespace (Data Lake), and it’s only a couple of steps to configure.

Azure Storage Mover: scheduling (GA)

Storage Mover migrations can now run on a schedule. One-time (no schedule) or a daily/weekly/monthly recurrence. That turns it from a migration tool into a “keep these in sync over time” tool.

Azure Files Entra-only identity support (GA)

This is one of the bigger storage updates. Azure Files SMB shares are built on Kerberos, so historically using Entra authentication still required an old-style AD account somewhere, synced from Active Directory (a hybrid identity). Now you can use Kerberos authentication with a cloud-only Entra identity. No AD, no sync.

And with that in place, you get the granular RBAC supported on SMB file shares based on the actual NTFS ACLs. The permissions you set at the file or folder level are respected.

Database

Event Grid subscription identifiers (preview)

When you subscribe to events over MQTT, the delivery can now carry an identifier for the specific filter that triggered it. If you’re a client subscribed to many topics, that lets you route processing by identifier (“this one’s a log, send it to storage; that one’s telemetry, write it to a dashboard”) without inspecting payloads to figure out where each message should go.

Event Grid MQTT updates (GA)

A batch of MQTT capabilities went GA, some of which work with the subscription identifier above:

  • Retain support: a new subscriber immediately gets the last known good state instead of waiting for the next message.
  • Shared subscriptions: distribute traffic across a group of clients for better scale.
  • Publish MQTT messages over standard HTTP requests.

Cosmos DB LangChain and LangGraph integration (GA)

A new Python package that makes it easy to use Cosmos DB for vector and hybrid search through LangChain and LangGraph. Directly useful for RAG and agentic AI workloads built on those frameworks.

SQL Server on Azure VM: new regions (GA)

SQL Server on Azure VMs (managed via the SQL agent extension and Arc-enabled machines) is now available in Malaysia West and Indonesia Central. Relevant if you have specific data-residency requirements in those regions.

Azure PostgreSQL Flexible Server: token refresh

When using Entra integrated authentication against PostgreSQL Flexible Server from Python, .NET, or JavaScript, the Entra token now refreshes automatically. One less piece of auth plumbing to manage yourself.

AI and miscellaneous

Foundry role renames

A set of role renames in Microsoft Foundry, reflecting the rename from Azure AI Foundry. The old “Azure AI…” names become Foundry Account Owner, Foundry Owner, Foundry User, Foundry Project Manager, and so on. Account owners and owners can now also assign roles to themselves and others, including Foundry User, Log Analytics Reader, and a couple of container-registry roles.

New Foundry Model Router models

The hardest problem in applied AI right now is that there is no single best model. There’s a best model for a given task on a given day. The Model Router solves that with a single endpoint. It evaluates each prompt’s complexity and routes to the most appropriate model to balance performance, response quality, and spend.

Newly added: GPT-5.4, GPT-5.4 mini, GPT-5.4 nano, GPT-5.3 chat, GPT-5.5, Claude Opus 4.7, Grok 4.1 fast reasoning. That brings it to up to 28 selectable models.

There’s also a new open-source auto-evaluation repository for checking how well the router itself is performing. Separate from the existing Foundry evaluations that keep your overall AI app from regressing.

Azure Linux 4.0 (preview)

Azure Linux has been around for a while (originally CBL-Mariner), focused on being a lightweight, hardened OS for containers. Version 4.0 introduces a split:

  • Azure Linux 4 (preview): now a general-purpose OS for Azure VMs (and usable as a WSL distro). Derived from Fedora, open-source, Microsoft-maintained, free, with a kernel optimised for Azure infrastructure but still heavily hardened.
  • Azure Container Linux (GA): based on the immutable Flatcar project, specifically for container hosts.

So the lightweight container OS mission moves to Azure Container Linux, and Azure Linux becomes a more general-purpose option you can run as your VM OS.


Final thoughts

Across the two weeks, a few things stand out.

Azure Files Entra-only identity is a real simplification for cloud-only shops. If you’ve been maintaining a synced AD identity purely to satisfy SMB Kerberos, you can retire that dependency. Pair it with the new managed-identity support from CW20 and the access story for Azure Files looks much cleaner.

Container Apps Express is the agent-hosting story. Sub-second cold starts plus scale-to-zero plus per-second billing is exactly what you want for spinning agents and MCP servers up on demand. If you’re building anything agentic, try it.

Foundry Model Router now covers 28 models including Claude Opus 4.7 and GPT-5.5. With the new open-source eval repo you can actually verify it’s routing well rather than trusting it blindly. If you’ve been hand-writing routing logic in your app, this is a good moment to throw that away.

The two rule impact analyzers (AVNM for security admin rules, Network Watcher for NSGs) together cover the whole filtering funnel. Simulate before you apply should be the default habit for any network rule change.

And don’t sleep on the TLS 1.0/1.1 retirement. May 2027 sounds far off, but the work is in finding the long-tail clients that can’t speak TLS 1.2. Start the audit now.


Sources

  1. John Savill, “Azure Update - 15th May 2026,” YouTube, https://www.youtube.com/watch?v=yoVH_44xb_E
  2. John Savill, “Azure Update - 22nd May 2026,” YouTube, https://www.youtube.com/watch?v=pMfG-vYvnv8