This week in Azure
A resilience-and-security week. John’s update runs long, and the through-line is testing that your platform survives failure and locking down who gets in. Chaos Studio gets a proper Workspaces model for scenario-driven resilience testing. Site Recovery pushes its churn ceiling to 500 MB/s. Both are still preview, but both change how you plan.
On the security side, two items are GA and worth acting on today: SFTP on Blob Storage now authenticates against Microsoft Entra ID, so you can retire local SFTP users, and Entra Backup and Recovery is generally available, so accidental or malicious directory changes are recoverable. The rest fills in observability, networking and end-user compute.
Compute and resilience
Azure Site Recovery: enhanced churn up to 500 MB/s per VM (preview)
Azure Site Recovery now protects workloads with much higher data-change rates. The old High Churn ceiling was 100 MB/s per VM. The new preview lifts that to 250 MB/s per disk and 500 MB/s per VM, which finally brings busy databases and analytics VMs inside the supported envelope for Azure-to-Azure DR.
The requirements are strict, so read them before you plan:
- Azure VM RAM of 256 GB or more. Below that, the limit stays at 100 MB/s. Site Recovery reserves up to 6.25% of RAM, capped at 16 GB.
- Source disks must be Premium SSD v1, Premium SSD v2 or Ultra. Per-disk churn scales with disk size and I/O size.
- Windows, or Linux on RHEL 9, SLES 15 or Ubuntu 24.04.
- Premium Block Blob storage for the cache account, which costs more than Standard.
It is available in selected regions only. France Central, Germany North, Norway East and UK South are in. Switzerland North is not on the preview list yet, so if you run DR out of a Swiss region this one doesn’t reach you today. Note the switch is not in-place: an already-protected VM stays at 100 MB/s until you disable and re-enable replication with High Churn. Nice to see the ceiling move, but treat it as preview and test the RTO before you lean on it.
RDP Multipath with redundant TCP: GA for Windows 365 and AVD
RDP Multipath adds redundant TCP transport, and it is now generally available for Windows 365 and Azure Virtual Desktop. The 2025 release did redundant UDP paths. This extends the same standby-path model to TCP, so a session can keep warm TCP Reverse Connect paths and switch to one if the active path degrades.
The point is the estimated 20 to 30 percent of enterprise networks where UDP is blocked or throttled. On those networks the UDP-only design gave you no redundancy. Now you get it. Rollout is phased, so it may not be lit on every host pool yet. If your users sit behind restrictive corporate networks, this is a straight reliability win once it reaches you.
Observability and resilience
Azure Chaos Studio: Workspaces and Scenarios (public preview)
The one to actually try this week. Azure Chaos Studio introduces Workspaces, a new top-level resource for resilience testing, in public preview since July 1st, 2026. GA is targeted for late 2026.
A Workspace connects to your environment through a scope, discovers your deployed resources, and recommends Scenarios that match. A Scenario is a preconfigured test that simulates a real outage pattern, composing actions into a sequence that mirrors how failures actually cascade. Built-in scenarios cover zone and networking outages, database failovers, cache stampedes and messaging disruptions. Where a template doesn’t fit, the Scenario designer lets you save your own. Execution is managed: Chaos Studio sequences the faults, runs safety validation, and pulls health checks from Azure Monitor and Application Insights. After a run you get a structured Scenario report you can hand to a retrospective or a compliance reviewer.
This is a real step up from wiring individual faults into an experiment by hand. Organise Workspaces however your teams are drawn: one per application, one per environment, one per compliance boundary. There is also a new Chaos Studio CLI, so you can drive scenarios from pipelines instead of the portal. If resilience testing has been on your backlog because the tooling was too low-level, that excuse is gone.
Log Analytics: export jobs for historical data
Log Analytics adds export jobs, a purpose-built way to export historical records from a single table by query and time range into Azure Blob Storage, written as Parquet. This is different from the existing continuous data-export rules, which stream new data as it arrives. Export jobs are on-demand and aimed at bulk historical pulls.
Supported table plans are Analytics and Basic. Auxiliary isn’t supported, and custom _CL tables only work when created through a data collection rule. The destination has to sit in the same region as the workspace, and it bills under the Log Analytics Data Export meter. If you have been paying for hot retention just to keep old data queryable, this gives you a clean path to move it out to cheap storage in an analytics-friendly format.
Storage
Azure Blob Storage SFTP: Microsoft Entra ID access GA
SFTP for Azure Blob Storage now authenticates against Microsoft Entra ID, generally available since June 23rd, 2026. You can drop local SFTP users entirely and use Entra identities, including guests through External Identities, to connect.
That means RBAC, MFA and Entra ACLs on your file transfers, and no more creating, rotating or decommissioning local SFTP credentials by hand. The flow is standard: authenticate with Entra ID, obtain an OpenSSH certificate, then connect with a compatible SFTP client or SDK. The GA also cleaned up ABAC on the Storage Blob Data Owner role, removing the timeout inconsistencies from preview and adding sub-operation support for finer-grained access.
Identity-based, audited, revocable. If you run SFTP into Blob today on local users, this is the week to plan the switch.
Networking and security
Azure Event Hubs: Network Security Perimeter and Confidential Computing
Two hardening items landed for Azure Event Hubs. Network Security Perimeter support lets you place an Event Hubs namespace inside a logical isolation boundary, restricting public access while allowing secure PaaS-to-PaaS traffic to services like Storage and Key Vault behind the same perimeter. It is the same NSP model rolling out across Azure PaaS, now covering Event Hubs.
Separately, Event Hubs Dedicated gains Confidential Computing, protecting streaming data while it is being processed in memory. That closes the data-in-use gap for regulated streaming workloads in finance, healthcare and government that already encrypt in transit and at rest. If you run a Dedicated cluster for sensitive streams, both are worth a look.
Azure WAF: exceptions (preview)
Azure Web Application Firewall on Application Gateway adds exceptions, in preview. An exception tells the WAF to skip inspection for requests that match attributes you define, and you can scope it to individual rules, rule groups or a whole rule set. Match operators are Starts with, Ends with and Contains.
It needs the next-generation WAF engine and CRS 3.2, DRS 2.1 or later. This is a more surgical alternative to broad exclusion lists: instead of switching off a rule for everyone, you carve out the specific trusted traffic that trips a false positive. Preview, so don’t lean on it in production yet, but if you fight WAF false positives it is the right shape.
Identity
Microsoft Entra Backup and Recovery: GA
Microsoft Entra Backup and Recovery is generally available. It takes a daily backup of supported directory objects and retains it for seven days, and it needs Entra ID P1 or P2 on a workforce tenant.
Backed-up objects include users, groups, applications, service principals, Conditional Access policies, named locations, and the authentication-method and authorization policies. Admins can view snapshots, generate difference reports to see exactly what changed, and run recovery jobs to restore objects to a prior state. The point is blunt: an accidental Conditional Access edit or a malicious change to a policy is now something you can roll back, natively, without a third-party tool or a scripted export you hope stayed current. If your directory has no recovery story, fix that this week.
Final thoughts
Two things to act on now, both GA.
SFTP with Entra ID: if you still run local SFTP users on Blob Storage, plan the migration. You get RBAC, MFA and audited, revocable access, and you delete a whole class of credential-management toil. Kill the local users.
Entra Backup and Recovery: turn it on. It’s daily, it’s native, and the first time someone fat-fingers a Conditional Access policy you’ll be glad the snapshot exists. Recovery you didn’t set up is recovery you don’t have.
The two previews are the ones to pilot, not deploy. Chaos Studio Workspaces is the more useful of the pair, worth an afternoon this week to point at a non-production app and run a zone-down scenario. Site Recovery’s 500 MB/s churn matters if you’ve been fighting the old limit, but it’s preview, region-limited, and doesn’t cover Switzerland North yet, so verify your region and RTO before you design around it.
Sources
- John Savill, “Azure Update - 10th July 2026,” YouTube, https://www.youtube.com/watch?v=6bIsgofHE_c
- “Azure Virtual Machines disaster recovery - High Churn support,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/site-recovery/concepts-azure-to-azure-high-churn-support
- “RDP Multipath with redundant TCP is now generally available for Windows 365 and Azure Virtual Desktop,” Windows IT Pro Blog, https://techcommunity.microsoft.com/blog/windows-itpro-blog/rdp-multipath-with-redundant-tcp-is-now-generally-available-for-windows-365-and-/4534610
- “What are Workspaces in Azure Chaos Studio?,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/chaos-studio/chaos-studio-workspaces-overview
- “Scenarios in Azure Chaos Studio,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/chaos-studio/chaos-studio-scenarios
- “Log Analytics workspace data export in Azure Monitor,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export
- “Enterprise Identity Meets Secure File Transfer: Entra ID on Azure Blob Storage SFTP,” Azure Storage Blog, https://techcommunity.microsoft.com/blog/azurestorageblog/enterprise-identity-meets-secure-file-transfer-entra-id-public-preview-on-azure-/4501937
- “Authorize SFTP access to blobs using Microsoft Entra ID,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-entra-id-based-access
- “Network Security Perimeter - Azure Event Hubs,” Microsoft Learn, https://learn.microsoft.com/en-us/azure/event-hubs/network-security-perimeter
- “Protect Your Streaming Data in Use: Confidential Computing for Azure Event Hubs Dedicated,” Microsoft Community Hub, https://techcommunity.microsoft.com/blog/messagingonazureblog/protect-your-streaming-data-in-use-confidential-computing-for-azure-event-hubs-d/4515219
- “List of Azure Application Gateway WAF exceptions (Preview),” Microsoft Learn, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-exceptions
- “Microsoft Entra Backup and Recovery is now generally available,” Microsoft Entra Blog, https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-backup-and-recovery-is-now-generally-available/4521997