Introduction
John Savill recorded this week’s update from a hotel room in San Francisco after visiting Microsoft’s Silicon Valley experience center.
Two things stood out to me: the ExpressRoute scalable gateway going GA with proper autoscaling, and the automatic passkey profile rollout that every Entra admin should know about before it lands on their tenant.
Passkey profile rollout: what you need to know
Microsoft is automatically enabling passkey profiles across all tenants. Commercial tenants get this in March with automatic enablement through April and May. GCC/GCC High/DoD follows a month later.
What actually happens depends on your current FIDO2 configuration:
- If you have attestation enabled, the default profile will only allow device-bound passkeys
- If attestation is disabled or not configured, you get both device-bound and synced passkeys
- Any existing group targeting carries over to the new default profile
Synced passkeys are the more consumer-friendly option. They sync within an ecosystem (all your Apple devices, all your Android devices, or Chrome) but not across ecosystems. The trade-off: synced passkeys can’t provide attestation because there’s no agreed-upon standard for proving a key’s hardware origin when it could live on multiple devices.
Worth remembering here: passkeys are about authentication, not authorization. Your conditional access policies still apply on top. Even if a synced passkey exists on a personal device, conditional access can still require a managed or compliant device. The passkey strength is just one signal in your policy.
The registration campaign is changing too. If you have it enabled or set to Microsoft managed, it’ll start nudging users toward passkeys instead of SMS or phone calls. Synced available? It pushes passkeys. Device-bound only? It pushes Microsoft Authenticator. Disabled stays disabled.
I’d recommend checking your current FIDO2 attestation settings now so you know what the default profile will look like when it arrives. Once it’s enabled, you can create multiple profiles with different rules for different groups.
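An added example, not from the video or from Microsoft: a Python script that applies the rollout rules above to an exported authentication methods policy and reports what the default profile and registration campaign will do. The JSON is constructed, and its shape (`isAttestationEnforced`, `includeTargets`, the registration campaign `state`) is assumed to match what `GET /policies/authenticationMethodsPolicy` returns from Graph for your tenant.

```python
import json

# Constructed sample, assumed to follow the shape of
# GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
SAMPLE_POLICY = json.loads("""
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {"state": "default"}
  },
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled", "isAttestationEnforced": false,
     "includeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}]},
    {"id": "Sms", "state": "enabled"}
  ]
}
""")

def predict_default_profile(policy):
    """Apply the rollout rules described in this post to a policy document."""
    configs = policy.get("authenticationMethodConfigurations", [])
    fido2 = next((c for c in configs if c.get("id", "").lower() == "fido2"), {})
    # Attestation enforced -> device-bound only; disabled or not configured -> both.
    attested = fido2.get("isAttestationEnforced") is True
    types = ["device-bound"] if attested else ["device-bound", "synced"]
    state = (policy.get("registrationEnforcement", {})
                   .get("authenticationMethodsRegistrationCampaign", {})
                   .get("state"))
    # "default" is the Microsoft managed setting; disabled stays disabled.
    if state == "disabled":
        nudge = None
    elif state in ("default", "enabled"):
        nudge = "passkey" if "synced" in types else "Microsoft Authenticator"
    else:
        nudge = "unknown"  # campaign state missing from the export
    return {
        "passkey_types": types,
        "targets_carried_over": [t["id"] for t in fido2.get("includeTargets", [])],
        "campaign_nudge": nudge,
    }

if __name__ == "__main__":
    print(json.dumps(predict_default_profile(SAMPLE_POLICY), indent=2))
```

Replace `SAMPLE_POLICY` with your own exported policy to see which branch of the rollout your tenant falls into.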
ExpressRoute scalable gateway goes GA
The ExpressRoute scalable gateway SKU (ErGwScale) is now GA. It replaces the fixed-size gateway SKUs with something that actually makes sense for variable workloads.
You get 1 to 40 scale units, each providing 1 Gbps of bandwidth. Set a minimum and maximum, and it autoscales based on bandwidth or flow count. With more than one instance, it’s zone redundant. You pay per scale unit per hour.
So if your ExpressRoute traffic drops at night or on weekends, the gateway scales down and your bill follows. No more paying for peak capacity around the clock.
Migration from the ErGw1Az, ErGw2Az, or ErGw3Az SKUs is direct. The migration takes a couple of hours, but the gateway stays up during the process, so no downtime.
New Intel VM SKUs: Dv7 and Ev7
Dv7 and Ev7 series VMs are in preview, running Intel Xeon 6 processors. Roughly 15% better processor performance over the previous generation, though that varies by workload. They go up to 372 vCPUs, and the Ev7 (memory optimized) tops out at 2.8 TB of memory.
On the largest sizes, Azure Boost gives you up to 400 Gbps networking, 800K IOPS, and 20 GB/s storage throughput. As always, D is general purpose and E is memory optimized, which is really about the vCPU-to-memory ratio.
New AMD VM SKUs: Dav7, Eav7, Fav7
AMD also got v7 SKUs running 5th generation EPYC with the Zen 5 core. These claim up to 35% CPU improvement over v6, though I’d expect that to vary a lot depending on the workload. Same naming conventions apply: D for general purpose, E for memory optimized, F for compute optimized.
Azure command launcher for Java (preview)
If you’re running Java on Azure compute and haven’t tuned your JVM parameters (be honest), this might interest you. The JVM defaults aren’t great for cloud environments, and you end up wasting memory and CPU without realizing it.
The Azure Command Launcher replaces the java command with jaz, which sets JVM parameters that are actually appropriate for where you’re running. Works across VMs, AKS, App Service, and other compute services.
Azure Functions: Python 3.10 end of support
Python 3.10 support for Azure Functions ends in early October 2026. You need to be on Python 3.13 or above by then.
Python version migrations are usually straightforward, but don’t leave it until the last week. Start testing now if you have Functions on 3.10.
OpenShift Virtualization: Azure NetApp Files support (preview)
OpenShift Virtualization, part of Azure Red Hat OpenShift, now supports Azure NetApp Files volumes as persistent storage for VMs. OpenShift Virtualization is the thing that lets you run VMs alongside containers on the same cluster. With this update, those VMs can use ANF volumes at any service level for persistent storage.
Relevant if you’re consolidating VM and container workloads on OpenShift and need shared storage that can actually keep up.
PostgreSQL Flexible Server: minor version updates
The usual batch: 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. These roll out automatically during your planned maintenance window. Nothing to do here.
Azure Databricks: Agent Bricks GA
The Databricks Agent Bricks knowledge assistants are now GA. You specify a use case and point it at your data, and it tries different models to find the best agent configuration. There’s an MCP catalog for additional tooling and knowledge sources.
The agent types cover information extraction, custom LLMs, knowledge assistants, multi-agent supervisors, a code-your-own option, and an AI BI genie for business intelligence. I haven’t tried this myself yet, but the idea of it automatically benchmarking models against your specific use case is appealing.
M365 tenant configuration management APIs (preview)
New Graph APIs let you snapshot and monitor your M365 tenant configuration across Entra ID, Exchange Online, Defender, Purview, Intune, and Teams.
The idea is configuration drift detection. Take a snapshot, set up monitoring on the parts you care about, and get notified when something changes. Fixed drifts auto-clean after 30 days. You need the /beta Graph endpoint for now.
If you manage multiple tenants, this is the kind of tooling that’s been missing. Being able to programmatically detect when someone changes a setting that shouldn’t have changed is genuinely useful.
RoboAlpha from Microsoft Research
RoboAlpha is a model built on the Phi vision-language family that converts natural language into robot control signals. It also processes tactile feedback so the robot can react to what it’s touching. Microsoft Research built this with the University of Washington and Nvidia.
Not something any of us will deploy anytime soon, but watching AI move from screens into the physical world is pretty wild.
Final thoughts
The passkey profile rollout is the one that needs your attention. It won’t break anything since it maintains your current configuration, but you should understand what your default profile will look like and think about how you want to structure profiles for different user groups going forward.
The ExpressRoute scalable gateway is how it should have worked from the start. Autoscaling and zone redundancy in one SKU, finally.
And if you’re due for a VM size review, the v7 series on both Intel and AMD are worth benchmarking. The AMD numbers in particular (up to 35% over v6) are hard to ignore, even if real-world gains will be smaller.
Sources
- John Savill, “Azure Update - 30th January 2026,” YouTube, https://www.youtube.com/watch?v=97b7TE_-kSM
- John Savill, “Entra Passkey Profile Rollout,” YouTube, https://www.youtube.com/watch?v=hAm_DcqH0nY