Browse Security Community (106)

nishantmv breaks down a production-grade Azure serverless architecture for an enterprise facility-management IoT platform, covering a multi-provider telemetry pipeline, template-driven device modeling, an event-driven rule engine, and the security and resilience hardening that made it ready for production.
ManishChopra outlines six practical integration patterns for building agents and copilots that query Oracle Database@Azure with sub-millisecond latency to Microsoft’s AI stack, covering options from Copilot Studio connectors to ORDS/PL/SQL, Azure Functions, and Logic Apps, plus the identity and governance controls typically needed for production.
jordanselig shows how to add runtime governance to a multi-agent ASP.NET Core travel planner on Azure App Service using the Microsoft Agent Governance Toolkit, including YAML policy allowlists, audit logging into Application Insights, and SRE controls like SLOs and circuit breakers.
fenildoshi2510 explains how to sync Azure Key Vault secrets into an AKS namespace managed by Rancher using External Secrets Operator (ESO) and Workload Identity, so apps can consume Kubernetes Secrets without storing any client secrets.
mosiddi explains how Microsoft’s open-source Agent Governance Toolkit implements production-grade security and reliability controls for autonomous AI agents, covering its package architecture, policy enforcement (Agent OS), zero-trust identity (Agent Mesh), privilege rings (Agent Hypervisor), and SRE/observability integrations, including Azure deployment patterns.
wesback breaks down what “sovereignty” can mean in Azure Belgium Central by mapping it to three practical technical layers: data residency/locality, encryption (including CMK with Key Vault or Managed HSM), and confidential computing with attestation for in-use protection.
AmitManchanda28 explains how reusing a User Assigned Managed Identity (UAMI) across Azure environments can unintentionally widen trust boundaries and increase blast radius, and proposes an environment-isolated identity model with tighter RBAC scoping.
theringe walks through deploying to Azure App Service from Azure DevOps using a user-assigned managed identity (UAMI), including the Azure DevOps service connection setup, required RBAC permissions, and how to validate the deployment identity via AppServiceAuditLogs.
jordanselig walks through building an MCP App (a tool plus a UI resource) with ASP.NET Core, rendering an interactive weather widget inside chat clients like VS Code Copilot, and deploying the MCP server to Azure App Service using azd and Bicep.
Shamir_AbdulAziz describes how Microsoft built Azure SRE Agent—an AI-powered ops agent—using “agentic workflows” across the SDLC, with human-in-the-loop governance, RBAC guardrails, and deep integration into telemetry and incident systems to reduce on-call toil and speed up incident mitigation.
alinetran explains how to automate Azure Arc server onboarding at scale using Ansible with a new purpose-built onboarding role, focusing on least-privilege permissions and removing manual steps that don’t scale.
joclemen breaks down what Azure Key Vault’s paired-region replication really guarantees during a regional outage, why it becomes read-only after Microsoft-managed failover, and how to build true multi-region continuity with two Terraform reference architectures (private and public endpoint designs).
Meagan McCrory announces a public preview “Essential Machine Management” experience in Azure’s Compute Infrastructure Hub, aimed at onboarding Azure VMs and Azure Arc-enabled servers at subscription scope for monitoring, updates, inventory, configuration, and security baselines.
MelanieKraintz007 announces GA support for managed identities and workload identity in Azure Red Hat OpenShift, explaining how ARO operators and Kubernetes workloads can use short-lived tokens with Azure RBAC to reduce reliance on long-lived service principals.
deepthihr walks through a real production incident running a private, enterprise AI platform on Azure, showing how DNS and private networking gaps (custom DNS, Private Endpoints, and Azure Container Apps internal ingress) caused intermittent failures—and the concrete fixes that stabilized the environment.
Pamela_Fox walks through implementing Model Context Protocol (MCP) server authentication with Microsoft Entra ID using the pre-registered (pre-authorized client) path, including Entra app registration setup, token validation in FastMCP, and an optional on-behalf-of flow to call Microsoft Graph securely.
EldertGrootenboer announces the general availability of Network Security Perimeter (NSP) support for Azure Service Bus, explaining how it complements existing network controls and how to roll it out safely using transition and enforced modes.
lakshaymalik lays out a practical AKS DevSecOps model that prevents common Kubernetes misconfigurations by enforcing governance at admission time with Azure Policy/Gatekeeper, then backing it up with runtime detection (Defender for Containers) and continuous compliance checks to catch drift.
ShivaniThadiyan explains how Azure SQL Managed Instance is evolving from a SQL Server-compatible PaaS into an AI-enabled platform, covering built-in operational intelligence, vector search, in-database Python/R machine learning, and Copilot-assisted diagnostics with security and governance considerations.
ShivaniThadiyan outlines a shift-left approach to Azure infrastructure validation, using GitHub Copilot as an assistive layer to summarize Terraform plans, interpret drift signals, and help prioritize Azure Policy and Azure Resource Graph findings—without removing human approvals or governance.