PowerShell – Get Practical

Building an Azure “Super-Assistant” with Azure MCP (Preview)

Introduction

AI assistants for Azure are everywhere right now. Most of them fall into one of two categories:

Chatbots with documentation knowledge, but no access to your environment
ChatGPT + Azure CLI wrappers, which still require credentials, tokens, and a lot of trust

I wanted to explore something different:

Can we build a genuinely useful Azure assistant that can see my environment, query real data, and still be safe by design?

Continue reading “Building an Azure “Super-Assistant” with Azure MCP (Preview)”

Azure Health Check – A Free Script to Audit and Visualise Cloud Hygiene

Are you running Azure subscriptions and want a quick, human-friendly overview of your governance, compute, storage, network and Key Vault hygiene?
The Azure Health Check PowerShell script gives you exactly that — scanning multiple subscriptions, flagging weak spots, and producing a clean interactive HTML report (with charts!).

Why this matters

Large and growing Azure estates can easily drift into insecure or unsupported configurations: unprotected VMs, public storage blobs, missing resource locks, orphaned disks, exposed network ports — all of which can lead to security, availability or compliance issues.

Yet manually auditing each subscription is time-consuming. That’s where automation helps. With this script, you get a multi-subscription health summary, scored, visualised and exportable — ideal for periodic reviews, customer readiness checks, or even compliance audits.

Continue reading “Azure Health Check – A Free Script to Audit and Visualise Cloud Hygiene”

Automating a Monthly Azure Update Compliance Report with Logic Apps + Azure Resource Graph

Most patching dashboards are great for interactive views—but what if your stakeholders want a scheduled email that shows the current patch compliance for only a scoped set of servers (for example, those tagged for patch governance)? That’s where a small, reliable custom report shines.

In this post I’ll walk through the exact solution I built: a Logic App that queries Azure Update Manager data via Azure Resource Graph (ARG), filters to VMs tagged Monthly_Patch : yes, formats the results into a clean HTML email, and sends it on a monthly cadence.

Why a custom report?

No native email report: Azure Update Manager provides blades and workbooks, but not a ready-to-send, nicely formatted email.
Audience-specific scoping: We only want to report on VMs with a specific business tag (Monthly_Patch : yes).
Consistent sorting & formatting: Stakeholders wanted alphabetical order, readable timestamps, color-coded rows, and centered table content.
Lightweight & fast: With ARG we can query Update Manager resources directly—no Log Analytics workspace required for this report.

Continue reading “Automating a Monthly Azure Update Compliance Report with Logic Apps + Azure Resource Graph”

Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs

On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.

What has changed

The following APIs now support Entra ID and RBAC:

GetAccountInfo
GetContainerACL / SetContainerACL
GetQueueACL / SetQueueACL
GetTableACL / SetTableACL

These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:

Before: using OAuth without the right permissions resulted in 404 (not found).
Now:
- 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
- 401 (unauthorised) is returned for anonymous requests.
- 404 (not found) is still possible if the resource itself does not exist.

If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.

Why this matters

Improved security – no more reliance on shared keys.
Granular access – assign only the necessary permissions.
Consistent responses – OAuth error codes now match industry standards.
Application impact – developers may need to update their code to support the new response model.

Continue reading “Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs”

Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell

As a Cloud Engineer, I’m always looking for ways to automate processes and streamline the management of our Azure environment. Recently, a customer approached me with a challenge: they needed to extract the last sign-in date for every user in their tenant. Although the Entra ID portal provides this information, the customer required it in a CSV format so that their security team could review the data, collaborate with user managers, and determine if certain accounts were still needed.

The Challenge

The customer needed a consolidated CSV report that contained each user’s:

Display Name
User Principal Name
Email Address
Last Sign-In Date
Manager Information (which includes the manager’s display name and email)

Although the Entra ID portal displays sign-in data, it has its limitations:

Data Extraction vs. Portal View

While the Entra ID portal provides sign-in data, having it in CSV format enables deeper analysis and easier sharing among teams. This approach consolidates all the required information into one single report. Currently, the portal doesn’t allow you to add a manager column in the view, meaning that extracting manager details would otherwise be an extremely manual process.

Continue reading “Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell”