Azure AD – Get Practical

Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs

On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.

What has changed

The following APIs now support Entra ID and RBAC:

GetAccountInfo
GetContainerACL / SetContainerACL
GetQueueACL / SetQueueACL
GetTableACL / SetTableACL

These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:

Before: using OAuth without the right permissions resulted in 404 (not found).
Now:
- 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
- 401 (unauthorised) is returned for anonymous requests.
- 404 (not found) is still possible if the resource itself does not exist.

If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.

Why this matters

Improved security – no more reliance on shared keys.
Granular access – assign only the necessary permissions.
Consistent responses – OAuth error codes now match industry standards.
Application impact – developers may need to update their code to support the new response model.

Continue reading “Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs”

How to Troubleshoot High Memory Pressure on an Azure VM Using Performance Diagnostics

Recently, I had to troubleshoot a case of performance degradation on an Azure VM. The key symptom was high memory pressure, which in Azure means the system is under heavy strain to fulfill memory requests — often leading to lag, paging, and slow performance.

To get to the root cause, we used Azure Performance Diagnostics (PerfInsights) — a powerful and easy-to-use troubleshooting tool. Here’s how you can install and use it from the Azure Portal, without needing to log in to the VM.

Continue reading “How to Troubleshoot High Memory Pressure on an Azure VM Using Performance Diagnostics”

Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell

As a Cloud Engineer, I’m always looking for ways to automate processes and streamline the management of our Azure environment. Recently, a customer approached me with a challenge: they needed to extract the last sign-in date for every user in their tenant. Although the Entra ID portal provides this information, the customer required it in a CSV format so that their security team could review the data, collaborate with user managers, and determine if certain accounts were still needed.

The Challenge

The customer needed a consolidated CSV report that contained each user’s:

Display Name
User Principal Name
Email Address
Last Sign-In Date
Manager Information (which includes the manager’s display name and email)

Although the Entra ID portal displays sign-in data, it has its limitations:

Data Extraction vs. Portal View

While the Entra ID portal provides sign-in data, having it in CSV format enables deeper analysis and easier sharing among teams. This approach consolidates all the required information into one single report. Currently, the portal doesn’t allow you to add a manager column in the view, meaning that extracting manager details would otherwise be an extremely manual process.

Continue reading “Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell”

Step-by-Step Guide: Setting Up a Banned Password List in Azure

Recently, a customer raised a ticket asking us to implement a banned password list. In this guide, I’ll walk you through how we successfully tackled this request and configured it in Entra ID.

Enforcing strong password policies in Entra ID is crucial for improving organisational security. One effective method is implementing a custom banned password list to prevent users from selecting weak or predictable passwords. Here’s how to set this up step-by-step:

Prerequisites

Before starting, ensure you have the following:

Entra ID Premium P1 or P2 licence
- The banned password list feature is available only in Entra ID Premium editions.
Administrator permissions
- You need Global Administrator or Privileged Role Administrator rights in Entra ID to configure password policies.

Continue reading “Step-by-Step Guide: Setting Up a Banned Password List in Azure”

How to Create a Secure SFTP Service Using Azure Storage Account and Make It Publicly Accessible

Creating a Secure File Transfer Protocol (SFTP) service using an Azure Storage Account offers a cost-effective, scalable, and highly available solution for transferring files. This guide will walk you through the process of setting up an SFTP service on Azure Storage and configuring it to be publicly accessible while focusing on the most secure options.

Step 1: Create an Azure Storage Account

1.1 Sign in to Azure Portal

Go to the Azure Portal and sign in with your Azure account.

1.2 Create a New Storage Account

In the Azure portal, select Create a resource > Storage > Storage account.
In the "Basics" tab, configure the storage account:
- Subscription: Select your subscription.
- Resource group: Create a new resource group or select an existing one.
- Storage account name: Enter a unique name for your storage account.
- Region: Select the region closest to you.
- Performance: Choose Standard.
- Redundancy: Choose the redundancy option that fits your needs (e.g., Locally-redundant storage (LRS)).
In the "Advanced" tab, configure the storage account:

Hierarchical Namespace: Enable hierarchical namespace.
Access Protocols: Enable SFTP.

Click Review + create and then Create.

Continue reading “How to Create a Secure SFTP Service Using Azure Storage Account and Make It Publicly Accessible”