Tag: DevOps

Automating a Monthly Azure Update Compliance Report with Logic Apps + Azure Resource Graph

Most patching dashboards are great for interactive views—but what if your stakeholders want a scheduled email that shows the current patch compliance for only a scoped set of servers (for example, those tagged for patch governance)? That’s where a small, reliable custom report shines.

In this post I’ll walk through the exact solution I built: a Logic App that queries Azure Update Manager data via Azure Resource Graph (ARG), filters to VMs tagged Monthly_Patch : yes, formats the results into a clean HTML email, and sends it on a monthly cadence.

Why a custom report?

  • No native email report: Azure Update Manager provides blades and workbooks, but not a ready-to-send, nicely formatted email.
  • Audience-specific scoping: We only want to report on VMs with a specific business tag (Monthly_Patch : yes).
  • Consistent sorting & formatting: Stakeholders wanted alphabetical order, readable timestamps, color-coded rows, and centered table content.
  • Lightweight & fast: With ARG we can query Update Manager resources directly—no Log Analytics workspace required for this report.

Continue reading “Automating a Monthly Azure Update Compliance Report with Logic Apps + Azure Resource Graph”

Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs

On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.

What has changed

The following APIs now support Entra ID and RBAC:

  • GetAccountInfo
  • GetContainerACL / SetContainerACL
  • GetQueueACL / SetQueueACL
  • GetTableACL / SetTableACL

These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:

  • Before: using OAuth without the right permissions resulted in 404 (not found).
  • Now:
    • 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
    • 401 (unauthorised) is returned for anonymous requests.
    • 404 (not found) is still possible if the resource itself does not exist.

If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.

Why this matters

  • Improved security – no more reliance on shared keys.
  • Granular access – assign only the necessary permissions.
  • Consistent responses – OAuth error codes now match industry standards.
  • Application impact – developers may need to update their code to support the new response model.

Continue reading “Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs”

How to Troubleshoot High Memory Pressure on an Azure VM Using Performance Diagnostics

Recently, I had to troubleshoot a case of performance degradation on an Azure VM. The key symptom was high memory pressure, which in Azure means the system is under heavy strain to fulfill memory requests — often leading to lag, paging, and slow performance.

To get to the root cause, we used Azure Performance Diagnostics (PerfInsights) — a powerful and easy-to-use troubleshooting tool. Here’s how you can install and use it from the Azure Portal, without needing to log in to the VM.

Continue reading “How to Troubleshoot High Memory Pressure on an Azure VM Using Performance Diagnostics”

Enable OpenTelemetry in Azure Functions: The Easiest Way via Azure Portal

Good news! As of June 2025, OpenTelemetry is now in preview for Azure Functions. If you want basic observability without writing code or installing libraries, you can now enable distributed tracing directly from the Azure Portal.

This quick guide shows the simplest way to enable OpenTelemetry in Azure Functions using built-in features — no NuGet packages or custom code needed.

What You Need

  • An existing Azure Function App (v4)

  • Application Insights already enabled (most new Function Apps have this by default)

Continue reading “Enable OpenTelemetry in Azure Functions: The Easiest Way via Azure Portal”

Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)

Accidental deletion or modification of critical resources in Azure is more common than most teams would like to admit. And unlike on-prem environments, where layers of approvals or access barriers might slow someone down, Azure’s agility can sometimes be its own worst enemy — especially when production workloads are one click away from disappearing.

Enter: Azure Resource Locks — your environment’s seatbelt.

What Are Azure Resource Locks?

Azure Resource Locks are a built-in feature that allow you to restrict operations on resources, resource groups, or subscriptions. These locks act as a last line of defense — even if someone has Contributor or Owner permissions, a lock will block unwanted actions like deletion or configuration changes.

Continue reading “Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)”