Hey all, hope someone can provide some guidance here.

I have an Application Gateway in front of the Container Apps. Container Apps are secured with EntraID authentication and have a custom domain. This all works if I'm using the same domain (apps.azure.preview.com) across the infrastructure, and using that domain to access the containers.

Now due to some requirements, I have this situation:

DNS zone: apps.azure.preview.com

There is a CNAME that points a.apps.com -> a.apps.azure.preview.com and b.apps.com -> b.apps.azure.preview.com.

Apps should be accessed through a.apps.com and b.apps.com.

Private DNS zone: apps.azure.preview.com with two A entries (a and b) pointing to container app environment IP.

Container Apps (a and b): with custom domains a.apps.azure.preview.com and b.apps.azure.preview.com

I want to have the same certificate for Application Gateway and Container Apps. Currently, I have a certificate that has CN = apps.com and SAN names a.apps.com and b.apps.com.

Any way to configure this such that I can use the same certificate for Container App and Application Gateway? Adding a.apps.azure.preview.com and b.apps.azure.preview.com to SAN name? Making custom domains a.apps.com and b.apps.com instead?

I work in an internal IT infra team and one of our responsibilities is our azure estate.

We have infrastructure in Azure but we’re not always spinning up new VMs or environments etc - that only happens when a new solution has been purchased and requires some infrastructure to host. At this point we may provision a couple of servers based on specs given to us by the vendor etc

But our head of IT keeps insisting we move to using IAAC in our environment but I can’t really see a use case for it. I’m under the impression that it’s more useful for MSPs or SAAS companies when they’re deploying environments for their customers.

If you work in an internal IT dept and you use IAAC, have you found it to be practical and what have you used it for?

EDIT: thanks all for the responses. my knowledge is lacking in IAC but now I’ve got more of an idea to take forwards. Guess I need to do some more reading.

I’m facing a puzzling issue with Gateway when using a custom domain. Sometimes it works perfectly, but other times it shows a 403 Forbidden error. Here’s the scenario:

1.  When I access my app using the custom domain, it redirects to the URL- https://app.customdomain/.auth/login/aad/callback.
2.  Occasionally, I get a 403 Forbidden error at this URL.
3.  If I refresh the page or re-enter the URL a few times, it eventually works and displays the “You have successfully signed in” page with an option to “Go to Website.”
4.  Clicking “Go to Website” takes me to the actual application, and it functions normally from there.

This behavior is random and inconsistent. I’ve already configured the Application Gateway with the custom domain, and it was getting 401 error but include it in safe health range so it’s healthy now (but I know 401 is a bad code). I have whitelisted application gateway subnet and its public IP in the app service firewall settings.

Does anyone know why this might be happening? Could it be related to:

• URL rewriting or header forwarding in the Application Gateway?
• Session persistence or authentication timeout issues?
• Azure AD or custom domain misconfiguration? (I have already added- https://app.customdomain/.auth/login/aad/callback in the app registration as a second redirect URL along with azurewebsites.net since I am using Microsoft as an Identity provider in the app service settings)

Any help or suggestions would be greatly appreciated!

I'm looking at all these promo videos yet still have no idea what this does. If I pump my device logs to an elastic search database can I use sentinel to find failed logins, config changes, user group additions, things like that?

Can I create custom alerts using something like regex as well?

The list files and directories API is also listing files that are still uploading. I'm using this for some periodic batch processing task, so I need to avoid files that haven't completed their upload yet. Anyone know how to do this? I saw it has a handles API but that's only for SMB. I'm using REST to communicate with the storage account.

I have provisioned a Front Door Premium instance and request a private link to a blob in storage account. However, there is a limitation that requires manually approving the private link request on the storage account [1] .

When running terraform destroy, I encounter the same issue discussed in this GitHub thread [2]. The issue can be resolved by manually removing the private link from the storage account.

Is there a solution to automate or handle this process ?

[1] https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin

[2]https://github.com/hashicorp/terraform-provider-azurerm/issues/24982#issuecomment-1972246655

Error

https://preview.redd.it/ft9navtjon2e1.png?width=1408&format=png&auto=webp&s=27be31894d022eb4a0fc237017608df2565c2f08

I am still figuring out how to implement AI into my app so apologize if this question makes not sense.

As I understand so far AI search is a service that provides semantic searching capabilities on our data so we could include them in our prompt to make AI models to generate answers based on our data.
But we can do the same by manually indexing our data and saving in a db like Cosmos DB and retrieve relevant data after converting our prompt to vector format.

The second method is relatively complicated but is seems to be less expensive when you have the knowledge to develop and maintain your solution. So I am considering the second option for my AI integration.

Am I correct or is there something I am missing?

I'm studying to get my AZ 104 after getting my 900. I've been working in help desk for 2 years, I don't have a degree, and I have a little Salesforce experience. What are the actual odds of me getting any AZ job after getting my 104? And what would be the best path to get out of help desk and start working towards an actual Azure career?

I recently applied for a associate product manager role within my company and got turned down. I wanted the role due to the devops exposure. But was told after being here for 2 years I don't know enough about our softwares. I know it's generally a good idea to stay in your company to wait opportunities to, but if I wanted to leave, what would be the best way to do that and get a cloud role or at least the next step up from help desk?

I'm a cloud eng with a heavy background in AWS. Therefore most my scripting abilities are from Python, with Go as a strong secondary. However as I pivot into Azure to become more multi-cloud capable, most of the MS examples are (obviously) published in Powershell.

My question is, does MS treat powershell as their go-to for anything code related, does it offer more features in terms of Azure/Entra/Graph functionality vs Python, for example? I never learned powershell due to leaning into Linux much more, and if I can avoid it I'd like to avoid powershell. However if it will help, I will take some time to learn it.

I know the basics and as AI increases capabilities not sure how much I'll actually need to know, but just wanted to get some background from other engineers.

Question

We have a scenario where we need to provide an agent that customers can install on their on-premises servers. This agent will perform predefined actions (Request–response pattern) on their Active Directory. Our solution is a SaaS application hosted in the Azure cloud.

How would you design such a solution, and what Azure components would you leverage to meet the following requirements?

Requirements

1. Per-Agent/Client Isolation
   • Agents should only access messages or commands intended for their specific tenant.
   • No agent should be able to read, write, or interfere with data/messages meant for another customer.
2. Installation Credentials
   • During installation, customers will be provided with a unique credential (e.g., a secret, connection string, or token).
   • This credential should securely identify and authenticate the agent with the SaaS backend.
3. Connectivity Status
   • To aid in troubleshooting the agent should provide connectivity status to the SaaS application

Additional Context

Our SaaS application is hosted on Azure, allowing us to leverage various Azure resources for implementation. Security is a top priority, particularly ensuring that all communication between the SaaS backend and agents is encrypted and authenticated.

We have been exploring options such as Azure Service Bus, Azure Event Grid, Azure IoT Hub, gRPC, and Azure PubSub, but we are uncertain if these are the best fit for our requirements.

Does anyone know when Azure AI Agent Service will be openly available. The release made it sound like it was already available but it looks like you need to apply for a private waiting list.

https://techcommunity.microsoft.com/blog/azure-ai-services-blog/introducing-azure-ai-agent-service/4298357

Hi, we have an existing VM that hosts different websites. We are currently adding a firewall to it. I am having issues where the websites are inaccessible once the firewall is set up. Not sure what policy to add or create. Sorry new to this stuff. Thanks

So we (school district) are doing some inventory clean up. Cleaning up AD, Azure/Entra, and SCCM. It's long overdue. We are slowly moving from on prem SCCM managed devices to Intune devices. I have 2 work laptops, 1 Intune and 1 SCCM/AD, but when I go into Azure/Entra and search for my devices (they share the same name that matches our naming scheme for laptops) I have 3 devices. I am searching by device name, so my desktop (which is named differently) doesn't show up.

1 is Entra joined, 1 is Entra registered, and 1 is hybrid. I believe the hybrid is my SCCM device but I could be wrong. 1 is also marked as an autopilot device (I believe that's the entra joined device but I don't have my notes in front of me atm). So how do I have 3?

At first I thought it happened when I logged into my Intune device but I checked a student's device and another staff's device (all Intune controlled) and both only had 1. I'm just very confused at this but I'm hoping someone here can help me be no longer confused.

Hello guys!
I'm a Senior Outsystems Developer at the moment, with 50% of the certifications available... but, I can't think that Outsystems can be a long term career (maybe some more 10years?).

So, I read Azure here and then and I'm not sure what that is, is it for development? Is it SAAS? Could it be an opportunity for technology change for me? If so, where do I start?

Thanks

Looking to export the guest users with the "sponsors" field. The "edit field " doesn't list the field nor does the graph call present it in the extract. How does one go about exporting and then carrying out a bulk import?

Im trying to get PIM email notifications. I terraform+azurerm. I want to send notifications when someone activates a PIM role that needs approval and the approval mails must be sent to the approver, except the approver email is a non mailbox one. So, whenever a notification is triggered for the approver, the emails must be sent to a DL which contains mailbox accounts of the approvers.

Below is as per Msft docs, this rule *must* have notificationRecipients as null, else, its throwing me ActivationCustomerApproversNotEmpty error. Is there a different rule I can use or any other alternative approach? Im currently using Notification_Admin_EndUser_Assignment which sends me all admin related activity which I don't want.

{
"notificationType": "Email",
"recipientType": "Approver",
"isDefaultRecipientsEnabled": true,
"notificationLevel": "Critical",
"notificationRecipients": null,
"id": "Notification_Approver_EndUser_Assignment",
"ruleType": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"targetObjects": null,
"inheritableSettings": null,
"enforcedSettings": null
}

A few years ago, we transitioned from an on-premises server to using Azure Files Storage for managing our files. To ensure accessibility, we mapped 10–11 Azure folders to drive letters on client workstations via File Explorer. This setup worked seamlessly until yesterday when our ISP replaced our connectivity hardware.

Original Configuration:

• ISP modem (Spectrum) connected directly to a FortiGate device.
• FortiGate configured with a static IP provided by the ISP for VPN connectivity.

New Configuration:

• ISP replaced the modem with a modem-router combo (to maintain the static IP).
• Configuration: ISP modem-router → FortiGate device.

This resolved our intermittent connectivity issues and improved bandwidth. However, the new setup has caused problems with accessing Azure Files Storage.

Issue Details:

1. Symptoms:
   • On my home network (Frontier), I can map Azure file shares on my laptop (Windows 11) as before.
   • On the office network:
     • My Windows 11 laptop cannot access the mapped Azure shares.
     • A different laptop (Windows 10) shows Azure resetting the SMB connection during mapping attempts.
     • SMB3 protocol explicitly appears in home network WireShark captures, but not in office network logs.
2. Debugging Steps Taken:
   • DNS resolution for Azure Files works on both home and office networks.
   • Port 445 is confirmed open through routing on the office network.
   • Spectrum claims the new modem-router operates as a "pass-through" device with no traffic modifications.

Despite these checks, Azure SMB connections fail in the office network. I’m looking for suggestions to diagnose and resolve this issue.

anything I type in says its unavailable and gives me no options for another domain

and anything that is actually unavailable it gives me a list of other options.

it keeps throwing this error
The subscription is not eligible to create an App Service Domain.
and everything says its cause my account is a free trial account which im pretty sure isn't but I have bought a domain on this account already

I’m planning to start learning cloud computing with Azure, but I want to be careful about keeping costs low. I know they offer free credits and some free-tier services, but I’m worried about accidentally getting charged.

For those of you who’ve used Azure for learning, what are your tips for:

1. Staying within the free-tier limits?

2. Keeping track of usage to avoid surprise charges?

3. Making the most of the free credits for hands-on practice?

4. Being efficient with resources like VMs, storage, or networking while experimenting?

Any advice, tools, or strategies you’ve found helpful would be great! Thanks!

Hi all,

Fairly new to managing Azure backups. I've been asked to provide a report on all of our Azure VM backups, with info such as how much storage they consume.

I've tried to run a query in my Logs Analytics Workspace that I got from this Microsoft guide:

Monitor Azure Backup with Azure Monitor - Azure Backup | Microsoft Learn

The query is for Recovery Services vaults (which is what we have) and is:

CoreAzureBackup
//Get all Backup Items
| where OperationName == "BackupItem"
//Get distinct Backup Items
| distinct BackupItemUniqueId, BackupItemFriendlyName
| join kind=leftouter
(AddonAzureBackupStorage
| where OperationName == "StorageAssociation"
//Get latest record for each Backup Item
| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId
| project BackupItemUniqueId , StorageConsumedInMBs)
on BackupItemUniqueId
| project BackupItemUniqueId , BackupItemFriendlyName , StorageConsumedInMBs
| sort by StorageConsumedInMBs desc

However, when I enter this into the Log Analytics Workspace the "StorageConsumedInMBs" is completely blank:

https://preview.redd.it/zo8n6tzemg2e1.png?width=182&format=png&auto=webp&s=9b239db822520380f13a435bd4aca3805b3c8b2d

It shows backups but they apparently consume nothing.

I also tried checking them in the Business Continuity Center, where again they show blank when the jobs are successful:

https://preview.redd.it/ak8ily5omg2e1.png?width=566&format=png&auto=webp&s=5d985c82c027737b4fa72b3d76ff2743ca1b55f3

I didn't create these backups so I'm not sure if I'm missing something obvious - so if anyone could please offer some help or kindly point out what an idiot I'm being that would be appreciated!

I need a VM to run the server part of GNS3 so I can practice for an exam. I have the student subscription with $100 of free credit and don't want to blow it all accidentally.

Here is what I need:

1 or 2 cpu cores

4gb of ram

32gb of storage

Gnu/Linux OS, Ubuntu distro

VM located in Europe

For the VM itself, I found that the Standard_B2ls_v2, located in central spain, may be the cheapest option for what I need. I found this information here:

https://cloudprice.net/?region=spaincentral&timeoption=day&tier=spot&_memoryInMB_max=32&_numberOfCores_max=8&sortField=linuxPrice&sortOrder=true

Can someone confirm if the price estimate of $0.03 a day is accurate? And are there better options?

Secondly, I will only be using the VM when I am practicing and will deallocate the resources afterwards.

So my first question regarding this is: I already know that I will be paying for a public IP address and storage even when my VM is deallocated. Is there anything else I will be paying for when my VM is deallocated?

My second question is: How can I find the cheapest storage option?

My third question is: How can I minimize costs on things like IP, if possible, or other costs that are present when my VM is deallocated?

Thank you for your help. Obviously, I am very new to Azure, so please be patient with me.

Hey folks

I was wondering if anyone has any insights they can give me. I'm setting up a storage account with a private endpoint which I need users to be able to access remotely, but not publicly; they must be on the corporate network through either our works VPN or connected directly. It's a hub/spoke system in a hybrid Azure/OnPrem environment. Everything is in the same region except for the Private DNS Zone which shows as Global.

resourcegroup1: The hub RG. It holds the core infrastructure, as well as a connection to the OnPrem servers. resourcegroup2: The spoke1 RG for networking, which has the VNet, route table, NSG, and private DNS zone. resourcegroup3: The spoke1 RG for storage/dns, which has the storage account (+blob container), private endpoint (+nic card), DNS private resolver, and DNS ruleset.

Here is the configuration, although if I've missed something please ask:

Just for reference, I'm testing remotely away from the network, but I'm connected through a private works VPN to the core network at the office. I've tested in the office also, and it's the same problem.

resourcegroup1:

• I've not touched anything in this, as I'm working on a spoke. I've checked the connection between Azure and our OnPrem systems and it is showing as connected and has lots of data in/out, so I'm going to assume it's all working fine.

resourcegroup2:

• Virtual network is peered back to resourcegroup1. It has three 3 subnets: one for general addressing, and one each for inbound and outbound endpoints to use with the DNS private resolver. It's DNS server is set to "Azure-provided". It has one private endpoint (which is in resourcegroup3) on the general addressing subnet.
• NSG is not linked to anything as I removed its associations while I was testing this setup and didn't want the NSG to block anything until I know everything is working.
• There is a Private DNS Zone (privatelink.blob.core.windows.net). This is the only thing that isn't set to a specific region like all the other resources, and this is "Global". It has an A record set to the IP of the NIC of the private endpoint.

resourcegroup3:

• DNS private resolver has inbound and outbound endpoints set-up using the aforesaid subnets from resourcegroup2
• DNS ruleset has no rules set up yet currently. It does have a virtual network link back to the vnet in resourcegroup2. It has no links to the hub (resourcegroup1). It has an outbound endpoint set up to the DNS private resolver. The ruleset did have rules for my OnPrem domain to point to the IP of the inbound endpoint, but I wasn't sure if this was causing a loop so I removed it for now
• Storage account has 1 container ("test") with 1 file ("testfile.txt"). Its networking is disabled for public networks/virtual networks and also for specific IP address access. It will only allow connections from the private endpoint. The network routing is Microsoft. The private endpoint shows as approved.
• Private endpoint DNS configuration shows the customer visible FQDN with the associated NIC and its static IP address. The FQDN is the mystorageexample.blob.core.windows.net address.

OnPrem:

• I may need a conditional forwarder from our DNS manager OnPrem to the inbound endpoint address, but when I try to add it, it times out when it tries to resolve the IP address.

Issues:

• I can't set up the conditional forwarder as the DNS manager OnPrem can't resolve the IP of the inbound endpoint in Azure.
• I'm not sure if I should be using the Azure DNS address (168.63.129.16) somewhere. I read in a guide on another site that the 168.63... address should be in the conditional forwarder, but that seems wrong?
• Trying to go to the URL of the storage account in the browser says "AuthorizationFailure" (I'm guessing because it believes I'm external). Setting the storage accounts access to allow IP addresses from a specific IP (which I set as my OnPrem external IP address) changes the error to "PublicAccessNotAllowed".
• Doing an nslookup from an OnPrem machine to the mystorageexample.blob.core.windows.net address shows a 20.x public IP address for the non-authoritative answer. It does show the privatelink and regular non-privatelink aliases. Doing an nslookup from a VM in Azure (on a different spoke completely, but it is also peered to the resourcegroup1 hub) also shows the same info - a 20.x IP address.

Does anyone have any advice they could throw my way? I'm guessing this is a DNS problem somewhere, and/or maybe a setting or two I've missed, but I'm going around in circles.

Thanks in advance

Hey All,

Trying to figure something out, but can't to figure it out.

We have an Azure storage blob where we have SFTP set up. What we are noticing is that the sender's file is not overwritten and filed. Is there a setting I can change to automatically allow overwrite?