Browse All Security Content (464)

mosiddi explains how the Agent Governance Toolkit (AGT) tackles post-hoc accountability for autonomous agents: proving who authorized an action, what scope was delegated across multi-agent chains, and whether audit evidence was tampered with, using cryptographic identities, signed delegation links, and append-only audit logs.
Community
Sunitha Muthukrishna announces a public preview feature in Microsoft Fabric API for GraphQL that lets you enforce custom authorization rules via an Authorizer User Data Function, enabling policy-based access decisions using request context like user identity, roles, and tenant information.
News
rbhatia explains how Azure Application Gateway’s Layer 4 TCP/TLS proxy can centralize ingress for non-HTTP workloads, including legacy TCP protocols and Kubernetes-hosted TCP services. The post covers TCP/TLS listeners, TLS pass-through, Proxy Protocol v1 for preserving client connection details, and practical recommendations for production deployments.
Community
Imran Siddique and Shawn Henry explain how Microsoft Agent Framework and the Agent Governance Toolkit (AGT) fit together to run AI agents safely in production, with deterministic runtime policy checks, budget enforcement, and end-to-end auditability across local and cross-boundary (A2A) agent interactions.
News

Defense in depth for autonomous AI agents

Alyssa Ofstein and Elliot H Omiya explain how defense in depth needs to adapt for autonomous AI agents, focusing on application-layer controls that bound what agents can do, how they get permissions, when humans must approve actions, and how identity makes agent behavior auditable.
News
Ronnie Geraghty announces the GA (stable) release of the Azure SDK for Rust, covering the now-stable core, identity, Key Vault, and Storage crates. The post highlights API stability and semver guarantees, improved paging and long-running operations primitives, built-in resilience, and OpenTelemetry-based observability, with a quickstart example for authenticating and listing blobs.
News
RoaaSakr explains how AKS Pod Sandboxing startup time for large-memory pods improved dramatically after Azure Linux kernel changes for Microsoft Hypervisor (MSHV), shifting from eager memory allocation to deferred page allocation and making sandbox VM boot time largely independent of requested memory size.
Community
Jim Harrer announces the VSLive! Microsoft AI Hackathon 2026 at Microsoft HQ in Redmond, a hands-on evening build event designed to help teams ship real prototypes using Azure OpenAI, Azure AI Foundry, GitHub Copilot, and agent-based patterns, with judging criteria that emphasize architecture, security, and practical value.
News
stclarke summarizes SAP Sapphire 2026 announcements focused on running SAP workloads on Azure and moving enterprise AI from pilots to production, including Azure OpenAI + Copilot Studio scenarios, Microsoft Fabric connectivity to SAP data, sovereign cloud options for regulated industries, and Sentinel-based monitoring for SAP landscapes.
News

When configuration becomes a vulnerability: Exploitable misconfigurations in AI apps

Microsoft Defender Security Research Team and Yossi Weizman break down real-world “exploitable misconfigurations” in cloud-native AI apps—especially Kubernetes deployments where exposed services and weak auth can lead to RCE, credential theft, and data leaks—and show what to harden and what Defender for Cloud can detect.
News
vikas_gautam describes an end-to-end architecture for bringing Databricks Genie into Microsoft Teams using an Azure AI Foundry agent, focusing on what breaks in private, regulated environments and how to handle networking isolation, multi-hop identity, and per-user authorization when querying governed data.
Community
Rob Bos introduces the GitHub Copilot App technical preview and shares a practical first look at using it for repository maintenance, including parallel agent sessions, session modes (Interactive/Plan/Autopilot), and the Agent Merge workflow for handling CI failures, merge conflicts, and security-related alerts.
Blogs
simranparkhe announces general availability of Azure Integrated HSM for select AMD v7 Trusted Launch VM sizes, explaining how it caches keys and offloads cryptographic operations locally to reduce Key Vault round-trips while keeping key material inside a FIPS 140-3 Level 3 hardware boundary.
Community
Allison announces the GitHub Enterprise Server (GHES) 3.21 release candidate, highlighting updates for enterprise admins and platform teams across governance, GitHub Projects, REST API versioning, GitHub Actions workflow UI performance, secret scanning permissions, and storage configuration for MySQL and repository data.
News
Amir Jafari announces preview support for service principal (SPN) authentication for Microsoft Fabric data agents, explaining why app identities matter for production deployments and outlining two common patterns: calling a data agent directly from a custom app, or routing through a Microsoft Foundry agent.
News
John Edward explains how GitHub Copilot changes team workflows around pull requests, code review expectations, and knowledge sharing. The article focuses on the trade-offs of faster AI-assisted coding, why review discipline matters more, and how teams can add guardrails like testing and security scanning without losing collaboration.
Blogs
Max Uritsky announces general availability of a new Azure Boost hardware platform underpinning Esv7, Dsv7, and Dlsv7 VMs, detailing the PCIe card architecture (ASIC/FPGA, MANA NIC, Arm SoC), the performance gains for networking and storage, and the security model built around hardware root of trust and continuous attestation.
Community
Satya Nadella shares an update on Microsoft’s multi-model agentic security system, which uses 100+ specialized agents across frontier and custom models to find exploitable bugs, topped the CyberGym benchmark, and helped identify and fix 16 vulnerabilities ahead of Patch Tuesday, with a private preview now available.
News
Taesoo Kim announces MDASH, Microsoft Security’s multi-model agentic scanning harness, and explains how it uses specialized AI agents to find, validate, and prove vulnerabilities end-to-end. The post shares benchmark results, details 16 Patch Tuesday CVEs found in Windows networking/auth components, and includes two technical deep dives.
News
Taesoo Kim introduces MDASH, Microsoft’s multi-model agentic scanning harness, and explains how it’s being used to find and validate real Windows vulnerabilities end-to-end. The post breaks down the pipeline stages (prepare/scan/validate/dedup/prove), shares benchmark results, and details 16 Patch Tuesday CVEs plus two technical deep dives.
News
stclarke summarizes Microsoft and Red Hat’s Red Hat Summit 2026 updates for Azure Red Hat OpenShift, focusing on running modern apps and production AI with enterprise governance. It highlights OpenShift Virtualization for VM-to-Kubernetes migration, identity and confidential computing features, GPU-backed AI workloads, and expanded regional availability.
News

.NET and .NET Framework May 2026 servicing releases updates

Rahul Bhandari (MSFT) and Tara Overfield recap the May 2026 servicing releases for .NET and .NET Framework, including security and non-security fixes, the CVEs addressed, and where to find release notes, installers, container images, Linux packages, and known issues.
News
Allison summarizes what’s new in CodeQL 2.25.4 for GitHub code scanning, including Swift 6.3.1 support, improved C# and ASP.NET taint-flow modeling, expanded Java/Kotlin query sanitizers to reduce false positives, and new data-flow barrier extensions to tune results across many languages.
News

Customize Copilot Modernization Tasks

Sandra Ahlgrimm explains how to customize GitHub Copilot’s modernization task lists so teams can modernize legacy Java apps safely: set constraints, split risky upgrades into smaller reviewable steps, validate the current state first, and ensure Copilot surfaces CVEs without making silent changes.
Videos

Synchronous SBOM API deprecated

Allison announces the deprecation of GitHub’s synchronous SBOM REST endpoint and explains how to migrate scripts and integrations to the newer asynchronous SBOM report generation flow ahead of the November 13, 2026 removal date.
News
Kumar Srinivasamurthy outlines how modern DDoS campaigns have shifted toward multi-vector and application-layer abuse, and shares a defense-in-depth approach for keeping consumer-facing services usable under sustained attack, including edge filtering, resilient architecture, and planned graceful degradation.
News
kinfey explains why AI agents running model-generated code need stronger isolation than standard containers, then walks through deploying a GitHub Copilot SDK agent on AKS using Kata Containers (kata-vm-isolation) plus layered hardening like seccomp, NetworkPolicy egress allowlists, and deny-by-default tool permissions.
Community
vikas_gautam introduces PII Shield, a privacy proxy that sits in front of LLM calls to detect and anonymize PII (with optional reversal) so raw identifiers don’t leak through prompts, gateways, logs, or observability pipelines.
Community
vyomnagrani explains why Microsoft built Azure AI Foundry Agent Service on Azure Container Apps, focusing on what changes when AI agents move from prototypes to production: bursty execution, long-running workflows, secure tool execution, isolation, state persistence, and the operational requirements for running agent fleets reliably at scale.
Community
FaizaanMerchant explains a Zero Trust network design for Azure Databricks that avoids public workspace exposure by fronting external access with Azure Application Gateway WAF and routing traffic to the workspace through Private Endpoints, while keeping internal access on private connectivity (VPN/ExpressRoute).
Community
stclarke summarizes the April 2026 Copilot Studio updates, focusing on scaling AI agents with stronger governance, clearer analytics visibility, and more capable workflows. It also covers new integration options like apps-in-agents, MCP-enabled tools (preview), evaluation automation APIs, and multi-agent collaboration features.
News
grace_kim explains a Windows Kerberos hardening change rolling out from April–July 2026 that can break Kerberos-based SMB access to Azure Files when AD DS objects are still using (or defaulting to) RC4. The post shows how to detect impacted configurations and migrate to AES-256 before rollback is removed after July 2026.
Community
Alex-wdy explains why Azure CLI on macOS is moving away from Homebrew Core and introducing new Preview installation options in Azure CLI 2.86.0, including a Homebrew Cask package and an offline tarball for restricted environments, with a focus on signed, notarized binaries and future enterprise authentication needs.
Community
osmancokakoglu announces the winners of the AI Dev Days Hackathon and summarizes the projects and the Microsoft stack they used, including Azure AI Foundry, Azure OpenAI models, and the Microsoft Agent Framework, plus common Azure services and DevOps practices used to ship production-grade agentic apps.
Community
EldertGrootenboer announces the general availability of confidential computing for Azure Service Bus Premium, explaining how TEEs protect message data while it’s being processed and how it complements existing encryption and network controls. The post also covers regional availability and how to enable the feature in the portal or via templates.
Community
Shireesh Thota summarizes the main architecture trends from Cosmos DB Conf 2026, focusing on how teams are building AI-native apps on Azure Cosmos DB with flexible data models, serverless scale, and first-class semantic/vector search, plus practical patterns for agent memory, cost visibility, and multi-user security.
News
Allison announces an update to Dependabot that lets enterprises grant it access to internal repositories across organizations, enabling dependency update pull requests even when dependencies live in a different org within the same enterprise.
News
Paulams732 describes a reusable Azure DevOps YAML pipeline template for scaling GitHub Advanced Security across many repositories by detecting repo contents, running CodeQL only when relevant, and adding IaC scanning with centralized reporting and SARIF artifacts.
Community
This roundup tracks a clear shift from agent capability to agent governance: more context, more observability, and more policy controls across Copilot, VS Code, and the CLI. On the platform side, Microsoft tightened the path from prototype to production with .NET agent building blocks, Azure AI Foundry deployment patterns, and data governance improvements that make RAG and operations easier to standardize. We also cover the less flashy work that keeps systems dependable at scale, including Fabric and Databricks operational updates, GitHub migration and ruleset changes, and security research that keeps token theft, privilege escalation, and supply chain risk in focus.
Roundups
mkachare explains how Azure NetApp Files depends on DNS when using Active Directory-backed SMB, dual-protocol, and NFSv4.1 Kerberos volumes, and why hub-spoke or Virtual WAN designs with an external DNS forwarder often fail. The post focuses on the two separate DNS paths ANF uses, plus the forward and reverse rulesets required to avoid hard-to-diagnose errors.
Community
