Generally Available: Entra-only identities with Azure Files
Azure Files announces general availability of Entra-only identities for SMB access, enabling organizations to securely access file shares using cloud-native identities without requiring Active Directory or hybrid identity infrastructure. With Microsoft Entra ID as the authentication authority, users can access Azure Files using Kerberos-based authentication backed entirely by cloud identities - eliminating dependency on domain controllers and simplifying storage and identity architecture.
Key capabilities
- Cloud-native authentication with Entra ID: Secure SMB access using Kerberos without Active Directory or domain controllers
- Simplified permissions management: Configure granular NTFS ACLs for Entra users and groups directly through the Azure portal
- Role-based access control (RBAC): Assign share-level access using built-in roles for least-privilege administration
- Secure access from anywhere: Enable identity-based access over the internet without VPN dependencies
- Support for modern workloads: Power Azure Virtual Desktop (AVD), general-purpose file sharing, and distributed collaboration scenarios
Generally Available: Azure NetApp Files object REST API
The Object REST API (an S3-compatible REST API) on Azure NetApp Files bridges the gap between traditional file-based storage and modern cloud services, enabling you to use your existing data in new ways. With the Object REST API, you can seamlessly integrate Azure NetApp Files data with Microsoft Fabric, Azure AI services, and other Azure offerings without the need to move or replicate data. This unlocks new use cases such as advanced analytics, machine learning, and real-time business intelligence, while reducing costs and accelerating innovation.
The Object REST API introduces native S3-compatible read/write access, allowing modern applications to interact with your data directly and efficiently. Enterprises benefit from simplified integration, enhanced productivity, and improved data security, as data remains in place and protected by Azure NetApp Files’ robust security measures. This feature is ideal for organizations looking to leverage AI-driven insights, streamline workflows, and maintain compliance with industry standards.
Public Preview: TLS/SSL certificate support for Azure Functions Flex Consumption
Flex Consumption introduces a site-scoped certificate model, in public preview in all regions where Flex Consumption is available. Unlike webspace-scoped certificates on other hosting plans, which are shared across apps in the same region and resource group, Flex certificates are scoped to an individual function app.
Each function app can hold up to 3 private (.pfx) and 3 public (.cer) certificates. Certificates can be uploaded directly, imported from Azure Key Vault, or issued as free App Service Managed Certificates, and they enable custom domains, client-certificate authentication, and mutual TLS scenarios on Flex Consumption.
To access certificates from code, Flex Consumption uses a per-certificate "Accessible to app code" toggle in the portal instead of the WEBSITE_LOAD_CERTIFICATES app setting used on other plans. Because Flex Consumption runs on Linux, code reads certificates from file paths (/var/ssl/certs for public, /var/ssl/private for private) rather than from a Windows certificate store.
Currently, the Azure portal is the recommended path for configuring certificates during preview. Apps migrating from another plan should add their certificates to the new Flex Consumption app rather than carrying webspace-scoped certificates across.
Generally Available: User Groups and IP address pools for P2S connections
User Groups and IP Address Pools for Point-to-Site connections in VPN Gateway enable customers to assign distinct IP address pools to remote users based on their credentials.
With this capability, customers can organize remote users into separate groups and assign a unique IP address range to each group, enabling more granular access control for Azure workloads. User groups within a VPN Gateway can be defined based on Microsoft Entra ID group membership, certificate common name domains, or custom RADIUS attributes.
This feature helps customers strengthen security, enabling finer-grained access segmentation and policy enforcement for Azure workloads.
Update: Microsoft Entra ID token refresh support for Python, .NET, and JavaScript in Azure Database for PostgreSQL
You can now take advantage of Microsoft Entra ID token refresh support in Python, .NET, and JavaScript client libraries to simplify authentication in your applications backed by Azure Database for PostgreSQL. With this release, your applications can automatically refresh access tokens, helping you avoid authentication interruptions caused by token expiration. This update makes it easier for you to build resilient, long‑running services and background workloads without adding custom token‑management logic.
Generally Available: SQL Server on Azure VMs in Malaysia West, Indonesia Central
SQL Server on Azure Virtual Machines is now generally available in the Malaysia West and Indonesia Central Azure regions. With this regional expansion, you can deploy and manage SQL Server workloads closer to your users while helping meet data residency requirements in Malaysia and Indonesia.
Note: SQL Server unified management is not included in this regional enablement. You can learn more in the SQL Server Unified Management documentation.
Generally Available: langchain-azure-cosmosdb Python package for Azure Cosmos DB
You can now build production-ready AI and agent applications faster using the new LangChain and LangGraph integration for Azure Cosmos DB. This Python package enables you to directly use Cosmos DB for vector and hybrid search, semantic caching, chat history storage, checkpointing, and long-term memory, all within familiar LangChain and LangGraph workflows.
You can store and retrieve embeddings, combine full-text and vector search for more relevant results, cache LLM responses to reduce cost and latency, persist conversational history, and manage agent state with checkpointing for reliable execution. You no longer need to stitch together multiple services or databases for retrieval, memory, and orchestration. With Cosmos DB’s global distribution, scalability, and enterprise-grade reliability, you can build copilots, multi-agent systems, and knowledge assistants that operate efficiently at scale while keeping your operational and agentic data all in one place.
Generally Available: Schedule one-time or recurring migrations with Azure Storage Mover
Azure Storage Mover now supports built-in job scheduling, giving customers more control over when migrations run and making it easier to automate repeatable data transfers into Azure. Customers can configure jobs to start automatically at a specific date and time, or set up recurring runs to keep their target storage in sync with data from on-premises environments.
In the portal, customers can choose No schedule, a one-time schedule, or a recurring schedule. Recurring schedules support daily, weekly, and monthly frequency options. Schedules can also be enabled or disabled as needed, giving teams flexibility to align migrations with maintenance windows, business operations, or phased cutover plans.
Scheduling is designed to help teams reduce manual intervention while improving operational consistency for ongoing migrations and sync scenarios. This capability is positioned for scenarios such as off-hours movement, staged cutovers, and incremental syncs before final migration completion.
Generally Available: Azure Storage Mover Blob-to-Blob migration
Azure Storage Mover now supports Blob container-to-Blob container data transfers, enabling customers to move data seamlessly across regions, subscriptions, and accounts with a fully managed experience.
Customers can now use Azure Storage Mover to migrate data directly between Azure Blob containers with:
- Agentless, fully managed transfers—no infrastructure deployment required
- Support for large-scale parallel data movement, optimized for high throughput migrations
- Integrated job management, including progress tracking, resumability, and reliability controls across migrations
- Support for both flat namespace (FNS) and hierarchical namespace (HNS) accounts
Azure Storage Mover is optimized for high-throughput data transfer scenarios:
- Proven performance with multi-GB/s transfer speeds depending on workload characteristics and region topology
- Ability to handle large object counts and deep directory structures, enabling enterprise-grade migrations at scale
- Support for parallel job execution to maximize throughput across multiple workloads
Generally Available: site-to-site VPN connections with certificate authentication
Azure Site-to-Site VPN with digital certificate authentication provides an alternative to the traditional pre-shared key (PSK) model by using a certificate-based asymmetric trust model. In this configuration, Azure and the on-premises VPN device authenticate each other by using separate inbound and outbound certificates. The outbound authentication certificate is stored in Azure Key Vault and is accessed by the VPN Gateway through a user-assigned managed identity with the required Role-Based Access Control (RBAC) permissions. Because X.509 certificates use asymmetric keys and a trusted certificate chain to validate identity, this approach helps reduce the risk of impersonation and Internet Key Exchange (IKE) negotiation tampering.
Public Preview: Summarized advertised gateway prefixes for route advertisement
Summarized advertised gateway prefixes for route advertisement is now in public preview, enabling you to define summarized prefixes that Azure gateways, including ExpressRoute and VPN Gateway, advertise to on-premises networks, instead of advertising all individual virtual network address spaces.
With this capability, you can reduce the number of prefixes advertised to on-premises in large hub-and-spoke topologies, staying within ExpressRoute and VPN Gateway advertised-prefix quota. Instead of advertising hundreds of individual spoke prefixes, you can advertise covering prefixes (for example, 10.0.0.0/16), enabling larger-scale Azure environments without redesigning address plans or splitting virtual networks. Spoke address spaces not covered by the summarized prefix continue to be advertised individually, ensuring backward compatibility.
It supports both IPv4 and IPv6 configurations and works across ExpressRoute Gateway and VPN Gateway.
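The advertisement behaviour described above can be checked against an address plan before a summary is configured. The following is an added example, not Microsoft code or tooling: it computes which prefixes end up advertised and which address space inside a summary no spoke owns. The function names and sample prefixes are constructed, and it assumes configured summaries are always advertised.

```python
from ipaddress import ip_network, collapse_addresses

def plan_advertisement(spokes, summaries):
    """Return the prefixes on-premises would receive: every summary, plus each
    spoke not covered by one. Assumption (not stated in the announcement):
    configured summaries are always advertised."""
    nets = [ip_network(p) for p in spokes]
    sums = [ip_network(p) for p in summaries]
    individual = [n for n in nets
                  if not any(n.version == s.version and n.subnet_of(s) for s in sums)]
    return [str(n) for n in sums + individual]

def unallocated_inside(summary, spokes):
    """Address space the summary draws traffic for although no spoke owns it."""
    summary = ip_network(summary)
    remaining = [summary]
    for spoke in (ip_network(p) for p in spokes):
        if spoke.version != summary.version:
            continue
        kept = []
        for block in remaining:
            if spoke.subnet_of(block):
                kept.extend(block.address_exclude(spoke))  # carve the spoke out
            elif not block.subnet_of(spoke):
                kept.append(block)                         # untouched by this spoke
        remaining = kept
    return [str(n) for n in sorted(collapse_addresses(remaining))]

# Constructed sample address plan (not from the announcement).
SPOKES = ["10.0.0.0/24", "10.0.1.0/24", "10.0.3.0/24", "10.1.0.0/24", "2001:db8:1::/48"]
SUMMARIES = ["10.0.0.0/22"]

if __name__ == "__main__":
    print("advertised:", plan_advertisement(SPOKES, SUMMARIES))
    for s in SUMMARIES:
        print(s, "covers unowned space:", unallocated_inside(s, SPOKES))
```

A non-empty result from `unallocated_inside` means on-premises routers will forward traffic for those addresses toward Azure even though no virtual network holds them, so the summary should be tightened or the gap reserved.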
Generally Available: Azure Event Grid releases for April 2026
Azure Event Grid namespaces are expanding MQTT capabilities to help organizations build more connected, scalable, and MQTT V5 standards-based real-time solutions. These updates make it easier to deliver responsive device experiences, simplify backend integration, and accelerate modern IoT application development.
- MQTT Retain support: Deliver a better subscriber experience by ensuring new subscribers can immediately receive the latest known state for a topic, without waiting for the next message.
- Shared Subscriptions: Scale message processing more efficiently by distributing traffic across multiple consumers in the same subscription group, helping support higher throughput and more resilient architectures.
- HTTP Publish of MQTT messages: Bring HTTP-based applications into MQTT workflows with a simple publishing path that helps connect backend services, business applications, and device ecosystems more seamlessly.
Public Preview: Azure Event Grid Subscription Identifiers
Gain more flexibility in message handling with Subscription Identifiers by enabling subscribers to identify which subscription triggered delivery, helping streamline client-side processing in more advanced MQTT scenarios.
Together, these enhancements strengthen Azure Event Grid namespaces as a powerful foundation for modern MQTT messaging—making it easier to connect devices, applications, and cloud services with greater scale, flexibility, and operational simplicity.

