Trips
Notes, experiences, and practical thinking from the Azure world.
Identity / Microsoft Entra ID (57)
- Access package needs approval
- Access should expire automatically
- Admin account needs extra protection
- Admin must approve app access
- Admin needs role for 1 hour
- Admin role should be temporary
- Admin tasks need stronger login
- App needs certificate authentication
- App needs custom authorization
- App needs Entra login
- App needs Microsoft Graph access
- App needs secret authentication
- App uses Authorization Code Flow
- Automation needs identity
- Azure DevOps pipeline needs Azure access
- Background app needs access
- CLI/device app needs login
- Company wants branded login page
- Company wants custom domain login
- Company wants passwordless login
- Company wants phishing-resistant login
- Contractor needs temporary access
- Contractor needs time-limited access
- Cross-tenant partner needs access
- Customer identities need sign-up/sign-in
- Department needs collaboration mailbox/team
- Device must join cloud identity
- Devices should join group automatically
- GitHub workflow needs Azure access
- Guest access must be reviewed
- Helpdesk should manage only one department
- HR sends 50 new users
- Lost laptop needs recovery key
- Need to inspect login token
- Need to know who changed identity settings
- Need to know why login failed
- New employee needs Azure access
- Old apps use insecure sign-in
- On-prem device needs cloud identity
- Only office countries should sign in
- Partner tenant must be trusted
- Partner users must sync automatically
- PIM request needs manager approval
- Risky user sign-in detected
- SaaS app needs SSO
- Sign-in risk must be remediated
- SPA app needs secure login
- Team needs shared permissions
- User forgot password
- User has no phone yet
- User left company
- User needs verifiable digital credential
- User risk must be remediated
- User was deleted by mistake
- Users need password reset without admin
- Users should join group automatically
- Workload should not store secrets
Governance, Subscriptions, Cost, and Resource Management (29)
- Built-in role is too broad
- Cloud adoption needs standard patterns
- Company needs custom rule
- Compute usage should be discounted
- Costs must be split by team
- Costs need department tracking
- Deployment fails because provider missing
- Leadership needs cloud cost view
- Monthly spend must be controlled
- Multiple policies must apply together
- Multiple subscriptions need hierarchy
- Need access only to one resource
- Need cost/security recommendations
- Need least-privilege access
- Need search across subscriptions
- Need standard enterprise structure
- Need to check why user has access
- New subscriptions must be created consistently
- Predictable usage should cost less
- Region deployment fails because of quota
- Resource is in the wrong group
- Resource must not be deleted
- Resource must not be modified
- Resources must only be in approved regions
- Subscription needs governance
- Team needs spend warning
- Temporary exception is needed
- User needs limited Azure access
- You need a clean project boundary
Networking (54)
- Admin needs secure VM access
- App needs private network
- Branch traffic must be forced through firewall
- Custom service should expose Private Link
- Datacenter needs Azure tunnel
- DNS name must point to app
- Encrypted traffic needs inspection
- Enterprise needs private circuit
- Firewall rules need central policy
- Front Door needs multiple origins
- Front Door needs routing logic
- Global branch network needs hub
- Global DNS failover needed
- Global traffic needs regional balancing
- Global web app needs edge entry
- Headers/URLs need modification
- HTTP app needs Layer 7 routing
- Hybrid DNS needs resolver
- Inbound firewall publishing needed
- Internet egress needs static IP
- Load balancer needs health check
- Many VNets need central governance
- Need packet-level evidence
- Need to see why traffic is blocked
- Need traffic flow records
- Network issue must be diagnosed
- Network needs firewall inspection
- Office needs private Azure connection
- PaaS access should stay on Azure backbone
- PaaS network boundary needed
- Port 443 must be allowed
- Private service needs private name
- Public app needs DDoS protection
- Rule should target app servers only
- Secure hub needs central inspection
- Spoke networks need central hub
- Storage must be private only
- Subnet needs custom route
- Subnet needs traffic filtering
- Threat traffic must be blocked
- Traffic must use custom path
- Traffic needs next-hop control
- Two ExpressRoute circuits must connect
- Two VNets need private communication
- URLs need different backend pools
- User needs laptop VPN to Azure
- Virtual WAN traffic needs control
- VM cannot reach endpoint
- VM needs internet address
- VM needs network adapter
- VNets in different regions need connection
- Web app needs OWASP protection
- Web app needs traffic distribution
- Workload needs network segment
Compute, Web, and Serverless (41)
- API endpoint needed fast
- App Service needs VNet access
- Batch processing needed
- Cheap interruptible VM needed
- Code must be deployed quickly
- Container app must scale by traffic
- Container app needs revision rollout
- Dedicated hardware required
- Fast temporary OS disk needed
- Lightweight container needs hosting
- Long workflow function needed
- Low-latency VM placement needed
- Many tasks need parallel execution
- Need command without RDP/SSH
- Need Linux server quickly
- Need many identical VMs
- Need reusable VM template
- Need Windows server quickly
- New version must go live safely
- Patch management needed
- Scheduled job needed
- Sensitive workload needs hardware isolation
- Short background container task needed
- Simple web app needs hosting
- Small code should run on event
- Spot workload needs eviction control
- VM boot chain must be protected
- VM configuration needs automation
- VM is too small
- VM needs agent/script install
- VM needs extra storage
- VM won’t boot
- VMs must scale automatically
- VMs need datacenter fault protection
- VMs need zone resilience
- Web app needs backup
- Web app needs custom domain
- Web app needs HTTPS
- Web app needs more instances
- Web app needs more power
- Web app needs staging environment
Storage (34)
- Admin needs GUI for storage
- App needs blob change tracking
- App needs cloud storage
- App needs shared file system
- App needs simple key-value table
- App needs simple queue
- App sends background work
- App uses account key
- Blob must keep old versions
- Blob must not be modified
- Blob must replicate to another account
- Browser app needs cross-origin access
- Data lake analytics needed
- Deleted blob must be recoverable
- Different data needs different encryption
- File must be uploaded to cloud
- File share needs high performance
- File share needs point-in-time recovery
- Files need object storage
- Large file transfer needed
- Legal hold required
- Linux app needs NFS share
- Need inventory of blobs
- Old data must move to cheaper tier
- Partner needs SFTP upload
- Retention period required
- SAS access must be revocable
- Static website needs cheap hosting
- Storage must block public networks
- Storage needs customer keys
- Storage needs regional redundancy
- Storage needs zone redundancy
- Temporary file access needed
- VM needs mounted shared drive
Databases, Data, and Analytics (37)
- App needs cache
- App needs consistency control
- App needs MySQL
- App needs NoSQL globally
- App needs PostgreSQL
- App needs relational database
- App reacts to Cosmos changes
- Cache data must persist
- Cosmos app needs container
- Cosmos data needs analytics
- Cosmos needs backup policy
- Cosmos needs multi-region writes
- Cosmos performance depends on design
- Data pipelines needed
- Database must be private
- Database was damaged
- Developer needs SQL connection
- ETL workflow needed
- Large-scale analytics workspace needed
- On-prem data source needed
- PostgreSQL needs backup restore
- PostgreSQL needs high availability
- Read-heavy PostgreSQL app
- Real-time analytics needed
- SQL access must be restricted
- SQL database needs scaling
- SQL needs auditing
- SQL needs automatic failover
- SQL needs multiple databases with shared resources
- SQL needs point-in-time recovery
- SQL needs secondary region
- SQL needs tamper evidence
- SQL needs threat protection
- SQL needs very large scale
- SQL Server compatibility needed
- Time-series analytics needed
- Visual data transformation needed
Containers, Kubernetes, and DevOps (34)
- Admin needs cluster access
- AKS needs monitoring
- AKS needs separate machine pools
- AKS scaling by events needed
- App needs internal/external endpoint
- App needs managed replicas
- App needs zero-downtime update
- App package needs installation
- Basic overlay networking needed
- Cluster config should come from Git
- Cluster needs controlled upgrade
- Cluster should be private
- Code needs CI/CD
- Container images need registry
- Dev environment needed on demand
- End-to-end tests need cloud scale
- Flux should sync manifests
- GitHub repo needs deployment
- HTTP routing needed
- Kubernetes app needs more replicas
- Local image must go to Azure
- Microservices need sidecars
- Need to run one container in AKS
- Nodes must autoscale
- Pods need Azure identity
- Pods need network restrictions
- Pods need resource recommendation
- Pods need VNet IPs
- Production Kubernetes needed
- Release needs safe cutover
- Runtime needs image from registry
- Services need mesh traffic control
- Simple container needs hosting
- Team needs isolation in cluster
Security (34)
- Admin login needs conditional access
- AI assistance needed for security
- App needs encryption key
- App needs secret storage
- App should access secrets without password
- Certificate must be managed
- Cloud security posture needed
- Compliance status needed
- Customer-owned HSM needed
- Data governance needed
- Data leakage must be blocked
- Dedicated HSM needed
- External access must be reviewed
- Identity risk needs protection
- Incident must be investigated
- Incident needs workflow
- Insider risk must be detected
- Managed identity needs secret access
- Password must be stored securely
- Privacy requests need tracking
- Privileged admin needs approval
- Repeated response must be automated
- Security logs must be ingested
- Security score needs improvement
- Sensitive data needs labels
- SIEM workspace needed
- SOC dashboard needed
- Storage needs customer key
- Suspicious activity needs detection
- Threat list needed
- User/app needs vault access
- VM admin port should open only when needed
- VM disk must be encrypted
- Vulnerabilities must be checked
Monitoring and Observability (27)
- Alert needs notification
- Alert should learn normal behavior
- Alerts need suppression window
- App dependencies need visualization
- App performance needs monitoring
- App should detect failures automatically
- App telemetry should use open standard
- Container workload needs monitoring
- Dashboard-style report needed
- Distributed app needs tracing
- Failed deployment needs diagnosis
- Kubernetes metrics needed
- Logs need central workspace
- Logs need querying
- Metrics dashboard needed
- Metrics need alerting
- Operations need visual dashboard
- Recent platform changes need review
- Resource logs must be collected
- Resource needs monitoring
- Server dependency map needed
- SQL performance needs monitoring
- Storage performance needs monitoring
- VM logs need modern collection
- VM performance needs monitoring
- Web requests need tracing
- Website uptime must be checked
Integration, Messaging, and APIs (25)
- API needs OAuth protection
- API needs transformation/security
- API needs versioning
- APIs need central gateway
- App must send message
- App needs event routing
- App needs reliable queue
- App reads event stream
- App sends telemetry events
- B2B integration needed
- Business workflow needed
- EDI documents need processing
- Enterprise workflow needed
- Event must trigger another service
- Events need automatic archive
- Existing API needs publishing
- Failed messages need investigation
- High-volume event streaming needed
- HTTP trigger workflow needed
- Many apps need event domains
- Many subscribers need same event
- On-prem API needs gateway
- Ordered processing needed
- Subscriber needs filtered messages
- Worker must receive message
Hybrid, Migration, and Virtual Desktop (28)
- Arc machine needs extension
- AVD costs need control
- Cloud desktop needed
- Cloud sync rules needed
- Data services need hybrid deployment
- Database must move to Azure
- Domain users need seamless login
- Hybrid platform needs bridge
- Hybrid servers need policy
- Kubernetes outside Azure needs management
- Large data transfer needed
- Lightweight sync needed
- Migration inventory needed
- Migration readiness needed
- Multiple forests must sync
- On-prem app needs remote access
- On-prem environment needs Azure-style platform
- On-prem identities need cloud sync
- On-prem server needs Azure management
- Password hashes need sync
- Passwords must stay validated on-prem
- Private app access needed
- Server admin needs browser management
- SQL outside Azure needs Azure governance
- Sync health must be monitored
- User needs virtual desktop session
- User profiles need persistence
- VM must move to Azure
Backup, Disaster Recovery, and Resilience (22)
- App needs multi-region design
- App Service needs disaster recovery
- ASR agent needed
- Azure backup boundary needed
- Backup failures need alerts
- Backup must not be deleted
- Backup must restore in paired region
- Backup reporting needed
- Backup schedule needed
- Cosmos DB needs disaster recovery
- DR must be tested safely
- Modern backup boundary needed
- Outage failover needed
- Planned maintenance failover needed
- Resilience needs validation
- SQL database needs backup
- SQL needs disaster recovery
- Storage account region failed
- Storage needs regional recovery
- VM must be backed up
- VM needs disaster recovery
- VM was deleted/damaged
AI, Search, and Machine Learning (31)
- AI app must be attacked safely
- AI project workspace needed
- Answers need source validation
- App must choose best model
- App needs autonomous workflow
- App needs content moderation
- App needs GPT model
- App needs speech-to-text
- App needs text intelligence
- App needs translation
- Chatbot needs company knowledge
- Documents must enter search
- Documents need search
- Enterprise AI hub needed
- Forms need extraction
- Harmful output must be filtered
- Invoice/form needs structured data
- ML project needed
- ML workflow needs automation
- Model needs customization
- Model needs deployment
- Model needs training
- Model output must be measured
- Multiple agents need collaboration
- Need test prompts quickly
- Prompt workflow needed
- RAG output must be tested
- Search needs schema
- Search needs vector retrieval
- Search relevance must improve
- Unstructured files need understanding
IoT, Edge, Developer Tools, and Extra Azure Services (17)
- API landscape needs inventory
- App needs load testing
- App resilience needs fault injection
- App settings need central management
- Code/artifacts need signing
- Developers need test labs
- Devices need cloud messaging
- Edge device needs local processing
- Low-code internal app needed
- Many devices need auto-enrollment
- Mobile app needs push notifications
- Physical environment needs digital model
- Real-time maps needed
- Secrets/config need feature flags
- Static frontend needs simple hosting
- Users need SMS/voice/email/chat
- Web app needs real-time messaging