A Cloud Architect’s Guide to Azure SQL Service Selection and Pricing

For cloud architects, designing the right database platform in Azure is never just a question of “where should SQL Server live?” The real challenge lies in matching the correct Azure SQL deployment option with workload requirements while keeping cost predictable and optimized.

Azure SQL offers multiple deployment models, pricing levers, and architectural trade-offs. This guide unpacks those details, giving architects a framework to design solutions that balance performance, availability, and cost.


Azure SQL Deployment Models: Choosing the Right Service

Azure SQL exists in three primary forms, each targeting different modernization or migration scenarios:

Azure SQL Database (Single Database or Elastic Pools)

What It Is

  • Fully managed database service.
  • Ideal for new apps, SaaS solutions, or when you don’t need full SQL Server feature parity.
  • Target Workloads: Modern cloud-native apps, SaaS multi-tenant apps, microservices.
  • Service Nature: Microsoft manages patching, backups, HA, and DR.
  • Granularity: Provisioned as a single logical database or grouped into elastic pools to share resources across multiple databases.
  • Architectural Fit: Best when apps can tolerate some redesign and do not depend on server-level features (SQL Agent, cross-database queries).

Pros

  • No patching, backups, or HA configuration needed → Microsoft handles it.
  • Automatic scalability with options like serverless compute.
  • High availability built-in (99.99% SLA).
  • Geo-replication is a couple of clicks away.
  • Elastic pools save costs when workloads vary.
  • Lowest administrative overhead → focus shifts from infrastructure to schema design and performance.

Cons

  • Feature gaps vs. on-prem SQL (no SQL Agent, limited cross-database queries, no CLR).
  • Limited control (can’t access OS, registry, or certain trace flags).
  • Migration friction → legacy apps that rely on SQL Server features might break.

Azure SQL Managed Instance (MI)

What It Is

  • Target Workloads: Enterprise apps requiring high SQL Server compatibility.
  • Service Nature: Managed PaaS with near 100% SQL Server feature parity.
  • Key Features: SQL Agent, linked servers, cross-database queries, CLR, Service Broker.
  • Architectural Fit: Lift-and-shift scenarios from on-prem SQL Server without major refactoring.

Pros

  • Instance-level features supported (SQL Agent, cross-database queries, Service Broker, CLR, linked servers).
  • Easier migration → lift-and-shift many existing apps.
  • Same PaaS perks as Azure SQL Database → backups, patching, HA, geo-replication, and scaling.
  • Native VNET support → better isolation and security for enterprises.

Cons

  • Higher cost than Azure SQL Database.
  • Longer deployment times (can take hours to provision).
  • Less flexibility than SQL on VM (e.g., OS-level customization not possible).
  • Scaling isn’t instantaneous – downtime may be needed to resize.

SQL Server on Azure Virtual Machines (IaaS)

What It Is

  • Target Workloads: Legacy workloads, OS-level dependencies, or when granular control over patching/registry/config is required.
  • Service Nature: IaaS: full control of the VM OS, SQL Server, and patching.
  • Architectural Fit: Transitional strategy or last resort when dependencies block PaaS adoption.

Pros

  • Full control over SQL Server and OS (registry edits, custom trace flags, SSRS/SSIS, third-party agents).
  • Feature parity with on-prem SQL → nothing is missing.
  • Migration simplicity → true lift-and-shift; just move your VM.
  • Choice of HA/DR strategy (AlwaysOn AG, Failover Cluster, log shipping).

Cons

  • You manage everything → patching, backups, HA, DR, monitoring.
  • High operational overhead → DBAs become sysadmins again.
  • Scaling is manual and disruptive (resize VM, manage storage IOPS, etc.).
  • More expensive in the long run when you include ops and licensing overhead.

Tip: Start with a PaaS-first mindset (SQL Database or Managed Instance). Default to VMs only if blockers exist (custom extensions, OS-level agents).


Azure SQL Options: Side-by-Side Comparison

| Feature / Factor | Azure SQL Database | Azure SQL Managed Instance | SQL Server on Azure VMs |
|---|---|---|---|
| Service Type | PaaS (database-level) | PaaS (instance-level) | IaaS (full VM + SQL Server) |
| Admin Overhead | Lowest (Microsoft handles HA, patching, backups) | Low (Microsoft manages infra; you manage schema & jobs) | Highest (you manage OS, SQL, HA/DR, patching, backups) |
| Compatibility | Limited (no SQL Agent, limited cross-DB) | Near 100% with on-prem SQL | Full parity (exact same as on-prem) |
| Scalability | Serverless, auto-scale, elastic pools | Scale up/down (some downtime) | Manual VM resize; downtime |
| HA / DR | Built-in, automatic 99.99% SLA | Built-in, automatic 99.99% SLA | You design and manage AlwaysOn, Failover Clusters, etc. |
| Networking | Public endpoint or Private Link | Native VNET integration | Full VNET and OS-level networking |
| Best For | Modern apps, SaaS, dev/test, greenfield workloads | Migrating existing apps needing SQL Agent / cross-DB queries | Legacy apps, full OS control, custom SQL features |
| Cost | Lowest overall | Moderate (higher than SQL DB) | Highest (infra + admin + licensing) |

Deployment Methods, Service Tiers, and Compute Tiers

One reason Azure SQL pricing can feel complex is the number of layers that influence cost. Your bill depends not only on the pricing model (DTU or vCore) but also on the deployment method, service tier, and compute tier you choose.

Deployment Methods

Azure SQL supports three deployment approaches:

  • Single Database – A dedicated database with isolated resources. Best for applications requiring their own database or where workloads are independent.
  • Elastic Pool – A group of databases sharing a common resource pool. Ideal when you have multiple small databases with varying usage patterns.

Service Tiers

Service tiers define performance, availability, and resilience:

  • General Purpose (Standard) – Balanced performance and cost. Uses remote storage and is sufficient for most production workloads.
  • Business Critical (Premium) – Built on SSD-based local storage with low latency and higher resilience (Always On availability groups). Best for mission-critical OLTP workloads.
  • Hyperscale – A distributed architecture scaling up to 100 TB. Ideal for massive OLTP or hybrid transactional/analytical systems. Offers fast scaling, rapid backups, and read-scale out replicas.

Compute Tiers

Compute is billed in one of two ways:

  • Provisioned Compute – Fixed number of vCores allocated and always running. Best for steady, predictable workloads that require consistent performance.
  • Serverless Compute – Automatically scales with demand and can auto-pause during idle times. Billed per second of usage, making it excellent for dev/test or production workloads with unpredictable demand.

Provisioned vs. Serverless Compute Tiers

Within the General Purpose and Hyperscale service tiers of Azure SQL Database, you have two choices for compute: Provisioned or Serverless. Each model is designed for different workload patterns.

Provisioned Compute

  • How it works: You pre-allocate a fixed number of vCores that are always running.
  • Best for: Predictable, steady workloads with consistent CPU demand (e.g., production OLTP systems).
  • Pricing: You pay for the compute at the provisioned rate, regardless of whether the database is actively used.
  • Advantages:
    • Predictable performance.
    • Easier to estimate monthly costs.
    • Ideal for 24×7 production workloads.

Serverless Compute

  • How it works: Compute scales automatically based on workload demand, measured in vCores per second. The database can auto-pause during idle times and resume on activity.
  • Best for: Bursty, intermittent, or unpredictable workloads (e.g., development/test databases, SaaS apps with variable usage).
  • Pricing:
    • Billed by the second for actual vCore usage.
    • You also pay for storage and backup regardless of activity.
  • Advantages:
    • Significant cost savings for infrequently used databases.
    • Auto-pause eliminates unnecessary compute costs.
    • Ideal for dev/test or seasonal apps.
  • Considerations:
    • Cold-start latency when resuming from auto-pause.
    • Less predictable monthly cost if workload patterns fluctuate heavily.

Architectural Guidance

  • Use Provisioned when your database is part of a business-critical production system that needs consistent throughput.
  • Use Serverless for non-production or spiky workloads where compute demand is irregular, and cost efficiency outweighs absolute performance consistency.
  • Both tiers are available in General Purpose (balanced performance) and Hyperscale (for very large databases with auto-scale capability).

Tip: Think of these decisions as layers. Choose the deployment method (Single, Elastic Pool, Managed Instance), the service tier (General Purpose, Business Critical, Hyperscale), and then the compute tier (Provisioned or Serverless). Together, these define your performance profile and cost structure.


Pricing Models in Depth

Azure SQL has two distinct billing approaches:

DTU-Based Model (Simplified)

  • Bundles compute + storage + I/O into Database Transaction Units.
  • Pros: Easy to size small workloads, predictable flat pricing.
  • Cons: Limited transparency and flexibility; not ideal for scaling or enterprise workloads.

vCore-Based Model (Flexibility and Transparency)

  • Separates compute, memory, and storage, priced per virtual core.
  • Licensing Advantage: Supports Azure Hybrid Benefit, allowing reuse of existing SQL Server licenses with Software Assurance.
  • Performance Tiers:
    • General Purpose – Balanced, built on remote storage.
    • Business Critical – Premium SSD, low latency, built-in HA.
    • Hyperscale – Cloud-native architecture with distributed log and page servers; supports up to 100 TB.

Another key difference: in the vCore model, costs are itemized. You pay separately for compute, storage, I/O, and backup retention. This provides transparency and control but also requires more planning.

One of the most valuable features for enterprises is the ability to apply the Azure Hybrid Benefit. If you already own SQL Server licenses with Software Assurance, you can bring them to Azure and save 25–30% on vCore costs. It’s a cloud equivalent of “bring your own license,” similar to how you can bring Windows Server licenses to Azure VMs.

In short: vCores deliver granularity and cost optimization opportunities, making them the preferred model for complex or enterprise workloads that demand control and transparency.

It’s important to note that vCores are not a direct replacement for DTUs. Instead, the vCore model represents the next level of Azure SQL Database, designed for more complex scenarios where organizations require greater control over the allocation of CPU, memory, and storage resources.

Tip: For enterprise-grade deployments, vCore is the default choice. It aligns with on-prem licensing models, offers reserved capacity discounts, and provides transparency into resource allocation.


Azure SQL Deployment Options: Architecture & Pricing Comparison

| Service | Service Type | Best-Fit Workloads | Pricing Model(s) | Performance Tiers | Key Strengths | Key Considerations |
|---|---|---|---|---|---|---|
| Azure SQL Database (Single DB / Elastic Pool) | PaaS | Cloud-native apps, SaaS multi-tenant DBs, microservices | DTU (legacy) or vCore | GP, BC, Hyperscale, Serverless | Fully managed; auto-scale; elastic pools for cost efficiency | Limited SQL Server feature set (no SQL Agent, limited cross-DB features) |
| Azure SQL Managed Instance (MI) | PaaS (near-full SQL Server compatibility) | Lift-and-shift enterprise apps, monolithic DBs needing SQL Agent/cross-DB joins | vCore only | GP, BC, Hyperscale (preview in some regions) | High compatibility; automatic patching/HA; Hybrid Benefit support | Higher base cost vs SQL DB; some network isolation/latency considerations |
| SQL Server on Azure Virtual Machines (IaaS) | IaaS | Legacy workloads with OS-level dependencies, apps requiring custom agents or specific SQL configs | Pay-as-you-go or Reserved VM pricing + SQL License (License Included or Hybrid Benefit) | Depends on VM size and storage | Full control (OS, registry, SQL versioning); easy migration path | Full responsibility for patching, backups, HA/DR; more ops overhead |
| Azure SQL Hyperscale (subset of SQL DB/MI) | PaaS (distributed architecture) | Large OLTP or analytical workloads >1TB scaling up to 100TB | vCore | Hyperscale only | Cloud-native architecture; instant scale-out read replicas; rapid auto-grow | Higher cost if workload doesn’t need hyperscale; feature differences vs BC |

Cost Components and Architectural Impact

When planning an Azure SQL deployment, architects must account for multiple pricing levers:

  1. Compute – Scales by vCores; reserved capacity can cut cost by up to 33%.
  2. Storage – Performance tier matters (standard vs premium SSDs, hyperscale distributed).
  3. Backup Storage – 7–35 days included; Long Term Retention adds Blob storage charges.
  4. Licensing – Hybrid Benefit reduces compute costs by up to 55%.
  5. HA/DR – Geo-replication and zone redundancy add cost but may be non-negotiable for SLAs.

Service Selection Framework for Architects

When designing, use these guiding questions:

  • Is the workload cloud-native and isolated per app? → Azure SQL Database (single/elastic pool).
  • Is the workload monolithic, or does it require server-level features? → Managed Instance.
  • Is the workload highly legacy-dependent with OS-level needs? → SQL on VM.
  • Does the workload require >100 TB? → Hyperscale.
  • Do SLAs demand low latency and multiple replicas? → Business Critical tier.
  • Is the budget licensing-sensitive? → Leverage Hybrid Benefit and reserved capacity.

Cost Optimization Strategies for Architects

Designing for performance is only half the story; true architectural success in Azure SQL also requires cost optimization. Here are the most impactful strategies cloud architects should apply:

  • Leverage Azure Hybrid Benefit for Licensing Savings
    If you own on-premises SQL Server licenses with Software Assurance, apply Azure Hybrid Benefit to reduce vCore costs. This is particularly valuable for production workloads running in provisioned compute tiers, where dedicated resources are always billed.
  • Right-Size Workloads with Telemetry
    Continuously monitor performance using Azure Monitor, Query Performance Insight, and Advisor recommendations. These tools help you identify underutilized resources, high-cost queries, or inefficient scaling patterns so you can adjust compute, storage, or tier accordingly.
  • Choose the Correct Service Tier for the Workload
    Don’t overprovision. Use General Purpose/Standard for most workloads, and only choose Business Critical/Premium or Hyperscale when latency, throughput, or database size requirements justify the added cost.
  • Use Serverless Compute for Variable or Intermittent Demand
    In General Purpose and Hyperscale tiers, serverless compute automatically scales based on demand and can auto-pause when idle. This ensures you only pay for compute when it’s used, making it ideal for dev/test, SaaS with unpredictable workloads, or seasonal applications.
  • Consolidate Databases with Elastic Pools or Multi-Tenant Models
    Running many small, underutilized databases separately increases both compute and administrative overhead. Elastic pools allow databases with varying usage patterns to share a common pool of resources, improving efficiency and lowering costs.
  • Commit to Reserved Capacity for Predictable Workloads
    If you know your workload will run continuously, commit to 1- or 3-year reserved capacity. This can reduce compute costs by up to 30–33% compared to pay-as-you-go.
  • Optimize Backup and Retention Policies
    Automated backups are included, but long-term retention adds extra cost. Define retention policies that match business and compliance needs, and periodically prune old backups to avoid unnecessary storage charges.
  • Plan Geo-DR Strategically
    High availability and geo-replication provide resilience but come at a cost since each replica incurs additional compute. Evaluate whether geo-replicas are required for all workloads, or if backup-based disaster recovery is sufficient for less critical databases.
  • Leverage Dev/Test Pricing for Non-Production
    For development and testing environments, use discounted Dev/Test subscriptions to save significantly on licensing and compute.

Closing Thoughts

For cloud architects, Azure SQL pricing is an architectural decision as much as it is a financial one. Choosing between Database, Managed Instance, or VM-based SQL requires evaluating workload architecture, licensing posture, SLAs, and growth trajectory.

The good news: Microsoft has matured Azure SQL into a flexible platform. With the right design approach, PaaS-first mindset, workload alignment, and proactive cost governance, architects can deliver resilient, performant, and cost-effective SQL services that scale with the business.

Key takeaway: Don’t default to “lift and shift”. Evaluate features, tiers, and pricing levers deliberately. Cost optimization starts at design.

Thank you for stopping by. ✌️

Microsoft 365 Admins: September 2025 Retirements, Security Shifts, and Copilot Usage Insights – Here’s Your Definitive Guide

September 2025 is shaping up to be one of the most impactful months for Microsoft 365 admins this year. From long-awaited retirements (farewell, Classic eDiscovery and Azure AD Graph API) to robust new features (Progressive Alert Scoring, SharePoint smart tagging, and Copilot usage metering), this month is packed with changes that demand action and attention.

Whether you’re in charge of compliance, identity, collaboration, or cloud security, this comprehensive guide gives you what you need to stay one step ahead.

September at a Glance

| Category | Count |
|---|---|
| 🔻 Retirements | 9 |
| 🆕 New Features | 13 |
| 🔧 Enhancements | 10 |
| 🔄 Changes in Functionality | 4 |
| ⚠️ Action Required | 6 |

Retirements: Legacy Features You Can Let Go

1. Classic Message Trace (Exchange Online)

Sep 1, 2025 – Legacy UI and cmdlets (Get-MessageTrace, Get-MessageTraceDetail) retired.
Do this: Update to Get-MessageTraceV2 and use the modern EAC interface.
🔗 Ref

2. Client Access Rules (Exchange Online)

Sep 1, 2025 – Deprecated in favor of Conditional Access with Continuous Access Evaluation.
Do this: Migrate access controls to Entra Conditional Access.
🔗 Ref

3. Classic eDiscovery (Premium)

Sep 1, 2025 – Fully removed from Purview.
Do this: Move to Unified eDiscovery for better search and case handling.
🔗 Ref

4. Mobile Devices Page in Outlook Web

Sep 9, 2025 – Removed from OWA and New Outlook.
Do this: Use the My Account portal or native device management tools.
🔗 Ref

5. Cognitive Services & Azure ML in Power BI

Sep 15, 2025 – AI features being pulled in favor of Microsoft Fabric AutoML.
Do this: Transition to Microsoft Fabric for ML workloads.
🔗 Ref

6. Microsoft To Do Ends Support for iOS 16/macOS 12

Mid-Sep 2025 – No updates for outdated devices.
Do this: Update org device baselines to iOS 17 / macOS 13+.
🔗 Ref

7. Defender for Cloud Apps: Sub-Domains Visibility

Sep 22, 2025 – Low-use feature retired.
🔗 Ref

8. Legacy MFA & SSPR Method Management

Sep 30, 2025 – Management of authentication methods moves to the unified policy.
Do this: Transition to converged authentication methods now.
🔗 Ref

9. Azure AD Graph API

Early Sep 2025 – All apps must migrate to Microsoft Graph.
Do this: Use Entra admin center’s Recommendations tab to identify affected apps.
🔗 Ref


New Features: Worth the Hype

1. Progressive Alert Scoring in Insider Risk Management
Assess user activity multiple times per day instead of once every 24 hours. Get near real-time insights into risky behavior.
🔗 Ref

2. High Volume Exchange Email (HVE)
Send large volumes of internal mail for LOB applications and SMTP use cases—beyond standard Exchange Online limits.
🔗 Ref

3. Information Barriers in Microsoft Planner
Prevents users from discovering non-segmented users while sharing Planner plans via web and Teams.
🔗 Ref

4. Silent Test Calls in Teams
Simulate Teams call quality for network diagnostics—now available for Windows and Mac (Teams Premium required).
🔗 Ref

5. Rule-Based App Management in Teams
Set app permissions and availability based on scopes and publisher trust—control Microsoft 365 certified apps centrally.
🔗 Ref

6. New Secure Score Recommendations
Enhance security posture with new recommendations:
• Remove inactive service accounts
• Remove passwords from AD attributes
🔗 Ref

7. Teams + Defender for Office 365 Integration
Manage allow/block lists for external domains using the Tenant Allow/Block List (TABL) in Microsoft Defender.
🔗 Ref

8. New SharePoint Workflows
Power Automate-based automation embedded in SharePoint with natural language, Madlib-style editor, and better UI.
🔗 Ref

9. Retention Based on Last Accessed
Configure Purview retention policies for OneDrive and SharePoint based on when files were last accessed.
🔗 Ref

10. Priority Cleanup in Data Lifecycle Management
Allows deletion of SharePoint/OneDrive items before retention expires. Includes dual admin approval, simulation mode, and logs.
🔗 Ref

11. Copilot Usage Report
Monitor and manage costs from Copilot Chat with detailed reporting on metered message usage by user, agent, and policy.
🔗 Ref

12. Smart Tags for eSigned Docs in SharePoint
Automatically tag signed documents and add metadata columns for signature status and provider.
🔗 Ref

13. Teams Private Channel Expansion
Big lift for Teams limits:
• 1000 private channels per team
• 5000 members per private channel
• Meeting scheduling and DLP support
🔗 Ref


Enhancements: Small but Mighty

  • Auto Work Location Detection in Teams – Based on Wi-Fi or peripherals.
  • Updated SharePoint Page Analytics – Up to 365-day view history, reactions, shares, and Excel exports.
  • Purview Diagnostics Access – Now available to more admin roles.
  • Outlook Mail Merge (Advanced) – Dynamic fields and personalizations now in web and Windows clients.
  • Authenticator Improvements – No more number matching for same-device logins, cleaner FRX setup.
  • SharePoint Smart Tagging – Auto-adds metadata for eSigned documents.
  • Teams Join URL Validation – Ensure rewritten links don’t break meeting joins.
  • License Assignment Path in Admin Center – Easily view direct vs group-based license sources.
  • Streamlined Purview DLP Alert Settings – Sync alert states between portal and PowerShell.
  • Teams Auth Module Updates – New app permissions required: GroupMember.Read.All, RoleManagement.Read.Directory.

Functionality Changes: Take Note

  • Access Review History Limited to 12 Months
    Export old data now using Microsoft Graph or Azure Data Explorer.
    🔗 Ref
  • Defender for Identity Alert Migration to XDR
    Update alert workflows and exclusions for XDR platform.
    🔗 Ref
  • OneDrive: Unlicensed Accounts Enter Read-Only Mode
    Deadline: July 28 → Enforcement: Sep 26, 2025
    🔗 Ref
  • DLP Rule Visibility Fix in Portal
    Now reflects accurate status if disabled via PowerShell.
    🔗 Ref

Action Items: Handle These Before the Alarm Bells Ring

| Deadline | Task |
|---|---|
| Sep 1, 2025 | Migrate to new Message Trace, Unified eDiscovery, Conditional Access |
| Sep 2, 2025 | Create Azure DevOps–specific Conditional Access policy |
| Sep 14, 2025 | Update Teams PowerShell app permissions |
| Sep 15, 2025 | MFA required for credential management in Entra |
| Sep 30, 2025 | Converge legacy MFA and SSPR policies |
| Ongoing | Migrate apps from Azure AD Graph to Microsoft Graph |

Final Thoughts

September 2025 is a turning point month for Microsoft 365 environments. Between the retirement of major legacy features and a flood of next-gen tools and AI insights, it’s clear that Microsoft is pushing the ecosystem toward tighter security, smarter automation, and more control for admins.

  • Bookmark this guide.
  • Review your tenant configurations.
  • Communicate changes to your teams.
  • Knock out required actions before deadlines bite.

Because in enterprise IT, proactive beats reactive every time.

Thank you for stopping by. ✌️

Microsoft 365 Admins: August 2025 Ushers in Major Retirements, AI-Powered Features & Key Compliance Shifts – Here’s Your Definitive Guide

If you thought July was intense, buckle up: August 2025 is a heavyweight month for Microsoft 365 changes. Between legacy retirements, AI-driven security enhancements, and new controls across Teams, Outlook, and Purview, this is not the month to sleep on your Message Center.

Whether you’re managing governance, fine-tuning DLP, or trying to avoid last-minute fire drills, this guide breaks it all down into what’s retiring, what’s new, and what needs your immediate attention.

August at a Glance

| Category | Count |
|---|---|
| 🔻 Retirements | 4 |
| 🆕 New Features | 7 |
| 🔧 Enhancements | 3 |
| 🔄 Changes in Functionality | 1 |
| ⚠️ Action Needed | 3 |

Retirements: Say Farewell to These Legacy Tools

1. Classic eDiscovery in Microsoft Purview

August 1, 2025 — Say goodbye to Classic eDiscovery, including Content Search, eDiscovery (Standard), and (Premium).
What to do: Migrate to the unified eDiscovery experience for better search, performance, and compliance.
🔗 Learn more

2. Project for the Web & Project in Teams

Early-August 2025 — Microsoft is sunsetting Project for the web. Users will be redirected to Planner and Portfolios.
What to do: Migrate Roadmap data to Portfolios and update any pinned tabs in Teams.
🔗 Details

3. Outlook for Mac: Legacy Switch Retires

Mid-August 2025 — New Outlook becomes default for Mac (v16.100+). Admin toggle to revert will be retired.
What to do: Prepare users for permanent shift by October 2025 (v16.102).
🔗 More info

4. Speaker Coach in Microsoft Teams

Mid-August 2025 — The preview feature providing real-time feedback during meetings will be retired.
What to do: Inform users and explore alternatives like Copilot-generated meeting recaps.
🔗 Announcement

New Features: Worth Your Immediate Attention

AI-Powered Data Security Investigations in Purview

An all-new AI-driven tool for visualizing data risk, investigating incidents, and refining policies, now built into Microsoft Purview.
🔗 Details

Advanced Mail Merge in Outlook for Web & New Outlook

August 2025 — Personalize email templates with dynamic fields, custom formatting, and preview features.
🔗 Roadmap

Copilot Blocked from Processing Labeled Emails via DLP

August 2025 — Microsoft Purview DLP will block Copilot from interacting with labeled content in chat.
🔗 Read more

Risky AI Usage Detection in Insider Risk Management

Early-August 2025 — Detect prompts, intents, and AI-generated content using Microsoft 365 Copilot, Copilot Studio, and ChatGPT Enterprise.
🔗 More info

Silent Test Calls in Teams for Network Diagnostics

Early-August 2025 — Run silent test calls via Teams Premium to proactively check network readiness.
🔗 Message Center

Rule-Based Management of Certified Teams Apps

Mid-August 2025 — Automatically manage apps based on permission access and publisher trust status.
🔗 Roadmap

Independent DLP Email Notification Settings

August 2025 — Decouple policy tips and notifications in SharePoint/OneDrive DLP settings.
🔗 Roadmap

Enhancements: Quiet but Important

  • Updated Audit Logs in Purview – Better granularity and new Pre/Post Execution messages for role group changes.
    🔗 Read more
  • Microsoft Fabric Workspace User Limit – Enforcing a max of 1,000 users/groups per workspace role.
    🔗 Details
  • Apple/Google Sign-In on Teams Web – New SSO methods are coming for consumer users (preview).
    🔗 Message Center

Functionality Change: Stay Updated

Updated Sender for Teams DLP Incident Emails

August 20, 2025 — Teams DLP GIR emails will only come from no-reply@teams.mail.microsoft.com.
What to do: Update inbox rules and alert filters if needed.
🔗 Message Center

Action Needed: These Deadlines Are Not Flexible

Entra ID Retention Policy for Access Reviews

August 15, 2025 — Only 12 months of access review data will be available via UI/API.
What to do:

  • Export old data using Graph API
  • Store reports securely
  • Create an annual backup process
    🔗 More info

Legacy Message Trace Retires in Exchange Online

August 31, 2025 — New Message Trace UI and V2 cmdlets become the default.
What to do: Update any scripts to use Get-MessageTraceV2 and Get-MessageTraceDetailV2.
🔗 Read more

Azure AD Graph API Retirement

August 31, 2025 — Azure AD Graph API officially ends; apps using it will stop working.
What to do: Migrate to Microsoft Graph API. Use Entra admin center to identify impacted apps.
🔗 Migration Help
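
An added example, not from the original post: a Python scanner that inventories PowerShell scripts for the retired Message Trace cmdlets and for calls to the Azure AD Graph endpoint, so they can be updated before the deadlines above. The cmdlet names are the ones this guide lists; the host name graph.windows.net, the helper names, and the sample script are assumptions supplied here.

```python
import re
from dataclasses import dataclass

# Retired cmdlet -> replacement, as named in this guide.
RETIRED_CMDLETS = {
    "Get-MessageTrace": "Get-MessageTraceV2",
    "Get-MessageTraceDetail": "Get-MessageTraceDetailV2",
}
_BY_LOWER = {k.lower(): v for k, v in RETIRED_CMDLETS.items()}

# Assumption: host of the Azure AD Graph API (not stated on the page).
AAD_GRAPH_HOST = "graph.windows.net"

# PowerShell is case-insensitive. The lookarounds keep the V2 cmdlets and
# other longer names (e.g. Get-MessageTraceV2) from matching.
_CMDLET_RE = re.compile(
    r"(?<![\w-])(Get-MessageTrace(?:Detail)?)(?![\w-])", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str          # "retired-cmdlet" or "aad-graph-endpoint"
    match: str
    replacement: str


def _strip_comments(line, in_block):
    """Drop '#' and '<# ... #>' comments but keep quoted strings intact."""
    out, i, quote = [], 0, None
    while i < len(line):
        ch, two = line[i], line[i:i + 2]
        if in_block:                      # inside <# ... #>
            if two == "#>":
                in_block, i = False, i + 2
            else:
                i += 1
            continue
        if quote:                         # inside '...' or "..."
            if quote == '"' and ch == "`" and i + 1 < len(line):
                out.append(two)           # backtick-escaped character
                i += 2
                continue
            out.append(ch)
            if ch == quote:
                quote = None
            i += 1
            continue
        if two == "<#":
            in_block, i = True, i + 2
            continue
        if ch == "#":                     # line comment: ignore the rest
            break
        if ch in "'\"":
            quote = ch
        out.append(ch)
        i += 1
    return "".join(out), in_block


def scan_script(text):
    """Return findings for one script's text, in line order."""
    findings, in_block = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        code, in_block = _strip_comments(raw, in_block)
        for m in _CMDLET_RE.finditer(code):
            name = m.group(1)
            findings.append(
                Finding(n, "retired-cmdlet", name, _BY_LOWER[name.lower()])
            )
        if AAD_GRAPH_HOST in code.lower():
            findings.append(
                Finding(n, "aad-graph-endpoint", AAD_GRAPH_HOST, "Microsoft Graph")
            )
    return findings


# Constructed sample script (not from any real tenant).
SAMPLE = r"""
# Old report job; Get-MessageTrace worked until the retirement
$since = (Get-Date).AddDays(-2)
$msgs = Get-MessageTrace -StartDate $since -EndDate (Get-Date)
<# legacy helper, kept for reference
   Get-MessageTraceDetail -MessageTraceId $id
#>
$msgs | ForEach-Object { get-messagetracedetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress }
$new = Get-MessageTraceV2 -StartDate $since -EndDate (Get-Date)
$uri = "https://graph.windows.net/$tenant/users?api-version=1.6"   # AAD Graph call
$tag = 'ticket #4521'; Get-MessageTrace -MessageId $mid
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.match} -> {f.replacement}")
```

The scanner reads code and string literals but skips comments, so a cmdlet mentioned only in a comment is not reported while one built into a command string is.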

Final Thoughts

August 2025 is a pivotal month. Between the rise of AI-enhanced compliance tools and the retirement of legacy Microsoft features, the Microsoft 365 ecosystem is evolving fast.

If you’re responsible for security, collaboration, or compliance, now’s the time to document changes, communicate with your teams, and adjust scripts and policies. Waiting until the last minute will put you behind both operationally and reputationally.

  • Bookmark this.
  • Share it with your team.
  • Knock out the action items before they knock on your door.

Thank you for stopping by. ✌️

Microsoft 365 Admins: July 2025 Brings Major Retirements, Game-Changing Features & Critical Actions – Here’s Your Definitive Guide

Alright admins, deep breath. July is rolling in hot with some of the biggest Microsoft 365 updates, retirements, and must-do tasks of the year. Whether you’re wrangling SharePoint, securing sensitive data, or prepping Teams for your org, this month has something that will definitely land on your radar and maybe on your weekend schedule if you don’t plan ahead.

Consider this your field guide to navigate July 2025 without missing a beat.

July at a Glance

| Category | Count |
|---|---|
| 🔻 Retirements | 7 |
| 🆕 New Features | 11 |
| 🔧 Enhancements | 8 |
| 🔄 Changes in Functionality | 5 |
| ⚠️ Action Needed | 7 |

Retirements: Say Goodbye to These

  1. Microsoft 365 Business Premium & Office 365 E1 Grants for Non-Profits
    Retiring July 1, 2025 — Non-profits must move to Microsoft 365 Business Basic grants or discounted plans.
    ➡️ Learn more
  2. Viva Engage Private Content Mode
    Retiring June 30, 2025 — All tenants will lose access to Private Content Mode across Viva Engage, Teams, and Outlook.
    ➡️ Details
  3. Monitor Action in Defender Safe Attachments Policies
    Gone Early-July 2025 — Monitor mode will be switched to Block; evaluate Safe Attachments settings now.
    ➡️ More info
  4. SharePoint Alerts
    Phased retirement starts July 2025 — Power Automate or SharePoint Rules recommended as replacements.
    ➡️ Guidance
  5. OneNote .DOC Export Option
    Ending July 28, 2025 — Shift to modern formats like .docx now.
    ➡️ Message Center
  6. Organization Data Type in Excel
    Retiring July 31, 2025 — Switch to Get Data > From Power BI or custom data types via add-ins.
    ➡️ Learn more
  7. TLS 1.1 & Older on Fabric Platform
    Deprecated July 31, 2025 — Update systems to TLS 1.2+ to avoid data connectivity issues.
    ➡️ Blog post

New Features: Hot Off the Press

  • Native Forms in SharePoint Libraries — Build forms directly inside document libraries for smoother file uploads.
  • Cold File Scanning for Sensitive Info — Microsoft Purview now scans old, untouched files in SharePoint/OneDrive.
  • Unit-Level Backup Deletion in Microsoft 365 Backup — Delete backups for specific OneDrive, SharePoint, or Exchange units.
  • External Chat File Attachments in Teams — Finally attach files in 1:1 and group chats with external users.
  • Detailed Audit Logs for Screen Sharing in Teams — Gain full transparency over Give/Take Control and sharing events.
  • Facilitator Agent in Teams — Automated meeting summaries and real-time note collaboration (Copilot license required).
  • Multi-Admin Notifications for M365 Backup — Configure centralized alerts for backup events.
  • AI Posture Management in Purview — Manage security of AI activity across Copilot and other AI apps.
  • Drag & Drop Between Accounts in New Outlook — Attach emails/files across accounts or shared mailboxes seamlessly.
  • Network-Level Detection of AI Activity in Insider Risk Management — Identify sensitive data shared with cloud/AI apps.
  • Scoped AD Domain Access in Defender for Identity — Apply RBAC at the AD domain level for tighter security.

Enhancements: Small Changes, Big Impact

  • Attachment Previews in Purview Content Explorer — View flagged attachments directly in the console.
  • Recording & Transcription by Default in Teams Calls — Enabled by default for new tenants and global policies.
  • New Outlook: S/MIME Signature Inheritance Setting — Control signature behavior in replies via NoSignOnReply.
  • User Activity Timeline in Purview Compliance Portal — See flagged user interactions on a single timeline.
  • IRM + Data Security Investigation Integration — Launch investigations faster with combined tools.
  • Secure by Default Settings in Microsoft 365 — Block legacy auth and enforce admin consent by default.
  • Best Practice Dashboard Expansion in Teams Admin Center — Monitor new meeting-related issues.
  • On-Demand File Classification — Discover/classify old files in SharePoint/OneDrive (pay-as-you-go).

Existing Functionality Changes: Adjust Your Ops

  • Teams Live Event Assistance Becomes Paid — LEAP moves under Unified as a paid service on July 1, 2025.
  • Insider Risk Policy Limits Increased — Up to 100 total active policies across templates.
  • Outlook Blocks More File Types — .library-ms and .search-ms added to the blocked list.
  • Improved B2B Guest Sign-In — Guests redirected to their home org’s sign-in page for clarity.
  • Unified Teams App Management Paused — Rollout delay with updates expected by late July.

Action Needed: Don’t Procrastinate

  • Azure AD PowerShell Retirement After July 1 — Migrate scripts to Microsoft Graph or Entra PowerShell ASAP.
  • DNS Provision Change — Update automation scripts to retrieve MX records via Graph API to avoid mail flow issues.
  • Classic Teams App Retirement — All users must move to New Teams or web app by July 1, 2025.
  • Reshare SharePoint Content Post-Entra B2B — External users lose access to pre-integration OTP shares. Reshare content now.
  • Teams Android Devices Must Update Apps — Move to supported versions by Dec 31, 2025, to enable modern auth.
  • Graph Beta API Permissions Update — Adjust apps to use new permissions for device management by July 31, 2025.

Final Thoughts

July 2025 is a make-or-break month for Microsoft 365 admins. There’s a mountain of changes, but staying ahead means no late-night incidents, no broken workflows, and definitely no panicked calls from leadership.

Bookmark this guide, share it with your team, and start planning now. Because in IT, the only thing worse than unexpected downtime is knowing you could’ve avoided it.

Thank you for stopping by. ✌️

Generate Multi-Subscription Azure Cost Reports Using REST API and PowerShell

Managing cloud costs is like trying to diet at a buffet. Tempting services everywhere, and one bad decision can blow your budget wide open. So when I was tasked with a breakdown of Azure usage across 50+ subscriptions for the month of June, I knew this wasn’t going to be a quick Azure Portal copy-paste job.

Instead, I rolled up my sleeves and built a PowerShell script that uses the Azure REST API to automatically:

  • Query all accessible subscriptions
  • Fetch usage-based cost data for a given time range
  • Export it into a clean Excel report

And I made it smart enough to handle throttling too. Here’s how it all came together.

Goals

  • Pull Azure cost data from multiple subscriptions
  • Offer flexible time range selection (this month, last month, custom, etc.)
  • Authenticate securely with Entra ID (Service Principal)
  • Export to Excel in a way leadership can digest (bonus points if it opens without errors)

Authentication with Entra ID

I created a Service Principal and assigned it the “Global Billing Reader” role at the billing account level. The script uses the client_credentials flow to authenticate and obtain an access token.

Yes, I temporarily stored the client secret in a plain text variable $clientSecretPlain = 'ENTER_SECRET' because I was still prototyping. Don’t judge me. But for production? Vault it or use a managed identity.
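One way to take the secret out of the script file, as an added example that is not part of the original script: the function tries a system-assigned managed identity first and only then falls back to the service principal, reading its secret from a vault at run time. Get-ArmAccessToken and the secret name AzureCostReportSp are hypothetical, and the fallback assumes the Microsoft.PowerShell.SecretManagement module with a registered vault.

```powershell
# Added example, not the author's code. Get-ArmAccessToken and the secret
# name 'AzureCostReportSp' are hypothetical; path 3 assumes the
# Microsoft.PowerShell.SecretManagement module with a registered vault.
function Get-ArmAccessToken {
    param(
        [string]$TenantId,
        [string]$ClientId,
        [string]$SecretName = 'AzureCostReportSp',
        [string]$Resource   = 'https://management.azure.com/'
    )

    # 1) Managed identity in an Azure Automation runbook: the sandbox
    #    exposes IDENTITY_ENDPOINT and IDENTITY_HEADER.
    if ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER) {
        $h = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }
        $r = Invoke-RestMethod -Method Get -Headers $h -Uri "$($env:IDENTITY_ENDPOINT)?resource=$Resource"
        return $r.access_token
    }

    # 2) Managed identity on an Azure VM: instance metadata service (IMDS).
    try {
        $imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
                "?api-version=2018-02-01&resource=$Resource"
        $r = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } -Uri $imds -TimeoutSec 3
        return $r.access_token
    } catch {
        Write-Verbose 'No IMDS identity available; using the service principal.'
    }

    # 3) Service principal: the secret is fetched from the vault at run time
    #    and exists only inside this function's scope.
    if (-not $TenantId -or -not $ClientId) {
        throw 'TenantId and ClientId are required when no managed identity is available.'
    }
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = (Get-Secret -Name $SecretName -AsPlainText)
        scope         = "$($Resource).default"
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $r = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
    if (-not $r.access_token) { throw 'Token response contained no access_token.' }
    return $r.access_token
}

# Drop-in for the script's token step ($token keeps the same shape):
$token = @{ accessToken = Get-ArmAccessToken -TenantId 'ENTER_Tenant_ID' -ClientId 'ENTER_APP_ID' }
```

With a managed identity, the identity itself needs the billing or cost reader role that the service principal had; the TenantId and ClientId arguments are then unused.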

Handling Throttling (429 Errors)

Azure’s APIs like to throw shade when you hit them too hard. I added retry logic with exponential backoff and jitter.

PowerShell Script

# Author: Kumaran Alagesan

# Requires: Az CLI, ImportExcel module (Install-Module -Name ImportExcel)
# Authenticate using Entra Application (Service Principal)

$clientId = 'ENTER_APP_ID'
$tenantId = 'ENTER_Tenant_ID'
$clientSecretPlain = 'ENTER_SECRET'

# Get access token using Service Principal
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecretPlain
    scope         = "https://management.azure.com/.default"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body -ContentType "application/x-www-form-urlencoded"
if (-not $tokenResponse.access_token) {
    Write-Host "Failed to acquire token. Check credentials." -ForegroundColor Red
    exit 1
}
$token = @{ accessToken = $tokenResponse.access_token }


$selection = $null
while (-not $selection) {
    $selection = Read-Host "Select time range: `n1) This month`n2) Last month`n3) This quarter`n4) Last quarter`n5) This year`n6) Last 6 months`n7) Last 12 months`n8) Custom`nEnter number"
    if ($selection -notmatch '^[1-8]$') {
        Write-Host "Invalid selection. Please enter a number from the list (1-8)." -ForegroundColor Yellow
        $selection = $null
    }
}

$today = Get-Date
switch ($selection) {
    '1' { # This month
        $startDate = Get-Date -Year $today.Year -Month $today.Month -Day 1
        $endDate = $today
    }
    '2' { # Last month
        $lastMonth = $today.AddMonths(-1)
        $startDate = Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1
        $endDate = (Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1).AddMonths(1).AddDays(-1)
    }
    '3' { # This quarter
        $quarter = [math]::Ceiling($today.Month / 3)
        $startMonth = (($quarter - 1) * 3) + 1
        $startDate = Get-Date -Year $today.Year -Month $startMonth -Day 1
        $endDate = $today
    }
    '4' { # Last quarter
        $currentQuarter = [math]::Ceiling($today.Month / 3)
        if ($currentQuarter -eq 1) {
            $lastQuarterYear = $today.Year - 1
            $lastQuarter = 4
        } else {
            $lastQuarterYear = $today.Year
            $lastQuarter = $currentQuarter - 1
        }
        $startMonth = (($lastQuarter - 1) * 3) + 1
        $startDate = Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1
        $endDate = (Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1).AddMonths(3).AddDays(-1)
    }
    '5' { # This year
        $startDate = Get-Date -Year $today.Year -Month 1 -Day 1
        $endDate = $today
    }
    '6' { # Last 6 months
        $startDate = $today.AddMonths(-5)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '7' { # Last 12 months
        $startDate = $today.AddMonths(-11)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '8' { # Custom
        $startDate = Read-Host "Enter start date (yyyy-MM-dd)"
        $endDate = Read-Host "Enter end date (yyyy-MM-dd)"
        try {
            $startDate = [datetime]::ParseExact($startDate, 'yyyy-MM-dd', $null)
            $endDate = [datetime]::ParseExact($endDate, 'yyyy-MM-dd', $null)
        } catch {
            Write-Host "Invalid date format. Exiting." -ForegroundColor Red
            exit 1
        }
    }
}

$startDateStr = $startDate.ToString("yyyy-MM-dd")
$endDateStr = $endDate.ToString("yyyy-MM-dd")

# Set headers for REST calls using the service principal token
$headers = @{
    'Authorization' = "Bearer $($token.accessToken)"
    'Content-Type'  = 'application/json'
}

# Get all subscriptions
$subsUrl = "https://management.azure.com/subscriptions?api-version=2020-01-01"
$subscriptions = Invoke-RestMethod -Uri $subsUrl -Headers $headers -Method Get | Select-Object -ExpandProperty value

Write-Host "Fetching cost data for $($subscriptions.Count) subscriptions: " -NoNewline

$totalCost = 0
$results = @()

foreach ($sub in $subscriptions) {
    $costQueryBody = @{
        type       = "Usage"
        timeframe  = "Custom"
        timePeriod = @{
            from = $startDateStr
            to   = $endDateStr
        }
        dataSet    = @{
            granularity = "None"
            aggregation = @{
                totalCost = @{
                    name     = "Cost"
                    function = "Sum"
                }
            }
        }
    } | ConvertTo-Json -Depth 10

    $costUrl = "https://management.azure.com/subscriptions/$($sub.subscriptionId)/providers/Microsoft.CostManagement/query?api-version=2024-08-01"

    $maxRetries = 7
    $retryDelay = 5
    $attempt = 0
    $success = $false

    while (-not $success -and $attempt -lt $maxRetries) {
        try {
            $costData = Invoke-RestMethod -Uri $costUrl -Headers $headers -Method Post -Body $costQueryBody

            $subscriptionCost = 0
            if ($costData.properties.rows -and $costData.properties.rows.Count -gt 0) {
                $subscriptionCost = $costData.properties.rows[0][0]
            }

            $results += [PSCustomObject]@{
                'Subscription Name' = $sub.displayName
                'Total Cost'        = [math]::Round([double]$subscriptionCost, 2)
            }

            $totalCost += $subscriptionCost
            Write-Host "." -NoNewline
            $success = $true
        }
        catch {
            if ($_.Exception.Response.StatusCode.value__ -eq 429 -and $attempt -lt ($maxRetries - 1)) {
                # Add random jitter to delay
                $jitter = Get-Random -Minimum 1 -Maximum 5
                $sleepTime = $retryDelay + $jitter
                Write-Host "`n429 received, retrying in $sleepTime seconds..." -ForegroundColor Yellow
                Start-Sleep -Seconds $sleepTime
                $retryDelay *= 2
                $attempt++
            }
            else {
                Write-Host "x" -NoNewline
                Write-Host "`nError getting cost for subscription $($sub.displayName): $($_.Exception.Message)" -ForegroundColor Red
                $success = $true
            }
        }
    }
}

# Export results to Excel
$excelPath = Join-Path -Path $PSScriptRoot -ChildPath ("AzureCostReport_{0}_{1}.xlsx" -f $startDateStr, $endDateStr)
if ($results.Count -gt 0) {
    # Do not pre-format 'Total Cost' as string; keep as number for Excel formatting

    # Check if file is locked
    $fileLocked = $false
    if (Test-Path $excelPath) {
        try {
            $stream = [System.IO.File]::Open($excelPath, 'Open', 'ReadWrite', 'None')
            $stream.Close()
        } catch {
            $fileLocked = $true
        }
    }
    if ($fileLocked) {
        Write-Host "Excel file is open or locked: $excelPath. Please close it and run the script again." -ForegroundColor Red
    } else {
        $results | Export-Excel -Path $excelPath -WorksheetName 'CostReport' -AutoSize -TableName 'CostSummary' -Title "Azure Cost Report ($startDateStr to $endDateStr)" -TitleBold -ClearSheet
        Write-Host "Excel report saved to: $excelPath"
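        # Optionally open the file. $IsWindows only exists in PowerShell 6+,
        # so also accept Windows PowerShell 5.1 (PSEdition 'Desktop').
        if ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {
            Start-Sleep -Seconds 2
            Invoke-Item $excelPath
        }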
    }
}

If you want to email the output as a table in the body to a mailbox, you can replace the ‘Export results to Excel’ section with the code below. Yup! I know Send-MailMessage is obsolete and ideally I’d run this script within an Azure Automation account and set app permissions for the identity to be able to send emails. I’ll cover it in a later post.

# Prepare HTML table for email
if ($results.Count -gt 0) {
    # Add $ symbol to each Total Cost value
    $resultsWithDollar = $results | ForEach-Object {
        $_ | Add-Member -NotePropertyName 'Total Cost ($)' -NotePropertyValue ('$' + [math]::Round([double]$_.('Total Cost'), 2)) -Force
        $_
    }

    $htmlTable = $resultsWithDollar | Select-Object 'Subscription Name', 'Total Cost ($)' | ConvertTo-Html -Property 'Subscription Name', 'Total Cost ($)' -Head "<style>table{border-collapse:collapse;}th,td{border:1px solid #ccc;padding:5px;}</style>" -Title "Azure Cost Report"
    $htmlBody = @"
<h2>Azure Cost Report ($startDateStr to $endDateStr)</h2>
$htmlTable
<p><b>Total Cost (all subscriptions):</b> $([string]::Format('${0:N2}', [math]::Round([double]$totalCost,2)))</p>
<p style='color:gray;font-size:small;'>This is an automatically generated email - Please do not reply.</p>
"@

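    # Email parameters (update these as needed)
    $smtpServer = "smtp.domain.com"   # SMTP relay host name, not a mailbox address
    $smtpPort = 587
    $from = "alerts@domain.com"
    $to = "emailaddress@domain.com"
    $subject = "Azure Cost Report ($startDateStr to $endDateStr)"

    # -UseSsl makes the session on the submission port use TLS, so the report is not sent in clear text.
    # Add -Credential if your relay requires authentication.
    Send-MailMessage -From $from -To $to -Subject $subject -Body $htmlBody -BodyAsHtml -SmtpServer $smtpServer -Port $smtpPort -UseSsl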
    Write-Host "Cost report sent via email to $to"
} else {
    Write-Host "No results to send."
}

What You’ll Get

The final Excel report displays each subscription’s name alongside its total cost for your chosen time period. Whether you’re reviewing it manually or feeding it into FinOps tools, the format is designed for quick analysis and clean presentation.

Practical Applications

Scenario | How It Helps
Automation and scheduling | Supports routine reporting via scheduled tasks or DevOps flows
Multi-subscription environments | Consolidates cost data across departments or teams
Governance and FinOps | Enables proactive budget tracking and reporting

With just a PowerShell script and the Azure Cost Management API, you can unlock instant insights into your cloud spend across all Azure subscriptions. Whether you’re part of a DevOps team, driving FinOps initiatives, or simply managing cloud budgets, this automation makes cost visibility one less thing to worry about.

Lessons Learned

  • Azure Cost Management API is powerful, but throttling is real.
  • Microsoft will be retiring the Consumption Usage Details API at some point in the future and does not recommend that you take a new dependency on this API.
  • Export-Excel is a lifesaver, especially when you want your report to actually be readable.

Room for Improvement

  • Add Azure MeterCategory per subscription in the email report to give a better idea of where the cost usage is
  • Move secrets to Azure Key Vault or use Managed Identity
  • Add monthly trend analysis and forecasting
  • Push the data to Power BI for richer dashboards

Final Thoughts

This script is now my go-to tool for quickly generating Azure cost reports across environments. It’s flexible, reliable, and gives my leadership team the visibility they need to make informed decisions, without logging into the portal.

Because let’s face it: if you’re managing Azure at scale, you shouldn’t be clicking through billing blades. You should be scripting your way to clarity.

Keep those costs in check, one API call at a time.

Thanks for stopping by. ✌