r/AZURE

GuardFall: 10/11 open-source AI coding agents fail a shell trick that's been public since Bash 1.0 (1989)
▲ 9 r/AZURE+1 crossposts

GuardFall: 10/11 open-source AI coding agents fail a shell trick that's been public since Bash 1.0 (1989)

Adversa AI just published research on something they're calling GuardFall — not a single CVE, but a structural gap in how AI coding agents (Hermes, OpenCode, Roo-Code, and others) validate shell commands before execution.

The core issue: these agents filter the literal text of a command against regex/wildcard patterns. But Bash rewrites that text at runtime — quote removal, $IFS substitution, command substitution — so a string that passes the filter can still evaluate to the exact dangerous command the filter was supposed to block. Tested against 11 agents, 10 failed in at least one of four bypass classes. Only Continue reportedly closed the majority of the surface.

The worst variant doesn't even need the operator to opt into anything — a malicious repo's config (e.g. an .aider.conf.yml with auto-test: true and a poisoned test command) can fire on first accepted edit.

I previously covered a related failure mode here if you want more background: CISA Confirms Langflow RCE CVE-2026-33017 — different mechanism, same root problem: AI tooling given privileged execution with a safety layer that doesn't actually model what the underlying interpreter will do.

Curious what this sub thinks: is sandboxing/credential isolation the only real fix here, or is there a filtering approach that could actually work against a shell that rewrites its own input?

https://www.techgines.com/post/guardfall-ai-coding-agent-shell-injection-vulnerability

u/Expert_Sort7434 — 2 hours ago
▲ 6 r/AZURE

AWS user considering Azure

AWS has been my whole world for a long time. It's where I'm comfortable, and honestly I've never had a real reason to leave it.

But "only knows one cloud" is starting to feel like a limitation I've put on myself rather than a real constraint. So I'm thinking about picking up Azure, mostly to broaden out and not be a single-cloud person forever.

For people who've actually worked in both: what did learning Azure give you that AWS didn't? And on the flip side, what did you find yourself missing once you were in it?

reddit.com
u/Loyd2888 — 9 hours ago
▲ 0 r/AZURE

HELP: my Angular + ASPNET application works very well on the localhost, but the API doesn't work on the Azure cloud

I have this application built with Angular and ASPNET, which is working perfectly on the localhost, but after i did all the process to publish it on Azure (give my credit card data, create a resource group, app service, SQL server, app service plan and SQL database), the back-end doesn't work there.

When I first open the app on Azure, I already receive an error on the console, which is the one shown in the 2nd attached image. The 3rd attached image shows the state of my network.

Is this error well known? What's the logic of an issue happening only on the published app and not on localhost?

I'd really appreciate it if someone could help me here.

u/DouglasJoel123 — 15 hours ago
▲ 22 r/AZURE+1 crossposts

Deploy Azure Virtual Desktop Host Pools with the New Session Host Configuration Using Azure Bicep

Azure Virtual Desktop Session Host Configuration introduces a modern way to deploy and manage session hosts by defining their configuration directly within the Host Pool. Instead of manually provisioning virtual machines and configuring them individually, Session Host Configuration enables a standardized and automated deployment experience. This helps ensure that every session host is deployed with the same settings, image, networking, identity, and security configuration, making Azure Virtual Desktop environments easier to manage at scale. In this blog, we will explore how to automate the deployment of Azure Virtual Desktop by using the new Session Host Configuration feature together with Azure Bicep.

cloudtips.nl
u/brianveldman — 18 hours ago
▲ 1 r/AZURE

Sysdig documented the first ransomware op run entirely by an AI agent (JADEPUFFER) — thoughts on detection at this speed?

Sysdig's TRT published a report on JADEPUFFER, which they're calling the first fully agentic ransomware operation. Entry via Langflow CVE-2025-3248 (missing auth, patched since May 2025, CVSS 9.8). Once in, the agent harvested LLM provider keys + cloud creds, dumped Postgres, then pivoted to a production MySQL/Nacos box via a 2021 auth bypass and encrypted 1,342 config items — never saving the encryption key, so it's unrecoverable regardless of payment.

What stood out to me technically: the agent adapted mid-attack — rewrote a parser on the fly when it got XML instead of expected JSON, and reportedly fixed a failed login in ~31 seconds. None of the individual techniques are new. The orchestration speed is the whole story.

Open question for the sub: if detection tooling is tuned for human-paced dwell time, how much of current SOC playbook logic actually holds up against an adversary iterating in seconds instead of hours?

https://www.techgines.com/post/jadepuffer-ai-ransomware-langflow-cve-2025-3248

I previously covered a related Langflow RCE (CVE-2026-33017) here if you want more background: https://www.techgines.com/post/cisa-confirms-langflow-rce-cve-2026-33017-attackers-had-working-exploits-before-the-world-had-a-poc

u/Expert_Sort7434 — 21 hours ago
▲ 0 r/AZURE

SWE here, Azure Cloud Engineer interview next week. Am I cooked chat?

I will start with this, I'm not a Cloud Engineer. I'm a junior SDE. Never worked on Azure (used Azure Repos and Azure Pipeline here and there once). recruiter said that it will be an hour long pure-technical interview. I am going through John Savill's Azure Masterclass for now but have no idea what will be asked and this masterclass is not enough to answer in-depth.

JD had AZ-104 and AZ-204 listed. Can anyone guide me what should I do and what kind of questions should I expect?

reddit.com
u/anonlegion01 — 1 day ago
▲ 3 r/AZURE

Azure Server Hardening Baselines

What are people using to harden Linux and Windows servers in Azure that are Entra ID joined only?

I'm looking for a sensible way to apply baseline hardening policies/Settings in a production environment without having to build everything from scratch. In the past, I've always just used Microsoft's baseline GPOs, but obviously that's not really an option here.

I've already applied the Azure security baseline, but as far as I can tell it only audits the settings. I can't find a way to actually remediate or enforce the baseline.

Just interested in hearing what people are using in the real world and what's worked well.

reddit.com
u/Secret-Pop-9230 — 1 day ago
▲ 29 r/AZURE

I'm an (Senior) Azure Engineer, where do I go from here? - UK Based

Looking for some guidance/ advice from the community on where you think I should go/ focus on for my career.

I'm currently entering my eleventh year in the industry, I started off doing on-prem and did that for about four and half years very typical on-site engineer work with some Microsoft 365 bits thrown in here and there. From this point I started to transition over to Azure and the wider Microsoft Cloud. Picked up my AZ-900, MS-900, SC-900 back in 2021, was working as a third-line SD engineer at the time doing all sorts of Azure/ Intune/ M365 related work. I did my AZ-104 back in 2022 then shortly afterwards landed a pure Azure Cloud Engineer focused role for 2 years, during which I picked up my AZ-305. After being made redundant late 2024 moved Into my current role as an (Senior) Azure/M365 Cloud Engineer? I do a lot of architecture type work, tech leader-ish stuff and SME for Azure/M365 in general + hands on engineering work (it's quite complicated weird situation definitely need my job title revaluated)

This year I've picked up (I know their only foundation exams) AB-900 + AB-700, Last year I started working towards my AZ-400 to pickup and learn that DevOps knowledge but I've struggled to stick with it/ just not found myself gravitating towards it or found the motivation to study for it? Just because I know it will get asked, I'm self taught for Terraform (IaC) but never used it in a professional setting (yet) I'm currently at a point where I'm evaluating where to take my career next, curious to see what your thoughts are.. I know I should focus on the DevOps side of things as it goes hand in hand with what I've done already but I've found messing around with AI + Microsoft Foundry way more interesting at the moment.

What should I do, where do you think I should focus my efforts/ career path?

reddit.com
u/dannisokay92 — 3 days ago
▲ 10 r/AZURE

DHS confirms HSIN breach — weeks-long undetected access, no attribution yet

DHS confirmed hackers accessed the Homeland Security Information Network and a connected SharePoint system sometime between late May and early June 2026. Public disclosure didn't happen until July 1–2 (Nextgov broke it, BleepingComputer/TechCrunch confirmed). DHS says no classified systems were touched, but hasn't said whether documents were taken or who's behind it.

I previously covered background on the SharePoint exposure angle here if you want more context: [SharePoint CVE-2026-32201 post — title confirmed, exact URL unverified, will update once confirmed in CMS].

Question for the room: given HSIN's "legacy information sharing environment" framing from DHS — how do you all handle the org politics of getting budget/attention for hardening a system that's simultaneously called "legacy" and "still actively used for World Cup security coordination"? Feels like a recurring pattern with sensitive-but-unclassified platforms specifically.

https://www.techgines.com/post/hsin-breach-dhs-homeland-security-information-network-cyberattack

u/Expert_Sort7434 — 2 days ago
▲ 22 r/AZURE+2 crossposts

Built a local Azure Pipelines condition/dependsOn simulator because I was sick of burning PR approvals just to test one eq()

Anyone else done the push -> wait 8 minutes -> red X -> change one character -> push again dance, just to figure out why condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest')) isn't doing what you think it's doing? And then half the time you need an actual PR + approval just to touch the yml, so testing "let me just try this real quick" means pinging a teammate for the third time that week going "sorry, one more approval, promise this is the last one" (it is never the last one).

So I built pipcondition - a local simulator for Azure Pipelines condition, expressions and dependsOn graphs. You paste your real azure-pipelines.yml in, mock whatever variables/parameters/step outcomes you want, and it shows you exactly which stages/jobs/steps would run, skip, or fail. No push, no pipeline run, no waiting.

What it actually does:

- The real condition expression language - eq, ne, in, and/or/not, succeeded()/failed()/succeededOrFailed(), counter(), all of it - not some 80%-there approximation

- dependsOn fan-out/fan-in across stages and jobs, with the actual skip-propagation rules Azure uses (fail one stage, watch everything downstream correctly cascade to Skipped)

- A "simulate a branch push" panel - type in Feature/my-cool-thing or release/2.0, pick Manual/PR/Schedule as the trigger, and it derives Build.SourceBranch, Build.SourceBranchName, System.PullRequest.* etc. so your branch-gated stages actually flip between skip/run correctly (yes it even replicates the "PR builds get a fake refs/pull/N/merge ref" nonsense, because that's genuinely how Azure behaves and I'd rather be accurate than friendly)

- Templates, extends:, typed parameters, the ${{ if/each }} compile-time stuff

- Mock step outcomes so you can pretend a step failed and see if your continueOnError/condition logic actually saves you like you think it does

- A visual stage/job DAG instead of reading yaml top to bottom like a maniac

- If your pipeline references a variable group or a cross-repo template it obviously can't reach (it's a local tool, it's not calling your actual org), it just tells you "can't see this, treating as empty" instead of exploding

It's here, https://pipcondition.vercel.app/ (paste and go, nothing to install), code's on GitHub: https://www.github.com/WasathTheekshana/pipcondition

Heads up - this is very much a beta, built in my spare time by one guy who also does this stuff for a day job. It WILL have bugs, especially on weirder real-world patterns (nested templates, exotic variable setups, whatever creative yaml your pipelines team wrote three years ago that everyone's now too scared to touch). If you paste your pipeline in and it either explodes or gives you a flat-out wrong answer, please open an issue - the more real pipelines this gets thrown at, the better it gets. PRs welcome too if you enjoy yaml pain as much as I apparently do.

reddit.com
u/KeyboardViiraya — 2 days ago
▲ 35 r/AZURE+1 crossposts

AWS bedrock roadblocks are infuriating

I’ve been working with AWS professionally for a decade. I’ve had AWS accounts for other side projects, but decided to create a new one for an ai specific project where I wanted to test and learn bedrock. I created this account at the beginning of June, but kept getting hit with validation errors when trying to test out a model in playground.

I open a support ticket and after weeks of no response, I’m told my account is too new. I need to wait a full billing cycle and show account activity before they enable the models.

Ok fine. I spent the rest of June building but continue to hit new account road blocks. Now it’s July, I reach back out to support after having completed my first billing cycle and I’m still denied again without any explanation other than “To maintain performance of the service and to make sure we use bedrock appropriately, model access for a given account might depend on factors like payment history and account usage. We can’t approve your request”

What the actual f? I’ve never dealt with a more frustrating user experience. I’m certain if I went to azure of gcp i wouldn’t have this issue and they gladly let me spend thousands of dollars on usage. AwS is spending a billion dollars on deployment engineers to go into companies and show them how to use AI, but god forbid I try to do it myself and spend my own money on the platform.

What a joke.

EDIT: I must’ve made someone mad because they auto closed my support case without any response :,)

reddit.com
u/MichigansPinkyFinger — 4 days ago
▲ 38 r/AZURE+2 crossposts

Breakglass account in Entra ID

Hello folks

I want to setup breakglass account for my entra tenant

Breakglass account should not have MFA configured but MS in 2024 made it mandatory for all accounts to have MFA

what should be done to by pass MFA or any other way to setup breakglass account?

Any document if you have is appreciated

reddit.com
u/StatisticianFunny170 — 4 days ago
▲ 30 r/AZURE

Entire UK South region at capacity for App Service

I've been going back and forth with Microsoft support to add quota for different App Service SKUs, and today they've advised "Unfortunately, we are unable to support any ask in UK South region at this time. So, the request stays backlogged.".

I'm surprised I've not seen this reported elsewhere - how's this affecting you and your organisation?

reddit.com
u/Verta — 4 days ago
▲ 0 r/AZURE

When microsoft sells out cheap tier they should provide next at same cost

We have some log analytics workspaces, with a few hundred GB/day of logs. We move from Amsterdam to Stockholm, as datalake / auxiliary storage at $0.07/GB has been sold out for about a year in Amsterdam.
Since it is the same amount of storage I need to for Analytics/Basic/Auxiliary storage, I don't understabnd why I have to pay almost 10x the price for Basic - just because Microsoft don't want to sell me the same disc space for the low price. I would not need a single GB exrra, so they should sell it to me at the lower cost - And give me the performance for free, until they have managed to send a guy down to the local shop and buy pallet of discs.

reddit.com
u/povlhp — 3 days ago
▲ 7 r/AZURE

Microsoft Foundry as LLM Gateway

Do you usr Microsoft Foundry as your LLM gateway? I would like to understand if you use Foundry for this use case .

reddit.com
u/SmartWeb2711 — 3 days ago
▲ 11 r/AZURE+4 crossposts

Built a curated list of official DevOps / Cloud / SRE MCP servers and agent skills

Hi folks,

I’ve been collecting and organizing official MCP servers, agent skills, and agent toolkits for DevOps, cloud, platform engineering, SRE, security, IaC, observability, and diagramming workflows.

Repo: https://github.com/DevOpsAIguru123/awesome-agentic-devops

The goal is to make it easier to find trusted sources instead of hunting through random MCP lists. I’m focusing on official or vendor-backed tools where possible, with notes around risk, write-capability, human approval, and operational use cases.

Current areas include:

  • AWS, Azure, Google Cloud
  • GitHub, GitLab, Azure DevOps, Atlassian
  • Terraform, Pulumi
  • Grafana, Datadog, Sentry, Splunk, PagerDuty
  • SonarQube, Okta
  • Databricks, Kubeflow
  • Docker, Kubernetes, draw.io
  • Agent skills and toolkits

Specialized DevOps/SRE agents and reference workflows are coming soon.

Would love feedback from folks using MCP or AI agents in infrastructure workflows:

  • What official tools am I missing?
  • Which MCP servers are actually useful in day-to-day DevOps/SRE work?
  • What safety/risk fields would make this more useful?

If you find it helpful, a star would be appreciated.

u/Individual_Walrus425 — 3 days ago
▲ 25 r/AZURE

I got tired of having no visibility into our Entra ID identity sprawl, so I built a self-hosted governance portal (open source, runs in your own tenant)

The problem

Our tenant slowly accumulated hundreds of app registrations and ~800 enterprise apps. The native Entra portal makes you click into a separate blade to answer basic questions: who owns this app? which secrets expire next month? what hasn't been signed into in a year? which apps hold high-risk Graph permissions? There's no single pane, and ownership data is scattered or just missing.

Entra ID Governance / access reviews / PIM exist, but they're heavy (and licensed) for what I actually wanted: a fast, owner-centric view of the app and identity estate for routine hygiene.

​What I built

A lightweight, self-hosted portal that runs entirely in your own Azure subscription:

  • One grid for App Registrations, Enterprise Apps, Managed Identities, and Privileged (directory-role) Users
  • Per-identity risk: expiring/expired creds, high-risk permissions, no owner, stale sign-in, missing Conditional Access coverage
  • Ownership tracking + review/owner-change workflow, CSV export
  • A tenant health score and consent-posture dashboard
  • Optional credential-expiry email notifications (requires Sendgrid API key)
  • Reads Microsoft Graph via a managed identity - no app secrets for data access, and nothing leaves your tenant

~$26–30/mo (one B2 App Service plan).

What it's not: a replacement for Entra ID Governance, PIM, or access reviews. It's a focused, low-cost complement for day-to-day hygiene.

Repo (screenshots + setup guide): Github Repository

Genuinely after feedback — especially what you'd want surfaced that isn't there, or where the risk scoring feels wrong. Built this incrementally over a few months (with long breaks), so it's had time to settle.

reddit.com
u/AzAutomationEngineer — 4 days ago
▲ 7 r/AZURE+1 crossposts

Excluding WhatsApp from App Protection Policy for a pilot group — possible?

Hey all,

​I am currently rolling out Intune App Protection Policies (APP/MAM) across the organization. I need to create a data transfer exception specifically for WhatsApp so that managed apps can send data to it, but I want this exclusion to apply only to a small pilot group rather than the entire organization.

​How can I exempt WhatsApp from the data transfer restrictions for just this specific group without adding it as an Intune-managed app? Is there a clean way to achieve this?

reddit.com
u/thrasherx_ — 4 days ago