Microsoft's most consequential Azure change this week isn't a flashy new model; it's the plumbing that makes reliability and safe data access operational. Two Azure Monitor features hit GA (SLIs/SLOs and Metrics Export via Data Collection Rules), Entra-only SMB identities are now generally available for Azure Files, SQL MCP Server reached GA to let agentic AI talk to production databases under policy, and Azure DevOps Server got security patches you should install yesterday.
SQL MCP Server: the new trust boundary
Microsoft appears to be shipping a managed query proxy for agentic AI workflows (sometimes described as a managed connector or proxy in product docs) that centralizes queries to SQL, PostgreSQL, and Cosmos DB. Teams building agent-driven automation or retrieval-augmented workflows can avoid ad-hoc database proxies, credential injection, or brittle VMs; instead, a managed component can enforce access and policy controls around those queries.
But make no mistake: this is a new network and identity boundary you must design for. The managed proxy creates an explicit agent-to-data path with its own auth, rate limits, and auditing semantics. Treat it as a service perimeter: enforce least-privilege roles, bind short-lived credentials, throttle queries, and bake observability into every agent flow. If you don't, you'll face classic problems (noisy queries, uncontrolled joins, and surprising cost spikes), only now with AI writing the SQL. Check Microsoft's documentation for the exact product name and availability in your tenant or region; some of these connectors are rolling out with preview stages.
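To make the perimeter controls above concrete, here is an added example (not from the original article and not Microsoft's product code) of a per-agent gate that applies a read-only verb allowlist, a join cap, a token-bucket query budget, and an audit record for every decision. The class name `AgentGate`, the decision strings, and all policy constants are hypothetical.

```python
import re
import time
from dataclasses import dataclass, field

# Hypothetical policy values for one agent role (assumptions, not product settings).
ALLOWED_VERBS = {"SELECT"}   # read-only agent
MAX_JOINS = 2                # cap join fan-out
BUDGET_PER_MINUTE = 3        # query budget; refills continuously


@dataclass
class AgentGate:
    """Coarse pre-filter in front of the database. It is not a SQL parser:
    the database role must still enforce least privilege on its own."""
    agent_id: str
    capacity: int = BUDGET_PER_MINUTE
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def check(self, sql, now=None):
        now = time.monotonic() if now is None else now
        # Token bucket: regain capacity/60 tokens per elapsed second.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.capacity / 60.0)
        self.last = now
        decision = self._decide(sql)
        if decision == "allow":
            self.tokens -= 1
        # Every decision is recorded, denials included.
        self.audit.append({"agent": self.agent_id, "t": now,
                           "decision": decision, "sql": sql})
        return decision

    def _decide(self, sql):
        # Drop comments so they cannot hide the leading verb.
        text = re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S).strip().rstrip(";")
        if ";" in text:
            return "deny:multiple-statements"  # conservative: also hits ';' in literals
        verb = text.split(None, 1)[0].upper() if text else ""
        if verb not in ALLOWED_VERBS:
            return "deny:verb"
        if len(re.findall(r"\bJOIN\b", text, flags=re.I)) > MAX_JOINS:
            return "deny:too-many-joins"
        if self.tokens < 1:
            return "deny:budget-exhausted"
        return "allow"
```

The denial reasons in the audit list are the signal worth alerting on: a burst of `deny:budget-exhausted` or `deny:verb` from one agent identity is an early indicator of a runaway or misdirected agent flow.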
Azure Monitor: SLIs/SLOs go GA, plus metric export hygiene
Azure Monitor now exposes Service Level Indicators and Service Level Objectives as GA primitives, and Metrics Export via Data Collection Rules (DCRs) has reached GA as well. For platform engineers this consolidates SRE primitives and a policy-driven export pipeline in the same control plane your metrics already flow through.
Practically, you can define metric-based SLIs inside Azure Monitor, tie SLOs to those SLIs, and attach detectors, alerting, and dashboards to the same constructs. Metrics Export via DCRs standardizes forwarding platform and custom metrics to Log Analytics or other sinks without brittle agent config, which reduces telemetry plumbing and makes retention/ingest policies repeatable.
A few caveats: exporting high-cardinality metrics still bites; DCRs don't absolve you of cardinality control or egress cost. Use aggregation and sampling at the source, and push only what's useful for SLO measurement or incident response.
Entra-only identities for Azure Files SMB: cloud-first access
Microsoft Entra ID-only authentication for Azure Files (SMB) is now GA. In plain terms: you can secure SMB shares with cloud-only Entra identities and avoid hybrid AD or domain-join complexity for many workloads. This is a practical move for modernizing lift-and-shift file share patterns and reducing on-prem identity glue.
Reality check: legacy Windows apps that require Kerberos constrained delegation or deep AD attributes will still need Active Directory. But if you're hosting line-of-business apps in Azure and maintaining brittle AD syncs just to serve file ACLs, adopt Entra-only SMB where supported: it's simpler, reduces ops, and is auditable.
Azure DevOps Server patches: patch now
Microsoft released security updates for supported Azure DevOps Server on-prem versions. If you're running on-prem DevOps, these patches are not optional. On-prem remains a higher-opportunity, higher-risk surface compared to Azure DevOps Services; these updates are a reminder that staying current matters and that, for many teams, migrating to the SaaS offering offloads this constant churn.
What to change first
- Treat the managed database proxy (SQL MCP-style connectors) as a service perimeter: short-lived creds, strict RBAC, query budgets, observability.
- Convert SLO work to Azure Monitor SLIs/SLOs where feasible and use DCRs to centralize metric routing, but curb cardinality upstream.
- Move eligible SMB shares to Entra-only identity and decommission fragile AD syncs where possible.
- Patch Azure DevOps Server immediately or accelerate SaaS migration.
This week's releases are less about novelty and more about operational maturity. Azure is handing teams the tools to make reliability measurable and agentic data access governable. Use them, and design the boundaries clearly, because the failures you'll prevent are exactly the ones you won't notice until an AI-driven job floods your DB or a forgotten DevOps instance is exploited.