Turn your real-world experience into part of the show.

Microsoft Azure Podcast – Cloud Architecture, Security & Operations Episodes

Microsoft Azure is more than a collection of cloud services — it is an operating environment where identity, networking, security, and automation converge. The Azure Talk category explores how Azure behaves in real production scenarios, where architectural choices determine reliability, security posture, and long-term cost.

These episodes cover Azure fundamentals such as resource organization, subscriptions, management groups, networking design, identity integration, automation, monitoring, and cost governance. Special attention is given to how Azure services interact with Entra ID, Microsoft 365, and on-premises environments, as well as how security boundaries are enforced — or accidentally bypassed.

Azure Talk is not focused on quick-start tutorials or certification-style walkthroughs. Instead, we analyze architectural intent, failure modes, and operational consequences of design decisions made early in cloud adoption. Topics often include misconfigured identity flows, insecure automation, insufficient network segmentation, and the hidden risks of over-delegation to cloud-native services.

This category is designed for cloud architects, engineers, and IT leaders who need to understand Azure as a long-term platform rather than a collection of isolated services. If you are responsible for designing, operating, or securing Azure workloads in an enterprise environment, Azure Talk provides practical, experience-driven insight into how Microsoft Azure works in the real world.
Jan. 13, 2026

Azure Governance Is Not Documentation – Do This Instead

Most enterprises tell themselves a comfortable story: “We moved to Microsoft Azure, therefore we’re modern.” That story keeps people calm—right up until the first budget review, the first audit, or the first outage postmortem. Because cloud strategy isn’t a technology decision. It’s a decision about how the business wants to operate.Across dozens of large enterprises—different industries, same patterns—the same failures repeat.If cloud strategy were working, why do the same failures keep happening?Here’s the open loop: governance can increase speed when it removes ambiguity instead of adding paperwork.
Guest: Mirko Peters
Jan. 8, 2026

How to Fix AI Governance in Microsoft 365

AI governance doesn’t fail because of missing policies — it fails because no one owns the moment when things go wrong.In this M365.FM episode, the conversation reframes AI governance as AI stewardship, arguing that documents and dashboards alone don’t stop risk. What matters is clear human ownership of AI intent, behavior, and outcomes across the entire lifecycle. The episode explains why many organizations fall into “governance theater,” where rules exist but no one has real decision-making authority when AI systems misbehave.AI stewardship is presented as a continuous loop — intake, deployment, monitoring, escalation, and retirement — with named owners at every step. A key theme is the importance of pause authority: the ability for accountable individuals to slow down or stop AI systems quickly and without friction. The discussion also highlights how Microsoft’s tools, such as Entra and Purview, can help operationalize stewardship by tying decision rights directly into techn…
Guest: Mirko Peters
Jan. 2, 2026

Entra ID Conditional Access Is Broken – Do This Instead

Everyone thinks their Azure outages and breaches start with networks, costs, or misconfigured virtual machines, but this episode argues that the real failure almost always begins much higher up, in identity itself. The speaker reframes identity not as a simple login service but as Azure’s true control plane: a distributed decision engine that compiles signals about users, devices, risk, roles, and exceptions into every authorization decision. Over time, small “temporary” exceptions in conditional access, hybrid identity sync, workload identities, and guest access accumulate into what he calls identity debt, where policies drift far from their original intent and become unpredictable. Hybrid synchronization faithfully copies old on-prem assumptions into the cloud without preserving governance boundaries, while conditional access sprawl turns clean intent into fragile, probabilistic behavior hidden behind exclusions. Networks, firewalls, and endpoints cannot compensate for this, because…
Guest: Mirko Peters
Dec. 31, 2025

How AI Broke Your Entra Security (And How to Fix It)

The demo worked in ten minutes. The audit took ten weeks. That gap is where most modern security failures are born. A team asked an AI agent to wire up identity, and it did exactly what it was trained to do: choose the fastest, most common path. Secrets instead of certificates. Broad permissions instead of narrow intent. Wildcard redirects to keep things moving. Nothing broke. That was the problem.Here’s the uncomfortable truth: the system wasn’t misconfigured. Responsibility was outsourced. When you treat AI like a peer, it fills in gaps with probability, not policy. Every unstated rule becomes a guess, and every guess scales. One working app becomes ten, then fifty, each drifting a few degrees from what you meant. Not dramatically. Quietly. Conveniently.Speed feels real at first. Tokens flow, tests pass, production lights stay green. But governance dissolves when defaults go unchallenged. The model doesn’t know your rules; it knows the internet’s habits. And habits favor con…
Guest: Mirko Peters
Dec. 21, 2025

How to Stop Active Directory Security Drift Before a Breach

This episode explores the concept of Active Directory security drift—how environments gradually move away from their original secure configuration over time. Even well-designed setups become vulnerable as changes accumulate through daily operations, admin actions, or incomplete processes.The discussion highlights that drift is often subtle and goes unnoticed, yet it can introduce serious risks such as excessive permissions, outdated settings, and weakened security controls. These issues make it easier for attackers to escalate privileges and move laterally within a network. ()A key takeaway is that security is not a one-time setup but an ongoing process. Organizations need continuous monitoring, regular reviews, and automation to maintain a secure baseline and detect unwanted changes early. Without this, even mature environments can slowly degrade into insecure states.Overall, the episode emphasizes that security drift is inevitable—but unmanaged drift is dangerous, making…
Guest: Mirko Peters
Dec. 21, 2025

How Ransomware Crews Really Move Through Your Active Directory

Security drift in Active Directory and Azure AD isn’t a single bug — it’s the slow, invisible decay of identity, permissions, and governance posture that happens when environments aren’t routinely managed and remediated. Over time, this drift increases risk, weakens access controls, and creates blind spots that attackers can exploit.In this episode, we break down what security drift really means in the context of Microsoft Entra Active Directory and Entra ID, how it develops, what causes it, and what you can do to prevent it — not just detect it.
Guest: Mirko Peters
Dec. 12, 2025

How to Build a Multi‑Agent Copilot in Microsoft 365 That Auditors Trust

Ever trusted an AI answer that felt certain, then realised you couldn’t prove where it came from? This video is a forensic walkthrough of how single agents hallucinate, leak data, drift off stale indexes, and fail every audit that matters – and how to fix it with a multi-agent reference architecture in Microsoft 365. You’ll see exactly how SPFx + Azure OpenAI + LlamaIndex chains go wrong: weak RAG retrieval, no rerank, ornamental citations, prompt injection, over-privileged Graph connectors, and stale SharePoint indexes. Then we rebuild the system with dedicated agents for retrieval, rerank, verification, red-team and blue-team policy, maintenance, and compliance, all fronted by Azure API Management and permission-aware Microsoft Search or Copilot retrieval. You’ll learn how to enforce chain of custody, log prompts and tool calls, require line-level citations, and replay answers on demand for regulators and boards. If you care about AI you can defend, not just demo, this is your bluep…
Guest: Mirko Peters
Dec. 11, 2025

How to Fix Document Chaos in Microsoft 365 With Purview

In a recent podcast, Mirko Peters discussed the critical importance of effective document management and compliance in organizations, emphasizing that lost documents can lead to organizational failure. He presented strategies for building an audit-ready Enterprise Content Management (ECM) system in the cloud, using tools like SharePoint and Purview to create a robust defense against regulatory scrutiny. The conversation highlighted the alignment with standards such as ISO 27001, GDPR, and SOC 2, which are essential for surviving inspections.Peters outlined a structured approach to document management, including defining ownership, lifecycle management, and implementing data loss prevention (DLP) measures. He stressed the need for clear policies, sensitivity labels, and regular audits to ensure compliance and mitigate insider risks. The discussion also covered the importance of collaboration between HR, legal, and security teams to maintain a culture of compliance.This podcast …
Guest: Mirko Peters
Dec. 9, 2025

How to Run Hybrid Quantum Jobs in Azure with Python and QAOA

This episode performs an “autopsy” on why classical optimization collapses on NP-hard problems and how hybrid quantum methods, especially QAOA on Azure, can triage them. It explains qubits, superposition, entanglement, and interference as tools for exploring many “maybes” at once, while a classical optimizer steers parameters. You’ll hear how Azure Quantum workspaces, simulators, and QPUs fit into normal Python- and DevOps-driven workflows, with an emphasis on logging, governance, and avoiding hype. Two case files—logistics max-cut and healthcare workforce scheduling—show how hybrid QAOA reduces congestion, overtime, and time-to-decision by reading histograms instead of chasing a single “best” answer. The episode closes with architecture patterns, security and reliability practices, and Microsoft’s motive for getting teams quantum-ready early: not magic speedups, but compounding gains from faster, more resilient decisions.
Guest: Mirko Peters
Dec. 8, 2025

How to Use Managed Identity with PowerShell for Microsoft Graph API

Still writing PowerShell against MSOnline and AzureAD modules in 2025? This episode explains why that stack is legacy – and how to go API-first with pure REST and Microsoft Graph. We walk through the core “token, headers, REST call” pattern, three real-world auth flows (device code, client credentials with certificates, and managed identity), plus the one token audience gotcha that breaks most Graph scripts.You’ll see how to build cross-platform Graph automation that runs cleanly on Linux, containers, GitHub Actions, Azure Functions, and Azure Automation – with no fragile module dependencies. Then we apply the pattern to enterprise scenarios: Intune device cleanup, identity onboarding, and compliance drift detection and remediation, all with least-privilege Graph permissions, robust retry logic, pagination helpers, and full audit trails in Log Analytics.If you’re an Azure, Intune, or Microsoft 365 engineer who’s tired of “works on my laptop” modules, this practical Graph-first…
Guest: Mirko Peters
Dec. 8, 2025

How to Build Reliable AI Agents for Intune and Entra ID.

Tired of chatbots that answer Intune incidents with poetry instead of fixes? In this episode, we go hands-on with Azure AI Foundry and Semantic Kernel to build a mini, self-healing, governed multi-agent system for enterprise IT. You’ll learn why single agents stall on real Intune, Entra ID, and Microsoft Graph workflows, and how planner, operator, reviewer, and concierge agents collaborate to deliver faster, safer automation. We break down patterns for tool-driven remediation, identity-scoped actions, content safety, and observability, then apply them to three real-world scenarios: ghost device cleanup in Intune, truly zero-touch onboarding, and automated BitLocker security hardening. Along the way we mix small language models with GPT-4-class reasoning models to cut cost, reduce hallucinations, and keep prompts short while still getting production-grade results. If you’re an Azure, Intune, or security engineer looking to turn AI agents into reliable teammates instead of risky toys, t…
Guest: Mirko Peters
Dec. 7, 2025

How to Use Azure Automation to Clean Up Your Intune Estate

Stop patching ghosts and start running a self-healing workplace. This Podcast reveals why Microsoft Intune alone can’t scale your endpoint management – and how pairing Intune with Azure, Automation, Functions, Microsoft Graph, managed identities and Log Analytics turns chaos into a quiet, secure estate. You’ll see how configuration drift, stale devices, manual reports and “global admin for everything” culture silently open the door to attackers, then watch how event-driven automation cleans the graveyard, enforces zero trust, and fixes non-compliant devices before users even notice. Real enterprise scenarios show 40%+ fewer ghost devices, onboarding times dropping from days to minutes, and mean time to remediate falling from days to under an hour. If you manage thousands of Windows laptops, kiosks and mobile devices, this Intune and Azure architecture guide is your blueprint for scalable compliance, predictable conditional access and truly automatic security hardening.
Guest: Mirko Peters
Dec. 7, 2025

Soft Delete, MUA, Vault Lock: The Only Azure Backup Safety Net You Have

Think your Azure backups are safe by default? They’re not. In this episode, we uncover how a single over-privileged identity can quietly kill “immutable” backups in Azure. You’ll hear real-life attack paths using compromised automation, shadow admins, and broad Contributor or Owner roles that delete items, purge soft-deleted points, and quietly zero out retention. Then we walk through a three-step hardening blueprint: enable soft delete on every vault, enforce multi-user authorization on destructive changes, and weld safety in with Vault Lock and least-privilege IAM. Learn how to isolate backup vaults, use PIM and Azure Policy, and monitor critical events with Sentinel so your recovery points survive ransomware, panic clicks, and misconfigurations in real Azure environments, especially for admins and security teams.
Guest: Mirko Peters
Dec. 1, 2025

Admin Consent in Entra ID: The One Click That Exposes Your Tenant

The podcast explains how attackers bypass MFA by abusing OAuth consent instead of stealing passwords. When a user or admin approves a malicious “productivity” app, it gets tokens with scopes like mail or files read and offline_access. That lets the attacker quietly read email, files and chats for months, even after password resets and new MFA devices. Normal identity events don’t revoke these grants; you must remove the OAuth grant or service principal itself. The host stresses three Entra controls: lock down user consent to low-risk scopes, only allow verified publishers, and route risky permissions through an admin consent workflow. Combined with rigorous logging, reviews and revocation, these steps eliminate most consent-based attacks in modern cloud identity environments today.
Guest: Mirko Peters
Nov. 29, 2025

How to Diagnose GPU Underutilization in Production AI Systems

In this episode of The M365 Show we investigate a familiar but often misunderstood failure pattern in enterprise AI: GPU costs rise, throughput collapses and latency becomes unpredictable, even though the dashboards look healthy and the models appear to work. Instead of blaming parameters or architectures, we treat the problem as a forensic case and follow the evidence through the entire compute pipeline.We walk through a realistic Stable Diffusion workload under concurrency, with strict P95 latency objectives and GPU hardware that looks perfectly adequate on paper. From there, we trace how silent CPU fallback in ONNX Runtime, subtle version mismatches across CUDA, cuDNN, TensorRT and ONNX Runtime, and container misconfiguration combine into a single pathology that turns an accelerator into an expensive heater. The system continues to return correct outputs, but at 10 to 30 times the expected latency and with a fraction of the intended throughput.Building on that, we construct…
Guest: Mirko Peters
Nov. 16, 2025

Why Your Azure Invoice Explodes Each Month (And How a Mini PC Fixes It)

Still paying sky-high cloud rent for servers you can’t even touch? This episode shows you how to bring “the cloud” home, slash your Azure bill, and keep all the governance, security, and automation you actually care about. You’ll learn how Azure Arc lets your own mini-PCs and edge boxes wear an Azure badge, so they obey the same policies, Defender rules, RBAC, and monitoring as any public region. Then we go step-by-step through Azure Local: zero-touch voucher USB enrollment, spinning up a private Azure region on a shoebox-sized PC, and deploying VMs and AKS from the same portal you already use. We expose the AD trap and replace it with certificate-based identity in Azure Key Vault for cleaner, auditable zero-trust at the edge. Finally, we break down the economics: swap 24/7 VM rent for one-off hardware, tiny power draw, and predictable Capex—while keeping burst workloads in the public cloud. If you’re a CIO, architect, or DevOps lead tired of roulette-cloud billing, this is your playb…
Guest: Mirko Peters
Nov. 15, 2025

Cloud Costs Exploding After AI? Here’s the Real Reason

Stop your cloud migration. Seriously. If you’re still bragging about being “cloud first,” this episode will show you why your shiny Azure estate is actually AI hostile. 🧨We break down the brutal truth: lift-and-shift doesn’t modernize anything—it just moves your technical debt into someone else’s data center. Your VMs won’t give Copilot safe, governed access to data… they’ll give it a front-row seat to your permissions sprawl, lineage gaps, and compliance nightmares.You’ll learn:Why cloud ≠ AI (and how your 2015 migration is blocking 2025 AI use cases)The Fintrax case study: “cloud-first” optics, AI pilot failure, compliance incident, and a 70% cost blowoutThe 3 pillars of real AI readiness: data discipline, MLOps maturity, and governance talentA no-BS 3-step playbook: Unify → Fortify → Automate so every AI decision becomes traceable and defensibleIf your roadmap still reads like a relocation plan instead of an AI architecture, hit play before you burn the next dec…
Guest: Mirko Peters
Nov. 9, 2025

How to Move AD Groups to Entra ID Without Breaking Access

Managing identity in 2025 shouldn’t feel like running a smartphone next to a rotary phone, but that’s exactly what happens when organizations rely on both on-prem Active Directory and Microsoft Entra ID. This episode breaks down the real cost of that dual-directory setup: mismatched policies, sync drift, failed Conditional Access checks, and endless “I can’t log in” tickets.We start by explaining the Source of Authority—who actually owns your users and groups—and why hybrid sync was meant to be a bridge, not a permanent home. You’ll learn how the IsCloudManaged property flips ownership from AD to Entra ID and why that shift is essential for Zero Trust, modern governance, and consistent authentication.Before moving anything, preparation is key. We walk through cleaning up stale AD objects, checking synchronization health, enforcing MFA, and documenting the attribute and app dependencies that can break during migration.Finally, we cover why groups should move first, how to i…
Guest: Mirko Peters
Nov. 3, 2025

How to Migrate Bing Maps to Azure Maps in Power BI Safely

You Thought Your Power BI Maps Were Safe breaks down the Bing Maps → Azure Maps eviction — and why this is not optional, not cosmetic, and not “a visual upgrade.”As of Oct-2025, Bing Maps visuals are deprecated.If you don’t migrate, your map visuals become blank boxes.This episode explains what’s actually changing, why Azure Maps is a compliance-era replacement — not a skin swap — and the admin switches you MUST flip in the tenant before anything works.We cover the migration traps, the false comfort of “auto convert,” and the difference between visuals that render and visuals that survive production.This is not a warning — it’s a countdown.
Guest: Mirko Peters
Oct. 24, 2025

Azure File Sync Migration to Managed Identity Step by Step

Azure File Sync still “works” for many orgs—but on 2010s-era auth: local X.509 certs and SAS tokens. Those are possession-based secrets: whoever holds them is “you.” They sprawl into scripts, backups, repos, and logs; they expire silently; and one leak grants silent exfiltration via valid creds. That isn’t identity—it’s superstition.The modern fix is Managed Identity (MI). Each Storage Sync Service and registered server authenticates through Entra ID with short-lived tokens; no static keys, no cert renewals, no whitelisting of cert endpoints. RBAC replaces secret distribution; revocation is instant; every call is auditable.Migration is housekeeping, not heart surgery: update the File Sync agent, enable system-assigned MI on Azure VMs (or Azure Arc + MI for on-prem/other-cloud servers), flip the Storage Sync Service to MI, and let Azure apply least-privilege roles to the storage account and shares. Outcome: fewer open URLs, zero secrets to rotate, uniform logging, and governanc…
Guest: Mirko Peters
Oct. 24, 2025

Group Writeback for Entra ID: Keep Old File Servers Working While You Modernize

Most orgs still treat on-prem AD groups as sacred, syncing them to Entra ID and calling it “hybrid.” In reality, those objects are zombies: visible in Entra but ruled by on-prem, which blocks modern governance (dynamic membership, access reviews, APIs) and slows HR-driven provisioning. The fix is recognizing Source of Authority (SoA) per object. Groups that matter to cloud workloads should be cloud-managed (isCloudManaged=true), with Group Writeback used only where legacy systems still need on-prem visibility. Entra brings dynamic rules, self-service, access reviews, and unified audit; AD brings inertia and gray, read-only fields. The path forward: inventory and purge “zombie” groups, classify what stays, finish Exchange migrations, convert eligible security groups to Entra authority, and enable writeback via Cloud Sync for any remaining on-prem dependencies. This isn’t rebellion; it’s alignment—put governance where work happens. Let AD retire into archival role; let Entra run identit…
Guest: Mirko Peters
Oct. 23, 2025

How Azure PostgreSQL Wastes Your Money (And How to Stop It)

Azure Database for PostgreSQL – Flexible Server isn’t pricey because of traffic; it’s pricey because defaults quietly overprovision compute, storage, and HA. “Managed” means patched, not optimized—you still pay for VM cores at idle, disks that only grow, and standby replicas that double costs while doing nothing. The audit hits five leak paths: baseline vCores (and burstable traps), storage auto-grow with no auto-shrink, Premium SSD v2 overbuy (capacity + IOPS + MB/s), HA mirroring that bills 2× for zero business value in most tiers, and backups/maintenance that charge or reboot when you’re not looking. The playbook: right-size from observed metrics, cap/trim storage, reserve HA for revenue-critical writes, use read replicas where they earn their keep, set custom maintenance windows, and pair snapshots with tested logical dumps. Cost control isn’t a SKU—it’s discipline: measure, cap, schedule, and delete the “temporary” you forgot. Defaults prevent support tickets, not invoices.
Guest: Mirko Peters
Oct. 22, 2025

How to Run Azure App Gateway Without Any Public IP Exposure

For years, a “private” Azure Application Gateway still needed a public IP and outbound Internet just to talk to Microsoft’s control plane. Management (control plane) and user traffic (data plane) shared the same door—an architectural contradiction that forced ugly firewall exceptions, Azure-DNS dependencies, and auditor discomfort. The new Network Isolation model finally fixes it: control traffic now travels entirely over Azure’s private backbone, fully separated from your app’s data path. Enable a subscription flag, deploy new gateways, and you can drop the public IP, block all Internet egress, use your own DNS, and still keep WAF, probes, scaling, and cert automation humming. Caveat: isolation applies to new gateways (no in-place flip), and Private Link pairing isn’t supported yet on isolated builds. The move isn’t just config—it’s philosophy: Zero Trust by structure, not exception. Register the flag, redeploy, and retire every “temporary” rule that kept your “private” gateway kinda…
Guest: Mirko Peters
Oct. 21, 2025

Why Your Multi Cloud Architecture Breaks Performance (And How to Fix It)

Multi-cloud sounds like freedom—until physics and billing collide. Stitching Azure, AWS, and GCP together turns “resilience” into a toll road: you pay egress to leave one cloud, port/cross-connect fees in the colocation meet-me, and operational overhead to run three of everything (IAM, gateways, monitors, DNS). Latency adds a hidden tax: even with private interconnects, packets still traverse real buildings and fiber, so microseconds compound into slower pipelines and bigger clusters “to compensate.” The result: triple networks, triple consoles, triple invoices—often to move the same dataset in circles.Fixes aren’t shiny services; they’re disciplined design. Pick a primary cloud (where the data lives) and treat others as satellites. Prefer shared services/APIs over bulk data copies—compute near storage, move results, not raw tables. If multi-cloud is unavoidable, colocate smartly: choose regions in the same metro and land in the same carrier-neutral facility to cut latency and cos…
Guest: Mirko Peters