Notes from the field
Writing on cloud, DevOps, security, and AI engineering, informed by what actually goes wrong in production.
Defender for Cloud: cutting through the noise
Microsoft Defender for Cloud surfaces a lot. Here's how I prioritize so the team acts on what matters and ignores the rest, without drowning in tickets.
Microsoft Sentinel for small teams: getting real value without a SOC
You don't need a 24/7 security operations center to get value from Sentinel. Here's how a small team can deploy it pragmatically and actually use what they collect.
Azure DevOps Variable Groups and Key Vault: the right way
Linking Azure Key Vault to Azure DevOps Variable Groups is the cleanest way to handle secrets in pipelines. Here's how to set it up properly, and the gotchas to avoid.
Self-hosted GitHub Actions runners on Azure: when, and how
When to move off GitHub-hosted runners onto your own Azure VMs or container apps and how to do it without inheriting an ops nightmare.
Deploying Next.js to Azure App Service with GitHub Actions
A practical, production-ready setup for deploying Next.js to Azure App Service via GitHub Actions — including standalone output, OIDC, and the gotchas no one warns you about.
Microsoft Entra ID PIM: a practical setup that doesn't break the team
Privileged Identity Management is one of the highest-leverage security upgrades you can make. Here's how I roll it out without grinding admin work to a halt.
Bicep vs Terraform on Azure: a practical take
Both deploy Azure resources. Both are good. Here's how I actually choose between them on real projects.
Key Vault RBAC vs Access Policies: migrate now, your future self will thank you
Azure Key Vault has two permission models. One is the future, one is the past, and most of us are still using the past. Here's how to switch.
Federating GitHub Actions to Azure with OIDC — no more client secrets
A walkthrough of how to deploy from GitHub Actions to Azure without storing a client secret anywhere. Faster, safer, easier to rotate.
Conditional Access policies every Entra ID tenant should have
A baseline set of Conditional Access policies that block 80% of identity attacks — without becoming a productivity drag for your users.
Hardening a new Azure subscription: my first-10-settings checklist
The first ten things I configure on every new Azure subscription before any workload goes near it. Identity, policy, monitoring, and the things teams forget until it's too late.