Skip to main content

Least Privileged Access Required to View Azure App Service Log Stream: Complete Guide

Least Privileged Access Required to View Azure App Service Log Stream: Complete Guide

The Log Stream in the Azure portal is greyed out — but az webapp log tail works fine from the CLI. This guide explains why, covers every permission path, and gives you the minimum viable custom role to unblock the portal UI without granting Contributor.

Reader
Not Enough
Reader and Monitoring Reader cannot access Log Stream — Kudu SCM requires a write-level permission
Kudu SCM
Log Stream routes through Kudu (the SCM companion app) — not through the standard Azure Monitor APIs
2 permissions
Minimum for portal Log Stream: Microsoft.Web/sites/write AND Microsoft.Web/sites/publish/Action
Custom Role
A scoped custom role grants Log Stream access without giving full Contributor across the resource group
⚠ The Core Problem — Why Reader Is Not Enough

Azure App Service Log Stream does not use the same access path as other Azure Monitor features. Log Stream is served by Kudu — the companion SCM (Source Control Manager) app that runs alongside every App Service at https://<appname>.scm.azurewebsites.net. Access to Kudu requires write-level permissions on the App Service resource, specifically Microsoft.Web/sites/write or Microsoft.Web/sites/publish/Action.

Reader, Monitoring Reader, Log Analytics Reader — none of these include a write action on Microsoft.Web/sites. That is why the Log Stream panel is greyed out in the portal for users with only read access, even though the Azure CLI az webapp log tail command works — because the CLI authenticates differently using your full Azure credential, which in your case likely has broader permissions than the portal RBAC check sees.

Understanding the Architecture

Why Log Stream Requires Write Access — The Kudu Architecture

Every Azure App Service has two websites. The first is your application — the one your users access. The second is the Kudu SCM site — a management companion app that Azure creates automatically and that runs at https://<your-app-name>.scm.azurewebsites.net. Kudu handles deployments, provides a web-based console, enables log file access, and most relevantly, serves the Log Stream endpoint at /api/logstream.

When you open Log Stream in the Azure portal, the portal navigates you to the Kudu SCM endpoint. This is not an Azure Monitor query against a Log Analytics Workspace — it is a live HTTP streaming connection to the Kudu app. Kudu enforces its own authentication, which ties back to Azure RBAC. Kudu requires that the authenticated identity has write-level access to the App Service resource — specifically the Microsoft.Web/sites/publish/Action permission (for Kudu access via Entra ID authentication) or the Microsoft.Web/sites/write permission (which gates the Log Stream portal panel itself).

This is a deliberate design decision by Azure, not an oversight. Kudu provides capabilities far beyond just reading logs — it gives access to the file system, a remote shell console, process monitoring, and deployment management. Requiring write-level permissions before granting any Kudu access prevents read-only users from accidentally performing potentially destructive operations through the Kudu interface, or having their tokens used for deployment operations without explicit intent.

Figure 1 — Two log access paths: Azure Monitor (Reader OK) vs Kudu Log Stream (write permission required)
Azure UserReader role orContributor roleReader ✓Azure Monitor / Log AnalyticsAppServiceConsoleLogs, AppServiceHTTPLogsQueried via Logs blade / KQLLog Analytics WorkspaceRequires diagnostic settingsNeeds Reader + LA permissionsReader ✗Kudu SCM Appappname.scm.azurewebsites.net/api/logstream endpointRequires: Microsoft.Web/sites/publish/ActionLive Log StreamReal-time stdout/stderrNo diagnostic settings neededAzure Portal UIaz webapp log tailUses your full CLIcredential — not.portal RBAC check
Log Stream in the portal goes through Kudu SCM — not Azure Monitor. Log Analytics (top path) works with Reader. Kudu Log Stream (bottom path) requires a write-level permission regardless of what the Monitoring roles grant.
Figure 2 — Decision tree: which role or permission path gets you to Log Stream access
Log Stream greyed out / UnauthorizedDo you need portal UI or CLI access or both?CLI onlyAlready works!az webapp log tail usesyour CLI session tokenPortal / bothNeed write permsites/write orsites/publish/ActionCan your admin assign a built-in role?YESWebsite ContributorScoped to the App Serviceresource level (not RG)Least privileged built-in ✓NO / more granularCustom Rolesites/write + publish/Action+ read permissions onlyTruly minimal scope ✓Alternative: Log AnalyticsEnable diagnostic settings → send logsto workspace. User queries withReader role — no Kudu needed
If you only need logs (not live stream), routing through Log Analytics avoids the Kudu permission problem entirely and works with Reader access
Role Comparison

Built-In Role Comparison — What Each Role Can and Cannot Do

This table covers every common built-in role and what it allows for each of the three App Service log access methods: portal Log Stream, CLI log tail, and Log Analytics query.

RolePortal Log StreamCLI az webapp log tailLog Analytics queryRecommended?
Owner✓ Works✓ Works✓ WorksNo — far too broad
Contributor✓ Works✓ Works✓ Works⚠ Broader than needed
Website Contributor ← recommended built-in✓ Works✓ Works⚠ Only with workspace perms✓ Best built-in option
Reader✗ Greyed out⚠ Depends on credential⚠ Only with workspace permsNo — insufficient
Monitoring Reader✗ Greyed out✗ Unauthorized✓ WorksNo — no Kudu access
Monitoring Contributor✗ Greyed out✗ Unauthorized✓ WorksNo — no Kudu access
Log Analytics Reader✗ Greyed out✗ Unauthorized✓ WorksNo — no Kudu access
Custom Role (log-stream-only) ← most minimal✓ Works✓ Works⚠ Add LA perms if needed✓ Truly minimal
Solution 1 — Quickest Fix
Solution 1 — Assign Website Contributor at Resource Scope

Solution 1: Assign Website Contributor Scoped to the App Service Resource

The Website Contributor built-in role is the least privileged built-in role that includes the write-level permissions Kudu requires. It includes Microsoft.Web/sites/write, Microsoft.Web/sites/publish/Action, and the ability to manage App Service configuration — without granting the ability to create or delete other resource types.

The critical detail: scope this role assignment to the App Service resource level — not the resource group or subscription. Assigning Website Contributor at the resource group level gives write access to every App Service in that group. Scoping to the specific App Service resource limits the access to exactly the one app that needs log access.

1
Azure Portal → App Service → [your-app-name] → Access control (IAM) → Add → Add role assignment

Open IAM on the App Service resource — not the resource group

Navigate to your App Service in the Azure portal. In the left-hand navigation menu, select Access control (IAM). This opens the RBAC management panel scoped specifically to this App Service resource. Click Add → Add role assignment.

If you navigate to IAM from the resource group instead, the assignment will apply to all resources in the group. Make sure the scope shown in the breadcrumb confirms you are at the App Service resource level, not the resource group.

2
Role tab → Search "Website Contributor" → Select → Next

Search for and select Website Contributor

In the Role tab, type Website Contributor in the search box. Select the Website Contributor role from the results. Click Next to proceed to the Members tab.

3
Members tab → Select members → search for user/group/service principal → Select → Review + assign

Select the user and assign the role

On the Members tab, click Select members and search for the user account, group, or service principal that needs log access. Select them and click Select. Click Review + assign, review the scope (it should show your App Service resource, not the resource group), and click Review + assign again to confirm.

The role assignment typically takes effect within a few minutes. The user may need to sign out and sign back in to the Azure portal for the updated permissions to appear in their session.

4

Verify the assignment worked — check effective permissions

After assigning the role, verify the user now has the necessary permissions before asking them to test. In the App Service IAM blade, click Check access → search for the user → click on their name → select Current role assignments to confirm Website Contributor is listed. Alternatively click Effective permissions and filter for Microsoft.Web/sites/write — it should now appear.

Azure CLI — Assign Website Contributor scoped to a specific App Service resource# Replace the placeholders with your actual values SUBSCRIPTION_ID="your-subscription-id"
RESOURCE_GROUP="your-resource-group"
APP_NAME="your-app-service-name"
USER_EMAIL="user@yourdomain.com"

# Build the App Service resource ID for correct scope APP_RESOURCE_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Web/sites/${APP_NAME}"

# Assign Website Contributor scoped to the specific App Service (not RG) az role assignment create \
  --assignee "${USER_EMAIL}" \
  --role "Website Contributor" \
  --scope "${APP_RESOURCE_ID}"

# Verify the assignment az role assignment list \
  --assignee "${USER_EMAIL}" \
  --scope "${APP_RESOURCE_ID}" \
  --output table
Solution 2 — Truly Minimum Permissions
Solution 2 — Custom Role with Minimal Permissions

Solution 2: Create a Custom Role with Only the Permissions Log Stream Actually Needs

Website Contributor includes permissions beyond what Log Stream strictly requires — it also grants the ability to manage deployments, configure app settings, modify SSL certificates, and several other operations. If your security posture requires truly minimum permissions, create a custom role that includes only what is needed for Log Stream access and nothing more.

The minimum set of permissions for portal Log Stream access:

  • Microsoft.Web/sites/write — required to unlock the Log Stream panel in the Azure portal
  • Microsoft.Web/sites/publish/Action — required to authenticate to the Kudu SCM endpoint via Entra ID
  • Microsoft.Web/sites/read — required to read the App Service resource in the portal
  • Microsoft.Web/sites/config/read — required to read App Service configuration (needed for the Log Stream panel to load)
  • Microsoft.Resources/subscriptions/resourceGroups/read — required to navigate to the resource in the portal

Optionally, if you also want the user to see the diagnostic settings toggle and understand what logging is configured:

  • Microsoft.Insights/diagnosticSettings/read
  • Microsoft.Web/sites/diagnostics/read
JSON — Custom role definition for App Service Log Stream access only{
  "Name": "App Service Log Stream Viewer",
  "IsCustom": true,
  "Description": "View live Log Stream via Kudu in Azure App Service portal. Cannot modify app configuration, deployments, or settings.",
  "Actions": [
    // Minimum needed to unlock Log Stream panel and authenticate to Kudu
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/write", // Unlocks Log Stream panel in portal UI
    "Microsoft.Web/sites/publish/Action", // Authenticates to Kudu SCM via Entra ID
    "Microsoft.Web/sites/config/read", // Reads app config (needed by portal panel)
    // Navigation / portal UX
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    // Optional: see diagnostic settings configuration
    "Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Web/sites/diagnostics/read"
  ],
  "NotActions": [
    // Explicitly exclude all write operations on config, SSL, slots, scale
    "Microsoft.Web/sites/config/write",
    "Microsoft.Web/sites/slots/*",
    "Microsoft.Web/sites/start/Action",
    "Microsoft.Web/sites/stop/Action",
    "Microsoft.Web/sites/restart/Action",
    "Microsoft.Web/sites/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/YOUR-SUBSCRIPTION-ID"
  ]
}
1

Save the JSON above as a file and create the custom role via CLI

Save the JSON definition above as logstream-role.json. Update YOUR-SUBSCRIPTION-ID with your actual subscription ID. Then create the custom role using the Azure CLI command below. Custom roles are available in the subscription within a few minutes of creation.

Azure CLI — Create the custom role and assign it# Step 1: Create the custom role from the JSON definition az role definition create --role-definition @logstream-role.json

# Step 2: Verify the role was created az role definition list --name "App Service Log Stream Viewer" --output table

# Step 3: Assign the custom role to the user, scoped to the specific App Service APP_RESOURCE_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Web/sites/${APP_NAME}"

az role assignment create \
  --assignee "${USER_EMAIL}" \
  --role "App Service Log Stream Viewer" \
  --scope "${APP_RESOURCE_ID}"

# Step 4: Verify effective permissions include sites/write and publish/Action az role assignment list \
  --assignee "${USER_EMAIL}" \
  --scope "${APP_RESOURCE_ID}" \
  --include-inherited \
  --output table
Solution 3 — Reader-Compatible Alternative
Solution 3 — Log Analytics Alternative (Reader-Compatible)

Solution 3: Route Logs Through Log Analytics — Works with Reader Access

If giving write-level access to the App Service is not acceptable for your security posture, there is a legitimate workaround: route App Service logs to a Log Analytics workspace and let the user query logs there. Log Analytics queries work with the Reader role on the resource plus Log Analytics Reader on the workspace. No Kudu access needed, no write permissions needed.

The trade-off: Log Analytics is not a true live stream. There is typically a 1–5 minute ingestion delay. For debugging active issues, this delay is acceptable for most use cases. For absolute real-time stdout visibility during a deployment, it is not.

1
App Service → Monitoring → Diagnostic settings → Add diagnostic setting

Enable diagnostic settings to send App Service logs to Log Analytics

Navigate to your App Service → Monitoring → Diagnostic settings → Add diagnostic setting. Select the log categories you need: AppServiceConsoleLogs (stdout/stderr from your app — the equivalent of what Log Stream shows), AppServiceHTTPLogs (HTTP access logs), and AppServiceAppLogs (application-level logs). Under Destination details, select Send to Log Analytics workspace and choose or create a workspace. Click Save.

2
Log Analytics workspace → Access control (IAM) → Add → Log Analytics Reader

Assign Log Analytics Reader to the user on the workspace

Navigate to the Log Analytics workspace used above. Select Access control (IAM) → Add role assignment. Assign Log Analytics Reader to the user who needs log access. This allows them to run KQL queries against all tables in the workspace. Combined with Reader on the App Service resource (for navigation in the portal), this gives full log visibility without any write access to the App Service.

3

Query console logs in Log Analytics — equivalent to Log Stream output

The user can now query App Service logs directly in the Log Analytics workspace, or from the App Service's own Logs blade in the portal (which uses resource-context mode and does not require Kudu). The queries below return the equivalent data to what Log Stream shows.

KQL — Queries equivalent to Log Stream output in Log Analytics// Console logs (stdout/stderr) — equivalent to Log Stream AppServiceConsoleLogs
| where TimeGenerated > ago(30m)
| project TimeGenerated, ResultDescription, Level
| order by TimeGenerated desc

// Live-like view: auto-refreshes every 30 seconds in Log Analytics AppServiceConsoleLogs
| where TimeGenerated > ago(5m)
| project TimeGenerated, ResultDescription
| order by TimeGenerated asc

// HTTP access logs (equivalent to web server log stream) AppServiceHTTPLogs
| where TimeGenerated > ago(30m)
| project TimeGenerated, CsMethod, CsUriStem, ScStatus, TimeTaken
| order by TimeGenerated desc

// Application-level errors and exceptions AppServiceAppLogs
| where Level == "Error" or Level == "Warning"
| where TimeGenerated > ago(1h)
| project TimeGenerated, Level, Message, ExceptionClass, ExceptionMessage
| order by TimeGenerated desc
Figure 3 — Complete permission map: all three solutions side by side
Solution 1: Website ContributorAssign at: App Service resource scopeIncludes: sites/write, sites/publish/ActionAlso includes: manage config, SSL, etc.Portal Log Stream: ✓CLI az webapp log tail: ✓Deploy code: ✓ (not desired)Best option if built-in role is acceptableNo extra steps neededSolution 2: Custom RoleAssign at: App Service resource scopesites/write + publish/Action + readExcludes: config/write, start, stop, restartPortal Log Stream: ✓CLI az webapp log tail: ✓Cannot modify app config: ✓Truly minimal — requires custom role setupOne-time admin taskSolution 3: Log AnalyticsReader + Log Analytics ReaderNo write permissions on App ServiceRequires diagnostic settings firstPortal Log Stream: ✗ (uses KQL instead)CLI az webapp log tail: ✗Log Analytics query: ✓ (1-5 min delay)Zero write access — best for strict orgsNot real-time — query-based
Choose based on your security requirements: Solutions 1 and 2 provide true live streaming; Solution 3 provides query-based access with Reader-only permissions
Verify Your Current Permissions

How to Check What Permissions You Currently Have

Before requesting an administrator to assign a new role, check your current effective permissions. This helps you understand exactly what is missing and present a precise ask to your admin.

Azure CLI — Check your current effective permissions on the App Service# Get your current user's object ID MY_USER=$(az ad signed-in-user show --query id -o tsv)

# Check current role assignments on the App Service az role assignment list \
  --assignee "${MY_USER}" \
  --scope "${APP_RESOURCE_ID}" \
  --include-inherited \
  --query "[].{Role:roleDefinitionName, Scope:scope}" \
  --output table

# Specifically check if you have the two key permissions for Log Stream # If either returns empty, you do not have that permission az role definition list \
  --query "[?contains(permissions[0].actions, 'Microsoft.Web/sites/write')].name" \
  --output table

# Quick test: does az webapp log tail work with your current credential? az webapp log tail \
  --name "${APP_NAME}" \
  --resource-group "${RESOURCE_GROUP}"
# If this works but portal Log Stream does not → you need write permission on the resource
⚠ Why az webapp log tail Works When Portal Does Not

The CLI command az webapp log tail authenticates using your full Azure account session — the same credentials you used when you ran az login. This session may have inherited permissions from a parent scope (subscription or resource group) that includes write-level access. The portal RBAC check specifically evaluates permissions against the App Service resource scope — and it is more strict in what it accepts. If your effective permissions at the resource level do not include Microsoft.Web/sites/write, the portal blocks Log Stream regardless of what broader permissions you might have inherited.

Key Takeaways

Log Stream in the Azure App Service portal is served by Kudu (the SCM companion app). Kudu requires Microsoft.Web/sites/publish/Action and the portal panel requires Microsoft.Web/sites/write. Reader, Monitoring Reader, and Log Analytics Reader do not include these — Log Stream will always be greyed out with these roles.
The quickest fix: assign Website Contributor at the App Service resource level (not resource group level). This is the least privileged built-in role that includes the required write permissions.
For truly minimal access: create a custom role containing only Microsoft.Web/sites/write, Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/read, and Microsoft.Web/sites/config/read. Use NotActions to explicitly exclude config/write, start, stop, restart, and delete operations.
If write access is not acceptable at all, enable diagnostic settings to route App Service logs to Log Analytics. Users with Reader + Log Analytics Reader can query the equivalent data via KQL — at a 1–5 minute ingestion delay.
Always scope role assignments to the specific App Service resource — not the resource group. A Website Contributor assignment at the resource group level grants write access to every App Service in the group.
The reason az webapp log tail works but the portal Log Stream does not is that your CLI session may have broader inherited permissions. The portal enforces the RBAC check at the resource scope more strictly.
This is a known platform limitation documented by Microsoft: Log Stream routes through Kudu APIs which have no RBAC granularity below write-level. A feedback/feature request for Reader-level Log Stream access exists but has no ETA.
Frequently Asked Questions
Why does the Microsoft documentation not mention the minimum permission needed for Log Stream?
The Azure App Service diagnostic logging documentation describes how to enable and access logs but does not specify the minimum RBAC role for each access method. This is a documented gap that has been raised in community feedback multiple times. The official guidance is that Log Stream requires write-level access because it goes through Kudu, which has no RBAC granularity below write. This guide collects all the scattered community confirmations into one place.
Can I use the direct Kudu URL instead of the portal if I have a different permission?
No. Accessing https://your-app.scm.azurewebsites.net/api/logstream directly in a browser uses the same Entra ID authentication and requires the same Microsoft.Web/sites/publish/Action permission. The Kudu authentication backend enforces the permission check regardless of whether you access it through the portal or directly. If you want to use the direct Kudu URL, you still need either Website Contributor or the custom role with publish/Action included.
I have Owner at the subscription level but Log Stream is still greyed out — why?
This is the specific behavior described in recent Microsoft Q&A threads: Azure has introduced more granular permission checks for App Service features including Log Stream, Console, and Advanced Tools. Even if you are an Owner at a subscription or resource group level, if explicit Microsoft.Web/sites/write permission has not been granted at the App Service resource scope, Log Stream will be blocked. This was introduced as part of security hardening. The fix is to add an explicit role assignment (Website Contributor or your custom role) directly on the App Service resource, even if you already have Owner at a higher scope.
Is the custom role solution safe — does giving sites/write allow the user to modify my app?
The Microsoft.Web/sites/write action does technically allow modification of the App Service resource. However, your custom role definition explicitly excludes the most impactful operations via NotActions: config/write (prevents changing app settings, connection strings), restart/Action (prevents restarting the app), stop/Action, start/Action, and delete. What remains is a narrow write permission that is needed for Kudu authentication but is constrained by the explicit exclusions. Test the effective permissions in a non-production environment before deploying this role to production.
Will this ever be fixed so that Reader can access Log Stream?
Microsoft is aware of this limitation and has acknowledged it in official community responses. A feedback request titled "Reader role should be sufficient to read the log stream of an App Service" exists and Microsoft has noted that a longer-term plan includes routing console logs to Azure Monitor Logs, at which point a Reader-level permission on the Log Analytics workspace would be sufficient. As of mid-2026, no ETA has been given. The Log Analytics workaround described in this guide (Solution 3) is the current reader-compatible path.

Popular posts from this blog

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality AWS at $37.6 billion quarterly revenue, growing 28%. $13 billion invested in Anthropic. A $100 billion Anthropic-to-AWS commitment. Trainium with $225 billion in customer revenue commitments. The most quietly powerful AI strategy in the race. By Francis Avorgbedor | Azure Engineer  ·  July 4, 2026  ·  14 min read  ·  Amazon · AWS · Cloud AI 74 SEVENAI Momentum Score — Rank #5 $37.6B AWS Q1 2026 revenue — 28% YoY growth ▲ Fastest in 15 quarters $13B Total Amazon investment in Anthropic to date ▲ Strategic anchor 100K+ Customers running Claude on AWS Bedrock ▲ Distribution moat Amazon's AI strategy is built on a thesis that every other Magnificent Seven company is testing against — and that Amazon is uniquely positioned to win regardless of the outcome. The thesis is neutrality. In a race where Microsoft has bet on OpenAI, Google has bet on Gemini, and Meta has bet...
Performance Fix Foundry Local 1.2 Linux ARM64 Embeddings Offline ASR The Edge Latency Drop: Fixing Latency Spikes by Offloading Embeddings to Foundry Local 1.2 You are paying a full cloud round trip — network, TLS, queue, throttle risk — to turn a twelve-word search query into a vector. That is the most expensive way possible to do one of the cheapest computations in your stack. Foundry Local 1.2 now runs on Linux ARM64, which means embeddings and speech recognition can happen on a Raspberry Pi, a Jetson, or a Graviton instance — offline, unmetered, and in single-digit milliseconds. The failure signature this guide resolves # Application Insights — the embedding call, not the LLM, is your tail latency: name p50 p95 p99 calls/day POST /embeddings (cloud) 89 ms 412 ms 3,847 ms 1,240,000 POST /chat/completions (cloud) 940 ms 1,720 ms 2,910 ms 38,000 ^^^^^^^^ ...

How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk

How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk Azure does not have a single "factory reset" button. What it does have is something better: the OS Disk Swap — a method that swaps out the corrupted or misconfigured OS disk for a clean Windows Server managed disk without deleting the VM, its NICs, its IP addresses, or any attached data disks. Here is how it works, when to use it, and the exact steps to execute it safely. FA Francis Avorgbedor Azure Engineer July 16, 2026 15 min read Azure VMs · Windows Server · Real-World Fix 3 Methods to achieve a clean Windows Server installation on an existing Azure VM ~15min Typical OS Disk Swap duration — VM retains its NICs, IPs, and data disks throughout 0 Data disks affected by an OS Disk Swap — data disks remain attached and untouched 1 Snapshot of the original OS disk you must take before starting — no exceptions Introduction Why Azure Does Not Have a Simple Factory Reset — and What to Do Instead On a ph...

AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use

Incident Playbook AKS Kubernetes kubectl 2026 AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use Every AKS engineer eventually faces the same nightmare: CrashLoopBackOff at 2am, pods stuck Pending for no clear reason, or nodes flipping to NotReady mid-deployment. The difference between panic and control is knowing the exact diagnostic sequence — and the real fixes that work in production. This guide gives you both. 3 commands get pods, describe pod, and logs diagnose roughly 90% of AKS incidents before you touch anything else Exit 137 The code that means OOMKilled — the container hit its memory limit and was killed by the kernel (128 + SIGKILL 9) Events The bottom of kubectl describe is where the real cause lives — Pending, FailedScheduling, and image errors all surface there CoreDNS The single component behind most "intermittent" production failures — service discovery breaks quietly and looks like an app bug Table of Contents 01 The 3 Comm...
Can I Update My Old Computer to Windows 11 — and How Much Will It Cost? Your i7, 16GB RAM, 512GB SSD machine is powerful enough to run Windows 11 comfortably. The TPM 2.0 and Secure Boot wall is a security checkbox, not a performance ceiling. Here are two proven ways to get past it, what each one costs, and what you are trading away by doing so. $0 Cost of the Windows 11 licence if your existing Windows 10 is genuine — the upgrade remains free in 2026 2 Proven methods to bypass TPM 2.0 and Secure Boot — Rufus (easy) and Registry edit (manual) 25H2 Current Windows 11 version — all known bypass methods tested and confirmed working as of July 2026 Oct 2025 Windows 10 end of life — no more security updates. Staying on Windows 10 now carries real risk. First — Check Your BIOS Before Anything Else You Might Not Actually Need a Bypass Before running any bypass, open your BIOS and look at two settings. Many computers that fail the Windows 11 compatibility check have TPM 2.0 present in the hard...

Top 100 Best AI Tools for Software Engineers and DevOps Professionals in 2026

2026 Edition 100 Tools Software Engineering DevOps AIOps Top 100 Best AI Tools for Software Engineers and DevOps Professionals in 2026 85% of developers now regularly use AI tools. Fully AI-generated code accounts for nearly 28% of all pull requests. The question is no longer whether to use AI tools — it is which ones, in which combination, for which part of the lifecycle. This guide cuts through the noise: 100 tools, 10 categories, honest pricing, real use cases, and a selection framework for building your stack without redundancy. 85% Percentage of developers who now regularly use AI tools, per JetBrains' 2025 State of Developer Ecosystem report — up from near zero three years ago 28% Share of all pull requests containing primarily AI-generated code in 2026 — the metric that signals AI coding assistants have moved from experiment to workflow $50B Cursor's reported valuation in April 2026 Series D talks — the number that signals investor confidence in the AI developer tools ma...

Azure Files vs Azure NetApp Files: Which One Should You Choose?

Azure Files vs Azure NetApp Files: Which One Should You Choose? Performance tiers, protocol support, dual-protocol capability, pricing models, SAP/Oracle/HPC suitability, data management features, and the decision framework that maps each workload type to the right service — with step-by-step setup procedures for both. FA Francis Avorgbedor Azure Engineer July 15, 2026 20 min read Azure Storage · Architecture 4 Azure Files tiers: Premium SSD, Standard Hot, Cool, Tx Optimized 3 ANF performance tiers: Standard, Premium, Ultra — all SSD-backed 4TiB ANF minimum provisioning — significant cost floor for small workloads Dual ANF serves the same data via SMB and NFS simultaneously — AF cannot Introduction Two Services, One Surface Area — Completely Different Purposes Microsoft offers two fully managed, enterprise-grade file storage services in Azure. They share a surface area — both serve file shares over standard protocols, both run on managed infrastructure, and both integrate with Microsof...
Troubleshooting Guide AKS Kubernetes Real Solutions kubectl Azure Kubernetes Service (AKS) Troubleshooting Guide: Real Solutions to Common Problems CrashLoopBackOff at 2am. Pods stuck Pending with no obvious cause. Nodes going NotReady mid-deployment. DNS resolution silently failing in production. Every AKS engineer encounters these — the difference between engineers who panic and engineers who stay calm is knowing the exact sequence of diagnostic commands to run. This guide gives you that sequence, the root cause analysis for each failure mode, and the fix. 3 commands 90% of AKS problems are diagnosed with the same three kubectl commands: describe pod, logs --previous, and get events — in that order, every time Exit 137 The exit code that tells you everything: container killed by SIGKILL — either the Linux OOM killer (memory limit exceeded) or kubelet after grace period expired 5 min The CrashLoopBackOff ceiling: Kubernetes applies exponential backoff (10s → 20s → 40s → 80s → 160s → 3...

How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service

Step-by-Step Guide Azure OpenAI App Service Production Python How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service From zero to a production-grade AI chatbot: provision Azure OpenAI, write a streaming Flask API backend, deploy it on Azure App Service with Managed Identity, wire in conversation history and content safety, and instrument it with Application Insights — all with complete code and Terraform IaC. No API keys in environment variables. No hardcoded secrets. No half-finished PoC patterns. 7 phases This guide covers the full deployment lifecycle: architecture design → resource provisioning → backend code → App Service deployment → streaming → security → monitoring Zero keys The chatbot authenticates to Azure OpenAI using Managed Identity and DefaultAzureCredential — no API keys stored in environment variables, Key Vault, or code SSE Server-Sent Events stream GPT tokens to the browser as they generate — the same token-by-token typing effect users expect from pr...
Planning Guide Site-to-Site VPN Gateway SKUs BGP & IPsec Azure Site-to-Site VPN Prerequisites: Network Planning, Gateway Requirements, IPsec, and Routing Half of what determines whether a Site-to-Site VPN deployment goes smoothly happens before the gateway exists at all — the subnet size, the SKU, the address space plan, and the ASN choice are all decisions that are painful or impossible to change once traffic is flowing. Get the prerequisites right, and the actual gateway creation is the boring, predictable part. Current status, verified Azure is actively consolidating VPN Gateway SKUs. The Basic SKU and the original VpnGw1–VpnGw5 SKUs are being phased out in favor of zone-redundant AZ SKUs (VpnGw1AZ through VpnGw5AZ), which Microsoft now recommends for all new deployments. After June 2026, Azure will attempt to automatically migrate remaining Standard and High Performance SKU gateways — and that migration can fail outright if the gateway subnet is too small for the target SKU. T...