bbabafemi
Blog

Notes from the field

Writing on cloud, DevOps, security, and AI engineering, informed by what actually goes wrong in production.

Security

Defender for Cloud: cutting through the noise

Microsoft Defender for Cloud surfaces a lot. Here's how I prioritize so the team acts on what matters and ignores the rest, without drowning in tickets.

April 21, 2026 3 min read
Security

Microsoft Sentinel for small teams: getting real value without a SOC

You don't need a 24/7 security operations center to get value from Sentinel. Here's how a small team can deploy it pragmatically and actually use what they collect.

April 7, 2026 4 min read
DevOps

Azure DevOps Variable Groups and Key Vault: the right way

Linking Azure Key Vault to Azure DevOps Variable Groups is the cleanest way to handle secrets in pipelines. Here's how to set it up properly, and the gotchas to avoid.

March 24, 2026 4 min read
DevOps

Self-hosted GitHub Actions runners on Azure: when, and how

When to move off GitHub-hosted runners onto your own Azure VMs or container apps and how to do it without inheriting an ops nightmare.

March 15, 2026 4 min read
AI, Featured

Evals for LLM apps: from vibes to numbers

If you ship an LLM feature without evals, you're flying blind. Here's how to set up evaluations that actually catch regressions, in a few hundred lines of code.

March 10, 2026 4 min read
AI

Securing AI endpoints: PII, prompt injection, and output filtering

Three categories of attack on production LLM endpoints and the defensive patterns that actually work in practice.

March 1, 2026 4 min read
DevOps, Featured

Deploying Next.js to Azure App Service with GitHub Actions

A practical, production-ready setup for deploying Next.js to Azure App Service via GitHub Actions — including standalone output, OIDC, and the gotchas no one warns you about.

February 24, 2026 4 min read
AI

Azure AI Foundry: my honest first impressions

I've been using Azure AI Foundry on real projects for several months. Here's what's good, what's frustrating, and where it fits in the AI tooling landscape.

February 10, 2026 4 min read
AI

Cost control patterns for Azure OpenAI in production

Token spend on LLM features can go non-linear quickly. Here are the patterns I use to keep Azure OpenAI bills predictable without compromising the experience.

January 27, 2026 4 min read
DevOps

Azure DevOps YAML pipelines: multi-stage patterns that scale

How I structure multi-stage YAML pipelines once a single-file pipeline gets unwieldy. Templates, environments, approvals, and the small things that make a big difference.

January 13, 2026 3 min read
Security

Microsoft Entra ID PIM: a practical setup that doesn't break the team

Privileged Identity Management is one of the highest-leverage security upgrades you can make. Here's how I roll it out without grinding admin work to a halt.

December 16, 2025 4 min read
AI, Featured

Building a private RAG with Azure AI Search and Azure OpenAI

An end-to-end blueprint for a retrieval-augmented chat over your own documents — locked down behind Private Endpoints and identity, deployed entirely on Azure.

December 2, 2025 4 min read
DevOps

Bicep vs Terraform on Azure: a practical take

Both deploy Azure resources. Both are good. Here's how I actually choose between them on real projects.

November 18, 2025 4 min read
Security, Featured

Key Vault RBAC vs Access Policies: migrate now, your future self will thank you

Azure Key Vault has two permission models. One is the future, one is the past, and most of us are still using the past. Here's how to switch.

November 4, 2025 3 min read
DevOps

Branch policies in Azure Repos: a production-ready setup

The branch protection settings I configure on every Azure Repos repo to keep main always shippable — and the ones I deliberately don't enable.

October 21, 2025 3 min read
AI

Azure OpenAI vs OpenAI direct: which to choose

Same models, very different operational stories. A practical comparison from someone who's shipped both.

October 7, 2025 3 min read
DevOps

Federating GitHub Actions to Azure with OIDC — no more client secrets

A walkthrough of how to deploy from GitHub Actions to Azure without storing a client secret anywhere. Faster, safer, easier to rotate.

September 23, 2025 3 min read
Security, Featured

Conditional Access policies every Entra ID tenant should have

A baseline set of Conditional Access policies that block 80% of identity attacks — without becoming a productivity drag for your users.

September 9, 2025 3 min read
DevOps, Featured

GitHub Actions vs Azure Pipelines: when to use which in 2025

Both are excellent. The question isn't which is 'better' — it's which fits your team's working model. A practical breakdown.

August 26, 2025 3 min read
Security, Featured

Hardening a new Azure subscription: my first-10-settings checklist

The first ten things I configure on every new Azure subscription before any workload goes near it. Identity, policy, monitoring, and the things teams forget until it's too late.

August 12, 2025 3 min read