Default outbound access for VMs in Azure will be retired September 2025

Reading Time: 2 minutes

You may have read or heard about the recent announcement from Microsoft that default outbound access for VMs in Azure will be retired on 30th September 2025, and that you will need to use explicit outbound connectivity methods such as Azure NAT Gateway, Azure Load Balancer outbound rules, or a directly attached Azure public IP address.

Yes, when you deploy a virtual machine in Azure, outbound internet connectivity is enabled by default allowing you to browse the Internet. This default configuration is changing.

What happens to my Virtual Machines' default outbound connectivity if I don’t make this change?
According to the announcement, existing VMs that use default outbound access will continue to work after the retirement; however, Microsoft strongly recommend transitioning to an explicit outbound method.

I posted the announcement on LinkedIn and this retirement notice was welcomed by techies. Here are a few comments. Let me know what you think in the comments section below,

Now, to the main reason why I posted this announcement. If you’re wondering what Azure NAT Gateway is, continue to the next paragraph.

What is Azure NAT Gateway?
One of the recommended methods mentioned to allow outbound Internet connectivity for your VMs is Azure NAT Gateway, but what is this service? If you wish to learn more about Azure NAT Gateway, check out my post Azure NAT Gateway Explained.

Microsoft Entra ID Custom Security Attributes

Reading Time: 5 minutes

In this blog post I will go through a demo of setting up Custom Security Attributes in Microsoft Entra ID.

What are Custom Security Attributes?
Custom Security Attributes are an Entra ID P1 or P2 license feature and can be created in Microsoft Entra ID to extend user profiles, such as adding employee hourly salary, certifications and other secure attributes to an employee’s profile. We can also add custom security attributes to Azure Applications (Service Principals) and resources. These secure attributes are not visible to anyone by default unless assigned a particular role within Entra ID. The Global Administrator cannot see these values by default either.

Which role can create these custom security attributes?
To add, activate or deactivate a custom security attribute definition, the admin requires the built-in role Attribute Definition Administrator. By default, the Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

Here are built in custom security attributes roles (shown below),

Implement Custom Security Attributes step by step

I have assigned my account the Attribute Administrator Role. I was not automatically granted this role by being a member of the Global Administrators group.
Once you add a custom security attribute definition, you can’t delete it. However, you can deactivate a custom security attribute definition.
This feature is still in preview at the time of writing this post.

Demo description:
In this demo I will create an attribute set and add an attribute named SecurityCleared with the values BPSS, SC, CTC and DV (National security vetting clearance levels in the UK). I will then assign one of these levels to one of my demo users and demonstrate how I can search for users assigned one of these security levels in Entra ID.

1. Log in to, expand Protection from the left pane and click Custom security attributes. You can also access this feature via Entra ID (formerly Azure AD) through

2. Click Add attribute set

An attribute set contains a collection of security attributes. All custom security attributes must be included in an attribute set.

3. For the purpose of this demo I will name my attribute set EmployeeConfidential and allow a maximum of 25 attributes inside this set. For limits and constraints, visit the following link Custom Security Attributes Limits and Constraints

4. Click create

5. Click to open the newly created attribute set

6. Click Roles and administrators from the left pane. Here you can assign roles at the attribute set level, so anyone assigned permissions here will only be able to manage attributes inside this attribute set. For example, if you need another admin to create attributes inside this attribute set, here is where you configure the permissions, and that admin would only be able to manage this attribute set and not any others you may create in the future. I won’t be adding any additional admins to these built-in roles.

7. Next, I add attributes inside my newly created attribute set, click Add attribute

8. Here is my attribute. It is one for Staff Security Clearance.

Attribute Name: SecurityCleared
Description: Levels of Security Clearance
Allow multiple values to be assigned: I have set this to No, as in this example I only wish to assign one of the four values to each employee. However, if there was a requirement to assign more than one of these values to an employee, I would enable this option.
Only allow predefined values to be assigned: Yes, as I only wish to assign one of the four values I have defined below. BPSS, SC, CTC and DV are the national security vetting clearance levels in the UK.

9. Click save

10. Next, I need to assign one of the four security levels to a user. For this example, my demo user called Lynne Robbins has a security clearance of SC so I would like to apply this to the account. I locate Lynne’s account in Entra ID and click Custom security attributes as shown below.

11. I receive a permissions error. I have the role of Attribute Definition Administrator, so I can create custom security attributes but cannot assign them to users. For the purpose of this demo, I assign my account the Attribute Assignment Administrator role, which allows me to assign custom security attributes to users.

12. I try again after assigning the required role. Log out and back into the portal if needed. Click Add assignment,

13. I assign the SC security clearance attribute to Lynne. Because I initially configured the attribute to only allow the assignment of one value, I cannot add multiple values to Lynne. Click save.

Done. Let’s search for all users who have security clearance of SC. It should only be Lynne.

14. In Entra ID, click users

15. Click Add filter

16. Click Custom security attributes from the filter list.

17. I select value of SC and click apply

18. One user found: it’s Lynne. Lynne is the only employee who is SC cleared.

If anyone in the organisation attempts to use the Custom security attributes filter without the required permissions, they will be denied access and receive an access denied message. These secure attributes can only be searched by admins holding the roles mentioned earlier.
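The same demo can be driven through the Microsoft Graph PowerShell SDK instead of the portal, which is useful when the attribute set and its allowed values need to be created repeatably. The block below is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds Attribute Definition Administrator (for the definition) and Attribute Assignment Administrator (for the assignment) as described above, and the user principal name is a constructed placeholder. Parameter and property names follow the Graph custom security attribute resources; check them against your installed module version.

```powershell
# Added example (not from the original post): attribute set EmployeeConfidential
# with a single-value, predefined-values-only attribute SecurityCleared, one
# assignment, and the search for every SC-cleared user.

$scopes = @(
    "CustomSecAttributeDefinition.ReadWrite.All",   # create set + definition
    "CustomSecAttributeAssignment.ReadWrite.All",   # assign values to users
    "User.Read.All"                                 # read users for the filter
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Attribute set. It cannot be deleted afterwards, only its definitions deactivated.
New-MgDirectoryAttributeSet -Id "EmployeeConfidential" `
    -Description "Confidential employee attributes" `
    -MaxAttributesPerSet 25

# 2. Attribute definition with the four UK vetting levels as the only allowed values.
$definition = @{
    attributeSet            = "EmployeeConfidential"
    name                    = "SecurityCleared"
    description             = "Levels of Security Clearance"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false     # one value per user (Allow multiple values = No)
    isSearchable            = $true      # needed for the $filter query in step 4
    usePreDefinedValuesOnly = $true      # only the listed values may be assigned
    allowedValues           = @(
        foreach ($level in "BPSS", "SC", "CTC", "DV") { @{ id = $level; isActive = $true } }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $definition

# 3. Assign SC to the demo user. Requires Attribute Assignment Administrator;
#    Attribute Definition Administrator alone gets the permissions error from step 11.
$userUpn = "lynne.robbins@contoso.example"   # constructed placeholder
$assignment = @{
    customSecurityAttributes = @{
        EmployeeConfidential = @{
            "@odata.type"   = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            SecurityCleared = "SC"
        }
    }
}
Update-MgUser -UserId $userUpn -BodyParameter $assignment

# 4. Find every user cleared to SC. Filtering on custom security attributes is an
#    advanced query, so ConsistencyLevel eventual and a count variable are required.
Get-MgUser -Filter "customSecurityAttributes/EmployeeConfidential/SecurityCleared eq 'SC'" `
    -ConsistencyLevel eventual -CountVariable matchCount `
    -Property "id,displayName,userPrincipalName,customSecurityAttributes" |
    Select-Object DisplayName, UserPrincipalName
```

An account without the assignment role can still run step 4 only if it holds Attribute Assignment Reader, which is the scripted equivalent of the access denied message the filter shows in the portal.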

I hope this helps.

If you wish to learn more about custom security attributes, add them to an application or use in conditional access policies, visit the Microsoft Learn links below,

What are custom security attributes in Microsoft Entra ID?
Manage custom security attributes for an application
Filter for applications in Conditional Access policy

Azure NAT Gateway Explained

Reading Time: 7 minutes

If you are new to Azure, you might be wondering what is a NAT gateway and why do you need one. In this blog post, I will explain the basics of Azure NAT Gateway and how it can help you connect your Azure resources to the internet.

SNAT – Source Network Address Translation

Before diving into Azure NAT Gateway, have you ever wondered how your devices or services can access the internet using a single public IP address? This is possible thanks to a technique called SNAT, which stands for source network address translation. SNAT changes the original IP address and port of your outgoing packets to match the public IP address and a unique port. Let’s dig deeper.

At home, your Internet Service Provider provides you with a router to which all your devices connect via wireless or a physical cable, as demonstrated in the drawing below,

In most cases the devices connecting to your home router are issued an IP address automatically by the DHCP service built into the router, see the example below. Each device has an IP address.

The above assigned IP addresses are private and can only be used on your home network; these IP addresses are not Internet routable, so on their own they cannot reach the Internet. Yet we know that your devices at home can access the Internet. How do your devices access the Internet? Via the router.

To allow access to the internet, your Internet Service Provider assigns you a public IP address, allocated to your router. As shown in the diagram below. (Public IP selected for demo purposes).

When your home devices connect to the Internet via the router, the router has built-in SNAT (Source Network Address Translation), which translates the private source addresses so that traffic from a private network (your home network) can go out to the Internet. All your devices use the public IP address assigned to your router to gain access to the Internet. If you were to visit each one of your devices, open an Internet browser (ensure you’re connected to your home router wirelessly or by cable) and visit the website, you will find that the public IP address is the same for all your devices (mobiles, iPads, laptops). This is because your devices are using the same public IP to access the Internet.

Now that you have a basic idea of SNAT (Source Network Address Translation), let’s move on to understanding what an Azure NAT Gateway is.

What is an Azure NAT Gateway?
An Azure NAT Gateway is similar to your home router but more intelligent and built for larger networks. An Azure NAT Gateway allows your private resources (such as Virtual Machines) located in Azure to connect to the Internet through a central, managed and highly resilient Network Address Translation (NAT) service.

But an Azure virtual machine can get out to the Internet by default, right?

Correct, and let’s understand how Virtual Machines in Azure access the internet (outbound) without the implementation of an Azure NAT Gateway.

Important Announcement: Default outbound access for VMs in Azure will be retired September 2025

In Azure, virtual machines without explicit outbound connectivity defined are assigned a default outbound public IP address by the Azure platform. This IP address enables outbound connectivity from your virtual machine to the Internet. This access is referred to as default outbound access. This auto-assigned public IP address belongs to Microsoft and is subject to change, so it’s not recommended to depend on it for production workloads. Customers don’t own the default outbound access IP and have no control over it. This IP may change, and any dependency on it could cause issues in the future. Log on to a virtual machine in Azure without a public IP address explicitly assigned and try accessing the Internet, or browse to and take a note of the automatically assigned default public IP address.

Can I assign an explicit outbound connectivity method by manually assigning an instance level public IP address to a Virtual Machine?

Yes, this is another option. You could create a Public IP address in Azure which you will have more control over such as ensuring it is static and doesn’t change, and then assign this public IP address to your Virtual Machine. Creating a public IP address will also allow Internet resources to communicate inbound to your Azure virtual machine and enable your virtual machine to communicate to the Internet. You dedicate the public IP address to the resource until you unassign/remove it, you’re in control.

A resource without a public IP assigned can communicate outbound to the Internet, as we now know, but inbound access is not allowed until you assign your own created public IP address and configure the required NSG/Firewall rules to allow inbound access from the Internet. Therefore, you could assign your virtual machines a public IP address, but ask yourself a few questions first. Am I only granting these virtual machines a public IP to allow access to the Internet? How many virtual machines do I have that require access to the Internet? Is it a good idea to assign each virtual machine a dedicated public IP address just to allow access to the Internet? There is definitely another layer of management overhead, as an accidental configuration could allow access to your resources from the outside world; accidentally allowing RDP from the outside world, for example, would trigger a brute force attack in no time.

So what do Microsoft recommend for resources in Azure requiring outbound Internet access without assigning each resource a public IP address?

Azure NAT Gateway

Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. You can use Azure NAT Gateway to allow the resources in your Virtual Network subnets to connect outbound to the Internet while remaining fully private, as there is no need to assign all your resources a public IP address. Unsolicited inbound connections from the Internet aren’t permitted through a NAT gateway; the service is secure by default. A NAT gateway allows traffic to flow outbound to the Internet only, and only packets arriving as response packets to an outbound connection can pass back through it.

In the diagram above we have a NAT Gateway connected to two subnets inside a VNet (Virtual Network). The NAT gateway becomes the subnet’s default next hop for all outbound traffic directed to the Internet. No extra routing configuration is required. Outbound Internet traffic for Virtual Machines in Subnet A and Subnet B, along with the Virtual Machine Scale Set (VMSS), will flow through the NAT Gateway. The NAT gateway can be configured with up to 16 public IP addresses, which can scale automatically as demand increases.
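To give a subnet the explicit outbound method described above, the NAT gateway is created with a public IP you own and then associated with the subnet; no route table is involved. The block below is an added example using the Az PowerShell module, not code from the original post or from Microsoft. It assumes Az.Network is installed, Connect-AzAccount has been run, and that the resource group, region, VNet and subnet names are placeholders for resources that already exist.

```powershell
# Added example (not from the original post): attach a NAT gateway with a
# static public IP to an existing subnet, then verify the association and the
# resulting SNAT port capacity (64,512 ports per attached public IP).

$rg         = "rg-demo"       # placeholder resource group
$location   = "uksouth"       # placeholder region
$vnetName   = "vnet-demo"     # placeholder existing VNet
$subnetName = "subnet-a"      # placeholder existing subnet

# 1. A static Standard-SKU public IP that belongs to you, unlike the platform's
#    default outbound IP which Microsoft owns and may change.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-natgw" `
    -Location $location -Sku Standard -AllocationMethod Static

# 2. The NAT gateway. IdleTimeoutInMinutes controls how long an idle outbound
#    flow keeps its SNAT port before the port is released (4 is the minimum).
$natGw = New-AzNatGateway -ResourceGroupName $rg -Name "natgw-demo" `
    -Location $location -Sku Standard -PublicIpAddress $pip -IdleTimeoutInMinutes 4

# 3. Associate it with the subnet. The address prefix is re-read from the
#    existing subnet so it is not changed by this update.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NatGateway $natGw | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify: the subnet should now reference the NAT gateway resource ID, and
#    every VM in it without its own public IP will egress via pip-natgw.
$updated = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).Subnets |
    Where-Object Name -eq $subnetName
"Subnet $subnetName NAT gateway: $($updated.NatGateway.Id)"

# SNAT capacity grows with attached public IPs (up to 16); useful when sizing
# against the 64,512-ports-per-IP figure before a workload hits port exhaustion.
$attachedIps = $natGw.PublicIpAddresses.Count
"Attached public IPs: $attachedIps, SNAT ports available: $($attachedIps * 64512)"
```

Since VMs with their own instance-level public IP or sitting behind a load balancer inbound rule still return that inbound traffic by the path it arrived on, step 4 is also the place to confirm which VMs in the subnet have no public IP attached and are therefore the ones whose outbound address just changed.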

In the diagram below, we introduce a load balancer. So how does traffic flow outbound when an Azure load balancer comes into the picture? Traffic distributed to a backend pool of servers via a load balancer opens a flow that allows the return traffic to go back out via the load balancer, so packets arriving as response packets to an inbound connection pass back through the load balancer and not outbound via the NAT Gateway. Yes, the NAT Gateway has this intelligence built in.

What about a Virtual machine with a public IP assigned?
Exactly the same as inbound traffic via a load balancer (mentioned above), packets arriving as response packets to an inbound connection can pass back through the public IP address assigned to the Virtual Machine and will not flow outbound via the NAT Gateway.

Azure NAT Gateway benefits

  • Simple setup

  • Secure by default

  • Scalable – Each NAT gateway public IP address provides 64,512 SNAT ports, and NAT gateway can scale to use up to 16 public IP addresses, reducing the chances of SNAT port exhaustion. NAT gateway solves the problem of SNAT port exhaustion by providing a dynamic pool of SNAT ports, so ports are only allocated to virtual machines when needed, instead of a pool-based SNAT allocation where a number of ports are assigned to a virtual machine from which some are used and others remain available but unused by the virtual machine. The virtual machines would keep hold of the additional assigned ports, which can cause SNAT port exhaustion.

    Another cool feature of Azure NAT Gateway is that it selects SNAT ports at random from its available inventory to make new outbound connections, and it only assigns ports to virtual machines as and when needed. As mentioned in the earlier paragraph, virtual machines are not assigned additional ports that will not be used.

    Also, Azure NAT Gateway allows a SNAT port to be reused to connect to the same destination endpoint. However, before doing so, NAT Gateway places a reuse cooldown timer on the port after the initial connection closes, which prevents ports from being selected too quickly.

    When NAT gateway cannot find any available SNAT ports to make new outbound connections, it can reuse a SNAT port that is currently in use so long as that SNAT port connects to a different destination endpoint.

  • Performance – each NAT Gateway can process up to 50 Gbps of data. A NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. The NAT gateway can process 1M packets per second and scale up to 5M packets per second. The total number of connections that a NAT gateway can support at any given time is up to 2 million. While it’s possible that the NAT gateway can exceed 2 million connections, you have increased risk of connection failures.

  • NAT gateway takes precedence over other outbound connectivity methods, including Load balancer, instance-level public IP addresses (assigning a public IP address to a Virtual Machine), and Azure Firewall.

  • NAT gateway automatically replaces the default Internet public IP assigned by the Azure platform.

  • No traffic routing configurations are required to use NAT gateway.

Azure NAT Gateway Limitations
Yes, there are limitations you need to be aware of when implementing an Azure NAT Gateway. They are documented at Azure NAT Gateway resource | Microsoft Learn

For more info on Azure NAT Gateway, visit the following Microsoft Learn link What is NAT Gateway and the Azure NAT Gateway FAQ page

Thank you and see you at the next post 🙂

Microsoft Entra Privileged Identity Management Alerts

Reading Time: 4 minutes

In this blog post I will discuss Microsoft Entra Privileged Identity Management (PIM) Alerts and not the process of setting up Azure Privileged Identity Management. If you wish to learn about Microsoft Entra PIM, visit the following link What is Privileged Identity Management? Microsoft Learn

Note: Azure Active Directory is being rebranded to Microsoft Entra ID

Microsoft Entra ID Privileged Identity Management (PIM) alerts are security notifications that PIM generates when there is suspicious or unsafe activity in your Microsoft Entra ID organisation, such as,

Entra ID Roles (Previously known as Azure AD Roles)
– Your organisation doesn’t have Entra ID (Azure AD) Premium P2 licenses which is a requirement for you to use PIM
– Roles don’t require multi-factor authentication for activation
– Eligible administrators aren’t activating their privileged role
– Roles are being assigned outside of Privileged Identity Management
– Roles are being activated too frequently
– There are too many global administrators
– Potential stale accounts in a privileged role

Azure Resources
– Too many owners assigned to a resource
– Too many permanent owners assigned to a resource
– Duplicate role created
– Roles are being assigned outside of Privileged Identity Management

The above are built into Privileged Identity Management and will generate an alert if the condition is met.

Let’s take a look where these built in alerts are located in Privileged Identity Management (PIM),

1. Log in to or access Entra ID from the Azure portal.

2. Expand Identity Governance

3. Click Privileged Identity Management

4. Under Manage click Azure AD roles (being rebranded to Entra ID Roles)

5. Click Alerts

6. Click Settings

7. Here are the built in rules which will trigger an alert if the condition is met

8. Go back to check if any alerts have been generated. Click the scan button if nothing is visible. I have two alerts generated as per the image below,

9. If I click on the alert Potential stale accounts in a privileged role I have one account which is assigned a privileged role, and the user has not signed into Entra ID (Azure AD) for over 30 days (Click the image below if you need to enlarge).

The image above shows that a user named Alex is assigned to a privileged administrator role, however, has not signed in for over 2 months. Therefore the alert Potential stale accounts in a privileged role has triggered.

I have two options, Dismiss and Fix.

Dismiss – This dismisses/hides the alert; however, if I were to run another scan, the alert would return. Dismissing does not remove Alex’s stale privileged role; as mentioned, it only hides/suppresses the alert from your view. You’ll find that the dismiss option is available to select even though you have not selected any users (via the checkbox). After clicking dismiss, if you return to the alerts page, the alert is no longer visible, but running another scan brings it back.

Fix – as you can see from the image above, the option to fix is greyed out. If I click the checkbox by the account of Alex as shown in the image below, the option to fix becomes available. What does this fix option do? It automatically removes the privileged role from Alex. You could also remove the role manually if you wish. Once fixed, the alert disappears within a couple of seconds.

Note: Ensure that the role is not required before attempting to fix.

What does the below status symbol mean?

The blue symbol under the status column means that the alert is pending or requires resolving.

When you fix an issue, you’ll find that the blue symbol switches to a green check mark for a second before the alert is actioned and removed. In my case, the alert disappeared and the privileged role was unassigned from Alex.
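The stale-account alert is driven by a simple condition: a user holds a privileged directory role and has not signed in for a number of days. The block below is an added example, not code from the original post or part of PIM, that reproduces that check independently with the Microsoft Graph PowerShell SDK, so the built-in alert can be cross-checked or the report fed to a ticketing system before anyone clicks Fix. It assumes Microsoft.Graph is installed, the signed-in account has Directory.Read.All and AuditLog.Read.All, and the tenant is licensed for signInActivity (P1/P2); the 30-day threshold follows the post but is a parameter here, not a Microsoft constant.

```powershell
# Added example (not from the original post): list users in active directory
# roles whose last interactive sign-in is older than a threshold, or who have
# never signed in at all.

function Get-StalePrivilegedUser {
    param([int]$StaleAfterDays = 30)

    Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All" -NoWelcome
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

    # Get-MgDirectoryRole returns only roles that are activated in the tenant and
    # their current (active) members. PIM-eligible assignments that were never
    # activated do not appear here, so treat this as a cross-check of the alert,
    # not a replacement for it.
    foreach ($role in Get-MgDirectoryRole -All) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

        foreach ($member in $members) {
            # signInActivity must be requested explicitly; it is not returned by default.
            $user = Get-MgUser -UserId $member.Id `
                -Property "id,userPrincipalName,accountEnabled,signInActivity"
            $lastSignIn = $user.SignInActivity.LastSignInDateTime   # $null if never signed in

            if ($null -eq $lastSignIn -or $lastSignIn -lt $cutoff) {
                [pscustomobject]@{
                    Role              = $role.DisplayName
                    UserPrincipalName = $user.UserPrincipalName
                    AccountEnabled    = $user.AccountEnabled
                    LastSignIn        = $lastSignIn
                }
            }
        }
    }
}

# Report sorted so never-signed-in accounts ($null) and the oldest sign-ins come first.
Get-StalePrivilegedUser -StaleAfterDays 30 | Sort-Object LastSignIn | Format-Table -AutoSize
```

A disabled account that still holds a role shows up here with AccountEnabled False; it is exactly the case where removing the role (the Fix action above) is usually safe, whereas an enabled account with a recent but non-interactive sign-in deserves a look at the full signInActivity object before the role is pulled.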

Azure resource alerts

You will also find a number of alerts available for Azure resources,

1. Go back to the main page for PIM and click Azure Resources

2. Click your subscription

3. Click alerts under manage from the left pane and click settings. These are the alerts which will be triggered if the condition is met.

If an access denied error appears the first time you click settings, refresh the page and try again.

I hope this helps. As always, please feel free to drop a comment below if you have any feedback.

How to calculate IP addresses in a subnet using Windows Calculator

Reading Time: 3 minutes

In this blog post I will take you through working out how many IPv4 IP addresses there are in a subnet using the built in Windows calculator.

Let’s take an example of a /24 mask, and I want to know how many IP addresses I can use, and a mask of

If you have not already read my post on CIDR notation simplified, I would recommend you have a read.


Add up the 1’s, that’s a total of 24 bits, that’s where the /24 comes from. See my post CIDR notation simplified if you wish to dive deeper.

How do I calculate how many available IP addresses I can assign from the above? We’ll use the Windows calculator,

Click on your start menu and search for calculator,

Switch from standard to scientific

Image showing standard calculator in Windows Operating System
Image showing the option to switch to Scientific mode

In the example above we had a subnet mask of /24. The sum to calculate the number of IP addresses available would be,

An IPv4 address has 32 bits in total. We subtract the bits that are turned on in the mask, 24, so that’s 32 – 24, leaving us with 8 bits (the last box to the right below).


The sum is below, but let’s input this into the calculator.

2^{(32 - 24)}=2^{8}=256

1. 32 minus 24 = 8

2. We now calculate 2 to the power of 8

3. To do this, clear the calculator and type 2

4. Next, click the Xy button as shown in the screenshot below

5. Type 8 and click the = button

That gives us 256 IP addresses in a /24 subnet mask. We take away two, as we don’t use .0 (the network address) or .255 (the broadcast address), leaving 254 IPs that we can use.
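The calculator steps above are the sum 2^(32 − prefix), with two addresses removed for the network and broadcast addresses. The block below is an added example, not from the original post, that does the same calculation as a PowerShell function so it can be run for any prefix length; it also handles the /31 and /32 edge cases, where the subtraction of two does not apply.

```powershell
# Added example (not from the original post): total and usable IPv4 addresses
# for a given CIDR prefix length, the same 2^(32 - prefix) sum as in the post.

function Get-SubnetSize {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 32)]
        [int]$PrefixLength
    )

    $hostBits = 32 - $PrefixLength                 # bits left after the mask's 1s
    $total    = [int64][math]::Pow(2, $hostBits)   # 2 to the power of host bits

    # Network and broadcast addresses are only reserved for /30 and larger blocks.
    # RFC 3021 allows both addresses of a /31 on point-to-point links, and a /32
    # is a single host route, so those keep every address.
    $usable = if ($PrefixLength -ge 31) { $total } else { $total - 2 }

    [pscustomobject]@{
        Prefix   = "/$PrefixLength"
        HostBits = $hostBits
        Total    = $total
        Usable   = $usable
    }
}

# The post's worked case: /24 is 8 host bits, 256 addresses, 254 usable.
Get-SubnetSize -PrefixLength 24

# A point-to-point link, to show the edge case: /30 keeps 2 of 4, /31 keeps both.
Get-SubnetSize -PrefixLength 30
Get-SubnetSize -PrefixLength 31
```

To check your answers for the other prefixes the post asks about, pipe them in: `16, 27, 23 | ForEach-Object { Get-SubnetSize -PrefixLength $_ }`.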

Try the sum with another example,

What do you get if you calculate /16, /27 and /32 using the method above? What numbers appear on your calculator?

Let me know in the comments section below

/16 = ? post the answer below

/27 = ? post the answer below

/23 = ? post the answer below

That’s it. I hope you found this post useful.