Category Archives: Microsoft
Prevent SQL Injection attacks on your PostgreSQL servers
SQL injection is one of the most common application attack vectors, typically used with the goal of retrieving sensitive data from companies. When you hear about stolen financial information, defaced web sites or even system takeovers, they often happen through a complex chain of attack steps which, in many cases, starts with a common SQL injection vulnerability being exploited. Fortunately, you can follow some very easy techniques to prevent SQL injection from affecting systems with a PostgreSQL backend.
What is SQL Injection?
SQL injection (SQLi) is a common exploit technique that targets commercial and open-source relational databases by supplying specially crafted input that becomes part of a SQL statement, tricking the system into doing unexpected and undesired things. SQL injection attacks allow attackers to spoof identity, read data they are not authorized to see, tamper with existing data stored in databases, cause repudiation issues such as voiding transactions or changing balances, and quite often end up with administrator privileges on the database server. SQL injection is more common with older web development platforms, such as PHP, ASP, JSP and CGI, because of the prevalence of older data access interfaces that encourage building queries from strings, but it can occur with newer platforms as well whenever the available methods to reduce this vulnerability are not used.
Pic 1. Typical SQL Injection diagram courtesy of Cloudflare
Within the last 20 years, many SQL injection attacks have targeted large websites, businesses, and social media marketing platforms. Many of these attacks resulted in serious data breaches. A couple of notable examples are listed below:
7-Eleven breach. A group of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million payment card numbers.
GhostShell attack. Hackers from the hacktivist group Team GhostShell targeted 53 universities using SQL injection, and stole and published 36,000 personal records belonging to students, faculty, and staff.
Freepik breach. In 2020, Freepik, one of the largest online graphic resource sites in the world with 18 million monthly unique users, disclosed that hackers were able to steal emails and password hashes for 8.3 million Freepik and Flaticon users in a SQL injection attack against the company's Flaticon website.
Types of SQL Injection attack
SQL injection (SQLi) is commonly classified into several types:
Union-based SQL injection. The most popular type of SQL injection; it uses the SQL UNION operator, which combines the result sets of two or more SELECT statements, to append rows from tables the original query never touched to the legitimate result set, and so retrieve data from the database.
Error-based SQL injection. In this attack, the malicious actor causes the application to display an error message originating from the database, and crafts the input so that the error text reveals the database's structure or contents. It is usually described in the context of Microsoft SQL Server, but PostgreSQL also produces detailed error messages (for example on a failed CAST of a subquery result), so the same technique applies whenever those messages reach the user.
Blind SQL injection. In this attack no data or error messages are returned in the response; the attacker extracts data by submitting queries whose outcome is only visible indirectly. Blind SQL injection is divided into Boolean-based injection (the page content differs depending on whether an injected condition is true) and time-based injection (the injected query delays the response, for example with pg_sleep() on PostgreSQL, when the condition is true).
Example of SQL Injection
This example shows how an attacker can use SQL injection to circumvent an application's SQL-based authentication and gain administrator privileges.
Consider a simple authentication system using a database table with usernames and passwords. A user’s POST request will provide the variables user and password, and these are inserted into a SQL statement:
sql = "SELECT id FROM users WHERE username='" + user + "' AND password='" + password + "'"
The problem here is that the SQL statement uses string concatenation to combine code and data. Instead of a real password, the attacker can submit a string like this in the password field:
pass' OR '1'='1
The resulting SQL query that will be run against the database is:
SELECT id FROM users WHERE username='user' AND password='pass' OR '1'='1'
Because '1'='1' always evaluates to true, and AND binds more tightly than OR, the WHERE clause is satisfied for every row regardless of the username or password provided. The query therefore returns the id of every user; an application that takes the first row will typically log the attacker in as the first account in the table, which is commonly the administrator. This means the attacker can access the application without authentication, and often with administrator privileges.
Preventing SQL Injection attacks
There are a number of methods for reducing the risk of SQL injection. As a best practice, several of them should be used together. Let's look at the most common implementations:
Use parameterized queries.
At its core, this method separates SQL logic from the data being passed. Using placeholders instead of directly embedding user input into queries, the database strictly recognizes the input as data. This means that even if an attacker tries to insert malicious code, the database won't execute it as a command. On PostgreSQL this is the prepared-statement mechanism (PREPARE/EXECUTE, or the bind step of the extended query protocol) that client libraries such as libpq, psycopg, JDBC and Npgsql expose as placeholders plus a separate parameter list. For a developer, adopting parameterized queries is not just a best practice; it's a fundamental shift in how user input is processed, and it should be the default for every statement that takes user-supplied values.
Escape all user-supplied input. When writing SQL, specific characters and words have particular meaning: a single quote terminates a string literal, and the word OR is a logical operator. To stop users who enter these characters, either accidentally or more likely maliciously, from changing the meaning of a statement, user-supplied input can be escaped. Escaping a character tells the database to treat it as literal input (part of the string) rather than as syntax. On PostgreSQL, use the server-side quote_literal() function or the client library's escaping routine (PQescapeLiteral in libpq) rather than a home-grown replacement, and treat escaping as a fallback for the rare cases where a value cannot be bound as a parameter; parameterized queries remain the primary defense.
Enforce least privilege. As a general rule, wherever a website needs to use dynamic SQL, reduce the exposure to SQL injection by limiting the permissions of your application's login role to the narrowest scope required to execute the relevant queries. This means that a superuser or other administrative account should never be the application's login role, so that SQL executed as a result of an API call from an unauthorized request cannot reach beyond the tables and operations the application itself needs. On PostgreSQL, create a dedicated login role, grant it only the privileges it requires (for example SELECT on the tables it reads), and do not give it the SUPERUSER, CREATEROLE or CREATEDB attributes. Enforcing least privilege does not stop an injection, but it limits what a successful one can do.
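The authentication bypass from the example above, together with the parameterized and escaped alternatives described in the first two prevention methods, as an added Python example that is not part of the original post. It uses only the standard library: no database connection is opened, and the %s placeholder style and the cursor.execute(sql, params) call it is written for are those of the psycopg driver. The table and column names are the article's; count_string_literals is an illustrative check written for this example, not a PostgreSQL or psycopg function.

```python
"""Added example, not code from the original post.

It builds the article's login query three ways: the vulnerable string
concatenation, the same query with driver placeholders, and a string-built
version that escapes each literal like PostgreSQL's quote_literal().  No
database is needed; each builder returns the SQL text (and, for the
parameterized form, the separate parameter tuple) exactly as it would be
handed to psycopg's cursor.execute(sql, params).
"""
from typing import Tuple

# Constructed attacker input from the article: closes the password
# literal and appends an always-true condition.
BYPASS_PASSWORD = "pass' OR '1'='1"


def build_login_vulnerable(user: str, password: str) -> str:
    """The article's broken pattern: input concatenated into SQL text.
    A quote inside the input ends the literal and the rest becomes syntax."""
    return ("SELECT id FROM users WHERE username='" + user
            + "' AND password='" + password + "'")


def build_login_parameterized(user: str, password: str) -> Tuple[str, tuple]:
    """Statement and data travel separately.  psycopg's %s placeholders are
    bound by the driver, so no input can alter the statement's parse tree."""
    sql = "SELECT id FROM users WHERE username = %s AND password = %s"
    return sql, (user, password)


def pg_quote_literal(value: str) -> str:
    """Quote a string the way PostgreSQL's quote_literal() does: single
    quotes are doubled, and if a backslash is present the E'...' form is
    used with backslashes doubled, so the result is safe regardless of the
    standard_conforming_strings setting.  Fallback only: prefer parameters."""
    escaped = value.replace("'", "''")
    if "\\" in value:
        return "E'" + escaped.replace("\\", "\\\\") + "'"
    return "'" + escaped + "'"


def build_login_escaped(user: str, password: str) -> str:
    """Second-best defense: still string-built, but every literal is escaped."""
    return ("SELECT id FROM users WHERE username=" + pg_quote_literal(user)
            + " AND password=" + pg_quote_literal(password))


def count_string_literals(sql: str) -> int:
    """Illustrative check (not a PostgreSQL function): count the single-quoted
    literals in a statement, honouring doubled quotes and backslash escapes
    inside E'...' literals.  The login query takes two inputs, so a correct
    statement has exactly two literals; more means input escaped its literal."""
    count, i, n = 0, 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        # E'...' prefix: the E must not be the tail of a longer word
        c_style = (i > 0 and sql[i - 1] in "eE"
                   and (i < 2 or not (sql[i - 2].isalnum() or sql[i - 2] == "_")))
        i += 1
        while i < n:
            if c_style and sql[i] == "\\":
                i += 2                      # escaped character, skip it
                continue
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2                  # doubled quote: a literal '
                    continue
                break                       # closing quote
            i += 1
        count += 1
        i += 1
    return count


if __name__ == "__main__":
    vuln = build_login_vulnerable("user", BYPASS_PASSWORD)
    print(vuln, "->", count_string_literals(vuln), "literals (4: injection)")
    sql, params = build_login_parameterized("user", BYPASS_PASSWORD)
    print(sql, params, "->", count_string_literals(sql), "literals (0: data is bound)")
    safe = build_login_escaped("user", BYPASS_PASSWORD)
    print(safe, "->", count_string_literals(safe), "literals (2: input stayed data)")
```

Run it directly to see the three statements side by side. The escaped form neutralizes this payload, but it still depends on the escaper being applied to every literal in every statement; the parameterized form cannot be forgotten in the same way, which is why it is the primary recommendation above.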
Resources
For more information on SQL injection, as well as security best practices with Postgres Flexible Server, see the following:
Security – Azure Database for PostgreSQL – Flexible Server | Microsoft Learn
SQl Injection: example of SQL Injections and Recommendations to avoid it. – Microsoft Community Hub
Postgres SQL Injection Cheat Sheet | pentestmonkey
Investigation: A Pentesting PostgreSQL with SQL Injections (onsecurity.io)
To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.
Boxfusion and Skypoint offer transactable partner solutions in Azure Marketplace
Microsoft partners like Boxfusion and Skypoint deliver transact-capable offers, which allow you to purchase directly from Azure Marketplace. Learn about these offers below:
Botsa: Botsa works with Microsoft Teams to provide a simple, familiar, and user-friendly interface for your employees to improve internal communications and processes. By handling routine queries, Botsa frees up your staff to focus on more complex tasks, increasing overall productivity and transforming your workplace experience. Reduce operational costs by automating common queries and processes.
Skypoint AI Platform for Senior Living: Skypoint’s AI platform unifies and leverages common senior living data sources so you can safely and securely “chat with your data” for instant answers and drive senior living experiences in more meaningful ways. It allows you to deliver better care, services, and experiences while optimizing operational expenses, leading to improved overall outcomes.
Time Format
Hello all,
I entered the number 6 in a cell and chose the time format.
Instead of showing me the time as 6:00 AM, it shows the date and time together!
Can I know the mistake I made, please?
I am trying to schedule some work on a regular basis using the time. How do I go about getting only 6:30 AM or 6:00 PM, etc.?
Thank you in advance to one and all.
Storage full but only 1% used
I do not have much IT knowledge. I can use programs but don't always understand how things work. I have OneDrive with 1TB of storage. I want to use the account for backup of the files on my laptop. When I look at Manage my storage it says 1% in use, but when I try to place folders/files onto OneDrive it says not enough space. I cannot understand this. I've tried emptying the recycle bin but cannot seem to be able to delete anything, either in one go or as individual files. Instructions say "Delete in Navigation Bar" but that is not on my screen! Can anyone help me please?
Windows Admin Center 2311 – EntraID Authentication issues
Hello everybody
This problem has already been reported under post: WAC Build 2311 in HA Not Authenticating w/ Entra AD Properly
However, since there has been no feedback from Microsoft for some time, I am reopening the topic.
I am using Windows Admin Center 2311 with EntraID authentication enabled. The redirect URLs are fine, and the ID tokens are used (Hybrid Flow) But I always get the message:
Method not found: ‘Microsoft.IdentityModel.Tokens.SecurityKey Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.FindKeyMatch(System.String, System.String, Microsoft.IdentityModel.Tokens.SecurityKey, System.Collections.Generic.IEnumerable`1<Microsoft.IdentityModel.Tokens.SecurityKey>)’.
I have also used Azure’s Sign-in Diagnostic, which states that:
“The user sign-in failed due to application configuration issues. The reply URL does not match the reply URLs configured for the application {appName}. Make sure the reply URL sent in the request matches one added to your application in the Azure portal.”
…no matter what I configure. I also double-checked the reply URLs. Is there any news about this issue?
thanks for a feedback, br yves
Availability of Microsoft Teams Room features Voice, Face Recognition for Live Transcription in UAE
Hello,
We’re exploring the idea of setting up Microsoft Teams Rooms in our office space in Dubai. However, before investing in the hardware, I am researching the availability of certain features, specifically the Voice and Face Recognition capabilities for Microsoft Teams Rooms in the United Arab Emirates.
Can anyone confirm whether these facial and voice recognition features are available in the UAE? I couldn't find it officially anywhere.
Thank you!
Any update on the stickers on the desk?
Is it still in development? Never heard any update on this.
Localization of App
Hi,
I tried to update the manifest.json file to support localization.
{
“$schema”: “https://developer.microsoft.com/en-us/json-schemas/teams/v1.16/MicrosoftTeams.schema.json”,
“manifestVersion”: “1.16”,
“version”: “1.0.0”,
“id”: “3fb32313-adb1-4a04-8c35-f3ad7c0f0188”,
“packageName”: “com.microsoft.teams.extension”,
“localizationInfo”: {
“defaultLanguageTag”: “fr-ca”,
“additionalLanguages”: [
{
“languageTag”: “fr-ca”,
“file”: “fr-ca.json”
}
]
},
“developer”: {
“name”: “Teams App, Inc.”,
“websiteUrl”: “https://localhost:53000”,
“privacyUrl”: “https://localhost:53000/index.html#/privacy”,
“termsOfUseUrl”: “https://localhost:53000/index.html#/termsofuse”
},
“icons”: {
“color”: “color.png”,
“outline”: “outline.png”
},
“name”: {
“short”: “Localization”,
“full”: “Localization App”
},
“description”: {
“short”: “Localization App for Microsoft Teams”,
“full”: “This sample app provides a very simple localization app. You can extend this to add more content and capabilities.”
},
“accentColor”: “#FFFFFF”,
“bots”: [],
“composeExtensions”: [],
“configurableTabs”: [],
“staticTabs”: [
{
“entityId”: “index”,
“name”: “Personal Tab”,
“contentUrl”: “https://localhost:53000/index.html#/tab”,
“websiteUrl”: “https://localhost:53000/index.html#/tab”,
“scopes”: [
“personal”
]
}
],
“permissions”: [
“identity”,
“messageTeamMembers”
],
“validDomains”: [
“localhost:53000”
],
“webApplicationInfo”: {
“id”: “254c5630-0ff0-4ec5-a7e8-824f0762f7e6”,
“resource”: “api://localhost:53000/254c5630-0ff0-4ec5-a7e8-824f0762f7e6”
}
}
But when I add the app to Teams, the initial window content does not show the default language set. In this case I set fr-ca as the default language. NOTE: I am running this app locally.
Health check / windows 11 test
Hopefully an easy one. I just tried running the health check to see if our PCs will run Windows 11, but when I try, because we are on a domain, it won't run the Windows 11 check, as the PCs are managed, even though I am the domain admin logged on with my account. It's acting like I want to install Windows 11 rather than just see if our hardware will run Windows 11 (which I doubt). Is there a bit of software that will just run and test for compatibility, or a way to force the health check to test for me, without it thinking I actually want to go to Windows 11?
Filter Corrupting Print Page Form
Hello,
I created this list for our order list. (Picture #1)
I enter the clients' orders and I want to filter out the empty lines.
When I filter out the empty lines and try to print it, it divides the pages badly.
How can I fix it so there is no gap between the lines when I print it ?
Thanks.
Copilot not working for one on one calls
We have copilot enabled on our tenant with Transcription set to on and Copilot set to On only with retained content.
We cannot turn copilot on in 1:1 direct calls with an error stating:
‘Copilot isn’t available. Transcription is disabled for your org. To do its thing, Copilot needs the transcript’.
Is this actually a bug, or is it just not supported for 1:1 calls? It is hard to get clarity.
UrlsAccessibleCheck for most of our AVD HealthCheckFailed
Hi Team, most of our AVDs are receiving the below error. We have been facing this issue since yesterday. We tried restarting the AVD with no luck. It seems like the RD Agent is getting stuck, due to which the health check is failing. Any suggestion or workaround would be helpful.
{
"healthCheckName": "UrlsAccessibleCheck",
"healthCheckResult": "HealthCheckFailed",
"additionalFailureDetails": {
"message": "{\"AccessibleUrls\":null,\"NotAccessibleUrls\":null,\"Context\":\"No information URLs accessibility: healthcheck was cancelled.\"}",
"errorCode": 1223,
"lastHealthCheckDateTime": "2024-06-10T14:28:45.5028866Z"
}
}
Sharepoint columns
Hello everyone, I'm working on some ideas about automation in SharePoint and I need help or any suggestions for it. In the first picture, we can extract the time these images were taken when we upload them, and it appears in a column. Is there any method to do the same thing for GPS and make longitude and latitude appear as well, even if we need to build a flow in Power Automate? Thanks to all of you.
Issues with labs for AZ-400
Hi, there are significant problems with the labs for AZ-400, as discussed here: The subscription is not allowed to create or update the serverfarm – Microsoft Community Hub
This forced us to cancel the last day of a class two weeks ago.
@Mindy_Rosenthal, do you have a timeline as to when this will be resolved?
Kind regards,
Ulf Dalgaard
Starting a PA Flow from a script
I’m following:
Using site designs and Power Automate to track site creation requests | Microsoft Learn
to the letter. And it’s not triggering the flow.
#Define the parameters for the branding:
$themeName = “SiteTemplateBrandingvJustFlowv5”
#Changed @’ from @” below – check if still works.
$site_script = @’
{
“$schema”: “schema.json”,
“actions”: [
{
“verb”: “triggerFlow”,
“url”: “https://prod-105.westeurope.logic.azure.com:443/workflows/a8609dd2abb14c5gac1183be13ef0099/triggers/manual/paths/invoke?api-version=2016-06-01”,
“name”: “Record site creation event”,
“parameters”: {
“event”: “site creation”,
“product”: “SharePoint Online”
}
}
],
“bindata”: { },
“version”: 1
}
‘@
Connect-SPOService -Url “https://mydomain-admin.sharepoint.com” -Credential $credentials
$addSiteScript = Add-SPOSiteScript -Title $themeName -Content $site_script -Description “Communication site which removes data export for modern experience and adds branding.”
Write-Host $addSiteScript.Id
Add-SPOSiteDesign -Title $themeName -WebTemplate “68” -SiteScripts $addSiteScript.Id -Description “”
#ADD CREATE LIST ITEM IN O365 TEAM HUB LIST HERE
The flow is just not triggering, as mentioned. Can anyone see something wrong above? I've used 2 different accounts to create the flow.
Can I download Facebook video to my computer Windows 11?
I’m in a bit of a bind and hoping for some expert advice. I need to download videos from Facebook onto my Windows 11 PC for work-related projects. These videos often contain tutorials and demonstrations that are essential for my ongoing professional development and reference. Unfortunately, my attempts so far haven’t yielded any successful results using the methods I’ve found online. Security and maintaining the original quality of the videos are my top priorities. Could anyone recommend a reliable and safe method or software that works well with Windows 11? Your suggestions will be invaluable to my workflow. Thank you!
Prevent enabling lock screen camera not work
Hi,
I'm using Win11.
In Group Policy, there is a setting "Prevent enabling lock screen camera".
From the wording, it will block the camera when I lock the screen,
but when I enabled this setting and locked the screen, I can still call the camera using a script,
eg.
import cv2
cap = cv2.VideoCapture(0)
Could you help advise how this "Prevent enabling lock screen camera" setting works, and how I can check that it really takes effect after it is enabled?
thanks.
How to remove the banner section from the ViVa Connections page.
Hello, Is it possible to remove the banner section on the ViVa Connections page as highlighted in the below image? So, the user can view only the dashboard sections.
Expected:
Windows doesn’t let me uninstall Microsoft Edge
Currently I’m on Windows 11 Insider preview and I cannot uninstall Microsoft Edge. The uninstall button is greyed out and says “this app cannot be uninstalled because of the policy set by your organization”. I live in Greece.
How to budget your Azure cloud spend with Microsoft Cost Management
Introduction
If you are using Azure for your cloud applications, you might be wondering how to manage your costs effectively. You might have heard of Microsoft Cost Management, a service that helps you monitor, analyze, and optimize your cloud spending[1]. But did you know that Microsoft Cost Management also offers a powerful feature called Budgets?
Budgets are a way to set spending limits and track your costs against them. They help you avoid surprises in your bill, align your spending with your business goals, and empower your teams to make informed decisions[2]. In this article, you will learn the benefits of having a budget in Microsoft Cost Management, and how to set up and manage your budgets effectively.
We will also show you the three simple steps for budgeting in Azure, and who is responsible for what. These steps are based on the FinOps framework, a set of best practices for managing cloud costs. The FinOps framework consists of three phases: inform, optimize, and operate[3]. We will show you how budgets can help you in each of these phases, and how to connect them with other Microsoft Cost Management features and tools.
Figure 1 Navigating the FinOps Journey: Inform, Optimize, Operate. Retrieved from finops.org
By the end of this article, you will have a clear understanding of why you need a budget in Microsoft Cost Management, and how to use it to get the most out of your cloud investment.
What is a Budget in Microsoft Cost Management?
A budget is a way to set a spending limit for a specific scope and time period in Azure. You can create a budget for your entire billing account, or for a subset of your resources, such as a management group, a subscription or a resource group, and you can narrow it further with filters such as tags. You can also create multiple budgets for different scopes and time periods, depending on your needs.
A budget allows you to track your actual and forecasted costs against your spending limit and get alerts when you reach certain thresholds. You can also configure action groups to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions, when your budget thresholds are met.
A budget is not a hard limit that prevents you from spending more than the amount that you set. It is a mechanism to provide you with visibility and insights into your spending patterns, and to help you proactively take action before it is too late.
Here are some key features of budgets in Microsoft Cost Management:
You can create budgets for any supported scope, such as a billing account, management group, subscription, or resource group, optionally filtered by tag, and evaluate them on a monthly, quarterly, or annual time grain.
You can create multiple budgets for different scopes and time periods, and track them separately or together.
You can use the suggested amount feature to get a recommended budget based on your usage patterns and historical data.
You can set up alerts on actual or forecasted costs, with thresholds expressed as a percentage of the budget or as an amount.
You can configure action groups to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions, when your budget thresholds are met.
You can monitor and analyze your budget usage and performance using Microsoft Cost Management and Cost Analysis.
You can update or delete your budget at any time, depending on your changing needs and circumstances (as long as you have the correct rights/permissions to do so).
Why do you need a budget in Microsoft Cost Management?
Having a budget in Microsoft Cost Management can help you in many ways, such as:
Aligning your spending with your business goals and objectives. You can use a budget to set a realistic and achievable target for your cloud spending, and to measure your progress and performance against it. You can also use a budget to communicate your expectations and constraints to your stakeholders, such as your product owners, engineering teams, finance teams, and leadership teams.
Gaining insights and visibility into your cloud costs. You can use a budget to monitor your actual and forecasted costs, and to compare them with your spending limit. You can also use a budget to drill down into your costs by different dimensions, such as service, resource, location, or tag. If a budget alert is triggered, you can investigate further to see whether it was due to a usage or cost spike, an anomaly or a trend, and identify the root cause and potential solutions. Budget thresholds also give you an indication of your spend rate, that is, how long it takes your resources to consume 50% (or more) of your budget.
Optimizing your cloud costs and maximizing your return on investment. You can use a budget to identify areas for cost savings or efficiency improvements, such as right-sizing your resources, purchasing reservations or savings plans, or redesigning your application architecture. You can also use a budget to evaluate the impact of your optimization actions, and to validate your assumptions and hypotheses.
Operating efficiently and proactively in the cloud. You can use a budget to set up alerts and notifications when you reach certain thresholds of your spending limit, and to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions. The extensibility of these notifications can help you bring visibility of your cloud spend into other systems that your organization may use, including Microsoft Teams, email, or helpdesk ticketing systems (ITSM). You can also use a budget to define internal processes and workflows for handling budget overages, such as requesting additional funding, escalating issues, or taking corrective actions like shutting down test or development virtual machines.
Here are some benefits of budgets in Microsoft Cost Management:
Avoid surprises in your bill and stay within your budget.
Align your spending with your business goals and objectives.
Gain insights and visibility into your cloud costs.
Optimize your cloud costs and maximize your return on investment.
Operate efficiently and proactively in the cloud.
How to set up and manage your budgets in Microsoft Cost Management?
Setting up and managing your budgets in Microsoft Cost Management involves several steps, such as:
Defining the initial budget estimate
Creating the budget
Configuring the budget alerts and action groups
Monitoring and managing the budget usage and performance
Fine-tuning and adjusting the budget as needed
We will explain each of these steps in detail, show you how to apply the three simple steps for budgeting in Azure, and clarify who is responsible for what.
Defining the initial budget estimate
Embarking on the journey of defining the initial budget estimate requires a clear delineation of roles and responsibilities. To facilitate this, we introduce the RACI model—a cornerstone of project management that delineates the involvement of project participants. RACI, an acronym for Responsible, Accountable, Consulted, and Informed, serves as a guide to define the involvement and communication flow within project tasks.
Responsible individuals are those who do the work to achieve the task. They have a hands-on role in getting the job done.
Accountable is the person or stakeholder who is the ‘owner’ of the work. They must sign off or approve when the task, deliverable, or milestone is complete.
Consulted are those whose opinions are sought; they are typically subject matter experts, with their input having a significant influence over the outcome.
Informed are those who are kept up-to-date on progress, often only on completion of the task or deliverable; they need to be aware of outcomes but are not directly involved in the work.
Integrating the RACI model is pivotal for its ability to bring clarity and structure to project management. It ensures that each participant is aware of their specific roles and responsibilities, thereby preventing any confusion or overlap in duties. By applying the RACI model to our budgeting process, we aim to foster a well-organized and transparent approach, setting a solid foundation for the project’s success.
Defining the initial budget estimate involves understanding the scope of your product, estimating the resources needed, and translating them into financial terms. You can use the Azure Pricing Calculator, the Azure TCO Calculator, or Azure Advisor to help you with this step.
Here are some tips for defining the initial budget estimate:
Understand your product requirements and operational needs, such as performance, availability, scalability, security, and compliance.
Estimate the resources needed to support your product, such as compute, storage, network, database, and other services.
Translate the resources into financial terms, such as cost per hour, cost per month, or cost per year.
Consider the factors that may affect your costs, such as usage patterns, demand fluctuations, region differences, or currency changes.
Add a buffer or contingency to account for unexpected costs or changes.
Responsible: The Product Owner is responsible for defining the initial budget estimate based on the product requirements and operational needs. This involves understanding the scope of the product, estimating the resources needed, and translating these into financial terms.
Accountable: Finance is accountable for providing guidance during the budget setup process. They ensure that the budget aligns with the organization’s financial goals and complies with any financial regulations or constraints.
Consulted: The Engineering and Procurement teams are consulted during the budget setup process. They provide input on the operational needs and goals, helping to ensure that the budget is realistic and achievable.
Informed: All members of the organization, including Leadership and Finance, are informed about the budget. This promotes a culture of financial accountability and ensures everyone understands the financial constraints and goals.
Please note that the responsibilities and roles outlined in this document according to the RACI matrix are general recommendations and may vary within your organization. The suggested approach to managing responsibilities is one of many possible options and should be adapted to fit your company’s unique organizational structure and needs. It is essential to determine the most effective method for assigning and managing roles and responsibilities that align with your internal processes and culture.
In addition, if you are setting a budget on existing resources in Microsoft Azure, the budget creation process will suggest a budget amount based on historical cost.
Creating the budget
This step involves creating the budget in Microsoft Cost Management for the desired scope and time period. You can use the Azure portal, Azure CLI, Azure PowerShell, or Azure REST API to create a budget. You can also use the suggested amount feature, which provides you with a recommended budget based on your usage patterns and historical data.
Here are some steps for creating the budget:
Choose the scope for your budget (such as billing account, subscription, resource group, or tag) and the time period (such as month, quarter, or year).
Specify the budget amount and currency, and optionally use the suggested amount feature to get a recommended budget.
Name your budget and provide a description, and optionally add tags to categorize and group your budget.
Save your budget and review the details.
Figure 2. Effortless budgeting: harness the power of suggested amounts.
Responsible: The Product Owner and Engineering team are responsible for creating the budget in Microsoft Cost Management for the desired scope and time period. They choose the scope and time period, specify the budget amount and currency, name and describe the budget, and save and review the budget.
Accountable: Finance and Budget Owner are accountable for reviewing and approving the budget. They ensure that the budget is consistent with the initial budget estimate, and that it meets the organization’s financial goals and standards.
Consulted: The FinOps Practitioner is consulted for help on using the suggested amount feature, which provides a recommended budget based on usage patterns and historical data. They provide financial expertise and advice on setting the budget amount and currency.
Informed: All members of the organization, including Leadership and Finance, are informed about the budget. This promotes a culture of financial accountability and transparency.
Configuring the budget alerts and action groups
This step involves setting up alerts and action groups for the desired thresholds and conditions. You can set up alerts for actual costs, forecasted costs, percentage of budget, or amount[4]. You can also set up action groups to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions, when your budget thresholds are met.
Here are some steps for configuring the budget alerts and action groups:
Choose the alert type and condition, such as actual costs, forecasted costs, percentage of budget, or amount.
Specify the alert threshold and frequency, and optionally add a custom message.
Select or create an action group to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions, when your alert condition is met.
Save your alert and action group and review the details.
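The two procedures above (creating the budget, then wiring alerts to an action group) can be captured as one deployable definition instead of portal clicks. The following Bicep template is an added example, not code from the article or from Microsoft's documentation; the budget name, amount, tag filter, notification keys and the action group are placeholders you would replace with your own. It deploys a subscription-scoped monthly cost budget filtered to resources tagged environment=production, with a reactive alert on actual cost at 80% and a proactive alert on forecasted cost at 100%, both routed to an existing action group (which in turn can send email, call a webhook, or run an Azure Function).

```bicep
// Added example (not from the article): subscription-scoped monthly cost budget
// with one actual-cost and one forecasted-cost alert, both sent to an existing
// Azure Monitor action group. All names and values are placeholders.
targetScope = 'subscription'

@description('Budget name; must be unique within the subscription (placeholder).')
param budgetName string = 'prod-monthly-budget'

@description('Monthly spending limit in the billing currency of the subscription (placeholder).')
param amount int = 5000

@description('Start of the budget, yyyy-MM-dd; must be the first day of a month.')
param startDate string

@description('End of the budget, yyyy-MM-dd; budgets expire, so set an explicit end.')
param endDate string

@description('Resource ID of an existing action group (email, webhook, Azure Function, ITSM).')
param actionGroupId string

@description('Additional e-mail recipients for the alert (optional).')
param contactEmails array = []

resource budget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: budgetName
  properties: {
    category: 'Cost'        // track cost, not usage quantity
    amount: amount
    timeGrain: 'Monthly'    // resets every month; Quarterly and Annually also exist
    timePeriod: {
      startDate: startDate
      endDate: endDate
    }
    // Only resources carrying the tag environment=production count toward this budget.
    filter: {
      tags: {
        name: 'environment'
        operator: 'In'
        values: [
          'production'
        ]
      }
    }
    notifications: {
      // Reactive alert: fires once the cost already accrued passes 80% of the amount.
      Actual_GreaterThan_80_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        thresholdType: 'Actual'
        contactEmails: contactEmails
        contactGroups: [
          actionGroupId
        ]
        contactRoles: [
          'Owner'
        ]
      }
      // Proactive alert: fires when the forecast for the period exceeds 100% of the
      // amount, before the money is spent, so a sudden spike surfaces early.
      Forecasted_GreaterThan_100_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 100
        thresholdType: 'Forecasted'
        contactEmails: contactEmails
        contactGroups: [
          actionGroupId
        ]
      }
    }
  }
}

output budgetId string = budget.id
```

Deploy it with `az deployment sub create --location <region> --template-file budget.bicep --parameters startDate=<yyyy-MM-01> endDate=<yyyy-MM-dd> actionGroupId=<action-group-resource-id>`, from an identity that has write permission on Microsoft.Consumption/budgets at the subscription scope. Two points worth keeping in mind: a budget on its own never stops or throttles resources, it only notifies, so any corrective action (for example shutting down test virtual machines) has to live in the action group's webhook or Function; and because the action group is referenced by resource ID, changing who gets notified is an edit to the action group, not to the budget, which keeps notification routing under a single, auditable control.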
Responsible: The Product Owner and Engineering team are responsible for configuring the budget alerts and action groups for the desired thresholds and conditions. They choose the alert type and condition, specify the alert threshold and frequency, select or create an action group, and save and review the alert and action group.
Accountable: The Product Owner and Engineering team are accountable for reviewing and approving the budget alerts and action groups. They ensure that the alerts and action groups are consistent with the budget goals and expectations, and that they comply with the organization’s policies and standards.
Consulted: The FinOps Practitioner is consulted for help on choosing the alert type and condition, and specifying the alert threshold and frequency. They provide financial expertise and advice on setting the budget alerts and action groups.
Informed: All members of the organization, including Leadership and Finance, are informed about the budget alerts and action groups. This promotes a culture of financial accountability and transparency.
Monitoring and managing the budget usage and performance
This step involves tracking your actual and forecasted costs against your budget, and drilling down into your costs by different dimensions. You can use Microsoft Cost Management and Cost Analysis to monitor and analyze your budget usage and performance[5]. You can also use Azure shared dashboards or share customized cost views to share your budget information with your stakeholders[6]. You can also use Azure Advisor Cost Optimization workbook to get recommendations and best practices for optimizing your costs[7].
Here are some tips for monitoring and managing the budget usage and performance:
Use Cost Analysis to view your budget usage and performance, and compare your actual and forecasted costs with your spending limit.
Use Cost Analysis to drill down into your costs by different dimensions, such as service, resource, location, or tag, and identify the cost drivers and contributors.
Use shared dashboards and customized cost views to create and share custom views of your budget information with your stakeholders, such as product owners, engineering teams, finance teams, or leadership teams.
Use Azure Advisor Cost Optimization workbook to get recommendations and best practices for optimizing your costs, such as right-sizing your resources, purchasing reservations or savings plans, or redesigning your application architecture.
Responsible: The Product Owner and Engineering team are responsible for monitoring and managing the budget usage and performance. They use Microsoft Cost Management and Cost Analysis to view and analyze their budget usage and performance, and to drill down into their costs by different dimensions. They also use shared dashboards and customized cost views to share their budget information with their stakeholders, and Azure Advisor Cost Optimization workbook to get recommendations and best practices for optimizing their costs.
Accountable: The Budget Owner is accountable for tracking and managing budgets. They establish acceptable variance thresholds (e.g., 20% overage), and identify exception handling for scenarios when altering budgets out of cycle is needed. This involves regular monitoring and reporting, as well as taking corrective action if the budget is not being adhered to.
Consulted: The Engineering team and FinOps Practitioner are consulted for help on drilling down with tools. They provide technical expertise and can help identify areas for cost savings or efficiency improvements.
Informed: All members of the organization, including Leadership, are kept informed about any changes to the budget. This helps maintain transparency and promotes a culture of financial accountability.
Fine-tuning and adjusting the budget as needed
This step involves updating or deleting your budget at any time, depending on your changing needs and circumstances. You can also use Microsoft Cost Management to analyze the variance between your budget and your actual or forecasted costs, and to identify the reasons and solutions for any discrepancies or overages.
Here are some tips for fine-tuning and adjusting the budget as needed:
Update your budget amount, scope, time period, alerts, or action groups as needed, depending on your changing needs and circumstances.
Delete your budget if it is no longer relevant or needed, such as when your product is decommissioned or migrated.
Analyze the variance between your budget and your actual or forecasted costs, and identify the reasons and solutions for any discrepancies or overages.
Take corrective actions to resolve any issues or challenges, such as requesting additional funding, adjusting resource usage, or modifying product scope.
Responsible: The Product Owner and Engineering team are responsible for fine-tuning and adjusting the budget as needed. They update or delete their budget at any time, depending on their changing needs and circumstances. They also analyze the variance between their budget and their actual or forecasted costs, and take corrective actions to resolve any issues or challenges.
Accountable: The Budget Owner is accountable for the budget performance. If the budget overage is above the defined tolerance (e.g., 20%), they take corrective actions if possible. This could involve identifying areas for cost savings, adjusting resource usage, or modifying the product scope. If the overage cannot be corrected and additional funding is needed, they request additional funding from the holdback.
Consulted: If additional funding from the holdback is not available or not sufficient, the Higher-Level Budget Owner or Finance reviews the request for additional funding directly. They provide financial expertise and decide whether to approve the additional funding.
Informed: All members of the organization, including Leadership, are kept informed about any changes to the budget. If the budget adjustment is significant and impacts the organizational performance expectations, Leadership makes adjustments to the budgeted spending levels and records/adjusts impacts to organizational performance expectations.
Best practices for budgets in Microsoft Cost Management
To get the most out of your budgets in Microsoft Cost Management, here are some best practices to follow:
Align your budgets with SMART business goals and objectives. Ensure your budgets are Specific, Measurable, Achievable, Relevant, and Time-bound, reflecting your financial aspirations and limitations[8]. They should be realistic and attainable, fostering a sense of accountability and progress tracking. Communicate your budgets clearly to stakeholders, ensuring they comprehend the expectations and implications, and are aligned with the SMART framework for optimal clarity and effectiveness.
Use multiple budgets for different scopes and time periods. You should have an overall budget for your entire billing account, as well as individual budgets for different units, such as subscriptions, resource groups, tags, or applications. You should also have budgets for different time periods, such as monthly, quarterly, or yearly. This way, you can easily track and compare your costs across different dimensions and granularities.
Use tags to categorize and group your resources and budgets. Tags are key-value pairs that you can assign to your resources to identify and organize them[9]. You can use tags to create budgets for specific categories, such as cost center, product owner, app name, environment, or project. You can also use tags to filter and analyze your costs by different dimensions. You can also use the tag inheritance feature to inherit tags from your subscription to your individual resources.
Use actual and forecasted cost alerts for your budgets. You should set up both actual and forecasted alerts for your budgets, as they serve different purposes[10]. Actual alerts trigger on actual costs when thresholds are met, and can be considered a reactive approach. Forecasted alerts trigger on estimates and can be considered a proactive approach, as you can act before it is too late.
Use action groups to trigger automated actions for your budgets. You should set up action groups to trigger automated actions, such as sending emails, calling webhooks, or executing Azure functions, when your budget thresholds are met[11]. This way, you can notify your stakeholders, escalate issues, or take corrective actions in a timely manner.
Define internal processes and workflows for handling budget overages. You should establish acceptable variance thresholds and exception handling for scenarios when altering budgets out of cycle is needed. You should also define who is responsible, accountable, consulted, and informed for setting up and managing your budgets, and what the roles and responsibilities of each stakeholder are. You should also define what happens if your budget is exceeded, such as requesting additional funding, adjusting resource usage, or modifying product scope. You can use your preferred modeling language to describe these processes and workflows, and to align them with your organizational culture and values.
Summary
In this article, you have learnt the benefits of having a budget in Microsoft Cost Management, and how to set up and manage your budgets effectively. We have also shared some best practices for using budgets to gain insights, optimize costs, and operate efficiently in Azure.
Here are some key takeaways to remember:
Budgets are a way to set spending limits and track your costs against them in Microsoft Cost Management.
Budgets help you align your spending with your business goals, gain insights and visibility into your costs, optimize your costs and maximize your ROI, and operate efficiently and proactively in the cloud.
To set up and manage your budgets, you need to define the initial budget estimate, create the budget, configure the alerts and action groups, monitor and manage the budget usage and performance, and fine-tune and adjust the budget as needed.
To get the most out of your budgets, you should align them with your business goals, use multiple budgets for different scopes and time periods, use tags to categorize and group your resources, use actual and forecasted alerts, use action groups to automate actions, and define internal processes and workflows for handling budget overages.
We hope you have found this article useful and informative. If you have any questions or feedback, please let us know in the comments section below. Thank you for reading!
References
[1] Overview of Cost Management – Microsoft Cost Management | Microsoft Learn
[2] Tutorial – Create and manage budgets – Microsoft Cost Management | Microsoft Learn
[4] Monitor usage and spending with cost alerts in Cost Management – Microsoft Cost Management | Microsoft Learn
[5] Quickstart – Start using Cost analysis – Microsoft Cost Management | Microsoft Learn
[6] Create a dashboard in the Azure portal – Azure portal | Microsoft Learn
[7] Use and customize the Cost optimization workbook – Cloud Computing | Microsoft Learn
[8] SMART criteria – Wikipedia
[9] Tag resources, resource groups, and subscriptions for logical organization – Azure Resource Manager | Microsoft Learn
[10] Monitor usage and spending with cost alerts in Cost Management – Microsoft Cost Management | Microsoft Learn
[11] Azure Monitor action groups – Azure Monitor | Microsoft Learn
Source: Microsoft Tech Community – Latest Blogs