App Service Hybrid connections: is it fast enough?


An App Service Hybrid connection offers a quick and uncomplicated way to reach your on-premises services in scenarios where other networking solutions like VPN or ExpressRoute aren’t available. Normally, you don’t even need to open any firewall ports in your on-premises environments because it only requires an outbound HTTP connection over port 443 towards Azure to work. Behind the scenes, it is a TCP relay proxy over WebSockets. It can only reach services that run over TCP, not UDP.

Therefore, it might be a good fit if you are planning to migrate your application(s) to Azure App Service but the app has dependencies on on-premises databases or APIs and your networking team is not yet ready to set up a VPN/ExpressRoute connection between these environments. The migration work can be unblocked by using Hybrid connections towards these external dependencies, with no code changes within your app.

However, what should you expect in terms of performance? Apart from the pure networking latency of having an App Service connect back to an on-premises service, will the Hybrid connection itself introduce extra latency on top of the network? And what about the different scenarios:

  • Reaching on-premises HTTP APIs;

  • Reaching on-premises databases;

  • Downloading on-premises large files over HTTP


In this article we will run benchmarks on all the scenarios above and compare them with and without a Hybrid connection. Explaining how to configure such a connection is not the goal here, because that is already very well described in the existing tutorial.


The test setup


An App Service Hybrid connection relies on a service called Azure Relay to work (and Azure Relay is based on the Azure Service Bus platform). This is what the architecture looks like:



Now, let me explain how the setup in this test is done when comparing to the diagram above:

  • App Service: a small PremiumV2 .NET Core 6 app running in Brazil South;

  • Azure Relay: if you don’t already have an Azure Relay created, the App Service Hybrid connection will ask you to create one. Here, I created one in the Brazil South region;

  • On Premises: to simulate an on-premises environment, here I have a physical computer with fast, modern hardware (Ryzen 5 5600H, 16 GB RAM, 512 GB SSD) connected to a stable 600 Mbps fiber connection. This system has an average latency of 12 ms (milliseconds) to Azure and vice-versa. It also has one SQL Express 2019 database, a .NET 6 API to simulate on-premises services for these tests, and the HCM (Hybrid Connection Manager) that is required for this setup.

Now, we want to compare the Hybrid connection overhead over the raw network connection. So, for each test that will follow in this article, we will configure the App Service to hit the services via Hybrid connection endpoints and then run the same test but going directly to the public IP of the “on-premises” server, skipping the relay completely. 

Here’s the configuration in the Portal:




Scenario 1: HTTP requests


Let’s assume you have on-premises HTTP services to reach from an App Service via a Hybrid connection. In the configuration picture above, the endpoint name is “andre-api”, which points to an on-premises DNS name of “testerelay” on port 5001. That is the .NET API running on the on-premises computer. This API has a REST endpoint that returns random strings of roughly 8 KB in size.

From the App Service side, it runs another .NET API that calls the previous endpoint in three different ways:

  • Single request: App Service calls the on-premises API once

  • Sequentially: App Service calls the on-premises API 50 times in a row. When the previous request finishes, the next goes ahead and so on… until we reach 50 requests;

  • Parallel: App Service calls the on-premises API 50 times at the same time. This is accomplished by making use of .NET tasks

The intention here is to verify how well the relay handles a typical real-world scenario where you get many parallel requests at a given time. All requests here are using HTTP2 protocol.
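The three call patterns described above as a timing harness; this is an added example, not the benchmark code used for the article. The class and method names, the warm-up request and the constructed `SimulatedApiHandler` (20 ms delay, 8 KB body, used only when no URL is passed) are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the on-premises API: fixed delay, 8 KB body.
// Only used when no URL is given, so the harness also runs offline.
sealed class SimulatedApiHandler : HttpMessageHandler
{
    private readonly TimeSpan _latency;
    public SimulatedApiHandler(TimeSpan latency) => _latency = latency;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        await Task.Delay(_latency, cancellationToken);
        return new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new ByteArrayContent(new byte[8 * 1024])
        };
    }
}

static class RelayBenchmark
{
    const int Runs = 50; // same count as the sequential and parallel tests

    // HTTP/2 client; all parallel requests share one multiplexed connection.
    static HttpClient CreateHttp2Client() => new HttpClient
    {
        DefaultRequestVersion = HttpVersion.Version20,
        // Fail instead of silently downgrading to HTTP/1.1, which would skew results.
        DefaultVersionPolicy = HttpVersionPolicy.RequestVersionExact
    };

    // Time one GET, including reading the full body, in milliseconds.
    static async Task<double> TimeGetAsync(HttpClient client, Uri url)
    {
        var sw = Stopwatch.StartNew();
        using HttpResponseMessage response = await client.GetAsync(url);
        response.EnsureSuccessStatusCode();
        await response.Content.ReadAsByteArrayAsync();
        return sw.Elapsed.TotalMilliseconds;
    }

    // One request after another; returns the average time per request.
    static async Task<double> SequentialAsync(HttpClient client, Uri url, int count)
    {
        double total = 0;
        for (int i = 0; i < count; i++)
            total += await TimeGetAsync(client, url);
        return total / count;
    }

    // All requests started at once with .NET tasks; returns the average
    // per-request time and the wall-clock time for the whole batch.
    static async Task<(double AvgMs, double WallMs)> ParallelAsync(
        HttpClient client, Uri url, int count)
    {
        var wall = Stopwatch.StartNew();
        double[] times = await Task.WhenAll(
            Enumerable.Range(0, count).Select(_ => TimeGetAsync(client, url)));
        return (times.Average(), wall.Elapsed.TotalMilliseconds);
    }

    static async Task Main(string[] args)
    {
        bool live = args.Length > 0;
        var url = new Uri(live ? args[0] : "http://simulated.invalid/data");
        string target = live ? url.ToString() : "simulated handler";
        using HttpClient client = live
            ? CreateHttp2Client()
            : new HttpClient(new SimulatedApiHandler(TimeSpan.FromMilliseconds(20)));

        // Warm-up so connection setup is not counted in the first measurement.
        await TimeGetAsync(client, url);

        double single = await TimeGetAsync(client, url);
        double sequential = await SequentialAsync(client, url, Runs);
        var (parallelAvg, parallelWall) = await ParallelAsync(client, url, Runs);

        Console.WriteLine($"Target: {target}");
        Console.WriteLine($"Single request:  {single:F1} ms");
        Console.WriteLine($"Sequential ({Runs}): {sequential:F1} ms average");
        Console.WriteLine($"Parallel ({Runs}):   {parallelAvg:F1} ms average, {parallelWall:F1} ms wall clock");
    }
}
```

Run it once with the Hybrid connection endpoint URL and once with the direct URL as the first argument to compare the two paths.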

Check out the results table:




[Table: Average response time per HTTP request. Column: Hybrid connection. Rows: Single request, Sequential (50), Parallel (50).]


Important note

Forcing the HttpClient in the App Service .NET API to use HTTP/2 by default when calling the relay made a huge positive difference in the test results. HTTP/1.1 was much worse, especially in the parallel requests test.


Conclusion for HTTP tests

If we look at the differences in percentage terms, the Hybrid connection seems to add a huge overhead, but in absolute numbers it does not. In the more realistic test of this setup (the parallel HTTP simulation) we get only 10 ms added compared to a direct connection, which is negligible for most applications. Another point to keep in mind is that we are comparing the Hybrid connection to a direct connection back to on-premises. In reality we would have a VPN or other appliance in the path, which might add some extra delay too.


Scenario 2: database connections


Another very common use case is the need to fetch data from an on-premises database that could not be migrated to Azure at the same time as the application. Here we will make the App Service .NET API call the on-premises SQL Server using the relay connection and then directly. The query returns roughly 8 KB of data from the database per call. Like the HTTP tests, there will be three different scenarios:

  • Single request: App Service queries the database once

  • Sequentially: App Service queries the database 50 times in a row. When the previous query finishes, the next goes ahead and so on… until we reach 50 queries;

  • Parallel: App Service queries the on-premises database 50 times at the same time. This is accomplished by making use of .NET tasks



[Table: Average response time per SQL query. Column: Hybrid connection. Rows: Single query, Sequential (50), Parallel (50).]


Conclusion for database tests

Compared to the HTTP tests, the database queries have less overhead because of the TCP nature of the connections. While the direct connection had no extra overhead even when running 50 queries in parallel, the Hybrid counterpart added some, but not significantly. Again, this is looking at absolute numbers and not purely at percentages.


Scenario 3: large file downloads


Now let’s benchmark something less usual: what about using the Hybrid connection to stream a 1 GB file (a Linux ISO file) from an on-premises REST API via HTTP? Here I’m expecting more overhead because the underlying WebSockets protocol that Azure Relay uses is not really meant for these cases. But anyway, here are the results:


[Table: REST API HTTP download speed. Column: Hybrid connection. Values: 27 MB/s, 20 MB/s.]



Conclusion for file download test

I was expecting a much worse result, but the Hybrid connection surprised for the better here. I wouldn’t recommend this connection for streaming large files but this test shows that this is possible if it is really needed.


Overall conclusion


These benchmarks did not cover all the possibilities for a Hybrid connection but certainly give us an idea of what to expect. Generally speaking, it is a solid alternative and I would recommend it for scenarios where a VPN or ExpressRoute connection is not possible. The biggest advantage for sure is ease of use: setting up your own environment to run similar tests will take just a couple of hours, tops.


If you wish that I run additional benchmarks and scenarios, please let me know in the comments!



Customize work item cards to boost seller productivity


Customization is one of the most effective tools to ensure users are maximizing application capabilities by tailoring them to their organization or individual use cases. Microsoft Dynamics 365 Sales users love the sales accelerator experience, where they get a prioritized list of customers and an optimized workspace. It is a modern view that provides seamless navigation and relevant guidance regarding the next best activity the user should take, without multiple context switches. However, our users told us they needed more flexibility to customize work item cards according to the requirements and use cases of specific organizations or users. That flexibility is now available.

The new work item experience enables users to customize work item cards according to their needs and organizational requirements. With key information visible in the work item cards and relevant filters and sorting mechanisms easily available, users can make quick, informed decisions about the next entity or sales workflow to select, just by glancing at the curated worklist.

[Figure: Work item appearance customization options]

The key highlights of this feature include: 

  • Modify the information, icons, and action buttons displayed in a work item card so that the most relevant data for Sales entities is always available
  • Control the customization at the organization (admin) and user levels

Let’s understand the capabilities in detail and how you can benefit by customizing work item cards across your sales scenarios.  

What is work item card customization? 

The ability to customize work item cards is a new capability offered as part of the sales accelerator workspace. It allows users to customize the design, content, and structure of work item cards to display the most relevant and valuable information in the work item. Users can personalize work items for each entity type they work with, by adding, removing, or modifying icons, activities, and the number of rows or the number of fields in each row, which are displayed as part of the out-of-the-box card structure. Users can view the fields and activities that are relevant for them in any ongoing sales processes. 

Who will benefit from customized work item cards? 

Work item card customization is beneficial to individual users, business admins, and sales managers, as this feature provides control at both organizational and user levels. 

Work item card customization is available for business admins without having to change any settings. If you have an admin role in your organization, you can start using the feature right away to customize work item cards. Define the work item card structure that will be visible in the worklist of the sales accelerator workspace for all relevant entities in accordance with your organizational directives or sales scenarios.

As an admin, you can lock customization to ensure that users are not able to make any modifications to work item cards without reaching out to you.

[Figure: Lock customization capability for admins]

If allowed, users can define the work item card structure for all relevant entities according to their own requirements and advantages. The customized view is visible only to the user, and they can always restore the default card view with a single click.  

Below are some of the use cases for customizing the work item card: 

  • If sellers are directed to prioritize opportunities based on the estimated revenue, an admin can update the structure of the Opportunity work item to show the “Estimated Revenue” field.
  • To pick up an opportunity based on a field like “Rating,” which is not part of the Opportunity entity card, users can modify the card structure to add the field.
  • In cases where lead cards are displaying information that isn’t relevant for the user’s work, they can remove unneeded fields and keep the ones they find relevant. 

How to customize work item cards? 

A card designer with dynamic preview options allows users to view their changes as they are making them, reducing design errors and minimizing rework while modifying the card structure. The designer comes with a one-click “Reset to Default” option available at any point in case they want to return to the out-of-the-box card structure for an entity.  

Users can make the following customizations using the card designer: 

  • Modify the card icon to add an image, initials, or record or activity type associated with the record 
  • Add up to three fields and three icons in a single row 
  • Add up to four rows 
  • Remove rows or fields (a minimum of one row is required) 
  • Add action options from an available set (skip, preview, assign, mark complete, etc.) to perform the actions without having to delve into the form details of each entity

The card designer allows users to update the design and structure for all the sales entities by selecting the relevant one from a list. Changes that admins make are reflected in work item cards for all users. Users can modify and save their own card structure, which overrides the out-of-the-box or admin-defined structure.

[Figure: Work item card designer]

Next steps 

To start designing your own customized work item card view in the sales accelerator workspace, check out the documentation: Customize the appearance of work items in sales accelerator | Microsoft Learn

If you are not yet a Dynamics 365 Sales customer, check out the Dynamics 365 Sales webpage where you can take a guided tour or get a free 30-day trial.

The post Customize work item cards to boost seller productivity appeared first on Microsoft Dynamics 365 Blog.


Introducing Identity Theft Monitoring in Microsoft Defender for Individuals


Attempting to impersonate someone is an activity as old as humanity, and has been used to great comedic effect by comedians and jesters throughout the ages.


Sadly, the crime of identity theft (in which a criminal uses someone’s identity details for fraudulent purposes) is very much not a joke. Not only can it destroy someone’s finances and credit, it can even lead to false arrests and other life-altering consequences for the person whose identity is being abused.


Even less funny is that the number of these crimes is currently at an all-time high. According to identitytheft.org [1], the number of identity theft incidents is up 70% compared to 2020, with the yearly number of reported identity theft incidents clocking in at 5.7 million in 2021 for the US alone.


Figure 1 – Source: FTC annual data book 2021 (

And along with the number of incidents, the median cost of these identity theft incidents is also on the rise, reaching an estimated $500 USD per incident based on the 2021 data [2]. This is in direct correlation with the ever-increasing number of devices and services people use in their daily lives, and the strong shift to conducting life online (from work, shopping, and entertainment), which have all served to increase exposure to this type of crime.


All of this means that, on average, someone’s identity is stolen every 22 seconds in the US, and 33% of Americans will become a victim of identity theft at some point in their lives. In fact, 1 in 4 have been victimized by identity theft before they turn 18 [3]. In all, this is most certainly not a laughing matter, especially when you consider that this type of crime costs the US economy 5.8 billion USD per year [4].


Hopefully, after hearing the above numbers, you’re wondering what can be done to stop this. Or, at the very least, what you can do to prevent yourself and your family from becoming identity theft victims.


The answer to that question is both simple and very hard; It starts with implementing all the common security advice you’ve probably heard thousands of times before: Use strong passwords, do not reuse credentials, enable multi-factor authentication, do not post personal data on social media, monitor your credit cards, bank accounts, and credit history for anything out of the ordinary, etc.


But the problem with this is that securing your identity is not just solely your responsibility. What makes it hard is that every company, government body, institution, etc. that holds your information is also participating in this game of staying ahead of the identity thieves. And, when we remember that data loss incidents by those entities have been on a steady rise for years with no signs of stopping, it’s an almost statistical certainty that someone, somewhere, will expose your data at some point.


As a result, all too often people that follow the commonly espoused advice about account and identity security to the letter still become a victim of identity theft, through no fault of their own.


Introducing identity theft monitoring

Which brings us to the core topic of this article; Microsoft is excited to announce that identity theft monitoring is available today to Microsoft 365 subscribers (for both Personal and Family subscription plans) in the United States.


Figure 2 – Microsoft Defender with identity theft monitoring enabled

This solution addresses one of the biggest challenges in preventing identity theft: visibility. We’ve partnered with Experian® to leverage their powerful identity monitoring technology to detect, track, and alert you whenever we find any identifying information on the internet, the dark web, and less common sources like file sharing, chat rooms, and many other places.


By showing exactly what details are compromised and/or publicly available, Microsoft empowers you to take control of your personal identity security and make informed decisions. Once you know what’s out there, you can take action by resetting passwords for compromised services, enabling multi-factor authentication for services that support it, placing a credit freeze to avoid malicious actors affecting your credit, contacting your bank or card provider to report potential fraud on your account, etc.


Identity theft monitoring can currently track and report up to 64 different types of identity details per breach, from usernames and passwords to credit card numbers and even Social Security Numbers. And it does so intelligently; whenever a match is found on any monitored information, it will also alert you to any of your other personal information that was found in that same breach.


For example, when identity theft monitoring is tracking your email address, it will report all associated data it finds in a breach where your email was found. So, if you had a credit card on file with the breached company or service, it will not just report that it found your email, but also the credit card that was registered on your account there. Even if you never added your credit card number to your monitored identity details!


And, if the cause of the breach is known, identity theft monitoring will even tell you what happened to cause your data to be lost.


But knowing your identity has been compromised is only half the battle. While most people we surveyed were perfectly familiar with how to reset a password, many indicated that they wouldn’t know where to start if more sensitive information like their Social Security Number or driver’s license got exposed. Furthermore, many shared their struggles with looking up instructions online due to conflicting information and insufficient clarification of nuances like the difference between placing a credit freeze and a credit lock.


Identity theft monitoring helps answer these questions with contextual recommendations for each individual breach, as well as in-depth guides on how to perform more complex tasks. And, because we want to empower you to make informed decisions about your identity security, it will also inform you of the risks associated with each identity type. This way you can take the action that works best for your situation and risk tolerance.


That’s all well and good, but what if you need further help? Or if someone is actively trying to take over your identity, right now? For those cases Defender includes access to a 24/7 support team of restoration specialists that can guide you through the appropriate next steps for any situation regarding your identity and can even take action for you if time is of the essence.


This means, regardless of the situation, you are never left wondering what the appropriate next steps to resolving your identity breach are or having to fend for yourself in trying to get everything sorted.


This extends to the damages caused by identity theft too. Identity theft monitoring subscribers are insured for the costs associated with restoring their identity (document fees, legal fees, etc.) up to $1M USD and stolen funds caused by the identity theft up to $100k USD [5].


So even if the worst should happen, Defender users who have identity theft monitoring enabled can rest (a little bit) easier, knowing that they have access to insurance that will help them in recovering their identities and the associated fallout.


And, as mentioned in the beginning, identity theft monitoring extends to family members in your Microsoft 365 family. These features and benefits can be set up and managed by the family organizer for all members of the family [6]. Once set up, family organizers will then receive alerts for all managed family members [7] through the Defender app on any device they’re signed in on, as well as via email. This helps the organizer stay on top of not just their own identity security, but their families’ as well.


Figure 3 – Managing breaches for multiple family members

And of course, all of that can be easily managed from the central dashboard provided by the Defender app.


Getting started

To get started with identity theft monitoring today, visit, sign in with the personal Microsoft account (@gmail, @outlook, etc.) linked to your Microsoft 365 subscription, find the identity theft monitoring card on the dashboard, and select “Get started.” You can also download the app from the Microsoft, Google, and Apple app stores or download the macOS app here (if you haven’t already)!


For more details and answers to frequently asked questions, visit: Getting started with identity theft monitoring in Microsoft Defender



1,2,4. 2022 Identity Theft Facts and Statistics –

3. Experian® Identity theft statistics

5. The identity theft insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Review the Summary of Benefits.

6. All family members need an active Microsoft 365 subscription, and any user over the age of 13 needs to explicitly consent to being monitored and managed by the family organizer.

7. Requires alert sharing to be enabled. Users over the age of 13 need to explicitly consent to sharing their alerts with a family organizer.

Learn Data Science and Machine Learning in 30 Days.


A warm welcome! 


In #30DaysOfDataScience we will go from understanding the Python language to working with real life data and finally creating Machine Learning models both on Azure and in Python. The main role is understanding our data and using the knowledge to make decisions such as fraud detection, customer segmentation and product pricing. 


Register for the program, set to run from 17th October to 17th November 2022.


The program journey. 


The program is set to start on the 17th of October. Before then, you need to register for the program and then start learning on Microsoft Learn using the Cloud Skills Challenge modules.


We will hold discussions on GitHub and over the 30-day period we will host live sessions to help you navigate your journey. Register and join us for this epic adventure. 


What to expect after 30 days. 

  • Successfully build 3 end to end Data Science projects i.e. fraud detection model, customer segmentation and product pricing model.

  • Badge of completion to be posted on LinkedIn 

Next Steps 

Register for the program, set to run from 17th October to 17th November 2022.

See you at the finish line! 

Exchange Online email applications stopped signing in, or keep asking for passwords? Start here.


Starting on October 1, 2022, Microsoft is starting to disable an outdated way of logging into Exchange Online known as “basic authentication.” This outdated method is vulnerable to various forms of password attacks. The newer authentication method is based on a standard called OAuth, and the Microsoft implementation of this standard is called “modern authentication.”

Some customers might run into problems once the outdated login method is disabled for their organization, such as not being able to sign into email.

When basic authentication is disabled for your organization, and various email clients are still using it, there are two things to know:

  • How to temporarily re-enable basic authentication for your organization (which solves the immediate problem of not being able to sign in)

  • How to stop using basic authentication permanently (because temporary re-enablement ends on December 31, 2022). Unless you address this, your users will not be able to sign into Exchange Online starting January 2023 when we permanently disable basic authentication.

Let’s cover both of these.

Temporarily re-enable basic authentication for your organization

You can re-enable basic auth in your tenant by using our self-service diagnostic. You launch this self-help diagnostic by clicking this button which will take you to the diagnostic in the Microsoft 365 admin center (if you are a Global admin):


Or, you can open the Microsoft 365 admin center and click the green Help & support button in the lower right-hand corner of the screen:


When you click the Help & support button, you enter our self-help system. Here you can enter the phrase Diag: Enable Basic Auth in EXO and then run the tests. The test results will look like the following (results will vary depending on what we have disabled for your organization):


You can enable basic auth for each protocol you need (one by one). Within an hour (often much sooner) of asking us to re-enable basic auth for a protocol, it will start to work again.

Be aware that by re-enabling basic auth for a protocol, your users and data are more vulnerable to security risks.

Stop using basic authentication permanently

Here are some client-specific tips for you, with links to learn more:

  • Outlook for Windows: The first thing to do is to make sure Outlook is up to date and that the organization-wide switch to enable modern authentication is set to True. Without that setting, Outlook for Windows won’t use modern auth. So, make sure it’s turned on. We are turning on the organization setting for customers as we disable basic auth for MAPI/RPC protocols, so this should be enabled already, but it’s worth checking. If things are still not working, check that Outlook has the right registry keys in place.

    Note: If you are using Outlook for Windows with the POP or IMAP protocol, that will stop working permanently when basic authentication is disabled at the end of this year. Outlook for Windows does not support modern authentication using POP or IMAP, and if you need to keep using those legacy protocols, you will have to use a different email client (for example, Thunderbird).

  • Outlook for Mac: if your Outlook for Mac clients insist on using basic auth, please see our recent blog post on this subject.

  • Exchange ActiveSync: this refers to a protocol used by various native email and calendar apps, such as the Mail app on iOS. All mainstream apps on up-to-date mobile clients support modern auth, but many user devices might still be using basic auth. Removing and re-adding the account from the device should automatically switch it to modern auth.

However, if you use some sort of mobile device management (MDM/MAM) solution, you should use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you’re using Basic Mobility and Security take a look at this document for some more information on how to fix those devices.

There might also be some less common types of clients that stop working when basic auth is disabled; here is how to work with those:

  • POP/IMAP applications: some of our customers use these protocols for application access. Please see this blog post for how to address both interactive and non-interactive apps.

  • Exchange Web Service (EWS) applications: EWS supports app-only access and you can use Application Access Policies to control what an app can access. If you have apps using EWS with basic auth, you must either modify the code, or get the app developer to do so. Many partner apps have support for modern auth, they just need to modify their configuration or update to the latest versions.

  • PowerShell scripts: If you have scripts, follow this guide to use modern auth within scripts.

Clients that we do not expect to have problems with starting October 1, 2022:

  • Outlook for iOS and Android – this client does not use basic authentication when connecting directly to Exchange Online mailboxes.

  • Outlook on the web – authenticating with Outlook on the web through your web browser always uses modern authentication if the mailbox is in Exchange Online.

Where can I find more information?

There are several resources that we wanted to provide here as additional reading:

The Exchange Team