Location data is by nature sensitive and therefore needs to be managed securely. Today, we’re announcing the Public Preview of private endpoint support for Azure Maps, bringing enterprise-grade network isolation and data privacy to your location-aware applications. With Azure Private Link, your applications can connect to Azure Maps over a private IP inside your virtual network, keeping traffic on the Microsoft backbone network instead of the public internet. This helps reduce exposure to external threats while maintaining stringent security and compliance requirements.

Raising the Bar for Location Data Security in the Cloud

Azure Maps Private Endpoints creates a secure network bridge between your Azure VNet and Azure Maps using private endpoint. Here’s what changes:

• Network isolation: API calls are never exposed to the public internet. Traffic flows securely within Azure’s private backbone.
• Compliance support: Sensitive spatial data used by your application never traverses the public internet, directly supporting privacy and regulatory needs by minimizing external exposure.

Creating a Private Endpoint for your Azure Maps account

The create command below specifies the Maps account resource ID and the mapsAccount sub-resource, along with the virtual network and subnet used for the private endpoint. Azure creates a Private DNS zone for privatelink.account.maps.azure.com and adds the necessary DNS record automatically.

az network private-endpoint create \ --name <myprivateendpointname> \ --resource-group <myresourcegroup> \ --vnet-name <myvnetname> \ --subnet <mysubnetname> \ --private-connection-resource-id "/subscriptions/<subscriptionid>/resourceGroups/<myresourcegroup>/providers/Microsoft.Maps/accounts/<mymapsaccountname>" \ --group-id mapsAccount \ --connection-name <myconnectionname></myconnectionname></mymapsaccountname></myresourcegroup></subscriptionid></mysubnetname></myvnetname></myresourcegroup></myprivateendpointname>

To use the private endpoint, configure your applications to call the Azure Maps account-specific endpoint. The access pattern is:

https://{maps-account-client-id}.{location}.account.maps.azure.com

For example, if your Maps account client ID is abc123 and the region is East US, the new Azure Maps endpoint for your account (instead of https://atlas.microsoft.com) is https://abc123.eastus.account.maps.azure.com.

Accelerating Secure Location Intelligence with Azure Maps Private Endpoints

Azure Maps private endpoint support enables teams to build secure, compliant geospatial solutions; whether you’re handling Protected Health Information (PHI) in healthcare, optimizing logistics, or running sensitive analytics in financial services.  Azure Maps API traffic is isolated within Azure’s backbone, supporting privacy, regulatory, and security goals.

Developers can keep their existing integration patterns (just update the endpoint to the account-specific private DNS name); network and security admins gain seamless VNet integration and granular access controls; business leaders can unlock location intelligence without risking data exposure or sacrificing developer velocity.

Azure Maps is now ready for your most sensitive, compliance-driven workloads: securely, efficiently, and with full network isolation.

Explore more

• Azure Maps Private Endpoints documentation
• Azure Maps Documentation
• Azure Maps Samples
• Azure Maps Pricing

---

Directions' Barry Briggs and industry analysts George Gilbert and Peter O'Kelly discuss if and how AI could be making Microsoft's core Office apps more replaceable.



Download audio: https://www.directionsonmicrosoft.com/wp-content/uploads/2026/03/season1ep3TSG.mp3

750 of these daily notes. I’m happy about that. And I appreciate each of you who takes time to skim through it.

[blog] Gemini 3.1 Flash Live: Making audio AI more natural and reliable. A fast, natural-sounded real-time AI experience feels like magic. Now you can bake this latest audio and voice capability into your AI apps.

[blog] Choosing the best git branching strategy for continuous delivery in your team. Useful look at some classic approaches to managing work in an engineering team. I wonder if new patterns emerge given the volume (and speed) of AI code generation.

[blog] Kubernetes Still Feels Weird? What i wish i knew sooner. Wow, this is super terrific. It’s a comprehensive dive into all corners of what Kubernetes is and how it works. But written in a way that most anyone can understand.

[article] How to Convince Others to Trust Your Instincts. This can be tough, especially on a senior team or if people don’t yet see you as someone with viable opinions. I liked the advice here, as much of it felt actionable.

[blog] A developer’s guide to training with Ironwood TPUs. Really, this a set of optimization methods you can use for model training.

[blog] Deployment strategies: Types, trade-offs, and how to choose. What are the proven ways to ship software? There are many patterns based on your goals and the sophistication of your production environment. Get familiar with these!

[blog] Your Employees Aren’t Ready For AI — And It’s A Problem. The skills, psych safety, and tools might be missing from your company. What are you doing about it?

[article] How can engineering leaders assess their AI maturity? Let’s say you’re ready for AI. How do you know if you’re progressing? Useful data here.

[blog] Building superconducting and neutral atom quantum computers. I barely grasp this stuff, but progress in quantum has some major impact. Keep an eye on it.

[article] State of Context Engineering in 2026. How do you manage what gets stuffed in the context window? It’s not just about a prompt. It’s the tools, ways to progressively disclosure new info, how you compress context, and more. Good post!

[blog] The State of Open Source Licensing in 2026. Some of you nod off when the topic of “open source licensing” comes up. I get it. But the implications of recent shifts have material impact on your usage.

[blog] Vibe Coding XR: Accelerating AI + XR prototyping with XR Blocks and Gemini. Neat. Vibe coding for extended reality apps? That’ll help people quickly figure out where to go.

Want to get this update sent to you every day? Subscribe to my RSS feed or subscribe via email below:

Android 17 has officially reached platform stability today with Beta 3. That means that the API surface is locked; you can perform final compatibility testing and push your Android 17-targeted apps to the Play Store. In addition, Beta 3 brings a host of new capabilities to help you build better, more secure, and highly integrated applications.

Get your apps, libraries, tools, and game engines ready!

If you develop an SDK, library, tool, or game engine, it's even more important to prepare any necessary updates now to prevent your downstream app and game developers from being blocked by compatibility issues and allow them to target the latest SDK features. Please let your downstream developers know if updates are needed to fully support Android 17.

Testing involves installing your production app or a test app making use of your library or engine using Google Play or other means onto a device or emulator running Android 17 Beta 3. Work through all your app's flows and look for functional or UI issues. Review the behavior changes to focus your testing. Each release of Android contains platform changes that improve privacy, security, and overall user experience, and these changes can affect your apps. Here are some changes to focus on:

• Resizability on large screens: Once you target Android 17, you can no longer opt out of maintaining orientation, resizability and aspect ratio constraints on large screens.
• Dynamic code loading: If your app targets Android 17 or higher, the Safer Dynamic Code Loading (DCL) protection introduced in Android 14 for DEX and JAR files now extends to native libraries. All native files loaded using System.load() must be marked as read-only. Otherwise, the system throws UnsatisfiedLinkError.
• Enable CT by default: Certificate transparency (CT) is enabled by default. (On Android 16, CT is available but apps had to opt in.)
• Local network protections: Apps targeting Android 17 or higher have local network access blocked by default. Switch to using privacy preserving pickers if possible, and use the new ACCESS_LOCAL_NETWORK for broad, persistent access.

Media and camera enhancements

Photo Picker customization options

Android now allows you to tailor the visual presentation of the photo picker to better complement your app’s user interface. By leveraging the new PhotoPickerUiCustomizationParams API, you can modify the grid view aspect ratio from the standard 1:1 square to a 9:16 portrait display. This flexibility extends to both the ACTION_PICK_IMAGES intent and the embedded photo picker, enabling you to maintain a cohesive aesthetic when users interact with media.

This is all part of our effort to help make the privacy-preserving Android photo picker fit seamlessly with your app experience. Learn more about how you can embed the photo picker directly into your app for the most native experience.

val params = PhotoPickerUiCustomizationParams.Builder()
    .setAspectRatio(PhotoPickerUiCustomizationParams.ASPECT_RATIO_PORTRAIT_9_16)
    .build()

val intent = Intent(MediaStore.ACTION_PICK_IMAGES).apply {
    putExtra(MediaStore.EXTRA_PICK_IMAGES_UI_CUSTOMIZATION_PARAMS, params)
}

startActivityForResult(intent, REQUEST_CODE)

Support for the RAW14 image format: Android 17 introduces support for the RAW14 image format — the de-facto industry standard for high-end digital photography — via the new ImageFormat.RAW14 constant. RAW14 is a single-channel, 14-bit per pixel format that uses a densely packed layout where every four consecutive pixels are packed into seven bytes.

Vendor-defined camera extensions: Android 17 adds Vendor-defined extensions to enable hardware partners define and implement custom camera extension modes to provide you access to the best and latest camera features, such as 'Super Resolution' or cutting-edge AI-driven enhancements. You can query for these modes using the isExtensionSupported(int) API.

Camera device type APIs: New Android 17 APIs allow you to query the underlying device type to identify if a camera is built-in hardware, an external USB webcam, or a virtual camera.

Bluetooth LE Audio hearing aid support

Android now includes a specific device category for Bluetooth Low Energy (BLE) Audio hearing aids. With the addition of the AudioDeviceInfo.TYPE_BLE_HEARING_AID constant, your app can now distinguish hearing aids from regular headsets.

val audioManager = getSystemService(Context.AUDIO_SERVICE) as AudioManager
val devices = audioManager.getDevices(AudioManager.GET_DEVICES_OUTPUTS)
val isHearingAidConnected = devices.any { it.type == AudioDeviceInfo.TYPE_BLE_HEARING_AID }

Granular audio routing for hearing aids

Android 17 allows users to independently manage where specific system sounds are played. They can choose to route notifications, ringtones, and alarms to connected hearing aids or the device's built-in speaker.

Extended HE-AAC software encoder

Android 17 introduces a system-provided Extended HE-AAC software encoder. This encoder supports both low and high bitrates using unified speech and audio coding. You can access this encoder via the MediaCodec API using the name c2.android.xheaac.encoder or by querying for the audio/mp4a-latm MIME type.

val encoder = MediaCodec.createByCodecName("c2.android.xheaac.encoder")
val format = MediaFormat.createAudioFormat(MediaFormat.MIMETYPE_AUDIO_AAC, 48000, 1)
format.setInteger(MediaFormat.KEY_BIT_RATE, 24000)
format.setInteger(MediaFormat.KEY_AAC_PROFILE, MediaCodecInfo.CodecProfileLevel.AACObjectXHE)
encoder.configure(format, null, null, MediaCodec.CONFIGURE_FLAG_ENCODE)

Performance and Battery Enhancements

Reduce wakelocks with listener support for allow-while-idle alarms

Android 17 introduces a new variant of AlarmManager.setExactAndAllowWhileIdle that accepts an OnAlarmListener instead of a PendingIntent. This new callback-based mechanism is ideal for apps that currently rely on continuous wakelocks to perform periodic tasks, such as messaging apps maintaining socket connections.

val alarmManager = getSystemService(AlarmManager::class.java)
val listener = AlarmManager.OnAlarmListener {
    // Do work here
}

alarmManager.setExactAndAllowWhileIdle(
    AlarmManager.ELAPSED_REALTIME_WAKEUP,
    SystemClock.elapsedRealtime() + 60000,
    listener,
    null
)

Privacy updates

System-provided Location Button

Android is introducing a system-rendered location button that you will be able to embed directly into your app's layout using an Android Jetpack library. When a user taps this system button, your app is granted precise location access for the current session only. To implement this, you need to declare the USE_LOCATION_BUTTON permission.

Discrete password visibility settings for touch and physical keyboards

This feature splits the existing "Show passwords" system setting into two distinct user preferences: one for touch-based inputs and another for physical (hardware) keyboard inputs. Characters entered via physical keyboards are now hidden immediately by default.

val isPhysical = event.source and InputDevice.SOURCE_KEYBOARD == InputDevice.SOURCE_KEYBOARD
val shouldShow = android.text.ShowSecretsSetting.shouldShowPassword(context, isPhysical)

Security

Enforced read-only dynamic code loading

To improve security against code injection attacks, Android now enforces that dynamically loaded native libraries must be read-only. If your app targets Android 17 or higher, all native files loaded using System.load() must be marked as read-only beforehand.

val libraryFile = File(context.filesDir, "my_native_lib.so")
// Mark the file as read-only before loading to comply with Android 17+ security requirements
libraryFile.setReadOnly()

System.load(libraryFile.absolutePath)

Post-Quantum Cryptography (PQC) Hybrid APK Signing

To prepare for future advancements in quantum computing, Android is introducing support for Post-Quantum Cryptography (PQC) through the new v3.2 APK Signature Scheme. This scheme utilizes a hybrid approach, combining a classical signature with an ML-DSA signature.

User experience and system UI

Better support for widgets on external displays

This feature improves the visual consistency of app widgets when they are shown on connected or external displays with different pixel densities using DP or SP units.

val options = appWidgetManager.getAppWidgetOptions(appWidgetId)
val displayId = options.getInt(AppWidgetManager.OPTION_APPWIDGET_DISPLAY_ID)

val remoteViews = RemoteViews(context.packageName, R.layout.widget_layout)
remoteViews.setViewPadding(
    R.id.container,
    16f, 8f, 16f, 8f,
    TypedValue.COMPLEX_UNIT_DIP
)

Hidden app labels on the home screen

Android now provides a user setting to hide app names (labels) on the home screen workspace. Ensure your app icon is distinct and recognizable.

Desktop Interactive Picture-in-Picture

Unlike traditional Picture-in-Picture, these pinned windows remain interactive while staying always-on-top of other application windows in desktop mode.

val appTask: ActivityManager.AppTask = activity.getSystemService(ActivityManager::class.java).appTasks[0]
appTask.requestWindowingLayer(
    ActivityManager.AppTask.WINDOWING_LAYER_PINNED,
    context.mainExecutor,
    object : OutcomeReceiver<Int, Exception> {
        override fun onResult(result: Int) {
            if (result == ActivityManager.AppTask.WINDOWING_LAYER_REQUEST_GRANTED) {
                // Task successfully moved to pinned layer
            }
        }
        override fun onError(error: Exception) {}
    }
)

Redesigned screen recording toolbar

Core functionality

VPN app exclusion settings

By using the new ACTION_VPN_APP_EXCLUSION_SETTINGS Intent, your app can launch a system-managed Settings screen where users can select applications to bypass the VPN tunnel.

val intent = Intent(Settings.ACTION_VPN_APP_EXCLUSION_SETTINGS)
if (intent.resolveActivity(packageManager) != null) {
    startActivity(intent)
}

OpenJDK 25 and 21 API updates

This update brings extensive features and refinements from OpenJDK 21 and OpenJDK 25, including the latest Unicode support and enhanced SSL support for named groups in TLS.

Get started with Android 17

You can enroll any supported Pixel device or use the 64-bit system images with the Android Emulator.

• Compile against the new SDK and report issues on the feedback page.
• Test your current app for compatibility and learn whether your app is affected by changes in Android 17.

For complete information, visit the Android 17 developer site.