Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Azure Policy - Support for RegEx in Match Conditions
Right now, the "Match" and "notMatch" conditions only support # for digit placeholders and ? for letters. This is okay, but it would be much more useful to support regex expressions. This would needed for define complex naming policies and tagging standards.
240 votes -
Support query Virtual Machines by state
Ability to query Virtual Machine resource type by state of the VM.
98 votes -
Allow Automatic Remediation of deployIfNotExists templates
What it says on the tin... deployIfNotExists should have an option to automatically remediate the issue by deploying the appropriate resources. (and/or automatically creating and running the remediation task)
92 votes -
azure blueprints assignment to management group
It should be Possible to assign the Blueprint to a Management Group. So every subscripiton with will be added to the Management Group, get automatic the blueprint assignment
49 votes -
Show user friendly message when Azure Policy does not meet compliance
We have created custom policy which checking tags existence when a user creates a new resource group. The policy works great.
But we have faced unexpected behavior. When we tried to create a new resource group for test purposes (without tags) we had an uninformative error (Unexpected error while creating the resource group.).
We think some people might have a misunderstanding about this message (From this message they won’t understand why they cannot create a new resource group).
We investigated this issue but have not found trouble in the policy itself therefore right now we think it is an azure…41 votesHi,
Thanks for your feedback. We are continuously adding more information error messages to improve them. Thank you for being this case to light and we will take a look and update as needed.
- Azure Governance Team
-
Visualize Resource Graph in PowerBI
I can today make querys and export to visualize in Power BI. It would be nice to somehow easier connect from Power BI to Resource Graph to visualize Resources.
39 votesYou can use Resource Graph Explorer in the Azure Portal to do queries and save and pin to your Azure dashboard. Would this serve your scenario.
-
Support for functions in Resource Manager Policies
Support for functions in Resource Manager Policies:
{
"if": {"field": "tags",
"exists": "false"},
"then": {"effect": "append",
"details": [
{
"field": "tags",
"value": { "creator": "CurrentUser()" }
},
{
"field": "tags",
"value": { "created": "DatetTime()" }
}
]}
}37 votesPolicy is not user aware so we are not able to do something like CurrentUser(). However, date and time is available using policy.
-
Azure Blueprints ARM Template Support
The ability to create an Azure Blueprint with an ARM Template. Additionally the ability to export Azure Blueprints as an ARM Templates. That way we can use them in a more repeatable fashion and store our definitions as IaC and deploy them with our existing deployment pipelines.
33 votes -
Ability to query for role assignments in Azure Resource Graph
Please add support for listing all role assignments
Resource Type: Microsoft.Authorization/roleAssignments
https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roleAssignments
32 votes -
When Unassigning an Azure Blueprint Provide Option of Removing Blueprint Created Resources
Since a Blueprint has the ability to create multiple resources in Azure it should also have the ability to clean up those resources. Think of it as the same as deleting a ResourceGroup deletes all resources in the ResourceGroup.
31 votes -
Azure Policy - Export compliance report to CSV
Add an export to CSV button to the policy compliance screen. The Policy screens can be quite cluttered and clunky. But I can get compliance data from multiple assignments at once. I would like to be able to then export that compliance data so that I can slice and dice the data, augment the data and steward compliance (say in a new policy roll-out) from Excel.
26 votes -
Blueprints should use Azure Template Library artifacts.
It would be great if Blueprints could reference a template in an Azure Template Library rather than having to cut and paste the ARM template into the Blueprint.
This way Blueprints could be made up of tested components in the library. We could even specify versions in the BluePrint to allow for better release testing.
26 votes -
Create Service Principals / App Registrations
Very useful for ARM deployments of services such as AKS which require an SP. Terraform does this rather well, so it would be good to see the same for Blueprints (and perhaps Azure Deployment Manager).
Or maybe just have an ARM provider type for it as that would simplify feeding the id and secret through to the service that needs it.
26 votes -
Integrate Azure Policy with Azure DevOps
Recently, I started working with Azure Policies. In that, am able to create Azure Policy through portal successfully and now am trying to do same with the help of Azure DevOps. According to documentation there is a chance to integrate Azure Policy with Azure DevOps, but there is no more information regarding to that.
25 votesHi,
Thanks for your feedback. We currently have a partnership with the Azure DevOps team to better improve this experience. We do have some built-in tasks and compliance gates and are working on reamp them. We recently publish documentation on Designing Policy as Code workflows and will add more documentation as our improvements develop.
Thank you,
Azure Policy Team
-
Either Include Custom Scripts or the Ability to Call an Automation Runbook in Azure Blueprint
Since there are lots of configuration things that ARM Templates cannot do, it would be extremely helpful if it was possible to include a custom script, preferably PowerShell, in an Azure Blueprint. If including custom scripts is not possible, having the ability to execute an Automation Runbook would also be a good way to solve this problem.
23 votesWe are working to release the ability to run a custom script in Azure Blueprint
-
Provide an "otherwise" effect
It would be useful to have an operator that provides the behavior:
If {conditionA} is True AND If {conditionB} is True
Then {effect}
Otherwise {no-effect}.For example, the attached file demonstrates a possible policy definition that would restrict Public IP names to only those listed and ignore names of resources that are not Public IP addresses.
The apparent behavior of the allOf operator is to require all conditions to be applied to all resources which requires anticipatory knowledge of resources currently generated by Marketplace templates. For example, the NIC is now generated automatically by the new VM wizard and the…
22 votes -
Store resource changes for more than 14 days
Ability to store Azure resource changes for more than 14 days
21 votesHow many days do you want the changes to be stored? and where do you want to store them?
-
Azure Policy - Indexed mode policies pick up resources that don't support tags
For example, I created a custom policy definition that audits if a tag exists. It is set mode=indexed, so only taggable and location based resources should be evaluated.
Here are some things that are coming back as non-compliant:
/microsoft.insights/alertrules
/microsoft.insights/actiongroups
/Microsoft.Compute/virtualMachines/extensions
/microsoft.insights/activitylogalerts
/microsoft.operationsmanagement/solutions
/microsoft.portal/dashboards21 votes -
Allow more rich symbols while using Match in Policy definition
I am using Management groups and wanted to roll out multiple naming policy.
I have various clients hence thought of a consistent manner to support and organize Resource groups/Resources in a consistent way. i.e <Cleint>-<Prod/Dev>-RGP-<Name>.
So it would sort out like
CL1-PROD-RGP-MyFirstRG
CL1-PROD-RGP-AnotherOne
CL2-DEV-RGP-NNNN
CL3-PROD-RGP-aaabut unfortunately found that match could not support a symbol which would represent letter or number in same symbol. Details can be seen in the closed feedback thread on the following page.
https://docs.microsoft.com/en-us/azure/azure-policy/scripts/allow-multiple-name-patterns
It would really help enforce a consistent naming convention.
Not sure how fast help can arrive from MS?20 votesHi Omar,
Thank you for the feedback. I will share this with the Policy team to see what options they currently have or if this is on their roadmap.Thanks
Rich -
Azure Policy Effect - DenyIfNotExist
Scenario: If you want to prevent the modification (or creation) of an object unless it has a required property present. That way, instead of just auditing if the object is in compliance (by checking for the presence of the property), you're preventing the object from drifting out of compliance by the denyIfNotExists effect, and stopping the update operation before it can modify the object.
19 votes
- Don't see your idea?