Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups.

  1. Azure Policy - Support for RegEx in Match Conditions

    Right now, the "Match" and "notMatch" conditions only support # for digit placeholders and ? for letters. This is okay, but it would be much more useful to support regex expressions. This would be needed to define complex naming policies and tagging standards.

    220 votes
    planned  ·  28 comments  ·  Azure Policy
  2. Show user friendly message when Azure Policy does not meet compliance

    We have created a custom policy which checks tag existence when a user creates a new resource group. The policy works great.

    But we have faced unexpected behavior. When we tried to create a new resource group for test purposes (without tags) we had an uninformative error (Unexpected error while creating the resource group.).
    We think some people might have a misunderstanding about this message (From this message they won’t understand why they cannot create a new resource group).
    We investigated this issue but have not found trouble in the policy itself therefore right now we think it is an azure…

    40 votes
    3 comments  ·  Azure Policy
  3. Support for functions in Resource Manager Policies

    Support for functions in Resource Manager Policies:

    {
      "if": {
        "field": "tags",
        "exists": "false"
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "tags",
            "value": { "creator": "CurrentUser()" }
          },
          {
            "field": "tags",
            "value": { "created": "DatetTime()" }
          }
        ]
      }
    }

    37 votes
    5 comments  ·  Azure Policy
  4. Integrate Azure Policy with Azure DevOps

    Recently, I started working with Azure Policies. I am able to create an Azure Policy through the portal successfully, and now I am trying to do the same with the help of Azure DevOps. According to the documentation there is a chance to integrate Azure Policy with Azure DevOps, but there is no more information regarding that.

    25 votes
    1 comment  ·  Azure Policy

    Hi,

    Thanks for your feedback. We currently have a partnership with the Azure DevOps team to better improve this experience. We do have some built-in tasks and compliance gates and are working on revamping them. We recently published documentation on Designing Policy as Code workflows and will add more documentation as our improvements develop.

    Thank you,

    Azure Policy Team

  5. Azure Policy - Export compliance report to CSV

    Add an export to CSV button to the policy compliance screen. The Policy screens can be quite cluttered and clunky. But I can get compliance data from multiple assignments at once. I would like to be able to then export that compliance data so that I can slice and dice the data, augment the data and steward compliance (say in a new policy roll-out) from Excel.

    21 votes
    under review  ·  3 comments  ·  Azure Policy
  6. Provide an "otherwise" effect

    It would be useful to have an operator that provides the behavior:
    If {conditionA} is True AND If {conditionB} is True
    Then {effect}
    Otherwise {no-effect}.

    For example, the attached file demonstrates a possible policy definition that would restrict Public IP names to only those listed and ignore names of resources that are not Public IP addresses.

    The apparent behavior of the allOf operator is to require all conditions to be applied to all resources which requires anticipatory knowledge of resources currently generated by Marketplace templates. For example, the NIC is now generated automatically by the new VM wizard and the…

    21 votes
    1 comment  ·  Azure Policy
  7. Allow more rich symbols while using Match in Policy definition

    I am using Management groups and wanted to roll out multiple naming policies.
    I have various clients, hence I thought of a consistent manner to support and organize Resource groups/Resources in a consistent way, i.e. <Client>-<Prod/Dev>-RGP-<Name>.
    So it would sort out like
    CL1-PROD-RGP-MyFirstRG
    CL1-PROD-RGP-AnotherOne
    CL2-DEV-RGP-NNNN
    CL3-PROD-RGP-aaa

    but unfortunately found that match could not support a symbol which would represent a letter or number in the same symbol. Details can be seen in the closed feedback thread on the following page.

    https://docs.microsoft.com/en-us/azure/azure-policy/scripts/allow-multiple-name-patterns

    It would really help enforce a consistent naming convention.
    Not sure how fast help can arrive from MS?

    20 votes
    3 comments  ·  Azure Policy
  8. Azure Policy Effect - DenyIfNotExist

    Scenario: If you want to prevent the modification (or creation) of an object unless it has a required property present. That way, instead of just auditing if the object is in compliance (by checking for the presence of the property), you're preventing the object from drifting out of compliance by the denyIfNotExists effect, and stopping the update operation before it can modify the object.

    19 votes
    0 comments  ·  Azure Policy
  9. Azure Policy - Add friendly / custom error messages for deny policies

    When someone tries to create a resource that is blocked by policy, they get an ugly JSON output that doesn't really provide any details as to why they failed validation. The best that they can get (if they find it) is the name of the policy or initiative. It would be much nicer to be able to enter an error description when defining the policies / initiatives and provide links to internal KB articles for how they should remedy the problem.

    18 votes
    0 comments  ·  Azure Policy
  10. Azure Policy - Indexed mode policies pick up resources that don't support tags

    For example, I created a custom policy definition that audits if a tag exists. It is set mode=indexed, so only taggable and location based resources should be evaluated.

    Here are some things that are coming back as non-compliant:
    /microsoft.insights/alertrules
    /microsoft.insights/actiongroups
    /Microsoft.Compute/virtualMachines/extensions
    /microsoft.insights/activitylogalerts
    /microsoft.operationsmanagement/solutions
    /microsoft.portal/dashboards

    17 votes
    planned  ·  15 comments  ·  Azure Policy
  11. Azure Policy - Enable faster (iterative) development of Policies

    When developing Policies, testing is a very time consuming process as Policy evaluation takes place once every 30 minutes. You can trigger an on-demand scan, but it still takes a lot more time and effort than I'd like to be able to try filters and logic fast.

    15 votes
    2 comments  ·  Azure Policy
  12. Azure Policy development environment

    Developing policy is a nightmare, missing efficient debugging tools, information on the way they are calculated, etc. We need an authoring tool to be able to efficiently develop and test policies.

    14 votes
    1 comment  ·  Azure Policy
  13. Pin Overall Resource Compliance to Dashboards

    Be able to pin the Overall Resource Compliance percentage to Dashboards to allow quick access for Stakeholders

    10 votes
    0 comments  ·  Azure Policy
  14. Azure Policy template for all options available in the Azure portal

    Allow Azure Policies to be created by having a "generate policy" option available next to each option available in the Azure portal. Every configuration item should have the ability to be created as a policy and making this easy through the portal for each Azure component and option would make it easy to manage configuration compliance.

    10 votes
    0 comments  ·  Azure Policy

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing backlog and also gives us insight into the potential impact of implementing the suggested feature.

  15. Azure Policy to check whether the Management group follows naming Pattern

    Hello,
    currently, we cannot create an Azure Policy which checks whether the management group follows a naming pattern.
    It will be better if this feature is added to Azure Policy.

    8 votes
    0 comments  ·  Azure Policy
  16. Azure Policy - Support for Rego Syntax

    It would be great for companies who are working across the major cloud vendors and on AKS if Azure Policy supported the use of OPA and rego policy syntax in addition to the current json format. This would allow companies to adopt a single policy language and use it in multiple contexts.

    8 votes
    2 comments  ·  Azure Policy
  17. Fix TitleCase issue in preview Azure Security Center Initiative Policy

    The new Built-In Policy [Preview]: Manage certificate validity period (/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560), has a parameter certificatesValidityPeriodMonitoringEffect having allowed values: 'audit', 'deny', 'disabled', whereas all the other policies have values with TitleCase capitals, like: 'AuditIfNotExists', 'Disabled'. As we are running scripts to automatically activate disabled policies by setting parameters for the initiative Enable Monitoring in Azure Security Center (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), the routine now fails, most likely due to Case Sensitivity, showing the error: PolicyParameterValueNotAllowed : The value 'Audit' is not allowed for policy parameter 'certificatesValidityPeriodMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'audit, deny, disabled'. CorrelationId: 3aa33bae-fd0a-4a58-9f55-c201bd0d9609.

    The issue has been submitted…

    7 votes
    2 comments  ·  Azure Policy
  18. Azure Policy template for auditing/restricting public blob sharing

    Currently, Azure storage allows for the public sharing of blobs. It would be great to be able to use Azure policy to detect (and remediate) this feature.

    7 votes
    0 comments  ·  Azure Policy
  19. policy for tags enumeration

    Set a policy, that only certain values are allowed on a specific tag.
    For instance, if you set the tag: "Environment", you can only set the values "Dev" or "Prod" nothing else will be accepted. (An enumeration of unlimited numbers please)

    If a tag is needed in the Azure Portal (UI), then a combobox (drop down) should be presented.

    7 votes
    0 comments  ·  Azure Policy
  20. deployIfNotExists policy - add user assigned managed identity

    As of now, deployIfNotExists policy assignments are given a system assigned identity. This is insufficient when using a parameter reference to a keyvault secret. There is no keyvault policy in place to allow read access for the system assigned identity.

    If a user assigned identity were supported, then earlier provisioning could have already granted that identity access to the keyvault.

    It is not an acceptable solution to do manual creation of the keyvault access policy after the policy assignment is created when the deployment of the entire environment is being automated through Azure Blueprints.

    6 votes
    2 comments  ·  Azure Policy