Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Azure Policy - Support for RegEx in Match Conditions
Right now, the "Match" and "notMatch" conditions only support # for digit placeholders and ? for letters. This is okay, but it would be much more useful to support regex expressions. This would needed for define complex naming policies and tagging standards.
99 votes -
Support for functions in Resource Manager Policies
Support for functions in Resource Manager Policies:
{
"if": {
"field": "tags",
"exists": "false"
},
"then": {
"effect": "append",
"details": [
{
"field": "tags",
"value": { "creator": "CurrentUser()" }
},
{
"field": "tags",
"value": { "created": "DatetTime()" }
}
]
}
}27 votes -
Azure Policy Template to audit/enforce Azure Backups on VMs
Would love to get a pre-made Azure policy template to audit/enforce Azure Backups to ensure servers are not missed.
17 votes -
Allow more rich symbols while using Match in Policy definition
I am using Management groups and wanted to roll out multiple naming policy.
I have various clients hence thought of a consistent manner to support and organize Resource groups/Resources in a consistent way. i.e <Cleint>-<Prod/Dev>-RGP-<Name>.
So it would sort out like
CL1-PROD-RGP-MyFirstRG
CL1-PROD-RGP-AnotherOne
CL2-DEV-RGP-NNNN
CL3-PROD-RGP-aaabut unfortunately found that match could not support a symbol which would represent letter or number in same symbol. Details can be seen in the closed feedback thread on the following page.
https://docs.microsoft.com/en-us/azure/azure-policy/scripts/allow-multiple-name-patterns
It would really help enforce a consistent naming convention.
Not sure how fast help can arrive from MS?17 votesHi Omar,
Thank you for the feedback. I will share this with the Policy team to see what options they currently have or if this is on their roadmap.Thanks
Rich -
Provide an "otherwise" effect
It would be useful to have an operator that provides the behavior:
If {conditionA} is True AND If {conditionB} is True
Then {effect}
Otherwise {no-effect}.For example, the attached file demonstrates a possible policy definition that would restrict Public IP names to only those listed and ignore names of resources that are not Public IP addresses.
The apparent behavior of the allOf operator is to require all conditions to be applied to all resources which requires anticipatory knowledge of resources currently generated by Marketplace templates. For example, the NIC is now generated automatically by the new VM wizard and the…
16 votes -
Integrate Azure Policy with Azure DevOps
Recently, I started working with Azure Policies. In that, am able to create Azure Policy through portal successfully and now am trying to do same with the help of Azure DevOps. According to documentation there is a chance to integrate Azure Policy with Azure DevOps, but there is no more information regarding to that.
11 votes -
Azure Policy based on industry governance/compliance frameworks
It would be helpful to take some of the control mapping from blueprints against industry frameworks such as PCI-DSS/NIST/etc and allow you to report compliance against those controls for each of the Azure services that exist in your environment.
Integrating something like cloudsecurityalliance.org control matrix or unifiedcompliance.com would be very helpful.
9 votes -
Show user friendly message when Azure Policy does not meet compliance
We have created custom policy which checking tags existence when a user creates a new resource group. The policy works great.
But we have faced unexpected behavior. When we tried to create a new resource group for test purposes (without tags) we had an uninformative error (Unexpected error while creating the resource group.).
We think some people might have a misunderstanding about this message (From this message they won’t understand why they cannot create a new resource group).
We investigated this issue but have not found trouble in the policy itself therefore right now we think it is an azure…8 votes -
Azure Policy template for all options available in the Azure portal
Allow Azure Policies to be created by having a "generate policy" option available next to each option available in the Azure portal. Every configuration item should have the ability to be created as a policy and making this easy through the portal for each Azure component and option would make it easy to manage configuration compliance.
7 votesThanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing backlog and also gives us insight into the potential impact of implementing the suggested feature.
-
Azure Policy - Support for Rego Syntax
It would be great for companies who are working across the major cloud vendors and on AKS if Azure Policy supported the use of OPA and rego policy syntax in addition to the current json format. This would allow companies to adopt a single policy language and use it in multiple contexts.
6 votesAzure Policy uses Rego language for its AKS Policy (in limited public preview today): https://docs.microsoft.com/en-us/azure/aks/support-policies
It does not support custom policy definitions yet, as we plan to move to Gatekeeper v.3 which has breaking change in its policy language.
-
Show Azure Policy Definition parameters on a separate tab
In a lot of situations you are only interested in viewing initiative definitions and definition parameters, not editing them.
Showing definition parameters on a separate tab would save a lot of time.6 votes -
Azure Policy template for auditing/restricting public blob sharing
Currently, Azure storage allows for the public sharing of blobs. It would be great to be able to use Azure policy to detect (and remediate) this feature.
6 votesComing soon!
Azure Storage team will introduce a property on Storage Accounts that can override the container-level settings.
We will soon support auditing or denying storage accounts that are open to public network. Remediation will be coming further down the road.
-Liz
-
Azure Policy development environment
Developing policy is a nightmare, missing efficient debugging tools, information on the way they are calculated, etc. We need authoring tool to be able to efficiently develop and test policies.
4 votes -
Resource creation date, and creator.
There are two missing bits of metadata that I would expect to see on every resource: the creation date and the name of who deployed it. Auditing is much harder without these.
These should automatically be added at resource creation, either on the Overview panel, or as tags in addition to the fifteen currently possible. Please add these as you cannot always rely on a user to add them, or when they do: to add them accurately.
I attempted to create policies to assign these at creation, but policies do not, at the time of writing, support functions / variables.
4 votes -
Azure Policy - Enable faster (itterative) development of Policies
When developping Policies, testing is a very time consuming process as Policy evaluation takes place once every 30 minutes. You can trigger an on-demand scan, but it still takes a lot more time and effort than I'd like to be able to try filters and logic fast.
3 votesWe are working on a VS code extension for Azure Policy that evaluates a resource in seconds.
-Liz
-
Generate Alert when there is an audit on deployment.
I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.
He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action
3 votes -
azure policy check string length
It would be great if there will be in future a possibility to check the length of the resource Name at the deployment.
So it would be much easier to Control the naming convention for a resource.
3 votesSupport for length is coming soon (along with there: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-string)
-Liz
-
Parameters Concatenation
I have a naming policy for resource type and i am naming it at a category level. I.e
If Resource is of type CDN or Network then name should be CLIENT1-DEV-INT-<nameofresource>
else If the Resource is of type AppFunction, AppService then name should be CLIENT1-DEV-WEB-<nameofresource>
etc.So this Policy will be massive and having multiple clients I need to introduce a parameter to cover for first bit to be same i.e instead of hard coding CLIENT1-DEV I use parameter and make policy general and use CONCATENATION in the LIKE portion of policy like below.
{
"policyRule": {
"if": {
"not":…3 votes -
Add support for principalName in Microsoft.Authorization/roleAssignments resource type
Our organization use various naming conventions to differentiate between security groups with members with various types of clearances, between security groups with static memberships and just-in-time memberships, and high- and low-security service principals. Since we have hundreds of subscriptions and thus thousands of groups and users, the current aliases available in the Microsoft.Authorization namespace do not give us the ability to write all the policies we would like. Adding support for a Microsoft.Authorization/roleAssignments/principalName alias would enable us to write policies like:
- Prevent adding a security group designated as one with static membership as Owner on the subscription
- Prevent…2 votes -
Add "evaluate" booleans to Azure Policy ARM schema definitions
If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error and is very gard to workaround.
I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.
2 votes
- Don't see your idea?