Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow for blueprint access on management groups without seeing all other subscriptions beneath it

    We want to give access to blueprints on management groups without the user seeing all other subscription below that management group.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support Optional Blueprint Parameters

    Currently, all Blueprint Parameters require a value to be entered. Please support optional parameters for Blueprints. There are numerous use cases for this:


    • Deploy a VM standalone or in an Availability Set.

    • Add additional tags to resources.

    • And so on...

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  3. Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  4. Allow use of resourceGroup() functions within a resource group artifact

    When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like respourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  5. Improve CIS Blueprints for subnet NSGs and/or clarify documentation

    CIS Blueprint policy says subnet does not have an NSG, but the portal and az CLI say it does. The policy definition refers to Microsoft.Security/complianceResults and networkSecurityGroupsOnSubnets which are not documented.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  6. Support conditions on artifact level

    It would be very nice when conditions attribute can be set on a artifact like it could on resources in an ARM template. So it would be possible to deploy or not deploy artifacts based on parameter inputs or outputs from an ARM.
    Example use case:
    Blueprint creates a vNet and an AKS cluster. Then you configure an ingress controller on AKS and after that a new NSG should be deployed which locks down the vNet so only the LB of the Ingress Controller is reachable. This can be done by update the blueprint assignment and specify a parameter like…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  7. Blueprint Parameters Validation

    Currently the only Blueprint Parameter validation properties that are accepted is "defaultValue" and "allowedValues". Please add the following that are supported by ARM Template Parameters and would provide a much better experience for an Blueprint Assigner:


    • minValue

    • maxValue

    • minLength

    • maxLength

    More information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  8. subscription transfer process

    Subscription Transfer process
    I lost my blueprints after the subscription transfer.
    I understand RBaC perms are lost but still don't understand why my Blueprints had to disappear as well.
    This has happened twice.
    Microsoft advised that resources will remain the same but that's not the case.
    Are Blueprints assigned to a resource group and subscription different?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure Blueprints sample for Service Fabric Cluster

    It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow policies to be assigned to Blueprints like they can Managment Groups and subscriptions

    Azure Policies allow for assignments when viewing the policy into Management Groups, Subscriptions, and Resource Groups. Would like to be able to add Blueprints to that list

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  11. GitOps

    How does this work with GitOps?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  12. Option to delete non-blueprint RBAC Assignment when blueprint is assigned

    In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.

    Overwrite Scenario

    Config
    • Account Admin role on a Subscription 1 has Amber and Brian.

    • Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.

    Result
    • When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow use of uniqueString ARM function in Blueprint template artifacts

    Allow use of uniqueString ARM function in Blueprint template artifacts.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  14. Function to get the properties of the assigned blueprint definition

    It would be useful when you could get (with a function) the properties, like the version or name, of the blueprint definition during an assignment.
    This way you could for example use this information in ARM artifact the information to tag the resources which a created by the blueprint assignment with the name and version number of the blueprint definition. So you would see directly form which blueprint definition and which version a resource was created.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  15. Allow a Blueprint or ARM Template Item timeout limit to be set

    I have a Blueprint defined which has a purpose of provisioning a complete infrastructure but it is timing out due to one of its components being an ASE.

    The overall template is based on the ISO 27001 foundation as supplied by MS but does a few other tings too, including deploying an Application Service Environment.

    It all progresses nicely to a point - the components are all there and the ASE is undergoing provisioning however, it eventually throws an error with:

    'Template' failed to deploy. Exceeded maximum wait time of '02:00:00'. Message: 'Deployment didn't get into terminal status within the…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  16. Azure Blueprint (policy assignment) - Tag value should accept null values so we can put the tag later on.

    Azure Blueprint (policy assignment) - Tag value should accept null values. For example, we want to put 'function' tag in each VM and function can be app, db, ad etc. If we put 'app' as a value then all the VMs will have the same tag. We want to be 'function' tag there but we want to put the value at the time of creation as per the role of VM.

    Another one, Azure Blueprint (policy assignment). When we delete the blueprint, the blueprint got deleted but the policy does not get deleted. In this case, we have to delete…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  17. Errors when applying the ISO 27001 Shared Blueprint

    When applying the ISO 27001 blueprint, I get a number of errors when using different parameter permutations.

    My parameters are to constrain it to the UK (South) and to limit the types of Storage Accounts.

    There is also an issue with the resource group parameter, it is missing a leading / before the "providers" value.

    [concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  18. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings, some API's, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  19. Description to Role Assignment

    Add descriptions to Role assignment when value must be specified that shows up when assigning the blueprint to an Subscription.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  20. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base