Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Blueprints do not create managed identities for deployifnotexist policy initiatives

    Currently Azure Blueprints can assign policy initiatives but do not properly create the managed service identity for deployifnotexist policy definitions within the initiative. This needs to be corrected as that is basic functionality of a policy initiative assignment. The managed identity is created correctly if directly assigning the policy definition outside of an initiative.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  2. subscription transfer process

    Subscription Transfer process
    I lost my blueprints after the subscription transfer.
    I understand RBaC perms are lost but still don't understand why my Blueprints had to disappear as well.
    This has happened twice.
    Microsoft advised that resources will remain the same but that's not the case.
    Are Blueprints assigned to a resource group and subscription different?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow policies to be assigned to Blueprints like they can Managment Groups and subscriptions

    Azure Policies allow for assignments when viewing the policy into Management Groups, Subscriptions, and Resource Groups. Would like to be able to add Blueprints to that list

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  4. GitOps

    How does this work with GitOps?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  5. Option to delete non-blueprint RBAC Assignment when blueprint is assigned

    In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.

    Overwrite Scenario

    Config
    • Account Admin role on a Subscription 1 has Amber and Brian.

    • Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.

    Result
    • When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  6. Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  7. Function to get the properties of the assigned blueprint definition

    It would be useful when you could get (with a function) the properties, like the version or name, of the blueprint definition during an assignment.
    This way you could for example use this information in ARM artifact the information to tag the resources which a created by the blueprint assignment with the name and version number of the blueprint definition. So you would see directly form which blueprint definition and which version a resource was created.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add additional strongTypes for Blueprint

    Please add the following strongTypes that are supported by Azure Policy:

    storageSkus
    vmSKUs
    existingResourceGroups
    omsWorkspace

    Additionally, I would like the following:

    existingVNETs - displays existing Virtual Networks
    existingVNETSubnets - displays exiting VNET Subnets

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow a Blueprint or ARM Template Item timeout limit to be set

    I have a Blueprint defined which has a purpose of provisioning a complete infrastructure but it is timing out due to one of its components being an ASE.

    The overall template is based on the ISO 27001 foundation as supplied by MS but does a few other tings too, including deploying an Application Service Environment.

    It all progresses nicely to a point - the components are all there and the ASE is undergoing provisioning however, it eventually throws an error with:

    'Template' failed to deploy. Exceeded maximum wait time of '02:00:00'. Message: 'Deployment didn't get into terminal status within the…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  10. Azure Blueprint (policy assignment) - Tag value should accept null values so we can put the tag later on.

    Azure Blueprint (policy assignment) - Tag value should accept null values. For example, we want to put 'function' tag in each VM and function can be app, db, ad etc. If we put 'app' as a value then all the VMs will have the same tag. We want to be 'function' tag there but we want to put the value at the time of creation as per the role of VM.

    Another one, Azure Blueprint (policy assignment). When we delete the blueprint, the blueprint got deleted but the policy does not get deleted. In this case, we have to delete…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  11. Azure Blueprints sample for Service Fabric Cluster

    It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  12. Errors when applying the ISO 27001 Shared Blueprint

    When applying the ISO 27001 blueprint, I get a number of errors when using different parameter permutations.

    My parameters are to constrain it to the UK (South) and to limit the types of Storage Accounts.

    There is also an issue with the resource group parameter, it is missing a leading / before the "providers" value.

    [concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  13. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings, some API's, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  14. Description to Role Assignment

    Add descriptions to Role assignment when value must be specified that shows up when assigning the blueprint to an Subscription.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  15. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  16. Ability to export Blueprint

    Ability to export Blueprint and utilise in another tenant would save extreme amount of man hours replicating them.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  17. Within a Blueprint, allow for the creation and RBAC of Resource Groups based on an array

    Suppose I have a standard set of Resource Groups that I want to be created for each subscription - think of them as team names for the sake of this example).

    Within the ARM template, I have a variable (using parameters) containing an array of team names I want to create.

    Within the blueprint, I want to be able to enumerate over this array and create the RG's using variable substitution to adhere to a naming convention. Each RG then having a consistent set of RBAC applied.

    After triggering the BluePrint, I would have the confidence that the subscription exactly…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  18. Create AAD Groups with Blueprints

    How about an ability to add AAD users or groups to the current AAD tenant with Blueprints? Blueprints are currently aimed at subscription level, but how about extending this to the whole tenant?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  19. Granular locking of resources.

    Need the ability to have more granular locking of resources. Specifically being able to lock a VNET/subnet, but allow creation of NICs on the subnet so that users can attach to the subnet, but not modify an VNET/subnet configuration.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  20. Azure Blueprints loose blueprint level dependencies when edited in UI

    This is a bug... when you set up dependencies in blueprint.json they are removed if you subsequently edit the blueprint in the UI.


    1. Create blueprint in UI

    2. Export with AzBlueprint, set up dependencies and import

    3. Export again, dependecies are still there

    4. Edit in UI

    5. Export, dependencies are gone

    The dependency management is not a great experience at the moment, it needs to be visible in the UI, also, I the documentation should be updated to clearly state if you can make one resource group dependent on another rather than making them dependent on artifacts in another resource group.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base