Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups.

  1. Azure Policy Effect - DenyIfNotExist

    Scenario: If you want to prevent the modification (or creation) of an object unless it has a required property present. That way, instead of just auditing if the object is in compliance (by checking for the presence of the property), you're preventing the object from drifting out of compliance by the denyIfNotExists effect, and stopping the update operation before it can modify the object.

    19 votes
    0 comments  ·  Azure Policy
  2. Fix TitleCase issue in preview Azure Security Center Initiative Policy

    The new Built-In Policy [Preview]: Manage certificate validity period (/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560), has a parameter certificatesValidityPeriodMonitoringEffect having allowed values: 'audit', 'deny', 'disabled', whereas all the other policies have values with TitleCase capitals, like: 'AuditIfNotExists', 'Disabled'. As we are running scripts to automatically activate disabled policies by setting parameters for the initiative Enable Monitoring in Azure Security Center (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), the routine now fails, most likely due to case sensitivity, showing the error: PolicyParameterValueNotAllowed : The value 'Audit' is not allowed for policy parameter 'certificatesValidityPeriodMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'audit, deny, disabled'. CorrelationId: 3aa33bae-fd0a-4a58-9f55-c201bd0d9609.

    The issue has been submitted…

    7 votes
    2 comments  ·  Azure Policy
  3. Pin Overall Resource Compliance to Dashboards

    Be able to pin the Overall Resource Compliance percentage to Dashboards to allow quick access for Stakeholders

    10 votes
    0 comments  ·  Azure Policy
  4. Azure Policy initiatives - Remediate multiple policies within an initiative

    When assigning a new initiative the remediation task only evaluates a single policy rather than allowing multiple policies to be selected for remediation.

    The process at the moment is to remediate just one policy then the user must create multiple subsequent remediation tasks to evaluate the others one by one.

    What would be useful is the ability to ‘select all’ and/or select multiple policies to remediate as a single action while assigning a new initiative.

    5 votes
    0 comments  ·  Azure Policy
  5. 5 votes
    0 comments  ·  Azure Resource Graph
  6. deployIfNotExists policy - add user assigned managed identity

    As of now, deployIfNotExists policy assignments are given a system assigned identity. This is insufficient when using a parameter reference to a keyvault secret. There is no keyvault policy in place to allow read access for the system assigned identity.

    If a user assigned identity were supported, then earlier provisioning could have already granted that identity access to the keyvault.

    It is not an acceptable solution to do manual creation of the keyvault access policy after the policy assignment is created when the deployment of the entire environment is being automated through Azure Blueprints.

    6 votes
    2 comments  ·  Azure Policy
  7. Blueprints and ARM Complete mode

    Today, without the ability to specify complete mode deployments, we struggle undoing items from ARM templates. As blueprints change over time, it would make our lives much easier if we didn't need to drop into Azure CLI or REST to undo changes.

    https://github.com/neilpeterson/azure-blueprints-pipeline-tasks/issues/66

    4 votes
    0 comments  ·  Azure Blueprints
  8. Azure Resource Graph: Add support for the semi and anti flavors to the join operator

    While leftsemi/anti and rightsemi/anti are part of KQL for the join operator, they aren't supported by Resource Graph. Only innerunique, inner, and leftouter are supported.
    https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer#join-flavors

    3 votes
    0 comments  ·  Azure Resource Graph
  9. Resource Graph type for Management Groups

    Add Management Groups as a resource type for Resource Graph. This would allow for writing queries that target subscriptions that are in a specific Management Group. This is extremely helpful for enterprises that have a lot of subscriptions that are being organized with Management Groups.

    8 votes
    planned  ·  0 comments  ·  Azure Resource Graph
  10. Azure Policy Initiatives - descriptive policy name

    When an initiative contains multiple policies with the same definition, it is hard to determine which one is which.

    Example:
    We have an initiative definition that consists of multiple (7) "Require a tag on resources" policies, and it is impossible to figure out which tag they require without editing the initiative definition (see the screenshot)

    On the assignment end, it is hard to determine which tag is missing in the non-compliant resource. The only way is to navigate to the reason details.

    Suggestion:
    1) Extend https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2019-06-01/policySetDefinitions#policydefinitionreference-object schema with a "name" text attribute. Use the policy definition name if omitted (current…

    5 votes
    0 comments  ·  Azure Policy
  11. Evaluate a condition of Azure policy rules from powershell / az cli

    When creating policies it would be convenient to test our condition locally by targeting a specific resource group, for example.

    Currently we should create the policy and assign it and wait for the result.

    2 votes
    0 comments  ·  Azure Policy
  12. Ability to query budget and forecast in Azure Resource Graph

    Please add the ability to query budget and forecast in Azure Resource Graph. This will allow the creation of dynamic and filterable cost management dashboards

    4 votes
    1 comment  ·  Azure Resource Graph
  13. Azure Policy

    When we apply Azure Policy to the SQL DB created through stored procedure, the Policy is not triggering its effect on that resource as these resources are not created in ARM layer. We know that policy evaluation happens on the ARM layer. But it would be great if Policy team could add this feature in the Policy so that Policy evaluation happens on the resources created through stored procedure as well.

    6 votes
    1 comment  ·  Azure Policy
  14. Azure Storage File share available in resource graph

    Right now, the file share information of a storage account is not available in the resource graph.
    I.e., it would allow us to list the file share of a subscription, compute the global storage size or simulate the pricing.

    8 votes
    0 comments  ·  Azure Resource Graph
  15. Azure Resource Graph - Support query for backup status

    Add the ability to query backup status from Azure Resource Graph and therefore see status for multiple vaults in a unique dashboard

    7 votes
    1 comment  ·  Azure Resource Graph
  16. Azure Resource Graph - Limitations in the Result Set

    Query results return only 1000 records

    Resource Graph limits any query to returning only 1000 records. This can be extended to the exact output values or the commands like First and Skip should be added with Kusto as well to exactly see the data.

    Also we are not able to use the MAP Visualization, as none of the Data set is matching with it. Can you add a demo for it as well.

    2 votes
    0 comments  ·  Azure Resource Graph
  17. Azure Policy - Export compliance report to CSV

    Add an export to CSV button to the policy compliance screen. The Policy screens can be quite cluttered and clunky. But I can get compliance data from multiple assignments at once. I would like to be able to then export that compliance data so that I can slice and dice the data, augment the data and steward compliance (say in a new policy roll-out) from Excel.

    22 votes
    under review  ·  3 comments  ·  Azure Policy
  18. Allow me to name the managed identity created for deployIfNotExists policies

    There currently is no control available I can find that allows me to name the managed identities that are created when I make an assignment that includes a deployIfNotExists policy.

    This is challenging because the name of the identity that is created for me, which shows up in Azure IAM, is not meaningful. For example: 145be6177g3g391580751e32

    This makes it very hard for someone to verify the identity of the "app" and therefore become concerned over if this is a legitimate app in our AAD.

    Please allow me to name the managed identity at creation time or better yet allow me to…

    5 votes
    0 comments  ·  Azure Policy
  19. Resource Graph - support for type microsoft.web/sites/config

    Support type 'microsoft.web/sites/config' to get all the data nodes under the config type.

    16 votes
    under review  ·  2 comments  ·  Azure Resource Graph
  20. Store resource changes for more than 14 days

    Ability to store Azure resource changes for more than 14 days

    20 votes
    8 comments  ·  Azure Resource Graph