Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Azure Policy - Export compliance report to CSV

    Add an export to CSV button to the policy compliance screen. The Policy screens can be quite cluttered and clunky. But I can get compliance data from multiple assignments at once. I would like to be able to then export that compliance data so that I can slice and dice the data, augment the data and steward compliance (say in a new policy roll-out) from Excel.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  2. Azure Policy - Support for Rego Syntax

    It would be great for companies who are working across the major cloud vendors and on AKS if Azure Policy supported the use of OPA and rego policy syntax in addition to the current json format. This would allow companies to adopt a single policy language and use it in multiple contexts.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  3. Azure Policy - Enable faster (itterative) development of Policies

    When developping Policies, testing is a very time consuming process as Policy evaluation takes place once every 30 minutes. You can trigger an on-demand scan, but it still takes a lot more time and effort than I'd like to be able to try filters and logic fast.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  4. Azure policy effect "deny" doesn't work on API call"delete"

    Hello,

    Currently Azure policy effect "deny" doesn't work on API call "delete". This creates issues when cx's create policies with deny effect. For example, when we try to create a policy which prevent users from disconnecting "VNET INTEGRATION", the operation which takes place is Delete(Microsoft.Web/sites/networkconfig/virtualNetwork).

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  5. Show user friendly message when Azure Policy does not meet compliance

    We have created custom policy which checking tags existence when a user creates a new resource group. The policy works great.

    But we have faced unexpected behavior. When we tried to create a new resource group for test purposes (without tags) we had an uninformative error (Unexpected error while creating the resource group.).
    We think some people might have a misunderstanding about this message (From this message they won’t understand why they cannot create a new resource group).
    We investigated this issue but have not found trouble in the policy itself therefore right now we think it is an azure…

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  6. Azure Policy - Based on delete action

    Like to setup the Azure policy based on the delete action .

    ex:

    {
    "source": "action",
    "equals": "Microsoft.Network/expressRouteCircuits/*/delete"
    },
    "then": {
    "effect": "deny"
    }

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  7. Azure Policy - Support for RegEx in Match Conditions

    Right now, the "Match" and "notMatch" conditions only support # for digit placeholders and ? for letters. This is okay, but it would be much more useful to support regex expressions. This would needed for define complex naming policies and tagging standards.

    117 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  20 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure Policy development environment

    Developing policy is a nightmare, missing efficient debugging tools, information on the way they are calculated, etc. We need authoring tool to be able to efficiently develop and test policies.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add support for principalName in Microsoft.Authorization/roleAssignments resource type

    Our organization use various naming conventions to differentiate between security groups with members with various types of clearances, between security groups with static memberships and just-in-time memberships, and high- and low-security service principals. Since we have hundreds of subscriptions and thus thousands of groups and users, the current aliases available in the Microsoft.Authorization namespace do not give us the ability to write all the policies we would like. Adding support for a Microsoft.Authorization/roleAssignments/principalName alias would enable us to write policies like:

    - Prevent adding a security group designated as one with static membership as Owner on the subscription
    - Prevent…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  10. Azure Policy Allow field to equal null

    I really need the ability to check that a field is null. In my case I want to Deny leaving an email address blank. To force people to fill in Vulnerability assessments reports and email them.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  11. Azure Policy Template to audit/enforce Azure Backups on VMs

    Would love to get a pre-made Azure policy template to audit/enforce Azure Backups to ensure servers are not missed.

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  12. Easily navigate between Policy Definitions and Assignments

    In the portal, I cannot easily navigate between policy definitions and assignments. Examples:

    -From a policy definition, show me all assignments of this definition
    -From a policy assignment, show me the definition

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  13. Resource creation date, and creator.

    There are two missing bits of metadata that I would expect to see on every resource: the creation date and the name of who deployed it. Auditing is much harder without these.

    These should automatically be added at resource creation, either on the Overview panel, or as tags in addition to the fifteen currently possible. Please add these as you cannot always rely on a user to add them, or when they do: to add them accurately.

    I attempted to create policies to assign these at creation, but policies do not, at the time of writing, support functions / variables.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  14. Provide an "otherwise" effect

    It would be useful to have an operator that provides the behavior:
    If {conditionA} is True AND If {conditionB} is True
    Then {effect}
    Otherwise {no-effect}.

    For example, the attached file demonstrates a possible policy definition that would restrict Public IP names to only those listed and ignore names of resources that are not Public IP addresses.

    The apparent behavior of the allOf operator is to require all conditions to be applied to all resources which requires anticipatory knowledge of resources currently generated by Marketplace templates. For example, the NIC is now generated automatically by the new VM wizard and the…

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  15. Integrate Azure Policy with Azure DevOps

    Recently, I started working with Azure Policies. In that, am able to create Azure Policy through portal successfully and now am trying to do same with the help of Azure DevOps. According to documentation there is a chance to integrate Azure Policy with Azure DevOps, but there is no more information regarding to that.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  16. Azure Policy - Extend policy aliases for Microsoft.Datamigration provider

    Create aliases for objects within services/projects to allow auditing or enforcement of authentication/encryption options on new migrations.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  17. Generate Alert when there is an audit on deployment.

    I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.

    He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  18. Azure Policy - Need a policy alias for Microsoft.RecoveryServices/vaults/monitoringConfigurations

    In order to create an azure policy that audits recovery vaults that do not have backup alerts enabled, there should be an alias for the monitoringConfigurations property.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Bug: If tags are appended by Built-In Policy they do not appear on UI and Powershell before you update resource tags

    Hi,

    There is a bug in Policy and Resource tags.

    If you use policies to append tags & values to Resource from Resource Group those appended tags and values do not appear in resource, before you update tags by Azure Portal UI. Right away when you example add new tag and press save button, those tags what are appended by policies appears on UI and Powershell. Not before.

    I have tested this and even next day or after two days those tags and values not appear in resource before updating tags.

    So if you want those tags and values shown…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow more rich symbols while using Match in Policy definition

    I am using Management groups and wanted to roll out multiple naming policy.
    I have various clients hence thought of a consistent manner to support and organize Resource groups/Resources in a consistent way. i.e <Cleint>-<Prod/Dev>-RGP-<Name>.
    So it would sort out like
    CL1-PROD-RGP-MyFirstRG
    CL1-PROD-RGP-AnotherOne
    CL2-DEV-RGP-NNNN
    CL3-PROD-RGP-aaa

    but unfortunately found that match could not support a symbol which would represent letter or number in same symbol. Details can be seen in the closed feedback thread on the following page.

    https://docs.microsoft.com/en-us/azure/azure-policy/scripts/allow-multiple-name-patterns

    It would really help enforce a consistent naming convention.
    Not sure how fast help can arrive from MS?

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base