Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  1. Azure Resource Graph service

    Allow Azure Resource Graph service output to be stored in Azure blob storage automatically based on time

    1 vote
    0 comments  ·  Azure Resource Graph
  2. Include core counts for VMs for the purpose of cross-joins with other data

    It would be great to have some of other meta data exposed within Resource Graph. More specifically a way to get the number of cores that a VM size has. This would be valuable for queries to show the total number of cores that are used. Right now, we have to export out the results of the Resource Graph and convert the VM SKU to the number of cores outside of Resource Graph. Having it within the Resource Graph would allow us to do joins within our queries to get a single report with all of the information that we…

    1 vote
    0 comments  ·  Azure Resource Graph
  3. Create AAD Groups with Blueprints

    How about an ability to add AAD users or groups to the current AAD tenant with Blueprints? Blueprints are currently aimed at subscription level, but how about extending this to the whole tenant?

    1 vote
    0 comments  ·  Azure Blueprints
  4. Create additional policy condition of 'inCaseSensitive' to validate case-sensitive match in the Array

    Request to have the policy condition similar to 'in' for an Array to have an additional policy condition of 'inCaseSensitive' (or similar) to validate the value in the array is an exact, case-sensitive match.

    2 votes
    0 comments  ·  Azure Policy
  5. Azure Policy - Based on delete action

    Like to set up the Azure policy based on the delete action.

    ex:

    "if": {
      "source": "action",
      "equals": "Microsoft.Network/expressRouteCircuits/*/delete"
    },
    "then": {
      "effect": "deny"
    }

    2 votes
    0 comments  ·  Azure Policy
  6. Support GraphQL as an alternative to Kusto

    Lots of work is being done in GraphQL that is well aligned with what is done via Kusto and gets to a more common language and structure. Agreed, GraphQL is more complex than Kusto, but it would be helpful.

    1 vote
    0 comments  ·  Azure Resource Graph
  7. Resource Graph - support for type microsoft.web/sites/config

    Support type 'microsoft.web/sites/config' to get all the data nodes under the config type.

    4 votes
    under review  ·  0 comments  ·  Azure Resource Graph
  8. Report and present Azure metrics queries

    Azure documentation here: https://azure.microsoft.com/en-us/pricing/details/monitor/ under the section metrics mention that metrics queries above 1 million queries per month would be charged on the subscription. It would be good to have this data presented on the Azure portal to set up alerts and throttle the additional requests if needed.

    1 vote
    0 comments
  9. Allow Deny Assignments for Existing Resource Groups

    Allow Deny Assignments for Existing Resource Groups - Currently deny assignments with Blueprints is only allowed for new resources. It would be really helpful if the same feature can be applied to existing resource groups.

    7 votes
    0 comments  ·  Azure Blueprints
  10. Create a property/alias that can be used in a policy to deny deployment of VM that is acceleratednetworking capable but not enabled.

    Create a property/alias that can be used in a policy to deny deployment of VM that is acceleratednetworking capable but not enabled. This is not currently possible. Ideally, this property/alias would live under Compute.

    1 vote
    0 comments
  11. Azure Policy Allow field to equal null

    I really need the ability to check that a field is null. In my case I want to Deny leaving an email address blank. To force people to fill in Vulnerability assessments reports and email them.

    2 votes
    0 comments  ·  Azure Policy
  12. Relocate new subscriptions automatically

    Currently, new subscriptions are automatically defaulted to the root management group when created. Could we have an option to change the default location of new subscriptions in order to have more strict policies applied to new subscriptions?

    2 votes
    0 comments
  13. Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    2 votes
    0 comments  ·  Azure Blueprints
  14. Granular locking of resources.

    Need the ability to have more granular locking of resources. Specifically, being able to lock a VNET/subnet but allow creation of NICs on the subnet, so that users can attach to the subnet but not modify a VNET/subnet configuration.

    1 vote
    0 comments  ·  Azure Blueprints
  15. Make tag-values immutable (perhaps via Blueprint Locks)

    We are using tags a lot to organize our resources. That's why we have some hundred values for one key.
    As deployers tend to make mistakes like typos, we would be glad if tag-values could be predeployed and afterwards made immutable, e.g. by using a blueprint and locking them. Another approach for the source of truth could be a storage table or database.
    That way no additions, duplicates, typos etc. could be created.

    3 votes
    0 comments
  16. Azure Blueprints lose blueprint level dependencies when edited in UI

    This is a bug... when you set up dependencies in blueprint.json they are removed if you subsequently edit the blueprint in the UI.

    1. Create blueprint in UI
    2. Export with AzBlueprint, set up dependencies and import
    3. Export again, dependencies are still there
    4. Edit in UI
    5. Export, dependencies are gone

    The dependency management is not a great experience at the moment. It needs to be visible in the UI. Also, the documentation should be updated to clearly state if you can make one resource group dependent on another rather than making them dependent on artifacts in…

    1 vote
    0 comments  ·  Azure Blueprints
  17. Resource Graph - support for Microsoft.Sql/servers/encryptionProtector

    Support for subtype Microsoft.Sql/servers/encryptionProtector will enable us to query TDE configuration such as Microsoft managed vs. customer managed and Azure KeyVault configurations

    1 vote
    0 comments  ·  Azure Resource Graph
  18. Resource Graph - Support for searching nested arrays

    Ability to enumerate through resource responses that contain nested arrays.

    Example scenario: identify all subnets that do not have an NSG assigned.

    Today, the approach will be to retrieve all of the VNETs and enumerate through the list in PowerShell. This adds another level of complexity and complicates analysis through the Portal.

    Example code:

    $rgQuery = "where type == 'microsoft.network/virtualnetworks' | summarize subnets = make_list(properties.subnets)"
    $results = Search-AzGraph -Query $rgQuery

    $SubnetsWithoutNSGs = [System.Collections.ArrayList]@()

    foreach ($subnet in $results.subnets)
    {
        if ($subnet.properties.networkSecurityGroup -eq $null)
        {
            $captures = [regex]::Match($subnet.id, '/subscriptions/(.*)/resourceGroups/(.*)/providers/.*/virtualNetworks/(.*)/subnets/(.*)').Captures

            $item = New-Object PSObject
            $item | Add-Member NoteProperty SubscriptionId ($captures.Groups[1].value)
            $item | Add-Member…

    3 votes
    0 comments  ·  Azure Resource Graph
  19. Function to get the properties of the assigned blueprint definition

    It would be useful if you could get (with a function) the properties, like the version or name, of the blueprint definition during an assignment.
    This way you could, for example, use this information in an ARM artifact to tag the resources which are created by the blueprint assignment with the name and version number of the blueprint definition. So you would see directly from which blueprint definition and which version a resource was created.

    2 votes
    0 comments  ·  Azure Blueprints
  20. Support conditions on artifact level

    It would be very nice if a conditions attribute could be set on an artifact like it can on resources in an ARM template. So it would be possible to deploy or not deploy artifacts based on parameter inputs or outputs from an ARM.
    Example use case:
    Blueprint creates a vNet and an AKS cluster. Then you configure an ingress controller on AKS, and after that a new NSG should be deployed which locks down the vNet so only the LB of the Ingress Controller is reachable. This can be done by updating the blueprint assignment and specifying a parameter like…

    3 votes
    1 comment  ·  Azure Blueprints