Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

How can we improve Azure Governance?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Azure Policy - Extend policy aliases for Microsoft.Datamigration provider

    Create aliases for objects within services/projects to allow auditing or enforcement of authentication/encryption options on new migrations.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  2. Select existing managed identity in Azure Policy Assignment

    When creating a policy assignment using deployIfNotExist the assignment always creates a new Managed Identity. We would like to be able to select/use an existing Managed Identity. This way we don't have to assign permissions to multiple Managed Identities and we can re-use the Managed Identity.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  3. Azure Policy - Support for Rego Syntax

    It would be great for companies who are working across the major cloud vendors and on AKS if Azure Policy supported the use of OPA and rego policy syntax in addition to the current json format. This would allow companies to adopt a single policy language and use it in multiple contexts.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  4. Azure Policy - Need a policy alias for Microsoft.RecoveryServices/vaults/monitoringConfigurations

    In order to create an azure policy that audits recovery vaults that do not have backup alerts enabled, there should be an alias for the monitoringConfigurations property.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  5. Azure Policy - Enable faster (itterative) development of Policies

    When developping Policies, testing is a very time consuming process as Policy evaluation takes place once every 30 minutes. You can trigger an on-demand scan, but it still takes a lot more time and effort than I'd like to be able to try filters and logic fast.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  6. Bug: If tags are appended by Built-In Policy they do not appear on UI and Powershell before you update resource tags

    Hi,

    There is a bug in Policy and Resource tags.

    If you use policies to append tags & values to Resource from Resource Group those appended tags and values do not appear in resource, before you update tags by Azure Portal UI. Right away when you example add new tag and press save button, those tags what are appended by policies appears on UI and Powershell. Not before.

    I have tested this and even next day or after two days those tags and values not appear in resource before updating tags.

    So if you want those tags and values shown…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  7. Append for azure policy works only creation.Update whould also be possible

    Currently if we want to enforce the policy to copy the RG tags to the child resources is possible but it is not possible to copy the Rg tags to the existing resources. It would be good to have it.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  8. guest configuration

    Provide more samples for VM Guest Configuration. Currently there is only 1

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure Policy development environment

    Developing policy is a nightmare, missing efficient debugging tools, information on the way they are calculated, etc. We need authoring tool to be able to efficiently develop and test policies.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  10. Generate Alert when there is an audit on deployment.

    I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.

    He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  11. Add "evaluate" booleans to Azure Policy ARM schema definitions

    If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error and is very gard to workaround.

    I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add "evaluate" booleans to Azure Policy ARM schema definitions

    If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error.

    I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.

    The tags.initiative.json shows my workaround, but it is very ugly. The tags.initiative.2.json file shows how I think it could and should look.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  13. Resource creation date, and creator.

    There are two missing bits of metadata that I would expect to see on every resource: the creation date and the name of who deployed it. Auditing is much harder without these.

    These should automatically be added at resource creation, either on the Overview panel, or as tags in addition to the fifteen currently possible. Please add these as you cannot always rely on a user to add them, or when they do: to add them accurately.

    I attempted to create policies to assign these at creation, but policies do not, at the time of writing, support functions / variables.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  14. Prevent Owner role unless MFA enabled

    We have a requirement to ensure all Owners have MFA enabled, using Conditional access policies we can only assign Global Admins not Owners, so would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  15. Show user friendly message when Azure Policy does not meet compliance

    We have created custom policy which checking tags existence when a user creates a new resource group. The policy works great.

    But we have faced unexpected behavior. When we tried to create a new resource group for test purposes (without tags) we had an uninformative error (Unexpected error while creating the resource group.).
    We think some people might have a misunderstanding about this message (From this message they won’t understand why they cannot create a new resource group).
    We investigated this issue but have not found trouble in the policy itself therefore right now we think it is an azure…

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  16. Integrate Azure Policy with Azure DevOps

    Recently, I started working with Azure Policies. In that, am able to create Azure Policy through portal successfully and now am trying to do same with the help of Azure DevOps. According to documentation there is a chance to integrate Azure Policy with Azure DevOps, but there is no more information regarding to that.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  17. azure policy check string length

    It would be great if there will be in future a possibility to check the length of the resource Name at the deployment.

    So it would be much easier to Control the naming convention for a resource.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  18. Provide an "otherwise" effect

    It would be useful to have an operator that provides the behavior:
    If {conditionA} is True AND If {conditionB} is True
    Then {effect}
    Otherwise {no-effect}.

    For example, the attached file demonstrates a possible policy definition that would restrict Public IP names to only those listed and ignore names of resources that are not Public IP addresses.

    The apparent behavior of the allOf operator is to require all conditions to be applied to all resources which requires anticipatory knowledge of resources currently generated by Marketplace templates. For example, the NIC is now generated automatically by the new VM wizard and the…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Get policy state return all objects

    When getting policy state it only returns non-compliant objects. If the results returned all objects it would be easier to get an overview of compliance status for the environment.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  20. Show Azure Policy Definition parameters on a separate tab

    In a lot of situations you are only interested in viewing initiative definitions and definition parameters, not editing them.
    Showing definition parameters on a separate tab would save a lot of time.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base