Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups.
-
Deploy Custom RBAC Role via Azure Blueprint
It would be a nice feature to add Custom RBAC Role as an Azure Blueprint Artifact. Deploying custom RBAC roles currently is painful, and packaging them in an Azure Blueprint would allow for a less painful and much more standardized way of deploying custom RBAC roles.
5 votes -
Allow blueprints to register services within subscriptions
Currently the only way to register all services for a subscription, if the users don't have owner or contributor roles on them, is to run a shell command for every single subscription to register all services. Being able to do this within a blueprint would save a great amount of time when building out tenants.
5 votes -
Resource Graph - support for type microsoft.web/sites/config
Support type 'microsoft.web/sites/config' to get all the data nodes under the config type.
4 votes -
Azure policy effect "deny" doesn't work on API call "delete"
Hello,
Currently Azure policy effect "deny" doesn't work on API call "delete". This creates issues when customers create policies with the deny effect. For example, when we try to create a policy which prevents users from disconnecting "VNET INTEGRATION", the operation which takes place is Delete(Microsoft.Web/sites/networkconfig/virtualNetwork).
4 votes -
Ability to query SQL Server firewall rules
Please add support for type :
Microsoft.Sql/servers/firewallRules
4 votes -
Allow use of resourceGroup() functions within a resource group artifact
When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like resourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'
4 votes
We are working on a fix to make sure all ARM template functions work if they are deployed by a blueprint
-
Support Optional Blueprint Parameters
Currently, all Blueprint Parameters require a value to be entered. Please support optional parameters for Blueprints. There are numerous use cases for this:
- Deploy a VM standalone or in an Availability Set.
- Add additional tags to resources.
- And so on...
3 votes -
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
3 votes -
Make tag-values immutable (perhaps via Blueprint Locks)
We are using tags a lot to organize our resources. That's why we have some hundred values for one key.
As deployers tend to make mistakes like typos, we would be glad if tag values could be predeployed and afterwards made immutable, e.g. by using a blueprint and locking them. Another approach for the source of truth could be a storage table or database.
That way no additions, duplicates, typos etc. could be created.
3 votes -
Resource Graph - Support for searching nested arrays
Ability to enumerate through resource responses that contain nested arrays.
Example scenario: identify all subnets that do not have an NSG assigned.
Today, the approach will be to retrieve all of the VNETs and enumerate through the list in PowerShell. This adds another level of complexity and complicates analysis through the Portal.
Example code:
$rgQuery = "where type == 'microsoft.network/virtualnetworks' | summarize subnets = make_list(properties.subnets)"
$results = Search-AzGraph -Query $rgQuery
$SubnetsWithoutNSGs = [System.Collections.ArrayList]@()
foreach ($subnet in $results.subnets)
{
    if ($null -eq $subnet.properties.networkSecurityGroup)
    {
        # Pull subscription, resource group, VNet and subnet names out of the subnet resource id
        $captures = [regex]::Match($subnet.id, '/subscriptions/(.*)/resourceGroups/(.*)/providers/.*/virtualNetworks/(.*)/subnets/(.*)')
        $item = New-Object PSObject
        $item | Add-Member NoteProperty SubscriptionId ($captures.Groups[1].Value)
        $item | Add-Member…
3 votes
This will be doable using mvexpand which we are currently working to enable for customers
-
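Once mv-expand is available in Resource Graph, the nested-array enumeration from the post above can move into the query itself, so the subnets without an NSG come back as rows with no client-side parsing. This is an added example, not the original poster's code; it assumes the Az.ResourceGraph module (the Search-AzGraph cmdlet used above), a signed-in Azure session, and that mv-expand is enabled, which the Microsoft reply says is in progress.

```powershell
# Added example (not from the original post): find subnets with no NSG attached in a
# single Resource Graph query by expanding the nested properties.subnets array.
# Assumes: Az.ResourceGraph module installed, an active Connect-AzAccount session, and
# mv-expand support in Resource Graph (the Microsoft reply above says it is being enabled).
$query = @"
Resources
| where type =~ 'microsoft.network/virtualnetworks'
| mv-expand subnet = properties.subnets
| where isnull(subnet.properties.networkSecurityGroup)
| project subscriptionId, resourceGroup, vnetName = name,
          subnetName = tostring(subnet.name), subnetId = tostring(subnet.id)
| order by subscriptionId asc, resourceGroup asc, vnetName asc
"@

# -First 1000 is the per-call maximum; page with -SkipToken if a tenant has more rows.
$subnetsWithoutNsg = Search-AzGraph -Query $query -First 1000

if ($subnetsWithoutNsg.Count -eq 0) {
    Write-Host "All subnets in the queried subscriptions have an NSG attached."
} else {
    # Same columns the original script assembles by hand, now produced by the query.
    $subnetsWithoutNsg | Format-Table subscriptionId, resourceGroup, vnetName, subnetName
}
```

Because the rows already carry subscriptionId and resourceGroup, the same query can be pinned as a Resource Graph Explorer chart or fed to a periodic job that flags new unprotected subnets.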
Support conditions on artifact level
It would be very nice if a conditions attribute could be set on an artifact, like it can on resources in an ARM template. That way it would be possible to deploy or not deploy artifacts based on parameter inputs or outputs from an ARM.
Example use case:
Blueprint creates a vNet and an AKS cluster. Then you configure an ingress controller on AKS, and after that a new NSG should be deployed which locks down the vNet so only the LB of the Ingress Controller is reachable. This can be done by updating the blueprint assignment and specifying a parameter like…
3 votes -
Blueprint Parameters Validation
Currently the only Blueprint Parameter validation properties that are accepted are "defaultValue" and "allowedValues". Please add the following, which are supported by ARM Template Parameters and would provide a much better experience for a Blueprint Assigner:
- minValue
- maxValue
- minLength
- maxLength
More information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters
3 votes -
Blueprints do not create managed identities for deployifnotexist policy initiatives
Currently Azure Blueprints can assign policy initiatives but do not properly create the managed service identity for deployifnotexist policy definitions within the initiative. This needs to be corrected as that is basic functionality of a policy initiative assignment. The managed identity is created correctly if directly assigning the policy definition outside of an initiative.
3 votes -
Ability to query for custom role definitions in Azure Resource Graph
Please add support for listing all custom role definitions
Resource Type: Microsoft.Authorization/roleDefinitions
https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roledefinitions
3 votes -
subscription transfer process
I lost my blueprints after the subscription transfer.
I understand RBAC perms are lost but still don't understand why my Blueprints had to disappear as well.
This has happened twice.
Microsoft advised that resources will remain the same but that's not the case.
Are Blueprints assigned to a resource group and subscription different?
3 votes -
Generate Alert when there is an audit on deployment.
I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.
He wants to deploy those components in a separate resource group, where the allowed locations policy is attached but with the audit action instead of the deny action.
3 votes -
Ability to query for DNS Zones CNAME type in Azure Resource Graph
I am able to filter out resources by provider (e.g., 'Microsoft.Network') and higher-level types (e.g., 'Microsoft.Network/dnszones'). However, not all resource types are supported by Resource Graph. For example, DNS Zone record types aren't supported. I would like to get a response for a query like this one:
az graph query -q "where type =~ 'microsoft.network/dnszones/cname'"
3 votes -
Allow policies to be assigned to Blueprints like they can to Management Groups and subscriptions
Azure Policies allow for assignments to Management Groups, Subscriptions, and Resource Groups when viewing the policy. Would like to be able to add Blueprints to that list.
3 votes -
GitOps
How does this work with GitOps?
3 votes -
Prevent Owner role unless MFA enabled
We have a requirement to ensure all Owners have MFA enabled. Using Conditional Access policies we can only assign Global Admins, not Owners, so we would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner.
3 votes
I am going to move this item to Azure Policy as this would be something they could enforce on the MG scope.