Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups.

  1. Add "evaluate" booleans to Azure Policy ARM schema definitions

    If you are working with policies and have existing parameters and rules files from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/policyDefinitions. It will error.

    I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.

    The tags.initiative.json shows my workaround, but it is very ugly. The tags.initiative.2.json file shows how I think it could and should look.

    2 votes
    0 comments  ·  Azure Policy
  2. Errors when applying the ISO 27001 Shared Blueprint

    When applying the ISO 27001 blueprint, I get a number of errors when using different parameter permutations.

    My parameters are to constrain it to the UK (South) and to limit the types of Storage Accounts.

    There is also an issue with the resource group parameter: it is missing a leading / before the "providers" value.

    [concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]

    2 votes
    0 comments  ·  Azure Blueprints
  3. Open Source the sample Blueprints

    Is the blueprint available on GitHub at all?

    I have taken the blueprint as a foundation for my "data centre in a box" template, but I have no way of seeing if there have been any changes to the MS provided one and, if there are, what changes were made.

    Cheers

    2 votes
    0 comments  ·  Azure Blueprints
  4. Show Kusto query in Resource Graph (as per Log Analytics)

    In the same way that Log Analytics displays the Kusto query when filters are applied, it would be great if Resource Graph could do this too so the queries could be saved and used via API calls, etc.

    2 votes
    0 comments  ·  Azure Resource Graph
  5. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings: some APIs, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    2 votes
    1 comment  ·  Azure Blueprints
  6. Allow policies to be assigned to Blueprints like they can Management Groups and subscriptions

    Azure Policies allow for assignments when viewing the policy into Management Groups, Subscriptions, and Resource Groups. Would like to be able to add Blueprints to that list.

    2 votes
    0 comments  ·  Azure Blueprints
  7. Provide description of type

    Provide a way to get a description of each type in the resource graph, much like the first "Type" field (display name of resource type) in the "All resources" pane in the Azure portal

    2 votes
    0 comments  ·  Azure Resource Graph
  8. Prevent Owner role unless MFA enabled

    We have a requirement to ensure all Owners have MFA enabled. Using Conditional Access policies we can only assign Global Admins, not Owners, so we would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner.

    2 votes
    0 comments  ·  Azure Policy
  9. Description to Role Assignment

    Add descriptions to Role assignment when value must be specified that shows up when assigning the blueprint to a Subscription.

    2 votes
    0 comments  ·  Azure Blueprints
  10. Allow more than 100 items to be exported in azure resource graph

    Allow more than 100 items to be exported in azure resource graph
    If a limit is needed, 100 seems a bit small

    2 votes
    1 comment  ·  Azure Resource Graph
  11. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    2 votes
    1 comment  ·  Azure Blueprints
  12. Get policy state return all objects

    When getting policy state it only returns non-compliant objects. If the results returned all objects it would be easier to get an overview of compliance status for the environment.

    2 votes
    0 comments  ·  Azure Policy
  13. Ability to Integrate Dependency mapping in Azure Resource Graph with integration to Visio/Microsoft Graph or Security Center

    Ability to integrate Azure Resource Graph Dependency and Discovery mapping results in Log Analytics (Log analytics (Service Map or Security Center) / Visio or Microsoft Graph (PaaS).

    When moving resources from Resource Group to another Resource Group, most of the time it's difficult to get an overview of any backend dependencies. When performing a Move operation, a post check will be done, and if by any chance, a discrepancy is found, the Move operation will quit and display the failure in a RAW message format.

    It would be great to have these backend dependencies visible by using the Resource Graph…

    1 vote
    0 comments  ·  Azure Resource Graph
  14. Warn when results are truncated in Search-AzGraph

    Currently, when you run a query via Search-AzGraph but don't specify the -First parameter, the results are limited to the first 100 items (see https://github.com/Azure/azure-powershell/blob/master/src/ResourceGraph/ResourceGraph/Cmdlets/SearchAzureRmGraph.cs for source code details).

    Whilst the reasoning behind limiting the results is fully understood (a select everything across all subscriptions is obviously going to return a large result set!) it should at the very least result in a warning when results are truncated.

    As a secondary but related suggestion, I would also like to see the same warning be surfaced when the -First parameter *is* supplied but the result set is larger than the chosen…

    1 vote
    0 comments  ·  Azure Resource Graph
  15. View changes across all resources

    Ability to see which Azure resources changed over a time period

    1 vote
    0 comments  ·  Azure Resource Graph
  16. Fix Azure Policy avoidance with NSG deployments.

    Deny Policies that deny NSG rules to be created are not evaluated by Azure Policy when deployed through VM deployments.

    https://github.com/Azure/azure-policy/issues/305

    1 vote
    0 comments
  17. Azure Policy - Extend policy aliases for Microsoft.Datamigration provider

    Create aliases for objects within services/projects to allow auditing or enforcement of authentication/encryption options on new migrations.

    1 vote
    0 comments  ·  Azure Policy
  18. Allow adding Azure Policy initiative parameters later on (after you've saved and closed out of it)

    Presently you can only add initiative parameters upon first creation of the initiative. Once you save it and go back in to edit you can no longer add parameters. This is very inflexible and requires you to know everything you want in the initiative up front.

    1 vote
    0 comments

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing backlog and also gives us insight into the potential impact of implementing the suggested feature.

  19. PCI DSS 3.2.1 BluePrint

    1- After creating a blueprint by using the new PCI DSS 3.2.1 one, I've seen that it has only the following, which I believe is not the complete list. Is this an issue or is it due to still being in Preview?
    *Deploy Threat Detection on SQL servers
    *Require encryption on Data Lake Store accounts
    *Allowed locations
    *Deploy Auditing on SQL servers
    *Deploy SQL DB transparent data encryption
    *Allowed locations for resource groups

    2- Will this blueprint provide guidance on what Azure Resources should be used for PCI DSS Compliance? As an example the previous blueprints page was stating that ASE (App…

    1 vote
    0 comments  ·  Azure Blueprints
  20. Azure Policy - Need a policy alias for Microsoft.RecoveryServices/vaults/monitoringConfigurations

    In order to create an azure policy that audits recovery vaults that do not have backup alerts enabled, there should be an alias for the monitoringConfigurations property.

    1 vote
    0 comments  ·  Azure Policy