Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

How can we improve Azure Governance?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Ability to retreive subscription name given subscriptionId in Resource Graph Query

    Resource graph queries are great at returning SubscriptionId. But a GUID is unfriendly. Provide a function or means for retrieving the subscription display name. For example:

    where type contains 'publicIPAddresses' and properties.ipAddress != ''
    | summarize count () by subscriptionName(subscriptionId)

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  3 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  2. Azure Policy based on industry governance/compliance frameworks

    It would be helpful to take some of the control mapping from blueprints against industry frameworks such as PCI-DSS/NIST/etc and allow you to report compliance against those controls for each of the Azure services that exist in your environment.

    Integrating something like cloudsecurityalliance.org control matrix or unifiedcompliance.com would be very helpful.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  3. Convert linked/nested arm templates into a blueprint

    Take an existing nested or linked arm template and convert it into a blueprint, with each template being converted into an artifact. With this you could take advantage of blueprints update and locking features.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  4. When Unassigning an Azure Blueprint Provide Option of Removing Blueprint Created Resources

    Since a Blueprint has the ability to create multiple resources in Azure it should also have the ability to clean up those resources. Think of it as the same as deleting a ResourceGroup deletes all resources in the ResourceGroup.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support history for resources

    For scenarios where we need the resources to be synced into an external store, we want the history so that I don't need to scan all the resources again.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  6. Show Azure Policy Definition parameters on a separate tab

    In a lot of situations you are only interested in viewing initiative definitions and definition parameters, not editing them.
    Showing definition parameters on a separate tab would save a lot of time.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  7. Azure Policy template for auditing/restricting public blob sharing

    Currently, Azure storage allows for the public sharing of blobs. It would be great to be able to use Azure policy to detect (and remediate) this feature.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  8. Implement a Change Reviewer Group feature

    Lots of organisations are using code technologies like ARM Templates/PowerShell/Az CLI/Terraform to manage their Azure Tenants which can allow a team to perform a review on changes made to an environment.

    However there are organisations that currently use the Portal and only the Portal for implementing any changes to resources.

    I propose that an Azure Tenant / Subscription / Resource Group / Resource should allow for a enforced Change reviewer group feature where any changes made can need to be signed off and reviewed by another set of eyes in the team.

    This likely feels like a enhancement to the…

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow Resource Graph to target all subscriptions or a management group

    Currently, the Resource Graph API expect a list of subscription IDs to be passed in as part of the request body. This is very troublesome when you need to query all subscriptions in a tenant or a management group. Please add support for allowing wildcard for the subscriptions value i.e. "*", and extend the support for management groups.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  1 comment  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  10. Limit Portal View

    When applying a Blueprint, have an option to limit what is visible for users to deploy in the Azure Portal

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow blueprints to register services within subscriptions

    Currently the only way to register all services for a subscription, if the users dont have owner or contributor roles on them, is to run a shell command for every single subscription to register all services. Being able to do this within a blueprint would save a great amount of time when building out tenants.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  12. Azure Policy template for all options available in the Azure portal

    Allow Azure Policies to be created by having a "generate policy" option available next to each option available in the Azure portal. Every configuration item should have the ability to be created as a policy and making this easy through the portal for each Azure component and option would make it easy to manage configuration compliance.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing backlog and also gives us insight into the potential impact of implementing the suggested feature.

  13. Azure Policy - Support for Rego Syntax

    It would be great for companies who are working across the major cloud vendors and on AKS if Azure Policy supported the use of OPA and rego policy syntax in addition to the current json format. This would allow companies to adopt a single policy language and use it in multiple contexts.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  14. Deploy Custom RBAC Role via Azure Blueprint

    It would be a nice feature to add Custom RBAC Role as a Azure Blueprint Artifact. Deploying custom RBAC roles currently is painful and packaging them in an Azure Blueprint would allow for a less painful and much more standarized way of deploying custom RBAC roles.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  15. Azure Policy development environment

    Developing policy is a nightmare, missing efficient debugging tools, information on the way they are calculated, etc. We need authoring tool to be able to efficiently develop and test policies.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  16. Use Search-AzGraph to find Resource Groups and MetaData

    For faster and more complex queries I need to find Resource Groups using Graph. E.g. show me all Resource Groups with tag X across my tenant. Looping through 200 subscriptions is very time consuming. Also hope that it will allow more complex queries comparing resource tag values to Resource Group tag values.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  17. Generate Alert when there is an audit on deployment.

    I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.

    He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  18. Resource creation date, and creator.

    There are two missing bits of metadata that I would expect to see on every resource: the creation date and the name of who deployed it. Auditing is much harder without these.

    These should automatically be added at resource creation, either on the Overview panel, or as tags in addition to the fifteen currently possible. Please add these as you cannot always rely on a user to add them, or when they do: to add them accurately.

    I attempted to create policies to assign these at creation, but policies do not, at the time of writing, support functions / variables.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Option to delete non-blueprint RBAC Assignment when blueprint is assigned

    In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.

    Overwrite Scenario
    Config
    • Account Admin role on a Subscription 1 has Amber and Brian.
    • Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.
    Result
    • When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  20. azure policy check string length

    It would be great if there will be in future a possibility to check the length of the resource Name at the deployment.

    So it would be much easier to Control the naming convention for a resource.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base