Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  1. Convert linked/nested arm templates into a blueprint

    Take an existing nested or linked ARM template and convert it into a blueprint, with each template being converted into an artifact. With this you could take advantage of blueprints' update and locking features.

    8 votes
    0 comments  ·  Azure Blueprints
  2. Support history for resources

    For scenarios where we need the resources to be synced into an external store, we want the history so that I don't need to scan all the resources again.

    8 votes
    2 comments  ·  Azure Resource Graph
  3. Quota limit per Resource Group

    There is a quota limit only per subscription, but it would be helpful if you would also give an option to configure a quota limit per resource group.

    For example, we have a single subscription with some quota limit, but I created a resource group for the developers and one for the testing team.

    Developer's resource group should be 50 instances and Testing resource group should be 60 instances.

    The current feature does not have that option to control my resource group usage.

    8 votes
    0 comments
  4. Azure Storage File share available in resource graph

    Right now, the file share information of a storage account is not available in the resource graph.
    I.e., it would allow listing the file shares of a subscription, computing the global storage size, or simulating the pricing.

    7 votes
    0 comments  ·  Azure Resource Graph
  5. Azure Resource Graph - Support query for backup status

    Add the ability to query backup status from Azure Resource Graph and therefore see status for multiple vaults in a unique dashboard

    7 votes
    1 comment  ·  Azure Resource Graph
  6. Blueprints do not create managed identities for deployIfNotExists policy initiatives

    Currently Azure Blueprints can assign policy initiatives but do not properly create the managed service identity for deployIfNotExists policy definitions within the initiative. This needs to be corrected as that is basic functionality of a policy initiative assignment. The managed identity is created correctly if directly assigning the policy definition outside of an initiative.

    7 votes
    0 comments  ·  Azure Blueprints
  7. Azure Policy template for auditing/restricting public blob sharing

    Currently, Azure storage allows for the public sharing of blobs. It would be great to be able to use Azure policy to detect (and remediate) this feature.

    7 votes
    0 comments  ·  Azure Policy
  8. Resource Graph type for Management Groups

    Add Management Groups as a resource type for Resource Graph. This would allow for writing queries that target subscriptions that are in a specific Management Group. This is extremely helpful for enterprises that have a lot of subscriptions that are being organized with Management Groups.

    6 votes
    planned  ·  0 comments  ·  Azure Resource Graph
  9. Azure Policy

    When we apply Azure Policy to a SQL DB created through a stored procedure, the Policy does not trigger its effect on that resource, as these resources are not created in the ARM layer. We know that policy evaluation happens on the ARM layer. But it would be great if the Policy team could add this feature to Policy so that policy evaluation happens on resources created through a stored procedure as well.

    6 votes
    1 comment  ·  Azure Policy
  10. Add additional strongTypes for Blueprint

    Please add the following strongTypes that are supported by Azure Policy:

    storageSkus
    vmSKUs
    existingResourceGroups
    omsWorkspace

    Additionally, I would like the following:

    existingVNETs - displays existing Virtual Networks
    existingVNETSubnets - displays existing VNET Subnets

    6 votes
    0 comments  ·  Azure Blueprints
  11. Implement a Change Reviewer Group feature

    Lots of organisations are using code technologies like ARM Templates/PowerShell/Az CLI/Terraform to manage their Azure Tenants which can allow a team to perform a review on changes made to an environment.

    However there are organisations that currently use the Portal and only the Portal for implementing any changes to resources.

    I propose that an Azure Tenant / Subscription / Resource Group / Resource should allow for an enforced Change reviewer group feature where any changes made can need to be signed off and reviewed by another set of eyes in the team.

    This likely feels like an enhancement to the…

    6 votes
    1 comment
  12. Limit Portal View

    When applying a Blueprint, have an option to limit what is visible for users to deploy in the Azure Portal

    6 votes
    1 comment  ·  Azure Blueprints
  13. policy for tags enumeration

    Set a policy, that only certain values are allowed on a specific tag.
    For instance, if you set the tag: "Environment", you can only set the values "Dev" or "Prod" nothing else will be accepted. (An enumeration of unlimited numbers please)

    If a tag is needed in the Azure Portal (UI), then a combobox (drop down) should be presented.

    6 votes
    0 comments  ·  Azure Policy
  14. Export functionality for Azure Policy report

    I'd suggest to have a functionality of Excel exporting in Azure Policy so security administrator or system administrator can export and report to ISM/CISO level.

    6 votes
    0 comments  ·  Azure Policy
  15. deployIfNotExists policy - add user assigned managed identity

    As of now, deployIfNotExists policy assignments are given a system assigned identity. This is insufficient when using a parameter reference to a keyvault secret. There is no keyvault policy in place to allow read access for the system assigned identity.

    If a user assigned identity were supported, then earlier provisioning could have already granted that identity access to the keyvault.

    It is not an acceptable solution to do manual creation of the keyvault access policy after the policy assignment is created when the deployment of the entire environment is being automated through Azure Blueprints.

    5 votes
    2 comments  ·  Azure Policy
  16. Azure Policy: Custom Rules

    AWS Config has the ability to define custom rules, where the rule evaluation is run within a lambda function: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html

    It would be nice if Azure Policy had an equivalent capability--that way, arbitrarily complex evaluations could be defined by using a language such as python instead of being limited to what the policy definition's JSON language supports

    5 votes
    0 comments  ·  Azure Policy
  17. Azure Policy Evaluation via Customer API

    Currently Azure Policy is comprised of Definitions and Assignments applied at various scopes. From what I can gather, this leads to the policy assignments being evaluated during ARM requests for the applicable scope. I would assume this happens in some sort of processing pipeline for the resource request.

    Within our org, we provide Azure services as a bundled product with opinionated configuration options enforced. To accomplish this, we work with multiple custom policies that have become too complex to declare in the current Policy object JSON syntax (think 500-1,000 line definition files with multiple nestings).

    Ideally, we would like to…

    5 votes
    0 comments  ·  Azure Policy
  18. Azure policy effect "deny" doesn't work on API call "delete"

    Hello,

    Currently Azure policy effect "deny" doesn't work on API call "delete". This creates issues when cx's create policies with deny effect. For example, when we try to create a policy which prevents users from disconnecting "VNET INTEGRATION", the operation which takes place is Delete(Microsoft.Web/sites/networkconfig/virtualNetwork).

    5 votes
    0 comments  ·  Azure Policy
  19. Allow blueprints to register services within subscriptions

    Currently the only way to register all services for a subscription, if the users don't have owner or contributor roles on them, is to run a shell command for every single subscription to register all services. Being able to do this within a blueprint would save a great amount of time when building out tenants.

    5 votes
    2 comments  ·  Azure Blueprints
  20. Azure Policy - Compliance Overview & Non-Compliant Resources Details

    The "non-compliance resources" view and also the detailed "resource compliance" blade need to show more details on the policy rule that was not compliant (e.g. what field, expected values, actual values).

    For example, if I have a policy that checks for a tag existence, which has a parameter of tagName, then have an initiative which has that policy linked 4 times with different tagName parameters, you can't tell which is which or what the actual values of the resource evaluated were.

    5 votes
    2 comments  ·  Azure Policy