Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  1. Resource Changes: Track resource move

    Create a change log when a resource is moved to a different resource group and maintain its history from before it moved

    2 votes
    under review  ·  1 comment  ·  Azure Resource Graph
  2. Ability to Integrate Dependency mapping in Azure Resource Graph with integration to Visio/Microsoft Graph or Security Center

    Ability to integrate Azure Resource Graph Dependency and Discovery mapping results in Log Analytics (Service Map or Security Center) / Visio or Microsoft Graph (PaaS).

    When moving resources from Resource Group to another Resource Group, most of the time it's difficult to get an overview of any backend dependencies. When performing a Move operation, a post check will be done, and if by any chance, a discrepancy is found, the Move operation will quit and display the failure in a RAW message format.

    It would be great to have these backend dependencies visible by using the Resource Graph…

    2 votes
    0 comments  ·  Azure Resource Graph
  3. Warn when results are truncated in Search-AzGraph

    Currently, when you run a query via Search-AzGraph but don't specify the -First parameter, the results are limited to the first 100 items (see https://github.com/Azure/azure-powershell/blob/master/src/ResourceGraph/ResourceGraph/Cmdlets/SearchAzureRmGraph.cs for source code details).

    Whilst the reasoning behind limiting the results is fully understood (a select everything across all subscriptions is obviously going to return a large result set!), it should at the very least result in a warning when results are truncated.

    As a secondary but related suggestion, I would also like to see the same warning be surfaced when the -First parameter is supplied but the result set is larger than the chosen…

    2 votes
    under review  ·  0 comments  ·  Azure Resource Graph
  4. Add Meter Category/Service Name in resource graph

    The category type Meter category, which is available in the billing module, is not available in Resource Graph.
    Only the resource type category is available, which is not the same as meter category.
    So it is not possible to make billing queries in the billing module and compare them with counts of resources in Resource Graph.

    2 votes
    under review  ·  1 comment  ·  Azure Resource Graph
  5. Renaming Azure Management Group to Azure Subscription Group

    Azure Management Group should have been called/renamed to Azure Subscription Group for subscription grouping, analogous to Resource Group for resource grouping. Subscription Group is much more specific and descriptive than Management Group to indicate subscription grouping.

    2 votes
    0 comments  ·  Azure Management Groups
  6. Add support in ARM template to validate values in an object

    I would like to be able to validate certain values that are a part of an object in a parameter file, in the same way that it's possible to do this with simple strings or to validate that an object specified in the parameter file matches one of the objects in "allowedValues" for the object in the template's parameter section. Currently I'll have to specify all possible variants of an object and that isn't feasible if I want to validate more than two-three values that might have 3 or more values that should be allowed. It's also not possible to…

    2 votes
    1 comment
  7. Support queries for Microsoft.Compute/virtualMachineScaleSets/virtualMachines

    Customers would like to get all the virtual machines across different types.

    2 votes
    0 comments  ·  Azure Resource Graph
  8. Allow a Blueprint or ARM Template Item timeout limit to be set

    I have a Blueprint defined which has a purpose of provisioning a complete infrastructure but it is timing out due to one of its components being an ASE.

    The overall template is based on the ISO 27001 foundation as supplied by MS but does a few other things too, including deploying an Application Service Environment.

    It all progresses nicely to a point - the components are all there and the ASE is undergoing provisioning; however, it eventually throws an error with:

    'Template' failed to deploy. Exceeded maximum wait time of '02:00:00'. Message: 'Deployment didn't get into terminal status within the…

    2 votes
    0 comments  ·  Azure Blueprints
  9. Azure Blueprint (policy assignment) - Tag value should accept null values so we can put the tag later on.

    Azure Blueprint (policy assignment) - Tag value should accept null values. For example, we want to put a 'function' tag on each VM, and the function can be app, db, ad etc. If we put 'app' as a value then all the VMs will have the same tag. We want the 'function' tag to be there, but we want to put the value at the time of creation as per the role of the VM.

    Another one, Azure Blueprint (policy assignment). When we delete the blueprint, the blueprint got deleted but the policy does not get deleted. In this case, we have to delete…

    2 votes
    0 comments  ·  Azure Blueprints
  10. Add "evaluate" booleans to Azure Policy ARM schema definitions

    If you are working with policies, and have existing parameters and rules files from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/policyDefinitions. It will error.

    I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.

    The tags.initiative.json shows my workaround, but it is very ugly. The tags.initiative.2.json file shows how I think it could and should look.

    2 votes
    0 comments  ·  Azure Policy
  11. Errors when applying the ISO 27001 Shared Blueprint

    When applying the ISO 27001 blueprint, I get a number of errors when using different parameter permutations.

    My parameters are to constrain it to the UK (South) and to limit the types of Storage Accounts.

    There is also an issue with the resource group parameter, it is missing a leading / before the "providers" value.

    [concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]

    2 votes
    0 comments  ·  Azure Blueprints
  12. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings, some APIs, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    2 votes
    1 comment  ·  Azure Blueprints
  13. Description to Role Assignment

    Add descriptions to Role assignment, when a value must be specified, that show up when assigning the blueprint to a subscription.

    2 votes
    0 comments  ·  Azure Blueprints
  14. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    2 votes
    2 comments  ·  Azure Blueprints
  15. Get policy state return all objects

    When getting policy state it only returns non-compliant objects. If the results returned all objects it would be easier to get an overview of compliance status for the environment.

    2 votes
    0 comments  ·  Azure Policy
  16. Discard blueprint draft

    Discard a draft for a blueprint

    1 vote
    0 comments  ·  Azure Blueprints
  17. Guideline Export/Display

    Between Azure policy and Security Center - the export of what is or is not in compliance is now available, however there's no assistance to the individual(s) provisioning the services on how to make sure they’re provisioning accordingly.
    At the moment, individuals are provisioning services which are then appearing as out of compliance when reports are run and shared.
    Proposal: export/display of Guidelines based on policies to Azure service, its effect, and possible link to a regulatory compliance.
    Example:
    SQL (Service)
    • Policy A | Deny | NIST
    • Policy B | Deny | HIPAA, DoD
    • Policy C |…

    1 vote
    0 comments  ·  Azure Policy
  18. Azure Monitor Diagnostic Settings via Resource Graph

    Hi, I would like to verify/visualize via Resource Graph that all my NSGs have enabled logging via Azure Monitor. Currently, this is only possible for NSG flow logs via Traffic Manager, however, to get all necessary entries, logging needs to be enabled via Azure Monitor Diagnostics too.

    So please, add support for querying Azure Monitor Diagnostic settings via Azure Resource Graph.

    1 vote
    0 comments  ·  Azure Resource Graph
  19. Use predefined managed identity for remediation task

    If you have many subscriptions and many remediation tasks, a new managed identity is created for each task.

    So it must be possible to use a generated managed identity for all remediation tasks.

    1 vote
    0 comments  ·  Azure Policy
  20. Policy parameter json syntax does not match ARM syntax for integer type

    Policy parameter json syntax does not match ARM syntax for integer type.
    For a policy definition parameter, the integer type is 'integer'. But for an ARM template parameter, the integer type is 'int'. So when composing a deployIfNotExists policy that takes a numeric parameter, you have to use 'integer' in one place and 'int' in another. Syntax should be aligned with ARM.

    1 vote
    0 comments  ·  Azure Policy