Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Blueprint Parameters Validation

    Currently the only Blueprint Parameter validation properties that are accepted is "defaultValue" and "allowedValues". Please add the following that are supported by ARM Template Parameters and would provide a much better experience for an Blueprint Assigner:


    • minValue

    • maxValue

    • minLength

    • maxLength

    More information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support queries for Microsoft.Compute/virtualMachineScaleSets/virtualMachines

    Customers would like to get all the virtual machines across different types.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  3. subscription transfer process

    Subscription Transfer process
    I lost my blueprints after the subscription transfer.
    I understand RBaC perms are lost but still don't understand why my Blueprints had to disappear as well.
    This has happened twice.
    Microsoft advised that resources will remain the same but that's not the case.
    Are Blueprints assigned to a resource group and subscription different?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  4. Generate Alert when there is an audit on deployment.

    I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.

    He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  5. Azure Blueprints sample for Service Fabric Cluster

    It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  6. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings, some API's, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  7. Allow policies to be assigned to Blueprints like they can Managment Groups and subscriptions

    Azure Policies allow for assignments when viewing the policy into Management Groups, Subscriptions, and Resource Groups. Would like to be able to add Blueprints to that list

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  8. GitOps

    How does this work with GitOps?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  9. Prevent Owner role unless MFA enabled

    We have a requirement to ensure all Owners have MFA enabled, using Conditional access policies we can only assign Global Admins not Owners, so would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  10. Option to delete non-blueprint RBAC Assignment when blueprint is assigned

    In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.

    Overwrite Scenario

    Config
    • Account Admin role on a Subscription 1 has Amber and Brian.

    • Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.

    Result
    • When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  11. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  12. Get policy state return all objects

    When getting policy state it only returns non-compliant objects. If the results returned all objects it would be easier to get an overview of compliance status for the environment.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  13. Parameters Concatenation

    I have a naming policy for resource type and i am naming it at a category level. I.e
    If Resource is of type CDN or Network then name should be CLIENT1-DEV-INT-<nameofresource>
    else If the Resource is of type AppFunction, AppService then name should be CLIENT1-DEV-WEB-<nameofresource>
    etc.

    So this Policy will be massive and having multiple clients I need to introduce a parameter to cover for first bit to be same i.e instead of hard coding CLIENT1-DEV I use parameter and make policy general and use CONCATENATION in the LIKE portion of policy like below.

    {
    "policyRule": {

    &quot;if&quot;: {
    
    &quot;not&quot;:
    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  14. Azure Policy - Compliance report should ignore non-taggable items

    Currently the compliance report looks at all resources for my tagging policy. However, some resources cannot be tagged (App Insights alerts come to mind or Databricks vnets). this messes with my ability to quickly check policy.

    Suggestion:

    Either ignore these resources, or add "Needs Review" if these resources are detected. Honestly ignoring the resources more desirable.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  15. Enable selection of a Tenant scoped service principal for append policies

    For azure policies that apply configuration on behalf of the user, the identity created by the policy engine is scoped to the local subscription. This prevents any configuration dependent on resources in a different subscription. We use a service principal scoped to the root management group to automate operations across our tenancy. If the policy engine allowed selection of an existing service principal rather than creating a subscription scoped identity, it could effectively be used to apply any configuration match by policy.

    This would further enable development teams that are still using the UI for provisioning and have not adopted…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  16. Access Resource Graph through Kusto.Explorer

    It would be great to access Azure Resource Graph through our normal tooling of Kusto.Explorer to enable our normal workflows, and storage of queries through our normal Git repositories.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  17. Azure Blueprints Preview

    Question: Azure Blueprints is now in preview for 2 years. Will this be a standard feature and if so when?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  18. Azure Built-In Policy doesn't allow multiple parameters

    Azure Built-in policy assigned to a RG supports only one parameter at this time. If I have more than one tag that should be added to each new resource in a given RG then I need assign same policy multiple times. Policy assignment should allow multiple parameters.

    Workaround: Assign same policy multiple times with different parameter.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Azure Resource Graph - Limitations in the Result Set

    Query results return only 1000 records

    Resource Graph limits any query to returning only 1000 records. This can be extended to the exact output values or the commands like First and Skip should be added with Kusto as well to exactly see the data.

    Also we are not able to use the MAP Visualization, as none of the Data set is matching with it. Can you add a demo for it as well.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  20. Provide ability to list Storage Account shares and containers in Resource Graph

    Provide ability to query Microsoft.Storage storageAccounts/blobServices/containers type

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base