Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  1. Ability to chain/link blueprints together

    It would be handy to be able to group/chain together blueprints in order to be able to define a "product". For example:

    Within a company, there are many distinct product offerings, some APIs, some Service Fabric apps and some containerised apps.

    Some of these may need to have the standard offering for a SQL Server, a Web App and a Storage account. Others may need access to a Service Fabric cluster and other such Azure services.

    Within the ARM templates, these things can all be linked whereby the definition of a SQL Server is a linked artefact and the same…

    2 votes
    1 comment  ·  Azure Blueprints
  2. Description to Role Assignment

    Add descriptions to Role assignment, when a value must be specified, that show up when assigning the blueprint to a Subscription.

    2 votes
    0 comments  ·  Azure Blueprints
  3. Blueprints for Resource Groups

    I would love to have the blueprints for resource groups as well.

    To quote from your documentation:

    'With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.'

    Replace "subscription" with "resource group" in the text above and there you have my request. :)

    2 votes
    2 comments  ·  Azure Blueprints
  4. Get policy state return all objects

    When getting policy state it only returns non-compliant objects. If the results returned all objects it would be easier to get an overview of compliance status for the environment.

    2 votes
    0 comments  ·  Azure Policy
  5. make it easy to change name for newly added artifacts

    Currently, when you add anything new, like templates or policy, the name (not display) is a random string, and it cannot be displayed or changed via the portal.
    Please make it easy to change from the portal.

    1 vote
    0 comments
  6. deny public network access

    Instead of audit, it would be nice to have a deny public network access option for resources, especially in the PaaS or Storage Accounts to name a few. I didn't see any except to audit it. Not sure if I understand this area quite well but I thought this is a need possibly (or is that an NSG or deny public on a VNET instead).

    I understand there is a switch when say creating a resource like say a PostgreSQL or SQL, etc and I understand that there is now a Private EndPoint feature. But why not just deny public network…

    1 vote
    0 comments  ·  Azure Policy
  7. CIS summary

    Having multiple subscriptions that need CIS hardening, we would like to have the option to have a summary of the CIS blueprints that are assigned to subscriptions. Just like the one in the Security Center (regulatory compliance) but for the blueprint(s) that can be created and can be assigned individually.

    1 vote
    0 comments  ·  Azure Resource Graph
  8. It will be useful if Blueprint can have ordering of deployment

    It will be useful if Blueprint can have ordering of deployment. For example, in one template, it deploys a Log Analytics workspace, and I have another template that deploys a set of alerting targeting this workspace. Since they are not in the same template file, the alerting template will fail, because it can't find the workspace at the time of deployment.

    1 vote
    0 comments  ·  Azure Blueprints
  9. Compliance reason for Deny policies

    Deny policies should not be shown as non-compliant if Current Value is the same as Target Value. In fact Deny policies should not be even included in the compliance data, as the effect is deny/prevention.

    1 vote
    0 comments  ·  Azure Policy
  10. Azure Resource Graph VLookup with external sources

    Here is the use case: my organization has 100 subscriptions and each subscription is assigned to a different team. I have a mapping in an Excel file which says which team owns each subscription. Now my team requested me to send a report on the total number of IaaS machines owned by each team. Currently how I am doing it is: (1) run the Azure Resource Graph query to get count() of VMs across each subscription, (2) download the results as a CSV file, (3) do a VLookup against subscription so that I get the team owning the subscription, (4) generate the report.

    Instead, It…

    1 vote
    0 comments  ·  Azure Resource Graph
  11. Get Cost Details of Each Resource Per Day

    I am looking for a way to get the cost of each resource via the Resource Graph API. We are extensively using Azure Consumption APIs and preparing different kinds of dashboards. If we had the ability to pull cost-related data via Azure Resource Graph, that would save lots of time.

    1 vote
    0 comments  ·  Azure Resource Graph
  12. Is there any Logic Apps connector available?

    How can we schedule an export of the result of the Resource Graph? Or is there any Logic Apps connector available?

    1 vote
    0 comments  ·  Azure Resource Graph
  13. Discard blueprint draft

    Discard a draft for a blueprint

    1 vote
    0 comments  ·  Azure Blueprints
  14. Guideline Export/Display

    Between Azure policy and Security Center - the export of what is or is not in compliance is now available, however there's no assistance to the individual(s) provisioning the services on how to make sure they’re provisioning accordingly.
    At the moment, individuals are provisioning services which are then appearing as out of compliance when reports are run and shared.
    Proposal: export/display of Guidelines based on policies to Azure service, its effect, and possible link to a regulatory compliance.
    Example:
    SQL (Service)
    • Policy A | Deny | NIST
    • Policy B | Deny | HIPAA, DoD
    • Policy C |…

    1 vote
    0 comments  ·  Azure Policy
  15. Use predefined managed identity for remediation task

    If you have many subscriptions and many remediation tasks, a new managed identity is created for each task.

    So it must be possible to use a generated managed identity for all remediation tasks.

    1 vote
    0 comments  ·  Azure Policy
  16. Policy parameter json syntax does not match ARM syntax for integer type

    Policy parameter json syntax does not match ARM syntax for integer type.
    For a policy definition parameter, the integer type is 'integer'. But for an ARM template parameter, the integer type is 'int'. So when composing a deployIfNotExists policy that takes a numeric parameter, you have to use 'integer' in one place and 'int' in another. Syntax should be aligned with ARM.

    1 vote
    0 comments  ·  Azure Policy
  17. Azure Policy - Support for auditing/denying keys, secrets without an expiry

    Related to: https://github.com/Azure/azure-policy/issues/139

    Currently, it's not possible to have a policy audit or deny using the attribute Microsoft.KeyVault/vaults/secrets/attributes.exp. This is a PCI requirement where all keys and secrets need to have an expiry date.

    1 vote
    0 comments  ·  Azure Policy
  18. Auto scaling

    Hello,

    I would like to automate the autoscale "App Service - service plan" activation via an Azure policy. Is it possible?
    Do you have an example?

    Thanks

    1 vote
    0 comments  ·  Azure Policy
  19. Add Evaluate and bag_unpack()

    Adding the Evaluate plugin operator to Azure Resource Graph would allow more options with ARG queries, including pivot, narrow and in particular bag_unpack.

    bag_unpack would be very valuable to have in ARG because of all the nested JSON fields. Using bag_unpack would allow you to unpack a nested field, which would put all the key-value pairs in that nested field as their own columns instead of nested inside one column that's a dynamic type.

    1 vote
    0 comments  ·  Azure Resource Graph
  20. Add securestring as a supported type for policy assignment parameters

    Please add securestring as an allowed type for a policy assignment parameter.

    When using ARM to create policy assignments, there are cases where the ARM deployment has a secure string that needs to be passed in as an assignment parameter of the policy assignment. For example, when the ARM parameters had a reference to a keyvault secret, or when a secure string was passed into the resource deployment as a parameter.

    1 vote
    0 comments  ·  Azure Policy