Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups.

  1. provide schema for blueprint artifact

    There should be a $schema property for blueprint artifacts. I usually author blueprints in VSCode with the Azure Resource Manager extension. It does not do proper syntax checking, I'm guessing because there is no schema.

    The inner ARM template does have a schema, but that's not sufficient for clean syntax checking and command completion.

    Something like this:

    {
      "kind": "template",
      "$schema": "https://schema.management.azure.com/schemas/2020-01-01/blueprintArtifactTemplate.json#",
      "properties": {
        "template": {
          ...
        }
      }
    }

    1 vote

    0 comments · Azure Blueprints
  2. Az.PolicyInsights cmdlet to trigger policy evaluation

    Add a PowerShell cmdlet to the Az.PolicyInsights module that triggers a policy evaluation. The REST API has this - https://docs.microsoft.com/en-us/rest/api/policy-insights/policystates/triggersubscriptionevaluation

    1 vote

    0 comments · Azure Policy
  3. DenyIfNotExists when deploying Azure Policies

    Currently, when working with Azure Policies, there are the following effects (among others):

    Deny
    AuditIfNotExists
    DeployIfNotExists

    Unfortunately, the concept of DenyIfNotExists does not exist, and so when you have a resource like Azure SQL, which has related resources that don't count as properties (like TDE and VirtualNetworkRules), there is currently no way to Deny the creation of the SQL server, potentially exposing your data.

    You can put an AuditIfNotExists or a DeployIfNotExists, but you can't block the deployment and really inform the team responsible that their ARM templates are not valid.

    If the logic is already available when auditing, or…

    1 vote

    2 comments · Azure Policy
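    Added example, not code from the post above or from the Azure Policy team: the AuditIfNotExists route the post says is the only one available for the TDE case, written for PowerShell with the Az.Resources and Az.PolicyInsights modules. Because Deny can only inspect the request body of the resource being created, a child resource such as transparentDataEncryption can only be checked after the fact with an *IfNotExists effect, and the non-compliant databases then have to be read back from the policy state records. It assumes a signed-in Az session; the definition and assignment names are made up for the example, and the alias Microsoft.Sql/transparentDataEncryption.status follows the pattern used by the built-in TDE policy.

```powershell
# Added example, not code from the post. Requires Az.Resources and Az.PolicyInsights
# with a signed-in session (Connect-AzAccount). Names below are constructed.

# AuditIfNotExists: for every SQL database, look for the child resource
# .../transparentDataEncryption named "current" and flag the database as
# non-compliant when its status is not Enabled. A plain Deny could not do this,
# because the child resource is not part of the server's own request body.
$rule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Sql/servers/databases"
  },
  "then": {
    "effect": "AuditIfNotExists",
    "details": {
      "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
      "name": "current",
      "existenceCondition": {
        "field": "Microsoft.Sql/transparentDataEncryption.status",
        "equals": "Enabled"
      }
    }
  }
}
'@

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

$definition = New-AzPolicyDefinition -Name 'audit-sql-tde-enabled' `
    -DisplayName 'Audit SQL databases without Transparent Data Encryption' `
    -Policy $rule -Mode 'Indexed'

New-AzPolicyAssignment -Name 'audit-sql-tde' -Scope $scope `
    -PolicyDefinition $definition | Out-Null

# Compliance evaluation normally runs on a schedule. Start-AzPolicyComplianceScan
# (Az.PolicyInsights 1.3 and later) forces a scan of the current subscription;
# it can take several minutes to return.
Start-AzPolicyComplianceScan

# Read the evaluation results: each non-compliant database shows up as a
# PolicyState record for the assignment.
Get-AzPolicyState -PolicyAssignmentName 'audit-sql-tde' |
    Where-Object { $_.ComplianceState -eq 'NonCompliant' } |
    Select-Object ResourceId, Timestamp
```

    The audit does not stop the deployment, which is exactly the gap the post describes; it does give the platform team a queryable list of servers whose data is not yet encrypted, which is the input for a follow-up remediation or a DeployIfNotExists assignment.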
  4. Force suffix or prefix in naming standard policy

    Force suffix or prefix in naming standard policy on all resource types and allow for wildcards. Maybe create a governance page in the portal that people can fill out with their values such as environment-resourcetype and allow wildcard values.
    Example: -prod-nsg = -environment-resourcetype
    would help a lot.

    1 vote

    0 comments · Azure Policy
  5. Add License data on Azure Resource Graph Explorer query

    Add License data on Azure Resource Graph Explorer query, because my customer needs to create alerts about that

    1 vote

    0 comments
  6. Microsoft should allow for one or more Azure management groups to be added to one subscription.

    Currently, a subscription is linked to one management group and the management group structure stops. If you allow for one or more management groups under a subscription, you can then organize one or more resource groups to a management group. This would allow for solutions to have a management group and be able to control access and governance at the solution level, not at a subscription level.

    1 vote

    0 comments · Azure Management Groups
  7. Add Subscription RBAC Management Access using ARG

    Currently I am not able to find a way to get details of the access control for the subscriptions to be queried using the Azure Resource Graph explorer.

    Example: Requirement to have subscription Name, Group or user name, Access level (Owner, reader, contributor etc.)

    1 vote

    0 comments · Azure Resource Graph
  8. Support query Hybrid worker groups

    I would like to query all hybrid worker groups

    1 vote

    0 comments · Azure Resource Graph
  9. Support query AAD App Registrations and AAD Groups.

    I would like to query to find AAD App Registrations and AAD Groups. We would use this to replace how we are automating orphaned app registrations and unassigned AAD groups.

    1 vote

    0 comments · Azure Resource Graph
  10. Better support for SecureString parameters via Portal

    I am developing a Blueprint with an ARM template artifact that allocates an Azure KeyVault (along with a few other resources in the stack).


    1. I would like to initialize several secrets via "securestring" parameters from the Portal.

    2. I would like to optionally update such secrets via subsequent assignment operations from the Portal.

    To use "securestring" parameters currently, first requires initializing a reference Key Vault with the secrets in question. It's a catch-22 scenario. Also, since regular "string" type parameters show up in clear text in the deployment history, there is no secure way to initialize Key Vault secrets by simply…

    1 vote

    0 comments · Azure Blueprints
  11. Provide alternative to Policy Aliases

    Provide an alternative to Policy Aliases for fields that need to be evaluated during policy rule conditions. Ideally using a function that supports a custom path (for example: "Microsoft.Logic/workflows/definition/triggers/manual/kind").

    This will allow for more advanced conditions to be created for policy evaluations without first having to contact Microsoft support (and raise a support ticket) for each new alias needed.

    1 vote

    0 comments · Azure Policy

    Policy uses aliases over paths because paths can change and would require information on the API version in order to be maintained. We are also continuously working to make it easier to find aliases. We recently launched our VSCode extension that lets you hover over resource properties to find the aliases. Ultimately, the best way for us to find aliases that are missing and are requested is through support, since they have a line of contact with us.

    -Azure Policy Team

  12. Give 'Management group contributor' delete rights on the Management Group

    Management group contributor should have delete rights on the management group. This is currently not the case.

    'Not authorized to delete'.

    Or else, foresee another Role that has delete rights on the Management Group, without being distributed to the subscriptions below (eg. the owner can delete the group, but is immediately owner in the underlying subscriptions as well).

    Thanks!
    T

    1 vote

    0 comments · Azure Management Groups
  13. KQL to query Azure VM's status

    Would like a way to use Azure Resource Graph to query all VMs and filter out deallocated VMs (VM status).

    1 vote

    1 comment · Azure Resource Graph
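    Added example, not code from the post or its comment: a Resource Graph query that does the filtering the post asks for, run through Search-AzGraph from the Az.ResourceGraph module. It assumes a signed-in Az session with read access to the subscriptions in scope, and that properties.extended.instanceView.powerState.code is the field Resource Graph exposes for the VM power state (values such as PowerState/running, PowerState/deallocated, PowerState/stopped). The function name is made up for the example.

```powershell
# Added example, not code from the post. Requires Az.Accounts and Az.ResourceGraph
# (Connect-AzAccount first). Get-VmByPowerState is a name constructed here.
function Get-VmByPowerState {
    param(
        # Default: everything except deallocated VMs. With the switch: only the
        # deallocated ones, e.g. for a stale-asset or cost review.
        [switch]$DeallocatedOnly
    )

    $op = if ($DeallocatedOnly) { '=~' } else { '!~' }

    # KQL: =~ and !~ are the case-insensitive comparisons; powerState.code is
    # nested JSON, so it is pulled out with tostring() before filtering.
    $query = @"
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend powerState = tostring(properties.extended.instanceView.powerState.code)
| where powerState $op 'PowerState/deallocated'
| project name, resourceGroup, subscriptionId, location, powerState
| order by name asc
"@

    # -First caps one call at 1000 rows; estates larger than that need -Skip paging.
    Search-AzGraph -Query $query -First 1000
}

# Running (and stopped-but-allocated) VMs:
Get-VmByPowerState | Format-Table name, resourceGroup, powerState -AutoSize

# Deallocated VMs only:
Get-VmByPowerState -DeallocatedOnly | Format-Table name, resourceGroup, powerState -AutoSize
```

    Resource Graph returns the power state as recorded at its last sync, so a VM that changed state seconds ago may still show the old value; for a point-in-time check of a single VM, Get-AzVM -Status remains the authoritative call.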
  14. Ability to export Blueprint

    Ability to export a Blueprint and utilise it in another tenant would save an extreme amount of man-hours replicating them.

    1 vote

    0 comments · Azure Blueprints
  15. Within a Blueprint, allow for the creation and RBAC of Resource Groups based on an array

    Suppose I have a standard set of Resource Groups that I want to be created for each subscription (think of them as team names for the sake of this example).

    Within the ARM template, I have a variable (using parameters) containing an array of team names I want to create.

    Within the blueprint, I want to be able to enumerate over this array and create the RGs using variable substitution to adhere to a naming convention, each RG then having a consistent set of RBAC applied.

    After triggering the BluePrint, I would have the confidence that the subscription exactly…

    1 vote

    0 comments · Azure Blueprints
  16. Azure Policy - Support for Array type in Like conditions

    like only works with strings, not arrays, per Azure Policy conditions.

    It should work with arrays with a wild card:

    [
      "Microsoft.Compute/*",
      "Microsoft.Resources/*",
      "Microsoft.Sql/*",
      "Microsoft.Network/*"
    ]

    1 vote

    0 comments
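    Added example, not code from the post: as long as like takes a single string, the equivalent of "like any of these patterns" is an anyOf block with one like condition per pattern. The PowerShell below builds that block from an array of the four namespaces in the post and registers it as an audit definition, which is the form a platform team would use to see what falls outside an allowed set of resource providers before switching the effect to deny. It assumes a signed-in Az session with Az.Resources; the definition name is made up for the example.

```powershell
# Added example, not code from the post. Requires Az.Resources with a signed-in
# session (Connect-AzAccount). The definition name is constructed for the example.

# The patterns the post wants to hand to a single 'like' as an array.
$allowedNamespaces = @(
    'Microsoft.Compute/*'
    'Microsoft.Resources/*'
    'Microsoft.Sql/*'
    'Microsoft.Network/*'
)

# One 'like' condition per pattern. 'like' is a case-insensitive string match
# in which '*' matches any run of characters.
$likeConditions = foreach ($pattern in $allowedNamespaces) {
    [ordered]@{ field = 'type'; like = $pattern }
}

# not(anyOf(...)): the rule fires for any resource whose type matches none of
# the patterns. [ordered] keeps the JSON in the same order as written.
$rule = [ordered]@{
    if   = [ordered]@{
        not = [ordered]@{ anyOf = @($likeConditions) }
    }
    then = [ordered]@{ effect = 'audit' }
} | ConvertTo-Json -Depth 10

# Inspect the generated policy rule before creating anything.
$rule

$definition = New-AzPolicyDefinition -Name 'audit-types-outside-allowed-namespaces' `
    -DisplayName 'Audit resources outside the allowed provider namespaces' `
    -Policy $rule -Mode 'All'

$definition.Properties.PolicyRule
```

    Start with audit, assign it at the management group or subscription scope, and review the non-compliant resources; only once that list is understood should the effect become deny, since a deny that is too broad blocks legitimate deployments across every subscription under the scope.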
  17. Azure Resource Graph

    Allow querying "Azure Resource Graph" across EA accounts. In EA accounts we have multiple tenants.

    1 vote

    0 comments
  18. Create AAD Groups with Blueprints

    How about an ability to add AAD users or groups to the current AAD tenant with Blueprints? Blueprints are currently aimed at subscription level, but how about extending this to the whole tenant?

    1 vote

    0 comments · Azure Blueprints
  19. Support GraphQL as an alternative to Kusto

    Lots of work is being done in GraphQL that is well aligned with what is done via Kusto and gets to a more common language and structure. Agreed, gql is more complex than Kusto, but it would be helpful.

    1 vote

    2 comments · Azure Resource Graph
  20. Report and present Azure metrics queries

    The Azure documentation here: https://azure.microsoft.com/en-us/pricing/details/monitor/ under the Metrics section mentions that metrics queries above 1 million queries per month would be charged to the subscription. It would be good to have this data presented on the Azure portal to set up alerts and throttle the additional requests if needed.

    1 vote

    0 comments