Validate azure against devops version controlled reference templates
We use DevOps to deploy Azure "virtual datacentres" (VDC) and use version control and release management. Our clients are very keen to understand insider threats and use behavioural analytics etc. We would like to be able to "prove" the running state of a VDC against the repo and release and have something like monitor service maps to highlight any deviations (that might suggest an administrator is making changes through the portal) correlated with activity logs. Thus the state of any deployment can be formally proven... and secondly, want "out of band" governance - some means to assure the deployments that bypass subscription owners and can assure the CIO that the systems are not being compromised from within.