Azure Governance is proud to share new releases across our product portfolio for Ignite 2024!
You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Ignite, November 19-22, 2024.
Azure Governance is an ecosystem of tightly integrated services that give you both speed and control across your cloud environment. From enforcing rules in your cloud environment to querying the state of your resources at scale, Azure Governance services keep your resources secure and compliant with corporate standards.
The Azure Governance team is excited to share all the following new features across our product portfolio. For each of the features, you will find an accompanying announcement with scenario details, documentation and blog posts to follow along!
Azure Change Analysis
Change Actor – Generally Available
We are excited to announce the General Availability of Change Actor in Azure, a feature that enhances Change Analysis by identifying who made changes to your resources and how. With this update, you can audit changes across all tenants and subscriptions, seeing who initiated changes and with which identity. Changes are available in under five minutes and are queryable for fourteen days, allowing for timely auditing and troubleshooting. Additionally, you can craft charts and pin results to Azure dashboards based on specific change queries through Azure Resource Graph, providing a comprehensive view of changes across your environment.
(Figure: Change Actor experience in Azure Portal)
- Overview of change analysis: https://learn.microsoft.com/azure/governance/resource-graph/changes/get-resource-changes?tabs=azure-cli
- Change analysis portal experience: https://learn.microsoft.com/azure/governance/resource-graph/changes/view-resource-changes
- Change actor blog announcement: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/announcing-the-general-availability-of-change-actor/4171801
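The announcement above says Change Actor records are exposed through Azure Resource Graph, so an auditor can group changes by who made them and review the ones that matter. The following is an added example, not code from the post or from Microsoft: it works over records shaped like the public `resourcechanges` table (properties.changeType, properties.targetResourceId, properties.changeAttributes.changedBy, changedByType, clientType, operation and timestamp, properties.changes). The three records, the subscription id and the principal names are constructed for illustration and are not real tenant data; the query that fetches real records is out of scope here.

```python
"""Audit helpers over Azure Resource Graph `resourcechanges` records.

Added example, not code from the original post or from Microsoft. It assumes
the record shape of the public `resourcechanges` table; the sample records,
subscription id and principal names below are constructed, not real data.
"""
from __future__ import annotations

from datetime import datetime

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample records, shaped like the rows ARG returns for
# `resourcechanges` once Change Actor has populated changedBy.
SAMPLE_RECORDS = [
    {"properties": {
        "targetResourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
        "targetResourceType": "microsoft.network/networksecuritygroups",
        "changeType": "Update",
        "changeAttributes": {
            "timestamp": "2024-11-19T10:02:11Z",
            "changedBy": "alice@contoso.example", "changedByType": "User",
            "clientType": "Azure Portal",
            "operation": "Microsoft.Network/networkSecurityGroups/write"},
        "changes": {
            "properties.securityRules[0].properties.sourceAddressPrefix": {
                "previousValue": "10.0.0.0/8", "newValue": "*",
                "changeCategory": "User", "propertyChangeType": "Update"}}}},
    {"properties": {
        "targetResourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-app01",
        "targetResourceType": "microsoft.compute/virtualmachines",
        "changeType": "Create",
        "changeAttributes": {
            "timestamp": "2024-11-19T11:30:00Z",
            # constructed service principal object id
            "changedBy": "11111111-2222-3333-4444-555555555555",
            "changedByType": "ServicePrincipal",
            "clientType": "Azure CLI",
            "operation": "Microsoft.Compute/virtualMachines/write"},
        "changes": {}}},
    {"properties": {
        "targetResourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogs01",
        "targetResourceType": "microsoft.storage/storageaccounts",
        "changeType": "Delete",
        "changeAttributes": {
            "timestamp": "2024-11-18T09:00:00Z",
            "changedBy": "alice@contoso.example", "changedByType": "User",
            "clientType": "Azure Portal",
            "operation": "Microsoft.Storage/storageAccounts/delete"},
        "changes": {}}},
]


def parse_ts(value: str) -> datetime:
    """ARG timestamps are ISO-8601 with a trailing Z; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def changes_by_actor(records):
    """Group records by actor: {changedBy: {"type": ..., "count": n, "operations": set}}."""
    out = {}
    for r in records:
        a = r["properties"]["changeAttributes"]
        entry = out.setdefault(a["changedBy"],
                               {"type": a["changedByType"], "count": 0, "operations": set()})
        entry["count"] += 1
        entry["operations"].add(a["operation"])
    return out


def recent_changes(records, since):
    """Keep records at or after `since` (ISO-8601 string with trailing Z, or aware datetime)."""
    cutoff = parse_ts(since) if isinstance(since, str) else since
    return [r for r in records
            if parse_ts(r["properties"]["changeAttributes"]["timestamp"]) >= cutoff]


def nsg_rules_opened_to_any(records):
    """Flag NSG updates where a rule's source prefix became '*' or 'Internet'.

    Returns (actor, resourceId, property path, previous value) tuples, so the
    reviewer knows who widened the rule and what it allowed before.
    """
    hits = []
    for r in records:
        p = r["properties"]
        if p["targetResourceType"] != "microsoft.network/networksecuritygroups":
            continue
        for path, delta in p.get("changes", {}).items():
            if path.endswith("sourceAddressPrefix") and delta.get("newValue") in ("*", "Internet"):
                hits.append((p["changeAttributes"]["changedBy"], p["targetResourceId"],
                             path, delta.get("previousValue")))
    return hits


def report(records, since):
    """Human-readable summary: per-actor counts since `since`, then rules to review."""
    lines = []
    for actor, info in sorted(changes_by_actor(recent_changes(records, since)).items()):
        lines.append(f"{actor} ({info['type']}): {info['count']} change(s); "
                     f"ops={sorted(info['operations'])}")
    for actor, rid, path, prev in nsg_rules_opened_to_any(records):
        name = rid.rsplit("/", 1)[-1]
        lines.append(f"REVIEW: {actor} set {path} on {name} from {prev!r} to any source")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, "2024-11-19T00:00:00Z"):
        print(line)
```

Because the records carry changedByType and clientType alongside changedBy, the same grouping can distinguish an interactive portal change by a user from an automated one by a service principal, which is usually the first question during a change-related incident.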
Azure Policy
Query Component-level AKS/HSM policy compliance in Azure Resource Graph
Effortlessly query policy compliance down to the component level across your AKS, Key Vault, and Managed HSM resources in Azure Resource Graph! With component-level granularity of AKS Policy compliance, you can verify whether your pods are using approved base images, audit the labelling of your namespaces, or confirm that your Managed HSM instances are configured with the required security settings, all through ARG. Through a unified experience with Azure Policy and Azure Resource Graph, you can gain precise insight into the compliance state of each AKS component, ensuring your resources stay in line with your organization's standards.
(Figure: AKS Policy component-level compliance in ARG)
CEL-based support for AKS Policy (preview)
Introducing CEL and VAP support in AKS Policy! Common Expression Language (CEL) is a Kubernetes-native expression language that can be used to declare the validation rules of a policy. The Validating Admission Policy (VAP) feature provides in-tree policy evaluation, reduces admission request latency, and improves reliability and availability. The supported validation actions are Deny, Warn, and Audit. Custom policy authoring for CEL/VAP is allowed, and existing users won't need to convert their Rego to CEL: both will be supported and used to enforce policies. You'll be able to view violation messages at request time and audit results in the portal just as with Rego.
- MS Learn documentation: https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#171
Support for Expansion in AKS Policy
Introducing expansion, a shift-left feature that tells you up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc.) will produce admissible pods. Expansion shouldn't change the behavior of your policies; rather, it shifts Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. To enable expansion for a given policy definition, set .policyRule.then.details.source to All, and if needed, use a mutation with source Generated to mutate the what-if pods for evaluation purposes.
- MS Learn documentation: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#170
Expanded list of Policy for AKS Built-In Definitions – Generally Available
Azure Policy has expanded the list of mutation built-in definitions for Azure Kubernetes Service (AKS). These new definitions allow you to automatically remediate the configuration of your AKS pods and containers at scale across your cluster. With this update, you can manage and enforce configuration changes more efficiently, ensuring consistency and compliance within your AKS environment. With mutation policies, you can:
- Enforce resource limits: automatically set resource limits on pods and containers to prevent any single workload from consuming too many resources.
- Inject sidecars: mutate pod specifications to include sidecar containers for logging, monitoring, or security purposes, without requiring changes to the original pod definitions.
- Set environment variables: specify the environment variables set in containers, which can be used for configuration or to pass secrets securely.
- MS Learn documentation: https://learn.microsoft.com/azure/aks/policy-reference
Policy Versioning Support for Built-in Definitions – Public Preview
With versioning, you can now gradually ingest built-in definition changes with no gap in enforcement! All Azure Policy built-in definitions will now follow a standardized version pattern: at assignment time, simply specify the version number of the built-in definition to enforce on your environment. Have a previous definition version already assigned? Use the assignment-level selectors and overrides properties to gradually update the assignment to the latest version of the built-in definition. Additionally, version awareness is displayed in compliance logs on a per-resource basis, enhancing your ability to govern and evolve your cloud governance policies with greater agility.
- Tech Community Blog: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/public-preview-announcement-azure-policy-built-in-versioning/4186105
- MS Learn Documentation: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-basics#version-preview
Azure Machine Configuration
Support for User Assigned Identity Based Access for Configuration Packages – Generally Available
User Assigned Identity support for configuration package access in Azure Machine Configuration is now Generally Available, reinforcing our commitment to security and simplicity in at-scale server management for all Azure customers. This feature enhances your server configuration management lifecycle by providing a secure and straightforward alternative to the use of Shared Access Signature (SAS) Tokens for anonymous access. With User Assigned Identities, you can now privately access configuration packages stored in Azure Storage Blobs, ensuring that your server management operations are both secure and efficient.
- Tech Community Blog: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities
- MS Learn Documentation: https://learn.microsoft.com/azure/governance/machine-configuration/how-to/create-policy-definition
SSH Posture control through Machine Configuration – Generally Available
Additional built-in capabilities to enhance your Linux management scenarios are now generally available through Azure Policy and Machine Configuration! Through new built-in policies, you can manage your SSH configuration settings declaratively at scale. SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons help you document compliance for auditors with confidence and evidence, and they enable you to take action when non-compliance is observed.
- MS Learn documentation: https://learn.microsoft.com/azure/osconfig/overview-ssh-posture-control-mc
Azure Resource Graph
ARG Power BI Connector – Generally Available
We are pleased to announce General Availability of the Azure Resource Graph Power BI connector! Now, you can run queries against your Azure resources and visualize the results directly in Power BI. With seamless integration, you can connect Azure Resource Graph with Power BI Desktop or Power BI service to analyze your Azure resources, and the connector has an optional setting to return all records if your query results exceed 1,000 records. This feature provides deeper insights and more control over your Azure resources, enhancing your ability to manage and govern your cloud infrastructure.
- Learn documentation: https://learn.microsoft.com/azure/governance/resource-graph/power-bi-connector-quickstart?tabs=power-bi-desktop
Azure Resource Graph Copilot – Public Preview
With the release of the Azure Resource Graph (ARG) skill within Copilot, customers can access the ARG query skill through the Azure Portal or GitHub Copilot. Questions about resource governance such as "how many Linux VMs do I own" are routed to the ARG skill. With this release, customers can easily turn natural-language questions into ARG queries. ARG Copilot helps users create queries to quickly surface insights about resources and simplify operational investigations.
(Figure: ARG Copilot in Azure Portal)
(Figure: ARG Copilot in GitHub Copilot)
- MS Learn documentation: https://learn.microsoft.com/azure/copilot/get-information-resource-graph
ARG GET/LIST API - Private preview
Now available for private preview is the Azure Resource Graph GET/LIST API, a highly scalable, fast, and performant alternative to the existing control-plane GET and LIST API calls within the Azure ecosystem. This API helps you mitigate throttling-related issues such as performance degradation and failed requests by offering callers a 10x higher read throttling quota, ensuring faster and more efficient read operations for your critical cloud-native workloads. Contact argpms@microsoft.com to join the private preview program!
Azure Resource Manager
All New Azure Resource Manager Throttling Experience
We are thrilled to announce the modernization of Azure Resource Manager throttling. This upgrade introduces a revamped throttling experience for Azure subscriptions, bringing increased limits and a token bucket algorithm for managing API requests! Throttling limits have increased by roughly 30 times for writes, 2.4 times for deletes, and 7.5 times for reads.
- Azure Updates announcement: https://azure.microsoft.com/updates?id=azure-resource-manager-throttling
- Learn documentation: https://learn.microsoft.com/azure/azure-resource-manager/management/request-limits-and-throttling
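The paragraph above says the new ARM throttling uses a token bucket with separate limits for reads, writes and deletes, but gives only relative increases. To make the algorithm concrete, here is an added example (not Microsoft's implementation, and not from the post): a token bucket with an injected clock, plus a per-subscription, per-operation-kind limiter. The capacities and refill rates are assumed values chosen for illustration; the real limits are in the request-limits documentation linked above.

```python
"""Token bucket rate limiting, the scheme the post says ARM now uses.

Added example, not Microsoft's code. Capacity and refill values are assumed
for illustration only. The clock is injected so the behaviour is
deterministic and can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class TokenBucket:
    capacity: float                 # burst size: most tokens the bucket holds
    refill_per_sec: float           # sustained rate: tokens added per second
    now: Callable[[], float]        # clock returning seconds (injected)
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity  # a fresh bucket starts full
        self.last = self.now()

    def _refill(self):
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill_per_sec)
        self.last = t

    def try_acquire(self, cost: float = 1.0) -> bool:
        """Admit a request costing `cost` tokens, or reject it without blocking."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost: float = 1.0) -> float:
        """Seconds until `cost` tokens will be available (0.0 if available now);
        this is the kind of value a service puts in a 429 Retry-After header."""
        self._refill()
        deficit = cost - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.refill_per_sec


class FakeClock:
    """Manually advanced clock so the examples below do not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def simulate(capacity: float, refill_per_sec: float,
             arrivals: List[float]) -> List[Tuple[float, bool, float]]:
    """Replay request arrival times (seconds) through one bucket.
    Returns (time, accepted, retry_after_seconds) per request."""
    clock = FakeClock()
    bucket = TokenBucket(capacity, refill_per_sec, clock)
    out = []
    for t in arrivals:
        clock.t = t
        ok = bucket.try_acquire()
        out.append((t, ok, 0.0 if ok else round(bucket.retry_after(), 3)))
    return out


class ScopedLimiter:
    """One bucket per (subscription, operation kind), so reads, writes and
    deletes are limited independently, as the post describes for ARM."""
    def __init__(self, limits: Dict[str, Tuple[float, float]], clock: Callable[[], float]):
        self.limits = limits          # kind -> (capacity, refill_per_sec); assumed values
        self.clock = clock
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def allow(self, subscription: str, kind: str) -> bool:
        key = (subscription, kind)
        if key not in self.buckets:
            cap, rate = self.limits[kind]
            self.buckets[key] = TokenBucket(cap, rate, self.clock)
        return self.buckets[key].try_acquire()


if __name__ == "__main__":
    # Burst of 3 is admitted, the 4th is throttled, and refill readmits later.
    for t, ok, wait in simulate(3, 1.0, [0, 0, 0, 0, 0.5, 1.0, 3.0]):
        print(f"t={t:<4} {'accepted' if ok else 'throttled'} retry_after={wait}")
```

A client that receives a 429 should sleep for the advertised Retry-After and then retry; the `retry_after` method shows how that value falls out of the bucket state rather than being an arbitrary delay.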
Azure Resource Notification
ContainerServiceEventResources System Topic for AKS - Public Preview
We are excited to announce public preview of the Azure Resource Notification ContainerServiceEventResources system topic that empowers customers with proactive notifications for critical AKS cluster maintenance events, covering statuses such as scheduled, started, and completed. By enhancing planning capabilities, this feature reduces operational disruptions and minimizes costs, allowing you to manage maintenance with greater confidence and efficiency.
- MS Learn documentation: https://learn.microsoft.com/azure/event-grid/event-schema-containerservice-resources
Stay Updated
Keep in touch with Azure Governance products, announcements, and key scenarios.
- Bookmark the Azure Governance Tech Community Blog, then follow us @AzureGovernance on X (previously known as Twitter)
- Share product feedback and ideas with us here: Azure Governance · Community
- For questions, you can reach us at:
  - Azure Policy: policypm@microsoft.com
  - Azure Resource Graph: argpms@microsoft.com