Azure Governance and Management topics

Misplacement of schema in AllowedHostPathVolumesInKubernetesClusterList Policy Parameter?

arodindev — Thu, 22 May 2025 14:25:34 GMT

In the Microsoft Cloud Security Benchmark, the policy parameter `AllowedHostPathVolumesInKubernetesClusterList` defines a `schema` object nested under metadata. Is this placement intentional, or should the schema be defined at the top level of the parameter

https://github.com/Azure/azure-policy/blob/303a0000a3b9d1aed7361c69edaafd4340d37df7/built-in-policies/policySetDefinitions/Azure%20Government/Security%20Center/AzureSecurityCenter.json#L4132

Script or Query for Management Group Compliance Statistics

gsutterfield — Wed, 07 May 2025 15:37:00 GMT

I've been trying to reproduce the Azure Portal Compliance statistics for a Management Group in a

PowerShell script or Resource Graph query without much luck. What I'd like to do is reproduce the numbers like compliance percentage, number of compliant / non-compliant resources, in the portal display. And run a daily script or query to track the numbers over time. (Without doing screen shots every day.)

Just to be clear, I've attached a screenshot of a compliance screen for management group TEST1. I want to automate calculation of the Overall Resource Compliance (46%, 317 out of 692), and the policies/initiatives compliance state and resource compliance percentages at the bottom of the screen. I'm only interested in the resource compliance percentages below a threshold like 90% in order to help guide our remediation efforts.

I've found several scripts and resource graph queries online but none seem to address management group scope. And even the ones that produce numbers for subscription scope don't seem to match the portal numbers.

Has anyone successfully reproduced the portal MG compliance numbers with a script or quiery? Or, is it possible to obtain the logic behind the portals' MG scope compliance code? Seems like we should be able to reproduce the numbers shown by the console.

Thanks.

Deleting an Immutable, vault-locking enabled Recovery Services Vault in Azure

MathieuVandenHautte — Sun, 27 Apr 2025 07:16:28 GMT

Hey everyone, just wanted to share something I confirmed with Microsoft Support - could be useful if you're managing Recovery Services vaults with immutability and vault-locking enabled.

Once immutability and vault-lock are in place, the vault can't normally be deleted until all backup data has passed its retention period. It's meant to protect data and enforce policies.

However, if you have a special case where you really need to delete the vault early, you can submit a request through Microsoft Support.

You’ll need to open a support case.
Clearly explain the situation and why early deletion is needed (include vault details, customer consent, or strong justification).
Microsoft reviews these requests individually — it’s not guaranteed, but it's possible.

Also important: costs keep adding up as long as the vault exists. So if you think you might need help, reach out to Support early to avoid unexpected billing.

Hope this helps someone!

Restrict Cost Consumption by using Azure Automation, Budget and Policy

Aaida_Aboobakkar — Thu, 13 Mar 2025 10:43:52 GMT

Video

See the demo video by using below link

Demonstration Video

Automation Runbook Logic

Logic which set tag value once threshold exceeds

# Authenticate using Managed Identity (recommended for Automation Accounts)

Connect-AzAccount -Identity

# Define Subscription ID and Reset Tag

$subscriptionId = (Get-AzContext).Subscription.Id

$tags = @{ "cost exceeded" = "yes" } # Resetting the tag value

# Update the tag

Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge

Write-Output "Tag 'cost exceeded' reset to 'yes' for subscription $subscriptionId"

Logic which reset tag value every month

# Authenticate using Managed Identity (recommended for Automation Accounts)

Connect-AzAccount -Identity

# Define Subscription ID and Reset Tag

$subscriptionId = (Get-AzContext).Subscription.Id

$tags = @{ "cost exceeded" = "no" } # Resetting the tag value

# Update the tag

Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge

Write-Output "Tag 'cost exceeded' reset to 'no' for subscription $subscriptionId"

Azure Policy Logic

{

"properties": {

"displayName": "budget",

"policyType": "Custom",

"mode": "All",

"metadata": {

"version": "1.0.0",

"createdBy": "f6bb4303-e52d-4cba-9790-01f0798164b7",

"createdOn": "2025-03-13T05:08:05.8483517Z",

"updatedBy": "f6bb4303-e52d-4cba-9790-01f0798164b7",

"updatedOn": "2025-03-13T06:32:35.1740944Z"

"version": "1.0.0",

"parameters": {},

"policyRule": {

"if": {

"allOf": [

{

"field": "type",

"notEquals": "Microsoft.Resources/subscriptions"

{

"value": "[subscription().tags['cost exceeded']]",

"equals": "yes"

}

]

"then": {

"effect": "Deny"

}

"versions": [

"1.0.0"

]

}

Azure Policy require multiple tags with values

Oleg_A — Thu, 10 Oct 2024 15:32:39 GMT

I have a policy that requires specific tag with specific values (json below), but I want to require more tags within the same policy also with specific value and not sure how to do it...

Is there a way to add more tags with specific values to the same policy?

For example, I want to require two tags:

environment with prod/non-prod and department with Infra/Finance

Is it possible?

Thank you!

{

"properties": {

"displayName": "Require tag environment and its values on resources ",

"policyType": "Custom",

"mode": "Indexed",

"description": "Enforces a required tag environment and its value. Does not apply to resource groups.",

"metadata": {

"category": "Tags",

"createdBy": ""

"createdOn": ""

"updatedBy": ""

"updatedOn": ""

"version": "1.0.0",

"parameters": {

"tagName": {

"type": "String",

"metadata": {

"displayName": "Tag Name1",

"description": "Name of the tag, such as 'environment'"

"allowedValues": [

"environment"

]

"tagValue": {

"type": "Array",

"metadata": {

"displayName": "Tag Value1",

"description": "Value of the tag, such as 'production'"

"allowedValues": [

"prod",

"non-prod"

]

}

"policyRule": {

"if": {

"not": {

"field": "[concat('tags[', parameters('tagName'), ']')]",

"in": "[parameters('tagValue')]"

}

"then": {

"effect": "deny"

}

"versions": [

"1.0.0"

]

}

Azure Resource Graph query to get subscription properties

NotSoNewOzzie — Mon, 30 Sep 2024 00:56:17 GMT

I am very new to ARG queries. I am struggling to figure out how to get a list of our Azure Subscriptions using ARG, including some of the properties you see on the properties pane when using the azure portal. In particular, I want the property visually labelled "ACCOUNT ADMIN".
Can anyone point me in the right direction?

resourcecontainers

| where type == 'microsoft.resources/subscriptions'

| project subscriptionId, name, owner = ???

azure cosmos db for mongo db cluster

DurgeshS1910 — Thu, 08 Aug 2024 10:59:26 GMT

Team,

has any one enforced a azure policy to restrict public access along with firewall rule. As Microsoft has not given any build in policy for this new resource type.

Azure Inherited roles, but still access denied

Petri-X — Tue, 30 Jul 2024 14:51:17 GMT

Hi,

In e.g. Key Vault, when looking for the Access Control I can see that user account have custom contributor role inherited from the subscription level. When looking for the role more deeply it shows:

"Showing 500 of 15937 permissions View all (will take a moment to load)"

E.g. having the following permissions: Read Secret Properties and Write Secret. So all should be kind of okay..? 🙂

But when I'm looking for the e.g. secrets in the key vault, it gives me back "The operation is not allowed by RBAC." and "You are unauthorized to view these contents.". I thought there could be a "deny" rules, but nothing in there either.

What could be the trick on here? What might be blocking or missing the access to the resources.

Btw, I just tested, I was able to create the Key Vault by myself.

How to get Policy "Windows VMs should enable ADE or EncryptionAtHost." to be compliant?

AzureToujours — Thu, 06 Jun 2024 12:18:56 GMT

Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost."

A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant.

Two days ago, I did the same for all other VMs but their statuses haven't changed.

Am I missing something or are the policies messing with me?

Microsoft Cloud Security Benchmark policies not reporting in Defender for Cloud

Dominic_Sch — Fri, 12 Apr 2024 14:28:34 GMT

We enable the MCSB security policy at our tenant level and manage compliance via Defender for Cloud. However, I have found that some of the policies are listed are not showing in the Defender for Cloud recommendations.

For example, the policy "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled" is visible via Defender for Cloud>Environment Settings>Security Policies>MCSB and is linked to Policy Id 0c28c3fb-c244-42d5-a9bf-f35f2999577b. Within Azure Policy Compliance, I can find the policy in the assignment for MCSB and it reports both compliant and non-compliant resources in my tenant.

However, there is nothing reported in Defender for Cloud for the policy under the Recommendations>All Recommendations.

I have checked the filters applied and know it should be there - the similar policy is showing correctly (named "Azure SQL Managed Instance authentication mode should be Azure Active Directory Only" in the recommendation and security policies, and named "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation" in Azure Policy - 78215662-041e-49ed-a9dd-5385911b3a1f).

Any suggestions on what could be causing this behaviour ?

Regards

Dominic

Microsoft's inconsistent implementation of tagging in Azure

Adeelaziz — Wed, 03 Apr 2024 16:07:12 GMT

We revamped our Azure resource tagging strategy several years ago and rely on them heavily for #Governance and #FinOps. We not only enforce #tags via #AzurePolicy, we also enforce tag values based on a set of permissible values for each tag. Even with that in place we experience some drift due to exclusions required in the policy definition or exemptions in the policy assignments. I won't get into why this flexibility is needed here, that's a whole separate discussion.

Establishing a sound tag hygiene process becomes a vital component of your overall governance and FinOps strategies. One method we employ for tag hygiene is to surface the non-compliant resources in a #PowerBi report using an #AzureResourceGraph (ARG) query. Yes, you can do this in the Compliance section of Azure Policy as well however it lacks ease of use. For example, flipping back and forth between policies, filtering by subscriptions, surfacing other linked metadata is a cumbersome experience in the Azure Policy blade.

Now onto my frustrations with how Microsoft has implemented tagging across Azure.

1. Inconsistent application of Tag case-sensitivity across tools

- In Azure Policy and in the Azure portal, tag names are case-insensitive whereas tag values are case-sensitive.

- In Azure Resource Graph Explorer, both tag names and tag values are case-sensitive.

- Why is there inconsistency with case-sensitivity of tag names?

2. Inconsistent Tag validation across Resource Types

- When deploying a Storage Account, Azure validates my tag policy before I am able to hit the create button (before it's submitted to ARM) whereas when deploying a resource like a Public IP Address, that validation only occurs after you hit the create button. This likely happens with other resource types as well. By the way, my tagging policy specifies "Indexed" for mode, so in effect it should apply to any and all resources that support tagging in Azure.

- Why is does the evaluation of the tag policy differ based on the resource being deployed?

3. Inconsistent Tag UX across Resource Types

- When deploying a Storage Account, the tags input is a drop-down list. However, when deploying an Azure Virtual Machine, the tags input is a textbox. Although the latter makes use of predictive text, it's still clearly a different experience. This inconsistency is found across multiple Azure resources.

- Why is the tag UX different between resource types?

I realize some of this is addressed or is less of a concern when using IaC but that may not be for everyone, or work in all scenarios. It would be great if Microsoft could standardize their implementation of tagging resources uniformly across the entire Azure estate. In my opinion I don't think that's a huge ask.

Confused on the dispaly after "add lock" on storage

Xuhui_Liu — Thu, 14 Mar 2024 21:16:20 GMT

I am practising https://learn.microsoft.com/zh-cn/training/modules/describe-features-tools-azure-for-governance-compliance/5-exercise-configure-resource-lock. The display don't match the images.

Steps:

1, create storage az900xliu under az900 resource group

2, Add lock lock1 on it

3, add container failed

4, navigate to az900:az900xliu:lock : NO LOCK here ( don't match the material)

5, navigate to az900:lock : lock1 is here

6, delete lock1

I repeated step 2-6 several times. And tried add lock2 under az900:az900xliu:lock, lock2 will disappear after navigate to other tab and back just like lock1. But, lock2 will NOT appear under az900:lock either.

And, I tried add lock2 under az900:lock. It appears, but after navigate to other tab and back, it disappear. Really confused on these behavior.

I tried create container after delete lock1(lock2 don't appear so I cannot delete). After click the link in error message, I navigate to az900:lock and two lock2 appear. One is under az900:lock, another is under az900:az900xliu:lock. After delete them, I successfully add container.

Wish: Add 'Customer Name' to Azure Portal Views as a Column (or 'Group By') Option

GW999 — Fri, 09 Feb 2024 16:21:41 GMT

I work for a CSP and use Azure Lighthouse to manage many customer environments. All of the Azure portal views are focused on the concept of the subscription being the top level management object in Azure (I'm excluding Management Groups for policy management). I'm sure this works well for single organisations that use Azure portal, but for CSPs we need to be able to order/arrange/group lists based on customer name first and then by subscription. In other words, our administration view has to start one level above subscription compared with most organisations.

I know you can change the directory filter if you want to work on a single customer's environment and limit the view to their resources, but most often we are managing at scale and operating on multiple customer estates at once and as such we need lists to be built around the customer as the topmost object rather than the subscription.

When we are confronted with a long list of subscriptions (some of which being unhelpfully named 'Subscription 1' or 'Azure' by customers who have not followed CAF...) it is impossible to determine which customer that sub relates to without following each and every subscription link. It's onerous. Not all customers allow us to impress a subscription naming convention on their Azure environment (we might be contracted to only support a subset of their subscriptions and they are unwilling to change them).

An example would be the Virtual Machines list. Microsoft offers no fewer than 33 'Group By' attribute options, none of which is 'Customer'. Some views allow you to add a column and Group By tag, but a surprisingly small number of views support column manipulation.

I'm hoping someone from the MSFT PG sees this and hears my plea: please keep CSPs in mind when designing Azure Portal and allow us to add a column for 'Customer Name' throughout, it would be of huge benefit to us!

How to fix azure policy not showing in definitions.

rhotrix — Tue, 06 Feb 2024 07:38:38 GMT

I need to configure the policy for "account with owner/read/write permissions on Azure resources should be MFA enabled" but it is not showing here.

Azure Advisor aggregate score for 2+ subscriptions - how is it calculated?

eva1608 — Fri, 12 Jan 2024 08:03:02 GMT

Dear all,

I would like to understand how Azure Advisor calculates aggregations for the 5 pillars, for multiple subscriptions.

In the example below we have values for Azure Advisor subscription 1 –(Cost = 68, Security = 47, Reliability = 86, Operational Excellence = 83, Performance = 100)

And subsequently values for Azure Advisor subscription 2 -

(Cost = 35, Security = 69, Reliability = 91, Operational Excellence = 79, Performance = 100)

When selecting both subscriptions, we obtain the aggregate values –

Naively I might have expected that the aggregate advisor scores could be the arithmetic average between the two, but that is not the case.

Any help is much appreciated! ❤️

Thank you very much in advance,

Best Regards,

Eva

Azure Policy - Configure backup on virtual machines with a given tag

as-integy — Tue, 19 Dec 2023 16:04:39 GMT

I wonder if somebody could sanity check something for me with this please in case it's something I could be missing.

We have this existing policy configured in a customers tenant (https://www.azadvertizer.net/azpolicyadvertizer/345fa903-145c-4fe1-8bcd-93ec2adccde8.html

After creating a VM and allocating the correct tag etc. it didn't automatically have the backup policy assigned to it. With the policy assignment itself it didn't even appear as a non-compliant resource. I went through the checks to make sure it was the same region, correct tag, correct rsv and policy, which all appeared to look fine. When remediating it still wasn't pulling the resource through.

When I went into the definition detail to see what could be amiss, I noticed the list of WindowServer image SKU's that were listed (image attached here https://i.stack.imgur.com/1YPpM.png. As I was sanity checking everything, I looked at the VM to see that the SKU wasn't actually in this list (2019-datacenter-smalldisk-g2).

As every SKU is listed specifically it makes me think this image has just been missed off and needs adding? Rather than it getting captured by one of the SKU's listed.

I can add the VM manually to the existing RSV for now but for future ref, is there a way I can raise this if my findings are indeed correct?

AWESOME Azure Policy

Jesse Loudon — Sat, 02 Dec 2023 13:16:11 GMT

Azure Policy is a very powerful, but sometimes frustrating service to learn, adopt, and troubleshoot. Years ago when I first started getting into the technical nitty gritty side of Azure Policy I quickly learnt that I could save myself hours of time in trial and error simply by combining Microsoft sources of information (e.g. Microsoft Docs) with trusted community sources containing examples and how-to-guides.

And so in January of 2022 the Awesome Azure Policy project was born -- a curated list of AWESOME blogs, videos, tutorials, code, tools, scripts...anything which can help you learn Azure Policy and quickly get started with designing, planning, and implementing governance controls to your resources. There's currently over 380+ links to awesome Azure Policy content within!

You're more then welcome to submit pull requests to the project as that's the only way we can keep up with the pace of new content being released globally.

Convert an organization policy into azure policy

deloittepocra — Fri, 24 Nov 2023 07:15:00 GMT

Hi,

I wanted to know that is it possible to convert the current organization policy that are used for servers(Windows, Linux and Redhat) to Azure Policy. This is because there are some policies that is specifically only for their organization. For instance:

Rename administrator account to <company name>support.

Azure defender

Francis2043 — Wed, 08 Nov 2023 22:24:00 GMT

Hi, So I am trying to export my subscription and their secure scores to a CSV file. I seem not to find a way to do this on the portal. Does anyone know if there is a command to get this done or steps on how to do it from the portal.

Policy trigger for Microsoft.Network/virtualNetworks/subnets/join/action

Aniruddha1248 — Thu, 02 Nov 2023 17:40:30 GMT

Hello Team,

I have a use case where I do not want any resource to connect to my VNET except a few allowed ones.

We are designing a secured containerized environment for our customers with very strict access control policies. However, we are not seeing the policy triggered for the network join operation.

For testing purpose, I used the following policy just to capture and deny all the operations on virtual network and assigned this policy to the resource group scope where my VNET is present: -

{

"mode": "All",

"policyRule": {

"if": {

"field": "type",

"equals": "Microsoft.Network/virtualNetworks"

"then": {

"effect": "deny"

}

After this policy is assigned to my resource group, I am not able to create a VNETs in my resource group, however, I am still able to join an existing VNET in this resource group.

Looks like policy is not even getting evaluated/triggered for the network join action. Can you please suggest how can we deny this action?