azure blueprints
11 Topics

Best practices for governing Azure deployed resources
A while ago... I attended a day-long session where Microsoft led a class about governing Azure resources. They covered using management groups and blueprints to help template and create re-usable tools to help ensure resources in Azure don't sprawl and are allocated to the proper groups that own the resources. I am curious if there are any other best practices, tips, tricks, etc. that are documented or undocumented that others recommend reading and following? Thanks! Azure Governance Workshop Roadshow was the name of the aforementioned session - if you have a chance to attend, it's a great and informative session.
4.2K Views 0 likes 2 Comments

Is it possible to deny the access to Cost Management?
Hi, I am trying to deny the access to Cost Management for a user. I don't want to block the access to the Azure Portal. I don't want to remove the current role of this specific user. I found that this could be achieved using Azure Blueprint. But I can't see where to apply the deny permission. Can anyone help? Thanks. 🙂
4.1K Views 0 likes 3 Comments

Anybody know how to create a custom policy to deny public network access to PaaS services
I know there is an audit component to PaaS resources to deny public network, but is there a way to deny instead of audit the denial of public network? Or does anybody know how to create a custom policy for this ask?

How to export Azure Compliance Data for NIST 800-53 r4 in a PDF format
I am doing a security audit and have to provide recommendations to my customer based on the Audit outcome. I have created a NIST 800-53 R4 Policy Initiative and assigned it to a few subscriptions. So I would like to export this compliance report now in the form of a PDF or a CSV. How is that possible? I don't see any option to export the compliance report. You get this option in Azure Security Center for CIS, PCI DSS, SOC TSP and ISO 27001. I want something like that in Azure Policy. Can anyone help me with this or provide some pointers? Thanks
2.7K Views 2 likes 2 Comments

Azure Blueprint: Allow resource only in specific resource group
Hello all, We would like to use blueprint to govern Azure subscriptions. Within the blueprint we would like to deploy some kind of "core networking" resource group containing a VNET, which we can achieve using ARM template. So far so good, but we would like to prevent other VNETs being deployed to the subscription. I guess it should be possible somehow using policy and exclude the "core networking" resource group, but I haven't found a way yet.

Blocking resource creation in a blueprint managed Resource Group
Hello, I have noticed that it's possible to create new resources in a Resource Group that is under a Read-Only blueprint assignment. The RG is under 'Cannot edit / delete' Lock State when looking at the blueprint assignment page. Is that normal behavior or am I missing something? Thank you.
1.7K Views 0 likes 1 Comment

Is AzurePolicy applied topdown? I am applying it in MgmtGroup where it has Sub but no go.
I am trying to apply Azure Policy in ManagementGroup but no go. I tried in subscription and it works fine. I thought you can apply policy in MgmtGroup in the subscription, and subscription will inherit the policy (top down). Can anyone provide clarification on this? My structure is like this:

MgmtGroup1 (AzPolicy - allowed location)
|___ Subscription1
MgmtGroup2 (AzPolicy - allowed location)
|__ Subscription 2

1.3K Views 0 likes 1 Comment

Teams Provisioning with Access Review
Hi Techies, I am exploring possibilities for app development as I have a case where users can provision specific Teams that require an Azure Access Review. I know automated Teams provisioning, but I haven't encountered the automated Access review creation as part of the Teams Provisioning. Anyone got tips or reference?
Solved 956 Views 0 likes 2 Comments

Deleting an Azure Blueprint
Quoting an excerpt from https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/lifecycle "The core blueprint can also be deleted. Deleting the core blueprint also deletes any blueprint versions of that blueprint, including both Draft and Published blueprints. As with deleting a version of a blueprint, deleting the core blueprint doesn't remove the existing assignments of any of the blueprint versions." The last line in the above quoted text "deleting the core blueprint doesn't remove the existing assignments of any of the blueprint versions" doesn't make sense to me. How is this possible? Because if we have to delete the core blueprint, we'll have to unassign it, and deleting the core Blueprint will also delete all the versions, which would automatically mean existing assignments will have to be removed.
451 Views 0 likes 0 Comments