Governance
• Resource Locks
• Management Groups
• Azure Policy
• Blueprints
• Resource Graph
Microsoft Confidential
Module 1 - Azure Governance
Enterprise Azure Roles and Portals
• Enterprise Portal: https://ea.azure.com
• Account Portal: https://account.windowsazure.com
• Management Portal: https://portal.azure.com
Subscription Setup Methodology: http://aka.ms/magicbutton
Azure Role-Based Access Control (RBAC)
• Fine-grained access control to the Azure “control plane”
• Grant access by assigning a Security Principal a Role at a Scope
  • Security Principal: user, group, or service principal
  • Role: built-in or custom role
  • Scope: subscription, resource group, or resource
• Pressure to digitally transform & innovate
• Need for agility to reduce speed to market
• Shift to DevOps
Cloud Sprawl -> Increased complexity in managing standards, accountability, compliance, consistent architecture & cost -> at Scale
Sacrifice Speed for Control: Developers -> Cloud Custodian (engineers responsible for the cloud environment) -> Operations
Speed and Control: Developers -> Cloud Custodian Team (built-in controls through policy instead of workflow) -> Operations
Native platform capabilities to ensure compliant use of cloud resources:
• Real-time enforcement, compliance assessment and remediation
• Deploy and update cloud environments in a repeatable manner using composable artifacts (NEW)
• Query, explore & analyze cloud resources at scale (NEW)
• Define organizational hierarchy
• Monitor cloud spend and optimize resources
1. Environment Factory: Deploy and update cloud environments in a repeatable manner using composable artifacts
• ARM Templates
• Role-based Access
• Policy Definitions
• Management Groups
• Subscriptions CRUD
• Query
Hierarchy diagram: Prod (Shared services, App D) and Pre-Prod (Shared services, App C)
• Turn on built-in policies or build custom ones for all resource types
• Real-time policy evaluation and enforcement
• Apply policies to a Management Group with control across your entire organization
• Apply multiple policies and aggregate policy states with a policy initiative
• Real-time remediation & remediation on existing resources (NEW)
Diagram: User -> Request (Code / Config) -> ARM – Centralized Control Plane (Azure Policy) -> Cloud Resource(s)
Fields      Conditions                   Accessors
name        "equals": "value"            "field": "fieldname"
kind        "like": "value"              "source": "action"
type        "match": "value"
location    "contains": "value"
fullName    "in": ["val1", "val2"]
tags        "containsKey": "keyName"
tags.*      "exists": "bool"
aliases     + "not*" variants
$policy = New-AzureRmPolicyDefinition -Name costCenterTagPolicyDefinition `
    -Description "Policy to deny resource creation if no costCenter tag is provided" `
    -Policy '{
        "if": {
            "not": {
                "field": "tags",
                "containsKey": "costCenter"
            }
        },
        "then": {
            "effect": "deny"
        }
    }'

{
    "if": {
        "not": {
            "field": "name",
            "like": "namePrefix*nameSuffix"
        }
    },
    "then": {
        "effect": "deny"
    }
}
{
    "properties": {
        "displayName": "Allowed VM Skus",
        "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy."
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Compute/virtualMachines"
                },
                {
                    "not": {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "in": ["Basic_A0", "Basic_A1", "Basic_A2", "Basic_A3", "Basic_A4"]
                    }
                }
            ]
        },
        "then": {
            "effect": "Deny"
        }
    }
}
{
    "properties": {
        "displayName": "Allowed VM Skus",
        "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.",
        "parameters": {
            "listOfAllowedSKUs": {"type": "array"}
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Compute/virtualMachines"
                },
                {
                    "not": {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "in": "[parameters('listOfAllowedSKUs')]"
                    }
                }
            ]
        },
        "then": {
            "effect": "Deny"
        }
    }
}
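A small evaluator for the policy rule subset used in the definitions above (the costCenter tag rule and the parameterized allowed-SKU rule), added here as an illustration and not Microsoft's policy engine. It assumes resources are flat dicts in which an alias such as Microsoft.Compute/virtualMachines/sku.name is simply a key; the sample resources are constructed.

```python
import fnmatch
import re
# Added example, not Microsoft's policy engine: evaluates the subset of the Azure
# Policy rule language on this page (field conditions, not, allOf, [parameters()]).
# Resources are constructed flat dicts in which an alias such as
# "Microsoft.Compute/virtualMachines/sku.name" is simply a key.
PARAM_RE = re.compile(r"\[parameters\('([^']+)'\)\]")

def resolve(value, params):
    """Replace a "[parameters('name')]" string with the supplied parameter value."""
    if isinstance(value, str) and (m := PARAM_RE.fullmatch(value)):
        return params[m.group(1)]
    return value

def matches(cond, resource, params):
    """True when the condition (a policy 'if' block) matches the resource."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "like" in cond:  # Azure 'like' uses '*' as its wildcard; fnmatch also honours '?'
        return actual is not None and fnmatch.fnmatchcase(actual, resolve(cond["like"], params))
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "containsKey" in cond:
        return isinstance(actual, dict) and cond["containsKey"] in actual
    raise ValueError("unsupported condition: %r" % (cond,))

def effect(policy_rule, resource, params=None):
    """Effect the rule applies to the resource, or 'none' when its 'if' does not match."""
    if matches(policy_rule["if"], resource, params or {}):
        return policy_rule["then"]["effect"].lower()
    return "none"
# The two rules from the slides, as Python dicts.
COST_CENTER_RULE = {"if": {"not": {"field": "tags", "containsKey": "costCenter"}},
                    "then": {"effect": "deny"}}
ALLOWED_SKU_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "Deny"}}
SKU_PARAMS = {"listOfAllowedSKUs": ["Basic_A0", "Basic_A1"]}
# Constructed sample resources (not real deployments).
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
         "tags": {"costCenter": "1234"}, "Microsoft.Compute/virtualMachines/sku.name": "Basic_A1"}
VM_BAD_SKU = {**VM_OK, "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2_v3"}
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "logs", "tags": {}}
```

Calling effect(ALLOWED_SKU_RULE, VM_BAD_SKU, SKU_PARAMS) yields "deny", while a non-VM resource yields "none" because the allOf type check fails first.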
• What drives your need for Policy?
• Who owns policy definitions & implementation?
• What is involved in defining a new Policy or refining an existing one?
Contoso Blueprint
1. Creates a Blueprint
3. Identifies artifacts to be instantiated by default:
• Policy Definitions
• ARM Templates
• RBAC
• Functions\Runbooks
• Curated Marketplace
• Other Templates
• Perform fast ad hoc exploration in a large cloud environment
• Query & analyze across all of your cloud resources at scale in seconds
• Ability to assess the impact of applying policies in a vast cloud environment
LAB