Azure Governance Simplified: Essential Policies for Every Organization
5 min read
Table of contents
- Introduction:
- Allowed Locations:
- Allowed Virtual Machine Size SKUs:
- Allowed Resource Types
- Audit Usage of Custom RBAC Roles
- Custom Subscription Owner Roles Should Not Exist
- Not Allowed Resource Types
- A Maximum of 3 Owners for Subscriptions
- MFA for Subscription Owners
- Contact Email Address for Security Issues
- Require a Tag on Resource Groups
- Inherit a Tag from the Resource Group
- Custom Policy for Resource lock:
- Conclusion:
Introduction:
In the ever-evolving world of cloud computing, governance is the cornerstone of a secure, compliant, and efficient Azure environment. As organizations migrate to the cloud, the challenge lies in maintaining control without stifling innovation. Azure Governance provides a framework to address this challenge, ensuring that resources are managed effectively, costs are optimized, and security is upheld.
This blog dives into the essential Azure policies every organization should implement to establish a robust governance model. Whether you’re a small business or a global enterprise, these recommendations will help you create a scalable and compliant cloud environment. From cost management to security and resource consistency, we’ll cover practical examples and best practices to guide your governance journey.
Let’s simplify Azure Governance and empower your organization to harness the full potential of the cloud responsibly.
Allowed Locations:
This policy restricts the locations your organization can specify when deploying resources. It helps enforce geo-compliance requirements, ensuring resources are deployed only in approved regions.
Exclusions:
Resource groups.
Azure Active Directory B2C directories.
Resources using the
globalregion.
Example Use Case: Restrict deployments to regions that comply with data residency and regulatory requirements, such as GDPR or HIPAA.
Allowed Virtual Machine Size SKUs:
This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. By restricting VM sizes, you can:
Enforce organizational standards.
Optimize costs by preventing the use of oversized VMs.
Simplify management by limiting the variety of deployed VMs.
Example Use Case: Restrict VM SKUs to cost-efficient or approved configurations that meet workload requirements.
Allowed Resource Types
This policy specifies which resource types your organization can deploy. It helps reduce complexity and minimizes the attack surface by limiting resource types to those essential for business operations.
Note: Only resource types supporting tags and location are affected. To restrict all resources, duplicate the policy and change its mode to All.
Example Use Case: Allow only approved resource types, such as storage accounts and virtual machines, to simplify governance and improve security.
Audit Usage of Custom RBAC Roles
Custom roles can be error-prone and introduce security risks. This policy audits the usage of built-in roles such as Owner, Contributor, and Reader, treating custom roles as exceptions requiring thorough review.
Example Use Case: Ensure adherence to least privilege principles by minimizing the use of custom roles.
Custom Subscription Owner Roles Should Not Exist
Prevent the creation of custom subscription owner roles to maintain consistency and security in role assignments.
Example Use Case: Avoid role proliferation and potential misconfigurations.
Not Allowed Resource Types
This policy restricts specific resource types from being deployed. It helps reduce the environment’s complexity and attack surface while managing costs.
Example Use Case: Disallow deployment of expensive or unsupported resource types.
A Maximum of 3 Owners for Subscriptions
Limiting the number of subscription owners reduces the potential impact of a compromised owner account.
Example Use Case: Ensure there are no more than three designated subscription owners to enhance security.
MFA for Subscription Owners
Multi-Factor Authentication (MFA) should be enabled for all accounts with owner permissions. This prevents unauthorized access to critical resources.
Example Use Case: Enforce MFA for subscription owners to mitigate risks of account breaches.
Contact Email Address for Security Issues
Set a security contact email address to ensure the right individuals are notified of potential security breaches.
Example Use Case: Receive alerts from Azure Security Center for prompt action.
Require a Tag on Resource Groups
Enforce the existence of a specific tag on resource groups to enhance resource organization and tracking.
Example Use Case: Require a CostCenter tag for resource groups to track expenses.
Inherit a Tag from the Resource Group
Automatically add a missing tag to resources from their parent resource group. This ensures consistent tagging across the environment.
Example Use Case: Ensure all resources inherit the Environment tag (e.g., Production, Development).
Custom Policy for Resource lock:
Azure doesn’t provide built-in policy for resource lock. however, we can create custom policy to deploy a policy to Enforce CanNotDelete Resource Lock using Azure Policy:
{
displayName: "Resource Lock should be enabled",
description: "With this policy: any resource that has the tag key LockLevel with the value CanNotDelete means authorized users can read and modify the resource, but they can t delete it.",
metadata: {
category: "Backup",
version: "1.0.0"
},
mode: "Indexed",
parameters: {
tagName: {
type: "string",
metadata: {
displayName: "Exclusion Tag Name",
description: "Name of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Value parameter."
},
defaultValue: "_MVP_Resource_Lock_should_be_enabled"
},
tagValue: {
type: "string",
metadata: {
displayName: "Exclusion Tag Value",
description: "Value of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Name parameter."
},
defaultValue: "exclude"
},
effect: {
type: "String",
metadata: {
displayName: "Effect",
description: "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
},
allowedValues: [
"DeployIfNotExists",
"AuditIfNotExists",
"Disabled"
],
defaultValue: "DeployIfNotExists"
}
},
policyRule: {
if: {
allOf: [
{
field: "tags.LockLevel",
equals: "CanNotDelete"
},
{
value: 🔍"[
length(
split(
field('type'),
'/'
)
)
]",
equals: 2
},
{
not: {
field: 🔍"[
concat(
'tags[
',
parameters('tagName'),
'
]'
)
]",
equals: "[parameters('tagValue')]"
}
}
]
},
then: {
effect: "[parameters('effect')]",
details: {
roleDefinitionIds: [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
type: "Microsoft.Authorization/locks",
name: "ResourceLockedByPolicy",
existenceCondition: {
allOf: [
{
field: "Microsoft.Authorization/locks/level",
In: [
"CanNotDelete"
]
},
{
field: "Microsoft.Authorization/locks/notes",
equals: "Locked by Azure Policy"
}
]
},
deployment: {
properties: {
mode: "incremental",
template: {
$schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
contentVersion: "1.0.0.0",
parameters: {
resourceName: {
type: "string"
},
resourceType: {
type: "string"
}
},
variables: {},
resources: [
{
type: "Microsoft.Authorization/locks",
apiVersion: "2016-09-01",
name: "ResourceLockedByPolicy",
scope: 🔍"[
concat(
parameters('resourceType'),
'/',
parameters('resourceName')
)
]",
properties: {
level: "CanNotDelete",
notes: "Locked by Azure Policy"
}
}
],
outputs: {}
},
parameters: {
resourceName: {
value: "[field('name')]"
},
resourceType: {
value: "[field('type')]"
}
}
}
}
}
}
}
}
Conclusion:
Azure Governance with Azure Policy empowers organizations to enforce compliance, security, and operational efficiency. By implementing these recommended policies, you can establish a robust governance framework that aligns with your organization’s goals and regulatory requirements.
Start defining and enforcing these policies today to ensure your Azure environment remains secure, compliant, and cost-effective.