[Figure: three provisioning models compared on an agility vs. control axis. Traditional: user request, approval, IT provisioning, access. Agile: user request, access. Agile with Governance: user request, validation against policies and budget, access.]
Azure governance building blocks
▪ Hierarchy – Management Groups
▪ Control – Policy: real-time enforcement, compliance assessment and remediation
▪ Consumption – Cost Management: monitor cloud spend and optimize resources
▪ Environment – Blueprints (NEW): deploy and update cloud environments in a repeatable manner using composable artifacts
▪ Visibility – Resource Graph (NEW): query, explore and analyze cloud resources at scale
Azure Management Group Facts
▪ Independent from the customer EA hierarchy
▪ Can be created, moved, updated, and deleted by admins to build a hierarchy for their needs
▪ A management group tree can support up to six levels of depth
▪ Each management group and subscription can only support one parent
▪ All subscriptions and management groups are within a single hierarchy in each directory (Azure AD tenant)
The Root management group
▪ Its ID will be the Azure Active Directory (tenant) ID
▪ Can't be moved or deleted, unlike other management groups
▪ New subscriptions are automatically defaulted to the root management group when created
▪ No one is given default access to the root management group
▪ Azure AD Global Administrators can elevate themselves!
Policy key information
▪ Policy evaluates all Azure resources and in-guest VM settings
▪ Policy generates compliance events that can be used for alerting
▪ Aggregated and raw compliance data are available through API, PowerShell and CLI
▪ Can be used to automatically remediate problems in your environment
Compliance evaluation frequency
▪ On periodic cadence: every 24 hours
▪ On demand: new/updated assignment, or the trigger scan API
  POST https://management.azure.com/subscriptions/subID/resourceGroups/rgName/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview
Policy Hints
▪ Policies can be organized in policy sets (initiatives) to overcome object limits per scope
▪ Create objects on a top-level management group (naahh.. doesn’t work with ARM Templates? -> use REST API or Terraform)
▪ In an existing environment don’t screw all up with the “deny” effect – start with “audit” first ☺
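As an added example (not from the deck): a PowerShell sketch of the two hints above plus the on-demand scan from the evaluation-frequency slide. It assumes the Az.Resources and Az.PolicyInsights modules, a management group named corp-root, and placeholder policy and subscription names; Start-AzPolicyComplianceScan is the cmdlet form of the triggerEvaluation REST call.

```powershell
# Added example: parameterised-effect policy created and assigned at management
# group scope, rolled out in Audit first. Names below are assumptions.
$mgName  = 'corp-root'                                   # assumed management group
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Rule: flag (or deny) any resource deployed outside the allowed regions.
$rule = @'
{
  "if":   { "field": "location", "notIn": "[parameters('allowedLocations')]" },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Effect is a parameter with Audit as default, so the same definition is
# later switched to Deny by changing the assignment, not the definition.
$params = @'
{
  "allowedLocations": { "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" } },
  "effect": { "type": "String", "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit", "metadata": { "displayName": "Effect" } }
}
'@

# Definition at the management group (the scope the deck says ARM templates don't cover).
$def = New-AzPolicyDefinition -Name 'allowed-locations-param' `
    -DisplayName 'Allowed locations (parameterised effect)' `
    -ManagementGroupName $mgName -Mode 'Indexed' -Policy $rule -Parameter $params

# First pass in Audit: nothing is blocked, but non-compliance is recorded.
New-AzPolicyAssignment -Name 'allowed-locations-audit' -Scope $mgScope `
    -PolicyDefinition $def `
    -PolicyParameterObject @{ allowedLocations = @('westeurope', 'northeurope'); effect = 'Audit' }

# Don't wait for the 24h cadence: on-demand scan of the current subscription
# (-AsJob because the scan is a long-running operation).
Set-AzContext -Subscription '<subscription-id>'          # placeholder
Start-AzPolicyComplianceScan -AsJob | Wait-Job | Out-Null

# Size the blast radius before switching the assignment's effect to Deny.
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq 'allowed-locations-audit'" |
    Select-Object ResourceId, PolicyDefinitionAction, Timestamp
```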
Blueprints
Lock foundational resources
• Protect resources even from subscription owners
• Manage locks through a centralized location
• Update locked resources through blueprint definition updates
Streamline environment creation
• Centralize environment creation through templates
• Add resources, policies and role access controls
• Track blueprint updates through versioning
Enable compliant development
• Empower developers to create fully governed environments through self-service
• Create multiple dev-ready environments and subscriptions from a centralized location
• Leverage the integration with Azure Policy in the DevOps lifecycle
Resource Locking with Blueprints
▪ Locked resources can't be modified or deleted – even by subscription owners
▪ Locking modes: Don’t lock | Do not delete | Read only
▪ Uses a system- or user-assigned managed identity (MSI)
Summing up
▪ Blueprints are based on Azure Policy, Management Groups and ARM Templates
▪ Use blueprints to enforce corporate standards across subscriptions
▪ ISO 27xxx and more are available as templates
▪ Watch the upcoming months for new stuff!