Effective The steps to Azure Governance 

About me @SjoukjeZaal https://www.sjoukjezaal.com Sjoukje Zaal Managing Consultant / Azure MVP 

© 2019 Sjoukje Zaal Management Groups Demo Resource Graph Demo Policy demo Blueprints Demo Step 05 Step 04 Step 03 Azure Governance Step 02 Step 01 Agenda 

© 2019 Sjoukje Zaal Governance in Azure is one aspect of Azure Management. . 

© 2019 Sjoukje Zaal 8 6 ( Azure Governance A collection of concepts and services 01 Step 02 Step 03 Step 04 Step Management Groups Policy Blueprints Resource Graph z 

© 2019 Sjoukje Zaal Automatically inherit the conditions Apply governance conditions Unified policy and access management Organizes subscriptions into containers Management Groups capabilities 

© 2019 Sjoukje Zaal Management Groups Azure management groups provide a level of scope above subscriptions. 

© 2019 Sjoukje Zaal Demo Management Groups 

© 2019 Sjoukje Zaal f w c Looked at the available Management Groups Added a subscription to the group Added the Marketing Management Group Step 1 Demo summary Step 2 Step 3 

© 2019 Sjoukje Zaal Detail changes made to resource properties Assess the impact of applying policies Explore resources based on governance requirements Queries with complex filtering, grouping, and sorting Resource Graph (Preview) Provides resource exploration with the ability to query at scale across a given set of subscriptions 

© 2019 Sjoukje Zaal Resource Graph Working • Regular full scan • Updates database when resource is updated • Throttling Supports • PowerShell, CLI and Azure SDK for .NET • Kusto query language ( 6 

© 2019 Sjoukje Zaal Demo Resource Graph 

© 2019 Sjoukje Zaal f w c Installed the Az.ResourceGraph module Executed various queries on the subscriptions Set the Resource Graph to query all subscriptions Step 1 Demo summary Step 2 Step 3 

© 2019 Sjoukje Zaal x E b Azure policy Service Create, assign, and manage policies Azure portal, PowerShell, CLI and ARM templates Built-in & custom policies Stay Compliant by Enforcing rules and effects Evaluating your resources Assigned to Management Groups Subscriptions Resource Groups Azure Policy 

© 2019 Sjoukje Zaal Append Adds the defined set of fields to the request Audit Generates a warning event in activity log but doesn’t fail the request Deny Generates an event in the activity log and fails the request Disabled Doesn’t evaluate resources for compliance to the policy rule DeployIfNotExists Deploys a resource if it doesn’t already exist AuditIfNotExists Enables auditing if a resource doesn’t exist Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. Policy Effects 

© 2019 Sjoukje Zaal Policy Policy artifacts Definition Assignment Parameters Definition Assignment Parameters Initiative C 

© 2019 Sjoukje Zaal Create definition Assign definition Evaluation Compliant / non-compliant User check Create remediation task Azure Policy flow 

© 2019 Sjoukje Zaal Validating individual policies? Don't include them in an initiative Create and assign initiative definitions Consider organizational hierarchies Start with an audit effect instead of a deny effect Policy best practices 

© 2019 Sjoukje Zaal Demo Assign Policies 

© 2019 Sjoukje Zaal 

© 2019 Sjoukje Zaal f w c b y Assigned a built-in policy Created a VM Assigned the custom policy Created a custom policy Performed Remediation Step 1 Demo summary Step 2 Step 3 Step 4 Step 5 

© 2019 Sjoukje Zaal x E E b Exists natively in Azure Offers versioning Relationship definition / assignment Backed by Azure Cosmos DB Azure Blueprints (preview) Deploy and update cloud environments in a repeatable manner using composable artifacts 

© 2019 Sjoukje Zaal RBAC assignments ARM templates Policy definitions Resource Groups Blueprint artifacts 

© 2019 Sjoukje Zaal Blueprint permissions 01 02 03 Create Microsoft.Blueprint/blueprints/write Microsoft.Blueprint/blueprints/artifacts/write Microsoft.Blueprint/blueprints/versions/write Publish Microsoft.Blueprint/blueprints/delete Microsoft.Blueprint/blueprints/artifacts/delete Microsoft.Blueprint/blueprints/versions/delete (Un) assign Microsoft.Blueprint/blueprintAssignments/write Microsoft.Blueprint/blueprintAssignments/delete The blueprint definition permissions must be granted or inherited on the management group or subscription scope where it is saved. 

© 2019 Sjoukje Zaal x E t b Install AZ.Blueprint Module Blueprint parameters Import / export Blueprints CI/CD pipelines Create Blueprints using PowerShell, ARM & API 

© 2019 Sjoukje Zaal Demo Assign Blueprints 

© 2019 Sjoukje Zaal 

© 2019 Sjoukje Zaal f w c b y Set the required permissions Imported the Blueprint using PowerShell Created a Network Blueprint using ARM templates Assigned the VNet Blueprint Created VNet Blueprint in the portal Step 1 Demo summary Step 2 Step 3 Step 4 Step 5 

© 2019 Sjoukje Zaal Useful links Management Groups Azure policy samples: https://bit.ly/2ZpnSVj Blueprints Azure Blueprints samples (including CI/CD pipelines): https://bit.ly/2MLQNwc Resource Graph Starter Resource Graph queries: https://bit.ly/30Q8Owy Advanced Resource Graph queries: https://bit.ly/30Ogf7D ( 6 K 

© 2019 Sjoukje Zaal Validating individual policies? Don't include them in an initiative Blueprints in PowerShell can only be added to the subscription level Consider organizational hierarchies Can’t use ARM templates to create Management Groups Wrap up 

? any Are there questions?