Everything New in Azure Governance @ Ignite 2023

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Ignite, November 14-17, 2023.


The Azure Governance team is super excited to share all the following new features across our product portfolio. For each of the features, you will find an accompanying announcement with scenario details. For some of these announcements, you will also find a demo video to follow along.


Jump to: Ignite Session | Azure Policy | Machine Configuration | Azure Resource Notifications | Azure Resource Graph 


Ignite Session


Securely operate and manage your estate with Azure Policy and more
Thursday, November 16 | 4:00 PM PT

Join Neha, Kemley, Ryan, and Jodi in reimagining your at-scale cloud management and governance process. Our discussion will feature Azure Policy platform enhancements, a deep dive into gradual deployment best practices, and declarative configuration management. Bring all your questions and come learn how to securely govern your Azure, hybrid, and multi-cloud resources through interactive conversations and practical demonstrations.


Azure Policy


Deny Action effect in Azure Policy (GA)

Protect your critical resources from accidental deletion using the Deny Action effect! Azure Policy expands its at-scale enforcement capabilities to deny resource deletion based on resource configuration or scope. The effect will support additional operations (e.g., deny move) in the future.



Gradual Rollouts of Policy Assignments through Selectors and Overrides
Gradually roll out policies to follow safe deployment practices (SDP) without changing the policy definition. The resourceSelectors property on a policy assignment targets a subset of resources by resource location or resource type, so each rollout stage can cover a different slice of the estate. In addition, the overrides property lets you change the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect, so you can first roll out with the audit or auditIfNotExists effect and switch to enforcement later.
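The following Python model is an added example, not code from the original post or from Azure Policy itself: it encodes a stage-1 assignment in the policy assignment JSON shape (resourceSelectors plus an overrides entry) and evaluates, over a constructed inventory, which resources the stage targets and with which effect. The matching rules (selectors AND'd within a group, groups OR'd, first matching policyEffect override wins) are a simplified illustration of the documented behaviour; the policyDefinitionId is a placeholder.

```python
import json
# Constructed stage-1 assignment: storage accounts in two regions are in scope,
# and a policyEffect override with no selectors turns the effect into "audit".
ASSIGNMENT = {"properties": {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-ID",
    "resourceSelectors": [{"name": "stage1", "selectors": [
        {"kind": "resourceLocation", "in": ["eastus", "westus"]},
        {"kind": "resourceType", "in": ["Microsoft.Storage/storageAccounts"]}]}],
    "overrides": [{"kind": "policyEffect", "value": "audit"}],
}}
# Constructed inventory standing in for resources under the assignment scope.
RESOURCES = [
    {"id": "sa-eastus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"id": "sa-northeurope", "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
    {"id": "vm-eastus", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
]

def selector_matches(selector, resource):
    """One selector: case-insensitive 'in' / 'notIn' test on location or type."""
    field = {"resourceLocation": "location", "resourceType": "type"}[selector["kind"]]
    value = (resource.get(field) or "").lower()
    if "in" in selector:
        return value in {v.lower() for v in selector["in"]}
    return value not in {v.lower() for v in selector["notIn"]}

def in_scope(assignment, resource):
    """Selectors in a group are AND'd, groups are OR'd; no groups means everything."""
    groups = assignment["properties"].get("resourceSelectors", [])
    return not groups or any(
        all(selector_matches(s, resource) for s in g["selectors"]) for g in groups)

def effective_effect(assignment, resource, definition_effect):
    """First matching policyEffect override wins, else the definition's own effect."""
    for o in assignment["properties"].get("overrides", []):
        if o["kind"] == "policyEffect" and all(
                selector_matches(s, resource) for s in o.get("selectors", [])):
            return o["value"]
    return definition_effect

def stage_plan(assignment, resources, definition_effect="deny"):
    """Map each targeted resource id to the effect this rollout stage applies."""
    return {r["id"]: effective_effect(assignment, r, definition_effect)
            for r in resources if in_scope(assignment, r)}

def promote(assignment, regions, enforce):
    """Next stage: wider region list and, with enforce, no override (deny applies)."""
    props = json.loads(json.dumps(assignment["properties"]))  # deep copy, definition untouched
    props["resourceSelectors"][0]["selectors"][0]["in"] = list(regions)
    props["overrides"] = [] if enforce else props["overrides"]
    return {"properties": props}
```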



Mutation support for AKS clusters in Azure Policy

Azure Policy extends Gatekeeper's mutation feature to automatically modify components within your Kubernetes clusters at scale. Gatekeeper's mutation capability lets you remediate Kubernetes resources at create/update time based on criteria defined in mutation templates, which can be embedded within the policy definition. For an overview of Azure Policy capabilities for Kubernetes, visit Azure Policy for Kubernetes.



Constraints and Mutation templates extensible through the Policy VS Code extension

You can now use Azure Policy's VS Code extension to auto-generate a policy definition from an existing Open Policy Agent (OPA) GateKeeper v3 constraint template or an existing mutation template.


Image Integrity

You can now use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters.


Machine Configuration


GuestConfiguration authoring and testing module

We are excited to expand our suite of open-source features by making the GitHub repository of the Guest Configuration PowerShell Module publicly available! The GuestConfiguration PowerShell module provides commands that assist authors in creating, testing, and publishing custom machine configuration policies to manage settings inside Azure virtual machines and Arc-enabled servers at scale across both Windows and Linux.



NxTools, built-in DSC resources for managing Linux Servers

nxtools is an open-source collection of class-based DSC resources for commonly used Linux / Unix modules and built-in Machine Configuration packages for customers. Machine Configuration enables configuration as code, allowing you to audit and configure OS, app, and workload-level settings at scale, both for machines running in Azure and for hybrid Azure Arc-enabled servers.



Azure Resource Notifications


Azure Resource Notification - Public preview of New Event Grid System Topics for “Health Resources” & “Resource Management” events


Azure Resource Notifications (ARN) is a highly scalable, high-performance, and low-latency publisher-subscriber event streaming service tailored for the comprehensive Azure ecosystem. ARN seamlessly connects with a diverse array of publishers, making the data easily accessible through ARN's dedicated system topics in Azure Event Grid. The latest development includes support for two new Event Grid system topic types for Azure Resource Notifications, specifically focusing on Health Resources and Resource Management events. This expansion enhances the capabilities of ARN in providing relevant information about resource health and management within the Azure environment.

The HealthResources system topic provides accurate, reliable, and comprehensive health information, enabling a deeper understanding of the service issues affecting your Azure resources, namely single-instance virtual machines (VMs), Virtual Machine Scale Set VMs, and Virtual Machine Scale Sets. Health Resources offers two event types for consumption: AvailabilityStatusChanged and ResourceAnnotated.

The Azure Resource Management system topic provides insights into the life cycle of various Azure resources. It offers a more targeted selection of event types, specifically CreatedOrUpdated (corresponding to ResourceWriteSuccess in the Event Grid Azure subscription system topic) and Deleted (corresponding to ResourceDeleteSuccess in the Event Grid Azure subscription system topic). These events carry comprehensive payload information, making it easier for customers to apply filtering and refine their notification stream.



Azure Resource Graph


Coming Soon: Azure Resource Graph Power BI Connector

Please fill out this form to be one of the first people notified of this highly awaited feature on our roadmap.


Alerting on Azure Resource Graph Queries

Azure Resource Graph (ARG) facilitates efficient and high-performance resource exploration, enabling scalable querying across a defined set of subscriptions for effective governance of your environment. Azure Resource Graph now supports configuring and receiving alert notifications based on query results. Users can configure conditions and set up an action group to receive email notifications. This feature should equip you to proactively address issues in your environment by staying informed through alert notifications, leveraging the capabilities of ARG and Log Analytics.



Authorization Resources in Azure Resource Graph

Azure Resource Graph (ARG) has expanded its support to include Azure Role-Based Access Control (RBAC) resources through the AuthorizationResources table. This enhancement allows you to execute queries on your Role Assignments, Role Definitions, and Classic Admins resources. By leveraging this table, you can gain valuable insights to ensure that your security, compliance, and audit requirements are effectively addressed and met.
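As an added example (not from the original post or Microsoft's documentation), the Python below pairs an AuthorizationResources query with an offline triage of its rows. The KQL shape is an assumption inferred from the table's documented content (role assignments and role definitions keyed by the role definition GUID) and should be verified against your tenant; the rows are constructed with placeholder ids so the triage runs without an Azure connection.

```python
# Assumed KQL (shape inferred from the documented table; verify against your
# tenant): direct role assignments joined to a readable role name.
QUERY = """
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| extend principalType = tostring(properties.principalType),
         principalId = tostring(properties.principalId),
         scope = tostring(properties.scope),
         roleGuid = tolower(tostring(split(properties.roleDefinitionId, '/')[-1]))
| join kind=inner (
    AuthorizationResources
    | where type =~ 'microsoft.authorization/roledefinitions'
    | project roleGuid = tolower(tostring(split(id, '/')[-1])), roleName = tostring(properties.roleName)
  ) on roleGuid
| project id, principalType, principalId, scope, roleName
"""

PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
DIRECT_PRINCIPALS = {"User", "ServicePrincipal"}  # group-based grants are reviewed separately

# Constructed rows in the shape QUERY returns (placeholder ids, not real data).
ROWS = [
    {"id": "ra-1", "principalType": "User", "principalId": "u-1",
     "scope": "/subscriptions/SUB-PLACEHOLDER", "roleName": "Owner"},
    {"id": "ra-2", "principalType": "Group", "principalId": "g-1",
     "scope": "/subscriptions/SUB-PLACEHOLDER", "roleName": "Owner"},
    {"id": "ra-3", "principalType": "ServicePrincipal", "principalId": "sp-1",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1", "roleName": "Contributor"},
    {"id": "ra-4", "principalType": "User", "principalId": "u-2",
     "scope": "/providers/Microsoft.Management/managementGroups/root", "roleName": "User Access Administrator"},
    {"id": "ra-5", "principalType": "User", "principalId": "u-3",
     "scope": "/subscriptions/SUB-PLACEHOLDER", "roleName": "Reader"},
]

def scope_level(scope):
    """Classify an ARM scope: tenant, managementGroup, subscription, resourceGroup or resource."""
    parts = scope.lower().strip("/").split("/")
    if scope == "/":
        return "tenant"
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if len(parts) == 2:
        return "subscription"
    return "resourceGroup" if len(parts) == 4 and parts[2] == "resourcegroups" else "resource"

def flag_broad_grants(rows, levels=("tenant", "managementGroup", "subscription")):
    """Privileged roles granted directly to a user or service principal at subscription scope or above."""
    return [r["id"] for r in rows
            if r["roleName"] in PRIVILEGED_ROLES and r["principalType"] in DIRECT_PRINCIPALS
            and scope_level(r["scope"]) in levels]
```

The same row shape is what an ARG alert on this query would evaluate, so the triage thresholds here map directly onto alert conditions.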



Enhanced limit on the Azure Resource Graph query scope

The default scope of subscriptions or management groups from which a query retrieves resources now defaults to a list of subscriptions based on the context of the authorized user. Previously, the default maximum number of subscriptions for a single query was 5000. Users often reached this limit, resulting in a degraded query experience and failures with "TooManySubscriptionException".


To address this, we have made enhancements. We now support queries with a subscription limit of up to 10,000 for a single query. This expanded capability empowers enterprise users to execute queries across their extensive estate, encompassing thousands of subscriptions, without encountering the previous limitations.


Stay Updated


Keep in touch with Azure Governance products, announcements, and key scenarios.
