Everything New in Azure Governance @ Ignite 2023

You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Ignite, November 14-17, 2023.

 

The Azure Governance team is super excited to share all the following new features across our product portfolio. For each of the features, you will find an accompanying announcement with scenario details. For some of these announcements, you will also find a demo video to follow along.

 

Jump to: Ignite Session | Azure Policy | Machine Configuration | Azure Resource Notifications | Azure Resource Graph 

 

Ignite Session

 

Securely operate and manage your estate with Azure Policy and more
Thursday, November 16 | 4:00 PM PT

Join Neha, Kemley, Ryan, and Jodi in reimagining your at-scale cloud management and governance process. Our discussion will feature Azure Policy platform enhancements, a deep dive into gradual deployment best practices, and declarative configuration management. Bring all your questions and come learn how to securely govern your Azure, hybrid, and multi-cloud resources through interactive conversations and practical demonstrations.

 

Azure Policy

 

Deny Action effect in Azure Policy (GA)

Protect your critical resources from accidental deletion using Deny Action effect! Azure Policy expands its at-scale enforcement capabilities to deny resource deletion based on resource configuration or scope. The effect will support additional operations (e.g., deny move) in the future.   

 

• Check out this blog for more details - Generally available: Secure critical infrastructure from accidental deletions at scale with Policy
• Follow through the steps to use DenyAction in this demo - https://aka.ms/DenyActionDemo

 

Gradual Rollouts of Policy Assignments through Selectors and Overrides
Gradually roll out policies to follow safe deployment practices (SDP) without changing the policy definition. The resourceSelectors property on policy assignment enables targeting resources by resource location or resource type to target subset of resources through the rollout stages. In addition, the overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition to first roll out using the audit or auditIfNotExists effect.

 

• Check out our how-to guide to learn more on how to leverage these properties and others to safe deploy policy assignments: Safe deployment of Azure Policy assignments - Azure Policy | Microsoft Learn 

 

Mutation support for AKS clusters in Azure Policy

Azure Policy extends Gatekeeper’s mutation feature to automatically modify components within your Kubernetes clusters at-scale. Gatekeeper's mutation capability enables users to remediate Kubernetes resources at create/update time based on different criteria defined in mutation templates, which can be embedded within the policy definition. For an overview of Azure Policy capabilities for Kubernetes, visit Azure Policy for Kubernetes.

 

• Check out this blog for more details - https://aka.ms/MutationSupport

 

Constraints and Mutation templates extensible through the Policy VS Code extension

You can now use Azure Policy's VS Code extension to auto-generate a policy definition from an existing Open Policy Agent (OPA) GateKeeper v3 constraint template or an existing mutation template.

 

Image Integrity

You can now use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters.

 

Machine Configuration

 

GuestConfiguration authoring and testing module

We are excited to expand our suite of open-source features by making the GitHub repository of the Guest Configuration PowerShell Module publicly available! The GuestConfiguration PowerShell module provides commands that assist authors in creating, testing, and publishing custom machine configuration policies to manage settings inside Azure virtual machines and Arc-enabled servers at scale across both Windows and Linux. 

 

• Check out this blog for more details: The Azure Guest Configuration Powershell module is now open source
• Learn more about Machine Configuration in this demo video: Manage resources from cloud to edge using Azure machine configuration 

 

NxTools, built-in DSC resources for managing Linux Servers

nxtools is an opensource collection of class-based DSC resources for commonly used Linux / Unix modules and built-in Machine Configuration packages for customers. Machine Configuration enables configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.

 

• Check out this blog for more details: nxtools, managing Linux IaC just got simpler using Machine Configuration
• Learn more about nxtools in this demo video: Machine configuration for Linux...nxtools is LEGIT!

 

Azure Resource Notifications

 

Azure Resource Notification - Public preview of New Event Grid System Topics for “Health Resources” & “Resource Management” events

 

Azure Resource Notifications (ARN) is a highly scalable, high-performance, and low-latency publisher-subscriber event streaming service tailored for the comprehensive Azure ecosystem. ARN seamlessly connects with a diverse array of publishers, making the data easily accessible through ARN's dedicated system topics in Azure Event Grid. The latest development includes support for two new Event Grid system topic types for Azure Resource Notifications, specifically focusing on Health Resources and Resource Management events. This expansion enhances the capabilities of ARN in providing relevant information about resource health and management within the Azure environment.

​

HealthResources system topic provides accurate, reliable, and comprehensive health information, enabling deeper understanding of the diverse service issues impacting your Azure resources namely, single instance virtual machines (VMs), Virtual Machine Scale Set VMs, and Virtual Machine Scale Sets. Health Resources offers two event types for consumption: AvailabilityStatusChanged and ResourceAnnotated.​

​

Azure Resource Management system topic provides insights into the life cycle of various Azure resources.  It offers a more targeted selection of event types, specifically CreatedOrUpdated (corresponding to ResourceWriteSuccess in the Event Grid Azure subscription system topic) and Deleted (corresponding to ResourceDeleteSuccess in the Event Grid Azure subscription system topic). These events come with comprehensive payload information, making it easier for customers to apply filtering and refine their notification stream.​

 

• Check out this blog for more details: Announcing Public Preview of Resource Management and Health Resources Event Grid System Topics 

 

Azure Resource Graph

 

Coming Soon: Azure Resource Graph Power BI Connector

Please fill out this form to be one of the first people notified of this highly awaited feature on our roadmap.

 

Alerting on Azure Resource Graph Queries

Azure Resource Graph (ARG) facilitates efficient and high-performance resource exploration, enabling scalable querying across a defined set of subscriptions to enable effective governance of your environment. Azure Resource Graph now offers support for configuring and receiving alert notifications based on query results. Users can configure conditions and set up an action group to receive email notifications. This feature should equip you to proactively address issues in their environment by staying informed through alert notifications, leveraging the capabilities of ARG and Log Analytics.

 

• Check out this blog for more details: Announcing the Public Preview of Alerting on Azure Resource Graph - Microsoft Community Hub
• Learn more about configuring alerts in this demo video: https://aka.ms/ARGAlertingDemo

 

Authorization Resources in Azure Resource Graph

Azure Resource Graph (ARG) has expanded its support to include Azure Role-Based Access Control (RBAC) resources through the AuthorizationResources table. This enhancement allows you to execute queries on your Role Assignments, Role Definitions, and Classic Admins resources. By leveraging this table, you can gain valuable insights to ensure that your security, compliance, and audit requirements are effectively addressed and met.

 

• Check out this blog for more details: Announcing AuthorizationResources in Azure Resource Graph

 

Enhanced limit on the Azure Resource Graph query scope

The default scope of subscriptions or management groups from which resources are retrieved by a query now defaults to a list of subscriptions based on the context of the authorized user. Previously, the default maximum subscriptions limit for a single query was set at 5000. However, users often encountered issues, reaching this limit, resulting in a degraded query experience and failures with the "TooManySubscriptionException."

 

To address this, we have made enhancements. We now support queries with a subscription limit of up to 10,000 for a single query. This expanded capability empowers enterprise users to execute queries across their extensive estate, encompassing thousands of subscriptions, without encountering the previous limitations.

 

---

Stay Updated

 

Keep in touch with Azure Governance products, announcements, and key scenarios.

• Bookmark the Azure Governance Tech Community Blog, then follow us @AzureGovernance on X (previously known as Twitter)
• Share Product feedback/ideas with us here- Azure Governance · Community
• For questions, you can reach us at
  • Azure Policy: [email protected]
  • Azure Resource Graph: [email protected]