Category Archives: Azure Governance

Azure Arc: new features to manage systems in hybrid environments

The complexity of IT environments is constantly expanding to the point of having reality with applications based on different technologies, active on heterogeneous infrastructures and perhaps using solutions in different public clouds. The need greatly felt by customers is to be able to adopt a solution that, in a centralized way, invent it, organize and enforce control policies on their IT resources wherever they are. Microsoft's response to this need is Azure Arc, the solution involving different technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article lists new features that were recently introduced to extend the management capacity of hybrid environments.

The servers enabled for the Azure Arc solution can already benefit from various features related to Azure Resource Manager such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 1 – Azure Management for all IT resources

Thanks to the new update that was recently announced you can use new extensions, calls Azure Arc Extensions, to expand functionality and further extend Azure management and governance practices to different environments. This allows to adopt more and more typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Azure Arc Extensions

The Azure Arc Extensions are applications that allow you to make configurations and perform post-deployment automation tasks. These extensions can be run directly from the Azure command line, PowerShell or Azure portal.

The following Azure Arc Extensions are currently available and can be deployed on Azure Arc-enabled servers.

Custom Script Extensions for Windows and Linux Systems

With this extension, you can perform post-provisioning tasks of the machine to perform customizations of your environment. By adding this extension, you can download custom scripts, for example from Azure Storage, and run them directly on the machine.

Figure 2 – Custom Script Extensions, for Windows systems enabled for Azure Arc, from the Azure Portal

When deploying the Custom Script Extension, you can add the file that contains the script to run and optionally add its parameters. For Linux Systems, this is a shell script (.sh), while for Windows is a Powershell script (.ps1).

Desired State Configuration extension on Windows and Ubuntu systems (DSCForLinux)

Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with a view to "configuration as code".

DSC for Windows provides new Windows PowerShell cmdlets and resources that you can use to declaratively specify how you want to configure your software environment. It also provides a useful tool for maintaining and managing existing configurations. This extension works like the extension for virtual machines in Azure, but it is designed to be deployed on Azure Arc-enabled servers.

Figure 3 – Powershell Desired State Configuration, for Windows systems enabled for Azure Arc, from the Azure Portal

The extension DSCForLinux allows you to install the OMI agent and DSC agent on Azure Arc-enabled Ubuntu systems. The DSC extension allows you to perform the following actions:

  • Register the VM with an Azure Automation account to extract (Pull) configurations (Register ExtensionAction).
  • Deploy MOF configurations (Push ExtensionAction).
  • Apply the MOF meta configuration to the VM to configure a pull server to extract the node configuration (Pull ExtensionAction).
  • Install custom DSC modules (Install ExtensionAction).
  • Remove custom DSC modules (Remove ExtensionAction).


OMS Agent for Linux – Microsoft Monitoring Agent

The installation of this agent allows you to collect the monitor data from the guest operating system and the application workloads of the systems and send them to a Log Analytics workspace. This agent is used by several Azure management solutions, including Azure Monitor, Azure Security Center, and Azure Sentinel. Although today it is possible to monitor non-Azure VMs even without Azure Arc, the use of this extension allows you to automatically detect and manage agents in VMs. Once integrated, Azure Arc-enabled servers will fit perfectly into existing Azure portal views along with virtual machines in Azure and Azure scale sets.

After you deploy the Azure Arc agent on the systems, you can install the Microsoft Monitoring Agent (MMA) using this extension, simply by adding the Log Analytics workspace ID and its key.

Figure 4 – Microsoft Monitoring Agent extension for Azure Arc from the Azure portal

Thanks to the availability of these new extensions, Azure Arc-enabled servers also have features such as Update Management, Inventory, Change Tracking and Monitor.

Update Management

The Update Management solution allows you to have an overall visibility into update compliance for both Windows and Linux systems. The search panel can quickly identify missed updates and provide the ability to schedule deployments for update installation within a specific maintenance window.


This feature allows you to retrieve inventory information relating to: installed software, files, Windows Registry keys, Windows Services and Linux Daemons.

Change Tracking

Change Tracking feature allows you to track system changes to Daemons, File, Registry, software and services on Windows . This feature can be very useful to diagnose specific problems and to enable alerts against unexpected changes.


Thanks to the availability of these new extensions, you can take advantage of greater functionality, in governance and management typical of Azure, also for hybrid cloud environments. This is an important evolution of this solution, at the moment still in preview, which is soon destined to be further enriched with important new features.

Azure Monitor: how to enable the monitor service for virtual machine through Azure Policy

The service that allows you to monitor virtual machines has been made available in Azure Monitor, called Azure Monitor for VMs. This service allows you to analyze system performance data and makes a map that identifies all dependencies of virtual machines and their processes. The recommended way to enable this solution for different systems is through Azure Policy adoption. This article describes the steps to take to activate it using this method, taking up various concepts related to Azure governance.

Key Features of Azure Monitor for VMs

Azure Monitor for VMscan be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers) and includes the following areas:

  • Performance: shows summary details of performance, from the guest operating system. The solution has powerful data aggregation and filtering capabilities that enable you to meet the challenge of monitoring performance for a very large number of systems. This allows you to easily monitor the resource usage status of all VMs and easily identify those that have performance issues.
  • Maps: generates a map with the interconnections between the various components that reside on different systems. Maps show how VMs and processes interact with each other and can identify dependencies on third-party services. The solution also allows you to check for connection errors, count connections in real time, network bytes sent and received by processes and latencies encountered at the service level.

Enabling through Azure Policy

The Azure Policy allow to apply and force compliance criteria and related remediation actions on a large scale. To enable this feature automatically on virtual machines in your Azure environment and achieve a high level of compliance, it is recommended that you use Azure Policies. Using Azure Policy, you can:

  • Deploy the Log Analytics agent and Dependency agent.
  • Having a report on the status of compliance.
  • Start remediation actions for non-compliant VMs.

One requirement to check before activating is the presence of the solution VMInsights in the Azure Monitor Log Analytics workspace that will be used to store monitor data.

Figure 1 – Configuring the Analytics log workspace

Selecting the desired workspace triggers the installation of the solution VM Insights which allows you to collect performance counters and metrics for all virtual machines connected to that workspace.

To activate Azure Monitor for VMs policy just select the relevant onboarding tile on the main screen of the solution.

Figure 2 – Selecting Azure Policy as a enable method

The following blade will show the coverage status of the service and provide the ability to assign policies for its activation.

Figure 3 – Assigning the Initiative at the Management Group level

The Azure Management Groups, organize different subscriptions into logical containers, on which define, implement and verify government policies needed.

The Initiatives, which are a set of multiple Azure Policy, can be assigned at the Resource Group level, Subscription or Management Group. It is also possible to exclude certain resources from the application of policies.

In this regard, the policies for enabling Azure Monitor for VMs are grouped into a single "initiative", "Enable Azure Monitor for VMs" that includes the following policies:

  • Audit Dependency agent deployment – VM image (OS) unlisted
  • Audit Log Analytics agent deployment – VM image (OS) unlisted
  • Deploy Dependency agent for Linux VMs
  • Deploy Dependency agent for Windows VMs
  • Deploy Log Analytics agent for Linux VMs
  • Deploy Log Analytics agent for Windows VMs

This Initiative is recommended to be assigned at the Management Group level.

Figure 4 – Configuring the association

Among the parameters you are prompted to specify the Log Analytics workspace and optionally you can specify any remediation tasks.

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 5 – Verification of Initiative compliance status

Once the enable process is complete, you can analyze the system performance data and the maps created to identify all the dependencies of the virtual machines and their processes.

Figure 6 – Performance collected for systems

Figure 7 – Map with the interconnections between various systems

Figure 8 – Map showing connection details

An effective method to make these data easily accessible and to analyze them in a simple way is the use of Workbooks, interactive documents that allow you to better interpret information and do in-depth analysis. In this document of Microsoft you can consult the list of related Workbooks included in Azure Monitor for VMs and how to create your own custom.


This article demonstrates how you can enable the solution Azure Monitor for VMs thanks to the adoption of the Azure Policy in a simple way, fast and effective. The solution provides very useful information that typically needs to be collected on different systems in your environment. Increasing the complexity and amount of services on Azure makes it essential to adopt tools like Azure Policy, to have effective governance policies. In addition, with the introduction of Azure Arc it will be possible to extend these Azure management and governance practices to different environments, thus facilitating the implementation of features present in Azure on all infrastructure components.

Azure Governance: Azure Blueprints overview

IT governance enables you to create a process through which you can ensure that your business companies can efficiently use their IT resources, with the aim of being able to effectively reach their goals. Governance in the Azure Environment is made possible by a set of services specifically designed to enable large-scale management and control of various Azure resources. These tools include Azure Blueprints which allows for the design and creation of new components in Azure, fully complying with company specifications and standards. This article provides an overview of the solution to provide the necessary elements for its use.

Azure Blueprints allows Cloud Architects and Cloud Engineers, responsible for building architectures in Azure, to define and implement a set of Azure resources in a repeatable way, with the certainty of adhering to the standards, models and company-defined requirements. Azure Blueprints also allows you to quickly release new environments, adopting integrated components and accelerating development time and the delivery.

The main strengths of the solution Azure Blueprints can be summarized as follows.

Simplify the creation of Azure environments

  • Centralize the creation of new Azure environments using templates.
  • Allows you to add resources, policies and roles.
  • Allows you to track project updates through versioning.

Azure Blueprints through a declarative model allows you to orchestrate the deployment of various resource templates and other Azure artifacts. The service Azure Blueprints is based and supported by Azure Cosmos DB. Blueprint objects are replicated to multiple Azure regions, thus obtaining a low-latency, high availability and consistent access to them, regardless of the region in which the resources are deployed.

It allows to enforce compliance

  • Enables developers to create fully governed environments through self-service methodologies.
  • Provides the ability to centrally create multiple Azure environments and subscriptions.
  • Leverage integration with Azure Policies and devOps lifecycle.

Allows you to control locks on resources

  • It ensures that the base resources can not be modified.
  • It manages lock centrally.
  • It allows you to update the resources locked by means of changes to the definition of the blueprint model.

How to use Azure BluePrints

The article shows the steps to follow in order to adopt the solution Azure Blueprints.

Figure 1 - How Azure Blueprint works

The first steps include the creation of a blueprint that can be done via Azure portal, PowerShell or REST API.

Figure 2 - Initial screen of Bluprints in the Azure portal

By starting the creation process from the Azure portal it is possible to start from a blank blueprint or use some available examples.

Figure 3 - Creation of the blueprint by the Azure portal

The blueprint consists of different artifacts like: Role Assignments, Policy Assignments, Azure Resource Manager templates and Resource Group. After the creation you must publish the blueprint (at the end of creation will be in the draft state) specifying versioning. Azure Blueprints is very useful for companies that use the infrastructure-as-code model as it contemplates the processes of continuous integration and continuous deployment.

Only after publishing a blueprint you can assign it to one or more Azure subscriptions, specifying the lock type according to the following states:

  • Don’t Lock: means that resources created by Blueprints will not be protected.
  • Do Not Delete: means that resources can be changed, but not removed.
  • Read Only: the allocation results in locked and the resulting resources can not be modified or removed, even from subscription owners. In this case, it should specify that not all Azure resources support the lock and that the allocation of the lock can take up to 30 minutes to be effective.

Figure 4 – Blueprint Assignment

During the Blueprint assignment, you will also be prompted for the parameters to deploy the resources.

Figure 5 – Blueprint parameter request example

An interesting aspect of the solution Azure Blueprints is that the blueprints you create maintain a relationship with the assigned resources and can be monitored and audited, this is not possible using simple ARM templates and policies.


Azure Blueprints is a service that provides those involved to realize Azure architectures in the ability to define a set of resources into easily repeatable manner, in compliance with corporate standards and your organization's requirements. By adopting the blueprint you can rapidly build and deploy new environments, contemplating a series of integrated components. This allows not only to distribute consistent environments, but to do so in agile, enabling organizations to accelerate the development and delivery of solutions in Azure.

Azure Arc: a new approach to hybrid environments

The use of hybrid architectures in enterprise reality is more and more predominant, they allow you to continue to benefit from investments made in your on-premises environment and, at the same time, use the innovation introduced by the cloud. The adoption of hybrid solutions is a winner if it takes into account a shared policy for distribution, component management and security. Without consistency in the management of different environments, the costs and complexities are likely to grow exponentially. Microsoft has decided to respond to this need with the solution Azure Arc, involving a range of technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article presents the approach adopted by Azure Arc for hybrid environments.

The complexity of IT environments is constantly expanding to the point where we find reality with applications based on different technologies, active on heterogeneous infrastructures and maybe that adopt solutions in different public cloud. The need for customers is to be able to adopt a solution that centrally allows them to inventory, organize and enforce control policies on their IT resources wherever they are.

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Figure 1 – Azure Arc overview

To achieve this, Microsoft has decided to extend the model Azure Resource Manager so that we can also support hybrid environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Management for all resources

Azure Arc consists of a set of different technologies and components that allows you to:

  • Manage applications in Kubernetes environments: it provides the ability to deploy and configure Kubernetes applications in a consistent manner across all environments, adopting modern DevOps techniques.
  • Allow Azure data services to run on any infrastructure: everything is based on the adoption of kubernetes and allows achieving more easily meet compliance criteria, to improve the security of data and to have considerable flexibility in deployment time. At the time the services covered are Azure SQL Database and Azure Database for PostgreSQL.
  • Organize, manage and govern all server systems: Azure Arc extends Azure governance and management capabilities to physical machines and virtual systems in different environments. This solution is specifically called Azure Arc for servers.

Figure 3 – Azure Arc Technologies

Azure Arc involves the use of specific Resource Provider for Azure Resource Manager and the installation of Azure Arc agents is required.

By logging in to the portal, you can see that Azure Arc for Servers is already currently available in public preview, while you need to register to manage Kubernetes environments and data services in preview.

Figure 4 – Azure Arc in the Azure portal

Thanks to the adoption of Azure Arc which introduces an overall view, you can reach, for hybrid architectures, the following objectives, difficult to achieve otherwise:

  • Standardization of operations
  • Organization of resources
  • Security
  • Cost Control
  • Business Continuity
  • Regulatory and corporate compliance

Figure 5 – Cloud-native governance with Azure Arc


Azure Arc was recently announced and although still in an embryonic phase, I think that will evolve significantly enough to revolutionize the management and development of hybrid environments. To keep up to date on how this solution will develop you can register at this page.

How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surfaces of your environment. One of these mechanisms is theAdaptive Application Controls, a solution that can control which applications are running on the systems. Azure Security Center uses the machine learning engine to analyze applications running on virtual machines and leverages artificial intelligence to provide a list of allowed applications. This article lists the benefits that can be achieved by adopting this solution and how to perform the configuration.

Adopting this solution, available using the tier Standard of Azure Security Center, you can do the following:

  • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions. For Windows systems on Azure, you can also apply execution locks.
  • Respect corporate compliance, allowing the execution of only licensed software.
  • Avoid using unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place using specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their geographic location. Currently for systems not located in Azure and Linux VMs, only audit mode is supported.

This feature can be activated directly from the portal by accessing the Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, to help enforce Application Control policies.

From the management interface, the groups are divided into three types:

  • Configured: list groups containing VMs where this feature is configured.
  • Recommended: there are groups of systems where enabling application control is recommended. Security Center uses machine learning mechanisms to identify VMs on which the same applications are always regularly running, and therefore are good candidates to enable application control.
  • Unconfigured: list of groups that contain the VMs for which there are no specific recommendations regarding the application control. For example, VMs that systematically run different applications.

Figure 3 – Types of groups

By clicking on the groups of virtual machines, you will be able to manage the Application control rules, that will allow you to create rules that evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each individual rule, you select the machines on which to apply it and the applications that you want to allow. For each application, the detail information is provided, in particular, the "Expoitable" column indicates whether it is an application that can potentially be used maliciously to bypass the list of allowed applications. For this type of application, you should pay close attention before allowing.

This configuration, for Windows systems, involves creating specific rules inApplocker, and it govern the execution of applications.

By default, Security Center enables application control in modeAudit, only to control activity on protected virtual machines without applying any locks on application execution. For each individual group, after verifying that the configuration you have made does not result in any malfunctions on the workloads on the systems, you can bring application control to application mode Enforce, as long as they are Windows virtual machines in the Azure environment, to block the execution of applications that are not expressly allowed. You can always change the name of the group from the same interface.

Figure 5 – Change the name and protection mode

At the end of this configuration, you will see, in the main Security Center panel, notifications concerning potential violations in the execution of applications than allowed.

Figure 6 - Violation notifications of applications Securiy Center

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation


The functionality of Adaptive application controls allows with few easy steps to quickly enable a thorough check on the applications that run on systems. The configuration is simple and intuitive, especially thanks to functionality that allows to group the systems that have similar characteristics with regard to the execution of the application. It is therefore an important mechanism that helps prevent potential security threats and to minimize the attack surfaces of the environment. Added to the additional features, Adaptive application controls helps make Security Center a complete solution for the protection of workloads.

Azure Data Share: the service to share data in a safe manner

Microsoft recently announced the availability of the new managed service Azure Data Share, specially designed for sharing data between different organizations. Azure Data Share allows you to share and combine data in an easy way, in order to ensure effective business collaboration between different realities, in respect of safety and governance. In this article are covered the principles of operation and shows the procedure to be followed for the corresponding configuration.

To date, the most commonly used solutions for the exchange and sharing of corporate data are based on the File Transfer Protocol (FTP) or on custom Web API, which in addition to having to manage a specific infrastructure, are unable to adhere to corporate standards in terms of security and governance. In addition, these solutions are not suitable for the exchange of large volumes of data. Azure Data Share is a fully managed service with the aim of simplifying, secure and controlled the process of sharing data between different business realities. Is not required to configure any specific infrastructure and service can rapidly scale to meet big data sharing needs. Meanwhile, your safety is critical for a service of this kind and Azure Data Share exploits the main intrinsic safety measures in Azure for data protection.

Activation of the service

The activation of the service Azure Data Share must be carried out primarily by those who must share data, as follows.

Figure 1 - Starting the process of creation

Figure 2 - Parameters required by the creation process

The deployment is very fast and after activating the service you can begin the process of sharing data.

Using the solution

Azure Data Share has an intuitive interface, can be used directly from the Azure portal, and with a few simple steps you can choose what information to share and with whom to share them.

Figure 3 – Start the process of sharing

Figure 4 – Definition of the name and details of the share

It is possible to govern the use of the data by binding specific terms of use for each share that is created. To allow receiving data, recipients must accept the terms of use specified.

Figure 5 – Added the Dataset and the selection of the type

For data sharing today you can use as Dataset Azure Blob Storage and Azure Data Lake Storage, but soon will be introduced also new Azure data sources.

Figure 6 – Selection of the container that contains the data to be shared

Figure 7 - Added email address of the person you share files

The service also provides the ability to schedule the sharing of new content or changes, while maintaining complete control of any share.

Figure 8 - Scheduling of snapshots

Figure 9 - Review and creation of the share

The recipient will receive at the end of the sharing process a notification by email.

Figure 10 - Notification received via email from the person to whom you want to send data

Figure 11 - Invitation of Data Share from the Azure portal

One who receives the shared data must have a service Azure Data Share to see the shared data.

Figure 12 – Accept invitation to Date Share

In accepts the invitation you must specify the target, in this case the storage account, on which to bring the data received. Such content you can choose to keep it synchronized according to the scheduling specified by the sender.

Figure 13 - Configuration of the storage account target

Figure 14 - Detail of a receipt sharing

In the received shares it is also given the option to manually trigger a snapshot (full or incremental).


In a world where the amount, the type and variety of data is growing, you must have services that enable organizations to work together by sharing information of any kind and size. Thanks to the Azure Data Share you can share data, between different companies, in a simple way, safe and respecting the governance policies. Adding new datasets for data sharing, expected in the short term, will make this service even more complete and effective.

Azure Governance: introduction to Azure Resource Graph

The Azure governance is possible thanks to a series of specially designed services to enable a management and a constant control of the various Azure resources on a large scale. Among these services are Resource Graph, a powerful tool that allows you to quickly obtain via command-line details regarding the different Azure artifacts. Using Resource Graph you can retrieve information that previously required necessarily complex and iterative scripting. This article lists the characteristics of the solution and how you can use it to find out the details of Azure resources on large scale.

Characteristics of the service

In the presence of complex Azure environments who see the presence of many subscriptions, maintain overall visibility of all Azure resources can be complex without the use of tools specifically developed. These requirements which typically need to be addressed:

  • Ability to view resources and their properties in a transversal way among different subscriptions.
  • Be able to efficiently perform queries on resources by setting filters, groupings and by imposing a specific sort order on their properties.
  • Explore iteratively the different resources.
  • Assessing the impact achieved by applying policies on a large number of cloud resources.

The service Azure Resource Graph allows, thanks to the use of an efficient and powerful language to perform the following actions:

  • Query on resources by applying filters, complex groupings and sorts.
  • Explore iteratively resources based on the governance requirements.
  • Assess the impact given by the application of the policy in a vast cloud.
  • Detailing the changes that are made to the Azure resource properties. Recently was introduced the ability to view the last 14 days of history regarding the changes made to resources, to identify which properties have been changed and when. This feature is particularly useful in the process of troubleshooting, to detect any change events in a specific time slot. In addition, it is functional to understand the properties that were changed when a resource has changed the status of compliance, to consider adopting Azure Policy to properly manage such properties. For further details please visit the Microsoft's official documentation.

All these actions provide important aspects in order to govern the most of their Azure environment.

When an Azure resource is updated, Resource Graph Resource Manager is notified by the relevant changes and updates its database accordingly. Resource Graph also regularly performs a complete scan of resources to ensure that your information is up to date in case of missing notifications or updates that take place outside of Resource Manager.

How to use Resource Graph

The query of Azure Resource Graph are based on the Kusto language, also used by Azure Data Explorer, Application Insights and Azure Log Analytics. For more details on using the query language of Azure Resource Graph you can see the Microsoft's official documentation, that shows how it is structured and what are the operators and supported features.

Resource Graph supports theAzure CLIAzure PowerShell and Azure SDK for .NET. Querying Resource Graph requires the addition of the relative extension in the Azure CLI environment , while in Azure PowerShell the installation of the Resource Graph module is required. The queries are always structured in an identical manner, regardless of where they are performed.

The use of Resource Graph requires that the user with which it performs the query has at least read permissions, through Role-based access control (RBAC), about resources that you intend to query. If you don't have at least read permission on specific resources, queries will not return results related to them.

The service Azure Resource Graph is also used when performing research in the search bar of the Azure portal, in the new list of resources (‘All resources’) and in the change history of Azure Policy.

Figure 1 – Experience of ‘All resources’ using Azure Resource Graph

Sample Query

Below are some examples of query of Resource Graph and its result.

Figure 2 - Query to count by resources type (Resource Type)

Figure 3 - Query to count the resources by geographic location

The query of Azure Resource Graph have the advantage that besides being able to achieve the desired result in a simple way, they are also very performant:

Figure 4 - Running time of the query to count the resources based on location

If anyone wanted to achieve this result using the classic PowerShell method in complex Azure environments, should join to the single Azure subscription, search the necessary information and move to the next subscription. This approach was the only possible until the arrival of Resource Graph, but it was more labor intensive and much less powerful.

Figure 5 - List of VMs with the OS disk not Managed


Azure Resource Graph allows you to quickly and efficiently explore and analyze Azure resources, allowing to maintain a total visibility even on particularly complex Azure environments, consisting of several subscriptions, each of which with a large number of elements. Particularly useful is the functionality that allows you to see the history of changes to Azure resources. Azure Resource Graph is a tool that allows you to make a significant contribution for the governance of the Azure environment.

Azure Governance: how to organize your resources using the Azure Management Groups

In the presence of environments with a high number of Azure subscriptions it is necessary to have a different level of abstraction in order to effectively manage the accesses, policies and compliance. To this end, Azure Management Groups have been introduced, that allow to organize different subscriptions into logical containers, on which define, implement and verify government policies needed. This article examines in detail the concepts and shows directions to better organize the Azure resources in order to facilitate the process of governance.

To effectively organize Azure resources is fundamental to define a hierarchy of management groups and subscriptions to which you can apply Azure Policy, the service that allows you to create, assign and manage audit policy. The use of the Management Group is also helpful to effectively manage the assignment of permissions via role-based access control (RBAC), for administrative delegation.

Figure 1 - Example of a hierarchy of Management Groups

Each resource Azure is contained within a specific Azure Subscription, which it is associated to a single Azure Active Directory tenant, and inherits the permissions set at that level.

At the moment, a constraint to consider, is that a Management Group can contain multiple subscriptions provided that the same are part of the same tenant Azure ad. In other words,, the Management Groups reside within a tenant and cannot contain subscriptions of different tenants. The security principal that can be used on management group can come only by the tenant for the management group.

Figure 2 – Relationship between Azure AD and organizational structure

Azure resources belonging to a subscription are contained in Resource Groups. The resource groups are containers of resources that, for administrative purposes, allow to obtain the following benefits:

  • They facilitate administrative delegation because resources contained inherit permissions to the resource group level.
  • On the resource group you can set tags, although these are not automatically inherited by the resources, but it is necessary to foresee specific mechanisms if they are deemed necessary.

Figure 3 – Relationship between the levels of the organisational structure

The Azure Policy can be assigned to a subscription or Management Group level and can be defined exceptions for Resource Group. In this regard it is recommended whenever possible, to organize policies in "initiative" and assign them to Management Group level.

The root Management Group is the top level and contains all configured Management Groups and various Azure subscriptions. Root Management Group cannot be removed or moved. The structure can be created with up to six levels deep, without considering the Root level and the level of subscription. Each Management Group can have more children, but supports only one parent for each Management Group and for each subscription.

In the absence of specific requirements, Microsoft recommends that you split production environments than those "DevTest", creating two tiers of management groups. The management group root by default will have fundamental policies, such as those relating to security. On the remaining Management Groups are associated specific policies. The hierarchy of Management Groups provide a model for which the policies that are defined at higher levels in the hierarchy cannot be overwritten by lower levels.

Figure 4 – Management Group & Subscription Modeling Strategy

This approach enables you to manage complex Azure environments, who see the presence of more subscriptions. in a more simple and flexible way, for the following reasons:

  • The concept of inheritance allows with a single association to apply the desired controls and the assignment of roles on different subscriptions.
  • It has a centralized management.
  • You may include additional subscription in the hierarchy, with the knowledge that will adhere to established policies and who will have the assignment of desired roles.


The goverance processes by which an organization can ensure an effective and efficient use of IT resources, in order to achieve their goals, cannot refrain from adopting a model that allows to organize effectively the Azure resources. The use of Management Groups, in environments with a significant number of subscriptions, is essential to meet the common need of standardize, and in some cases impose, how you configure the different resources in the cloud.

How to discover and optimize cloud costs with Azure Cost Management

One of the main features of the cloud is the ability to create new resources with ease and speed. At the same time an important and fundamental challenge is to be able to keep under control the expenses to be incurred for the resources created in the cloud. The instrument Azure Cost Management makes it easy to find from which services are generated costs, prevent unnecessary costs and optimize resource costs. This article lists the characteristics of the solution and provides guidance in order to best use it for maximize and optimize investments in cloud resources.

Features of the solution

Azure Cost Management is enabled by default and accessible from Azure portal for all Microsoft Enterprise Agreement and Pay-As-You-Go subscriptions. The availability of the solution for CSP subscriptions (Cloud Solution Providers) is scheduled for the second half of the year. Azure Cost Management contemplates the Azure services, including reservations, and cost data by the use of third-party solutions coming from the Azure Marketplace. All costs shown are based on negotiated prices and the data is updated every four hours.

Azure Cost Management allows you to do the following regarding the cost of cloud resources.

Monitor the cloud costs

With this solution you can provide, to the various departments involved in the use of cloud resources, cost visibility of resources for which they are responsible. In addition, you have the option to go into detail and view the trend of costs with a very intuitive and interactive experience. From section Cost analysis you can view the costs, with a chance to put filters on time period and eventually group them according to different parameters.

Figure 1 – Cost analysis – costs accumulated in the last month

Setting for the selected period the daily granularity you can have a graph that shows precisely the day-by-day costs.

Figure 2 – Cost analysis – costs incurred daily

Azure Cost Management also offers the possibility to export the data to Excel or CSV, after setting the required view in section Cost analysis.

Figure 3 -Export the data view created in Cost analysis

The downloaded file contains details about the context used for file generation:

Figure 4 – Summary of Excel sheet created

This feature can be useful for detailed analysis that require a consolidation of this information with other data.

In case there is a need for more functionality in terms of integration and customization you can use Power BI connectors for the creation of specific dashboards and Azure Cost Management APIs to process information with other solutions.

Assignment of responsibility to the various project teams

To raise awareness of the various project teams by making adequate use of resources in terms of spending, you can define your budget. So you can get a significant cost optimization, with no impact in terms of agility in creating resources .

Figure 5 – Creating a budget

When creating a budget it is defined a spending for a certain period of time and you can set the alert to warn those directly responsible when it reaches a certain percentage of the preset threshold.

Optimization of costs

Although you may opt to manage the various Azure resource costs to team by giving them a budget, you can not always be assumed to know how to optimize resource efficiency and reduce costs. Azure Cost Management is able to provide specific recommendations to achieve cost savings.

Figure 6 – Advisor recommendations

In the specific case, to optimize Azure resource costs , it is recommended the purchase ofVirtual Machine Reserved Instances (VM RIs), estimating the annual savings that could be obtained by adopting VM RIs.

Azure Cost Management will soon be enriched with a new feature (currently in public preview) involving the management of costs incurred in the AWS, with the same characteristics as shown for Azure. This integration simplifies management of costs in multi-cloud scenarios.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consult the pricing of Cost Management.


Azure Cost Management is a great tool that allows you to maintain complete visibility of costs and to drive you to have a better manage of the expenses in the cloud resources. Thanks to the flexibility of this tool, constantly evolving, you can get the most from the investment in the cloud easily and intuitively.

Azure Governance: introduction to Azure Policy

IT governance is the process through which an organization can ensure an effective and efficient use of IT resources, in order to achieve their goals. Azure Policy is a service available in the Microsoft public cloud that can be used to create, assign and manage policies to control the resources in Azure. Azure Policy, natively integrated into the platform, are a key element for the governance of the cloud environment. In this article, the principles of operation and features of the solution are reported.

In Azure environments you can find different subscriptions on which develop and operate several groups of operators. The common requirement is to standardize, and in some cases impose, how to configure the resources in the cloud. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of different architectures. These goals can be achieved with a traditional approach, that includes a block of operators (Dev/Ops) in the direct access to cloud resources (through the portal, API or cli). This traditional approach is, however, inflexible, because it involves a loss of agility in controlling the deployment of resources. Instead, using the mechanism that comes natively from Azure platform is possible to drive the governance to achieve the desired control, without impacting speed, the basic element in the operations of the modern IT.

Figure 1 – Traditional approach vs cloud-native governance

In Azure Policy you can do the following reported:

  • Enable built-in policy or configure them to meet your needs.
  • Perform real-time evaluation of the criteria set out in the policy and force execution.
  • Assess the compliance of the policy periodically or on request.
  • Enable audit policy on the virtual machine guest environment (Vm In-Guest Policy).
  • Apply policies on Management Groups in order to gain control over the entire organization.
  • Apply multiple criteria and aggregate the various states of the policies.
  • Configure scope over which the exclusions are applied.
  • Enable real-time remediation steps, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 2 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon request, to assess the compliance of existing resources.

Figure 3 – Working principle of Azure Policy in resource control

Azure already contains many built-in policies ready to be applied. In addition, in this GitHub repository you can find different definitions of Azure Policies, that can be used directly or modified to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described in this Microsoft's document. You also have the possibility of creating Initiatives, they are a collection of multiple policies.

Figure 4 – Example of defining a Azure Policy

When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Figure 5 – Process of assigning an Azure Policy

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 6 – State of compliance

Figure 7 -Example of remediation action



Through the use of Azure Policy you can totally control your own Azure environment, in a simple and efficient way. Statistics provided by Microsoft cite that considering the 100 top Azure Customers, 92 these use Azure Policy to control their environment. This is because, when you increase the complexity and amount of services on Azure is essential to adopt instruments, as Azure Policy, to have effective governance policies.