Shepherding how Microsoft employees use Microsoft Azure

Oct 2, 2019

Microsoft employees are inventive when it comes to exploring what they can do with Microsoft Azure.

The last thing Vazjier Rosario wants to do is stifle that creativity.

“I think of it as providing guardrails,” says Rosario, who leads a new Microsoft Digital Cloud Governance team that guides Microsoft employees on how to get the most from using the company’s cloud product. “We don’t want anyone throwing themselves or the company down a cliff inadvertently.”

In her mind, a bit of good governance is just the right medicine for an enthusiastic employee base that’s helping the company figure out how to get the most out of Azure.

[Check out this case study to find out more about how Microsoft implemented governance inside our enterprise.]

But before we get into that, a bit on how we got here. Prior to moving to the cloud, Microsoft was a locked-down, heavily governed environment.

“Back in the day, we used to manage all of our datacenters centrally,” Rosario says. “It was Microsoft IT—if we needed an application to run a payroll application, we would provision a server to run it. If we wanted to build a new onboarding tool for human resources, we would provision a server for that.”

If you wanted access, you had to ask first.

At peak, Microsoft IT ran 10 different global datacenters and hundreds of mini datacenters in branch offices all over the world. “We were accountable for 44,000 operating system instances,” Rosario says. “We managed 32 petabytes of usable storage.”

Then the cloud came, and with it, a license for employees to run off and do their own thing. It happened that way partly because the company was adopting a “you own it from end to end” DevOps engineering mentality, and partly because free-thinking employees were finding new, creative, and helpful ways to use the company’s new flagship product.

“We went from a very centralized management to a very decentralized management,” Rosario says. “Owners of services could spin up and scale down resources as easily as they wanted.”

Eventually it became clear that employees were being a bit too free with Azure. Small incidents that could compromise company security would flare up. More and more often, employees would scale up Azure for a project but forget to scale back down when they were done.

In short, some governance was needed.

The evolving role of IT

Multiple efforts were put in place to govern how cloud resources were managed. Then last year (fiscal year 2019), Microsoft Digital created Rosario’s Cloud Governance team to develop and implement an Azure governance solution that enables enforcement of cloud-configuration standards for the company. Previously the company had guidance and templates, but adherence and usage were not enforceable. The solution enables Microsoft to enforce security controls, infrastructure policies, cost-management conditions, and other improvements that put guardrails around the company’s internal usage of Azure.

“We’re now using Azure policy and Azure management groups (MG) to add a layer of management above the subscription layer,” Rosario says. “You can nest several subscriptions in one bucket, or MG node. That allows us to deploy cloud configurations at scale to all of our Azure subscriptions at once—in a manner that subscription owners cannot override.”

To date the team has deployed its new governance system only within Microsoft Digital, Microsoft’s IT division. “There are approximately 700 subscriptions in Microsoft Digital,” she says. “So far we have onboarded 300 of those subscriptions into Microsoft Digital’s MG tree.”

The team is focused on onboarding Microsoft Digital. Once that is finished, it will extend to the rest of Microsoft.

“We hope to get every subscription in Microsoft Digital on board by the end of FY20,” Rosario says. “Once we’re done, we’ll move on to other parts of the company, which will be a multi-year effort, given the massive scope of subscriptions within divisions that have asked for Microsoft Digital’s help.”

So far, the team has taken a light touch when it comes to using its new enforcement teeth to regulate how employees use Azure. Most configuration standards have been deployed in the form of audit Azure policies. They continue to review new Azure policy requests from across the business, partnering with multiple Azure Engineering teams to enhance the policy, MG, and monitoring capabilities. They also write and test Azure usage code that enables managing Microsoft’s Azure portfolio at scale.

“When it comes to enforcement policies, we start by understanding what is right for the business,” Rosario says. “Then we evaluate any unintended consequences, and finally we talk about the technical capabilities to get there.”

While Microsoft’s move from its on-premises datacenters to Azure is largely complete, many teams across the company moved their workloads to the cloud as-is. It was a popular lift-and-shift migration that got them to the cloud but failed to take advantage of being there. Rosario’s larger team encourages Microsoft teams to modernize applications and services to work natively in Azure rather than invest more dollars in older systems.

Boosting Azure from inside Microsoft

Microsoft Digital’s use of Azure Governance policy and management group capabilities is useful to the Azure product group, as is the partnership between the two teams, says Rich Thorn, a senior program manager on the Microsoft Azure Management Groups team.

“Microsoft is one of the largest consumers of Azure, and it has incredible organizational scale,” Thorn says. “Our partnership with Microsoft Digital allows us to quickly work out designs and features for all large organizations prior to taking a feature public. Our team has been able to iterate on innovative solutions with Microsoft Digital quicker than we could with external customers.”

Satya Vel also underscores the important role of Rosario and the larger Microsoft Digital organization.

“Microsoft Digital is an integral part of our engineering process,” says Vel, also a principal program manager on the Azure Policy team. “They help us validate our preview capabilities at scale and provide feedback at all stages of our development process.”

Microsoft Digital is also playing a pivotal role from the Microsoft customer point of view, says Laura Hunter, a principal program manager on the Azure Governance customer side.

“The Azure Customer Experience team is committed to ensuring that the voice of Microsoft customers is integrated into the earliest possible stages of our product planning processes,” Hunter says. “Microsoft Digital’s early adoption of a ‘cloud-first’ strategy means that they can help us see over the horizon to make better planning decisions for our customers as a whole.”

As for Rosario, using Azure Governance tools to build out her team’s function has been a treat, especially since she has an open door to provide the Azure product group with feedback on how the service is working.

“For me, it’s super-exciting to use the product and to work with them to submit feature requests and find bugs,” she says. “We’re finding them before they affect customers—my team is helping shape the product.”

Learn more about governance tools and services in Azure.