Figure 1. The cloud governance hierarchy

Deploying policy

Management Groups enable us to logically group our subscriptions and deploy Azure policies at scale across all 700 subscriptions that Microsoft Digital manages. Policies are authored by engineers and checked into Azure DevOps. When the engineers are satisfied that a policy is ready, they submit a pull request that is reviewed by the Cloud Steering Committee. Once approved, the build and release pipelines run in Azure DevOps, where the deployment occurs. The automated deployment treats policy as code, so policies are configurable and easily redeployable.

Figure 2. An overview of the governed cloud with Azure governance

Best practices

- Enable automation wherever possible. Although automated processes take time to develop, the time savings and consistency benefits of automation usually outweigh the effort required to automate tasks.
- Consider how you use policy enforcement and inheritance. You can use policies as hard controls that specifically disallow resource deployment. These policies ensure that noncompliant resources are never deployed, but they can stop progress and delay development, so use them only for mandatory requirements. You should also leverage inheritance and apply broadly applicable or security-related policies as high in the hierarchy as possible.
- Map the Azure Management Group hierarchy to a logical structure. Azure Management Groups provide the ability to manage the Azure portfolio at scale. Ensuring that Management Groups map accurately to your logical structure makes it easier to deploy policy.
Logical structure could be based on environment, business structure, or other compositions specific to your organization.
- Leverage Azure Management Groups beyond policy application. Azure Management Groups enable you to perform additional management tasks across subscriptions. You can use Management Groups for other enterprise-management scenarios, including cost management, reporting, and solution management.
- Enable robust end-to-end monitoring and alerting. Management Group access can grant wide-ranging permissions within Azure, so how your access model is configured is critical. It might be necessary to use Privileged Identity Management (PIM) as part of a comprehensive strategy; PIM allows administrators to request just-in-time access. We've been using a two-key system for administrative access that ensures that no single individual can make critical changes on their own. It's also important to monitor Management Group events such as creation, deletion, and modification, along with permission changes. Most of this information is written to the standard Azure Activity Log.

Moving forward

Now that we have defined a democratized governance framework that works in a DevOps culture, using native tools to build a scalable solution and a strong partnership with the Azure governance team, we are positioned to enable Cloud Governance to manage Microsoft Digital's Azure implementation at enterprise scale. We're working toward a more comprehensive Azure governance solution, including explicitly enforced policies and comprehensive compliance management. We're also working on automated remediation capabilities for noncompliant resources. Our implementation approach is divided into four phases:
- Evaluation of the Azure services that will be used to build the enterprise solution.
- Secure implementation of Management Groups.
- Deployment of audit policies to enable the transition to compliance management natively in Azure.
- Deployment of enforcement policies to enable the transition to compliance by default.

Conclusion

Azure governance has enabled Microsoft Digital to create an Azure-native, enterprise-scale governance solution that provides decentralized management of our Azure environment and its governance needs. With Azure governance, our environment is more compliant with our organizational policies and, as a result, more efficient, robust, and effective.
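The best practices and the audit-then-enforce phases above can be expressed as a single policy-as-code artifact. The following Azure PowerShell script is an added example, not code from the article or from Microsoft Digital: it defines a custom policy whose effect is a parameter, assigns it at management-group scope so every child subscription inherits it, and switches the same assignment from Audit to Deny when the audit results are clean. The management group id, policy names, and the choice of storage secure-transfer as the controlled setting are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes the Az.Resources module
# and an authenticated session (Connect-AzAccount). Names below are placeholders.
$mgName = 'mg-platform-security'   # placeholder management group id

# Rule: storage accounts that do not enforce HTTPS-only transfer are out of policy.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
      ] }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# The effect is a parameter, so one definition serves both the audit phase and the
# enforcement phase; only the assignment's parameter value changes.
$params = @'
{
  "effect": {
    "type": "String",
    "defaultValue": "Audit",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "metadata": { "displayName": "Effect" }
  }
}
'@

# Define the policy at the management group (placeholder) so child subscriptions inherit it.
$definition = New-AzPolicyDefinition -Name 'storage-https-only' `
    -DisplayName 'Storage accounts must enforce secure transfer' `
    -Mode Indexed -Policy $rule -Parameter $params -ManagementGroupName $mgName

$scope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Audit phase: report noncompliant accounts without blocking deployments.
New-AzPolicyAssignment -Name 'storage-https-only' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Audit' }

# Enforcement phase (run later, once the audit backlog is remediated): flip the same
# assignment to Deny so noncompliant storage accounts can no longer be deployed.
Set-AzPolicyAssignment -Name 'storage-https-only' -Scope $scope `
    -PolicyParameterObject @{ effect = 'Deny' }
```

Because the assignment sits on the management group, the Deny decision is evaluated for every subscription beneath it, and the assignment itself is visible in the Azure Activity Log alongside the Management Group events the article recommends monitoring.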
This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.
Enabling enterprise governance in Azure - Inside Track Blog