Azure Governance and Management Blog

Keep your Azure Landing Zones policy assignments up to date with Azure Governance Visualizer

Seif_Bassem
May 20, 2025
In today's rapidly evolving cloud landscape, keeping your landing zone up to date is critical for maintaining security, performance, and support for your Azure environment. Regular updates to your landing zone ensure that you're mitigating emerging cybersecurity threats, preventing platform configuration drift, and optimizing your environment to take advantage of the latest Azure features. However, this process is not without its challenges. As landing zones evolve, technical debt can accumulate, and neglecting to stay current can expose you to security risks or hinder your ability to leverage new capabilities. This post introduces a new feature in the Azure Governance Visualizer that can help you track the latest policy assignments that you are missing in your Azure Landing Zone deployment.

What problem are we solving?

One of the main challenges of maintaining your Azure Landing Zone (ALZ) deployment is keeping up to date with the latest ALZ policy assignments across your management group hierarchy. To secure and optimize your environment, the ALZ team regularly updates the policy assignments, which makes it hard to identify what has changed and at which management group scope each change applies.

The Azure Governance Visualizer (AzGovViz) is a PowerShell script that iterates through your Azure tenant's management group hierarchy down to the subscription level. It captures data from the most relevant Azure governance capabilities, such as Azure Policy and Azure role-based access control (RBAC). The visualizer shows your hierarchy map from the collected data to create a tenant summary and build granular scope insights about your management groups and subscriptions.

A new feature introduced in AzGovViz is the "ALZ Policy assignments checker", which visualizes your ALZ hierarchy and shows the missing policy assignments that you should have assigned to your different ALZ management groups.

Let's explore how to use this new feature.

Deployment

AzGovViz is a PowerShell script, and it has multiple switches to enable/disable its various capabilities. To enable this feature, you need to provide two switches when you deploy it:

  • ALZPolicyAssignmentsChecker: This feature is disabled by default; you have to provide this switch to turn it on.
  • ALZManagementGroupsIds: This is a hashtable mapping the reference ALZ management groups to your own management group Ids. This is important because every customer might have a different management group hierarchy in terms of names, archetypes, and co-location of platform management groups.

Your AzGovViz deployment command should look like this:

.\pwsh\azGovVizParallel.ps1 -ManagementGroupId <Your management group Id> -OutputPath "c:\AzGovViz-Output" -ALZPolicyAssignmentsChecker -ALZManagementGroupsIds @{ "root" = "ALZ";"platform" = "ALZ-platform";"connectivity" = "ALZ-connectivity";"identity" = "ALZ-identity";"management" = "ALZ-management";"landing_zones" = "ALZ-landingzones";"corp" = "ALZ-corp";"online" = "ALZ-online";"sandboxes" = "ALZ-sandboxes";"decommissioned" = "ALZ-decommissioned" }

NOTE: The keys of the hashtable must be exactly the ones shown above; you only need to change the values on the right to match the management group Ids of your ALZ hierarchy.
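As an added example (not code from this post or from the AzGovViz project), the following PowerShell script builds the hashtable, checks that its keys match the set AzGovViz expects, verifies that each mapped management group Id exists in the tenant, and then runs AzGovViz with the checker enabled. It assumes the Az.Resources module is installed, you are already signed in with Connect-AzAccount, and the contoso-* Ids are constructed placeholders for your own management group Ids.

```powershell
# Added example: validate the ALZ management group mapping before running AzGovViz.
# Assumes Az.Resources is installed and an authenticated Az session (Connect-AzAccount).

$requiredKeys = @(
    'root', 'platform', 'connectivity', 'identity', 'management',
    'landing_zones', 'corp', 'online', 'sandboxes', 'decommissioned'
)

# Constructed sample tenant: only the right-hand values are changed to your own Ids.
$alzMgIds = @{
    'root'           = 'contoso'
    'platform'       = 'contoso-platform'
    'connectivity'   = 'contoso-connectivity'
    'identity'       = 'contoso-identity'
    'management'     = 'contoso-management'
    'landing_zones'  = 'contoso-landingzones'
    'corp'           = 'contoso-corp'
    'online'         = 'contoso-online'
    'sandboxes'      = 'contoso-sandboxes'
    'decommissioned' = 'contoso-decommissioned'
}

# 1) The keys must match the expected set exactly; a typo here silently breaks the mapping.
$missingKeys = $requiredKeys | Where-Object { -not $alzMgIds.ContainsKey($_) }
$extraKeys   = $alzMgIds.Keys   | Where-Object { $_ -notin $requiredKeys }
if ($missingKeys -or $extraKeys) {
    throw "Hashtable key mismatch. Missing: [$($missingKeys -join ', ')] Unexpected: [$($extraKeys -join ', ')]"
}

# 2) Report which mapped management groups exist in the tenant. Get-AzManagementGroup
#    lists every management group the caller can read; its Name property is the Id.
$existing = (Get-AzManagementGroup).Name
foreach ($key in $requiredKeys) {
    $id    = $alzMgIds[$key]
    $state = if ($existing -contains $id) { 'exists' } else { 'NOT FOUND' }
    Write-Host ('{0,-15} -> {1,-28} {2}' -f $key, $id, $state)
}

# 3) Run AzGovViz from the repository root with the checker switch, splatting the parameters.
$azGovVizParams = @{
    ManagementGroupId           = $alzMgIds['root']
    OutputPath                  = 'C:\AzGovViz-Output'
    ALZPolicyAssignmentsChecker = $true
    ALZManagementGroupsIds      = $alzMgIds
}
.\pwsh\azGovVizParallel.ps1 @azGovVizParams
```

Any Id reported as NOT FOUND will also show up as missing in the "Management Group exists / provided" column of the HTML output, so fixing the mapping here avoids a misleading report.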

After AzGovViz has traversed your environment and generated the HTML output, you should see a new section called "ALZ Policy assignments checker".

How to read the information in this section?

Once you expand this section, you will see multiple columns with various information and links. Let's explore what each column means and how you can read it.

  • ALZ Management Group: This column is based on the management group Ids you provided while deploying AzGovViz. It maps your existing management group hierarchy to the standard ALZ hierarchy. It will also show if the Id you provided is not correct or the management group doesn't exist (for example: I don't have the Sandboxes management group in my environment). If you click on the links in this column, you will be redirected to the Azure Landing Zone library, specifically to the selected archetype definition. This can help you understand what the policy definitions, policy set definitions, policy assignments, and role definitions are at that level.

Note: Also note in the screenshot that this is not the main branch, as there is a commit Id; we will explain this in a second.

  • Management Group exists / provided: This column verifies whether the management group Id that corresponds to the reference ALZ management group is provided and whether it exists in your tenant. Note the
  • Missing ALZ Policy Assignments: This column lists all the policy assignments that are assigned to the reference ALZ management group but not assigned to the corresponding management group in your tenant. For example, I'm missing the Enable-DDoS-VNET payload Link policy assignment at my ALZ-connectivity management group, which maps to the Connectivity management group in the reference ALZ archetypes. When you click on any missing policy, you will be redirected to the ALZ library to understand how this policy assignment is structured.
  • AzAdvertizer Link: This column has the AzAdvertizer link for the missing policy assignment.
  • ALZ Library release: This column points to the ALZ library release that this policy assignment assessment is done against. This is the commit Id that you see in the previous screenshots of the ALZ library repository.
  • ALZ release: This column points to the ALZ release that introduced this policy assignment. This information is useful because not every customer is on the latest ALZ release, so it's good to know which ALZ release this assessment is done against.

Updated May 20, 2025
Version 1.0