🚨 Azure Service Health Built-In Policy (Preview) – Now Available!
Resiliency is a key focus for Microsoft in making sure our customers experience minimal impact due to planned or unexpected outages that may occur. Up until now there has been no native, scalable solution to provide consistent notifications across Azure subscriptions for Service Health events. Building on the success of Azure Monitor Baseline Alerts (AMBA), where this functionality is currently available, the AMBA team has combined with the Service Health product team to include this capability in the Azure native experience.

We're excited to announce the release of Azure Service Health Built-In Policy (Preview), a new built-in Azure Policy designed to simplify and scale the deployment of Service Health alerts across your Azure environment. This policy enables customers to automatically deploy Service Health alerts across subscriptions, ensuring consistent visibility into platform-level issues that may impact workloads. Existing subscriptions can be remediated in bulk, and new Azure subscriptions created after the policy has been assigned will automatically be configured to receive Service Health alerts.

🔍 What's the purpose of this announcement?

- It addresses situations where customers only permit the use of built-in policies.
- It automates the setup of Service Health alerts across all subscriptions when deployed at the management group level.
- It ensures consistent alert coverage for platform events.
- It helps reduce manual setup and ongoing maintenance.

🛠️ What options are available with the Policy?

All the learnings from AMBA have been taken into consideration in designing and creating this policy. There is now a wide range of options available to provide flexibility based on your needs. These options are surfaced as parameters within the policy:

- It audits the existing environment for compliance.
- It ensures the ability to provide custom alert rules that align with your naming standards.
- It gives the ability to choose the types of Service Health events to monitor.
- It supports bring-your-own Action Group, or the ability to create a new Action Group as part of the policy assignment.
- For ARM role notifications, it lets you choose from a pre-set list of built-in roles.
- It provides the ability to choose from email, Logic App, Event Hubs, webhook, and Azure Functions within the Action Group.
- It enables flexible naming and location of the resource group.
- It gives the ability to add resource tags.

🧩 What about Azure Monitor Baseline Alerts?

The AMBA team has been working to incorporate the new built-in policy into a future release. The team plans to roll this out in the next few weeks, along with details for existing customers on replacing the existing AMBA custom policy. These changes will then be consumed into Azure Landing Zones. AMBA continues to offer a wide range of alerts for both platform and workload services in addition to Service Health alerts. This announcement does not serve as a replacement for AMBA but simply complements the AMBA solution.

📣 What's Next?

Check out the guidance on leveraging this policy in your environment: Deploy Service Health alert rules at scale using Azure Policy - Azure Service Health

Should you require support for this policy, please raise a support ticket via the portal, as comments raised below may not be addressed in a timely manner.

Everything New in Azure Governance @ Build 2025
You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Build, May 19-22, 2025. Azure Governance is an ecosystem of neatly integrated services that provide the ability to ensure speed and control across your cloud environment. From enforcing rules in your cloud environment to querying the state of your resources at scale, Azure Governance services keep your resources secure and compliant with corporate standards.

Join us at Microsoft Build!

#MSBuild Session: "Unlock developer agility with a well governed environment" - Thurs, May 22 @ 8:30 AM PDT

In a world where app and environment requirements are ever changing, maintaining control can be a moving target. Come learn how to empower your developers to achieve more, without compromising on security, compliance, or operational best practices, through Azure Governance products. In this session we'll be discussing newly released features within Azure Policy, diving deep into Policy as Code, and announcing a new grouping construct called Service Groups, designed to optimize cross-subscription management.

Join the session here: https://aka.ms/AzGovBuild25

Sign up for our #MSBuild Product Roundtable Sessions!

Are you going to attend Build 2025 in person in Seattle? If the answer is yes, Azure product teams would like to invite you to the following Customer Feedback Roundtable sessions at Microsoft Build 2025. Sign up here to join our roundtable sessions: https://aka.ms/AzGovRoundtable. This is a unique opportunity for you to share your insights and help shape the future of Azure. These roundtables will be filled on a first come, first served basis, so don't miss your chance to sign up now!

If you are not attending Build in person, no problem! If you are interested, we would like to invite you to participate in future online feedback sessions.

New Releases @ Build 2025

The Azure Governance team is excited to share all the following new features across our product portfolio.
For each of the features, you will find an accompanying announcement with scenario details, documentation and blog posts to follow along!

Jump to section:
- (New!) Azure Service Groups
- Azure Policy
- Azure Machine Configuration
- Azure Resource Graph (ARG)
- Azure Resource Manager (ARM)

(New!) Azure Service Groups

Azure Service Groups - Public Preview

A Service Group (SG) is a new grouping structure in Azure that supports flexible grouping of cross-subscription resources and multiple hierarchies of groups. Service Groups provide a unified view and management capabilities, enabling:

- Low Privilege Management: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access rights, and appealing to multiple personas.
- Flexible Cross-Subscription Grouping: Azure resources and scopes, from anywhere in the tenant, can become members of one or multiple service groups.
- Varying Hierarchies: Service Groups can be self-nested, providing the ability to have multiple hierarchy structures of resource containers.
- Data Aggregation & Views: Aggregate data from resources across subscriptions for practical workloads. View application health (via Health Model) and important data values centered around your wanted perspective.

You can reach our team by email at azureservicegroups@microsoft.com for any questions or comments!

TechCommunity Blog: https://aka.ms/servicegroupspreview
MS Learn Documentation: http://aka.ms/servicegroups

Azure Policy

New Features currently in Private Preview

Many of the Azure Policy enhancements, including user-based exemptions, caller-type based enforcement (e.g., type user or service principal) and IP filtering, are currently in private preview and will soon be available to the public. Stay tuned!
Azure Machine Configuration

Linux SSH Posture Control Policy - Generally Available

We are excited to announce additional built-in capabilities for Linux management scenarios through Azure Policy and Machine Configuration. Through new built-in policies, you can manage your SSH configuration settings declaratively at scale. SSH Posture Control enables you to use the familiar workflows of Azure Policy and Machine Configuration to:

- Ensure compliance with standards in your industry or organization
- Reduce the attack surface of remote management features
- Ensure consistent setup across your fleet for security and productivity

SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons help you document compliance for auditors with confidence and evidence. They also enable you to take action when non-compliance is observed.

MS Learn Documentation: What is SSH Posture Control? | Microsoft Learn

Windows Server 2025 Audit Policy (powered by OSConfig) - Generally Available

You can now deploy the Windows Server 2025 security baseline to your environment and ensure that desired security measures are in place, providing a comprehensive and standardized security framework. The Windows Server 2025 baseline includes over 300 security settings to ensure that it meets industry-standard security requirements. It also provides co-management support for both on-premises and Azure Arc-connected devices. The OSConfig tool is a security configuration stack that uses a scenario-based approach to deliver and apply the desired security measures for your environment.
MS Learn documentation: Configure security baselines for Windows Server 2025 | Microsoft Learn

Onboarding Arc Machines at-scale to Machine Config in Azure Portal - Public Preview

With the integration of Machine Configuration audit policies in the Arc at-scale onboarding experience, you can now quickly deploy audit policies to get a deeper look at the security posture of your Arc-enabled servers. Whether you're seeking to test Machine Configuration on an Arc machine or looking to deploy a policy across a broader scope of machines, your deployment workflow just got incredibly easy with this new integration.

Azure Resource Graph (ARG)

ARG GET/LIST API - Private Preview

Now in Private Preview is the Azure Resource Graph GET/LIST API, a highly scalable, fast, and performant alternative to existing control plane GET and LIST API calls within the Azure ecosystem. This API allows you to mitigate issues related to throttling, such as performance degradation and failed requests, by offering a 10X higher read throttling quota to callers, ensuring faster and more efficient read operations for your critical cloud native workloads. Contact argpms@microsoft.com to join the private preview program!

Azure Resource Graph Copilot – Generally Available

With the release of the Azure Resource Graph (ARG) skill within Copilot, customers can access the ARG query skill through the Azure Portal or GitHub Copilot. Questions about resource governance like "how many Linux VMs do I own" will be sent to the ARG skill. With this release, customers can easily turn natural language questions into ARG queries. ARG Copilot helps users create queries to quickly surface insights about resources and simplify operational investigations.
MS Learn documentation: https://learn.microsoft.com/azure/copilot/get-information-resource-graph

Azure Resource Manager (ARM)

EU Data Boundary enabled by ARM - Generally Available

Going beyond Azure's existing data storage commitments, you can now store and process EU data in the EU by leveraging the EU Data Boundary enabled by Azure Resource Manager. With Azure Resource Manager, you can ensure that in-scope global Azure metadata, including EUII, EUPI, Customer Content, and Support Data, is routed, processed, and stored entirely within EU Data Boundary countries and datacenter locations. This builds on Azure's existing regional metadata privacy commitments and helps our European customers achieve greater control over data locality to meet regulatory, compliance, and sovereignty requirements.

MS Learn Documentation: What is the EU Data Boundary? - Microsoft Privacy | Microsoft Learn

Stay Updated

Keep in touch with Azure Governance products, announcements, and key scenarios. Bookmark the Azure Governance Tech Community Blog, then follow us @AzureGovernance on X (previously known as Twitter).

Share product feedback/ideas with us here: Azure Governance · Community

For questions, you can reach us at:
- Azure Policy: policypm@microsoft.com
- Azure Resource Graph: argpms@microsoft.com

[Public Preview] Dynamically organize your cloud resources with Azure Service Groups!
With Service Groups, you can now leverage flexible cross-subscription grouping, low privilege management, nested resource hierarchies, and data aggregation for practical workloads and application monitoring.

Common Azure Policy Issues and Solutions
Azure Policy is a powerful tool for enforcing governance and compliance in Azure environments, but users often encounter issues that can hinder its effectiveness. Below is a concise overview of common Azure Policy issues and their troubleshooting steps, based on current information and best practices.

1. Policy Not Firing or Evaluating as Expected

Issue: Policies fail to trigger, or resources are not evaluated correctly (e.g., marked compliant when non-compliant, or vice versa).

Causes:
- Incorrect policy mode (e.g., the default Indexed mode in Azure CLI doesn't evaluate resource groups).
- Misconfigured policy rule logic or incorrect use of aliases.
- Scope mismatch (e.g., a policy assigned to a resource group but not evaluated due to mode restrictions).

Solutions:
- Explicitly set the policy mode to All when using Azure CLI (--mode All) to evaluate resource groups and subscriptions.
- Validate policy rules using the Azure Policy extension for Visual Studio Code or the SDK to ensure correct aliases and logic.
- Test policy rules with different combinations of if/then blocks and conditions (All/Any). Reverse the logic if compliance reports are incorrect.
- Ensure the policy scope aligns with the resources being evaluated (e.g., management group, subscription, or resource group).

2. Resource Creation or Update Denied

Issue: Users receive a "Blocked by policy" error when creating or updating resources.

Causes:
- A policy with a Deny effect is applied to the resource scope, blocking non-compliant actions.
- The resource payload is missing, or it matches the policy logic incorrectly.

Solutions:
- Check the error message for the policy definition and assignment IDs, or review the Activity log for details.
- Verify the resource payload using an HTTP Archive (HAR) trace or Azure Resource Manager (ARM) template properties.
- Adjust the policy definition to allow the action, or create an exemption for specific resources if justified (e.g., a temporary waiver or mitigated exemption).
- Test actions in a non-production environment to identify policy violations before production deployment.

3. Non-Compliance Reporting Issues

Issue: Resources appear in unexpected compliance states (e.g., not compliant when they should be, or compliance details not updating).

Causes:
- Delay in policy evaluation (new assignments take ~5 minutes, resource updates ~15 minutes, standard scans run every 24 hours).
- Incorrect or missing aliases in the policy definition.
- Lack of read permissions for the resource type, preventing compliance data visibility.

Solutions:
- Wait for the evaluation cycle to complete, or trigger an on-demand scan using Azure PowerShell, the REST API, or the Azure Policy Compliance Scan GitHub Action.
- Validate aliases using the Azure Policy extension for VS Code or the SDK. If an alias doesn't exist, create a support ticket.
- Ensure the user has read permissions for the resource type (e.g., Microsoft.DBforPostgreSQL/flexibleServers/read). Request read operation support if unavailable.
- Review the compliance DETAILS pane in the Azure portal for specific non-compliance reasons, and check the last 14 days of change history (preview feature) for resource changes.

4. Custom Policy Development Challenges

Issue: Custom policies fail to work as intended or produce errors during creation.

Causes:
- Incorrect policy alias or resource type in the definition.
- Policy effects (e.g., Deny) not supported for the resource type, leading to unexpected behavior.
- Security restrictions that prevent certain aliases from being added.

Solutions:
- Use the Azure Policy extension for VS Code to validate aliases, and check available operations via the Azure RBAC documentation.
- Switch to a supported effect (e.g., Audit instead of Deny) if the resource type doesn't support the intended effect.
- Explore alternative values or indirect methods to achieve the policy goal if aliases are restricted for security reasons.
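Several of the causes in sections 1 and 4 (a definition left in Indexed mode while targeting resource groups, a misspelled effect, an alias damaged by copy/paste) can be caught before the definition is ever created. The script below is an added example written for this page; it is not Microsoft's tooling and does not replace the Azure Policy extension for VS Code. The effect list and the set of built-in field names are assumptions that may lag behind the service, and the two sample definitions at the bottom are constructed for illustration.

```python
"""Pre-flight lint for Azure Policy definition JSON (added example, not Microsoft code).

Encodes the failure causes named in the troubleshooting list: wrong mode for
resource-group/subscription targets, missing if/then, unknown effects, and
malformed aliases or field references. Assumptions: KNOWN_EFFECTS and
BUILTIN_FIELDS are hand-maintained and may be incomplete.
"""
import json
import re

# Effects documented for policy definitions (assumption: kept current by hand).
KNOWN_EFFECTS = {"audit", "auditifnotexists", "deny", "denyaction", "deployifnotexists",
                 "disabled", "modify", "append", "manual", "mutate"}
# Types that Indexed mode never evaluates; a rule targeting them matches nothing unless mode is All.
UNINDEXED_TYPES = {"microsoft.resources/subscriptions",
                   "microsoft.resources/subscriptions/resourcegroups"}
# Field names accepted without an alias (assumption: partial list).
BUILTIN_FIELDS = {"name", "fullname", "kind", "type", "location", "id", "identity.type"}
ALIAS_RE = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9]+(/[A-Za-z0-9_.\-\[\]*]+)+$")
TAG_FIELD_RE = re.compile(r"^tags(\[['\"]?[^\]]+['\"]?\])?$")  # tags, tags['env'], tags[env]
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _walk(node, fields, types):
    """Collect every 'field' reference and every literal 'type' target in a condition tree."""
    if isinstance(node, list):
        for child in node:
            _walk(child, fields, types)
        return
    if not isinstance(node, dict):
        return
    if "field" in node:
        fields.append(node["field"])
        if str(node["field"]).lower() == "type":
            for key in ("equals", "like", "in"):
                val = node.get(key)
                vals = val if isinstance(val, list) else [val] if isinstance(val, str) else []
                types.extend(str(v).lower() for v in vals)
    for key in ("allOf", "anyOf", "not", "count", "where"):
        if key in node:
            _walk(node[key], fields, types)


def _effect_candidates(props):
    """Return (raw effect string, concrete effect values to check)."""
    effect = props.get("policyRule", {}).get("then", {}).get("effect")
    if not isinstance(effect, str):
        return None, []
    m = PARAM_RE.match(effect.strip())
    if not m:
        return effect, [effect]
    param = props.get("parameters", {}).get(m.group(1), {})
    if param.get("allowedValues"):
        return effect, list(param["allowedValues"])
    return effect, [param["defaultValue"]] if "defaultValue" in param else []


def lint_policy(definition):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    props = definition.get("properties", definition)
    findings = []
    rule = props.get("policyRule")
    if not isinstance(rule, dict) or "if" not in rule or "then" not in rule:
        return ["ERROR: policyRule must contain both 'if' and 'then' blocks"]
    fields, types = [], []
    _walk(rule["if"], fields, types)

    if "mode" not in props:
        findings.append("WARN: mode not set; Azure CLI defaults to Indexed, so set it explicitly")
    mode = str(props.get("mode", "Indexed")).lower()
    if mode == "indexed" and any(t in UNINDEXED_TYPES for t in types):
        findings.append("ERROR: mode Indexed never evaluates subscriptions or resource groups; use mode All")
    elif mode not in {"all", "indexed"} and not mode.startswith("microsoft."):
        findings.append(f"WARN: unrecognised mode '{props['mode']}'")

    effect, candidates = _effect_candidates(props)
    if effect is None:
        findings.append("ERROR: then.effect is missing")
    elif not candidates:
        findings.append(f"WARN: effect {effect} has no allowedValues/defaultValue to check")
    for cand in candidates:
        if str(cand).lower() not in KNOWN_EFFECTS:
            findings.append(f"ERROR: unknown effect '{cand}'")

    for f in fields:
        if not isinstance(f, str):
            findings.append(f"ERROR: field must be a string, got {f!r}")
        elif f.startswith("["):
            continue  # template expression; cannot be checked statically
        elif f.lower() in BUILTIN_FIELDS or TAG_FIELD_RE.match(f):
            continue
        elif re.search(r"\s", f):
            findings.append(f"ERROR: field '{f}' contains whitespace (copy/paste damage?)")
        elif not ALIAS_RE.match(f):
            findings.append(f"ERROR: '{f}' is neither a built-in field nor a well-formed alias")
    return findings


# Constructed samples: a resource-group tag rule with three defects, and the same rule fixed.
BAD_DEFINITION = {"properties": {
    "displayName": "Require costCenter tag on resource groups",
    "mode": "Indexed",                                   # resource groups are never evaluated
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags ['costCenter']", "exists": "false"},   # stray space in the field
        ]},
        "then": {"effect": "Denied"},                    # not a real effect
    },
}}

GOOD_DEFINITION = {"properties": {
    "displayName": "Require costCenter tag on resource groups",
    "mode": "All",
    "parameters": {"effect": {"type": "String", "allowedValues": ["Audit", "Deny"],
                              "defaultValue": "Audit"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags['costCenter']", "exists": "false"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}}

if __name__ == "__main__":
    for name, definition in (("bad", BAD_DEFINITION), ("good", GOOD_DEFINITION)):
        print(name, json.dumps(lint_policy(definition), indent=2))
```

Run it against the JSON you are about to pass to az policy definition create; a clean run does not prove the rule is correct, only that it will be evaluated at all, so still validate the aliases with the VS Code extension and test the assignment in a non-production scope.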
Deploy custom policies at the top-level management group for consistency across tenants, following the DRY principle.

5. Key Vault Policy Issues

Issue: Policies for Azure Key Vault (e.g., auditing secret creation or access policies) don't work as expected.

Causes:
- Data plane policies (e.g., for secret creation) do not evaluate ARM template-based secrets until the 24-hour compliance scan.
- Insufficient Microsoft Entra permissions to modify access policies.
- Redeployment overwriting access policies, with no incremental option.

Solutions:
- Enable Key Vault logging to an Azure storage account to monitor policy evaluations (AzurePolicyEvaluationDetails container).
- Verify user permissions for modifying access policies, and use managed identities for authentication where possible.
- Preserve access policies during redeployment by populating ARM templates with the existing policies, or switch to Azure RBAC for incremental updates.
- Review Key Vault logs for evaluation details, and wait for the 24-hour compliance scan for data plane policies.

6. Performance and Scalability Issues

Issue: Policy evaluations are slow, or compliance data takes too long to update for large environments.

Causes:
- Large policy or initiative assignments evaluating many resources.
- Standard compliance scans (every 24 hours) or on-demand scans take time for large scopes.

Solutions:
- Be patient with evaluation cycles: new assignments (~5 minutes), resource updates (~15 minutes), subscriptions (~30 minutes).
- Optimize policy definitions by narrowing the scope or using exclusions to reduce the number of evaluated resources.
- Consider Enterprise Azure Policy as Code (EPAC) for scalable policy management in complex environments.

Notes:
- Always test policies in a non-production environment to avoid unintended disruptions.
- Regularly review policies to account for changes in Azure services or organizational requirements.

SSH Posture Control for Linux is now GA!
With the increasing importance of reducing the attack surface of any fleet of devices, SSH Posture Control provides a comprehensive solution to ensure your servers are configured according to best practices and your environment-specific requirements. This results in enhanced security, improved compliance, and increased efficiency throughout your IT infrastructure. This feature not only audits your current SSH server settings but can also auto-remediate configurations to enhance your security posture.

Key Features:
- Comprehensive Auditing: SSH Posture Control performs a thorough audit of your SSH server settings and identifies potential misconfigurations.
- Automated Configuration: Save time and reduce errors with automated configuration options that align your SSH server settings with industry best practices.
- Support for Multiple Distros: Whether you're using Ubuntu, Red Hat, Azure Linux, or other supported distributions, SSH Posture Control has you covered.
- Azure Governance: SSH Posture Control integrates seamlessly with Azure Governance services such as Azure Policy and Machine Configuration.

Each compliance check includes evidence via the Reasons field, indicating how compliance or non-compliance was determined. You can customize the SSH parameters or use the policy default values, which are aligned with the Azure security baseline for Linux.

Getting Started

Ready to enhance your SSH server security? Take the first step towards a more secure and compliant server environment. For more information and detailed documentation, click on the links below:

https://aka.ms/SshPostureControlOverview
https://aka.ms/SshPostureControlQuickstart
https://aka.ms/SshPostureControlBrownfield
SSH Posture Control | Not JUST Port 22 - YouTube

Exciting News: AMBA Portal Accelerator is now Generally Available!
We are thrilled to announce that the Azure Monitor Baseline Alerts-Azure Landing Zones (AMBA-ALZ) Portal Accelerator has officially reached General Availability (GA). This achievement is a big step forward in our goal to simplify onboarding and monitoring of your Azure environment, regardless of whether or not you are fully aligned to Azure Landing Zones.

[Screenshot of the Azure Landing Zone portal Accelerator]

What is the AMBA Portal Accelerator?

When we introduced AMBA into the ALZ portal experience (not to be confused with this accelerator!), the increased flexibility AMBA-ALZ provided for the preferred action notification types created a need for a post-ALZ AMBA portal to accommodate the notification types that require an existing resource (Azure Function, Event Hub, and Logic App), since those resources may not be present when deploying ALZ, possibly for the first time. The AMBA-ALZ Portal Accelerator is designed to simplify the process of setting up baseline alerts, helping you boost your observability maturity in your Azure environment with minimal effort or expertise. You can set up alerts faster and with more confidence. You'll get timely notifications about critical metrics and log anomalies that might signal potential issues with your Azure workloads.

What Scenarios Does The Accelerator Help Address?
There are a few scenarios where the Accelerator can help meet you where you are in your journey:

- You are an existing Azure customer looking to mature your observability posture (and, at the same time, with low effort move one step closer to being aligned to Azure Landing Zones).
- You have an existing Azure Landing Zones implementation from before AMBA was released and are looking to update your environment to include AMBA-ALZ.
- You may be new to Azure, deploying Azure Landing Zones (the recommended way to onboard to Azure), and wanting to use the Azure Function, Event Hub, and Logic App notification types.

Getting Started

To begin using the AMBA-ALZ Portal Accelerator, navigate to https://aka.ms/amba/alz/portal or click the "Deploy to Azure" button on the documentation page. Detailed deployment instructions and further guidance are available to help you get started quickly and efficiently.

If you have any further feedback, please use the following links:
💬 Feedback GitHub Issues: https://aka.ms/amba/issues
💬 Feedback survey: https://aka.ms/ambaSurvey