This document provides comprehensive guidance for implementing Azure governance best practices within the ICT Governance Framework using Infrastructure as Code (IaC) principles.
This implementation guide helps organizations integrate Azure-specific governance practices with their ICT Governance Framework, ensuring consistent governance while leveraging Azure’s native capabilities for infrastructure governance.
This guide covers:
This implementation aligns with the three-tiered structure of the ICT Governance Framework:
Azure governance should follow these key IaC principles:
| Tool | Primary Use Case | Governance Application |
|---|---|---|
| Bicep | Azure-native resources | Primary tool for Azure resources with direct integration to Azure Resource Manager |
| Terraform | Multi-cloud deployments | Use for hybrid or multi-cloud scenarios with consistent syntax |
| ARM Templates | Legacy Azure resources | For compatibility with existing deployments |
| Microsoft365DSC | Microsoft 365 configuration | Extension of governance to SaaS platform |
| Azure Policy as Code | Compliance automation | Codifying governance rules as enforceable policies |
Management Groups
├── Organization
│ ├── Production (Subscription)
│ │ ├── ResourceGroup1
│ │ └── ResourceGroup2
│ ├── Non-Production (Subscription)
│ │ ├── ResourceGroup1
│ │ └── ResourceGroup2
│ └── Sandbox (Subscription)
│ └── ResourceGroups
| Tag Name | Purpose | Example | Required |
|---|---|---|---|
| Owner | Business owner of the resource | “Finance” | Yes |
| Environment | Deployment environment | “Production” | Yes |
| CostCenter | Financial allocation | “CC-1234” | Yes |
| Application | Associated application | “SAP” | Yes |
| SecurityLevel | Security classification | “Restricted” | Yes |
| ComplianceReq | Compliance requirements | “PCI,GDPR” | As needed |
| DataClassification | Data sensitivity level | “Confidential” | For data resources |
# Example Policy Structure
name: "Require resource tagging"
description: "Enforce required tags on all resources"
mode: "Indexed"
parameters:
- requiredTags:
type: "Array"
defaultValue: ["Owner", "Environment", "CostCenter"]
policyRule:
if:
field: "tags"
exists: "false"
then:
effect: "deny"
/azure-governance/
├── /policies/ # Azure Policy definitions
│ ├── /security/ # Security policies
│ ├── /cost/ # Cost management policies
│ └── /tagging/ # Resource tagging policies
├── /templates/ # Reusable IaC templates
│ ├── /modules/ # Bicep/Terraform modules
│ └── /reference/ # Reference architectures
├── /environments/ # Environment-specific configurations
│ ├── /dev/ # Development environment
│ ├── /test/ # Test environment
│ ├── /staging/ # Staging environment
│ └── /prod/ # Production environment
├── /pipelines/ # CI/CD pipeline definitions
├── /scripts/ # Automation scripts
├── /app-store/ # Employee App Store components
│ ├── /api/ # App Store API infrastructure
│ ├── /web/ # App Store web portal
│ ├── /admin/ # Admin portal for catalog management
│ └── /validation/ # Validation workflow components
└── /security-integration/ # Security monitoring integration
├── /siem/ # SIEM integration components
├── /cas/ # Cloud App Security components
└── /discovery/ # Application discovery processing
# Example Azure DevOps Pipeline for Infrastructure Deployment
stages:
- stage: Validate
jobs:
- job: Lint
steps:
- script: bicep build **/*.bicep
- job: Security
steps:
- task: AzurePolicy@1
inputs:
mode: 'audit'
- stage: PreviewChanges
jobs:
- job: WhatIf
steps:
- task: AzureResourceManagerTemplateDeployment@3
inputs:
deploymentMode: 'Validation'
whatIf: true
- stage: Deploy
jobs:
- job: DeployInfrastructure
steps:
- task: AzureResourceManagerTemplateDeployment@3
inputs:
deploymentMode: 'Incremental'
- stage: Verify
jobs:
- job: ComplianceScan
steps:
- task: AzurePolicy@1
inputs:
mode: 'audit'
Align CI/CD approvals with the ICT Governance Framework:
| KPI | Description | Target | Measurement Method |
|---|---|---|---|
| Azure Policy Compliance | Percentage of resources compliant with Azure policies | >95% | Azure Policy compliance reports |
| Drift Incident Rate | Number of configuration drift incidents | <5 per month | Azure Resource Graph queries |
| IaC Deployment Rate | Percentage of resources deployed via IaC | >98% | Deployment logs analysis |
| Resource Tagging Compliance | Percentage of resources with required tags | 100% | Azure Resource Graph queries |
| Secure Score | Microsoft Defender for Cloud secure score | >85% | Defender for Cloud reports |
| Shadow IT Detection | Percentage of unauthorized applications discovered and processed | 100% | SIEM/CAS reports |
| Application Validation Rate | Percentage of validation requests processed within SLA | >95% | App Store validation metrics |
| Application Compliance Rate | Percentage of applications on company devices that are approved | >95% | App Store compliance reports |
Add these Azure-specific metrics to existing dashboards:
| Role | Responsibilities |
|---|---|
| ICT Governance Council | Approve Azure governance standards and policies Review compliance reports Approve exceptions for high-risk items Review critical shadow IT findings |
| Domain Owners | Define domain-specific Azure governance requirements Review and approve Azure architecture designs Ensure alignment with business objectives |
| Application Governance Owner | Define application approval policies Oversee Employee App Store Manage application validation workflow Coordinate shadow IT remediation |
| Security Domain Owner | Define security policies and standards Oversee SIEM and Cloud App Security Review security findings and vulnerabilities Approve security exceptions |
| Technology Stewards | Implement and maintain Azure governance controls Develop and deploy IaC templates Monitor compliance and remediate issues |
| Security Steward | Operate SIEM and Cloud App Security Coordinate validation of discovered applications Implement security controls and monitoring |
| Applications Steward | Administer Employee App Store Review and categorize discovered applications Manage application catalog |
| Technology Custodians | Execute day-to-day Azure operations Apply governance controls Report issues and improvement opportunities |