What is governance and why is it important?

IT governance in enterprises is needed to control and align IT strategy, security strategy, and business strategy. Also, it enables organizations to optimize the use of technology in a way to obtain the best of it at the best possible cost.

In a modern, agile enterprise that wants to be digitally enabled, it is all about the speed – speed of development and release, ease of access, and self-service abilities. However, IT governance is restrictive to this agility because it enforces to use policies, cost, and security controls.

Is it even possible to mash agility and control and get both? For some enterprises, the answer might be to use Azure with its built-in Governance capabilities, and unlimited compute resources, wide array of services and agility at a reasonable cost. Overall, Azure building blocks that need to be governed can be viewed in the schema below.

To build a well-governed Azure infrastructure, time investment is needed to understand and architect the governance model. To do that we need to understand the building blocks in Azure that can help to achieve desired goals.


The first high-level decision for every company is regarding identity management, which in this case is Azure Tenant. Azure Tenant contains your enterprise user IDs, similarly to any other user directory. However, Azure Tenant count should be kept at an absolute minimum, because it is used not only for Azure authentication but also for all other Microsoft SaaS service authentication, like Office365, PowerBi, etc. Therefore, it is essential that our users do not have sever identities with different passwords. Microsoft also offers a free tool to synchronize on-premises Active Directory with Azure Active Directory.


As you begin to go live with applications in the cloud, you should consider how to manage subscriptions. It’s tempting at first to say that all of your enterprise is on one cloud subscription, but that model results in substantial inefficiency: it is difficult to account for by application and/or by cost center or department in a single-subscription model. Also, managing a large number of applications—some in production, some in test, and so on—can be cumbersome. It’s usually more useful to assign subscriptions to individual cost centers or even to applications, or application groups. In a large organization, for better visibility and accountability, you might want to set up a cloud governance hierarchy, such as the one illustrated below.

Cost reporting and allocation can later be viewed in Azure Cost Center, Cloudyn reporting tool, or PowerBi. All those tools may give you cost reporting for subscription, and in addition, they can report costs based on resource tagging in Azure.

Role-based access control

Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC enables you to achieve the desired security governance in Azure. For example:

  • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
  • Allow a DBA group to manage SQL databases in a subscription
  • Allow a user to manage all resources in one resource group, such as virtual machines, websites, and subnets, yet restrict doing it in others.
  • Allow an application to access all resources in a resource group


Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. This vital need is where Azure Policy comes in.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.

The key differences for Azure Policy between RBAC are that RBAC is user-centric – which user is allowed in doing what, on the other hand, Policy is more Azure resource centric. For example, a user is allowed to create virtual machines in the Resource Group, however, with the Policy, we can restrict what kind of virtual machines a user is allowed to create so that our Azure spend does not spiral out of control.


One of the latest features that Microsoft offers in Azure is Azure Blueprints, where you can combine RBAC access model, security and compliance policies, and Azure templates. Those blueprints can be propagated to Azure subscriptions automatically, thus ensuring that all resources in each subscription adhere to these blueprints. Microsoft even offers some blueprint definitions preconfigured in Azure, like ISO27001 blueprint, upon which application on the subscription it should become ISO270001 audit compliant. Word of warning thou, upon application of preconfigured blueprints, always check their definitions, if they contain definitions that are too weak or too strong for your organization.


For the next level of automation and governance on resources in Azure, we can use Azure ARM Templates. In the templates, we can define specific configurations of resources, like virtual machine logging and patching capabilities, resource Network Security Group configuration, resource tagging, etc. Benefits of the ARM API are that you can deploy several resources together in a single unit and that the deployments are idempotent, in that the user declares the type of resource, what name to use and which properties it should have; the ARM API will then either create a new object that matches those details or change an existing object which has the same name and type to have the same properties. Templates will ensure consistent configuration of your Azure setup if appropriately used.

As you can see there are reactive governance activities as cost reporting, cost alerting and infrastructure audits and proactive governance activities like subscriptions, RBAC, policies, and templates. If you invest enough time in research, definition, development, and automation for proactive activities, you will need to spend less on reactive activities, and you will get higher compliance with current business needs.