Governing Azure subscriptions with auditing management groups and policies - BRK3268


All righty, good morning everyone. Nice to see so many people here. I personally like to think that you are all here at 9 o'clock because you skipped the attendee party last night to make it on time here. Excellent. We've got some good stuff up and coming on governing Azure subscriptions with a few new tools, and one tool that was earlier in preview and now is generally available.

My name is Jussi Roine, and as you can probably tell by my accent, I'm not local, and the weather is a bit challenging to me because I'm based out of Helsinki, Finland. So when I'm indoors here I'm cold, and when I'm outdoors it's too hot for me; I start melting away.

So I've got a few goals for the next 45 minutes. I want all of my demos to work. I did sacrifice a couple of virtual machines just for you, and one Azure subscription as well, because it got locked down because I did too-fancy policies in there, but the one I'm using today should work. And the other aim or goal for me really is that you all learn to pronounce my first name correctly. I've heard Josey, Jusuf, Jusuf, Jesse so far. I'm good with all of those, so you just go with any version you like. Yes, perfect, thank you.

So let's get started with the need for governance. Back in the day, before we had Azure, we of course had the on-premise data centers, and we all loved hugging the servers and putting in the cables and watching the lights blink. And then when we started to get cloud-based services such as Azure, I would visit my customers and they would be so excited: "We started using Azure, everything is so quick and agile now, and nobody's stopping us on what we want to do, just look at this." And I would go there; they would have maybe 275 resource groups in Azure, and the names would be demo1, test, do not delete, test test five, the final test. Nobody knew what was happening with those. So it was the same as in the day when you would visit a customer whose business was not in IT but their data center needed to be built, and it was full of cables, full of
servers; nobody knew what they were doing.

So today we've got plenty of tools for governing Azure and what happens in Azure. I find some companies choosing to merely have one administrator who actually provisions everything in Azure, and not allowing anybody else to do anything. The sad thing about that is that then you only have this one person who can do everything, and he needs to do three shifts every day, so 24 hours at the office just provisioning and testing and checking on stuff.

So the tools we have for the basic sort of governance of course start with the accounts: what sort of accounts do we give? I quite often see people who are not that well in the know on what other accounts can do; they simply invite Microsoft account-based identities to Azure, grant them the global admin or the owner of the subscription, and you're good to go, and that will get messy really quick.

Subscriptions: this is a topic often that we need to visit: do we need one subscription, do we need multiple subscriptions? And the old thinking has always been that we need one subscription, just like back in the NT 4 days when we only did one domain: everything is good there, and if something breaks, everything breaks. So these days you typically want to divide your infrastructure, your services in Azure, to maybe multiple subscriptions. I've had discussions with companies who say, "We want to start with 250 subscriptions," and I ask, "Why do you need 250 subscriptions?" "Well, we need 250 admins and every admin has their own." OK, that's one approach, but maybe you would like to start with one or two or five, depending on what you're actually building and how you plan on using Azure.

Role-based access control has been there for quite some time. Typically you're good with the built-in roles, so instead of everybody being an admin or maybe a guest, you have some leverage in between. I see companies building custom roles not that often, because it's really hard to keep track of who has access where and about and how. Resource groups
and tags and logs: we'll look into those in a little while when we get to the actual tooling.

And then policies, which is one of the main topics for this talk. With policies we can use the built-in policies to govern what our admins, what our developers, what our users who have access to our subscriptions, what can they actually do and what they shouldn't be doing. The policy is an allow deny based chokan. You can add one or more policies, and the idea is that if the built-in policies are not good enough for you, you start building your custom policies. And just like in here, I would start with the built-in policies, otherwise it will once again get really messy. If anybody here has been administrating Active Directories back in the day with GPOs, group policy objects, the policy is a bit the same: it has inheritance, so you define the policy at some level and it inherits all the settings beneath, whatever is beneath that level where you set the policy.

And then auditing and monitoring, of course, with Azure Monitor. So the tooling is more or less there, but by default none of these settings or none of these features are enabled, so you need to configure those. The earlier you get to configuring those, the better off you will be, but if you already run several workloads in Azure, it's fine, you can still start using the tooling.

So for auditing and monitoring, the tools: Azure Monitor, which has been expanding quite rapidly. Even this week we got some new announcements for those; I'll have a look on those in a second. And then Application Insights, which traditionally has been a tool for developers. Developers would enable App Insights and they would get data from the back end of their software. So if they were running a website on Azure App Service, they're able to enable Application Insights in there, and then if something fails within their code, Application Insights would give you what's really happening beneath the services and how do we actually fix this. And you can have
automated tasks and actions in Application Insights. But that's how it was initially marketed, it's for developers, but I see it's much more useful for IT pros as well and for admins who need to govern Azure subscriptions, because you get a lot of information out of App Insights on how things are working and how people are using those tools.

Azure Advisor: it's a free tool and it gives you advice on how you should better configure your Azure subscriptions. The idea is that it gets signals from Azure Security Center, giving you security advice, but it also gives you advice on performance, also on reliability, and it's up to you really to follow that advice or simply discard it and say, "I know better than some built-in AI that can recommend things to me."

Log Analytics: that's always been a bit of a problem in understanding what Log Analytics is, because it's traditionally been a separate service, then it was partially connected with Operations Management Suite, which has a separate portal, but now it's part of Azure Monitor. So Log Analytics itself is best accessible from Azure Monitor as of today.

And finally, if you run any sort of management solution in on-premises, such as System Center Operations Manager, you can offload a lot of this back to your SCOM installation, or you can push your log data from SCOM or something similar back to Azure and keep on using these tools as well.

So with Azure Monitor, this is accessible from the portal, I will show that to you in a bit, and it's really about two things. One is that you can have a look on something ad hoc. You might have a virtual machine, you might have a SQL database that is not behaving correctly, or you suspect there's some sort of problem with it. You simply select that resource in Azure Monitor and you select the type of counters you'd like to follow up on, and that's that. It's exactly the same as you would have on a Windows server or a Windows workstation with Performance Monitor that you can run,
and that's been there for about 20 years. But you can also create alerts based on those metrics. So once you find a good metric, let's say you provision a new virtual machine and you want to have a metric that our system drive does not fill up, you simply create a metric, apply an alert on that, and based on the alert you can have automated tasks to clean up the disk, or you can simply do what everybody else does: send an email to somebody who doesn't want to read the alert emails and who needs to act and does.

What's new for Azure Monitor this week: we get smart groups, which consolidates. If you get a lot of alerts from different locations, it consolidates those into a single group automatically, meaning that if you have multiple services acting or behaving with such problems that they could be grouped together, you can fire off a single alert instead of firing off 27 different alerts, and thus the person getting 27 emails doesn't really know where to start with. But now they will only get one email or one activity or one task. You could spin up a PowerShell task maybe to fix it automatically, if you know what might be the problem, or then you will connect this with a ticketing system like ServiceNow that would then enable you to run more advanced processes, if that works better for you.

The other one, metric alerts for logs that I mentioned: it's now generally available starting this week; it was in preview before. I don't know how you treat preview and GA type of services. I typically start using preview services as early as possible to see how they actually work, and when we get the GA, which means we also get support and there's proper documentation in place, then I know this is something I can now use more widely with my customers and in production environments as well.

Application Insights, that I mentioned: this provides an awful lot of information. It's a bit overwhelming because you get so much data. Last night, before the attendee party, I was having dinner nearby, that's at
one of the restaurants, and as it's a tradition, they have a TV there. I don't know why, but it's on, and there's football, I think it's football, or is it American football? Football anyways, their sports where the ball is not round, and somebody was explaining that that's an undertake or overtake or touchdown or something else. I know nothing about sports, and it was a bit overwhelming to me because there are so many moving bits and statistics and people giving you their opinion on how things should go and what really happened here.

The same goes for Application Insights. You open Application Insights for the first time, there's about 2,000 different buttons that you can click, and you're not really sure how you should get started with this. The easiest way to get started with Application Insights is that when you provision a new service, they typically have an option, "Would you like us to automatically enable App Insights for you?" You will check that, press next, and you're good. Later on, when you need to find out what App Insights is really doing for you, you can then go to the service, and there's a link to the App Insights that was provisioned for you, and it has two predefined metrics, the predefined log entries for you that you can start actually using.

So on the left you can see one of the services that I provisioned this week for a demo I did on Tuesday on using bots with a bit of AI in the backend. I provisioned App Insights when I provisioned the bot, and with App Insights it's now telling me how many instances do I have with the bots, how many calls do I get to the API of the bot, and is something failing in any of this. The other two are recommendations for me on "you should maybe fix this, you should maybe fix that, and we saw these types of problems," and you can see the secure score impacts, which is more security related even though we are not really asking for security advice. So this comes in part from Security Center as well as Azure Advisor. And just like in Azure
Monitor, you can create your custom metrics, custom statistics in here, bundle them all together, or you can create a new dashboard in Azure portal and have a custom view on everything that is important for you. What I typically like to do with my implementations is that I create custom dashboards that look nice, that have the relevant information that I need to see, and then I prop a TV at a customer's cafe or a place where they get coffee and sit near the cubicles, and then with one peek they can actually see what's happening with the services. Excuse me.

Azure Advisor: this is probably the easiest to use because there's not that many things you can actually configure here. You'll see the high availability, which mostly relates to virtual machines: do you have availability sets, do you have replication for your databases? Then you get security, of course, from Security Center, and performance on different things that you might not have configured yet. As an example, I do have one recommendation on some leftover blobs in Azure storage that I should maybe clean up. This is not really cost related, it's more performance related when we start getting new services. And the last one is of course cost. So typically when you want to govern Azure subscriptions, many times you also want to understand what happens with the cost: are we paying too much?

And Log Analytics, which is now part of Azure Monitor: it collects telemetry from all of your services, be it a virtual machine, be it an Azure SQL database, be it a website or an App Service build, and Azure Functions underneath App Service as a service solution. Log Analytics collects everything together, and then we can decide what to do with the logs from here. Typically, in environments with high security, I see that we want to offload the logs to a separate system. It might be something in on-prem, or it might be something that we run in a different subscription or a different cloud provider, but
there's also a query engine within Log Analytics, meaning that all the logs we can collect from all the services that we have, including possibly on-premises services, we can then query against those, and we can have alerts and tasks and actions based on those alerts against these logs. With Log Analytics we get a separate query engine with a separate query language that we can use. What I typically do, I use two predefined queries, unless it's absolutely necessary to build my custom queries for something really specific. You can see in the pictures it also gives you a nice overview on what's happening with the services. The lower picture has a test virtual machine that's running about 20 processes, and Log Analytics is able to analyze how this virtual machine is talking to different services, and on which ports, and what sort of traffic is occurring inbound and outbound from that VM.

Alrighty, so let's have a demo, and for that to happen, what I need to do, I need to switch this. This is always the most exciting part, and we've got a blue screen. Luckily there's the thing in Finnish language: when you yell it loud enough at the PC, you can probably get it working. It's a hidden Windows 10 feature. But I'll avoid the yelling, I'll just use my mantra, which is a Licata canonical Gabriella. Let's see. No, not working. I should be okay. There we go.

Alrighty, so I've got my Azure subscription here. I've got a couple of subscriptions. You can see the lower one with the cost is a little overrun with the built-in budget. I had 130 euro, which I like to think it's about $25,000 because it looks more promising, and I ran over, and I've got a set limit I need it really is that early this week. And then I've got a bunch of services in here that are frequently used, so I just pinned those on the dashboard.

So we'll start with Azure Monitor first. Microsoft has been tweaking with the interface of Azure Monitor quite frequently, so I feel that if two weeks goes by that I don't open this, something
happens: there's five new buttons and five new recommendations I should be doing. So we'll start with the metrics, and I hope the font size, yes, it should be good enough. So I get to select the subscription first, and I do have one subscription resource group that I want to use. I've got a lot of services in there because this is one of the infamous "demo resource group, do not delete it" but not in use really, so just delete if you don't need it. And I'll select virtual machine from here, and I've got that one virtual machine running in here.

Then I get to select the metric, and this virtual machine is based on the burstable class B virtual machines, which means it is ticking CPU credits for me, and if I need to overload it a bit, I can use those credits later on as long as I don't reboot the VM. So let's see credits consumed: on average it's looking quite good. I can add a separate metric, and it automatically selects the same resource for me, which is nice. So credits remaining: we can see that I've got about two hundred twenty credits remaining, which is quite good because I'm not using the VM that much. And if I'm happy with this, I can pin this in my dashboard, and when we scroll to the far right we can see that, here we go. So this is the way of how I can use Azure Monitor to start building my custom dashboards, and you can of course create new dashboards, upload, download, edit and share those same dashboards with other people.

So going back here, I want to have a look at the logs. So this is now the Log Analytics part. So even if I'm in Azure Monitor, I'm actually in Log Analytics now, and you can see I'm actually using a separate service, so this is the Log Analytics workspace that I'm using. And there's a couple of built-in queries that I can use based on heartbeat, performance, usage, and I can see "list all reporting computers in the last hour". Let's run this, and it's going through all of the logs that I have in Log Analytics in that workspace, and from the filtering I can actually see that it
found 59 entries for my virtual machine, and I can drill down on this. But as you can see, the purpose of Log Analytics is not for me to go through all of the lines. That often happened back in the day when somebody would complain that our Active Directory domain controller is not working correctly, and somebody would say, "I'll just go to all of the domain controllers manually and check all of the logs to find the problem," and they would have 27 domain controllers and it would take two weeks to resolve it. So the same is here: I don't want to go through these line by line. I actually want to connect this with something else, and that something else might be a reporting interface like Power BI as part of Office 365, or it could be a separate system that analyzes these, and based on the type of alerts that we're getting, we might be acting based on those.

Okay, so moving on forward to Application Insights. With Application Insights, even though I provision those services automatically, when I provision whatever services I'm doing, it provisions the Application Insights for me, I can go directly to all of those. So what I wanted to do: I had some spare time during summer, so I built a small website which is called the aka.ms tracker. You guys probably see when you go on social media and somebody from Microsoft sends a message, maybe a tweet on Twitter, that "hey, here's the service or the documentation that you're looking for," and the address is aka.ms slash something fun. And I kept thinking it would be nice to have a directory of the aka.ms URLs, so I started tracking those with Azure. So I'm picking all of those from Twitter, storing those in Azure SQL, and then I'm doing small analytics based on that. I've been running it for about four months and I think I have about 250,000 aka.ms URLs now. I don't know what I'm doing with those, but you can get the address here if you want to use this as well. So I've got the addresses in here. So this is simply a site that I
need to use for testing Application Insights. So what I'm actually doing here: when I get the aka.ms address, let's say from a tweet, it's aka.ms slash something, but what Twitter does, they replace that with their own t.co. So I need to pick up that, do an HTTP call, and from the headers that I get back I need to resolve it back to the aka.ms, then get the title of the website so that I know how it points back to the aka.ms alias. For that I need to use a service, so I'm using Azure Functions to do simple calls. When I get the addresses, I resolve those and I store those to the database. It's quite simple, but I still want to see what's happening with this. I need to govern that it doesn't overrun in terms of cost. I also need to diagnose if there's any sort of problems built in here.

So I can see there's some failed requests in here, seven yesterday I think, or yesterday seven, not too many requests because it's been quite slow in that sense. And from here I can see the application map, and it shows me 113 instances; about eleven percent of the calls that were initiated against this resolver, this Azure Function, failed. And you recall when we started the demo I said I did overrun a bit on my budget; that's the reason they failed. When I overrun my budget, Azure shuts down all of the services that I have. So this was running, then it shut down the databases; databases shut down and yanked away from the function, and it started failing before it was shut down as well. This is what I can now use to actually understand what's happening, and I also get metrics from here, which uses Azure Monitor. So by now you're seeing that, hold on, I've got Azure Monitor, which is connected to Log Analytics, but then I have Application Insights, which is also using Azure Monitor. So Azure Monitor is really the tool that you should be using the most to understand what's happening within your subscriptions.

Okay, switching back to slides. There's too many buttons here. Let's see if I was
lucky. Yes.

So let's move on to Azure governance tools. We had a look at the monitoring and auditing tools, and then we're moving a bit beyond these: we move to Azure governance. So during Ignite this week, Microsoft announced Azure Governance, which consists of Azure Policy, singular policies that allow or deny certain actions or certain selections for Azure admins who can access your portal, your subscription. Then we have Azure Cost Management, because we need to understand what sort of costs we are incurring in our services, and this is based on the Cloudyn acquisition Microsoft did, I think, last year, and it's slowly now been ported to be part of the Azure portal. Then we have Azure Blueprints, which was also announced this week in preview, and blueprints allow us to create blueprints that consist of policies and roles and settings. And the last one is Azure Resource Graph, which allows us to query and see what sort of resources do we actually have in our Azure subscription. That's not my phone, I hope.

So starting with Azure Policy: policies enforce certain rules, and typically how I see customers using this or asking to start using this is that we want to enforce that nobody will provision that one virtual machine that will cost the same as a large car would cost in Finland. So instead of getting a VM we'd rather take the car. So we want to enforce that nobody is actually provisioning anything that goes beyond X euro, or we want to enforce geographical locations: we want to have all of the services in the West US data centers, for example; in Europe it would be North Europe or West Europe. And there's a set of ready-made policies which are rather good. I always start with those because there's little need to go beyond those when you get started. You typically have the location restrictions, you have the restriction on certain SKUs in virtual machines or different services, and then you also want to have compliance based on those. If you do custom policies, they are simple JSON
based text files that you can add, but as I said, you can build quite complex policies quite quickly, so start easy with Azure policies and use the built-in ones first. And you can bundle together multiple policies, so instead of having ten policies and applying each of those separately and getting ten different reports, you can bundle them together to achieve a singular goal that would then give you the compliance view that this bunch of policies is not complied with in this and this service.

Management groups, on the other hand, in Azure: that's generally available starting about three weeks ago, and management groups is a container technology, not a container container, but a container holding your policies, holding your restrictions for different subscriptions, different resource groups or different management groups. And you start with the tenant root group, which is built in. It will be created the first time you go to management group settings, and you need to allow yourself as global admin, you need to allow yourself permission to actually provision the tenant root group. I'll show that in a bit, how it happens. Then you can create any number of subgroups. In this example I've got one for development and testing and one for production, which is fairly simple to understand, but you could have this based on location, and then underneath those you could have this based on the environment or the need or a policy that you would apply. And then you bind your subscriptions and/or resource groups as part of these management groups, and they will have inheritance, meaning that if I set a set of policies in the dev and test group here, in the dev and test group management group, those policies will trickle down to whatever is underneath the dev and test group management group, and whoever is beneath those cannot bypass the policies and the settings that they have in place. And you can also have nesting in there, so if you set something in the dev and test group and
then you set something else, it will also trickle down throughout all of those groups that you will have.

The Azure Blueprints allow you to create predefined settings for your Azure admins and operators. We can bundle together policies there, built-in templates, roles, and we can also curate the marketplace, so we can disallow users from just going wild in the marketplace and picking and choosing everything they need. We can actually restrict what will be happening within our Azure subscription. So while the management group is a container for enforcing policies, blueprints is a technology enforcing templates, policies, roles against the whole subscription. And with blueprints, the earlier you get started, the better off you are, because if you have a fresh Azure subscription you can have the blueprint in place, and when your admins start building solutions in there, you can already enforce what you need within the blueprint. The preview is available starting this week, so this is not generally available yet, but based on my testing during the summer it works quite well already so far, so I would expect the GA to follow at some point in the near future.

And Azure Resource Graph is quite new as well, and this allows us, in the old resources view of the portal, to of course list everything we have in place, but there's now a provider for PowerShell and Azure CLI, so we can query against Azure on what sort of resources do we have, and this is the engine that gives us back the results. And the reason for this is that we don't have to loop through everything; we can actually query the engine, and it's lightning fast when it's giving you stuff back. You can see in the screenshot I'm using Azure CLI, I'm querying the graph, and the query is summarize count: how many resources do we have in total in this subscription, and it's about two hundred and twenty-two in there. But if you like to use the old resources, that gives you the same, but you get paging, it's a bit slower. So if you
don't need to do reporting on what assets do we have in place in this subscription, then you can use the Azure Resource Graph, which is much faster for you to use.

Alrighty, so let's have a look on this, and once again let's do the button dance. Yes, everything seems to be working. So we'll start with Azure policies. Let me crank up the font size a bit. I have two subscriptions here that I can access with the same account as an admin, and I've got a few policies that I've set in here. One is the allowed locations, and it is non-compliant, meaning that I've set only one allowed location, I think it was West US or West US 2, that's the only one that's allowed, but I already had different resources provisioned that are not in West US, they're in West Europe, and I've got 124 non-compliant resources. So if I open this now, I can actually see that 8 percent of my resources are compliant, which is a bit sad, but it's really the reason that they are in different locations than they should be in.

So we can use Azure policies to actually understand what you have in place now and what's not compliant. It could be the location, it could be a specific type of services, it could be a specific setting. One setting that I frequently get from customers is: what if we move to Azure, we set up virtual machines, somebody has a local admin privilege in there, what happens if they now go and configure the built-in Windows firewall to allow port 80 inbound? If we have the site-to-site VPN or ExpressRoute in place, wouldn't that actually mean that somebody might be able to hack the VM and from there hop onto our internal network? And I look at them and say, yeah, that's exactly what it means. So you need to somehow control it, and Azure Policy is one way of doing it. Of course you have different tools, you have group policies or you can use Intune, but with Azure Policy we actually see that, okay, this is something that shouldn't be
happening.

So we've got the built-in policies in place, a few ones here. The allowed locations is a custom policy, but it's based on a built-in definition. And from here I can see the definitions, and I've got four initiative definitions, and the rest are policy definitions. A policy definition is a built-in singular policy: do not allow X, do not allow this, do not allow that. The initiative is a bundle of one or more policies: we want all of our virtual machines or all of our Azure SQL databases to conform to this set of policies, and we have ten policies that we put in the initiative. Don't get too fancy with this, because once again you will end up in a situation where you cannot access anything anymore, maybe not even the policy definitions to remove those.

So you can also add a new policy definition if you want to build your own, and here's the JSON file for building it. You might need to go to docs.microsoft.com to actually look up what you need to have in there. But if you have a look on one of these, VM shouldn't use, or VMs should use managed disks, so let's audit all VMs that are not using managed disks. So you can see from here, okay, this is how it works, it's actually checking stuff in here. So you can duplicate this, build your own from here.

And from here I can now go to assignments, and I can assign a single policy or I can assign an initiative. So let me assign a single policy. The scope that I need to select: you can see from here that I've got the management group structure in place. I've got the tenant root group that I cannot modify, and underneath there I've created Ignite test, so I'll select that one. And optionally I can select a subscription as well, so I might have a single subscription in that management group, so this applies to the whole of the subscription, or I might now drill down to a single resource group. So I had the demo resource group, so I will only select that one. And what would the policy be? These are the built-in definitions
plus the custom definitions that we have in place in here. So let's see something from here, security-related: let's monitor unencrypted VM disks in Azure Security Center. So I'm adding this, it's assigned by myself, and I can create a managed identity in hopes that if this needs to be fixed I will have some sort of way of accessing the VM if I don't know the local password to manage identities. So I'm creating that now, and based on my experience it sometimes takes a little bit of time, but there we go: monitor unencrypted VM disks. And we can go to compliance, let me refresh that: unencrypted disks, not started yet. So it typically takes about ten minutes that it starts and it compiles through and starts checking what's happening with your policies. So this is really how you build the policies, typically starting with the built-in ones and then moving on.

The next thing I need to show you is the management groups. Within management groups you can see that I've got the Ignite testing here, and the interface is a bit different than what maybe you're used to in Azure portal yourself. One would imagine that while I've selected the Ignite test management group I would actually configure it to the subscription, but I need to configure it to the details through here. This allows me to now configure what happens in the management group and also what sort of policies will apply to this management group. And in here, if I go back in here, I can add sub management groups in here, I can also add sub subscriptions in here as well. So going back to the policies, I can now use the management groups that I create in here, and in here I bind the subscriptions and/or multiple subscriptions as part of this management group, or I create the sub sub management groups in here. Keep in mind that if you create management groups, you test something and then you try, "I want to delete the management group", you need to clean it up first, so you need to remove the subscriptions from
here. And even then, when it's removed, you can check that with Azure CLI, even if it's removed this interface in my experience actually shows you that it still exists. So you need to log out from the portal, log back in, because it's so heavily cached that you cannot get rid of that, and you cannot configure anything else unless it's gone.

Moving on to Azure Blueprints. This is even simpler in a way, but there's a nice trick here. So I've got one blueprint created, and I need to right-click this one to go to edit. There's not too many places in Azure portal where you actually get to right-click stuff; this is one of those. So I can only set the name, I cannot change that later on, and the location will be Ignite test; this is the management group that I had. And in here I've added one artifact, which is a policy. I could add roles, I could have different settings, but I choose to use policies in here, so allowed locations, and this only allows a set value. What's the value? We set the value when we assign the policy or the definition.

So going back here, if I assign the blueprint, this is a very, very... it will ask me what would be a location that you would like to use, and for me, since it's just a text field, I actually need to look it up, that it would be West US 2. Do I want to lock the resources or not? So by default none of the resources are locked, but when I enable the blueprint I can choose to lock the resources, so that if something does not fit in here we'll simply lock those and we cannot modify those, and that would mean that then we need to modify the blueprint if we want to change or modify something at a later date.

So I've got the blueprint assigned now, I can see from here it's succeeded. And if I go and create a new virtual machine, let's go for Windows Server 2016. I really like this new interface because it's slightly fast nowadays and it gives me a nice overview. This will be used to be am 2018, I hope nobody else is using this, and as the region, as the location, I
am going with North Europe. We always laugh at this back at home, because North Europe to us is Finland of course, but North Europe for Azure is close to Dublin, and we don't think that's North Europe. And I'm selecting the size, I need to be used to add Maine, and I need to select a super secure password, fubar one two one two one two hash over a bunch of once you want you don't worry about put this online. OK, I'm happy with this, review and create. It's reviewing it now. There's something missing or something is invalid: management. Let's go with this, review again please. Let's see if the validation goes through. But it has now failed, let's have a look: the allowed location failed, it's disallowed by policy. I said North Europe, that should be in Helsinki, but it's expecting West US 2, which I think I put in there, or West US, regardless.

So I'm a global admin myself, I own the whole subscription, and what I'm actually getting now is "these are disallowed by policy", and there's no skip or undo. I have to conform to the policy even if I'm an admin myself. This is the whole reason we have blueprints and we have policies and we have management groups: that we can actually look after those guys who should know better on what they were actually doing, and they have the permissions to do it.

The last thing that I'll quickly show you is in Azure Active Directory. When you start using management groups you have to go to Azure Active Directory properties, and there's a setting here, "Global admin can manage Azure subscriptions and management groups", and this is a no by default. You need to switch this to on so that you get to start using management groups, otherwise even as an admin it will say, "I'm sorry, you don't have permission to do this."

And the last thing is the Azure Advisor. You saw the screenshot already, there's not that much else to do here. You can configure certain settings, or typically what you're most interested in is the performance and security, and this automatically refreshes quite
often. And for me, security of course complains that I'm not following the Security Center recommendations. So I can use the Azure policies and the policy assignments and initiatives to conform to these, but I can use Azure Advisor to actually understand: am I following any of the stuff that I should be following in terms of configuring the settings?

Switching back, I'm starting to learn to use the buttons already. So, call to action: Azure governance in three easy steps. Deploy policies. You don't have to go with the management groups initially if you are not sure how you want to set those, what kind of structure you want to have in place. Start with the existing templates. It's tempting to build your own, but it's really hard to keep track: what did we actually build again? Start with the location, start with the allowed SKUs for VMs, start with the allowed SKUs for SQL databases; those are the easiest ones. And then apply management groups. Then you know how the policies work, you see the compliance with those, you can move to management groups and you can map those policies that you created as part of the management groups, because you know you're not breaking anything. Do use Azure Monitor to monitor what's happening in there. And finally the fourth step, which is not shown here, but if you're feeling brave and you know how things are working out, start testing out Azure Blueprints. It's in preview now, but once you have the policies in place, once you have the management groups in place, the next logical step is to go to Azure Blueprints as well.

Thank you, that is all that I have. Thank you for attending. I'll be here for any questions if you have. Thanks.
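
The allowed-locations demo from the talk, sketched as an added example (not the speaker's code and not Azure's policy engine): a rule in Azure Policy's `if`/`then` JSON shape is evaluated against a constructed inventory to reproduce the compliance percentage and the denied North Europe deployment. The parameter name `allowedLocations`, the inventory and the small evaluator, which handles only `allOf` and four comparison operators, are assumptions made for illustration.

```python
import json

# Constructed rule in Azure Policy's if/then JSON shape, modelled on the
# allowed-locations demo; the parameter name is an assumption.
POLICY = json.loads("""{
  "policyRule": {
    "if": {"allOf": [
      {"field": "location", "notIn": "[parameters('allowedLocations')]"},
      {"field": "location", "notEquals": "global"}
    ]},
    "then": {"effect": "deny"}
  }
}""")

def resolve(value, params):
    """Expand a "[parameters('name')]" reference to its assigned value."""
    head, tail = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(head) and value.endswith(tail):
        return params[value[len(head):-len(tail)]]
    return value

def matches(cond, resource, params):
    """True when the resource satisfies the 'if' block, i.e. violates the policy."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    for op in ("in", "notIn", "equals", "notEquals"):
        if op in cond:
            expected = resolve(cond[op], params)
            if op in ("in", "notIn"):
                hit = actual in [str(v).lower() for v in expected]
            else:
                hit = actual == str(expected).lower()
            return hit if op in ("in", "equals") else not hit
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, params):
    """Effect triggered by a resource, or None when the rule does not match."""
    rule = POLICY["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None

def compliance_percent(resources, params):
    """Share of existing resources the rule does not match, as a whole percent."""
    ok = sum(1 for r in resources if effect_for(r, params) is None)
    return round(100 * ok / len(resources))

# Constructed inventory: 11 older resources in West Europe, 1 in the allowed region.
PARAMS = {"allowedLocations": ["westus2"]}
EXISTING = [{"location": "westeurope"}] * 11 + [{"location": "westus2"}]
```

Here `compliance_percent(EXISTING, PARAMS)` gives 8, and `effect_for({"location": "northeurope"}, PARAMS)` gives `"deny"`: resources that predate the assignment are only reported as non-compliant, while a new request that matches the rule is rejected.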
