Share via

Governance workbook

  • Article

The governance workbook is an Azure Monitor workbook that provides a comprehensive overview of the governance posture of your Azure environment. It includes the standard metrics aligned with the Cloud Adoption Framework for all disciplines and has the capability to identify and apply recommendations to address noncompliant resources.

Screenshot showing the Governance workbook overview page.

This article details the tabs and information you find within the workbook.

Note

Azure Resource Graph queries are limited to 10,000 results. If you receive an error for too many rows, try selecting a smaller management group or reducing the number of subscriptions.


Overview

The overview tab provides general information about your environment, including:

  • Number of resources
  • Resource count by subscription (top 10)
  • Resource Number by type (top 10)
  • Resource count by Azure region

Virtual machine

The Virtual machine tab is focused on Compute resources to get more information about the resource count and configuration:

  • Virtual machine count by OS type
  • Virtual machines by type/size (for example, D2ms, D2v3)
  • Virtual machine scale set capacity and size
  • Compute disks (OS & data disk attached, OS & data disk size, OS disk SKU)
  • Compute networking (NIC, private IP, public IP attached)
  • Managed disk utilization
  • Compute optimization
    • Underused assets (identified by Azure Advisor)
    • Orphaned disks
    • Orphaned NICs
    • Current VM status (Creating, Starting, Running, Stopping, Stopped, Deallocating, Deallocated)
    • Virtual machine list filtered by power state

Storage + backup

The Storage + backup tab is focused on storage and backup resources:

  • Number of resource types
  • Resource details
  • Storage accounts details
    • Overview
    • Capacity
  • Backup details

    Important

    Vault diagnostic setting needs configured in Log Analytics Workspaces in order to see backup details.


Network

The Network tab is focusing on network resource configuration:

  • Number of network resources by resource type
  • NSGs shows all or orphaned network security groups
  • NSG rules shows network security group rules for the selected NSG from the pervious list
  • Public IPs shows all or orphaned public IPs
  • Application gateways shows all or orphaned application gateways with or without any backend IP and backend addresses
  • Load balancers shows all or orphaned load balancers with or without empty backend pools

PaaS

The PaaS tab is focusing platform as a service resource configuration:

  • Automation shows:
    • Azure Automation accounts, runbooks, and configurations
    • Logic App instances, APIs, and connectors
  • App services shows:
    • App Service plans, apps, and certificates
    • Azure Functions
    • API Apps
    • App gateways
    • Front Door
    • API Management
    • App Config stores
  • Data shows:
    • Cosmos DB accounts
    • SQL servers, databases
    • PostgreSQL servers (including flexible servers)
    • MySQL servers
    • MariaDB servers

Security

The Security tab is focusing on the security score for your subscriptions and controls

  • Security scores by subscription
  • Security scores by control
  • Top 5 attacked resources (with high severity)
  • Top alert types
  • New alerts in last 24 hours
  • MITRE ATT&CK tactics
  • Active alerts

Monitoring

The Monitoring tab shows Service Health information and main events impacting selected subscriptions:

  • All Service Health active incident
  • All changes performed on your resources for the past one day
  • All deleted resources for the past 14 days

Service retirement

The Services retirement tab shows Azure services that are being phased out in order to mitigate affected resources.


Resource age

The Resource age tab shows information about the creation and last change dates for resources in the selected subscription to help you identify old resources and perform sanitization.


Tag explorer

The Tag explorer tab helps you to filter/sort your resources by tag. You can list and identify resources with or without a specified tag name and with or without a value. You can filter each result by resource type.

You can also get general information on subscriptions and resource groups.


Cost Management

The Cost Management tab shows high level information about your cost and can be filtered by tag.


Usage + limits

Many Azure services have quotas, which are the assigned number of resources for your Azure subscription. Each quota represents a specific countable resource, such as:

  • The number of virtual machines you can create
  • The number of storage accounts you can use concurrently
  • The number of networking resources you can consume
  • The number of API calls to a particular service you can make

The Usage & limits tab shows resource this information about your subscriptions. To learn more about quotas, see Quotas overview.


Compliance

The Compliance tab helps you monitor policy compliance, the number of failures by resource, operation, and category.


Governance

Microsoft Defender for Cloud continuously assesses your hybrid and multicloud workloads and provides you with recommendations to harden your assets and enhance your security posture.

Central security teams often experience challenges when driving the personnel within their organizations to implement recommendations. The organizations' security posture can suffer as a result.

We're introducing a brand-new, built-in governance experience to set ownership and expected remediation timeframes to resolve recommendations.

Prerequisite: To use this governance report, you need to create security governance rules.

For more information, see Driving your organization to remediate security issues with recommendation governance in Microsoft Defender for Cloud.


Related content

Related FinOps capabilities:

Related products:

Related solutions: