Cloud Policy and Governance

The Cloud Policy and Governance capability

Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. It involves planning your initiatives and setting strategic priorities. Governance in Azure is primarily implemented with two services.

  • Azure Policy allows you to create, assign, and manage policy definitions to enforce rules for your resources. This feature keeps those resources in compliance with your corporate standards.
  • Azure Cost Management allows you to track cloud usage and expenditures for your Azure resources and other cloud providers.

Cloud policy and governance refers to the process of defining, implementing, and monitoring a framework of rules that guide an organization's FinOps efforts.

Define your governance goals and success metrics. Review and document how existing policies are updated to account for FinOps efforts. Review with all stakeholders to get buy-in and endorsement.

Establish a rollout plan that starts with audit rules and slowly (and safely) expands coverage to drive compliance without negatively impacting engineering efforts.

Implementing a policy and governance strategy enables organizations to sustainably implement FinOps at scale. Policy and governance can act as a multiplier to FinOps efforts by building them natively into day-to-day operations.

The Native Compliance Tracking and Enforcement Tools
  • Review your existing FinOps processes to identify opportunities for policy to automate enforcement. Some examples:
  • Identify what policies can be automated through Azure Policy and which need other tooling.
  • Review and implement built-in policies that align with your needs and goals.
  • Start small with audit policies and expand slowly (and safely) to ensure engineering efforts aren't negatively impacted.
    • Test rules before you roll them out and consider a staged rollout where each stage has enough time to get used and garner feedback. Start small.
Building on the basic set of policies across the organization
  • Formalize compliance reporting and promote within leadership conversations across stakeholders.
  • Map governance efforts to FinOps efficiencies that can be mapped back to more business value with less effort.
  • Expand coverage of more scenarios.
  • Consider evaluating ways to quantify the impact of each rule in cost and/or business value.
  • Integrate policy and governance into every conversation to establish a plan for how you want to automate the tracking and application of new policies.
  • Consider advanced governance scenarios outside of Azure Policy. Build monitoring solutions using systems like Power Automate or Logic Apps.
📌 3 Recommended FinOps Toolkit Workbooks
  • Governance Workbook is not just a monitoring tool—it's a FinOps operational enabler.
  • Embedding it into cloud financial management workflows ensures proactive cost control, policy adherence, and cross-team alignment.
  • Deploy all 3 recommended FinOps Toolkit workbooks for full coverage:
    • Governance Workbook
    • Cost Optimization Workbook
    • Orphan Resources Workbook

Align with FinOps best practices to enhance cost visibility, enforce compliance, and optimize resource usage across Azure cloud infrastructure.

TASK 1: Implement Azure Governance, Cost Optimization, and Orphan Resource Workbooks

Work Breakdown Structure (WBS) — Azure's cloud infrastructure governance implementation plan

Timeline: 8 weeks (May & June)
Working Hours: 2 hours/day, 5 days/week (~10 hours/week)

Phase 1: Discovery & Planning (Weeks 1–2: May 1–14, ~28–42 hours)

  • Identify stakeholders (Finance, Operations, Security, Application Owners).
  • Document business requirements, compliance needs, tagging standards.
  • Audit existing Azure environment (policies, RBAC, monitoring setup).

Phase 2: Infrastructure Readiness (Week 3: May 15–21, ~14–21 hours)

  • Provision foundational Azure services (Azure Monitor, Log Analytics Workspace, Cost Management, Resource Graph).
  • Set up dedicated governance resource group (rg-finops-governance).

Phase 3: Azure Policy Development & Enforcement (Weeks 4–5: May 22–June 4, ~28–42 hours)

  • Develop Azure policy baselines (tags enforcement, SKU restrictions, naming conventions).
  • Assign policy initiatives at Management Group level with automated remediation tasks.
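
One way to script the audit-first rollout of a tag baseline at management group scope, as an added example that is not part of the FinOps Toolkit or the original page. The definition name, the `req-tag-` assignment prefix and the three stage names are assumptions; each stage maps to an Azure Policy effect (`Audit` or `Deny`) plus the assignment's enforcement mode.

```shell
# Added example (not from the FinOps Toolkit): audit-first rollout of a
# required-tag policy. DEF_NAME and the "req-tag-" assignment prefix are
# hypothetical; management group ID and tag name are supplied by the caller.
DEF_NAME="require-tag-staged"

# The effect is a parameter, so Audit -> Deny is an assignment parameter change.
policy_rule() {
  cat <<'EOF'
{ "if":   { "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false" },
  "then": { "effect": "[parameters('effect')]" } }
EOF
}

policy_params() {
  cat <<'EOF'
{ "tagName": { "type": "String" },
  "effect":  { "type": "String", "defaultValue": "Audit",
               "allowedValues": ["Audit", "Deny", "Disabled"] } }
EOF
}

# Map a rollout stage to "<effect> <enforcement mode>".
stage_settings() {
  case "$1" in
    audit)   echo "Audit Default" ;;        # report only, nothing blocked
    dry-run) echo "Deny DoNotEnforce" ;;    # deny is evaluated, not applied
    enforce) echo "Deny Default" ;;         # non-compliant requests rejected
    *) echo "unknown stage: $1" >&2; return 1 ;;
  esac
}

# usage: apply_stage <stage> <management-group-id> <tag-name>
apply_stage() {
  stage=$1; mg=$2; tag=$3
  settings=$(stage_settings "$stage") || return 1
  effect=${settings% *}; mode=${settings#* }
  mg_scope="/providers/Microsoft.Management/managementGroups/$mg"
  az policy definition create --name "$DEF_NAME" --mode Indexed \
    --management-group "$mg" \
    --rules "$(policy_rule)" --params "$(policy_params)" &&
  az policy assignment create --name "req-tag-$tag" --scope "$mg_scope" \
    --policy "$mg_scope/providers/Microsoft.Authorization/policyDefinitions/$DEF_NAME" \
    --enforcement-mode "$mode" \
    --params "{\"tagName\":{\"value\":\"$tag\"},\"effect\":{\"value\":\"$effect\"}}"
}

# Runs only when invoked as: sh rollout.sh apply <stage> <mg-id> <tag-name>
if [ "${1:-}" = "apply" ]; then shift; apply_stage "$@"; fi
```

Run the `audit` stage first and review the compliance results before moving the same assignment to `dry-run` and then `enforce`; each call writes the assignment under the same name, so the new stage replaces the previous settings.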

Phase 4: Workbook Deployment & Customization (Week 6: June 5–11, ~14–21 hours)

  • Deploy and customize FinOps Toolkit Workbooks (Governance, Cost Optimization, Orphan Resources).
  • Tailor dashboards and tagging strategy for business unit alignment.

Phase 5: Operational Integration & Alerts (Week 7: June 12–18, ~14–21 hours)

  • Integrate Azure Monitor alerts (policy violations, cost overruns, orphaned resources).
  • Embed dashboards into team workflows with clear RBAC assignments.

Phase 6: Continuous Monitoring & Improvement Setup (Week 8: June 19–25, ~14–21 hours)

  • Schedule monthly governance and FinOps reviews.
  • Establish feedback loops for ongoing refinement.
gantt
title Azure Governance & FinOps Implementation Timeline (May–June)
dateFormat  YYYY-MM-DD
excludes    weekends
section Discovery & Planning
Stakeholder Identification :crit, 2025-05-01, 2025-05-07
Requirements :crit, active, 2025-05-08, 2025-05-14
section Infrastructure Readiness
Provision Azure Services :2025-05-15, 2025-05-21
section Policy Development & Enforcement
Policy Development :2025-05-22, 2025-05-28
Policy Assignment & Remediation :2025-05-29, 2025-06-04
section Workbook Deployment & Customization
Workbook Deployment :2025-06-05, 2025-06-11
section Operational Integration & Alerts
Monitor & Alerts Integration :2025-06-12, 2025-06-18
section Continuous Improvement
Monthly Reviews Setup :2025-06-19, 2025-06-25

TASK 2: Azure FinOps Best Practices by Service Type
  • Compute

    • Reserved Instances, Auto-Start/Stop schedules, VM rightsizing.
  • Database

    • Auto-Pause serverless databases, Elastic Pools, query optimization.
  • Networking

    • Clean up unused IPs, optimize network costs, firewall analytics.
  • Storage

    • Lifecycle management, delete unattached disks, replication strategies.
  • Web

    • Serverless hosting, selective Always-On, telemetry management.
  • General

    • Centralized cost management, strict tagging, budget alerts, CAF & WAF adherence.

🧭 Azure Governance Workbook

The Governance Workbook from the Microsoft FinOps Toolkit empowers enterprises to gain control, enforce accountability, and drive compliance in their Azure environments. It provides a centralised, policy-driven lens to observe and assess governance maturity across cost, resource, tagging, policy compliance, and ownership structures.

This aligns directly with the FinOps principles of visibility, optimisation, and accountability. When paired with FinOps cultural shifts (shared responsibility), this workbook becomes a critical control plane in enterprise FinOps operations.

🎯 Azure Governance Workbook Objective

Deploy, configure, and operationalise the Azure Governance Workbook to enable visibility and enforcement of governance standards across your enterprise Azure environment.

  1. Establish a unified reporting framework (Azure Workbook) for cost, compliance, and resource governance.
  2. Integrate seamlessly with FinOps processes—tagging, budgeting, rightsizing, and ongoing cost optimisation.
  3. Align with enterprise best practices (e.g. security controls, naming conventions, tagging standards).

🛠️ Pre-requisites

| Requirement | Details |
| --- | --- |
| Azure Subscription(s) | Contributor/Reader access (Reader is sufficient for workbook visualisation, Contributor for resource remediation) |
| Log Analytics Workspace | Required for telemetry ingestion |
| Azure Resource Graph (ARG) | Must be enabled for tenant-wide inventory queries |
| Permissions | Ensure role assignments to access billing, policy, tag, and RBAC data |
| Workbook Authoring Role | Workbook Contributor or Owner (Workbook Contributor allows you to import, save, and deploy the workbook; Reader allows you to view all the workbook tabs without saving) |

📦 Step 1: Deploy the Governance Workbook

This template creates a new Azure Monitor workbook for governance based on the Cloud Adoption Framework.

The governance workbook is an Azure Monitor workbook that provides a comprehensive overview of the governance posture of your Azure environment.

It includes the standard metrics aligned with the Cloud Adoption Framework for all disciplines and has the capability to identify and apply recommendations to address non-compliant resources.

📗 How to use this template

Once your workbook is deployed, you can use it by navigating to one of the following destinations:

  1. From Azure Monitor:
    • Select Workbooks in the menu.
    • Verify your subscription is selected in the Subscription filter.
    • Select the Governance workbook.
  2. From the resource group:
    • Select the workbook resource.
    • Select Workbook in the menu.
  3. From Azure workbooks:
    • Select the Governance workbook.
    • Select Workbook in the menu.

ℹ️ Pro tip: If you navigate to the workbook resource (2 or 3 above), consider adding the workbook as a favorite using the star icon to the right of the resource name to make it easier to find in the future. Favorite resources can be opened directly from the Resources > Favorite section of the Azure portal default home page.


Option 1: From Azure Portal
  1. Go to Azure Monitor > Workbooks.
  2. Click "Add workbook", then select "Gallery".
  3. Search for "Governance".
  4. Select the Governance Workbook (FinOps Toolkit).
  5. Click “Deploy to Workbook”, then select:
    • Subscription
    • Log Analytics Workspace
    • Resource Group (preferably FinOps/Platform RG)
    • Location (same as LA workspace)

Option 2: Manual ARM or Bicep Deployment (Advanced)

Clone repo:

git clone https://github.com/microsoft/finops-toolkit.git
cd finops-toolkit/src/workbooks/governance

Deploy ARM template (adjust parameters as needed):

az deployment group create \
  --resource-group my-finops-rg \
  --template-file governance-workbook.json \
  --parameters workbookDisplayName='Governance Workbook' \
              location='australiaeast'

🧩 Step 2: Configure Data Sources

Ensure the following are enabled and properly linked:

| Source | Purpose |
| --- | --- |
| Azure Resource Graph | Inventory, orphaned resources, policy compliance |
| Cost Management + Billing API | Budget insights, department-wise spend |
| Azure Policy & Blueprints | Compliance status |
| Tagging Strategy | Ownership and cost attribution |
| Azure Monitor Logs | Visual and time-series trends |

You may need to adjust KQL queries in the workbook to align with your internal tagging standards or custom policies.


🧮 Step 3: Validate Key Governance Sections

| Section | Description | Action |
| --- | --- | --- |
| Tag Compliance | Highlights missing critical tags (e.g., CostCenter, Owner, Environment) | Cross-reference with internal tag policy |
| Resource Ownership | Maps tagged Owner or Application values to resources | Validate ownership accuracy |
| Policy Compliance | Shows Azure Policy evaluations | Investigate non-compliant resources |
| Orphaned Resources | Detects unattached disks, idle IPs, unused NSGs, etc. | Mark for cleanup via Change Management Process |
| Cost Attribution | Maps cost to Business Units based on tags or Management Groups | Use as evidence in monthly chargeback reporting |
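
To cross-check the Tag Compliance and Orphaned Resources sections against the raw inventory, the queries below can be run directly against Azure Resource Graph. This is an added example, not taken from the workbook; the function names are hypothetical, the tag names are the ones listed in the table, and `az graph query` needs the Azure CLI `resource-graph` extension.

```shell
# Added example: Resource Graph queries to cross-check the workbook's Tag
# Compliance and Orphaned Resources sections. Function names are hypothetical.

# Build a KQL predicate that is true when any required tag is missing or
# empty. tostring() turns an absent key into "", so isempty() covers both.
missing_tag_predicate() {
  pred=""
  for tag in "$@"; do
    pred="${pred:+$pred or }isempty(tostring(tags['$tag']))"
  done
  printf '%s' "$pred"
}

# KPI per subscription: share of resources missing at least one required tag.
untagged_kpi_query() {
  printf '%s' "resources
| summarize total = count(), untagged = countif($(missing_tag_predicate "$@")) by subscriptionId
| extend pct_untagged = round(100.0 * untagged / total, 1)"
}

# Managed disks with no owning VM whose state is reported as Unattached.
orphaned_disk_query() {
  printf '%s' "resources
| where type =~ 'microsoft.compute/disks'
| where isempty(managedBy) and tostring(properties.diskState) =~ 'Unattached'
| project id, resourceGroup, subscriptionId, sizeGB = toint(properties.diskSizeGB)"
}

# Public IP addresses not bound to an IP configuration or a NAT gateway.
idle_public_ip_query() {
  printf '%s' "resources
| where type =~ 'microsoft.network/publicipaddresses'
| where isnull(properties.ipConfiguration) and isnull(properties.natGateway)
| project id, resourceGroup, subscriptionId, skuName = tostring(sku.name)"
}

# Runs only when invoked as: sh governance-checks.sh run
if [ "${1:-}" = "run" ]; then
  az graph query -q "$(untagged_kpi_query CostCenter Owner Environment)" -o table
  az graph query -q "$(orphaned_disk_query)" --first 1000 -o table
  az graph query -q "$(idle_public_ip_query)" --first 1000 -o table
fi
```

The `tags['Name']` lookup matches the key's exact casing, so a resource tagged `costcenter` is counted as missing `CostCenter`. The total may also include resource types that cannot carry tags, so the percentage can differ from the compliance figure Azure Policy reports.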

📘 Step 4: Integrate with FinOps Processes

  • Monthly Governance Review:
    • Automate export to PDF or PowerPoint
    • Schedule a Governance Council meeting
    • Present workbook insights to FinOps Stakeholders (Finance, CloudOps, Security)
  • Automated Notifications:
    • Use Azure Monitor Alerts or Logic Apps to:
      • Notify on new orphaned resources
      • Trigger budget threshold warnings
  • FinOps Dashboard Integration:
    • Embed selected workbook tiles into a shared Azure Dashboard
    • Segment views by Subscription, Region, or Business Unit

🧼 Step 5: Ongoing Maintenance & Maturity

| Task | Frequency | Owner |
| --- | --- | --- |
| Tag schema review | Quarterly | Platform / FinOps Lead |
| Workbook KQL adjustment | As needed | Cloud Architect |
| Policy refinement | Monthly | Security & Compliance |
| Cross-team workshop | Bi-monthly | Cloud Center of Excellence (CCoE) |
| Archive orphaned resources | Weekly or on-demand | InfraOps Engineer |

🌍 Best Practices

  1. Use Management Groups to segment cost views by division or strategic business units.
  2. Standardise tagging policy and enforce via Azure Policy with auditIfNotExists or modify.
  3. Track governance KPIs, such as % of untagged resources, orphaned resources count, and policy compliance trends.
  4. Tie workbook output to actionable remediation pipelines (e.g., Terraform, Bicep, Azure Automation).
  5. Align with CAF and Well-Architected Framework pillars, especially:
    • Cost Optimisation
    • Operational Excellence
    • Governance & Compliance

🔗 Resources