Under pressure to transform digitally, innovate and reduce time to market, enterprises have been moving many of their workloads into the cloud. However, managing hundreds or even thousands of applications in the cloud proves very challenging.

By moving to the cloud, engineers gain agility and speed, but enterprises often find it very hard to keep the cloud environment secure and compliant, control cloud infrastructure costs and meet their operational requirements. This is why many enterprises sacrifice speed for the sake of control.

Of course, control is needed, but if you sacrifice speed you deprive yourself of what would be your competitive advantage. In a competitive market you need both speed and control.

Azure introduces a number of cloud-native governance capabilities so that an enterprise can keep control over its cloud environment without sacrificing development speed. By using these tools, you can have the cloud platform enforce control automatically on your behalf, without you having to act as the gatekeeper. Engineers can then have direct, fully self-service access to the cloud services they need, which is crucial to achieving agility and speed.

Subscription
To support true self-service, subscriptions governed by management groups, blueprints and policies should be aligned with applications or workloads. This approach provides a high level of isolation between workloads, reduces your blast radius and improves security. However, it also means that enterprises may have to manage hundreds or, in some cases, even thousands of subscriptions, depending on the size of their application portfolio.

Management Group

This fundamental concept sits on top of subscriptions to help you organise them in a structured, hierarchical fashion. Everything you define for your entire cloud environment hangs off the management group hierarchy. Enterprises should typically create a management group hierarchy that reflects their organisational structure to division level.

Policy
The main control mechanism for enforcement and compliance. It is integrated with management groups and allows you to set up your guardrails in a structured manner. Policies offer real-time enforcement, compliance assessment and remediation at scale. The new concept of VM guest policies can even enforce compliance within virtual machines.
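To make the enforcement and compliance-assessment behaviour concrete, here is an added example (not code from the original article or from Azure itself) that evaluates a policy rule written in the Azure Policy "if/then" format against a few constructed resources. The evaluator is a deliberately simplified stand-in for the platform's engine: it supports only the `field` conditions `equals`, `in` and `notIn` and the `[parameters('...')]` expression, and the resource records and parameter values are constructed sample data.

```python
"""Simplified local evaluation of an Azure Policy rule (added example)."""

# Policy rule in the Azure Policy definition format: deny any resource whose
# location is not in the assignment's allowedLocations parameter.
POLICY_RULE = {
    "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
    "then": {"effect": "deny"},
}

# Parameter values as they would be supplied on the policy assignment
# (constructed values for this example).
ASSIGNMENT_PARAMETERS = {"allowedLocations": ["westeurope", "northeurope"]}


def resolve(value, params):
    """Resolve the [parameters('name')] expression used inside rules."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        name = value[len("[parameters('"):-len("')]")]
        return params[name]
    return value


def condition_matches(cond, resource, params):
    """Evaluate a single field condition (only the operators this example supports)."""
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, rule=POLICY_RULE, params=ASSIGNMENT_PARAMETERS):
    """Return the effect the rule applies to a resource, or 'compliant' if it does not fire.

    A 'deny' effect blocks new deployments; for resources that already exist
    it is what the compliance assessment reports as non-compliant."""
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"]
    return "compliant"


# Constructed sample resources, shaped like records a Resource Graph query returns.
SAMPLE_RESOURCES = [
    {"name": "vm-app1", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "st-app2", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]


def compliance_report(resources=SAMPLE_RESOURCES):
    """Map each resource name to the effect the rule produced for it."""
    return {r["name"]: evaluate(r) for r in resources}
```

Assigning the same rule once at a management group applies this evaluation to every subscription beneath it, which is how a single guardrail scales across hundreds of workload subscriptions.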

Blueprints
A concept designed to help you set up a cloud environment that is governed in a repeatable manner. It combines a number of artefacts, such as ARM templates, policies, resource groups and role assignments, in a declarative document for a complete environment setup.

Subscriptions governed by blueprints can then be handed out to application teams. This can dramatically reduce the time required to put cloud applications into production.

Blueprints should be stored on the management group level so that they can be applied to subscriptions created under the management groups and reused in a consistent way.

Resource Graph

A tool that provides visibility at scale over your whole cloud infrastructure across multiple subscriptions.