Landing zone lifecycle management tools (preview)

Important

This is a preview feature. This information relates to a prerelease feature that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

This article gives you an overview of the new landing zone lifecycle management tools and enhancements provided through Microsoft Cloud for Sovereignty on GitHub. The plan is to continually improve their efficiency, reliability, and compliance capabilities to better meet the evolving needs of customers. The landing zone lifecycle management tools are:

  • Assessment: This tool performs a predeployment evaluation of Azure resources, such as their locations and Azure policy assignments, against established best practices.
  • Policy Compiler: This tool streamlines the policy management process. It systematically analyzes your organization's policy initiatives by examining key components.
  • Drift Analyzer: This tool monitors and compares the current state of the cloud environment with its original intended landing zone configuration. It identifies critical deviations or changes.
  • Resource Locations: This tool reports the Azure resource location information as provided by your Azure subscription.

Assessment

The Assessment tool provides a predeployment evaluation of Azure resources, such as their locations and Azure policy assignments, against established best practices. The tool assesses various aspects of a cloud environment, such as:

  • The Sovereign Landing Zone (SLZ) Baseline policy assignment.
  • The usage of Custom policy initiatives usage.
  • The individual policy assignments.

The tool gives you recommendations based on the severity of the findings. The recommendations are categorized as:

  • Best: Assign the SLZ Baseline policy initiative.
  • Better: Assign policies from the SLZ baseline in a custom initiative or another built-in initiative.
  • Good: Individually assign policies that are a part of the SLZ Baseline policy initiative.

Categories

The tool evaluates each of the following categories and gives severity levels based on findings.

  • Allowed locations
  • Confidential Computing (if selected at time of assessment)
  • Customer-managed keys
  • Architecture

Severity levels

The tool groups the category evaluation findings by the following severity levels:

Severity Finding
High Policy isn't found.
Medium Policy is assigned individually.
Low Policy is assigned as part of an initiative (not the baseline).
Informational Management groups aren't being used.
None No finding if the Baseline policy isn't assigned.

Policy Compiler

In the complex landscape of regulatory compliance, organizations face the challenging task of managing overlapping and conflicting policy initiatives. The Policy Compiler tool streamlines the policy management process. It systematically analyzes your organization's policy initiatives by examining key components, such as display names, descriptions, parameters, and effects.

The tool compares these elements across different policies and detects redundancies, conflicts, and gaps. It then uses this analysis to provide a set of recommended, reconciled policy initiatives that align with customers’ specific compliance needs, making policy management more efficient and reliable.

Use case example

Imagine Policy Compiler as a dedicated assistant who meticulously reviews all your policy documents, identifies any overlaps or contradictions, and then advises you on the best course of action. Whether you need to harmonize data protection policies across different jurisdictions or align security measures with varying industry standards, Policy Compiler helps creating a cohesive and clear policy framework.

Current features of the Policy Compiler

The current prototype of the Policy Compiler tool provides you with access to all built-in and custom Azure policy initiatives at their root scope. The tool helps you to consolidate all unique policies from selected initiatives into a single custom initiative. In the process, the tool gives you a comprehensive overview and simplification of the policy landscape.

Drift Analyzer

The Landing Zone Drift Analyzer tool monitors and compares the current state of the cloud environment with its original intended configuration. It identifies any critical changes or deviations that might affect your environmental integrity and compliance. These changes might be intentional or unintentional.

Drift Analyzer access information

For access, a public preview is available for users to check drift against a standard SLZ configuration. You can access the public preview from Cloud for Sovereignty quickstarts. Additionally, you can request the private preview, using which you check the drift against a registered landing zone, from this page.

Important

The public preview of Drift Analyzer offers limited functionality compared to the private preview.

Deviation categories

You can categorize the intentional or unintentional deviations that the tool identifies as follows:

  • Severity: Classifying the effect of changes by severity levels helps prioritize actions.
  • Management groups: Changes to management groups might result in security and compliance risks.
  • Policy initiative assignments: Modifications to policy assignments can cause operational risks.
  • Policy parameters: Modifications to policy parameters can cause operational risks.
  • Allowed locations: Changes to allowed locations can compromise security or compliance.
  • Log retention: Changes to log retention policies risk can cause data loss or noncompliance.
  • Severity changes: Changes to severity levels might lead to missed critical change notifications.
  • Management Group hierarchy: Changes to management group hierarchies can increase security risks.

Resource Locations

The Azure Resource Locations displays essential details of all resources within the selected subscription, including Resource Location, Resource Name, and Resource ID, facilitating a comprehensive view of resource distribution within the environment. This information can be displayed in a table and visually represented on a map.

This information was formerly part of the Assessment tool but has now been moved into its own area as we build out further functionality.

See also