OBED OWUSU
Management group governance · Azure Policy · Bicep · Workbooks · Remediation

Cloud Policy Compliance Dashboard. Azure governance that can detect, visualize, alert, and automatically restore compliance.

This project evolved into a full Azure governance observability platform built at management-group scope. It starts with a custom Cloud Governance Baseline initiative in mg-platform, pushes policy states into a centralized governance resource group, visualizes non-compliance through a workbook, triggers alerts through Azure Monitor, and finishes with automated remediation that hardens Storage Accounts and returns them to compliant state.

Scope: mg-platform + LearningCloud subscription
Evidence: workbook, policy compliance, alerts, remediation
Outcome: detect → alert → remediate → restore compliance

[Architecture diagram for Cloud Policy Compliance Dashboard]
Architecture snapshot (full diagram included in package):

GitHub → Bicep deployment → mg-platform initiative assignment
→ rg-governance-core → Log Analytics + Workbook
→ Scheduled query alerts → Action Group email
→ Policy remediation task → Storage setting hardened → Compliance restored

What this platform solves

In many Azure estates, policy exists but operations stop at basic auditing. Non-compliance is visible only inside Policy blades, alerts are inconsistent, and remediation is manual. This project turns governance into an operational platform: policy definitions and initiative assignment are managed as code, workbook views make compliance visible, alert rules notify stakeholders when risky configurations appear, and a remediation task can automatically harden affected resources and return the estate to compliant state.

The baseline

Management-group governance instead of one-off subscription checks.

The core design centers on a custom Cloud Governance Baseline initiative at mg-platform. That baseline contains both an audit control and a remediation control for Storage Account exposure. A dedicated governance resource group in the subscription hosts the workspace, workbook, action group, and alert rules used to operationalize the signals.

  • Custom policy definitions and initiative deployed with Bicep.
  • Initiative assigned at management-group scope with managed identity.
  • Governance workspace centralized in rg-governance-core.
  • Workbook, alert rules, and action group convert policy output into usable operational evidence.

The finished story

A full governance lifecycle, not just compliance reporting.

The final build now supports the complete lifecycle: a non-compliant storage account is detected by Azure Policy, surfaced in the workbook, used to fire an alert, and then automatically remediated by the Azure Policy modify effect, running as the assignment's managed identity. The storage setting is changed, policy compliance returns to 100%, and the workbook reflects a clean state.


Business value delivered by the Cloud Policy Compliance Dashboard.

This platform turns Azure governance from passive policy reporting into an operational compliance workflow. It gives teams a repeatable way to define standards, detect drift, alert stakeholders, and automatically restore compliant configuration.

  • Standardized governance across Azure environments by deploying reusable policy definitions, initiatives, and assignments as code.
  • Reduced cloud misconfiguration risk by detecting risky Storage Account settings through Azure Policy at management-group scope.
  • Improved compliance visibility by centralizing policy state evidence into a Log Analytics-backed Azure Workbook dashboard.
  • Reduced manual reporting effort by presenting audit-ready compliance views, affected resources, and policy results in one dashboard.
  • Improved operational response by triggering Azure Monitor alerts and Action Group email notifications when non-compliance appears.
  • Reduced remediation effort by using Azure Policy modify remediation with managed identity to automatically harden affected Storage Accounts.
  • Proved a complete governance lifecycle: detect, visualize, alert, remediate, and verify compliance restored to 100%.

How the controls work together

This platform was intentionally built in layers so that every governance function could be evidenced independently. Policy enforces the standard. Diagnostic settings stream the subscription Activity Log. Workbook queries summarize policy state. Scheduled query alerts react to non-compliance. Remediation uses the assignment identity to correct a real resource property.

Detection + visibility
  • Custom audit policy flagged Storage Accounts with risky public network settings.
  • Activity Log diagnostic settings streamed Policy events into Log Analytics.
  • Workbook tiles visualized non-compliance by policy definition and listed affected resources.
  • KQL queries were kept in the repo so that workbook visuals and alerting logic stay aligned with code.
Response + correction
  • Azure Monitor log search alert triggered when policy states became non-compliant.
  • Action Group delivered email notification proving the alert path worked.
  • Managed identity was attached to the initiative assignment for modify remediation.
  • Final remediation policy automatically set allowBlobPublicAccess = false.

From Git push to restored compliance.

The architecture below follows the real journey of this build: infrastructure deployed with Bicep, policy assigned at management-group scope, telemetry and workbook resources deployed into the governance resource group, alerting validated against real policy states, and remediation executed through the Azure Policy modify effect and the assignment's managed identity.

Control-plane flow

  1. GitHub repository + Bicep modules (management group and subscription templates)
    The repo holds custom policy definitions, initiative wiring, assignment logic, workbook JSON, KQL queries, and subscription-scope governance modules.
  2. mg-platform baseline deployment (Azure Policy at management-group scope)
    Bicep deploys the custom audit policy, remediation policy, and Cloud Governance Baseline initiative to mg-platform, then assigns it with a system-assigned managed identity.
  3. rg-governance-core observability layer (subscription scope)
    A governance resource group hosts the Log Analytics workspace, workbook, action group, and log search alert rules.
  4. Diagnostic settings + Policy states (Activity Log to workspace)
    Subscription Activity Log categories, including Policy, are streamed to the workspace so activity-based validation and investigations become possible.
  5. Alerting + remediation (Azure Monitor + Azure Policy modify)
    Alert rules monitor policy state data, action groups deliver notifications, and remediation tasks automatically correct targeted storage properties when resources are eligible for modify-based correction.

Validation flow

  1. Create an intentionally non-compliant Storage Account
    Blob public access and storage exposure settings created a real policy violation.
  2. Force a policy scan and inspect Policy states
    The resource appeared as NonCompliant in Azure Policy and inside workbook queries.
  3. Validate alerting
    The non-compliance alert fired, was visible in alert history, and delivered an email notification via the action group.
  4. Grant the assignment identity RBAC
    Contributor was granted at subscription scope so the assignment's managed identity could perform modify remediation.
  5. Run remediation and verify the result
    Azure Policy remediation succeeded, changed allowBlobPublicAccess to false, and the storage account returned to compliant state.

How the platform was tested end to end.

The final validation was not theoretical. It used a deliberately non-compliant Storage Account, real policy scans, real workbook output, live alerting, and actual Azure Policy remediation. These are the exact proof points used to build the project story and deep dive.

  1. Deploy the management-group baseline
    Bicep deployed custom policy definitions, initiative, and assignment to mg-platform.
  2. Deploy governance resources
    rg-governance-core was created with workspace, workbook, action group, and alert rules.
  3. Create a violating Storage Account
    A Storage Account was created in the governance resource group with settings that triggered policy non-compliance.
  4. Run a policy scan and verify the workbook
    Policy state became non-compliant and the workbook donut/table showed the affected resources.
  5. Verify the alert fired and email was delivered
    The non-compliance alert rule triggered repeatedly and delivered a real email notification through the action group.
  6. Execute remediation
    A remediation task at management-group scope ran as the assignment's managed identity and corrected the storage setting.
  7. Verify the property changed
    CLI output confirmed allowBlobPublicAccess changed to false.
  8. Confirm compliance restored
    Policy state returned to compliant and the workbook no longer showed any non-compliant results.

Azure-native services and implementation building blocks.

The stack is deliberately Azure-focused and operations-heavy to reflect a real governance engineering workflow rather than a demo app. Every component supports either enforcement, telemetry, alerting, or remediation.

Control plane
  • Azure Policy custom definitions
  • Policy initiative at management-group scope
  • Bicep templates for management-group and subscription deployments
  • Managed identity policy assignment
Observability + response
  • Log Analytics workspace
  • Azure Workbook with KQL-backed visuals
  • Azure Monitor log search alert rules
  • Action Group email notifications
  • Azure Policy remediation tasks

Cloud Policy Compliance Dashboard

An Azure governance observability platform built with Bicep, Azure Policy, Log Analytics, Workbook dashboards, scheduled query alerts, and automated remediation.

Assignment scope: mg-platform management group
Governance RG: rg-governance-core
Workspace: law-governance-core
Alert path: Policy state → scheduled query alert → action group email
Remediation target: Storage Account blob public access disabled automatically
Final state: Workbook clear, policy 100% compliant

What broke during the build — and how it was fixed.

This project gained most of its value from real troubleshooting. The final platform story is stronger because the build encountered policy table issues, workbook query failures, alert rule limitations, and remediation design changes that had to be solved one by one.

Workbook query failed because the wrong table name was used

The first workbook and alert queries were written against PolicyResources, which failed inside the workspace. The fix was to switch the KQL logic to arg("").PolicyResources for workbook and alert use, and then validate the result directly inside the Log Analytics query editor.

  • Symptom: workbook tile error and alert query resolution failure.
  • Fix: use arg("").PolicyResources and re-deploy workbook JSON.
  • Outcome: donut chart, summary table, and alert query all worked from the same policy-state source.
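
The alert rule described above, written as an added Bicep example (not the project's own code) that embeds the arg("").PolicyResources query the fix settled on, so the alert and the workbook read the same policy-state source. The action group name, alert rule name and the use of a system-assigned identity on the rule (assumed to be what the cross-service arg() call evaluates under; grant it Reader over the queried scope separately) are assumptions; law-governance-core is the workspace named on this page.

```bicep
// Added example, not the project's code: a scheduled query alert in the governance resource
// group that fires when Azure Policy reports a NonCompliant state. It reads policy states through
// the cross-service arg("") table, the fix the page applied after plain PolicyResources failed.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param workspaceName string = 'law-governance-core' // workspace name from the page
param actionGroupName string = 'ag-governance-email' // hypothetical action group name

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { name: workspaceName }
resource emailGroup 'Microsoft.Insights/actionGroups@2023-01-01' existing = { name: actionGroupName }

// One query for the workbook donut/table and the alert, so dashboard and notification agree.
var nonCompliantQuery = '''
arg("").PolicyResources
| where type =~ 'microsoft.policyinsights/policystates'
| where tostring(properties.complianceState) =~ 'NonCompliant'
| project resourceId = tostring(properties.resourceId),
          policyDefinitionName = tostring(properties.policyDefinitionName),
          policyAssignmentName = tostring(properties.policyAssignmentName)
'''

resource nonCompliantAlert 'Microsoft.Insights/scheduledQueryRules@2023-03-15-preview' = {
  name: 'alert-policy-noncompliant' // hypothetical name
  location: location
  identity: { type: 'SystemAssigned' } // assumption: arg() evaluates under this identity; grant it Reader
  properties: {
    displayName: 'Azure Policy: non-compliant resources detected'
    severity: 2
    enabled: true
    scopes: [ law.id ]
    evaluationFrequency: 'PT1H' // policy state refreshes slowly; polling faster adds no signal
    windowSize: 'PT1H'
    criteria: {
      allOf: [
        {
          query: nonCompliantQuery
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0 // any non-compliant row fires
          failingPeriods: { numberOfEvaluationPeriods: 1, minFailingPeriodsToAlert: 1 }
        }
      ]
    }
    autoMitigate: true // resolves once remediation returns the query to zero rows
    actions: { actionGroups: [ emailGroup.id ] }
  }
}
```
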
Activity-based alerting looked correct in theory but failed in practice

The project explored a second alert path based on AzureActivity and Policy-related Activity Log records. That path turned out to be unreliable for the specific management-group validation story because the expected policy assignment events were not consistently landing in the workspace in a way the alert rule could use.

  • Symptom: activity alert deployed but never showed history.
  • Fix: keep the validated non-compliance alert as the production evidence path and treat activity alerting as an explored but non-final branch.
  • Outcome: the project story stayed truthful and the proven alert path remained the workbook/policy-state based alert.
The first remediation design targeted the wrong property for reliable modify remediation

The original Phase 5 idea was to modify Storage firewall behavior more directly, but the live behavior showed that the remediation control did not produce a reliably remediable target. The remediation policy was redesigned to target allowBlobPublicAccess, which gave a clean modify-based remediation path and a clear, verifiable configuration change.

  • Symptom: remediation task accepted but discovered no deployments or left the resource unchanged.
  • Fix: replace the remediation definition with a modify policy that sets allowBlobPublicAccess = false.
  • Outcome: remediation succeeded with two deployments and the storage configuration changed automatically.
Remediation also required the assignment identity and RBAC to be correct

Modify remediation could not be added cleanly until the management-group initiative assignment had a system-assigned managed identity. After that identity existed, it still needed subscription-scope RBAC before the remediation task could actually execute successfully.

  • Symptom: initiative update and remediation behavior blocked by identity requirements.
  • Fix: recreate assignment with managed identity, grant Contributor at subscription scope, then run remediation again.
  • Outcome: Azure Policy remediation executed successfully and restored compliance.
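
The remediation design the last two sections arrive at, as an added Bicep example (not the project's own templates): a custom Modify policy that sets allowBlobPublicAccess = false, the initiative that wraps it, and the mg-platform assignment created with a system-assigned managed identity. Definition and assignment names are hypothetical; the Contributor grant at subscription scope that the page describes is done separately against the output principal ID.

```bicep
// Added example, not the project's Bicep: a custom Modify policy that sets
// allowBlobPublicAccess = false, the initiative that wraps it, and the mg-platform
// assignment with a system-assigned managed identity. Names are hypothetical.
targetScope = 'managementGroup'
param location string = deployment().location // an assignment with an identity needs a location
var storageField = 'Microsoft.Storage/storageAccounts/allowBlobPublicAccess'
// Built-in Contributor, the role the page granted; a narrower role that can write storage accounts also satisfies Modify.
var contributorRoleId = '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'

resource disableBlobPublicAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'modify-storage-disable-blob-public-access'
  properties: {
    displayName: 'Storage accounts: disable blob public access (Modify)'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          // Flag the account when the property is missing or anything other than false
          { anyOf: [ { field: storageField, exists: 'false' }, { field: storageField, notEquals: 'false' } ] }
        ]
      }
      then: {
        effect: 'Modify'
        details: {
          roleDefinitionIds: [ contributorRoleId ]
          operations: [ { operation: 'addOrReplace', field: storageField, value: false } ]
        }
      }
    }
  }
}
resource baseline 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'cloud-governance-baseline'
  properties: {
    displayName: 'Cloud Governance Baseline'
    policyType: 'Custom'
    policyDefinitions: [ { policyDefinitionId: disableBlobPublicAccess.id, policyDefinitionReferenceId: 'disableBlobPublicAccess' } ]
  }
}
resource baselineAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'cloud-governance-baseline'
  location: location
  identity: { type: 'SystemAssigned' } // the identity Modify remediation runs as
  properties: { displayName: 'Cloud Governance Baseline', policyDefinitionId: baseline.id }
}
// Grant this principal Contributor at subscription scope (as the page did), then start the remediation task.
output assignmentPrincipalId string = baselineAssignment.identity.principalId
```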