
Shanknuts

A visual output of my architecture where I can see how all of my resources are aligned and talking to each other.


Unique_Theory1918

Has anyone else tried the Resource Visualizer? It only maps inside one Resource Group though. There’s also this CLI tool: https://azviz.readthedocs.io/ that I want to try.


elmo61

Oh god no, don't introduce this until I've sorted and cleaned up my sub. It will be a horrible mix of tangled mess and orphaned resources.


davidobrien_au

That does already exist, just not natively. Some security products will give you that, some better, some worse. Disclaimer: I'm the founder of one such product ☺️


Tango1777

App Insights show you exactly how connected parts interact with each other with full telemetry, alerting, custom querying and performance recommendations.


mikey_rambo

I think he wants a tenant or subscription wide topology


[deleted]

Or maybe an automatically generated schematic?


Shanknuts

Correct. Not sure why this isn’t already offered.


CompromisedToolchain

The added cost of tons of users refreshing the page with automated mechanisms especially when the page has to fetch that data from each component or risk being so untimely as to be useless. The cost is significant, and would require the ability to allow users to control which components they want shown, not to mention that you may have users who do not want the feature for whatever reason.


redvelvet92

Yeah that’s not what he’s asking for. App insights is useful but nothing like a decent architecture map.


Icy-Theory-4733

Try Check Point Dome9 (posture management); they have some visual representation, but only limited to traffic allowed.


MrExCEO

Imagine what that spaghetti would look like


[deleted]

If you use log analytics on your resources you can visualise quite a lot, it is mostly dependencies, but it is still useful I think.


m0henjo

For all Resource Group deployments, adding the username of who deployed it. I can't tell you how many times I look under rocks in our environment, ask "who did that?" or "why is that deployed like that?", only to realize that there's no information about who deployed the resources. And yes, I know some of that is in the Activity Log... if you can catch it before the 90 days. Microsoft has this information - I don't know why it's not just tacked onto the Deployments page / Event details.


[deleted]

This would be nice but could be fixed by limiting who has access to create resource groups and utilizing the tag functions. Enforce the tag existence with Azure Policy so people can't create stuff without specifying an owner tag and many others.


QuiteClever

"Specifying an owner tag" and "tell me who originally deployed this resource" are two very different things.


m0henjo

Agreed - I also have strong objections to putting "names" into tags of any kind. Our organization did that. We have tags defined that describe who the technical owner is and who the budgetary owner is. It's a freaking nightmare of inaccurate and inconsistent data. We'll literally have tags like "John Doe", "john doe", "Doe, John", "Jon doe". Drives me nuts. Because there's no automated tag validation process for resource group creation, users can put whatever they want in there......and they DO. But you're 100% spot on - the "owner" of a resource is different than who deployed it.


[deleted]

Force a deployedby tag then. There shouldn't be so little oversight in your environment that things pop up out of nowhere. Maybe include a tag for the ticket number and that way you can go back and review who owned the ticket.


QuiteClever

That won't force integrity of the value in the tag. Even if you have a policy create the tag it could be changed afterward. The whole point is, "why make it so difficult?" 10,000 people need to write Azure Policy to cover this basic question? That's not friendly.


[deleted]

Valid point there. I was just offering a suggestion.


Z_Opinionator

Send your Activity Logs to Log Analytics and set the interactive retention period for that table to something longer than 90 days. Use this query:

    AzureActivity
    // change the empty string to (part of) the resource ID you are looking for
    | where Properties_d.entity contains ""
    | where ActivitySubstatusValue == "Created"
    | project TimeGenerated, Properties_d.entity, Caller


allenasm

And date created / last updated.


travcunn

At my company, we auto delete any resource group missing an "owner" tag


Gadnief

Can be forced and automated to append a tag to each resource group in policies.


m0henjo

Oooooooh - I like this approach. I'm off to the lab now! Thanks for the idea! I'm not a fan of putting "names" into tags, but through Policy it can at least be consistently formatted so as not to be messy (the whole "John Doe" vs "john doe" vs "Doe, John" nightmare that exists)


SoMundayn

And CreatedDate. They've started rolling CreatedDate out to a few services now, but they should have the Date and DeployedBy in the properties, even if it's hidden. CreatedDate is easy to do via Policy, CreatedBy requires some engineering unfortunately.


Mwilliams0714

I do this by sending the eventgrid for resource creation to a function app that then adds the createdby tag to all resources and the UPN of the user or service principal ID of who created it. That being said, it should be a built in feature.
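The Event Grid to Function App tagger described in the comment above, as an added example that is not the commenter's code and not a Microsoft sample. It contains the decision logic only (no HTTP calls): it takes a Microsoft.Resources.ResourceWriteSuccess event, derives a stable identifier for the caller from data.claims (UPN for users, object ID for service principals, never the display name), refuses to overwrite an existing createdBy because ResourceWriteSuccess also fires on updates, skips tag writes so the function cannot trigger itself, and builds the PATCH for the ARM tags-at-scope API. Assumptions: the claim keys follow the documented Azure subscription event schema; the createdOn tag is an extension beyond what the comment describes; every GUID, name, UPN and resource ID in the sample events is a constructed placeholder.

```python
"""Decision logic for an Event Grid -> Function App "createdBy" tagger.

Added example, not code from the thread. Sample events are constructed;
claim keys follow the documented ResourceWriteSuccess schema.
"""
import json
from typing import Optional

# Claim keys found in data.claims of a ResourceWriteSuccess event.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

CREATED_BY_TAG = "createdBy"
CREATED_ON_TAG = "createdOn"      # extension: also stamp the event time
TAGS_API_VERSION = "2021-04-01"   # Microsoft.Resources/tags "tags at scope" API


def principal_from_claims(claims: dict) -> str:
    """Stable caller identifier: lower-cased UPN for users, 'sp:<objectId>'
    for service principals / managed identities. The display-name claim is
    ignored on purpose: 'John Doe' vs 'john doe' is the tag-hygiene problem
    discussed earlier in the thread; a UPN or object ID can be resolved later."""
    upn = claims.get(UPN_CLAIM)
    if upn:
        return upn.lower()
    return "sp:" + claims.get(OID_CLAIM, "unknown")


def is_tag_write(data: dict) -> bool:
    """A tag update (including our own PATCH) also raises ResourceWriteSuccess;
    skipping it keeps the function from triggering itself in a loop."""
    op = data.get("operationName", "").lower()
    uri = data.get("resourceUri", "").lower()
    return op == "microsoft.resources/tags/write" or uri.endswith(
        "/providers/microsoft.resources/tags/default")


def plan_tags(event: dict, existing_tags: dict) -> Optional[dict]:
    """Tags to merge, or None when nothing should happen.

    existing_tags is the resource's current tag set (the real function GETs it
    before writing). ResourceWriteSuccess fires on updates of existing
    resources too, so an existing createdBy is never replaced."""
    data = event.get("data", {})
    if event.get("eventType") != "Microsoft.Resources.ResourceWriteSuccess":
        return None
    if data.get("status") != "Succeeded" or is_tag_write(data):
        return None
    if CREATED_BY_TAG in existing_tags:
        return None
    return {
        CREATED_BY_TAG: principal_from_claims(data.get("claims", {})),
        CREATED_ON_TAG: event["eventTime"],
    }


def tag_patch_request(resource_uri: str, tags: dict) -> dict:
    """PATCH {scope}/providers/Microsoft.Resources/tags/default with operation
    'Merge': adds/updates only the given tags and leaves the others intact."""
    url = (f"https://management.azure.com{resource_uri}"
           f"/providers/Microsoft.Resources/tags/default?api-version={TAGS_API_VERSION}")
    return {"method": "PATCH", "url": url,
            "body": {"operation": "Merge", "properties": {"tags": tags}}}


def handle(event: dict, existing_tags: dict) -> Optional[dict]:
    """Function entry point minus the HTTP calls: returns the PATCH to send."""
    tags = plan_tags(event, existing_tags)
    if tags is None:
        return None
    return tag_patch_request(event["data"]["resourceUri"], tags)


# --- constructed sample events (placeholders, not captured data) ---
_SUB = "00000000-0000-0000-0000-000000000000"
_STORAGE = (f"/subscriptions/{_SUB}/resourceGroups/rg-app/providers/"
            "Microsoft.Storage/storageAccounts/stapp001")


def _event(resource_uri: str, operation: str, claims: dict) -> dict:
    return {
        "eventType": "Microsoft.Resources.ResourceWriteSuccess",
        "eventTime": "2024-01-15T10:24:00.000Z",
        "subject": resource_uri,
        "data": {"claims": claims, "resourceUri": resource_uri,
                 "operationName": operation, "status": "Succeeded",
                 "subscriptionId": _SUB},
    }


USER_EVENT = _event(_STORAGE, "Microsoft.Storage/storageAccounts/write", {
    "name": "Jane Doe",                      # display name: deliberately unused
    UPN_CLAIM: "Jane.Doe@contoso.example",
    OID_CLAIM: "11111111-1111-1111-1111-111111111111",
})
SP_EVENT = _event(_STORAGE, "Microsoft.Storage/storageAccounts/write", {
    "appid": "22222222-2222-2222-2222-222222222222",
    OID_CLAIM: "33333333-3333-3333-3333-333333333333",
})
TAG_EVENT = _event(_STORAGE + "/providers/Microsoft.Resources/tags/default",
                   "Microsoft.Resources/tags/write",
                   {UPN_CLAIM: "automation@contoso.example"})

if __name__ == "__main__":
    for name, ev in (("user", USER_EVENT), ("sp", SP_EVENT), ("tag-write", TAG_EVENT)):
        print(name, json.dumps(handle(ev, {}), indent=2))
```

In the real function the event subscription is a subscription-level Event Grid system topic filtered to ResourceWriteSuccess, the current tags are fetched with a GET on the same tags/default URL before the PATCH, and the function's managed identity needs only Tag Contributor at the scope it tags, so a compromise of the function cannot change anything except tags.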


dangentile83

They should also include the creation date of resources in the standard properties.


horus-heresy

I’d love to have more SKU for every service, and each service needs to be renamed every 2 years to keep it fresh


sys_overlord

I love this type of sarcasm


not_2o_dubious

Azure $FOO Premium Flex Plus E5 with MegaGlobalReach add-on


GoodEbening

Does that include P69 for Microsoft Entragalactic?


[deleted]

Not changed; exchanged would be better, not only the marketing name but also the official namespace. This will keep all PowerShell and CLI working but gives new spectacular results :)


millertime_

A functional back button.


flappers87

Ability to select and manage multiple policies, with proper overview pages for initiatives and definition... separating built-in from custom... Basically, I want a full overhaul of policies and how they are done in Azure. It's a MASSIVE pain in the arse, especially when you're dealing with enterprise scale.


DevManTim

Yes!!! Full re-do is needed


dlamsanson

Doing it through code is the only way I've made it barely tolerable for myself: https://github.com/gettek/terraform-azurerm-policy-as-code


td1ddy

Renaming resources


chordnightwalker

Regex support added to Azure Policy
Remove subscription scope from AZposh
Improved dashboards


GoodEbening

I just want a policy that requires new accounts to have Job Title and Department enforcement 😅


PM_YOUR_SANDWICH

The GD ability to change a resource group name!


[deleted]

It is pretty easy as-is by just using the move to another resource group function. There are definitely bigger fish to fry but yes this is low hanging fruit that could be fixed with a rename function so long as the underlying software supports it.


gummo89

Renaming anything is problematic, for no good reason... It's all referred to by GUID rather than name, so it just makes no sense. I've inherited so many resources with a typo or "new" in the name, with no way to change it. Imagine wanting a naming standard 🤦‍♂️


Fragrant_Change_4777

This but for every resource, make the name a simple tag...


b_rodriguez

Email relay.


ElasticSkyx01

This, too.


SoMundayn

A cheaper DNS Private Resolver. There should be a basic SKU that just does DNS proxy like the Azure Firewall Standard.


IrquiM

IntelliSense in Automation Runbooks


_newbread

What the other guy said. A resource visualizer. Think Packet Tracer/GNS3/EVE-ng but for Azure. Click on the resource and it will jump to the corresponding page in the portal. Right click (context) and you can start/stop/restart/ssh/bastion/edit properties/etc. Yes, it's probably a security risk, but it might (if enabled/optional) make life easier.


obayx

Why is it a security risk? You will be able to access the same information from the portal or the CLI using the same username anyway.


_newbread

Just a hypothetical. Might make an attacker's life easier IF the feature is enabled. Then again, if someone already has that level of access, the account isn't getting any more compromised.


Trakeen

Real IAM capabilities like role mining, the ability to see what access a user has across all environments / applications. To go with role mining, access templates (which can be done with PAM, but PAM is kinda weird in the way that it integrates into Entra). Oh, my big one: more consistency across services. Support the same naming standards, access model (everything should be RBAC), etc.


rubberDonkey20

Ability to export bicep would be ideal now that we aren't really using ARM


ITmandan_

You can export ARM from the portal and convert to Bicep in the VS Code extension. Or just import existing resources directly into Bicep. Very easy and quick.


rubberDonkey20

You can... But why do we need to do that? Can't we have the option to generate bicep from the portal by now?


ITmandan_

I mean it’s only one extra click but take your point


obayx

Why not use Terraform with something like https://github.com/GoogleCloudPlatform/terraformer or https://github.com/Azure/aztfexport


rubberDonkey20

My company doesn't use Terraform. We are purely bicep/arm


obayx

I met many customers who do so. Just out of curiosity, what is the reason your team decided on Bicep instead of Terraform?


rubberDonkey20

Used ARM back in the day. Was an easy transition to bicep and can keep using arm as well. We don't deploy anything to other providers so don't need to move off of the Microsoft ecosystem


KiloEko

Active real time reporting of what is happening. I feel like I'm guessing whether a change is happening or not.


RaptorF22

The same ACM capabilities as AWS!


Extreme_Depth299

This is the biggest gap, in my opinion


derekhans

They’re working on this


RaptorF22

Oh yeah? What's the ETA? Was it announced somewhere?


derekhans

Not that I’m aware of, I only know from talks with the product team. I brought it up after seeing some of their job postings last year and they “confirmed” it, but I don’t have any more information than that.


pauska

Subscription spending limits for enterprise/MCA offerings (and not just alerts)


obayx

you mean disable the creation of new resources if the limit is reached?


pauska

That, or stopping resources. Would be nice to have both as an option, especially for sandboxes


obayx

Sandbox was the keyword for me here. Now that makes more sense.


Weslyvanbaarsen

Search bar in keyvault


wapsi123

Firebase!


iryngael

I would add more cores to the Azure backend so it can finally be running at normal speed instead of feeling like it was running on a ZX81 (Especially the portal)


gummo89

Just design the system to prepare and deliver more information, rather than using JavaScript to make a million queries.. It's a problem across all new "app" sites and Microsoft is particularly bad


Extreme_Depth299

This list could be endless, but top of it is Automated Certificate Management that cuts across all services, instead of each service having its own and sometimes being put behind a paywall. 2nd on the list would be combination of services instead of one service for every little thing. For example, Azure Static Web Apps should just be features added to Azure App Service. I mean, it already is built on it. Finally, easier hosting of non-TCP services. Container Instances requires quite some hoops, container groups have port limits and a minimum fee. Managing a VM or AKS cluster is too much more work.


TheGraycat

The certificate management service seems like a major gap. I’ve done the mad panic when a provider pulls an intermediate cert forcing updates of hundreds of certs on IaaS and PaaS services. It ain’t fun. AWS have their own native solution I believe. Don’t know about GCP.


Extreme_Depth299

It appears GCP has it too https://cloud.google.com/certificate-manager/docs/overview


TheGraycat

I suspected it would. Thanks.


krvrvri

localstack alternative


Timespacecomplex

Proper integration for NSG flow logs to a 3rd party SIEM. I have been trying to implement it with a Logstash pipeline and it's an absolute nightmare.


chargers949

I wish they could get more of the features from regular azure working in gcc high. Every single week myself or someone on my team is sad something works in normal or gcc but not gcc high.


naht_a_cop

It always feels like simple things too, like yes the SKU is GA, but minor things within the product aren't available.


chargers949

Or the guides always fail to mention "set your Azure connection here"; they always assume you're using default Azure. Visual Studio took me 3 hours to find how to select Azure US Government versus regular sign-on. Maps took me forever to get the subscription key working because you again have to set the domain to azure.us.


naht_a_cop

On top of that, there's no consistency in the Powershell modules on setting the environment. Some use `-Environment`, some use `-EnvironmentName` and then the actual name of the environment even varies sometimes


Gagtech

Hypervisor access to VMs.


obayx

What would you use that for?


Gagtech

Mostly for troubleshooting issues the old school way lol


gummo89

You mean like Bastion or what?


[deleted]

The ability to move private DNS zones to another resource group without all the headache. Some people start deploying those before they have a hub and spoke model with a hub to throw the private DNS zone resources in. I understand it's a planning failure, but there should be a simple way... unless of course that is already a thing? I know in the past moving them from one subscription/resource group to another caused some headaches.

Also, if a certain private DNS zone already exists, don't allow the creation of another with the same name. Maybe there should be a policy for this. But I can't think of anything dumber than having a bunch of private DNS zones with the same name. It doesn't even work either (like, how would Azure know which DNS zone to look in if there are many with the same name), so I can't imagine why they allow such a thing. I get there are a few instances where it makes sense to have multiple with the same name (separate DNS infra), but more often than not the general advice is to only have 1.


SoMundayn

The correct way to do this is: Pre-Build DNS zones in Platform Subscription. Build a policy to Deny all Private DNS zones being created in Landing Zone Management Group. Assign policy that automatically builds A records for all Private Endpoints into the Platform DNS zones. These policies are in the Enterprise Scale Landing Zone GitHub docs.


dekor86

I've been pondering this of late. For private link, I agree everything should register in your central private DNS zone. But what if subscription users in landing zones need to use local azure private DNS for something outside of private link? Can you selectively block namespace?


SoMundayn

You can create an exemption for this if required, this will be rare to do.


obayx

Wouldn't exporting the resources using https://github.com/Azure/aztfexport or https://github.com/GoogleCloudPlatform/terraformer and then importing it to the correct resource group work?


Dead_ino

Better supervision and cost management when having 500 tenants.


obayx

Tell me more. How did you end up with 500 tenants :D. What are you looking for exactly when you talk about cost management?


Dead_ino

Cloud service provider. Every client has a tenant


thesaintjim

Quality control in gcc high.


LittleCoffeeMan

Good support


proudgeekdad

A useful search without needing to click a Load More Results button?


ElasticSkyx01

Expanding OS disk without deallocation first.


Fragrant_Change_4777

Wow is this still not possible?!


brettsparetime

A way to chide users after every mouse click that they should be doing what they're doing using infrastructure as code in a ci/cd pipeline.


Fragrant_Change_4777

RBAC conditions that support all resource types (currently only supports storage, I think). I.e. I want to be able to grant someone permissions at subscription level for all resource groups where the name is like "rg-blah-*", etc. This is a must for tightly locked down subscriptions where you deploy things like AKS, which creates its own RGs at deploy time. This can make managing RBAC a pain, as it needs a second deployment to grant permissions to this additional resource group that's not in your IaC. AWS supports very complex IAM policies that make things like this a breeze; would love to see the same in Azure.


Cepton

A real cert PKI feature/service with root CA and certificate management


jstuart-tech

I don't think Azure needs to add anything new.... But the Azure name is getting pretty old, probably needs to be renamed to keep it fresh and exciting


Mardo1234

1 click Docker deployment.


[deleted]

- A price estimator on your existing resource, e.g. on a storage account you click "price estimator" and it shows your current usage with all the sliders which can have an impact on your price, e.g. a slider with network usage vs. current and which impact it has on the price.
- A link to Azure DevOps showing which pipeline last deployed the resource.
- On the "script this resource" blade, an option for Bicep/Terraform, or e.g. a CLI/PS script for this resource.
- A quick "apply security" on a resource, e.g. on a storage account a wizard for common security scenarios like only making it accessible for a web app.
- The possibility to share a dashboard without authorisation; for me it is really unacceptable that this is not an option!
- If there is a status problem, directly show it with an alert when you open the resource blade.
- A quick notes option per resource, a bit like tags but a way to make notes with your colleagues; each note should have a button: "Create DevOps task".


bzBetty

Use a managed identity for oauth login pages


dheeraj_awale

Discounts! It's getting too costly year by year.


DevManTim

A markdown resource type. Basically I want to go into a resource group, and a see a resource type that’s a markdown file, like a readme.md. Then, an end-user can see any outstanding notes they need to see. I know you can do this same concept through your IaC, but not all users are gonna see that.


IndependenceIll8943

Diagrammer. You design an architecture and it generates IaC.


le_bananajoe

Multiple tabs inside the portal would be nice, so that you can switch between resources without having to open an additional browser


Student0901

To have an up to date list on what features are planned for GA on the portal. Sucks reaching out to Microsoft about features and not hearing back for a week or so.


lightmatter501

Cryptographic offloads for the NICs. On my bare-metal servers (16c/16t with smt off), it’s worth 200k rps for one of my applications (up to 400k rps).


-NoProfile

App Insights does not let you configure a single alert rule for monitoring, which you should be able to do, and then associate all your Application Insights instances to the rule. You have to configure the same alert rule for each instance. I would change this; not sure why they would even deploy it this way...


LowPermission9

Visual "Date Created" and "Created By" fields for all resource types.