Microsoft and its customers follow a shared responsibility model regarding security and compliance of the Microsoft Cloud environment. With the Programmatic Compliance tool, customers can evaluate the compliance of multiple services at the same time based on industry standards helping to improve time-to-value and accelerate innovation.
The Programmatic Compliance tool revolutionizes the compliance experience, delivering unified, machine-readable, and retrievable compliance data.
The Programmatic Compliance tool, deployed as a webapp to your Azure Subscription, focuses on enabling three pivotal personas and their scenarios within the compliance lifecycle, while also providing a solution that includes lookup by standard and service, along with a pre-deployment scenario:
In a few clicks, customers can easily find and export the relevant compliance information for reporting or deployment.
The Programmatic Compliance Preview (the "Preview") is licensed to you as part of your Azure subscription and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the Microsoft Products and Services Data Protection Addendum ("DPA"). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. MICROSOFT MAKES NO WARRANTY THAT THE DATA AND CONTENT PROVIDED AS PART OF THE PREVIEW IS ACCURATE, UP-TO-DATE, OR COMPLETE. THE PREVIEW (1) IS NOT DESIGNED, INTENDED, OR MADE AVAILABLE AS LEGAL SERVICES, AND (2) IS NOT INTENDED TO SUBSTITUTE FOR PROFESSIONAL LEGAL COUNSEL OR JUDGMENT. THE DATA AND CONTENT PROVIDED THROUGH THE PREVIEW SHOULD NOT BE USED IN PLACE OF CONSULTING WITH A QUALIFIED PROFESSIONAL LEGAL PROFESSIONAL FOR YOUR SPECIFIC NEEDS. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, Customer should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the DPA do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability.
[!NOTE] If you have also been using the UI throughout the private preview stage, run

```
git pull
npm install
```

on your instance to receive the updates that ingest built-in metadata rather than custom policies. Then skip straight to step D below to redeploy the changes to the web app.
[!NOTE] Terraform is the infrastructure script deployment tool we used to set up the UX. You could also use the portal to create the webapp and deploy the UX code.
```
Set-Location -Path .\pipeline\terraform
```

Create a `.tfvars` file to set up the terraform variables. Make sure the resource group that hosts the UX webapp is different from the resource group of the storage account created in the next step. Below is an example of the contents of a `.tfvars` file:

```
resource_group_name = "ProgrammaticComplianceRG"
location = "eastus"
azure_app_name = "ProgrammaticCompliance"
```
```
az login
az account set -s <subscription id>
az account show
```
```
terraform init -backend-config="resource_group_name=${BACKEND_STORAGE_ACCOUNT_RG}" -backend-config="storage_account_name=${BACKEND_STORAGE_ACCOUNT_NAME}" -backend-config="container_name=${BACKEND_STORAGE_CONTAINER_NAME}"
```

where:

- `BACKEND_STORAGE_ACCOUNT_RG` is the resource group of the storage account that hosts the terraform state file
- `BACKEND_STORAGE_ACCOUNT_NAME` is the storage account that hosts the terraform state file
- `BACKEND_STORAGE_CONTAINER_NAME` is the container of the storage account that hosts the terraform state file
```
terraform plan -out plan.tfplan
```
[!NOTE] It's good practice to save the terraform plan file so that when you run the terraform apply command, terraform doesn't try to regenerate another plan.
```
terraform apply plan.tfplan
```
[!IMPORTANT] Please update the Redirect URI in the App registration and roles configurations step with the actual URL assigned to the webapp once it is created.
The following steps should be done in your terminal, from the directory into which you cloned the Git repository.
```
node -v
npm -v
```
[!NOTE] This UX was built using Node.js v18.17.1 and npm v9.8.1.
Create a `.env` file with the following contents:

```
REACT_APP_CLIENT_ID=<your value goes here>
REACT_APP_TENANT_ID=<your value goes here>
REACT_WEBAPP_URL=<your value goes here>
```

The above values are the id of the tenant which hosts the webapp and the app registration, the id of the app registration configured in the App registration and roles configurations step, and the URL of the webapp.

[!NOTE] The name of the above file is indeed `.env`: this is the naming convention for a React environment variables file.
```
npm install
```
[!NOTE] Ignore generated warnings. Following the suggested commands may change the versions of various dependencies and break their relationship.
```
npm run build
Compress-Archive -Path * -DestinationPath deployment.zip
az webapp deployment source config-zip --resource-group <WEBAPP_RESOURCE_GROUP> --name <WEBAPP_NAME> --src deployment.zip
```
Congratulations! You have now successfully configured and deployed your Programmatic Compliance website. Let the testing begin!
[!NOTE] Optionally, one may use the custom manual policies for the purpose of manual attestation when automated policies are not available or partially address a control. The custom manual policies are not required by the UX or Azure Resource Graph API based retrieval of programmatic compliance information.
Download the latest version of PowerShell
Download the latest version of Az PowerShell. If already installed, update the module if needed.
Clone the project to your local repository.
```
git clone [email protected]:microsoft/ProgrammaticCompliance.git
Set-Location -Path .\ProgrammaticCompliance
git checkout develop
git branch
```
You should be under the develop branch.
[!NOTE] If the clone doesn't work, you don't have git installed. Execute the following commands first and then try again.

```
winget search Git.Git
winget install --id Git.Git -e --source winget
```
```
Set-Location -Path .\CustomPolicies\PowerShell
.\EnvConfig.ps1
```

You can configure a service principal and give it enough privileges to create the custom policies. To log in with that service principal:

```
.\Login.ps1 -ApplicationId <Service Principal client ID> -TenantId <Tenant ID>
```

To log in interactively with your own account instead:

```
.\Login.ps1 -TenantId <Tenant ID>
```
[!NOTE] A management group can only hold up to 500 policy definitions. With this in mind, since there are over 4000 policy definitions to create, this process will create ~9 management groups that will together host all of the policy definitions. Once the policy definitions become built-in, this step will no longer be needed.
Elevate your access to manage all of your subscription's management groups by following the steps here
If you need to add others to access your custom policies, navigate to IAM in the root management group portal and assign the Reader role to them.
[!IMPORTANT] You can create a custom role that only has permissions to read the policy definitions and policy metadata resources. Assign that custom role to users so that they do not have access to all of the other resources under the root management group.
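The read-only custom role recommended above, as an added example that is not part of the project's scripts. It assumes an authenticated Az PowerShell session, that policy definition and policy metadata read permissions are sufficient (plus management group read, an assumption added so the principal can enumerate the groups hosting the definitions), and uses placeholders for the role name and the principal's object id.

```powershell
# Added example (not from the ProgrammaticCompliance repo): a custom role that can
# read policy definitions and policy metadata and nothing else, assigned at the
# tenant root management group instead of the built-in Reader role (*/read).
# Assumes an authenticated Az PowerShell session (see Login.ps1 above).

$tenantId  = (Get-AzContext).Tenant.Id
# The id of the tenant root management group is the tenant id itself.
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"
$objectId  = "<object id of the user or group to grant access>"   # placeholder

$roleDefinition = [ordered]@{
    Name             = "Programmatic Compliance Policy Reader"     # assumed name
    IsCustom         = $true
    Description      = "Read-only access to policy definitions and policy metadata"
    Actions          = @(
        "Microsoft.Authorization/policyDefinitions/read",
        "Microsoft.PolicyInsights/policyMetadata/read",
        # Assumption: hierarchy read is included so callers can enumerate the
        # ~9 management groups that host the custom definitions.
        "Microsoft.Management/managementGroups/read"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($rootScope)
}

# New-AzRoleDefinition takes the definition from a JSON file.
$roleFile = Join-Path $env:TEMP "pc-policy-reader-role.json"
$roleDefinition | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding utf8

# Reuse the role if it already exists, otherwise create it.
$role = Get-AzRoleDefinition -Name $roleDefinition.Name -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-AzRoleDefinition -InputFile $roleFile
}

# Assign at the root management group; unlike Reader this grants no visibility
# into the other resources under the hierarchy.
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $role.Name -Scope $rootScope

# Verify what the principal actually received at that scope.
Get-AzRoleAssignment -ObjectId $objectId -Scope $rootScope |
    Select-Object RoleDefinitionName, Scope
```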
Create the management groups in which the custom policies will be created (about 9 management groups are needed to host the custom policy definitions)
Create the custom policy definitions resources. When logged in interactively:

```
.\PoliciesCreate.ps1 -TenantId <Tenant ID> -ManagementGroupIds <Array of the created management group names (comma separated)>
```

Example:

```
.\PoliciesCreate.ps1 -TenantId XXXX -ManagementGroupIds TestGroup1,TestGroup2,TestGroup3,TestGroup4,TestGroup5,TestGroup6,TestGroup7,TestGroup8,TestGroup9
```

When logged in with a service principal:

```
.\PoliciesCreate.ps1 -TenantId <Tenant ID> -ApplicationId <Service Principal ID> -ManagementGroupIds <Array of the created management group names (comma separated)>
```

Example:

```
.\PoliciesCreate.ps1 -TenantId XXXX -ApplicationId AAAA -ManagementGroupIds TestGroup1,TestGroup2,TestGroup3,TestGroup4,TestGroup5,TestGroup6,TestGroup7,TestGroup8,TestGroup9
```
Delete the custom policy definitions resources when they are no longer needed. When logged in interactively:

```
.\PoliciesCleanUp.ps1 -TenantId <Tenant ID> -ManagementGroupIds <Array of the created management group names (comma separated)>
```

Example:

```
.\PoliciesCleanUp.ps1 -TenantId XXXX -ManagementGroupIds TestGroup1,TestGroup2,TestGroup3,TestGroup4,TestGroup5,TestGroup6,TestGroup7,TestGroup8,TestGroup9
```

When logged in with a service principal:

```
.\PoliciesCleanUp.ps1 -TenantId <Tenant ID> -ApplicationId <Service Principal ID> -ManagementGroupIds <Array of the created management group names (comma separated)>
```

Example:

```
.\PoliciesCleanUp.ps1 -TenantId XXXX -ApplicationId AAAA -ManagementGroupIds TestGroup1,TestGroup2,TestGroup3,TestGroup4,TestGroup5,TestGroup6,TestGroup7,TestGroup8,TestGroup9
```