Obed Owusu
mg-platform · Azure Policy · Bicep · Workbooks

Cloud Policy Compliance Dashboard. mg-platform governance you can see, ship, and prove.

A management-group-level governance baseline that turns Azure Policy signals into a live compliance system. The Cloud-Governance-Baseline initiative is deployed once at mg-platform, a standardized rg-governance-core pattern is rolled out to every subscription (Dev/Test/Prod), and Log Analytics + Workbooks turn policy telemetry into real-time insights. Alerts flag misconfigurations within minutes, and everything is delivered through a multi-stage GitHub Actions pipeline.

  • mg-platform baseline
  • Dev/Test/Prod subscription pattern
  • Azure Policy + custom initiatives
  • Log Analytics + Workbook insights
  • GitHub Actions (OIDC multi-stage)
Scope: mg-platform + sub-dev/test/prod
Pipeline: GitHub Actions (Build → Dev → Test → Prod)
Outcomes: dashboards, alerts, evidence for auditors
[Architecture diagram: Cloud Policy Compliance Dashboard – mg-platform view (mg-platform; sub-dev · sub-test · sub-prod). Full diagram and screenshots below.]
GitHub repo → GitHub Actions CI/CD
→ mg-platform: Cloud-Governance-Baseline (policies + initiative)
→ sub-dev / sub-test / sub-prod: rg-governance-core + Log Analytics
→ Workbook dashboards + alerts → Platform team inbox

From scattered subscription policies to a unified mg-platform governance baseline.

Most teams enable a few policies per subscription and stop there. This project treats governance as an engineering product at the management-group level: Bicep-defined policies and initiatives deployed once at mg-platform, rolled out automatically to sub-dev, sub-test and sub-prod via GitHub Actions, and surfaced through a single mg-level Workbook and alerting pattern that works consistently across all environments.

The problem

Policies scattered across subscriptions, no unified governance story.

In most Azure environments, each subscription has slightly different policies—often applied manually. There is no mg-level view, alerting is inconsistent, and there is no repeatable mechanism for onboarding new subscriptions into governance.

  • Policies duplicated and managed manually at subscription scope.
  • No defined pattern for governance resources (Workspaces, Workbooks, alerts).
  • Dev/Test/Prod behave differently because there’s no CI/CD pipeline deploying governance.

What this project does

An mg-platform governance baseline delivered through CI/CD.

The Cloud Policy Compliance Dashboard defines a Cloud-Governance-Baseline initiative at mg-platform and a rg-governance-core pattern for each subscription. A GitHub Actions pipeline builds, validates and deploys to sub-dev, sub-test, and sub-prod, ensuring the same governance posture is enforced across all environments.

  • mg-platform initiative
  • sub-dev/test/prod governance RGs
  • Log Analytics workspaces
  • Workbook dashboards
  • Action Groups & alerts
  • Dev → Test → Prod pipeline
  • Extensible for NSG / tags / diagnostics

End-to-end governance flow: from mg-platform Bicep to Workbook insights.

The diagram breaks the platform into three verticals: GitHub CI/CD, the mg-platform control plane, and telemetry. It shows how a single push to main rolls out a governance baseline across Dev/Test/Prod and drives a shared mg-level compliance dashboard.

Logical flow

  1. GitHub repo – governance as code
     Bicep modules · Workbook JSON · KQL · pipelines
     All governance artefacts live in a single repository: Bicep for policies & initiatives, mg-platform deployment, rg-governance-core, Workbook JSON, and KQL queries.
  2. GitHub Actions – Build & Validate
     Developer pushes to main
     A pipeline logs into Azure using OIDC, installs Bicep, and runs what-if against the mg-platform and dev subscription templates before any changes are applied.
  3. Deploy Cloud-Governance-Baseline to mg-platform
     Management group deployment scope
     A management-group deployment creates the custom Storage policy and the Cloud-Governance-Baseline initiative, then assigns it at mg-platform so all child subscriptions inherit the baseline.
  4. Deploy rg-governance-core to Dev/Test/Prod
     Subscription deployment scope
     A matrix job in the pipeline deploys rg-governance-core into sub-dev, sub-test and sub-prod with a Log Analytics workspace, Action Group, alert rules and Workbook.
  5. Resource changes & policy evaluation
     Azure Policy at mg-platform
     When someone creates a misconfigured resource (e.g. a public Storage Account), the mg-platform baseline evaluates it and writes results into Policy tables and AzureActivity.
  6. Workbook & alerts – governance you can see
     The Workbook shows non-compliant resources by policy and subscription, while KQL-based alerts send notifications via the governance Action Group (email / Teams / ticketing).
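Step 3 is where the baseline itself is defined in code. The module below is an added illustration, not the project's own Bicep: it declares a custom Storage policy, wraps it in the Cloud-Governance-Baseline initiative and assigns the initiative at management-group scope with a single `az deployment mg create --management-group-id mg-platform --location <region> --template-file <file>`. The page only describes the custom Storage policy in general terms, so the rule here (public network access must be Disabled, matching the demo scenario) and all resource names are assumptions.

```bicep
targetScope = 'managementGroup'
// Illustrative example, not the project's own module: policy, initiative and assignment names are assumed.
// Custom Storage policy: deny any Storage Account whose public network access is not Disabled.
// The 'exists: false' branch catches requests that omit the property (Azure defaults it to Enabled).
resource denyPublicStorage 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'deny-storage-public-network-access'
  properties: {
    displayName: 'Storage accounts must disable public network access'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          {
            anyOf: [
              { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', exists: 'false' }
              { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
            ]
          }
        ]
      }
      then: { effect: 'Deny' }
    }
  }
}
// Initiative: future controls (NSG hygiene, tags, diagnostics) are appended to this list, not assigned separately.
resource baseline 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = {
  name: 'cloud-governance-baseline'
  properties: {
    displayName: 'Cloud-Governance-Baseline'
    policyType: 'Custom'
    policyDefinitions: [
      {
        policyDefinitionReferenceId: 'denyPublicStorage'
        policyDefinitionId: denyPublicStorage.id
      }
    ]
  }
}
// One assignment at mg-platform; sub-dev/test/prod inherit it, so nothing is assigned per subscription.
resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'cgb-mg-platform'
  properties: {
    displayName: 'Cloud-Governance-Baseline (mg-platform)'
    policyDefinitionId: baseline.id
    enforcementMode: 'Default'
  }
}
```

Running the pipeline's what-if step against this template before deployment shows the three resources that will be created and, on later runs, only the controls added to the initiative.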

Why this is a full Azure governance baseline, not just a policy.

  • Policies and the initiative are managed at mg-platform, not per subscription.
  • A governance RG pattern (rg-governance-core) is deployed to each subscription.
  • Log Analytics + Workbook provide a single mg-level view across dev/test/prod.
  • GitHub Actions ensures the same baseline is applied consistently to all environments.
  • The initiative is designed to host future controls: NSG hygiene, tag enforcement, diagnostics, and more.

From mg-platform policy signals to actionable remediation.

The right side of the architecture shows the telemetry pipeline: resource changes, policy evaluations, and DENY events flowing into Log Analytics. Workbook dashboards surface non-compliance, while alert rules drive actionable notifications to platform or security teams.

Signals

Signals: Policy, AzureActivity and KQL.

  • PolicyResources summarise compliant vs. non-compliant resources across policies, subscriptions and resource groups.
  • AzureActivity captures real-time DENY events generated by mg-platform policies.
  • KQL queries power Workbook visuals and shared alert rules that are reused (and parameterised) across Dev/Test/Prod.

Actions

Actions: Dashboards, alerts and audit ready evidence.

  • Workbook dashboards show non-compliance by policy, subscription and resource group.
  • Alert rules notify a governance Action Group (email/Teams) when risky configurations appear.
  • Exports from the Workbook (CSV/JSON) become audit evidence at the mg-platform level.
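The Signals and Actions above are wired together per subscription by the rg-governance-core pattern. As an added example that is not the project's own module, this resource-group-scope Bicep (assumed to be deployed into rg-governance-core in each subscription) creates the Log Analytics workspace, the governance Action Group, and a scheduled-query alert whose KQL pulls mg-platform DENY events out of AzureActivity. It assumes the subscription's activity log is already routed to the workspace by a diagnostic setting, and the environment name and alert mailbox are parameters the pipeline's matrix job would supply.

```bicep
targetScope = 'resourceGroup'
// Illustrative example, not the project's own module; resource names and parameters are assumed.
param env string                                   // dev | test | prod (from the pipeline matrix)
param alertEmail string                            // governance mailbox (assumed parameter)
param location string = resourceGroup().location
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-governance-${env}'
  location: location
  properties: { sku: { name: 'PerGB2018' }, retentionInDays: 90 }
}
resource ag 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-governance-${env}'
  location: 'global'
  properties: {
    groupShortName: 'gov-${env}'
    enabled: true
    emailReceivers: [ { name: 'platform-team', emailAddress: alertEmail, useCommonAlertSchema: true } ]
  }
}
// Same query in every environment; only ${env} changes. Assumes AzureActivity already flows into this workspace.
resource denyAlert 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'alert-policy-deny-${env}'
  location: location
  properties: {
    severity: 2
    enabled: true
    scopes: [ law.id ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          // Policy deny events: the Properties JSON carries the policies that blocked the request.
          query: '''
AzureActivity
| where CategoryValue == "Policy"
| where OperationNameValue =~ "Microsoft.Authorization/policies/deny/action"
| extend policies = parse_json(tostring(parse_json(Properties).policies))
| mv-expand policies
| project TimeGenerated, SubscriptionId, ResourceGroup, Caller, PolicyName = tostring(policies.policyDefinitionName)
'''
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0
        }
      ]
    }
    actions: { actionGroups: [ ag.id ] }
  }
}
```

The same KQL, minus the projection, is what a Workbook grid can use to list denied deployments per subscription, so dashboard and alert stay in sync.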

A 5–7 minute walkthrough of mg-platform governance in action.

This demo traces a misconfiguration created in sub-dev as it flows through mg-platform evaluation, surfaces inside the Workbook and triggers an actionable alert in the governance mailbox.

Scenario

Scenario: A public Storage Account is created in sub-dev.

  • Create a Storage Account with public network access enabled in sub-dev.
  • Show the mg-platform initiative and assignment evaluating the resource.
  • Open the Workbook to show the Dev non-compliant slice lighting up.
  • Open the alert email generated by the governance Action Group.

Key messages

Governance as a product, not a PDF.

  • mg-platform owns the baseline; subscriptions inherit instead of inventing their own rules.
  • Dev/Test/Prod share the same pattern, deployed by one pipeline.
  • Dashboards and alerts turn policy into operational signals, not static documentation.

Azure platform services and automation used.

This project uses Azure-native services and GitHub Actions to mirror how a platform engineering team would deploy and operate a governance baseline across management groups and subscriptions.

Azure platform
  • Azure Policy (custom definitions + Cloud-Governance-Baseline initiative).
  • Management Groups (mg-platform) and mg-level assignments.
  • Azure Resource Manager / Bicep for mg and subscription deployments.
  • Log Analytics workspaces per subscription in "rg-governance-core".
  • Azure Monitor alert rules + Action Groups.
  • Azure Workbooks for mg-level compliance reporting.
Tooling & automation
  • Bicep modules split by scope (mg: policies/initiative/assignment · subscription: governance RG).
  • GitHub Actions with OIDC for secure, secretless deployments.
  • KQL powering Workbook visuals and alert rules.
  • Optional Logic Apps for future remediation automation.

What building this taught me about Azure governance at scale.

Moving from subscription-level policies to a management-group baseline changes how you design in Azure: governance becomes modular, versioned, tested, and deployed just like application code. You start thinking in terms of platforms, not individual subscriptions.

Technical lessons
  • How to structure Bicep for management-group vs. subscription scopes.
  • How initiatives and assignments behave when deployed from mg-platform downward.
  • How to reuse Workbooks and alert rules consistently across subscriptions.
Architecture mindset
  • Design for a single mg-level source of truth to eliminate subscription drift.
  • Governance requires CI/CD, observability and testing just like any other product.
  • Baselines must be extensible, so new controls (NSG, tags, diagnostics, security) can be added without re-architecting.