| title | description | author | ms.author | ms.date | ms.topic | ms.service | ms.subservice | ms.reviewer |
|---|---|---|---|---|---|---|---|---|
| Governance workbook | Azure Monitor workbook focused on governance, providing an overview of your Azure environment's governance posture and compliance. | flanakin | micflan | 04/02/2025 | concept-article | finops | finops-toolkit | nteyan |
Warning
This workbook is being retired
The Workload optimization report will be retired on December 31, 2025, and will no longer be supported. We recommend using the Azure Advisor Cost Optimization workbook instead, which provides similar capabilities with more features and ongoing support.
- Sign in to the Azure portal.
- Search for Azure Advisor.
- In the left navigation menu, select Workbooks.
- In the Workbooks Gallery, select the Cost Optimization (Preview) workbook template.
- Select an area to explore.
The governance workbook is an Azure Monitor workbook that provides a comprehensive overview of the governance posture of your Azure environment. It includes the standard metrics aligned with the Cloud Adoption Framework for all disciplines and has the capability to identify and apply recommendations to address noncompliant resources.
:::image type="content" source="./media/governance/overview-governance.png" border="true" alt-text="Screenshot showing the Governance workbook overview page." lightbox="./media/governance/overview-governance.png":::
This article details the tabs and information you find within the workbook.
Note
Azure Resource Graph queries are limited to 10,000 results. If you receive an error for too many rows, try selecting a smaller management group or reducing the number of subscriptions.
The overview tab provides general information about your environment, including:
- Number of resources
- Resource count by subscription (top 10)
- Resource Number by type (top 10)
- Resource count by Azure region
The Virtual machine tab is focused on Compute resources to get more information about the resource count and configuration:
- Virtual machine count by OS type
- Virtual machines by type/size (for example, D2ms, D2v3)
- Virtual machine scale set capacity and size
- Compute disks (OS & data disk attached, OS & data disk size, OS disk SKU)
- Compute networking (NIC, private IP, public IP attached)
- Managed disk utilization
- Compute optimization
  - Underused assets (identified by Azure Advisor)
  - Orphaned disks
  - Orphaned NICs
- Current VM status (Creating, Starting, Running, Stopping, Stopped, Deallocating, Deallocated)
  - For more information about each power state, see Azure VM states and billing status.
- Virtual machine list filtered by power state
The Storage + backup tab is focused on storage and backup resources:
- Number of resource types
- Resource details
- Storage accounts details
  - Overview
  - Capacity
- Backup details
[!IMPORTANT] The vault diagnostic setting needs to be configured in Log Analytics Workspaces in order to see backup details.
The Network tab focuses on network resource configuration:
- Number of network resources by resource type
- NSGs shows all or orphaned network security groups
- NSG rules shows network security group rules for the selected NSG from the previous list
- Public IPs shows all or orphaned public IPs
- Application gateways shows all or orphaned application gateways with or without any backend IP and backend addresses
- Load balancers shows all or orphaned load balancers with or without empty backend pools
The PaaS tab focuses on platform as a service resource configuration:
- Automation shows:
  - Azure Automation accounts, runbooks, and configurations
  - Logic App instances, APIs, and connectors
- App services shows:
  - App Service plans, apps, and certificates
  - Azure Functions
  - API Apps
  - App gateways
  - Front Door
  - API Management
  - App Config stores
- Data shows:
  - Cosmos DB accounts
  - SQL servers, databases
  - PostgreSQL servers (including flexible servers)
  - MySQL servers
  - MariaDB servers
The Security tab focuses on the security score for your subscriptions and controls:
- Security scores by subscription
- Security scores by control
- Top 5 attacked resources (with high severity)
- Top alert types
- New alerts in last 24 hours
- MITRE ATT&CK tactics
- Active alerts
The Monitoring tab shows Service Health information and main events impacting selected subscriptions:
- All active Service Health incidents
- All changes performed on your resources for the past day
- All deleted resources for the past 14 days
The Services retirement tab shows Azure services that are being phased out so that you can mitigate affected resources.
The Resource age tab shows information about the creation and last change dates for resources in the selected subscription to help you identify old resources and perform sanitization.
The Tag explorer tab helps you to filter/sort your resources by tag. You can list and identify resources with or without a specified tag name and with or without a value. You can filter each result by resource type.
You can also get general information on subscriptions and resource groups.
The Cost Management tab shows high level information about your cost and can be filtered by tag.
Many Azure services have quotas, which are the assigned number of resources for your Azure subscription. Each quota represents a specific countable resource, such as:
- The number of virtual machines you can create
- The number of storage accounts you can use concurrently
- The number of networking resources you can consume
- The number of API calls to a particular service you can make
The Usage & limits tab shows this resource information about your subscriptions. To learn more about quotas, see Quotas overview.
The Compliance tab helps you monitor policy compliance, the number of failures by resource, operation, and category.
Microsoft Defender for Cloud continuously assesses your hybrid and multicloud workloads and provides you with recommendations to harden your assets and enhance your security posture.
Central security teams often experience challenges when driving the personnel within their organizations to implement recommendations. The organizations' security posture can suffer as a result.
We're introducing a brand-new, built-in governance experience to set ownership and expected remediation timeframes to resolve recommendations.
Prerequisite: To use this governance report, you need to create security governance rules.
For more information, see Driving your organization to remediate security issues with recommendation governance in Microsoft Defender for Cloud.