Programmatic Compliance tool
Microsoft and its customers follow a shared responsibility model regarding security and compliance of the Microsoft Cloud environment. With the Programmatic Compliance tool, customers can evaluate the compliance of multiple services at the same time based on industry standards, helping to improve time-to-value and accelerate innovation.
The Programmatic Compliance tool revolutionizes the compliance experience by providing unified, machine-readable, and easily retrievable compliance data. A unified experience means that the tool serves as a single source for all compliance information, ensuring consistency and accuracy. The machine-readable format allows seamless integration with other systems via a public API, while the retrievable nature ensures unfettered access to the latest compliance information.
Technical prerequisites
To effectively utilize the Programmatic Compliance tool, ensure you meet the following technical prerequisites:
- Proficiency in Azure services and architecture
- Experience with cloud compliance and security standards
- Familiarity with infrastructure as code (IaC) tools, such as Terraform
- Understanding of Azure Resource Graphs REST API for data retrieval
Key personas and responsibilities
The Programmatic Compliance tool, deployed as a Web App to your Azure subscription, is designed to support three key personas in the compliance lifecycle: the Compliance Officer, the Service Owner, and the Cloud Architect. This tool provides a comprehensive solution that includes lookup by standard and service, along with a predeployment scenario.
The Compliance Officer needs to ensure Microsoft provides compliance capabilities for a given service to meet the company's industry/internal standards.
The Service Owner needs to assess risk for the service and evaluate the controls and policies to approve or deny a service for deployment.
The Cloud Architect needs to understand any actions they need to take to configure and maintain the compliance and security of each service within their solution.
To assign other roles, refer to Create custom policies.
Use cases and capabilities
The Programmatic Compliance tool is structured into three main sections to streamline your compliance management process. In a few clicks, you can easily find and export the relevant compliance information for reporting or deployment.
The first section allows you to discover the measures Microsoft undertakes to maintain compliance and filter control domains to focus on specific areas like Network Security. As a Programmatic Compliance user, you opt for a regulatory framework that resonates with your industry.
View compliance actions: Discover the measures Microsoft undertakes to maintain compliance.
Filter control domains: Concentrate further on specific domains such as Network Security.
Explore individual entries: Delve into the particulars of Microsoft's compliance strategies.
The second section enables you to you assess an individual service, evaluate the compliance of each Azure service, review configurable compliance features, and monitor built-in policies to audit service deployments.
Assess individual Azure services: Evaluate the compliance of each Azure service.
Review configurable compliance features: Review deployable service features to align with compliance standards.
Review monitoring policies: Review built-in policies for auditing service deployments.
The final section provides options for further analysis and export compliance information in various formats and utilize API capabilities to retrieve compliance data programmatically for seamless updates.
Export compliance information: Extract data in various formats for compliance reporting. The following screenshot shows a sample export to CSV.
Utilize API capability: Retrieve compliance data programmatically for effortless updates.
Note
Currently, the Programmatic Compliance tool supports only Azure among Microsoft's in-scope cloud platforms and services.
Prerequisites to deploy the Programmatic Compliance tool
- Clone the solution/repo from https://github.com/microsoft/ProgrammaticCompliance.
- Ensure you have an Azure subscription with permissions to create and manage App registrations, add user.impersonation and user.read permissions, and grant Admin consent for Microsoft to permeate changes.
- Ensure you have the latest version of Terraform installed locally.
- Ensure you have the latest version of Az CLI installed locally.
- Download and install Node.js, which includes Node Package Manager (NPM), for your operating system. Use the Long Term Support (LTS) to avoid any fresh issues with the current version.
- Visual Studio Code or some other equivalent IDE to make code edits.
Create the Azure Web App that hosts the UX
To create and deploy the Azure Web App that hosts the UX, follow these steps in the given order:
Register the Azure Web App
Navigate to the Azure portal, search, and select App registrations.
Within the App registrations page, select New registration.
Give a name to the app, for example, ProgrammaticCompliance.
Under Redirect URI, select Single-Page application (SPA) and enter https://webapp.azurewebsites.net as a value. The Redirect URI is the URL assigned to the Web App deployed in the subsequent steps. You can come back and update this URI after the Web App is created. Remember to check the boxes for Access token and ID tokens.
Select Register.
After the app registration succeeds, navigate to Your_New_Registration > Manage > API Permissions and select Add a permission. Add the following delegated permissions:
Azure Service Management with user_impersonation permissions.
Microsoft Graph with the user.read permissions.
Return to the API Permissions view and select Grant admin consent for Microsoft to permeate changes.
In case there are other users who need access to the app, follow the steps as detailed in Assign Azure roles to external users using the Azure portal to add them to your tenant as guests.
Deploy the Azure Web App using Terraform
Note
Terraform is the infrastructure script deployment tool used to set up the UX. You could also use the Azure portal to create the Web App and deploy the UX code.
Navigate to the Terraform scripts root folder in your terminal of choice.
Set-Location -Path .\\pipeline\\terraformCreate a storage account that hosts the Terraform state file through the portal.
Create a container in the storage account created earlier that hosts the Terraform state file.
Create a .tfvars file to set up the Terraform variables. Make sure the resource group that hosts the UX Web App is different from the resource group of the storage account created in the earlier steps. An example of the contents of a .tfvars file is as follows:
resource_group_name = "ProgrammaticComplianceRG" location = "eastus" azure_app_name = "ProgrammaticCompliance"Sign in to your tenant and ensure that you're using the target subscription of your choice.
az login az account set -s <subscription id> az account showInitialize the Terraform backend.
terraform init -backend-config="resource_group_name=${BACKEND_STORAGE_ACCOUNT_RG}" -backend-config="storage_account_name=${BACKEND_STORAGE_ACCOUNT\_NAME}" -backend-config="container_name=${BACKEND_STORAGE_CONTAINER_NAME}"where,
BACKEND_STORAGE_ACCOUNT_RG is the resource group of the storage account that hosts the Terraform state file. BACKEND_STORAGE_ACCOUNT_NAME is the storage account that hosts the Terraform state file. BACKEND_STORAGE_CONTAINER_NAME is the container of the storage account that hosts the Terraform state file.Create the Terraform plan.
terraform plan -out plan.tfplanTip
It's good practice to save the Terraform plan file so that when you run the terraform apply command in the next step, Terraform doesn't try to regenerate another plan.
Create the infrastructure.
terraform apply plan.tfplanImportant
Update the Redirect URI in the App registration and roles configurations step with the actual URL assigned to the Web App once it is created.
Prepare project dependencies
Perform the following steps in your terminal from the directory where you cloned the Git repository.
To verify that Node.js and npm are installed correctly, open a terminal, and run the following commands to check their versions:
node -vnpm -vNote
This UX was built using Node.js v18.17.1 and npm v9.8.1.
Create a .env file with the following contents:
REACT_APP_CLIENT_ID=<your value goes here> REACT_APP_TENANT_ID=<your value goes here> REACT_WEBAPP_URL=<your value goes here>The entered values are the tenant ID that hosts the Azure Web App and its registration, as well as the Azure Web App registration ID configured in the App registration and roles configurations step.
Note
The file name is .env, which is the standard naming convention for a React environment variables file.
Use npm to install project dependencies and wait until completion:
npm installImportant
Ignore any generated warnings. Following the suggested commands might alter the versions of various dependencies and disrupt their compatibility.
Deploy the UX code to the Web App created
Build and create a zip file that contains the source code at the root of the project:
npm run build Compress-Archive -Path \* -DestinationPath deployment.zipDeploy the zip file to the Web App:
az webapp deployment source config-zip --resource-group <WEBAPP_RESOURCE_GROUP> --name <WEBAPP_NAME> --src deployment.zip
Congratulations! You now successfully deployed the Programmatic Compliance Web App. Now, you can start testing the tool.
Retrieve information using API
You can retrieve the compliance information programmatically using Azure Resource Graph REST API (ARG).
Here's a sample query that retrieves features supported by Azure Kubernetes Service, mapping to the specific NIST 800-53 R4 framework control SP-28 - Protection of Information at Rest:
policyresources
| where type == "microsoft.policyinsights/policymetadata"
| where properties.metadata.offeringName == "Azure Kubernetes Service (AKS)" and properties.metadata.frameworkControlsMappings contains "NIST_SP_800-53_R4_SC-28"
| extend ItemName = properties.metadataId
| extend Service = properties.metadata.offeringName
| mv-expand features = properties.metadata.features
| extend FeatureName = features.featureName
| extend FeatureDescription = features.featureDescription
| extend FeatureGuidance = features.featureGuidance
| extend FeatureReference = features.featureReference
| extend MCSBID = properties.metadataId
| extend Metadata = properties.metadata
| extend AllProperties = properties
| project ItemName, Service, FeatureName, FeatureDescription, FeatureGuidance, FeatureReference, AllProperties
The output of the sample query is shown in the following screenshot:
Frequently asked questions
What industry standards does the Programmatic Compliance tool support?
- CIS Azure 2.0.0
- ISO 27001-2013
- NIST SP 800-53 Rev. 4
- PCI DSS 4.0
- SOC 2 Type 2
Why are there no policies visible for certain Azure services?
Currently, only a few Azure Services has policies available to monitor specific configuration settings.
What do each of the three sections of the Programmatic Compliance tool mean?
The first section describes Microsoft's obligations to meet a particular industry standard at the time of release. Many of these obligations are at a platform level rather than for specific Azure services.
The second section outlines the customer's obligations when configuring and deploying the Azure service to maintain alignment with the industry standard control.
The third section details the policies for the Azure service that can be deployed to monitor the service's alignment with the industry standard control.
Resources
Connect to GitHub to get the solution: https://github.com/microsoft/ProgrammaticCompliance
For more information about Programmatic Compliance, contact ProgCompFeed@microsoft.com
Disclaimer
Programmatic compliance is (1) not designed, intended, or made available as legal services, and (2) not intended to substitute for professional legal counsel or judgment. The data and content provided shouldn't be used as a replacement for consulting with a qualified legal professional for your specific needs.