Configure Azure Security Governance Rules

The azure-native:security:GovernanceRule resource, part of the Pulumi Azure Native provider, defines governance rules that enforce remediation timeframes and ownership for security assessments across Azure subscriptions, management groups, or multi-cloud connectors. This guide focuses on three capabilities: scope hierarchy (subscription, management group, security connector), owner assignment and notification settings, and remediation deadlines with priority ordering.

Governance rules reference existing subscriptions, management groups, or security connectors, and apply to security assessments already present in those scopes. The examples are intentionally small. Combine them with your own security policies and organizational structure.

Enforce remediation deadlines at subscription level

Security teams typically start by defining governance rules at the subscription level, assigning ownership and deadlines for security recommendations.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule for critical recommendations",
    displayName: "Admin's rule",
    governanceEmailNotification: {
        disableManagerEmailNotification: false,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});
import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule for critical recommendations",
    display_name="Admin's rule",
    governance_email_notification={
        "disable_manager_email_notification": False,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule for critical recommendations"),
			DisplayName: pulumi.String("Admin's rule"),
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(false),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for critical recommendations",
        DisplayName = "Admin's rule",
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = false,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule for critical recommendations")
            .displayName("Admin's rule")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(false)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .sourceResourceType("Assessments")
            .build());

    }
}
resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule for critical recommendations
      displayName: Admin's rule
      governanceEmailNotification:
        disableManagerEmailNotification: false
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      sourceResourceType: Assessments

The scope property targets the subscription where the rule applies, and ruleId is the GUID that names the rule within that scope; both are immutable, so changing either replaces the resource. The ownerSource assigns responsibility (here, manually to a named user), and remediationTimeframe sets the deadline as a .NET-style timespan (7.00:00:00 is seven days). The sourceResourceType specifies that this rule governs security assessments, and ruleType is set to Integrated, the built-in rule type. The governanceEmailNotification block controls whether the owner and the owner's manager receive email when assessments require remediation, and isGracePeriod gives owners the full remediationTimeframe before a finding is treated as overdue.

Apply rules across management groups with exclusions

Organizations with multiple subscriptions use management group scopes to enforce policies broadly while excluding specific subscriptions.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule for a management group",
    displayName: "Management group rule",
    excludedScopes: ["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"],
    governanceEmailNotification: {
        disableManagerEmailNotification: true,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "providers/Microsoft.Management/managementGroups/contoso",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});
import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule for a management group",
    display_name="Management group rule",
    excluded_scopes=["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"],
    governance_email_notification={
        "disable_manager_email_notification": True,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="providers/Microsoft.Management/managementGroups/contoso",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule for a management group"),
			DisplayName: pulumi.String("Management group rule"),
			ExcludedScopes: pulumi.StringArray{
				pulumi.String("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
			},
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(true),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("providers/Microsoft.Management/managementGroups/contoso"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for a management group",
        DisplayName = "Management group rule",
        ExcludedScopes = new[]
        {
            "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        },
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = true,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "providers/Microsoft.Management/managementGroups/contoso",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule for a management group")
            .displayName("Management group rule")
            .excludedScopes("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(true)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("providers/Microsoft.Management/managementGroups/contoso")
            .sourceResourceType("Assessments")
            .build());

    }
}
resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule for a management group
      displayName: Management group rule
      excludedScopes:
        - /subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      governanceEmailNotification:
        disableManagerEmailNotification: true
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: providers/Microsoft.Management/managementGroups/contoso
      sourceResourceType: Assessments

When scope targets a management group, the rule applies to every subscription beneath it except those listed in excludedScopes (note that excluded entries are written as /subscriptions/{subscriptionId}, with a leading slash, whereas scope itself has none). This allows organization-wide enforcement with targeted exceptions. When several rules apply to the same scope, rulePriority decides which one wins: the lower number takes precedence, and two rules on the same scope may not share a priority value.

Govern multi-cloud resources via security connectors

Teams that onboard GCP or AWS accounts to Microsoft Defender for Cloud (formerly Azure Security Center) through a security connector can apply governance rules to the assessments those connectors produce.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule on critical GCP recommendations",
    displayName: "GCP Admin's rule",
    governanceEmailNotification: {
        disableManagerEmailNotification: true,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});
import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule on critical GCP recommendations",
    display_name="GCP Admin's rule",
    governance_email_notification={
        "disable_manager_email_notification": True,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule on critical GCP recommendations"),
			DisplayName: pulumi.String("GCP Admin's rule"),
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(true),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule on critical GCP recommendations",
        DisplayName = "GCP Admin's rule",
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = true,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule on critical GCP recommendations")
            .displayName("GCP Admin's rule")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(true)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector")
            .sourceResourceType("Assessments")
            .build());

    }
}
resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule on critical GCP recommendations
      displayName: GCP Admin's rule
      governanceEmailNotification:
        disableManagerEmailNotification: true
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector
      sourceResourceType: Assessments

The scope property can target a security connector resource, which bridges Microsoft Defender for Cloud (formerly Azure Security Center) to a GCP project or AWS account. This lets you enforce the same remediation policies on multi-cloud security findings: the rule applies to assessments generated by the connector, treating external cloud resources like native Azure resources for governance purposes. The connector scope is the connector's own resource path, so the rule lives alongside the connector in the subscription and resource group that hold it.
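The three explanations above describe constraints that Azure only reports at deployment time: a scope must be one of three forms, priorities must be unique within a scope with the lower number winning, remediationTimeframe must be a d.hh:mm:ss timespan, and exclusions are subscription paths under a management group. The following is an added TypeScript example, not Pulumi's or Microsoft's code, that checks a set of rule definitions against those constraints before `pulumi up`. The `GovernanceRuleDef` shape, the `lintGovernanceRules` and `precedenceOrder` functions, every rule ID other than the guide's own, the treatment of exclusions on non-management-group scopes as an error, and the "Manually assigned owners should be email addresses" check are this example's own assumptions.

```typescript
// Added example (not Pulumi's or Azure's code): pre-deployment checks for a set of
// GovernanceRule definitions, using the property names from this guide.
// `GovernanceRuleDef`, `lintGovernanceRules` and the sample rules are hypothetical.

export interface GovernanceRuleDef {
  ruleId: string;                 // GUID; immutable once created
  displayName: string;
  scope: string;                  // management group, subscription or security connector
  rulePriority: number;           // lower number wins; must be unique per scope
  remediationTimeframe: string;   // .NET-style timespan "d.hh:mm:ss", e.g. "7.00:00:00"
  excludedScopes?: string[];      // "/subscriptions/{id}" entries under a management group
  ownerSource: { type: string; value: string };
}

export type ScopeKind = "managementGroup" | "subscription" | "securityConnector";

const GUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
const GUID_RE = new RegExp(`^${GUID}$`, "i");
const EXCLUDED_RE = new RegExp(`^/subscriptions/${GUID}$`, "i");

// The three scope forms this guide uses, anchored so a connector path cannot pass as a subscription.
const SCOPE_PATTERNS: Array<[ScopeKind, RegExp]> = [
  ["managementGroup", /^providers\/Microsoft\.Management\/managementGroups\/[^/]+$/],
  ["subscription", new RegExp(`^subscriptions/${GUID}$`, "i")],
  ["securityConnector", new RegExp(
    `^subscriptions/${GUID}/resourceGroups/[^/]+/providers/Microsoft\\.Security/securityConnectors/[^/]+$`, "i")],
];

export function classifyScope(scope: string): ScopeKind | undefined {
  for (const [kind, re] of SCOPE_PATTERNS) {
    if (re.test(scope)) return kind;
  }
  return undefined;
}

// Parse "d.hh:mm:ss" into whole seconds; undefined if the string is not in that form.
export function parseTimeframeSeconds(timeframe: string): number | undefined {
  const m = /^(\d+)\.(\d{2}):(\d{2}):(\d{2})$/.exec(timeframe);
  if (!m) return undefined;
  const days = Number(m[1]), hours = Number(m[2]), minutes = Number(m[3]), seconds = Number(m[4]);
  if (hours > 23 || minutes > 59 || seconds > 59) return undefined;
  return ((days * 24 + hours) * 60 + minutes) * 60 + seconds;
}

// Rule IDs on one scope in the order they take precedence: lowest priority number first.
export function precedenceOrder(rules: GovernanceRuleDef[], scope: string): string[] {
  return rules
    .filter(r => r.scope === scope)
    .sort((a, b) => a.rulePriority - b.rulePriority)
    .map(r => r.ruleId);
}

export function lintGovernanceRules(rules: GovernanceRuleDef[]): string[] {
  const problems: string[] = [];
  const priorityOwner = new Map<string, string>(); // "<scope>|<priority>" -> ruleId that holds it
  const seenIds = new Set<string>();

  for (const r of rules) {
    const kind = classifyScope(r.scope);
    if (kind === undefined) {
      problems.push(`${r.ruleId}: scope "${r.scope}" is not a management group, subscription or security connector`);
    }
    if (!GUID_RE.test(r.ruleId)) problems.push(`${r.ruleId}: ruleId must be a GUID`);
    if (seenIds.has(r.ruleId)) problems.push(`${r.ruleId}: duplicate ruleId`);
    seenIds.add(r.ruleId);

    if (!Number.isInteger(r.rulePriority) || r.rulePriority < 1) {
      problems.push(`${r.ruleId}: rulePriority must be a positive integer`);
    }
    const key = `${r.scope}|${r.rulePriority}`;
    const clash = priorityOwner.get(key);
    if (clash !== undefined) {
      problems.push(`${r.ruleId}: priority ${r.rulePriority} on ${r.scope} is already used by ${clash}`);
    } else {
      priorityOwner.set(key, r.ruleId);
    }

    const secs = parseTimeframeSeconds(r.remediationTimeframe);
    if (secs === undefined) {
      problems.push(`${r.ruleId}: remediationTimeframe "${r.remediationTimeframe}" is not in d.hh:mm:ss form`);
    } else if (secs === 0) {
      problems.push(`${r.ruleId}: remediationTimeframe is zero, so every finding is overdue immediately`);
    }

    for (const ex of r.excludedScopes ?? []) {
      // Exclusions carve subscriptions out of a management-group rule; on any other
      // scope this linter treats them as a mistake (its own policy, not an Azure rule).
      if (kind !== "managementGroup") {
        problems.push(`${r.ruleId}: excludedScopes entry "${ex}" on a scope that is not a management group`);
      }
      if (!EXCLUDED_RE.test(ex)) {
        problems.push(`${r.ruleId}: excluded scope "${ex}" must be "/subscriptions/{subscriptionId}"`);
      }
    }

    if (r.ownerSource.type === "Manually" && !r.ownerSource.value.includes("@")) {
      problems.push(`${r.ruleId}: a Manually assigned owner should be an email address`);
    }
  }
  return problems;
}

// Constructed sample: the guide's subscription and management-group rules plus two deliberately broken ones.
export const SAMPLE_RULES: GovernanceRuleDef[] = [
  {
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    displayName: "Admin's rule",
    scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    rulePriority: 200,
    remediationTimeframe: "7.00:00:00",
    ownerSource: { type: "Manually", value: "user@contoso.com" },
  },
  {
    ruleId: "0f3c2b1a-1111-4222-8333-444455556666", // hypothetical ID
    displayName: "Management group rule",
    scope: "providers/Microsoft.Management/managementGroups/contoso",
    rulePriority: 200, // same number as above is fine: different scope
    remediationTimeframe: "14.00:00:00",
    excludedScopes: ["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"],
    ownerSource: { type: "Manually", value: "user@contoso.com" },
  },
  {
    ruleId: "0f3c2b1a-1111-4222-8333-444455557777", // hypothetical ID; timeframe not a timespan
    displayName: "Critical first",
    scope: "providers/Microsoft.Management/managementGroups/contoso",
    rulePriority: 100,
    remediationTimeframe: "7 days",
    ownerSource: { type: "Manually", value: "user@contoso.com" },
  },
  {
    ruleId: "0f3c2b1a-1111-4222-8333-444455558888", // hypothetical ID; clashes with the rule above on priority
    displayName: "Duplicate priority",
    scope: "providers/Microsoft.Management/managementGroups/contoso",
    rulePriority: 200,
    remediationTimeframe: "0.00:00:00",
    ownerSource: { type: "Manually", value: "ops-team" },
  },
];

export const SAMPLE_PROBLEMS = lintGovernanceRules(SAMPLE_RULES);
for (const p of SAMPLE_PROBLEMS) console.log(p);
```

Run it with ts-node (or compile with tsc) and feed it the same objects you pass to `new GovernanceRule(...)`; the sample reports four problems, all in the last two rules, while the guide's own two rules pass. The same functions can be wrapped in a Pulumi CrossGuard policy so the checks run on every preview instead of only when someone remembers to call them.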

Beyond these examples

These snippets focus on specific governance rule features: scope hierarchy (subscription, management group, security connector), owner assignment and notification controls, and remediation timeframes and grace periods. They’re intentionally minimal rather than full security governance frameworks.

The examples reference pre-existing infrastructure such as Azure subscriptions and management groups, security connectors for multi-cloud resources, and security assessments to govern. They focus on configuring the rule rather than provisioning the underlying security infrastructure.

To keep things focused, common governance patterns are omitted, including:

  • Conditional rule application (conditionSets for filtering assessments)
  • Member scope inheritance (includeMemberScopes)
  • Rule activation controls (isDisabled for temporary suspension)
  • Grace period configuration details

These omissions are intentional: the goal is to illustrate how each governance rule feature is wired, not provide drop-in compliance modules. See the GovernanceRule resource reference for all available configuration options.

Frequently Asked Questions

Scope & Hierarchy
What scope formats can I use for governance rules?
You can apply governance rules to three scope types: management groups (providers/Microsoft.Management/managementGroups/{managementGroup}), subscriptions (subscriptions/{subscriptionId}), or security connectors (subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}).
Can I change the scope or ruleId after creating a governance rule?
No, both scope and ruleId are immutable properties. Changing either requires recreating the resource.
How do I exclude specific subscriptions from a management group rule?
Use the excludedScopes property with an array of subscription paths, such as /subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23.
Rule Priority & Conflicts
What happens if two governance rules have the same priority on the same scope?
Rules with the same rulePriority value on the same scope are not allowed. Each rule must have a unique priority number within its scope.
How does rule priority work?
Lower rulePriority numbers have higher priority. For example, a rule with priority 100 takes precedence over one with priority 200.
Remediation & Timeframes
How do I format the remediation timeframe?
Use timespan format like 7.00:00:00 for 7 days, following the pattern days.hours:minutes:seconds.
What's the difference between isDisabled and isGracePeriod?
isDisabled turns the whole rule off without deleting it, so it keeps its ruleId, scope and priority and can be re-enabled later. isGracePeriod controls whether findings governed by the rule get a grace period: when true, an assessment is not treated as overdue until its remediationTimeframe has elapsed.
Ownership & Notifications
How do I specify who owns a governance rule?
Configure ownerSource with a type (such as Manually) and value (such as an email address like user@contoso.com).
Can I disable email notifications for rule owners or managers?
Yes, use governanceEmailNotification with disableOwnerEmailNotification and disableManagerEmailNotification boolean flags to control notifications.
