Configure Azure Security Governance Rules

The azure-native:security:GovernanceRule resource, part of the Pulumi Azure Native provider, defines governance rules that enforce remediation timeframes and ownership for security assessments across Azure subscriptions, management groups, or multi-cloud connectors. This guide focuses on three capabilities: scope hierarchy (subscription, management group, security connector), owner assignment and notification settings, and remediation deadlines with priority ordering.

Governance rules reference existing subscriptions, management groups, or security connectors, and apply to security assessments already present in those scopes. The examples are intentionally small. Combine them with your own security policies and organizational structure.

Enforce remediation deadlines at subscription level

Security teams typically start by defining governance rules at the subscription level, assigning ownership and deadlines for security recommendations.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule for critical recommendations",
    displayName: "Admin's rule",
    governanceEmailNotification: {
        disableManagerEmailNotification: false,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});

Python

import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule for critical recommendations",
    display_name="Admin's rule",
    governance_email_notification={
        "disable_manager_email_notification": False,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)

Go

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule for critical recommendations"),
			DisplayName: pulumi.String("Admin's rule"),
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(false),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for critical recommendations",
        DisplayName = "Admin's rule",
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = false,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule for critical recommendations")
            .displayName("Admin's rule")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(false)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .sourceResourceType("Assessments")
            .build());

    }
}

YAML

resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule for critical recommendations
      displayName: Admin's rule
      governanceEmailNotification:
        disableManagerEmailNotification: false
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      sourceResourceType: Assessments

The scope property targets a specific subscription where the rule applies. The ownerSource assigns responsibility (here, manually to a specific user), while remediationTimeframe sets a 7-day deadline. The sourceResourceType specifies that this rule governs security assessments. The governanceEmailNotification block controls whether owners and managers receive email alerts when assessments require remediation.

Apply rules across management groups with exclusions

Organizations with multiple subscriptions use management group scopes to enforce policies broadly while excluding specific subscriptions.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule for a management group",
    displayName: "Management group rule",
    excludedScopes: ["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"],
    governanceEmailNotification: {
        disableManagerEmailNotification: true,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "providers/Microsoft.Management/managementGroups/contoso",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});

Python

import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule for a management group",
    display_name="Management group rule",
    excluded_scopes=["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"],
    governance_email_notification={
        "disable_manager_email_notification": True,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="providers/Microsoft.Management/managementGroups/contoso",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)

Go

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule for a management group"),
			DisplayName: pulumi.String("Management group rule"),
			ExcludedScopes: pulumi.StringArray{
				pulumi.String("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
			},
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(true),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("providers/Microsoft.Management/managementGroups/contoso"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule for a management group",
        DisplayName = "Management group rule",
        ExcludedScopes = new[]
        {
            "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        },
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = true,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "providers/Microsoft.Management/managementGroups/contoso",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule for a management group")
            .displayName("Management group rule")
            .excludedScopes("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(true)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("providers/Microsoft.Management/managementGroups/contoso")
            .sourceResourceType("Assessments")
            .build());

    }
}

YAML

resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule for a management group
      displayName: Management group rule
      excludedScopes:
        - /subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      governanceEmailNotification:
        disableManagerEmailNotification: true
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: providers/Microsoft.Management/managementGroups/contoso
      sourceResourceType: Assessments

When scope targets a management group, the rule applies to all descendant subscriptions except those listed in excludedScopes. This allows organization-wide enforcement with targeted exceptions. The rulePriority determines evaluation order when multiple rules apply to the same scope; lower numbers take precedence.
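The subscription and management group rules above are easy to get subtly wrong in ways the API only reports at deploy time (a scope with a leading slash, a timeframe written as "7 days", two rules on one scope sharing a priority). The following pre-deployment lint is an added example written for this guide, not code from the Pulumi provider or Azure; it encodes the three scope formats, the d.hh:mm:ss remediationTimeframe, manual owner assignment and per-scope rulePriority uniqueness using the YAML property names. The sample rules, the second ruleId and the rule that excludedScopes belongs only under a management group scope are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import timedelta

GUID = r"[0-9a-fA-F-]{36}"
# The three scope formats GovernanceRule accepts; no leading slash, unlike excludedScopes.
SCOPE_PATTERNS = {
    "managementGroup": re.compile(
        r"^providers/Microsoft\.Management/managementGroups/[^/]+$"),
    "subscription": re.compile(rf"^subscriptions/{GUID}$"),
    "securityConnector": re.compile(
        rf"^subscriptions/{GUID}/resourceGroups/[^/]+/providers/"
        r"Microsoft\.Security/securityConnectors/[^/]+$"),
}
# Timespan as used by remediationTimeframe: optional days, then hh:mm:ss.
TIMEFRAME = re.compile(r"^(?:(\d+)\.)?(\d{2}):(\d{2}):(\d{2})$")


def classify_scope(scope: str):
    """Return which of the three scope kinds `scope` is, or None if none match."""
    for kind, pattern in SCOPE_PATTERNS.items():
        if pattern.match(scope):
            return kind
    return None


def parse_timeframe(value: str) -> timedelta:
    """Parse a timespan such as '7.00:00:00' (7 days) into a timedelta."""
    m = TIMEFRAME.match(value)
    if not m:
        raise ValueError(f"remediationTimeframe {value!r} is not d.hh:mm:ss")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate_rule(rule: dict) -> list:
    """Return a list of problems with one rule; an empty list means it passed."""
    problems = []
    kind = classify_scope(rule.get("scope", ""))
    if kind is None:
        problems.append(f"scope {rule.get('scope')!r} matches none of the three formats")
    try:
        parse_timeframe(rule.get("remediationTimeframe", ""))
    except ValueError as exc:
        problems.append(str(exc))
    owner = rule.get("ownerSource", {})
    if owner.get("type") == "Manually" and "@" not in owner.get("value", ""):
        problems.append("ownerSource.type Manually needs an email address in value")
    for excluded in rule.get("excludedScopes", []):
        # Assumption of this lint: exclusions name descendant subscriptions of a management group.
        if kind != "managementGroup":
            problems.append("excludedScopes is only meaningful on a management group scope")
            break
        if not re.fullmatch(rf"/subscriptions/{GUID}", excluded):
            problems.append(f"excluded scope {excluded!r} is not /subscriptions/{{id}}")
    return problems


def priority_conflicts(rules: list) -> dict:
    """(scope, rulePriority) -> displayNames for every priority shared on one scope."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["scope"], r["rulePriority"])].append(r["displayName"])
    return {key: names for key, names in seen.items() if len(names) > 1}


def evaluation_order(rules: list, scope: str) -> list:
    """displayNames of the rules on `scope`, lowest rulePriority (which wins) first."""
    on_scope = [r for r in rules if r["scope"] == scope]
    return [r["displayName"] for r in sorted(on_scope, key=lambda r: r["rulePriority"])]


MG = "providers/Microsoft.Management/managementGroups/contoso"
SAMPLE_RULES = [  # constructed; the first mirrors the guide's management group example
    {"displayName": "Management group rule", "scope": MG, "rulePriority": 200,
     "ruleId": "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
     "remediationTimeframe": "7.00:00:00",
     "ownerSource": {"type": "Manually", "value": "user@contoso.com"},
     "excludedScopes": ["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"]},
    {"displayName": "Urgent rule", "scope": MG, "rulePriority": 100,
     "ruleId": "00000000-0000-4000-8000-000000000001",  # constructed placeholder id
     "remediationTimeframe": "3.00:00:00",
     "ownerSource": {"type": "Manually", "value": "secops@contoso.com"}},
]
```

Run validate_rule over every rule in a stack and priority_conflicts over the whole list before `pulumi up`; evaluation_order shows which rule wins on a scope when several apply.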

Govern multi-cloud resources via security connectors

Teams managing GCP or AWS resources through Azure Security Center apply governance rules to assessments from external cloud providers.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const governanceRule = new azure_native.security.GovernanceRule("governanceRule", {
    description: "A rule on critical GCP recommendations",
    displayName: "GCP Admin's rule",
    governanceEmailNotification: {
        disableManagerEmailNotification: true,
        disableOwnerEmailNotification: false,
    },
    isDisabled: false,
    isGracePeriod: true,
    ownerSource: {
        type: azure_native.security.GovernanceRuleOwnerSourceType.Manually,
        value: "user@contoso.com",
    },
    remediationTimeframe: "7.00:00:00",
    ruleId: "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rulePriority: 200,
    ruleType: azure_native.security.GovernanceRuleType.Integrated,
    scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
    sourceResourceType: azure_native.security.GovernanceRuleSourceResourceType.Assessments,
});

Python

import pulumi
import pulumi_azure_native as azure_native

governance_rule = azure_native.security.GovernanceRule("governanceRule",
    description="A rule on critical GCP recommendations",
    display_name="GCP Admin's rule",
    governance_email_notification={
        "disable_manager_email_notification": True,
        "disable_owner_email_notification": False,
    },
    is_disabled=False,
    is_grace_period=True,
    owner_source={
        "type": azure_native.security.GovernanceRuleOwnerSourceType.MANUALLY,
        "value": "user@contoso.com",
    },
    remediation_timeframe="7.00:00:00",
    rule_id="ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
    rule_priority=200,
    rule_type=azure_native.security.GovernanceRuleType.INTEGRATED,
    scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
    source_resource_type=azure_native.security.GovernanceRuleSourceResourceType.ASSESSMENTS)

Go

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewGovernanceRule(ctx, "governanceRule", &security.GovernanceRuleArgs{
			Description: pulumi.String("A rule on critical GCP recommendations"),
			DisplayName: pulumi.String("GCP Admin's rule"),
			GovernanceEmailNotification: &security.GovernanceRuleEmailNotificationArgs{
				DisableManagerEmailNotification: pulumi.Bool(true),
				DisableOwnerEmailNotification:   pulumi.Bool(false),
			},
			IsDisabled:    pulumi.Bool(false),
			IsGracePeriod: pulumi.Bool(true),
			OwnerSource: &security.GovernanceRuleOwnerSourceArgs{
				Type:  pulumi.String(security.GovernanceRuleOwnerSourceTypeManually),
				Value: pulumi.String("user@contoso.com"),
			},
			RemediationTimeframe: pulumi.String("7.00:00:00"),
			RuleId:               pulumi.String("ad9a8e26-29d9-4829-bb30-e597a58cdbb8"),
			RulePriority:         pulumi.Int(200),
			RuleType:             pulumi.String(security.GovernanceRuleTypeIntegrated),
			Scope:                pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector"),
			SourceResourceType:   pulumi.String(security.GovernanceRuleSourceResourceTypeAssessments),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var governanceRule = new AzureNative.Security.GovernanceRule("governanceRule", new()
    {
        Description = "A rule on critical GCP recommendations",
        DisplayName = "GCP Admin's rule",
        GovernanceEmailNotification = new AzureNative.Security.Inputs.GovernanceRuleEmailNotificationArgs
        {
            DisableManagerEmailNotification = true,
            DisableOwnerEmailNotification = false,
        },
        IsDisabled = false,
        IsGracePeriod = true,
        OwnerSource = new AzureNative.Security.Inputs.GovernanceRuleOwnerSourceArgs
        {
            Type = AzureNative.Security.GovernanceRuleOwnerSourceType.Manually,
            Value = "user@contoso.com",
        },
        RemediationTimeframe = "7.00:00:00",
        RuleId = "ad9a8e26-29d9-4829-bb30-e597a58cdbb8",
        RulePriority = 200,
        RuleType = AzureNative.Security.GovernanceRuleType.Integrated,
        Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
        SourceResourceType = AzureNative.Security.GovernanceRuleSourceResourceType.Assessments,
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.GovernanceRule;
import com.pulumi.azurenative.security.GovernanceRuleArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleEmailNotificationArgs;
import com.pulumi.azurenative.security.inputs.GovernanceRuleOwnerSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var governanceRule = new GovernanceRule("governanceRule", GovernanceRuleArgs.builder()
            .description("A rule on critical GCP recommendations")
            .displayName("GCP Admin's rule")
            .governanceEmailNotification(GovernanceRuleEmailNotificationArgs.builder()
                .disableManagerEmailNotification(true)
                .disableOwnerEmailNotification(false)
                .build())
            .isDisabled(false)
            .isGracePeriod(true)
            .ownerSource(GovernanceRuleOwnerSourceArgs.builder()
                .type("Manually")
                .value("user@contoso.com")
                .build())
            .remediationTimeframe("7.00:00:00")
            .ruleId("ad9a8e26-29d9-4829-bb30-e597a58cdbb8")
            .rulePriority(200)
            .ruleType("Integrated")
            .scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector")
            .sourceResourceType("Assessments")
            .build());

    }
}

YAML

resources:
  governanceRule:
    type: azure-native:security:GovernanceRule
    properties:
      description: A rule on critical GCP recommendations
      displayName: GCP Admin's rule
      governanceEmailNotification:
        disableManagerEmailNotification: true
        disableOwnerEmailNotification: false
      isDisabled: false
      isGracePeriod: true
      ownerSource:
        type: Manually
        value: user@contoso.com
      remediationTimeframe: 7.00:00:00
      ruleId: ad9a8e26-29d9-4829-bb30-e597a58cdbb8
      rulePriority: 200
      ruleType: Integrated
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector
      sourceResourceType: Assessments

The scope property can target a security connector resource, which bridges Azure Security Center to GCP or AWS. This allows you to enforce the same remediation policies on multi-cloud security findings. The rule applies to assessments generated by the connector, treating external cloud resources like native Azure resources for governance purposes.

Beyond these examples

These snippets focus on specific governance rule features: scope hierarchy (subscription, management group, security connector), owner assignment and notification controls, and remediation timeframes and grace periods. They’re intentionally minimal rather than full security governance frameworks.

The examples reference pre-existing infrastructure such as Azure subscriptions and management groups, security connectors for multi-cloud resources, and security assessments to govern. They focus on configuring the rule rather than provisioning the underlying security infrastructure.

To keep things focused, common governance patterns are omitted, including:

  • Conditional rule application (conditionSets for filtering assessments)
  • Member scope inheritance (includeMemberScopes)
  • Rule activation controls (isDisabled for temporary suspension)
  • Grace period configuration details

These omissions are intentional: the goal is to illustrate how each governance rule feature is wired, not provide drop-in compliance modules. See the GovernanceRule resource reference for all available configuration options.

Frequently Asked Questions

Rule Configuration & Scope

What properties can't be changed after creating a governance rule?
The ruleId and scope properties are immutable after creation.

What scope formats are supported for governance rules?
Three formats are supported: management group (providers/Microsoft.Management/managementGroups/{managementGroup}), subscription (subscriptions/{subscriptionId}), and security connector (subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}).

What happens if I create two rules with the same priority on the same scope?
Two rules with the same rulePriority value on the same scope are not allowed; creating the second one causes an error.

Does a lower or higher priority number take precedence?
Lower numbers have higher priority. For example, a rule with rulePriority 100 takes precedence over one with rulePriority 200.

Remediation & Grace Period

How do I specify the remediation timeframe?
Use timespan format in the remediationTimeframe property. For example, 7.00:00:00 represents 7 days.

What does the grace period setting do?
The isGracePeriod property defines whether the governance rule has a grace period, which affects when remediation enforcement begins relative to the remediationTimeframe.

Notifications & Ownership

How do I set manual ownership for a governance rule?
Configure ownerSource with type set to Manually and value set to the owner's email address (e.g., user@contoso.com).

How do I control email notifications for managers and owners?
Use the governanceEmailNotification object: its disableManagerEmailNotification and disableOwnerEmailNotification boolean flags switch each kind of notification off.

Advanced Configuration

How do I exclude specific subscriptions from a governance rule?
Use the excludedScopes array with subscription paths. For example, ["/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"] excludes that subscription from the rule.

What does the includeMemberScopes property control?
The includeMemberScopes property defines whether the rule is a management scope rule, i.e. whether it applies to a master connector as a single scope or across a management scope.
