Governance Policies Azure Monitoring Action Groups - Azure/az-prototype GitHub Wiki
Governance policies for Action Groups
Domain: azure-monitoring

| Name | Description |
|---|---|
| Action group with multi-channel notifications and metric alerts | Action group with email, webhook, and role-based receivers linked to metric alerts |

| Description | Instead |
|---|---|
| Do not deploy monitoring without action groups | Create action groups first, then link them to all alert rules |
| Do not use personal email addresses in action groups | Use distribution lists or team mailboxes for reliable notification delivery |

| Check | Severity | Description |
|---|---|---|
| AZ-AG-001 | Required | Create action groups with email and webhook notification channels for critical alerts |
| AZ-AG-002 | Required | Use Common Alert Schema for all receivers |
| AZ-AG-003 | Required | Create metric alerts for critical resource health indicators |
| AZ-AG-004 | Recommended | Create activity log alerts for subscription-level administrative events |

Create action groups with email and webhook notification channels for critical alerts

Severity: Required

Rationale: Without action groups, alerts fire but nobody is notified — incidents go undetected

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Insights/actionGroups

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/metricAlerts | alert-critical-metrics | Metric alert rules that reference this action group for notification delivery |
| Microsoft.Insights/scheduledQueryRules | alert-log-query | Log alert rules based on KQL queries that reference this action group |
| Microsoft.Insights/activityLogAlerts | alert-activity-log | Activity log alerts for subscription-level administrative events |

Use Common Alert Schema for all receivers

Severity: Required

Rationale: Common Alert Schema provides a standardized payload format across all alert types for consistent processing

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Insights/actionGroups

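
One way to enforce AZ-AG-001 and AZ-AG-002 before deployment is a static check over an exported ARM template. This is an added example, not code from the az-prototype project; it assumes the template's `resources` is a top-level array, and the sample template, the `ag-legacy` name, and the example.com addresses are constructed.

```python
# Added example: static check of an ARM template against AZ-AG-001 / AZ-AG-002.
# Receiver arrays of Microsoft.Insights/actionGroups that carry useCommonAlertSchema.
SCHEMA_RECEIVERS = ("emailReceivers", "webhookReceivers", "armRoleReceivers",
                    "azureFunctionReceivers", "logicAppReceivers",
                    "automationRunbookReceivers", "eventHubReceivers")

def check_action_group(resource):
    """Return (check_id, message) findings for one ARM resource dict."""
    if resource.get("type", "").lower() != "microsoft.insights/actiongroups":
        return []
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties", {})
    findings = []
    # AZ-AG-001: an email channel and a webhook channel must both exist.
    for key, label in (("emailReceivers", "email"), ("webhookReceivers", "webhook")):
        if not props.get(key):
            findings.append(("AZ-AG-001", f"{name}: no {label} receiver"))
    # AZ-AG-002: every receiver must set the flag; an omitted flag counts as a failure.
    for key in SCHEMA_RECEIVERS:
        for rcv in props.get(key, []):
            if rcv.get("useCommonAlertSchema") is not True:
                findings.append(("AZ-AG-002",
                    f"{name}: {key}/{rcv.get('name')} does not set useCommonAlertSchema"))
    return findings

def check_template(template):
    """Check every resource in a template whose 'resources' is a top-level array."""
    return [f for res in template.get("resources", []) for f in check_action_group(res)]

# Constructed sample: ag-ops satisfies both checks, ag-legacy fails both.
SAMPLE = {"resources": [
    {"type": "Microsoft.Insights/actionGroups", "name": "ag-ops", "properties": {
        "emailReceivers": [{"name": "ops-dl", "emailAddress": "ops-team@example.com",
                            "useCommonAlertSchema": True}],
        "webhookReceivers": [{"name": "hook", "serviceUri": "https://hooks.example.com/alerts",
                              "useCommonAlertSchema": True}],
        "armRoleReceivers": [{"name": "owners", "roleId": "<role-definition-guid>",
                              "useCommonAlertSchema": True}]}},
    {"type": "Microsoft.Insights/actionGroups", "name": "ag-legacy", "properties": {
        "emailReceivers": [{"name": "oncall", "emailAddress": "oncall@example.com"}]}},
]}

if __name__ == "__main__":
    for check_id, message in check_template(SAMPLE):
        print(check_id, message)
```

A flag supplied as a template expression such as `[parameters('...')]` is also reported, because the check only accepts a literal `true`.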

Create metric alerts for critical resource health indicators

Severity: Required

Rationale: Proactive alerting on CPU, memory, response time, and error rate prevents outages from going undetected

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Insights/actionGroups

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/actionGroups | ag-ops | Action group defining notification receivers for metric alert delivery |

Create activity log alerts for subscription-level administrative events

Severity: Recommended

Rationale: Track resource deletions, role assignments, and policy changes at the subscription level

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Insights/actionGroups

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/actionGroups | ag-ops | Action group defining notification receivers for activity log alert delivery |