azure-policy VS balanced-employee-ip-agreement

Reference: https://github.com/Azure/azure-policy

I just came across this post over in the Azure subreddit and it gave me a good idea on one way to deal with rogue Azure subscriptions - just have them default into a Management Group where a policy is in-place that basically denies use of any and all services.

Oooo, that's a nice trick for the use of the root management group which usually has best practice to leave empty. I like that a lot! Could maybe pair that with the "deny all resource types" policy sample, and then even if someone does create a new subscription it's pretty much 100% neutered until someone pulls it out of the root management group and places it somewhere else.

Found a 2018 Github article - https://github.com/Azure/azure-policy/issues/102

MS Repo https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions

I can see here that is expecting azure-policy/AzureWindowsBaseline.mof at master · Azure/azure-policy · GitHub: "LOCAL SERVICE, NETWORK SERVICE". However, that would exclude the web app pools.

Azure shared with us a GitHub repository contains built-in samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups.

The only real way you'll be able to do this is via an Azure Policy, alongside a deny effect - where your policy would restrict based on the type field, with the values passed in via an array parameter (example)

[2] https://github.com/github/balanced-employee-ip-agreement/blo...

I worked for a company and they wanted to do something similar, I think they went with something boilerplate or from an attorney. I suggested a compromise and we use something similar to the [GitHub Balanced Employee Intellectual Property Agreement (BEIPA)](https://github.com/github/balanced-employee-ip-agreement/blo...).

I'm not sure if in your circumstance they would go for it, but it worked out for me. Here is the github blog post - https://github.blog/2017-03-21-work-life-balance-in-employee...

I think this is reasonable advice, in some settings. But for many of us, I think it’s just not practical anymore.

The lines have become too blurred. I work from home, I have one office and one desk. The computer on the desk was purchased by my company but other stuff wasn’t like my mouse or my iPad. I have work Slack on my phone, which is my personal phone.

Granted, I work for a startup. This isn’t a company IT department managed laptop. It’s a MBP they had shipped directly from Apple to me.

The GitHub Balanced Employee IP Agreement acknowledges that this distinction is arbitrary and unhelpful:

> In California the main difference made by BEIPA is that IP developed with company equipment or relating to the company's business, but in an employee's free time and which the employee is not involved in as an employee, is not owned by the company (but the company does get a non-exclusive and unlimited license if the IP relates to the company's business). This recognizes that from the employee perspective, segregating one's life activities based on ownership of devices at hand or relatedness to an employer's potentially vast range of business that an individual employee is not involved with as an employee imposes significant cognitive overhead and often doesn't happen in practice, whatever agreements state.

- https://github.com/github/balanced-employee-ip-agreement

I hope that more employee agreements move this direction so we can stop trying to enforce this distinction.

I interviewed with Sysco Labs and they had some IP stuff in the contract that was absolutely bonkers. They accounted for everything, even if I died then I couldn’t pass on my IP to my kids, it would go to them instead. I asked them to remove it and replace it with BEIPA but they didn’t go for it. I asked if they would negotiate at all on any part of the contract. They said no. I walked away from that job even though I really wanted it. They showed me who they were as a company and I didn’t like what I saw.