Azure Policy for compliance enforcement

Governance and compliance

📘Microsoft Certified: Azure Fundamentals (AZ-900)


1. What is Governance in Azure?

Governance means setting rules and controls to make sure cloud resources are:

  • Secure
  • Compliant with company policies
  • Cost-controlled
  • Configured correctly
  • Following standards

In Azure, governance helps organizations make sure all resources follow company and regulatory requirements.

Azure Policy is one of the most important governance tools in Azure.


2. What is Azure Policy?

Azure Policy is a service in Azure that helps you:

  • Create rules (policies)
  • Enforce those rules
  • Make sure resources stay compliant
  • Automatically fix non-compliant resources (in some cases)

It ensures that resources in Azure follow organizational standards.


Simple Definition for Exam

Azure Policy is a service that enforces organizational standards and assesses compliance across Azure resources.


3. Why Azure Policy is Important

In an IT environment, different teams may create:

  • Virtual Machines
  • Storage accounts
  • Databases
  • Networking resources

Without control:

  • Resources may be deployed in wrong regions
  • Encryption may not be enabled
  • Tags may be missing
  • Expensive SKUs may be selected
  • Security settings may not follow standards

Azure Policy helps prevent and control these issues automatically.


4. How Azure Policy Works

Azure Policy works in 3 simple steps:

Step 1 – Define a Policy

You create a rule such as:

  • Only allow resources in a specific region
  • Require secure transfer (HTTPS only) on storage accounts
  • Require a tag like “Department”
  • Only allow specific VM sizes

Step 2 – Assign the Policy

You assign the policy to:

  • Management group
  • Subscription
  • Resource group

Step 3 – Evaluate Compliance

Azure checks:

  • New or changed resources (the request is evaluated before it is written, so a Deny can stop it)
  • Existing resources (on a regular scan after deployment)

It then marks them:

  • Compliant
  • Non-compliant

5. Key Components of Azure Policy

To pass the exam, you must understand these components:


5.1 Policy Definition

A policy definition contains:

  • The rule (what is allowed or not allowed)
  • The conditions
  • The effect (what happens if rule is violated)

Example:

  • If a storage account does not require secure transfer (HTTPS) → Deny

Microsoft provides many built-in policy definitions, and you can also create custom policies.


5.2 Initiative (Policy Set)

An initiative is a group of policies bundled together.

Instead of assigning many policies one by one, you assign one initiative.

Example:

  • Security baseline initiative
  • Regulatory compliance initiative

Initiatives are used to manage compliance at scale.


5.3 Assignment

A policy assignment applies a policy to a scope.

Scope can be:

  • Management group (highest level)
  • Subscription
  • Resource group
  • Individual resource

Policies apply to everything inside that scope, except resources you list as exclusions (notScopes) on the assignment or cover with a policy exemption.


5.4 Parameters

Policies can use parameters.

This allows flexibility.

Example:
Instead of hardcoding region = East US,
You define a parameter for allowed regions.

This makes the policy reusable.


6. Policy Effects (Very Important for Exam)

Policy effects define what happens when a resource violates the rule.

You must remember these effects:


6.1 Deny

  • Blocks the deployment.
  • Resource cannot be created or modified.

Example:
If someone tries to create a VM in an unauthorized region → Deployment fails.


6.2 Audit

  • Allows deployment.
  • Marks resource as non-compliant.

Example:
If a required setting (for example, secure transfer on a storage account) is not enabled → the resource is created, but reported as non-compliant.


6.3 Append

  • Adds extra fields to the resource request during creation or update.
  • Can only add, not replace, a value, and cannot fix resources that already exist.

Example:
Add an approved IP range to a storage account's network rules. (Append was historically used for tags; for tags, Modify is now the recommended effect.)


6.4 Modify

  • Adds, replaces or removes properties or tags on the request automatically.
  • The recommended way to add or correct tags.
  • The assignment needs a managed identity holding the role(s) listed in the definition; existing resources are fixed with a remediation task.

6.5 DeployIfNotExists

  • After a matching resource is created or updated, checks whether a related resource or setting exists and deploys it if it is missing.
  • Like Modify, it runs under the assignment's managed identity; existing resources are fixed with a remediation task.
  • AuditIfNotExists is the report-only counterpart: it flags the missing component instead of deploying it.

Example:
If diagnostic settings are not configured on a resource → Azure automatically deploys them.


6.6 Disabled

  • Policy exists but does nothing.
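
The three steps of section 4 (define, assign, evaluate), the parameters of 5.4 and the Deny, Audit and Modify effects above, worked end to end as an added example that is not part of the original page. The three policy definitions are written in the real Azure Policy definition schema (policyRule with if/then, parameters, field aliases) and mirror the shape of the built-in "Allowed locations", "Require a tag on resources" and "Add a tag to resources" definitions; the evaluator around them is a simplified stand-in for the Azure Policy engine written for this example (it supports only the operators, expressions and effects these definitions use), and the resource inventory, subscription ID and tag values are constructed.

```python
"""Local model of Azure Policy: definition + parameters -> assignment -> evaluation -> effect.
The definitions use the real schema; the evaluator is a simplified stand-in written for this example."""
import copy, re

TAG_FIELD = "[concat('tags[', parameters('tagName'), ']')]"  # alias form for a named tag
ALLOWED_LOCATIONS = {  # same shape as the built-in "Allowed locations" definition
    "displayName": "Allowed locations", "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}}
REQUIRE_TAG = {  # the effect is itself a parameter: Audit (default) reports, Deny blocks
    "displayName": "Require a tag on resources", "mode": "Indexed",
    "parameters": {"tagName": {"type": "String"},
                   "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}},
    "policyRule": {"if": {"field": TAG_FIELD, "exists": "false"},
                   "then": {"effect": "[parameters('effect')]"}}}
ADD_TAG = {  # Modify; a real definition also lists roleDefinitionIds for the assignment's managed identity
    "displayName": "Add a tag to resources", "mode": "Indexed",
    "parameters": {"tagName": {"type": "String"}, "tagValue": {"type": "String"}},
    "policyRule": {"if": {"field": TAG_FIELD, "exists": "false"},
                   "then": {"effect": "modify", "details": {"operations": [
                       {"operation": "addOrReplace", "field": TAG_FIELD, "value": "[parameters('tagValue')]"}]}}}}
PARAM_RE = re.compile(r"parameters\('([^']+)'\)")

def resolve(value, params):
    """Resolve [parameters('p')] and [concat('lit', parameters('p'), ...)]; other values pass through."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    parts = expr[7:-1].split(",") if expr.startswith("concat(") else [expr]
    out = []
    for part in (p.strip() for p in parts):
        m = PARAM_RE.fullmatch(part)
        out.append(params[m.group(1)] if m else part.strip("'"))
    return out[0] if len(out) == 1 else "".join(map(str, out))

def get_field(resource, field):  # read a field alias: a top-level property or tags[<name>]
    m = re.fullmatch(r"tags\[(.+)\]", field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def matches(cond, resource, params):
    """True when the 'if' condition holds, i.e. the resource violates the rule."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = get_field(resource, resolve(cond["field"], params))
    op, expected = next((k, resolve(v, params)) for k, v in cond.items() if k != "field")
    ops = {"equals": lambda: actual == expected, "notEquals": lambda: actual != expected,
           "in": lambda: actual in expected, "notIn": lambda: actual not in expected,
           "exists": lambda: (actual is not None) == (str(expected).lower() == "true")}
    return ops[op]()

def bound_params(assignment):  # assignment parameter values, falling back to definition defaults
    return {name: assignment["parameters"].get(name, spec.get("defaultValue"))
            for name, spec in assignment["definition"]["parameters"].items()}

def evaluate(assignment, resource):
    """Request-time evaluation. Returns (effect applied, resource as written or None, compliant)."""
    params, rule = bound_params(assignment), assignment["definition"]["policyRule"]
    if not matches(rule["if"], resource, params):
        return "none", resource, True
    effect = str(resolve(rule["then"]["effect"], params)).lower()
    if effect == "deny":    # request rejected, nothing is created
        return "deny", None, False
    if effect == "audit":   # request allowed, resource reported as non-compliant
        return "audit", resource, False
    if effect == "modify":  # request altered before it is written (tag add/addOrReplace only here)
        fixed = copy.deepcopy(resource)
        for op in rule["then"]["details"]["operations"]:
            tag = re.fullmatch(r"tags\[(.+)\]", resolve(op["field"], params)).group(1)
            fixed.setdefault("tags", {})[tag] = resolve(op["value"], params)
        return "modify", fixed, True
    raise ValueError(f"effect {effect} not modelled here")

def compliance_report(assignment, resources):
    """Scan-time evaluation of existing resources: per-resource state and compliance percentage."""
    params, rule = bound_params(assignment), assignment["definition"]["policyRule"]
    states = {r["name"]: not matches(rule["if"], r, params) for r in resources}
    return states, round(100 * sum(states.values()) / len(states), 1)

def remediate(assignment, resources):  # remediation task: re-run a Modify assignment on existing resources
    return [evaluate(assignment, r)[1] for r in resources]

# Constructed sample inventory and assignments (made-up names and subscription ID)
RESOURCES = [
    {"name": "vm-prod-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {"Department": "Finance"}},
    {"name": "stdevlogs01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}},
    {"name": "vnet-core", "type": "Microsoft.Network/virtualNetworks", "location": "northeurope", "tags": {"Department": "IT"}},
]
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
LOCATIONS = {"scope": SCOPE, "definition": ALLOWED_LOCATIONS, "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}}
TAG_AUDIT = {"scope": SCOPE, "definition": REQUIRE_TAG, "parameters": {"tagName": "Department"}}
TAG_MODIFY = {"scope": SCOPE, "definition": ADD_TAG, "parameters": {"tagName": "Department", "tagValue": "Unassigned"}}

if __name__ == "__main__":
    print(compliance_report(LOCATIONS, RESOURCES), evaluate(TAG_MODIFY, RESOURCES[1]))
```

Switching the same REQUIRE_TAG assignment from reporting to blocking is only a parameter change (`"effect": "Deny"`), which is why parameterised effects are the usual way to roll a policy out as Audit first and tighten it later. In Azure itself the equivalent steps are `az policy definition create` (or picking a built-in definition), `az policy assignment create --scope ...` with parameter values, `az policy state list` for the compliance results, and `az policy remediation create` for the remediation task.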

7. Compliance Evaluation

Azure Policy evaluates resources on several triggers.

There are two types of evaluation:

1. Real-time evaluation

  • Happens when a resource is created or updated; the request is checked before it is written, so a Deny can block it.

2. Periodic evaluation

  • A full compliance scan of existing resources runs about once every 24 hours.
  • A scan is also triggered when a policy or initiative is assigned or changed, and you can start one on demand.

Results are shown in:

  • Compliance dashboard
  • Compliance percentage
  • List of non-compliant resources

8. Azure Policy vs RBAC (Very Important Difference)

Many students confuse these.

Azure Policy                        | RBAC
------------------------------------|------------------------------------
Controls what can be deployed       | Controls who can access resources
Enforces rules                      | Manages permissions
Focuses on compliance               | Focuses on access control

Example:

  • RBAC: Who can create a VM?
  • Policy: What type of VM can be created?

The two are evaluated independently: a Deny policy blocks a request even from a user with the Owner role, and no RBAC role grants an exception to a policy.

9. Azure Policy vs Azure Blueprints (Exam Concept)

Although Azure Blueprints is being retired (Microsoft recommends ARM template specs and deployment stacks instead), for AZ-900 you should know:

  • Azure Policy enforces compliance rules.
  • Blueprints help deploy a set of resources + policies together.

10. Real IT Environment Examples

Here are practical examples used in companies:


Example 1 – Enforcing Resource Locations

Company policy:
All data must stay in a specific region.

Policy:
Deny resources outside approved region.

Result:
Prevents accidental deployment in unauthorized regions.


Example 2 – Mandatory Tags

Company requires:

  • CostCenter
  • Department
  • Environment (Prod/Test/Dev)

Policy:
Deny or Modify if tags are missing.

Result:
Better cost tracking and reporting.


Example 3 – Enforcing Encryption

Requirement:
All storage accounts must enforce encryption in transit.

Policy:
Deny storage accounts that do not have “secure transfer required” (HTTPS only) enabled.

Result:
Improves data protection compliance.

Note: Azure Storage always encrypts data at rest, so a policy cannot “turn on” encryption at rest; what policies check in practice are settings such as secure transfer, infrastructure (double) encryption, or customer-managed keys.


Example 4 – Limiting VM Sizes

Requirement:
Only approved VM sizes allowed to control cost.

Policy:
Deny non-approved VM SKUs.

Result:
Prevents overspending.


Example 5 – Enforcing Diagnostic Logging

Requirement:
All resources must send logs to Log Analytics.

Policy:
DeployIfNotExists to enable diagnostics.

Result:
Improves monitoring and security tracking.


11. Built-in Policies

Azure provides many built-in policies for:

  • Security
  • Networking
  • Storage
  • Regulatory compliance (ISO, NIST, etc.)
  • Tag enforcement
  • Resource restrictions

You do NOT need to memorize specific policy names for AZ-900, but understand that built-in policies exist.


12. Regulatory Compliance in Azure Policy

Azure Policy helps organizations align with:

  • ISO standards
  • NIST
  • GDPR
  • SOC
  • Other regulatory frameworks

Azure provides built-in compliance initiatives that map to these standards.


13. Remediation Tasks

For policies with:

  • DeployIfNotExists
  • Modify

You can create a remediation task to fix existing non-compliant resources.

The assignment must have a managed identity (system- or user-assigned) with the role listed in the definition's roleDefinitionIds; the remediation task then re-runs the effect against the resources that are already deployed and non-compliant.

This helps enforce compliance on already deployed resources.


14. Management Groups and Policy Inheritance

Policies assigned at higher levels apply to lower levels.

Hierarchy:

Management Group
→ Subscription
→ Resource Group
→ Resource

If you assign a policy at management group level:

It applies to all subscriptions under it.

This ensures organization-wide governance.
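
Scope inheritance from section 5.3 and this section, worked as an added example that is not part of the original page: given a management-group tree, it lists which assignments reach a resource, including an assignment's exclusions (notScopes). The tenant hierarchy, management-group and subscription names, and the assignments are constructed, and the lookup is written for this example rather than taken from Azure; scope IDs are compared case-insensitively, as Azure does.

```python
"""Which policy assignments reach a given scope? Assignments inherit down the
management group -> subscription -> resource group -> resource hierarchy, and an
assignment's notScopes (exclusions) carve child scopes back out. The tenant
hierarchy, IDs and assignments below are constructed for this example."""

MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed tenant hierarchy: child scope -> parent scope (subscriptions hang off management groups)
PARENT = {
    MG + "contoso-root": None,
    MG + "platform": MG + "contoso-root",
    MG + "landing-zones": MG + "contoso-root",
    "/subscriptions/sub-prod": MG + "landing-zones",
    "/subscriptions/sub-sandbox": MG + "landing-zones",
    "/subscriptions/sub-mgmt": MG + "platform",
}
_PARENT = {k.lower(): (v.lower() if v else None) for k, v in PARENT.items()}  # scope IDs are case-insensitive

# Constructed assignments: the scope each sits at, optional exclusions, and its effect
ASSIGNMENTS = [
    {"name": "allowed-locations", "scope": MG + "contoso-root", "notScopes": [], "effect": "deny"},
    {"name": "require-tags", "scope": MG + "landing-zones", "notScopes": [], "effect": "deny"},
    {"name": "audit-public-ip", "scope": "/subscriptions/sub-sandbox",
     "notScopes": ["/subscriptions/sub-sandbox/resourceGroups/rg-scratch"], "effect": "audit"},
    {"name": "deploy-diagnostics", "scope": "/subscriptions/sub-prod/resourceGroups/rg-app",
     "notScopes": [], "effect": "deployIfNotExists"},
]


def scope_chain(scope_id):
    """Every scope that contains scope_id, innermost first (lower-cased): the resource,
    its resource group, its subscription, then management groups up to the root."""
    scope_id = scope_id.lower()
    parts = scope_id.split("/")  # ['', 'subscriptions', <sub>, 'resourcegroups', <rg>, 'providers', ...]
    if parts[1] == "subscriptions":
        chain = [scope_id] if len(parts) > 5 else []   # a resource (below the resource group)
        if len(parts) >= 5:
            chain.append("/".join(parts[:5]))           # its resource group
        chain.append("/".join(parts[:3]))               # its subscription
    else:
        chain = [scope_id]                              # a management group
    parent = _PARENT.get(chain[-1])
    while parent:
        chain.append(parent)
        parent = _PARENT.get(parent)
    return chain


def applicable(scope_id, assignments=ASSIGNMENTS):
    """Names of assignments whose scope contains scope_id and whose notScopes do not."""
    chain = set(scope_chain(scope_id))
    return [a["name"] for a in assignments
            if a["scope"].lower() in chain and not any(n.lower() in chain for n in a["notScopes"])]


def coverage(assignments=ASSIGNMENTS):
    """Assignments inherited by each subscription: the effect of assigning at management-group level."""
    return {s: applicable(s, assignments) for s in PARENT if s.startswith("/subscriptions/")}


if __name__ == "__main__":
    for sub, names in coverage().items():
        print(sub, "<-", names)
    print(applicable("/subscriptions/sub-sandbox/resourceGroups/rg-scratch/providers/Microsoft.Compute/virtualMachines/vm1"))
```

Two things this makes visible: an assignment at the root reaches every subscription without being re-assigned, and an exclusion only hides the assignment from the excluded branch, not from its siblings. Policy exemptions are the other way to carve a resource out; they are separate objects attached to an assignment and are not modelled here.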


15. Important Exam Points to Remember

You should clearly understand:

✔ Azure Policy enforces standards
✔ It evaluates compliance
✔ It works at management group, subscription, and resource group levels
✔ Deny blocks deployment
✔ Audit allows but reports
✔ DeployIfNotExists auto-deploys missing components
✔ Policy ≠ RBAC
✔ Initiatives group multiple policies
✔ Used for compliance and governance


16. Quick Summary for Revision

Azure Policy is used to:

  • Enforce rules
  • Control configurations
  • Ensure compliance
  • Prevent non-approved deployments
  • Automatically remediate issues
  • Monitor compliance status

It is a core governance tool in Azure and frequently tested in AZ-900.
