Exam Notes
Evaluation Order: Disabled → Append/Modify → Deny → Audit. Disabled is checked first and skips the definition entirely; Append and Modify run next because they change the request and can stop a later Deny or Audit from matching; Deny runs before Audit so a blocked resource is not also logged as non-compliant. AuditIfNotExists and DeployIfNotExists are evaluated only after the resource provider returns success for the create or update.
Policy & Governance
Azure governance ensures resources comply with organizational standards and policies. Governance controls cascade down the resource hierarchy, enabling centralized management at scale.
Azure Policy evaluates resources and actions against business rules defined as policy definitions. Policies can audit, deny, modify, or deploy resources to ensure compliance.
Policy Definition
A JSON rule describing what to evaluate and what action to take.
Policy Assignment
Applying a policy definition to a specific scope.
Initiative (Policy Set)
A collection of related policy definitions grouped together.
Exemptions
Exclude a resource, resource group, or subscription from a specific assignment, optionally with an expiry date; the exempted resource still shows in compliance results, in the Exempt state.
The effect determines what happens when a policy rule matches. Effects are evaluated in a fixed order during resource creation and updates, so an effect that changes the request (Append, Modify) can prevent a later Deny or Audit from triggering.
| Effect | Description | Use Case |
|---|---|---|
| Disabled | Policy not evaluated | Testing, temporary disable |
| Audit | Log warning, allow resource | Visibility without blocking |
| Deny | Block resource creation/update | Prevent non-compliant resources |
| Append | Add fields to resource | Add required tags or properties |
| Modify | Add, update, or remove properties | Enforce tags, disable public access |
| AuditIfNotExists | Audit if related resource missing | Check for diagnostic settings |
| DeployIfNotExists | Deploy related resource if missing | Auto-deploy monitoring agents |
| DenyAction | Block a specific action (currently only DELETE) on matching resources | Prevent deletion of critical resources |
Policies assigned at a higher scope (management group, subscription, or resource group) automatically apply to every child scope and resource. Assigning at a management group enables centralized governance across thousands of subscriptions with a single assignment.
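The evaluation order matters in practice: a Modify that adds a required tag runs before a Deny that checks for that tag, so the write succeeds, while the reverse order would block it. The simulator below, an added example written for these notes rather than Azure's own evaluator, applies constructed policy definitions (written in the real policyRule if/then shape) to a constructed storage-account PUT body in the documented tier order. Alias resolution is simplified to a properties lookup of the last path segment, Append is not modelled, and the *IfNotExists effects are omitted because they run only after the write succeeds.

```python
"""Simulate the order in which Azure Policy applies effects to a resource write.
Added example for this page, not Azure's code; aliases are simplified to the last
path segment looked up under 'properties' (an assumption of this model)."""
import copy
import json

# Effect order on create/update. 'Disabled' definitions are skipped before any
# of these run, Append sits in the same tier as Modify (not modelled here), and
# AuditIfNotExists / DeployIfNotExists only run after the write succeeds.
EVALUATION_ORDER = ["Modify", "Deny", "Audit"]

# Constructed definitions in the real policyRule 'if'/'then' shape.
POLICY_DEFINITIONS = json.loads(r"""[
 {"name": "modify-add-env-tag", "policyRule": {
   "if": {"field": "tags['environment']", "exists": "false"},
   "then": {"effect": "Modify", "details": {"operations": [
     {"operation": "addOrReplace", "field": "tags['environment']", "value": "prod"}]}}}},
 {"name": "deny-missing-env-tag", "policyRule": {
   "if": {"field": "tags['environment']", "exists": "false"},
   "then": {"effect": "Deny"}}},
 {"name": "audit-public-storage", "policyRule": {
   "if": {"allOf": [
     {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
     {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false"}]},
   "then": {"effect": "Audit"}}},
 {"name": "disabled-deny-everything", "policyRule": {
   "if": {"field": "type", "notEquals": ""}, "then": {"effect": "Disabled"}}}
]""")

# Constructed PUT body for a storage account, reduced to the fields used above.
STORAGE_REQUEST = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "stexample001",
    "tags": {"owner": "platform-team"},
    "properties": {"allowBlobPublicAccess": True},
}


def tag_key(field):
    """Tag name from a field reference such as tags['environment']."""
    if not (field.startswith("tags[") and field.endswith("]")):
        raise ValueError(f"only tag fields are modelled, got {field!r}")
    return field[5:-1].strip("'\"")


def resolve_field(resource, field):
    """Map a policyRule 'field' reference onto the simplified resource model."""
    if field.startswith("tags["):
        return resource.get("tags", {}).get(tag_key(field))
    if field in ("type", "name"):
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])


def condition_matches(resource, cond):
    """Evaluate an 'if' block: the allOf combinator plus exists/equals/notEquals."""
    if "allOf" in cond:
        return all(condition_matches(resource, c) for c in cond["allOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return str(value).lower() != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def apply_modify(resource, details):
    """Apply Modify add / addOrReplace / remove operations to the tags."""
    tags = resource.setdefault("tags", {})
    for op in details["operations"]:
        key = tag_key(op["field"])
        if op["operation"] == "remove":
            tags.pop(key, None)
        elif not (op["operation"] == "add" and key in tags):  # 'add' never overwrites
            tags[key] = op["value"]


def evaluate(request, definitions, order=EVALUATION_ORDER):
    """Apply definitions to a copy of the request, one effect tier at a time."""
    resource = copy.deepcopy(request)
    events = []
    for effect in order:
        for definition in definitions:
            rule = definition["policyRule"]
            if rule["then"]["effect"] != effect or not condition_matches(resource, rule["if"]):
                continue
            events.append((effect, definition["name"]))
            if effect == "Modify":
                apply_modify(resource, rule["then"]["details"])
            elif effect == "Deny":
                return {"allowed": False, "resource": resource, "events": events}
    return {"allowed": True, "resource": resource, "events": events}


if __name__ == "__main__":
    print(json.dumps(evaluate(STORAGE_REQUEST, POLICY_DEFINITIONS), indent=2))
    without_modify = [d for d in POLICY_DEFINITIONS if d["name"] != "modify-add-env-tag"]
    print("allowed without Modify:", evaluate(STORAGE_REQUEST, without_modify)["allowed"])
```

With all four definitions the request is allowed: Modify adds environment=prod, the Deny no longer matches, and the Audit records the public-access finding without blocking. Removing the Modify definition (or passing an order that puts Deny first) makes the same request fail, which is the behaviour the exam tests when it asks why Append/Modify are evaluated before Deny.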
Key Points
Common Patterns
Azure Policy continuously evaluates resources for compliance. Non-compliant resources can be remediated automatically or manually.
Compliance Dashboard
Remediation Tasks
| State | Description |
|---|---|
| Compliant | Resource meets all applicable policy requirements |
| Non-Compliant | Resource violates one or more policy rules |
| Exempt | Resource excluded from the assignment by an exemption (Waiver or Mitigated category) |
| Conflicting | Two or more assignments apply rules that conflict for the same resource (for example, different Append values for one tag) |
| Not Started | Evaluation hasn't run yet |
Azure Blueprints enable declarative definition of repeatable sets of Azure resources that implement organizational standards. Blueprints orchestrate deployment of role assignments, policy assignments, ARM templates, and resource groups. Microsoft has deprecated Blueprints (retirement set for 11 July 2026) in favour of Template Specs and Deployment Stacks, so expect it in exam questions but do not build new environments on it.
Role Assignments
RBAC at subscription or RG
Policy Assignments
Governance rules
ARM Templates
Infrastructure as Code
Resource Groups
Containers for resources
Blueprint Locking
Locks (Read Only or Do Not Delete) protect blueprint-deployed resources from changes, even by subscription Owners; they are enforced through a deny assignment and can only be removed by changing the lock mode on the blueprint assignment or unassigning the blueprint.
Blueprints vs ARM Templates
A blueprint assignment keeps a live relationship with what it deployed, tracking the artifacts and allowing the assignment to be updated to a newer blueprint version, whereas an ARM template deployment has no ongoing link to the resources once it completes.
Start with Audit
Deploy new policies in Audit mode first and review the impact before switching to Deny. Parameterize the effect in the definition (an effect parameter with allowed values such as Audit, Deny, and Disabled, as most built-ins do) so the switch is an assignment change rather than a new definition; an assignment's enforcement mode can also be set to DoNotEnforce to report compliance without applying the effect.
Use Initiatives
Group related policies into initiatives for easier management and compliance tracking.
Assign at Right Scope
Apply policies at the highest appropriate scope, normally a management group. Handle exceptions with exemptions that carry an expiry date rather than with separate, narrower assignments.
Built-in First
Use built-in policies when possible. Create custom only when necessary.
Version Control
Store custom policies in Git. Use CI/CD for policy deployment.
Regular Review
Monitor compliance dashboards. Review and remediate non-compliant resources.
| Concept | Description | Key Points |
|---|---|---|
| Policy Definition | JSON rule for compliance | Conditions + Effect + Parameters |
| Policy Assignment | Apply definition to scope | MG, Subscription, or RG |
| Initiative | Group of policies | Assign multiple policies together |
| Exemption | Exclude from policy | Waiver (risk accepted) or Mitigated (intent met another way); optional expiry |
| Blueprint | Environment template | RBAC + Policy + ARM + RGs |
| Remediation | Fix non-compliant resources | Modify, DeployIfNotExists |