Azure Governance — Policy, Management Groups & Compliance
Enforce standards and compliance at scale with Azure Policy, Management Groups, Blueprints, and RBAC governance patterns.
“Welcome back. As organizations grow on Azure, a critical challenge emerges: how do you ensure every team follows security standards, cost policies, and compliance requirements without manually reviewing every deployment? The answer is Azure Governance — a set of tools that enforce standards automatically. Azure Policy, Management Groups, RBAC at scale, and compliance frameworks work together to give you control without slowing teams down. This is essential knowledge for AZ-104 and AZ-305, and for anyone running Azure in a real enterprise.”
“Management Groups are containers above the subscription level. Most tutorials show Azure with a single subscription, but enterprises have dozens or hundreds. Management Groups let you organize subscriptions into a hierarchy that mirrors your organizational structure — a Finance department group, an IT group, a Development group. Any policy or RBAC assignment at a Management Group level automatically applies to all subscriptions beneath it. This is how enterprises enforce enterprise-wide standards: assign a 'Require encryption at rest' policy to the root management group and it applies to every subscription automatically.”
“Azure Policy is the enforcement engine. A policy definition describes a condition and an effect. The Deny effect is the strongest — if a deployment violates the policy, Azure blocks it entirely. Useful for security-critical requirements like 'no public IP addresses in production'. The Audit effect allows the deployment but marks it as non-compliant in your compliance dashboard — useful for tracking without breaking deployments. DeployIfNotExists is a powerful automatic remediation tool: if a VM is created without the monitoring agent, the policy automatically deploys it. Over 500 built-in policies cover everything from security baselines to naming conventions to regional restrictions.”
“Policy Initiatives group related policies together under a single assignment. Instead of assigning 30 individual security policies to every subscription, you assign the Azure Security Benchmark initiative and get all 200+ controls in one step. Microsoft provides built-in initiatives for major compliance frameworks: CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, ISO 27001, PCI DSS, HIPAA. When auditors ask for evidence of compliance, you show them your Defender for Cloud compliance dashboard, which maps your initiative compliance to specific framework controls. Custom initiatives let you encode your organization's specific standards as a named, reusable collection.”
“RBAC governance is about controlling who can do what across your Azure environment. The principle of least privilege means every user, service, and application gets exactly the permissions they need — no more. Assign roles to Microsoft Entra ID security groups, not individual users — when someone joins a team, add them to the group and they get all the required access. When they leave, remove them from the group. Privileged Identity Management is the enterprise standard for sensitive roles like Owner or Global Admin — users don't have permanent access. They activate the role when needed, specify a reason, get time-limited access, and all activation is logged. Access Reviews automatically ask managers to certify their team's role assignments are still appropriate.”
“Azure Blueprints package everything needed to deploy a compliant environment — policies, RBAC assignments, ARM templates, and resource groups — into a single versioned artifact. Assign a Blueprint to a subscription and it deploys all components and enforces all policies in one operation. Blueprints are ideal for creating consistent environments for new teams or projects. Azure Landing Zones are Microsoft's reference architecture for enterprise Azure — a pre-designed management group hierarchy, policies for security and governance, hub networking, and monitoring. You can deploy a Landing Zone using the Azure Portal Accelerator (wizard-based) or using the official Terraform/Bicep modules from Microsoft's GitHub.”
“Defender for Cloud's regulatory compliance dashboard translates your Azure resource configurations into evidence of compliance against major standards. For each framework control, it shows which Azure resources comply and which don't, with direct links to fix non-compliant resources. When auditors come asking for SOC 2 or ISO 27001 evidence, you export the compliance report from this dashboard — it shows your compliance score, the specific controls, and the evidence. This transforms annual compliance audits from a months-long scramble into an ongoing, always-current dashboard.”
“Let me show governance in action. I'll create a management group hierarchy and show policy inheritance. Assign the built-in 'Require a tag on resources' policy and watch it flag existing untagged resources. Create a custom policy that denies creation of large expensive VM SKUs — then try to create one and show the denial. View the compliance dashboard. Finally, configure PIM for the Owner role — show how a user activates it, provides justification, and gets time-limited access.”
“Governance is one of the highest-weighted topics in AZ-104 and the foundation of AZ-305 architecture. Key exam points: policies assigned at a higher scope override lower scopes — a Deny policy at the management group level cannot be overridden by a subscription-level Allow. Policy effects in order of strength: Deny → Audit → Append → DeployIfNotExists. PIM requires Microsoft Entra ID P2 licensing — this appears in scenario questions. Management Group policy inheritance is automatic — no configuration needed in child subscriptions. Blueprint assignments are locked — users cannot modify or delete blueprinted resources without unlocking the Blueprint assignment.”
1. Create a Management Group hierarchy
2. Assign a built-in policy: require tags on resource groups
3. Create a custom policy: deny creation of public IP addresses
4. View compliance dashboard — identify non-compliant resources
5. Create a Policy Initiative (set of policies)
6. Assign a Defender for Cloud regulatory compliance standard (e.g., CIS)
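The custom Deny policy and management-group inheritance from the lab steps above, as an added Azure CLI example (not the course's own lab code): it builds a two-level hierarchy, publishes a parameterized "deny large VM SKUs" definition at the top, and assigns it there so every child subscription inherits it. The management group names, the SKU allow list and the subscription id are assumptions; only `--apply` runs the `az` calls.

```shell
#!/bin/sh
# Added example, not from the lesson. Management group names, SKU list and
# subscription id are hypothetical; run with --apply against a logged-in az session.
set -eu

ROOT_MG="corp"        # hypothetical top-level management group
CHILD_MG="corp-dev"   # hypothetical child management group
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription id

# Resource Manager id of a management group: the scope that policy and RBAC assignments target.
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Policy rule: deny (or audit) any VM whose size is not in the caller-supplied allow list.
# Matching on "type" keeps the rule scoped to Microsoft.Compute/virtualMachines.
policy_rule() {
cat <<'JSON'
{ "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
    { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSkus')]" } ] },
  "then": { "effect": "[parameters('effect')]" } }
JSON
}

# Parameters: the allow list plus a switchable effect (Audit to measure first, Deny to enforce).
policy_params() {
cat <<'JSON'
{ "allowedSkus": { "type": "Array", "metadata": { "displayName": "Allowed VM SKUs" } },
  "effect": { "type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit" } }
JSON
}

apply_governance() {
  az account management-group create --name "$ROOT_MG" --display-name "Corp"
  az account management-group create --name "$CHILD_MG" --display-name "Corp Dev" --parent "$ROOT_MG"
  az account management-group subscription add --name "$CHILD_MG" --subscription "$SUB_ID"
  # Definition lives at the root management group so any child scope can assign it.
  az policy definition create --name deny-large-vm-skus --mode Indexed \
    --management-group "$ROOT_MG" --rules "$(policy_rule)" --params "$(policy_params)"
  # Assigned at the root, so corp-dev and its subscription inherit the Deny with no extra config.
  az policy assignment create --name deny-large-vm-skus --scope "$(mg_scope "$ROOT_MG")" \
    --policy "$(mg_scope "$ROOT_MG")/providers/Microsoft.Authorization/policyDefinitions/deny-large-vm-skus" \
    --params '{"allowedSkus":{"value":["Standard_B2s","Standard_D2s_v5"]},"effect":{"value":"Deny"}}'
}

if [ "${1:-}" = "--apply" ]; then apply_governance; fi
```

After the assignment, a VM create in the child subscription with a size outside the list is rejected at deployment time, and the compliance dashboard lists existing out-of-policy VMs as non-compliant.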