Chapter 17 — Azure Governance Tools

What is Cloud Governance?

Governance in cloud computing means having policies, processes, and controls to ensure that your Azure environment is:

  • Compliant with regulations and company policies

  • Secure — resources configured correctly

  • Cost-controlled — no surprise spending

  • Consistent — standardized configurations across teams

Without governance, teams deploy resources however they want — creating security gaps, inconsistent configurations, and runaway costs.


1. Azure Policy

What Is It?

Azure Policy is a service that allows you to create, assign, and manage rules (policies) that enforce governance standards on your Azure resources.

Policies are evaluated when a resource is created or updated through Azure Resource Manager, and again on a recurring compliance scan of the resources that already exist. Depending on the effect, a non-compliant resource is flagged, altered, or prevented from being created at all.

How Azure Policy Works

Policy Definition:
  "All VMs must use Premium SSD managed disks"
        │
        ▼
Policy Assignment:
  Apply to: Subscription "Production"
        │
        ▼
Evaluation:
  VM-01: Premium SSD ✓ Compliant
  VM-02: Standard HDD ✗ Non-compliant → flagged or blocked

Policy Effects

When a resource violates a policy, the effect determines what happens:

Effect              Behavior
────────────────────────────────────────────────────────────────────────────
Deny                Block the create or update request at Resource Manager
Audit               Allow the request but record the resource as non-compliant
AuditIfNotExists    Audit if a related resource (e.g. a diagnostic setting) doesn't exist
Append              Add required fields (typically tags) to the request before it is saved
Modify              Add, replace or remove properties/tags so the resource becomes compliant
DeployIfNotExists   Deploy a related resource after creation if it doesn't exist

Two caveats worth knowing: Deny and Append act only on create/update requests that pass through Resource Manager, so existing resources that violate them are reported as non-compliant rather than fixed. Modify and DeployIfNotExists fix existing resources only through a remediation task, and the assignment needs a managed identity with enough rights to make the change.

Built-In Policies

Azure provides hundreds of built-in policy definitions you can assign without writing your own:

Policy Example                What It Enforces
────────────────────────────────────────────────────────────────────────────
Allowed locations             Resources can only be created in specific regions
Allowed VM SKUs               Only certain VM sizes are permitted
Require tags                  Resources must carry specific tags
Enable diagnostic logs        Resources must send logs to a Log Analytics workspace
Require HTTPS only            Storage accounts must require secure transfer (HTTPS)
MFA for subscription owners   Audits accounts holding the Owner role that do not have MFA

Policy Initiatives (Policy Sets)

An initiative is a collection of related policy definitions grouped together to achieve a broader compliance goal.

Example initiative: "Enable Monitoring in Azure Security Center" (Azure Security Center has since been renamed Microsoft Defender for Cloud, and the default initiative it assigns is now the Microsoft cloud security benchmark)

  • Contains 25+ individual policies

  • Assign one initiative instead of 25 separate policies

  • Initiatives take parameters, so the same definition can be assigned to Dev and Prod with different values (e.g. different allowed regions)

Initiative: "CIS Microsoft Azure Foundations Benchmark"
  ├── Policy 1: MFA enabled for admin accounts
  ├── Policy 2: OS disk encryption enabled
  ├── Policy 3: SQL auditing enabled
  ├── ...
  └── Policy N: Security contact email set

Compliance Dashboard

After assigning policies, Azure Policy gives you a compliance dashboard:

Compliance State:
  Overall:     78% compliant
  ├── Prod subscription: 82% compliant
  └── Dev subscription:  68% compliant

Non-compliant resources: 14
  ├── 6 VMs without disk encryption
  ├── 5 storage accounts without HTTPS
  └── 3 SQL servers without auditing
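The effects table and the compliance dashboard above describe two different moments: the effect decides what happens to a create/update request, while the dashboard reports which existing resources currently match a policy's condition. The following Python model, added here as an example and not Azure's own evaluation engine (which runs server-side in Resource Manager), implements a subset of the real policyRule language (if/then, field conditions, allOf/not, equals/in/like/exists) with the Deny, Audit and Append effects and then runs a three-policy initiative over constructed resource payloads. The definitions are modelled on the built-in "Allowed locations" and "Require a tag on resources" policies with their parameter values inlined; the resource names, locations and tags are constructed for the example.

```python
"""Minimal model of the Azure Policy rule language (if/then, field conditions,
allOf/not) and of the Deny, Audit and Append effects, run over constructed
resource payloads. Added example for this chapter, not Azure's own engine,
which runs server-side in Resource Manager; built-ins' parameters are inlined."""
import copy
import fnmatch

ALLOWED_LOCATIONS = {                      # modelled on "Allowed locations"
    "name": "allowed-locations",
    "policyRule": {
        "if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
        "then": {"effect": "deny"}}}
REQUIRE_OWNER_TAG = {                      # modelled on "Require a tag on resources"
    "name": "require-owner-tag",
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "audit"}}}
APPEND_ENV_TAG = {                         # constructed Append example
    "name": "append-env-tag",
    "policyRule": {
        "if": {"allOf": [{"field": "type", "like": "Microsoft.Storage/*"},
                         {"field": "tags['env']", "exists": "false"}]},
        "then": {"effect": "append",
                 "details": [{"field": "tags['env']", "value": "prod"}]}}}
INITIATIVE = [ALLOWED_LOCATIONS, REQUIRE_OWNER_TAG, APPEND_ENV_TAG]   # a policy set

RESOURCES = [                              # constructed payloads, not real resources
    {"name": "vm-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {"owner": "alice"}},
    {"name": "vm-02", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"owner": "bob"}},
    {"name": "st01", "type": "Microsoft.Storage/storageAccounts",
     "location": "northeurope", "tags": {}},
]

def tag_name(field):
    """tags['owner'] -> owner (the only alias form modelled besides top-level fields)."""
    return field[len("tags['"):-len("']")]

def get_field(resource, field):
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(tag_name(field))
    return resource.get(field)

def match(cond, resource):
    """Recursively evaluate an 'if' block; True means the rule fires."""
    if "allOf" in cond:
        return all(match(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not match(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "like" in cond:
        return value is not None and fnmatch.fnmatchcase(value, cond["like"])
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Model one create/update request. Returns (outcome, resource): 'compliant',
    'denied' (request rejected), 'non-compliant' (saved but flagged) or
    'appended' (saved with fields added; the returned copy is what gets stored)."""
    rule = policy["policyRule"]
    if not match(rule["if"], resource):
        return "compliant", resource
    effect = rule["then"]["effect"].lower()
    if effect == "deny":
        return "denied", resource
    if effect == "audit":
        return "non-compliant", resource
    if effect == "append":
        patched = copy.deepcopy(resource)
        for item in rule["then"]["details"]:
            patched.setdefault("tags", {})[tag_name(item["field"])] = item["value"]
        return "appended", patched
    raise ValueError(f"unsupported effect: {effect}")

def compliance_summary(initiative, resources):
    """Model the recurring scan behind the dashboard: an existing resource is
    non-compliant with a policy whenever its 'if' block matches, whatever the
    effect. Deny only blocks new requests, so a resource that pre-dates the
    assignment is reported here rather than removed or fixed."""
    violations = {}
    for res in resources:
        failed = [p["name"] for p in initiative if match(p["policyRule"]["if"], res)]
        if failed:
            violations[res["name"]] = failed
    total, bad = len(resources), len(violations)
    return {"total": total, "non_compliant": bad,
            "percent_compliant": round(100 * (total - bad) / total) if total else 100,
            "violations": violations}

if __name__ == "__main__":
    for res in RESOURCES:
        print(res["name"], [evaluate(p, res)[0] for p in INITIATIVE])
    print(compliance_summary(INITIATIVE, RESOURCES))
```

Running it shows vm-02 denied by the location policy (it would never be created), st01 flagged by the tag audit and patched with env=prod by the Append policy, and a dashboard-style summary of 33% compliant with the violating policy names per resource. Note that the summary lists st01 under the Append policy as well: an Append policy only patches requests it sees, so a storage account that existed before the assignment is reported, not fixed.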

2. Azure Blueprints

What Is It?

Azure Blueprints allows you to define a repeatable set of Azure resources and policies that can be deployed consistently across multiple subscriptions.

Think of a blueprint as a template for a subscription's governance setup — like a construction blueprint that defines exactly how to build a compliant environment.

What a Blueprint Can Include

Azure Blueprint: "ISO 27001 Compliant Environment"
  ├── Role Assignments (RBAC roles for security team)
  ├── Policy Assignments (encryption, logging, tagging policies)
  ├── Resource Groups (standard naming convention)
  └── ARM Templates (deploy required resources like Key Vault, Log Analytics)

Blueprint vs. ARM Template vs. Azure Policy

Capability                        ARM Template   Azure Policy                 Azure Blueprint
──────────────────────────────────────────────────────────────────────────────────────────────
Deploys resources                 Yes            Only via DeployIfNotExists   Yes (template artifacts)
Enforces compliance               No             Yes                          Yes (policy artifacts)
Tracks deployed environment       No             No                           Yes (the assignment keeps the link)
Can be locked                     No             No                           Yes (assignment lock modes)
Repeatable across subscriptions   Manual         Yes                          Yes

The key difference from an ARM template is the last three rows: once a template has been deployed there is no remaining relationship between the template and the resources, whereas a blueprint assignment keeps that relationship, can lock the deployed resources, and can be versioned and reassigned.

Blueprint Lifecycle

1. Create Blueprint (define components)
2. Publish Blueprint (version it)
3. Assign Blueprint (apply to subscription)
4. Track compliance (see if environment drifts from blueprint)

Note: Azure Blueprints never left preview, and Microsoft has announced its deprecation (retirement date July 11, 2026) in favor of Template Specs and Deployment Stacks. However, it remains on the AZ-900 exam for now.


3. Role-Based Access Control (RBAC)

What Is It?

Azure RBAC controls who can do what with Azure resources. It ensures that people only have the permissions they need — following the principle of least privilege.

(RBAC was introduced in Chapter 13 in the context of Entra ID — here we cover it from the Azure resource governance perspective.)

Role Assignment Components

A role assignment binds three things: a security principal (a user, group, service principal or managed identity), a role definition, and a scope:

WHO             WHAT ROLE                     WHERE (Scope)
─────────────────────────────────────────────────────────────────
Alice           Contributor                   Subscription "Production"
Bob             Reader                        Resource Group "WebApp-RG"
DevOps Team     Virtual Machine Contributor   Resource "my-vm"

Built-In Roles (Review)

Role                         Can Manage Resources   Can Manage Access
───────────────────────────────────────────────────────────────────
Owner                        Yes                    Yes
Contributor                  Yes                    No
Reader                       View only              No
User Access Administrator    View only              Yes

Custom Roles

When built-in roles don't fit your needs, you can create custom roles with exactly the permissions required:

{
  "Name": "VM Operator",
  "IsCustom": true,
  "Description": "Can read, start and restart VMs, but not create or delete them",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}

This lets a VM Operator read, start and restart VMs, but not create, delete, deallocate or resize them: Actions is an allow-list, so anything not listed is refused, and the role can only be assigned within the subscriptions listed in AssignableScopes. In practice you would also grant Microsoft.Resources/subscriptions/resourceGroups/read so the operator can browse to the resource groups the VMs live in.

RBAC Scope Hierarchy

Management Group  ─→  broadest scope
  └── Subscription
        └── Resource Group
              └── Resource  ─→  narrowest scope

Assignments at a higher level INHERIT down: a Contributor on the subscription is a Contributor on every resource group and resource inside it.
Assignments are ADDITIVE, and you cannot narrow an inherited grant by assigning a lesser role lower down: giving that same person Reader on one resource group changes nothing, because any applicable assignment that permits the action wins. If someone needs less, assign the broad role at the narrower scope in the first place. Only deny assignments (which Blueprints and Azure managed applications can create) subtract permissions.
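The additive rule above, together with the VM Operator custom role earlier in this section, as an added example that is not Azure's authorization code: a Python model of role definitions (wildcard Actions minus NotActions), assignments at a scope, inheritance down the scope hierarchy, and additive evaluation. The subscription id, principals, resource names and assignments are constructed; the role definitions are trimmed subsets of the real built-ins plus the VM Operator role above. Deny assignments and data-plane actions are deliberately not modelled.

```python
"""Model of Azure RBAC authorization: role definitions with wildcard
Actions/NotActions, assignments at a scope, inheritance down the scope
hierarchy, and additivity (a narrower Reader assignment never removes a
broader Contributor grant). Added example for this chapter, not Azure's
authorization service; deny assignments and data actions are not modelled.
Role definitions are trimmed from the real built-ins; the subscription id,
principals, resource names and assignments are constructed."""
import fnmatch

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*"],
                                  "NotActions": []},
    # the chapter's custom role
    "VM Operator": {"Actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action",
                                "Microsoft.Compute/virtualMachines/restart/action"],
                    "NotActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed id
RG = SUB + "/resourceGroups/WebApp-RG"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/my-vm"
OTHER_VM = RG + "/providers/Microsoft.Compute/virtualMachines/other-vm"

ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Contributor", SUB),
    ("alice", "Reader", RG),          # an attempt to "narrow" alice inside WebApp-RG
    ("bob", "Reader", RG),
    ("carol", "User Access Administrator", SUB),
    ("devops", "VM Operator", VM),
]

def _matches(action, patterns):
    action = action.lower()           # action names are case-insensitive
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)

def role_permits(role, action):
    """Actions is an allow-list; NotActions subtracts from it (it is not a deny)."""
    r = ROLES[role]
    return _matches(action, r["Actions"]) and not _matches(action, r["NotActions"])

def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and to everything beneath it."""
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def effective_roles(principal, resource_scope):
    """Every role assigned to the principal at this scope or an ancestor of it."""
    return [role for p, role, scope in ASSIGNMENTS
            if p == principal and scope_covers(scope, resource_scope)]

def is_authorized(principal, action, resource_scope):
    """Additive evaluation: allowed if ANY applicable role permits the action.
    A second, narrower role can only add permissions, never take them away."""
    return any(role_permits(role, action)
               for role in effective_roles(principal, resource_scope))

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG),
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM),
        ("carol", "Microsoft.Authorization/roleAssignments/write", RG),
        ("carol", "Microsoft.Compute/virtualMachines/delete", VM),
        ("devops", "Microsoft.Compute/virtualMachines/restart/action", VM),
        ("devops", "Microsoft.Compute/virtualMachines/restart/action", OTHER_VM),
    ]
    for who, action, scope in checks:
        print(f"{who:7} {action:50} {is_authorized(who, action, scope)}")
```

The interesting rows are alice's: her Reader assignment on WebApp-RG does not stop her deleting my-vm, because the inherited Contributor still applies, yet she still cannot write role assignments anywhere, because Contributor's NotActions carve Microsoft.Authorization writes out of its own allow-list. carol shows the mirror image (User Access Administrator can hand out roles but not touch VMs), and devops shows how a resource-scoped assignment does not reach a sibling VM in the same resource group.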

4. Azure Resource Locks

(Locks are covered in detail in Chapter 18 — introduced here as a governance concept.)

Resource Locks prevent accidental deletion or modification of critical resources — an important governance tool alongside policies and RBAC.


Governance Tools Summary

Tool               What It Does
───────────────────────────────────────────────────────────────
Azure Policy       Enforce rules: flag non-compliant resources or block them
Azure Blueprints   Repeatable compliant environment templates
Azure RBAC         Control who can access and manage resources
Resource Locks     Prevent accidental deletion or changes


Governance Together

Good governance uses all tools in combination:

1. RBAC       → Control who can deploy and manage
2. Policy     → Enforce what configurations are allowed
3. Blueprints → Package everything for consistent deployment
4. Locks      → Protect critical resources from accidents
5. Tags       → Organize and track for cost and auditing
6. Budget     → Alert on spending limits

Quick Recap

Azure Policy    → Enforce rules across resources (Deny, Audit, Append)
Initiatives     → Groups of related policies (e.g., CIS benchmark)
Azure Blueprints → Deploy governed environments consistently
RBAC            → Least-privilege access (Owner > Contributor > Reader)
Custom Roles    → Fine-grained permissions you define
Scope           → Management Group > Subscription > RG > Resource


Next Chapter → Chapter 18: Resource Locks, Tags & Azure Arc