L11. Azure Policy & Blueprints
Course outlineLesson 11 of 18
Azure Policy enforces governance rules across subscriptions. The AZ-500 exam tests policy effects (deny, audit, modify, deployIfNotExists), initiative assignments, and the difference between Policy and Blueprints.
What Is Azure Policy?
Azure Policy evaluates resources against rules (policy definitions) and enforces compliance. Policies do not retroactively fix non-compliant resources: they prevent future violations (Deny effect) or report existing ones (Audit effect).
Policy Effects
| Effect | Behavior |
|---|---|
| Deny | Blocks the resource creation/update if non-compliant |
| Audit | Allows the operation but marks the resource as non-compliant |
| Modify | Adds/replaces/removes a property on the resource automatically |
| DeployIfNotExists | Deploys a related resource if it does not exist (for example, deploy Log Analytics agent) |
| AuditIfNotExists | Audits if a related resource is missing |
| Disabled | Policy is defined but not enforced |
Initiatives (Policy Sets)
An Initiative is a collection of policy definitions grouped for a common goal. Example: the "Azure Security Benchmark" initiative contains 200-plus policies that together implement the ASB framework.
Assign an initiative to a management group, subscription, or resource group: all child resources inherit the assignment.
Exemptions and Exclusions
- Exclusion scope: Exclude a specific resource group or resource from a policy assignment entirely
- Exemption: Mark a specific resource as "waived" or "mitigated" with an expiry date
Azure Blueprints
Blueprints bundle role assignments, policy assignments, ARM templates, and resource groups into a single deployable package. They enforce governance at subscription creation time. Exam trap: Blueprints are being deprecated in favour of Deployment Stacks. The exam may still test Blueprints: know they exist and that they combine Policy plus RBAC plus templates.
- ✓Deny blocks future violations; Audit reports them. Neither retroactively fixes existing non-compliance
- ✓DeployIfNotExists and Modify effects require a managed identity on the policy assignment
- ✓Initiative = collection of policies for a common goal: assign once, covers all child resources
- ✓Exemptions are time-bound and auditable. Exclusion scopes are permanent and not tracked as exceptions
- ✓Blueprints combine Policy plus RBAC plus ARM templates; being deprecated but still exam-testable
1. What is the effect of an Azure Policy with the 'Deny' effect?
2. An Azure Policy initiative is best described as:
3. Which policy effect would you use to add a required tag to all new resources without blocking creation if the tag is missing?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.