Cyber Intelligence
Compute, Storage & Data · 25% of exam

L11. Azure Policy & Blueprints

Course outlineLesson 11 of 18

Azure Policy enforces governance rules across subscriptions. The AZ-500 exam tests policy effects (deny, audit, modify, deployIfNotExists), initiative assignments, and the difference between Policy and Blueprints.

What Is Azure Policy?

Azure Policy evaluates resources against rules (policy definitions) and enforces compliance. Policies do not retroactively fix non-compliant resources: they prevent future violations (Deny effect) or report existing ones (Audit effect).

Policy Effects

EffectBehavior
DenyBlocks the resource creation/update if non-compliant
AuditAllows the operation but marks the resource as non-compliant
ModifyAdds/replaces/removes a property on the resource automatically
DeployIfNotExistsDeploys a related resource if it does not exist (for example, deploy Log Analytics agent)
AuditIfNotExistsAudits if a related resource is missing
DisabledPolicy is defined but not enforced
Exam tip: DeployIfNotExists and Modify effects require a managed identity assigned to the policy assignment: the policy needs permission to make changes.

Initiatives (Policy Sets)

An Initiative is a collection of policy definitions grouped for a common goal. Example: the "Azure Security Benchmark" initiative contains 200-plus policies that together implement the ASB framework.

Assign an initiative to a management group, subscription, or resource group: all child resources inherit the assignment.

Exemptions and Exclusions

  • Exclusion scope: Exclude a specific resource group or resource from a policy assignment entirely
  • Exemption: Mark a specific resource as "waived" or "mitigated" with an expiry date
Exam tip: Exemptions are auditable and time-bound. Exclusion scopes are permanent and not audited as exceptions.

Azure Blueprints

Blueprints bundle role assignments, policy assignments, ARM templates, and resource groups into a single deployable package. They enforce governance at subscription creation time. Exam trap: Blueprints are being deprecated in favour of Deployment Stacks. The exam may still test Blueprints: know they exist and that they combine Policy plus RBAC plus templates.

Exam Focus Points
  • Deny blocks future violations; Audit reports them. Neither retroactively fixes existing non-compliance
  • DeployIfNotExists and Modify effects require a managed identity on the policy assignment
  • Initiative = collection of policies for a common goal: assign once, covers all child resources
  • Exemptions are time-bound and auditable. Exclusion scopes are permanent and not tracked as exceptions
  • Blueprints combine Policy plus RBAC plus ARM templates; being deprecated but still exam-testable
Knowledge Check

1. What is the effect of an Azure Policy with the 'Deny' effect?

2. An Azure Policy initiative is best described as:

3. Which policy effect would you use to add a required tag to all new resources without blocking creation if the tag is missing?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available