Azure Management and Governance · 30-35% of exam

L13. Azure Governance: Policy, Blueprints, and Compliance Manager


Azure governance tools enforce organizational standards across subscriptions. The AZ-900 exam tests Azure Policy, Azure Blueprints, Microsoft Purview, and the Microsoft Service Trust Portal.

Azure Policy

Azure Policy evaluates resources against business rules (called policy definitions) and enforces compliance at scale. How it works:

  1. Define a policy (e.g., "VMs must use approved SKUs only")
  2. Assign the policy to a scope (management group, subscription, or resource group)
  3. Azure evaluates all existing and new resources against the policy
  4. Non-compliant resources are flagged; some policies auto-remediate

Effect types (exam relevant):
  • Deny: blocks the creation of non-compliant resources
  • Audit: logs non-compliance but does not block
  • DeployIfNotExists: deploys a companion resource if it doesn't exist (e.g., deploy Defender agent to all new VMs)
  • Append: adds additional settings to a resource

Policy initiatives (also called policy sets) are groups of related policies evaluated together. The "Azure Security Benchmark" is a built-in initiative.
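The four steps above, the Deny versus Audit effects, and initiative grouping can be seen end to end in the following added example. It is an illustration written for this lesson, not Microsoft's policy engine or any Azure SDK code: the if/then rule shape, the "[parameters('...')]" reference syntax and the effect names follow the Azure Policy definition format, while parameter handling, scope matching by resource-id prefix, the flattened resource dictionaries and all resource ids, regions and SKUs are simplifications and constructed sample data chosen here.

```python
"""Toy Azure Policy evaluator: define -> assign to scope -> evaluate -> flag.

Added illustration, not Microsoft's engine. Only the rule syntax mirrors
Azure Policy; parameters, scope matching and resources are simplified.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyDefinition:
    name: str
    rule: dict                  # {"if": <condition>, "then": {"effect": "..."}}


@dataclass
class Assignment:
    policy: PolicyDefinition
    scope: str                  # management group / subscription / resource group id
    parameters: dict = field(default_factory=dict)


def _resolve(value, params):
    """Expand an Azure-style "[parameters('x')]" reference, else return as-is."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _matches(cond, resource, params):
    """True when the 'if' condition matches, i.e. the resource is NON-compliant."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, assignments):
    """Steps 3 and 4: [(policy name, effect)] for every in-scope assignment whose
    rule flags the resource. An empty list means the resource is compliant."""
    findings = []
    for a in assignments:
        if not resource["id"].startswith(a.scope + "/"):   # outside the scope: skipped
            continue
        if _matches(a.policy.rule["if"], resource, a.parameters):
            findings.append((a.policy.name, a.policy.rule["then"]["effect"]))
    return findings


def is_denied(findings):
    """Deny blocks the create/update; Audit only records the non-compliance."""
    return any(effect.lower() == "deny" for _, effect in findings)


# Step 1: definitions modelled on the built-in "Allowed locations" (Deny) and
# "Allowed virtual machine size SKUs" (Audit) policies, simplified here.
ALLOWED_LOCATIONS = PolicyDefinition("Allowed locations", {
    "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
    "then": {"effect": "Deny"},
})
ALLOWED_VM_SKUS = PolicyDefinition("Allowed VM SKUs", {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name",
         "notIn": "[parameters('listOfAllowedSKUs')]"},
    ]},
    "then": {"effect": "Audit"},
})

# An initiative (policy set) is the two definitions assigned together.
GOVERNANCE_INITIATIVE = [ALLOWED_LOCATIONS, ALLOWED_VM_SKUS]

# Step 2: assign the initiative to one subscription with parameter values.
ASSIGNMENTS = [Assignment(p, "/subscriptions/sub-1", {
    "allowedLocations": ["westeurope", "northeurope"],
    "listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"],
}) for p in GOVERNANCE_INITIATIVE]

# Constructed sample resources (flattened property dicts, not real ARM JSON).
VM = "Microsoft.Compute/virtualMachines"
SKU = "Microsoft.Compute/virtualMachines/sku.name"
RG = "/subscriptions/sub-1/resourceGroups/rg-app/providers/"
SAMPLE_RESOURCES = [
    {"id": RG + VM + "/vm1", "type": VM, "location": "westeurope", SKU: "Standard_D2s_v3"},  # compliant
    {"id": RG + VM + "/vm2", "type": VM, "location": "eastus", SKU: "Standard_D2s_v3"},      # wrong region
    {"id": RG + VM + "/vm3", "type": VM, "location": "westeurope", SKU: "Standard_M128s"},   # wrong SKU
    {"id": "/subscriptions/sub-2/resourceGroups/rg-x/providers/Microsoft.Storage/storageAccounts/st1",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},                     # out of scope
]


def compliance_report(resources=SAMPLE_RESOURCES, assignments=ASSIGNMENTS):
    """Map resource id -> findings, the view the Policy compliance blade gives."""
    return {r["id"]: evaluate(r, assignments) for r in resources}


if __name__ == "__main__":
    for rid, findings in compliance_report().items():
        state = "BLOCKED" if is_denied(findings) else ("flagged" if findings else "compliant")
        print(f"{state:9} {rid.rsplit('/', 1)[-1]:4} {findings}")
```

Running it shows vm1 compliant, vm2 blocked by the Deny effect of the location policy, vm3 only flagged by the Audit effect of the SKU policy, and the storage account in sub-2 untouched because the assignment scope does not contain it. Note that a Deny assignment stops new non-compliant resources but does not change resources that already exist; those show up as non-compliant in the report and need remediation (or a DeployIfNotExists/Modify-style policy) to fix.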

Azure Blueprints

A Blueprint is a package of policy assignments, role assignments, resource groups, and ARM templates that is deployed as a single unit to new environments. Use Blueprints when you need to provision a new subscription that meets governance requirements out of the box (e.g., a new team environment with the required policies, RBAC, and networking pre-configured). Difference from ARM templates: a template deployment is a one-off, whereas a Blueprint keeps a live relationship between the blueprint definition and the subscriptions it is assigned to, so assignments can be audited and updated over time. Note that Microsoft has announced the deprecation of Azure Blueprints in favour of Template Specs and Deployment Stacks.

Microsoft Purview

Microsoft Purview is a unified data governance and compliance solution that discovers, classifies, and governs data across Azure, on-premises, and multi-cloud. Key capabilities:

  • Data Map: catalog and classify data assets
  • Data Estate Insights: understand where sensitive data lives
  • Compliance Manager: assess and improve compliance posture

Microsoft Service Trust Portal

The Service Trust Portal (servicetrust.microsoft.com) contains Microsoft's compliance documentation: audit reports, compliance guides, and certifications (ISO 27001, SOC 2, FedRAMP). Use when: you need evidence of Microsoft's compliance with specific regulatory frameworks.

Tool                  Purpose
--------------------  ---------------------------------------------------------
Azure Policy          Enforce and audit resource compliance
Azure Blueprints      Package governance artifacts for repeatable environments
Microsoft Purview     Data governance and sensitivity classification
Service Trust Portal  Microsoft compliance documentation and audit reports

Exam tip: Azure Policy can deny resource creation. Blueprints package multiple governance elements. Purview governs data classification and discovery.

Exam Focus Points

  • Azure Policy enforces rules at scale: Deny blocks creation, Audit logs, DeployIfNotExists auto-deploys companions
  • Policy initiatives (policy sets) group related policies for evaluation together
  • Azure Blueprints package policies, RBAC, resource groups, and templates for repeatable environment provisioning
  • Microsoft Purview provides data classification, cataloging, and sensitivity discovery across hybrid and multi-cloud
  • Service Trust Portal contains Microsoft audit reports and compliance documentation (ISO, SOC 2, FedRAMP)

Knowledge Check

1. A security team wants to prevent anyone from creating Azure resources outside of approved regions. Which Azure governance tool should they use?

2. A compliance officer needs to find Microsoft's ISO 27001 audit certification for Azure. Where should they look?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds guided video paths, hands-on Azure labs, and timed practice exams to help you pass AZ-900 with confidence.
