L13. Azure Governance: Policy, Blueprints, and Compliance Manager
Azure governance tools enforce organizational standards across subscriptions. The AZ-900 exam tests Azure Policy, Azure Blueprints, Microsoft Purview, and the Microsoft Service Trust Portal.
Azure Policy
Azure Policy evaluates resources against business rules (policy definitions) and enforces compliance at scale. How it works:
- Define a policy (e.g., "VMs must use approved SKUs only")
- Assign the policy to a scope (management group, subscription, or resource group); the assignment is inherited by every child scope unless that scope is explicitly excluded
- Azure Resource Manager evaluates new and updated resources at request time and periodically re-scans existing resources
- Non-compliant resources are flagged in the compliance report; only some effects can remediate them
- Related definitions can be grouped into an initiative (policy set) so they are assigned and reported on together
The effect in a definition's "then" block decides what happens when a resource matches the rule:
- Deny: rejects the create or update request for a non-compliant resource; resources that already exist are flagged, not removed
- Audit: records non-compliance in the compliance report but does not block
- DeployIfNotExists: deploys a companion resource if it doesn't exist (e.g., deploy the Defender agent to all new VMs); the assignment needs a managed identity with rights to deploy it, and existing resources are only fixed when you run a remediation task
- Append: adds fields to the resource during create or update (e.g., a required tag)
Because evaluation happens inside Azure Resource Manager, a Deny applies even to subscription Owners and cannot be bypassed with RBAC. It governs control-plane requests only; it does not see what happens inside a VM's operating system.
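The rule evaluation described above, as an added example that is not part of the original lesson and not Azure's own engine: a simplified Python evaluator for the if/then structure of a policy definition. It resolves [parameters('...')] references from the assignment, walks allOf/anyOf/not condition trees, and reports the effect that would fire. The two definitions are modeled on the structure of the built-in "Allowed locations" policy and a tag-audit policy; the resources and assignment parameters are constructed samples, and the tags['name'] field lookup is a simplification of Azure's alias syntax.

```python
"""Simplified Azure Policy rule evaluator (added example, not Azure's engine).

Resolves [parameters('...')] references, evaluates the policyRule if/then tree
(allOf, anyOf, not, field conditions) and returns the effect that would apply.
Policies, resources and parameters below are constructed samples.
"""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def field_value(resource, name):
    """Look up a field on a flat resource dict; tags['x'] reads a single tag."""
    m = TAG_RE.match(name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(name)


def norm(v):
    """Azure Policy string comparisons are case-insensitive."""
    return v.lower() if isinstance(v, str) else v


def evaluate_condition(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    for op in ("equals", "notEquals", "in", "notIn", "exists"):
        if op in cond:
            expected = resolve(cond[op], params)
            break
    else:
        raise ValueError(f"unsupported condition: {cond}")
    if op == "equals":
        return norm(actual) == norm(expected)
    if op == "notEquals":
        return norm(actual) != norm(expected)
    if op == "in":
        return norm(actual) in [norm(v) for v in expected]
    if op == "notIn":
        return norm(actual) not in [norm(v) for v in expected]
    # exists: definitions use the strings "true"/"false"
    return (actual is not None) == (str(expected).lower() == "true")


def evaluate(policy, resource, params):
    """Return the effect ('deny', 'audit', ...) if the rule matches, else None."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return None


# Modeled on the built-in "Allowed locations" definition: deny anything outside
# the allowed list, except resources whose location is "global".
ALLOWED_LOCATIONS = {"policyRule": {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}}

# Audit resources that carry no "owner" tag; the effect is parameterized.
REQUIRE_OWNER_TAG = {"policyRule": {
    "if": {"field": "tags['owner']", "exists": "false"},
    "then": {"effect": "[parameters('effect')]"},
}}

# Constructed assignment parameters and resources in the assigned scope.
ASSIGNMENT_PARAMS = {"listOfAllowedLocations": ["westeurope", "northeurope"],
                     "effect": "Audit"}
RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {"owner": "platform-team"}},
    {"name": "vm-shadow", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {}},
    {"name": "traffic-mgr", "type": "Microsoft.Network/trafficManagerProfiles",
     "location": "global", "tags": {}},
]


def compliance_report(resources=RESOURCES, params=ASSIGNMENT_PARAMS):
    """Map each resource name to the effects that fire on it ([] = compliant)."""
    report = {}
    for r in resources:
        effects = [e for p in (ALLOWED_LOCATIONS, REQUIRE_OWNER_TAG)
                   if (e := evaluate(p, r, params))]
        report[r["name"]] = effects
    return report


if __name__ == "__main__":
    for name, effects in compliance_report().items():
        print(f"{name}: {'compliant' if not effects else ', '.join(effects)}")
```

Running it shows vm-shadow hit by both Deny (location eastus) and Audit (no owner tag), the global Traffic Manager profile passing the location check but failing the tag audit, and vm-web-01 compliant. In Azure the equivalent steps are az policy definition create for a custom rule, az policy assignment create with --policy, --scope and --params to attach it with the parameter values, and az policy state list to read the resulting compliance records.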
Azure Blueprints
A Blueprint is a package of policy assignments, role assignments, resource groups, and ARM templates that can be deployed as a unit to new environments. Use Blueprints when: you need to provision a new subscription that already meets governance requirements out of the box (e.g., a new team environment that has required policies, RBAC, and networking pre-configured). Difference from ARM templates: Blueprints maintain a relationship between the blueprint definition and its assigned subscriptions, enabling audit and updates over time, and the assignment can lock deployed resources against modification or deletion. Note that Microsoft has announced Azure Blueprints will be retired on July 11, 2026; for new work Microsoft points to Template Specs and Deployment Stacks for the deployment part, with Azure Policy remaining the enforcement layer.
Microsoft Purview
Microsoft Purview is a unified data governance and compliance solution that discovers, classifies, and governs data across Azure, on-premises, and multi-cloud. Key capabilities:
- Data Map: catalog and classify data assets
- Data Estate Insights: understand where sensitive data lives
- Compliance Manager: measures compliance posture with a compliance score and recommended improvement actions against regulatory templates
Microsoft Service Trust Portal
The Service Trust Portal (servicetrust.microsoft.com) contains Microsoft's compliance documentation: audit reports, compliance guides, and certifications (ISO 27001, SOC 2, FedRAMP). Use when: you need evidence of Microsoft's compliance with specific regulatory frameworks. Some audit reports require signing in with a Microsoft cloud service account and accepting a non-disclosure agreement before download.
| Tool | Purpose |
|---|---|
| Azure Policy | Enforce and audit resource compliance |
| Azure Blueprints | Package governance artifacts for repeatable environments |
| Microsoft Purview | Data governance and sensitivity classification |
| Service Trust Portal | Microsoft compliance documentation and audit reports |
- ✓ Azure Policy enforces rules at scale: Deny blocks creation, Audit logs, DeployIfNotExists auto-deploys companions
- ✓ Policy initiatives (policy sets) group related policies for evaluation together
- ✓ Azure Blueprints package policies, RBAC, resource groups, and templates for repeatable environment provisioning
- ✓ Microsoft Purview provides data classification, cataloging, and sensitivity discovery across hybrid and multi-cloud
- ✓ Service Trust Portal contains Microsoft audit reports and compliance documentation (ISO, SOC 2, FedRAMP)
1. A security team wants to prevent anyone from creating Azure resources outside of approved regions. Which Azure governance tool should they use?
2. A compliance officer needs to find Microsoft's ISO 27001 audit certification for Azure. Where should they look?