
AZ-900 Exam Cram: Azure Governance and Compliance

Describe features and tools in Azure for governance and compliance

Azure Governance and Compliance Cram Sheet

This guide covers the essential tools and features required to maintain control, security, and regulatory compliance within the Microsoft Azure ecosystem.

Topic Weighting

Important: This topic falls under Unit 3: Describe Azure Management and Governance, which typically accounts for 30-35% of the AZ-900 exam. Governance and Compliance specific tools represent approximately 10-12% of the total exam content.

Feature                 Exam Importance   Focus Area
Azure Policy            High              Enforcement & Compliance
Resource Locks          High              Accidental Deletion Prevention
Service Trust Portal    Medium            Audit Reports & Documentation
Microsoft Purview       Medium            Data Discovery & Lineage
Tags                    Medium            Cost & Resource Management

Key Concepts Summary

1. Azure Policy

Azure Policy is a service used to create, assign, and manage policies. These policies enforce different rules over your resources, so those resources stay compliant with your corporate standards and service level agreements.

  • Policy Definition: Describes the condition under which the policy applies and the effect that results (e.g., "Only allow G-series VMs").
  • Policy Assignment: The scope at which the policy takes effect (Management Group, Subscription, or Resource Group).
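To make the definition/assignment split concrete, here is an added example (not from this cram sheet or from Microsoft's own tooling): a constructed "Allowed locations" definition written in the shape of a real Azure Policy rule, plus a miniature evaluator that handles only a subset of the real condition language (field, equals, in, not, allOf). The assignment supplies the parameter value, which is how the same definition can restrict different scopes to different regions.

```python
import json

# Constructed policy definition in the shape of an Azure Policy rule:
# the "if" block is the condition, the "then" block is the effect.
ALLOWED_LOCATIONS_POLICY = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations",
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {"not": {"field": "location",
                     "in": "[parameters('listOfAllowedLocations')]"}},
      "then": {"effect": "deny"}
    }
  }
}
""")

def _resolve(value, params):
    """Expand the "[parameters('name')]" template syntax used in policy rules."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def condition_matches(cond, resource, params):
    """Recursively evaluate a policy condition (subset of the real language)."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the effect to apply ('deny', 'audit', ...) or None if compliant."""
    rule = policy["properties"]["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None

if __name__ == "__main__":
    # Constructed assignment parameters: only East US is permitted at this scope.
    assignment = {"listOfAllowedLocations": ["eastus"]}
    for vm in ({"name": "vm-ok", "location": "eastus"},
               {"name": "vm-bad", "location": "westeurope"}):
        print(vm["name"], evaluate(ALLOWED_LOCATIONS_POLICY, vm, assignment))
```

The West Europe VM is reported with the "deny" effect, which is the blocked-creation behaviour the comparison table below describes; switching the effect to "audit" would flag the same resource as non-compliant without blocking it.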

2. Resource Locks

Locks help you prevent accidental deletion or modification of your Azure resources.

  • CanNotDelete: Authorized users can still read and modify a resource, but they can't delete it.
  • ReadOnly: Authorized users can read a resource, but they can't delete or update it.

3. Microsoft Purview

A family of data governance, risk, and compliance solutions. It gives you a single-pane-of-glass view of your data across on-premises, multi-cloud, and SaaS environments.

4. Service Trust Portal (STP)

A public website that provides access to details on how Microsoft implements and monitors security, privacy, and compliance. It is where you find ISO/SOC audit reports.

Visual Governance Hierarchy

[Diagram of the governance hierarchy not included in this version of the sheet]

Common Pitfalls

  • Policy vs. RBAC:
    • Pitfall: Thinking RBAC prevents resource creation based on properties.
    • Reality: RBAC controls Who (identity) has access. Azure Policy controls What (properties/rules) can be created.
  • Lock Inheritance:
    • Pitfall: Applying a lock at the resource group and expecting it not to affect resources inside.
    • Reality: Locks are inherited by all child resources. If you lock a Resource Group, you lock every resource inside it, including every VM.
  • Service Trust Portal vs. Azure Portal:
    • Pitfall: Looking for Microsoft's compliance audit documents inside the Azure Management portal.
    • Reality: These are hosted on the separate Service Trust Portal (STP).

Mnemonics / Memory Triggers

  • P.L.T. (Policy, Locks, Tags): The "Three Pillars" of basic governance.
  • The Lock "RO-CD" (Road):
    • RO = Read Only (Can't touch anything).
    • CD = Can't Delete (Can edit, but can't trash).
  • Purview = Preview: Microsoft Purview gives you a "preview" (visibility) of all your data lineage across different clouds.

Formula / Equation Sheet

Governance Tool Comparison

Tool              Goal               Action
Azure Policy      Compliance         Evaluates resources for non-compliance and blocks creation if rules are broken.
Resource Locks    Protection         Prevents users from deleting critical infrastructure.
Azure Blueprints  Standardization    Orchestrates deployment of Role Assignments, Policy Assignments, and ARM Templates.
Azure Arc         Hybrid Governance  Extends Azure governance (Policy/RBAC) to on-prem or AWS/GCP servers.

Practice Set

1. Which Azure service should you use to find the SOC audit reports for Microsoft's datacenters?

  • Answer: Service Trust Portal (STP).

2. A company wants to ensure that all virtual machines are created only in the 'East US' region. Which tool should they use?

  • Answer: Azure Policy.

3. You have a critical SQL database that must never be deleted. You have applied a 'CanNotDelete' lock to the Resource Group. What happens if a user tries to delete the database?

  • Answer: The deletion will fail because the lock is inherited from the Resource Group.

4. True or False: Azure Policy can be used to automatically remediate non-compliant resources.

  • Answer: True (using the 'deployIfNotExists' or 'modify' effect).

5. Which service provides a way to manage governance for your servers running on-premises or in other clouds using the Azure Portal?

  • Answer: Azure Arc.
