Lab: Implementing Azure Governance and Compliance
Describe features and tools in Azure for governance and compliance
This hands-on lab guides you through the practical application of Azure's primary governance tools: Azure Policy, Resource Locks, and Resource Tags. These tools ensure that resources remain compliant with organizational standards and are protected from accidental changes.
> [!WARNING]
> Remember to run the teardown commands at the end of this lab to avoid ongoing charges and to clean up your environment.
Prerequisites
- An active Azure Subscription (Free Trial is sufficient).
- Azure CLI installed locally or access to Azure Cloud Shell.
- Permissions to create Resource Groups and assign Policies (Owner or Contributor role).
Learning Objectives
- Enforce Compliance: Create and assign an Azure Policy to restrict resource locations.
- Prevent Accidental Deletion: Apply a CanNotDelete Resource Lock to a critical resource.
- Organize Resources: Implement a tagging strategy for cost tracking and management.
- Verify Governance: Use the Azure CLI and Portal to validate that restrictions are active.
Architecture Overview
The following diagram illustrates the hierarchy where governance tools are applied in this lab:
Step-by-Step Instructions
Step 1: Create a Resource Group
Before applying governance, we need a container for our resources.
```bash
az group create --name "brainybee-gov-lab" --location "eastus"
```
Console alternative
- Search for Resource groups in the Azure Portal.
- Click + Create.
- Select your subscription.
- Name it brainybee-gov-lab and select East US.
- Click Review + create and then Create.
Step 2: Apply a Resource Lock
Resource locks prevent accidental deletion or modification of critical resources. We will apply a CanNotDelete lock to our new group.
```bash
az lock create --name "LockGroup" --resource-group "brainybee-gov-lab" --lock-type "CanNotDelete" --notes "Prevent accidental deletion of the governance lab."
```
> [!TIP]
> Even an Owner of the subscription cannot delete a resource until this lock is manually removed first.

Console alternative
- Open your resource group brainybee-gov-lab.
- On the left menu, scroll to Settings and select Locks.
- Click + Add.
- Name: LockGroup, Lock type: Delete.
- Click OK.
Step 3: Assign an Azure Policy
Azure Policy enforces rules. We will assign a policy that only allows resources to be created in specific regions (e.g., East US and West US).
```bash
# Assign the built-in 'Allowed locations' policy definition to the resource group.
# The parameter value must be valid JSON, so the object uses double quotes inside single quotes.
az policy assignment create --name "Restrict-Locations" \
  --policy "e56962a6-4747-49cd-b67b-bf8b01975a4c" \
  --params '{"listOfAllowedLocations": {"value": ["eastus", "westus"]}}' \
  --resource-group "brainybee-gov-lab"
```
Console alternative
- Search for Policy in the Azure Portal.
- Select Assignments > Assign policy.
- Scope: Select brainybee-gov-lab.
- Policy definition: Search for Allowed locations.
- Under Parameters, uncheck "Only show parameters that need input" and select East US and West US.
- Click Review + create > Create.
Step 4: Apply Resource Tags
Tags are key-value pairs used for metadata. We'll tag the resource group for cost center tracking.
```bash
az group update --name "brainybee-gov-lab" --set tags.Dept=Finance tags.Project=Governance
```
Checkpoints
| Check | Action | Expected Result |
|---|---|---|
| Verify Lock | Attempt to delete the group: az group delete --name "brainybee-gov-lab" | Error: The scope is locked and cannot be deleted. |
| Verify Policy | Attempt to create a storage account in ukwest: az storage account create -n brainybeetest -g brainybee-gov-lab -l ukwest --sku Standard_LRS | Error: Request disallowed by policy. |
| Verify Tags | View tags: az group show --name "brainybee-gov-lab" --query tags | Output shows Dept: Finance and Project: Governance. |
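The three checkpoints above depend on how Azure evaluates a lock and the Allowed locations rule, so here is a small offline model of that evaluation, added for this lab and not part of the original page or of Azure's own engine. It assumes the built-in rule denies any location outside the list except `global` resources and Azure AD B2C directories, and uses a constructed stand-in for the lab's resource group rather than live Azure state.

```python
from dataclasses import dataclass, field

# Parameters of the 'Allowed locations' assignment made in Step 3.
ALLOWED_LOCATIONS = {"eastus", "westus"}

@dataclass
class ResourceGroup:
    name: str
    tags: dict = field(default_factory=dict)
    # lock name -> lock type ("CanNotDelete" or "ReadOnly"), as created in Step 2
    locks: dict = field(default_factory=dict)

def policy_allowed_locations(location, resource_type, allowed=ALLOWED_LOCATIONS):
    """Model of the built-in rule: deny when the location is outside the list,
    except for 'global' resources and Azure AD B2C directories (assumed here)."""
    loc = location.lower()
    if (loc not in allowed and loc != "global"
            and resource_type != "Microsoft.AzureActiveDirectory/b2cDirectories"):
        return "RequestDisallowedByPolicy"
    return "Allowed"

def lock_check(rg, operation):
    """A lock on the group covers every resource in it. CanNotDelete blocks delete;
    ReadOnly also blocks write. The caller's role (even Owner) is not consulted."""
    for lock_type in rg.locks.values():
        if operation == "delete" or (operation == "write" and lock_type == "ReadOnly"):
            return "ScopeLocked"
    return "Allowed"

def create_resource(rg, location, resource_type):
    """Outcome of a create request: a denial from either the lock or the policy
    blocks it (the evaluation order here is a simplification of ARM's)."""
    verdict = lock_check(rg, "write")
    return verdict if verdict != "Allowed" else policy_allowed_locations(location, resource_type)

def run_checkpoints(rg):
    """The three checks from the Checkpoints table, run against the model."""
    return {
        "Verify Lock": lock_check(rg, "delete"),
        "Verify Policy": create_resource(rg, "ukwest", "Microsoft.Storage/storageAccounts"),
        "Verify Tags": rg.tags.get("Dept") == "Finance" and rg.tags.get("Project") == "Governance",
    }

# Constructed stand-in for the lab group after Steps 1-4 (not live Azure state).
LAB_GROUP = ResourceGroup(name="brainybee-gov-lab",
                          tags={"Dept": "Finance", "Project": "Governance"},
                          locks={"LockGroup": "CanNotDelete"})

if __name__ == "__main__":
    print(run_checkpoints(LAB_GROUP))
```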
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| AuthorizationFailed | Insufficient permissions to assign policies. | Ensure you have 'Owner' or 'User Access Administrator' roles. |
| ScopeLocked | Trying to delete/move a resource with a lock. | Remove the lock from the 'Locks' blade in the portal before deleting. |
| PolicyViolation | Trying to deploy in a region not in your 'Allowed' list. | Change the deployment location to 'eastus' or update the policy params. |
Clean-Up / Teardown
To delete the resources, you must first remove the lock.
- Remove the lock:
```bash
az lock delete --name "LockGroup" --resource-group "brainybee-gov-lab"
```
- Delete the resource group:
```bash
az group delete --name "brainybee-gov-lab" --yes --no-wait
```
Concept Review
Understanding the hierarchy of Azure Governance tools is essential for the AZ-900 exam:
```latex
\begin{tikzpicture}[node distance=1.5cm, every node/.style={draw, fill=blue!10, rounded corners, minimum width=3cm}]
  \node (MG) {Management Groups};
  \node (SUB) [below of=MG] {Subscriptions};
  \node (RG) [below of=SUB] {Resource Groups};
  \node (RES) [below of=RG] {Resources};
  \draw[->] (MG) -- (SUB);
  \draw[->] (SUB) -- (RG);
  \draw[->] (RG) -- (RES);
  \node[draw=none, fill=none, right=2cm of RG, text width=4cm] (note)
    {\small \textbf{Governance Applied:}\\ - Policies\\ - Locks\\ - Tags\\ - RBAC};
\end{tikzpicture}
```
| Tool | Primary Purpose | Real-World Example |
|---|---|---|
| Azure Policy | Enforce standards / Compliance | Disallowing the creation of expensive G-series VMs. |
| Resource Locks | Data protection / Safety | Locking a Production Database from being deleted. |
| Tags | Taxonomy / Billing | Tagging resources with Environment: Production for cost split. |
| Microsoft Purview | Data Governance | Mapping sensitive data across SQL and Blob storage. |