Chapter 14 of 20
Policy and Compliance: Azure Policy, Locks, and Blueprints Concepts
Discover how Azure enforces organizational standards automatically using policies, locks, and templated environments for consistent deployments.
Big Picture: Governance, Compliance, and Where Azure Policy Fits
Why Governance Matters
At scale, two issues appear: configuration drift (resources not matching standards) and accidental damage (critical resources deleted or changed). Azure has tools to prevent both.
Key Governance Tools
Azure gives you three main governance tools: Azure Policy for configuration compliance, resource locks for change protection, and blueprint-like setups using initiatives and templates.
Canonical Azure Policy Definition
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
What You Must Distinguish
For AZ-900, you must tell apart: RBAC (who can do what), Azure Policy (what configurations are allowed), and resource locks (stop deletion or changes even if someone has permission).
Azure Policy Core Concepts: Definitions, Assignments, and Effects
Policy Definitions
A policy definition states the rule and effect. Example: "Storage accounts must use HTTPS only" with effect Deny. It describes what you care about and what to do if not met.
Policy Assignments and Scope
A policy assignment says where to apply the definition: management group, subscription, resource group, or resource. Children inherit policies from parent scopes.
Common Policy Effects
Key effects: Deny (block the non-compliant create or update), Audit (allow it but flag the resource as non-compliant), Append (add required fields, such as tags, during create or update), DeployIfNotExists (deploy a missing related resource or configuration after the resource is created). These control how strictly Azure enforces rules.
Continuous Evaluation
Azure Policy evaluates resources over time, not just at creation. You can see current compliance state in Azure Policy dashboards and remediate issues.
Example: Enforcing Tags and Regions with Azure Policy
Scenario: University IT
Finance wants every resource tagged with costCenter; security wants production only in West Europe. You use Azure Policy to standardize these rules across subscriptions.
Requiring Tags
Use a "Require a tag and its value" policy with effect Deny, assigned at subscription scope. Any resource without the costCenter tag is blocked at creation or update.
Restricting Regions
Use an "Allowed locations" policy with effect Deny, assigned at management group scope. Only West Europe and North Europe are allowed; others are blocked.
Viewing Compliance
The Azure Policy blade shows compliance percentage, non-compliant resources, and which policies are failing, so you can audit and remediate configuration drift.
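The definition, assignment, scope and effect concepts above, worked through as an added example (this is illustrative code written for this chapter, not Microsoft's Azure Policy engine or any code from the course). The two definitions are constructed copies written in the real Azure Policy JSON shape of the built-in "Allowed locations" and "Require a tag on resources" rules; the subscription id, resource ids and tag values are placeholders; only a small subset of the condition language is modelled, and the with_effect helper is an assumption used to show the Audit-then-Deny rollout.

```python
"""Added example (not Microsoft code): a tiny Azure Policy-style evaluator.
Reads policy definitions in the real Azure Policy JSON shape (an "if" condition
block plus a "then" effect), applies them only inside the assignment scope and
reports which effect fires. Modelled subset: field, equals, notEquals, in, notIn,
exists, allOf, plus a minimal [parameters('x')] / [concat(...)] resolver.
All ids, names and tag values below are constructed for the example."""
import copy
import re

# Constructed copies shaped like the built-in "Allowed locations" and
# "Require a tag on resources" definitions.
ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}
REQUIRE_TAG = {
    "displayName": "Require a tag on resources",
    "parameters": {"tagName": {"type": "String"}},
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

def resolve(expr, params):
    """Literals pass through; "[...]" is resolved as a tiny ARM-style expression."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1].strip()
    m = re.fullmatch(r"parameters\('([^']*)'\)", inner)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", inner)
    if m:  # concat() arguments: quoted literals or parameters('x') references
        return "".join(a.group(1) if a.group(1) is not None else str(params[a.group(2)])
                       for a in re.finditer(r"'([^']*)'|parameters\('([^']*)'\)", m.group(1)))
    raise ValueError(f"unsupported expression: {expr}")

def get_field(resource, field):
    """Read a field alias; tags[name] or tags['name'] indexes the tag map."""
    m = re.fullmatch(r"tags\[['\"]?([^'\"\]]+)['\"]?\]", field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def _norm(v):  # Azure compares strings case-insensitively; normalise scalars and lists
    return [_norm(x) for x in v] if isinstance(v, list) else v.lower() if isinstance(v, str) else v

OPS = {"equals": lambda a, b: a == b, "notEquals": lambda a, b: a != b,
       "in": lambda a, b: a in b, "notIn": lambda a, b: a not in b}

def matches(cond, resource, params):
    """True when the 'if' block matches, i.e. the 'then' effect should fire."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    value = _norm(get_field(resource, resolve(cond["field"], params)))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    for op, test in OPS.items():
        if op in cond:
            return test(value, _norm(resolve(cond[op], params)))
    raise ValueError(f"unsupported condition: {cond}")

def in_scope(scope, resource_id):  # assignments apply to the scope and inherit to children
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def evaluate(resource, assignments):
    """{displayName: effect} per matching policy; 'deny' rejects, 'audit' only reports."""
    results = {}
    for a in assignments:
        rule = a["definition"]["policyRule"]
        if in_scope(a["scope"], resource["id"]) and matches(rule["if"], resource, a.get("parameters", {})):
            results[a["definition"]["displayName"]] = rule["then"]["effect"]
    return results

def with_effect(definition, effect):
    """Copy of a definition with another effect: roll out as 'audit', switch to 'deny' later."""
    d = copy.deepcopy(definition)
    d["policyRule"]["then"]["effect"] = effect
    return d

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
ASSIGNMENTS = [
    {"definition": ALLOWED_LOCATIONS, "scope": SUB, "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"definition": REQUIRE_TAG, "scope": SUB + "/resourceGroups/rg-prod", "parameters": {"tagName": "costCenter"}},
]
GOOD = {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01",
        "location": "westeurope", "tags": {"costCenter": "CC-1234"}}
BAD = {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod02",
       "location": "eastus", "tags": {}}

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r["id"].rsplit("/", 1)[-1], evaluate(r, ASSIGNMENTS) or "compliant")
```

Two things the code makes visible that the prose only states: the tag rule is assigned at resource-group scope, so a VM in a different resource group is never evaluated against it, and switching the same definition from audit to deny changes nothing about what is detected, only whether the request is rejected.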
Initiatives and the Modern Replacement for Classic Blueprints
From Blueprints to Initiatives
Classic Azure Blueprints have been de-emphasized. Today, you typically use policy initiatives plus infrastructure-as-code templates to define standard environments.
What Is a Policy Initiative?
A policy initiative is a collection of policy definitions grouped for a goal, like a "Production baseline" with policies for tags, regions, logging, and encryption.
Blueprint-Like Templates
Organizations combine policy initiatives with ARM/Bicep templates or Terraform to deploy both rules and resources for a standard, compliant environment.
Exam Angle
If you see "blueprint" on AZ-900, think: a reusable design that bundles governance rules and standard resources for consistent, compliant deployments.
Resource Locks: Protecting Critical Assets from Accidental Changes
What Are Resource Locks?
Resource locks add a last line of defense so that even highly privileged users cannot easily delete or change critical resources by accident.
Lock Types
ReadOnly: the resource can be read but not updated or deleted. CanNotDelete: the resource can be read and modified but not deleted. Both apply even to users whose RBAC role would otherwise allow the blocked operation.
Scope and Inheritance
Apply locks at subscription, resource group, or resource level. Locks are inherited by child resources, protecting everything under that scope.
Use Cases
Use locks to protect production databases, core networking resource groups, or shared hub VNets from accidental deletion or modification.
Thought Exercise: Picking the Right Tool (RBAC vs Policy vs Locks)
Work through these short scenarios mentally and decide whether RBAC, Azure Policy, or resource locks is the best primary tool. Then compare your reasoning with the guidance.
- Scenario A: A student worker should be able to start and stop VMs in a lab resource group, but must not be able to delete VMs or change networking.
  - Ask yourself: Is this about who can do what, or about configuration standards, or about accidental deletion?
  - Best tool: RBAC. Assign a role such as Virtual Machine Contributor at the resource group, possibly combined with more granular roles.
- Scenario B: Your organization’s policy says all storage accounts must have encryption enabled and must be in specific regions.
  - Is this about access, configuration, or protection against deletion?
  - Best tool: Azure Policy. Use policies like "Allowed locations" and "Require encryption" with Deny or Audit effects.
- Scenario C: You have a mission-critical production database. Even admins sometimes make mistakes during late-night maintenance.
  - Is this about who is allowed, standard settings, or preventing accidental deletion?
  - Best tool: Resource locks. Apply a CanNotDelete lock to the database or its resource group.
Reflect: Could you combine tools? Yes. In real environments you often use RBAC + Policy + locks together for layered governance.
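The layering in Scenarios A and C and in the Resource Locks section, modelled as an added example (illustrative code written for this chapter, not Azure's authorization engine or anything from the course): RBAC decides whether the caller may perform the action at all, and a lock on the resource or on any parent scope then blocks modification or deletion regardless of RBAC. Role definitions are reduced to action patterns, "Lab VM Operator" is a constructed custom role, and every subscription id, principal and resource name is a placeholder.

```python
"""Added example (not Azure code): how RBAC and resource locks combine on one request.
RBAC runs first (who may do what); ReadOnly and CanNotDelete locks, inherited down
from the scope they are set on, then block writes and deletes even for Contributors.
All ids, principals, roles and resource names below are constructed for the example."""
from fnmatch import fnmatch

ROLES = {  # simplified: Contributor/Reader mirror the built-in shape, without NotActions
    "Contributor": ["*"],
    "Reader": ["*/read"],
    "Lab VM Operator": [  # constructed custom role: operate VMs, never delete or re-wire them
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
}

def covers(scope, resource_id):
    """A scope covers itself and every child; both role assignments and locks inherit this way."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def rbac_allows(principal, action, resource_id, role_assignments):
    """True when some role assigned to the principal at a covering scope permits the action."""
    return any(p == principal and covers(scope, resource_id)
               and any(fnmatch(action, pat) for pat in ROLES[role])
               for p, role, scope in role_assignments)

def blocking_lock(action, resource_id, locks):
    """Return the lock level that blocks this action, or None. Reads are never blocked;
    ReadOnly blocks every write, POST action and delete; CanNotDelete blocks only delete."""
    if action.endswith("/read"):
        return None
    levels = {level for scope, level in locks.items() if covers(scope, resource_id)}
    if "ReadOnly" in levels:
        return "ReadOnly"
    if "CanNotDelete" in levels and action.endswith("/delete"):
        return "CanNotDelete"
    return None

def authorize(principal, action, resource_id, role_assignments, locks):
    """'allowed', 'denied:rbac' or 'denied:lock:<level>'. A locked delete only goes
    through after someone with rights to manage locks removes the lock first."""
    if not rbac_allows(principal, action, resource_id, role_assignments):
        return "denied:rbac"
    level = blocking_lock(action, resource_id, locks)
    return f"denied:lock:{level}" if level else "allowed"

# Constructed sample environment (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_LAB, RG_PROD = SUB + "/resourceGroups/rg-lab", SUB + "/resourceGroups/rg-prod"
VM_LAB = RG_LAB + "/providers/Microsoft.Compute/virtualMachines/vm-lab1"
SQL_PROD = RG_PROD + "/providers/Microsoft.Sql/servers/sql-prod/databases/orders"
VNET_HUB = RG_PROD + "/providers/Microsoft.Network/virtualNetworks/vnet-hub"
ROLE_ASSIGNMENTS = [
    ("student@example.com", "Lab VM Operator", RG_LAB),  # Scenario A
    ("admin@example.com", "Contributor", SUB),           # broad rights, still subject to locks
]
LOCKS = {RG_PROD: "CanNotDelete", VNET_HUB: "ReadOnly"}  # Scenario C plus a frozen hub VNet

if __name__ == "__main__":
    checks = [
        ("student@example.com", "Microsoft.Compute/virtualMachines/start/action", VM_LAB),
        ("student@example.com", "Microsoft.Compute/virtualMachines/delete", VM_LAB),
        ("admin@example.com", "Microsoft.Sql/servers/databases/write", SQL_PROD),
        ("admin@example.com", "Microsoft.Sql/servers/databases/delete", SQL_PROD),
        ("admin@example.com", "Microsoft.Network/virtualNetworks/write", VNET_HUB),
    ]
    for principal, action, rid in checks:
        print(f"{principal:20} {action:50} {authorize(principal, action, rid, ROLE_ASSIGNMENTS, LOCKS)}")
```

Note the two different reasons a request fails: the student's delete never reaches the lock check because RBAC already denies it, while the admin's delete passes RBAC and is stopped only by the CanNotDelete lock inherited from rg-prod. The hub VNet carries a ReadOnly lock of its own, so even a write by the admin is refused there.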
Quiz 1: Azure Policy Fundamentals
Check your understanding of Azure Policy core concepts.
Which statement best describes a policy assignment in Azure Policy?
- A) It is the JSON document that defines the rule and effect to evaluate resources.
- B) It is the action that permanently fixes all non-compliant resources automatically.
- C) It is the association of a policy definition with a specific scope such as a subscription or resource group.
- D) It is a lock that prevents users from modifying resources that violate a policy.
Answer: C) It is the association of a policy definition with a specific scope such as a subscription or resource group.
A policy assignment links a policy definition (the rule and effect) to a particular scope, such as a management group, subscription, resource group, or individual resource. The definition is the rule; the assignment is where that rule applies.
Quiz 2: RBAC vs Policy vs Locks
Test your ability to select the right governance tool.
Your security team wants to ensure that no one can accidentally delete the resource group that contains your production virtual network. Which Azure feature should you use first?
- A) Assign the Reader role to all users on that resource group.
- B) Create an Azure Policy initiative that audits deletions on that resource group.
- C) Apply a CanNotDelete lock to that resource group.
- D) Disable the Azure subscription that contains that resource group.
Answer: C) Apply a CanNotDelete lock to that resource group.
A CanNotDelete resource lock on the resource group prevents deletion of the group and its resources, even for users who normally have permission via RBAC. Reader would block changes but also block necessary updates; Policy audits configuration, not deletions; disabling a subscription is too broad.
Compliance Views, Audit-Only Policies, and Common Exam Traps
Compliance Dashboard
Azure Policy shows compliance percentages, policy assignments, and non-compliant resources, helping you demonstrate adherence to internal or external standards.
Audit vs Deny Effects
Audit flags non-compliance without blocking. Deny blocks non-compliant actions. Start with Audit to measure impact, then move to Deny when ready.
Exam Trap: RBAC vs Policy
RBAC is about who can do what. Azure Policy is about what configurations are allowed. Both can apply at the same time but solve different problems.
Exam Trap: Locks vs Policy
Locks prevent deletion or modification; they do not enforce settings. Policy enforces or audits settings but does not by itself stop deletions.
Key Term Flashcards: Policy, Locks, and Governance
Use these flashcards to reinforce the most important terms for the exam.
- Azure Policy (canonical definition)
  - Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Policy definition
  - A policy definition is the JSON-based rule in Azure Policy that specifies the conditions to evaluate and the effect to apply when those conditions are met or not met.
- Policy assignment
  - A policy assignment associates a policy definition or initiative with a specific scope (management group, subscription, resource group, or resource), determining where the rule is evaluated.
- Policy initiative (policy set)
  - A policy initiative is a collection of policy definitions grouped together to achieve a single overall goal, such as enforcing a security or compliance baseline across a subscription.
- Deny vs Audit (policy effects)
  - Deny blocks non-compliant create or update operations. Audit allows the operation but marks the resource as non-compliant in Azure Policy reports.
- Resource lock: ReadOnly
  - A ReadOnly lock prevents any modifications or deletions of a resource or scope; users can read data but cannot change or delete resources even if RBAC would normally allow it.
- Resource lock: CanNotDelete
  - A CanNotDelete lock allows read and modify operations but prevents deletion of the locked resource or any child resources at that scope.
- Role-based access control (RBAC) (canonical)
  - Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Scope (governance context)
  - Scope is the level at which you apply RBAC roles, policy assignments, or locks: management group, subscription, resource group, or individual resource, with inheritance to child scopes.
- Blueprint-like environment
  - A blueprint-like environment is a reusable design that combines policy initiatives and infrastructure-as-code templates to deploy standardized, compliant Azure environments repeatedly.
Quick Design Exercise: Building a Compliant Subscription
Imagine you are setting up a new production subscription for your organization. Based on what you have learned, sketch a simple governance plan using Azure Policy, RBAC, and locks.
Take 2–3 minutes and, on paper or in your notes, answer:
- RBAC
  - Who should be Owner or Contributor at the subscription level?
  - Which teams should get more limited roles (for example, Reader, Virtual Machine Contributor) at specific resource groups?
- Azure Policy
  - List three rules you would enforce. Examples:
    - Allowed locations
    - Required tags (environment, costCenter)
    - Require encryption at rest for storage and databases
  - For each rule, decide: Audit or Deny? Why?
  - At what scope would you assign them (subscription vs resource group)?
- Resource locks
  - Identify two critical resources or resource groups you would protect with locks.
  - Decide whether each gets ReadOnly or CanNotDelete, and briefly justify.
When you finish, compare your notes with this mental checklist:
- Do you separate who can do what (RBAC) from what configurations are allowed (Policy)?
- Do your locks focus on truly critical assets, not everything?
This kind of structured thinking is exactly what AZ-900 scenario questions are testing. Your upcoming mock exam and gap guide in Skarp will surface which of these choices you are most and least confident about.
Key Terms
- Scope
  - The level in the Azure hierarchy where RBAC roles, policy assignments, and locks are applied: management group, subscription, resource group, or individual resource.
- Azure Policy
  - Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- ReadOnly lock
  - A resource lock type that allows read access but blocks any modification or deletion of resources at or under the locked scope.
- Resource lock
  - An Azure feature that prevents accidental modification or deletion of resources by applying a ReadOnly or CanNotDelete lock at a given scope.
- CanNotDelete lock
  - A resource lock type that allows reading and modifying resources but prevents their deletion at or under the locked scope.
- Policy assignment
  - The association of a policy definition or initiative with a specific scope (management group, subscription, resource group, or resource) where the rule is enforced or audited.
- Policy definition
  - The JSON-based rule in Azure Policy that specifies conditions to evaluate on resources and the effect to apply when those conditions are met or not met.
- Policy initiative
  - A collection of policy definitions grouped together to achieve a specific goal, such as enforcing a security or compliance baseline across many resources.
- Compliance dashboard
  - The view in Azure Policy that shows compliance status for policy assignments, including percentages, non-compliant resources, and details about violations.
- Role-based access control (RBAC)
  - Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.