
Chapter 18 of 20

Compliance, Data Protection, and Governance in Azure

Connect governance tools with compliance and data protection goals so you can reason about how Azure helps organizations meet regulatory and internal standards.

27 min read

Governance vs Management in Azure

Governance vs Management

Governance sets the rules of the game in Azure (what is allowed, who can do what, how data must be protected). Management is the day-to-day running of resources within those rules.

What Governance Covers

Governance includes policies, standards, and guardrails: allowed regions and SKUs, required tags, access rules, and compliance requirements set by security and architecture teams.

What Management Covers

Management is operational work: creating VMs, patching, rotating secrets, responding to alerts. It uses Azure tools to operate resources but does not define the high-level rules.

Azure Tools in Each Category

Governance tools: Azure Policy, RBAC, management groups, naming and tagging standards. Management tools: Azure portal, Azure PowerShell, Azure CLI, Azure Monitor.

Exam Framing

On AZ-900, if a scenario emphasizes enforcing standards across subscriptions or restricting locations, think governance. If it is about restarting or configuring one resource, think management.

Compliance, Data Protection, and the Shared Responsibility Model

Shared Responsibility Model

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Microsoft vs Customer Duties

Microsoft secures the cloud (datacenters, host infrastructure). You secure and govern what you run in the cloud: configurations, identities, data, and access.

Compliance Proof from Microsoft

Azure offers certifications and attestations (ISO 27001, SOC, GDPR support, HIPAA support). These prove the platform can support regulated workloads, not that your solution is compliant by default.

Your Compliance Tasks

You must set encryption, access control, data residency, and retention. Governance tools like Azure Policy and RBAC help you turn legal and internal rules into technical controls.

Exam Angle

If a question asks who is responsible for data classification, access approval, or retention, the answer is the customer, not Microsoft, even in a highly certified Azure region.

Azure Governance Building Blocks: Management Groups, Subscriptions, and Resource Groups

Where Governance Attaches

Azure governance is applied at management groups, subscriptions, resource groups, and resources. Policies and RBAC can be scoped to any of these levels.

Management Groups

Management groups sit above subscriptions and let you apply policies and RBAC centrally. Child subscriptions inherit these rules automatically.

Subscriptions and Resource Groups

Subscriptions isolate billing and environments. Resource groups organize related resources. Both can have their own RBAC and policy assignments for finer control.

Individual Resources

RBAC and some policies can target a single VM, database, or storage account, but this does not scale, so it is used sparingly for exceptions.

Best Practice and Exam Hint

Best practice: set broad rules high (management group/subscription) and refine lower. If a question says “all current and future subscriptions,” think management groups.

Azure Policy: Enforcing Rules for Compliance

What Azure Policy Is

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources to keep them compliant.

Definitions, Assignments, Parameters

You define what to check (policy definition), assign it to a scope (assignment), and often use parameters to reuse the same definition with different settings.

Policy Effects

Common effects: Deny (block), Audit (log), Append (add fields like tags), Modify (change properties to meet standards). Effects turn rules into real enforcement.

Compliance Examples

Examples: restrict regions to EU, require tags on storage, enforce encryption and secure transfer. These all map naturally to Azure Policy definitions.

Exam Clue: At-Scale Enforcement

If a scenario is about enforcing standards at scale or viewing compliance across subscriptions, think Azure Policy, not RBAC or just monitoring.
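To make the definition/assignment/parameter/effect model concrete, here is a small Python evaluator for a subset of the Azure Policy language. It is an added example, not code from this course or from Microsoft: the "Allowed locations" definition mirrors the shape of the built-in one (a parameter plus an if/then policyRule) but is a simplified copy, the tag-audit definition, the assignments and the sample resources are constructed, and the evaluator is a deliberately small stand-in for Azure's real engine. It shows the distinction the section draws between Deny (the request is blocked) and Audit (the request succeeds but a finding is recorded), and how one definition is reused with different parameter values.

```python
# Simplified Azure Policy evaluator: an added example, not Azure's engine.
# Supports allOf/anyOf, equals/notEquals/in/notIn/exists, parameter references
# of the form [parameters('name')], and the deny and audit effects.
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")

# Definition shaped like the built-in "Allowed locations": one parameter plus an
# if/then policyRule (a simplified copy for illustration, not the real JSON).
ALLOWED_LOCATIONS = {"properties": {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}}

# Constructed definition: flag storage accounts that lack an environment tag.
AUDIT_ENV_TAG = {"properties": {
    "displayName": "Audit storage accounts without an environment tag",
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "tags['environment']", "exists": "false"},
        ]},
        "then": {"effect": "audit"},
    },
}}

# Assignments as a governance team might make them at an EMEA management group:
# the same definition is reused with parameter values naming only EU regions.
ASSIGNMENTS = [
    {"definition": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"definition": AUDIT_ENV_TAG, "parameters": {}},
]

# Constructed sample resources, not real deployments.
VM_IN_EU = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
            "tags": {"environment": "prod"}}
VM_IN_US = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"}
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope"}

def norm(value):
    """Azure Policy compares strings case-insensitively."""
    return value.lower() if isinstance(value, str) else value

def resolve_param(value, params):
    """Replace "[parameters('name')]" with the assignment's parameter value."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[match.group(1)] if match else value

def resolve_field(field, resource):
    """Read a field alias (location, type, tags['key']) from a resource."""
    match = TAG_FIELD.match(field)
    if match:
        return resource.get("tags", {}).get(match.group(1))
    return resource.get(field)

def matches(cond, resource, params):
    """Evaluate one condition or logical block against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = norm(resolve_field(cond["field"], resource))
    if "equals" in cond:
        return actual == norm(resolve_param(cond["equals"], params))
    if "notEquals" in cond:
        return actual != norm(resolve_param(cond["notEquals"], params))
    if "in" in cond:
        return actual in [norm(v) for v in resolve_param(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [norm(v) for v in resolve_param(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(assignment, resource):
    """Return the effect that fires for this resource, or None if compliant."""
    rule = assignment["definition"]["properties"]["policyRule"]
    if matches(rule["if"], resource, assignment.get("parameters", {})):
        return rule["then"]["effect"].lower()
    return None

def evaluate_all(assignments, resource):
    """Deny blocks the request; audit lets it through but records a finding."""
    findings = []
    for assignment in assignments:
        effect = evaluate(assignment, resource)
        if effect:
            findings.append((assignment["definition"]["properties"]["displayName"], effect))
    return {"allowed": not any(e == "deny" for _, e in findings), "findings": findings}
```

Calling `evaluate_all(ASSIGNMENTS, VM_IN_US)` returns a denied result with one "Allowed locations" finding, while `UNTAGGED_STORAGE` is allowed through with an audit finding that a compliance dashboard would surface; a resource with location `global` is exempt from the location rule exactly because of the second `notEquals` condition, which is why the built-in definition carries it.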

Role-Based Access Control (RBAC) for Governance

What Azure RBAC Is

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

RBAC Building Blocks

RBAC ties together security principals (identities), role definitions (permissions), and scopes (where they apply) like subscriptions or resource groups.

Least Privilege in Practice

Governance uses RBAC to grant only the minimum rights needed, for example, Contributor on one resource group, Reader on shared infrastructure.

Governance Scenarios

Examples: only central admins manage policies; app teams manage their own resources; auditors get Security Reader access for visibility without changes.

Exam Distinction: RBAC vs Policy

RBAC answers “who can do what.” Azure Policy answers “what configurations are allowed.” Exam questions often test this distinction directly.

How Azure Policy and RBAC Work Together

Scenario Overview

A company must keep data in EU regions and restrict who can change these rules while letting app teams deploy freely within guardrails.

Using Azure Policy

The governance team creates an Allowed locations policy, assigns it to the EMEA management group with only EU regions, and uses a Deny effect.

Using RBAC

Only a small security team has Owner or Policy Contributor at the management group. App teams have Contributor only on their own resource groups.

Resulting Governance Model

Policy enforces data residency; RBAC controls who can change policies and who can create resources. App teams can innovate but cannot violate rules.

Exam Takeaway

If a scenario mentions both enforcing configurations and limiting who can alter rules, the correct design usually combines Azure Policy and RBAC.
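The scenario above, together with the earlier point that assignments made at a management group are inherited by every child scope, as an added Python example that is not part of the course and not Microsoft's code. It models the scope tree as a simple child-to-parent map (real Azure scope IDs look different), carries trimmed copies of the built-in Owner, Contributor and Reader definitions in Azure's Actions/NotActions wildcard style, and reduces the Allowed locations assignment to a list check; the principals, scope names and region list are constructed. RBAC answers who may perform an action at a scope, and the policy check answers whether the requested configuration is allowed there.

```python
# Toy model of Azure RBAC scopes and inheritance: an added example, not the
# Azure authorization engine. The scope tree, principals and policy assignment
# are constructed; role definitions use Azure's Actions/NotActions wildcard
# style but list only a few of the real entries.
from fnmatch import fnmatchcase

# Scope hierarchy as child -> parent (management group > subscription >
# resource group > resource). Names are constructed.
PARENT = {
    "mg:emea": None,
    "sub:payments": "mg:emea",
    "rg:payments-app": "sub:payments",
    "rg:shared-network": "sub:payments",
    "vm:payments-app/web01": "rg:payments-app",
}

# Simplified role definitions. Contributor's NotActions are what stop it from
# changing role assignments or policy assignments.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
}

# Role assignments (principal, role, scope): broad at the top, narrow below.
ROLE_ASSIGNMENTS = [
    ("security-team", "Owner", "mg:emea"),
    ("app-team", "Contributor", "rg:payments-app"),
    ("auditors", "Reader", "mg:emea"),
]

# Allowed locations assignment with a Deny effect at the management group;
# every child scope inherits it.
POLICY_ASSIGNMENTS = {"mg:emea": {"allowedLocations": ["westeurope", "northeurope"]}}

def ancestors(scope):
    """Yield the scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def action_matches(patterns, action):
    """Azure action strings are case-insensitive; '*' spans path segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_authorized(principal, action, scope):
    """True if a role assigned at this scope or an ancestor grants the action."""
    visible = set(ancestors(scope))
    for who, role, at in ROLE_ASSIGNMENTS:
        if who != principal or at not in visible:
            continue
        rd = ROLES[role]
        if action_matches(rd["actions"], action) and not action_matches(rd["notActions"], action):
            return True
    return False

def deploy_vm(principal, scope, location):
    """Simulated deployment: RBAC decides who may act, Policy decides what is allowed."""
    if not is_authorized(principal, "Microsoft.Compute/virtualMachines/write", scope):
        return False, "rbac: principal is not authorized at this scope"
    for s in ancestors(scope):
        allowed = POLICY_ASSIGNMENTS.get(s, {}).get("allowedLocations")
        if allowed is not None and location.lower() not in allowed:
            return False, f"policy: location {location} denied by assignment at {s}"
    return True, "deployed"
```

With these assignments, `deploy_vm("app-team", "rg:payments-app", "westeurope")` succeeds, the same call with `"eastus"` fails on the inherited policy even though RBAC allowed it, and a deployment into `rg:shared-network` fails on RBAC before policy is consulted. The app team also cannot write policy assignments anywhere, because Contributor's NotActions exclude `Microsoft.Authorization/*/Write`, while the security team can, since Owner at the management group is inherited by every child scope.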

Azure Compliance Offerings and Trust Documentation

Why Compliance Offerings Matter

Azure backs its platform with certifications and documentation so organizations can trust it for regulated workloads and show regulators concrete evidence.

Standards and Frameworks

Azure supports global and regional standards like ISO 27001, SOC reports, PCI-DSS, and GDPR-related controls, plus industry-specific frameworks.

Trust Documentation

Microsoft publishes details on data handling, encryption, key management, and incident response, giving transparency into how the platform operates.

Your Role Despite Certifications

Even with many certifications, customers must still configure access, encryption, and policies correctly to make their own solutions compliant.

Exam Signal

If a scenario mentions auditors asking for proof Azure meets a standard, the answer is Azure’s compliance offerings and trust documentation, not a technical feature alone.

Thought Exercise: Classify the Requirement

Work through these short scenarios and decide whether each is mainly about governance, management, or both, and which Azure features are most relevant.

  1. Scenario A: A company wants to ensure that no one can deploy resources in regions outside their home country. They also want a dashboard showing any non-compliant resources.
     • Question: Is this governance, management, or both? Which Azure service(s) would you use?
  2. Scenario B: A dev team needs to restart a virtual machine and increase its size to handle more traffic.
     • Question: Governance, management, or both? Which Azure service(s) or tools are in play?
  3. Scenario C: Internal auditors need read-only access to view all resources and policies in production subscriptions, but they must not be able to change anything.
     • Question: Governance, management, or both? Which Azure feature is key here?
  4. Scenario D: A bank must show regulators that customer data is encrypted at rest and that only authorized apps can access a particular database.
     • Question: Governance, management, or both? Which combination of Azure capabilities would you highlight?

Pause and write down your answers before checking the guidance below.

Suggested answers to compare with your thinking:

  • A: Governance; Azure Policy (Allowed locations) and compliance dashboard.
  • B: Management; Azure portal/CLI/PowerShell to manage the VM.
  • C: Governance; Azure RBAC roles like Reader or Security Reader at subscription/management group scope.
  • D: Both; encryption features (for example, storage/database encryption, possibly customer-managed keys) plus RBAC, Microsoft Entra ID, and Azure Policy to enforce encryption.

Quiz 1: Governance vs Management and Shared Responsibility

Test your understanding of core governance concepts.

Which statement best describes Azure governance in the context of the shared responsibility model?

  A. Azure governance tools completely replace the customer’s responsibility for compliance.
  B. Azure governance tools help customers translate their compliance and security requirements into technical rules and access controls, but customers still own their configurations.
  C. Azure governance is only about monitoring performance and health of resources.
  D. Azure governance is handled entirely by Microsoft; customers only manage their applications.

Answer: B) Azure governance tools help customers translate their compliance and security requirements into technical rules and access controls, but customers still own their configurations.

Azure governance (using tools like Azure Policy and RBAC) helps customers implement their own rules and compliance requirements in Azure. Under the shared responsibility model, Microsoft secures the cloud platform, but customers must configure their resources and access controls correctly.

Quiz 2: Azure Policy vs RBAC

Check that you can distinguish Azure Policy from RBAC in scenarios.

An organization wants to ensure that only a small security team can modify policies at the subscription level, while application teams can deploy resources but must obey those policies. Which combination of Azure features best meets this requirement?

  A. Azure Policy only
  B. Azure RBAC only
  C. Azure Policy to enforce rules and Azure RBAC to restrict who can change policies
  D. Azure Monitor alerts and Azure Advisor recommendations

Answer: C) Azure Policy to enforce rules and Azure RBAC to restrict who can change policies

Azure Policy enforces configuration rules (such as allowed regions), while Azure RBAC controls who can manage those policies and who can deploy resources. Together they create a strong governance model. Azure Monitor and Azure Advisor are important, but they do not enforce access or configuration rules in the same way.

Key Terms Review: Governance and Compliance in Azure

Use these flashcards to reinforce the core definitions and distinctions you need for AZ-900.

Governance (in Azure context)
The process of defining and enforcing rules, policies, and standards across Azure environments (for example, allowed regions, required tags, access models) to meet regulatory and internal requirements.
Management (in Azure context)
Day-to-day operational tasks on Azure resources (for example, creating VMs, patching, scaling, responding to alerts) performed within the boundaries set by governance.
Azure Policy (definition)
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
role-based access control (RBAC) (definition)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Shared responsibility model (definition)
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Scope (in RBAC and Azure Policy)
The level at which a role or policy is applied: management group, subscription, resource group, or individual resource. Child scopes inherit from parent scopes unless overridden.
Compliance offerings and trust documentation
Microsoft’s portfolio of certifications, attestations, and documentation (for example, ISO 27001, SOC reports, GDPR-related information) that demonstrate Azure’s platform alignment with external standards.
Least privilege principle
Security principle where each identity is granted the minimum set of permissions needed to perform its tasks, at the narrowest possible scope.
Policy effect: Deny vs Audit
Deny blocks non-compliant deployments from succeeding. Audit allows the deployment but logs non-compliance for review and reporting.
Management group (governance use)
A container above subscriptions used to organize them and apply Azure Policy and RBAC centrally, so rules and access control are inherited by all child subscriptions.

Key Terms

scope
In Azure governance, the boundary at which a policy or RBAC role is applied, such as management group, subscription, resource group, or individual resource.
governance
In Azure, the process of defining and enforcing rules, standards, and policies across environments to meet regulatory and internal requirements, typically using tools like Azure Policy, RBAC, and management groups.
management
In Azure, the day-to-day operational work of creating, configuring, and maintaining resources, following the rules established by governance.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
least privilege
A security principle where identities are given only the minimum permissions required to perform their tasks, reducing risk if an account is compromised.
management group
An Azure container above subscriptions that lets you organize subscriptions and apply Azure Policy and RBAC centrally, with inheritance to child subscriptions.
trust documentation
Microsoft’s documentation describing how Azure handles security, privacy, data protection, and compliance, used by organizations to understand and justify their use of Azure.
compliance offerings
Microsoft’s set of certifications, attestations, and regulatory alignments (such as ISO 27001, SOC, PCI-DSS, GDPR-related controls) that demonstrate Azure’s platform meets external standards.
shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
