3.6 Azure Governance Features: Putting It All Together
Key Takeaways
- Azure governance combines Management Groups, Azure Policy, RBAC, Resource Locks, Tags, and Blueprints to enforce organizational standards.
- Management Groups provide governance scope across multiple subscriptions; Azure Policy enforces rules on resources.
- RBAC controls who can access resources; Azure Policy controls what resources can do — they work together.
- Microsoft Purview Compliance Manager provides a compliance score and actionable recommendations for improving compliance posture.
- A well-designed governance strategy prevents unauthorized resource creation, enforces compliance, and controls costs.
Quick Answer: Governance in Azure = Management Groups (scope) + Azure Policy (rules) + RBAC (access) + Resource Locks (protection) + Tags (organization). These tools work together to enforce standards across your Azure environment.
The Azure Governance Stack
Effective governance in Azure requires combining multiple features. Each feature has a specific role:
| Feature | Purpose | Example |
|---|---|---|
| Management Groups | Organize subscriptions for governance | Group all production subscriptions under "Production" management group |
| Azure Policy | Enforce rules on resource configuration | "All storage accounts must use HTTPS" |
| RBAC | Control who can access resources | "Jane is a Contributor on the Production subscription" |
| Resource Locks | Prevent accidental deletion/modification | CanNotDelete lock on production databases |
| Tags | Organize and track resources | "CostCenter: CC-1001" on all Finance department resources |
| Budgets & Alerts | Control spending | Alert when spending reaches 80% of monthly budget |
How Governance Features Interact
Policy + RBAC (Complementary)
- RBAC answers: "Can this user create a VM?" (access control)
- Policy answers: "Can a VM be created in this region/size?" (resource rules)
- A user with Owner role might be BLOCKED by Policy from creating a VM in a restricted region
- Both are enforced through Azure Resource Manager
Management Groups + Policy (Inheritance)
- Apply a Policy at the Management Group level
- All subscriptions, resource groups, and resources below INHERIT the policy
- Example: "Deny VM creation > 8 vCPUs" at the Dev Management Group prevents all dev subscriptions from creating large VMs
Tags + Cost Management (Tracking)
- Apply tags to resources: "Department: Marketing"
- Filter Azure Cost Management by tag to see Marketing's spending
- Set tag-scoped budgets and alerts
Locks + Lifecycle Management (Protection)
- Apply CanNotDelete to production resource groups
- Resources can still be modified but not accidentally deleted
- Combines with RBAC to create layered protection
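As an added illustration (not Azure's actual evaluation engine or any Microsoft code), here is a small Python model of the layered checks described above: a role assignment must grant the action, then Deny policies inherited from parent scopes are applied, then CanNotDelete locks block deletes. The hierarchy, principals and scope names are constructed for the example.

```python
from dataclasses import dataclass, field

PARENT = {"mg-dev": None, "sub-dev-1": "mg-dev", "rg-app": "sub-dev-1"}  # hypothetical MG -> sub -> RG

def ancestors(scope):
    """Yield the scope itself, then each parent up to the root (the inheritance path)."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]
# RBAC: role assignments (principal, role, scope) are inherited down the hierarchy.
ROLE_ACTIONS = {"Owner": {"*"}, "Reader": {"*/read"}}
ROLE_ASSIGNMENTS = [("jane", "Owner", "mg-dev"), ("bob", "Reader", "sub-dev-1")]
# Azure Policy: (assignment scope, effect, condition); a Deny ignores the caller's role.
POLICIES = [
    ("mg-dev", "Deny", lambda r: r.res_type == "vm" and r.props.get("vcpus", 0) > 8),
    ("mg-dev", "Deny", lambda r: r.props.get("location") not in {"eastus", "westus"}),
    ("sub-dev-1", "Deny", lambda r: "CostCenter" not in r.props.get("tags", {})),
]
LOCKS = {"rg-app": "CanNotDelete"}  # Resource Locks: scope -> lock level

@dataclass
class Request:
    principal: str
    action: str                 # "write" (create/update) or "delete"
    scope: str                  # resource group the resource lives in
    res_type: str
    props: dict = field(default_factory=dict)

def rbac_allows(req):
    """True if a role assignment at the scope or any ancestor grants the action."""
    for principal, role, scope in ROLE_ASSIGNMENTS:
        if principal == req.principal and scope in ancestors(req.scope):
            actions = ROLE_ACTIONS[role]
            if "*" in actions or f"*/{req.action}" in actions:
                return True
    return False

def evaluate(req):
    """Return (allowed, reason) in the layered order: RBAC, then Policy, then Locks."""
    if not rbac_allows(req):
        return False, "RBAC: no role grants this action at this scope"
    if req.action == "write":   # Deny policies apply to create/update requests
        for scope, effect, matches in POLICIES:
            if effect == "Deny" and scope in ancestors(req.scope) and matches(req):
                return False, f"Policy: denied by assignment at {scope}"
    if req.action == "delete":  # a lock protects its scope and everything beneath it
        for scope in ancestors(req.scope):
            if LOCKS.get(scope) == "CanNotDelete":
                return False, f"Lock: CanNotDelete at {scope}"
    return True, "allowed"
```

Running `evaluate` on an Owner creating a 16-vCPU VM under the Dev management group returns a Policy denial even though RBAC allowed the write, which is the "Owner blocked by Policy" case described above.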
Governance Decision Matrix
| "I want to..." | Use This Feature |
|---|---|
| Organize subscriptions hierarchically | Management Groups |
| Restrict which regions resources can be created in | Azure Policy (Allowed Locations) |
| Control who can manage Azure resources | RBAC (Role Assignments) |
| Prevent accidental deletion of critical resources | Resource Locks (CanNotDelete) |
| Track costs by department or project | Tags + Cost Management |
| Ensure all VMs are encrypted | Azure Policy |
| Get compliance posture across standards | Microsoft Purview Compliance Manager |
| Enforce tagging on all new resources | Azure Policy (Require Tag) |
| Set spending limits with notifications | Budgets and Alerts |
On the Exam: Governance questions often describe a scenario and ask which feature to use. Focus on the INTENT: controlling access = RBAC, enforcing resource rules = Policy, preventing deletion = Locks, organizing for cost = Tags.
A company wants to prevent developers from creating VMs larger than 4 vCPUs across all development subscriptions. Which governance approach should they use?
Which combination of features would you use to control WHO can create resources AND WHAT types of resources they can create?
A user with the Owner RBAC role tries to create a storage account without HTTPS, but an Azure Policy requires HTTPS on all storage accounts. What happens?