What is the difference between Azure Policy and Azure RBAC?

Azure Policy controls WHAT resources can do; RBAC controls WHO can access resources. Azure Policy controls WHAT resources can do (e.g., "VMs must be encrypted"). RBAC controls WHO has access to resources (e.g., "User A can create VMs"). They are complementary — a user with Owner permissions can still be blocked by Policy.

Which Azure Policy effect prevents non-compliant resources from being created?

Deny. The Deny effect blocks the creation or modification of non-compliant resources. The Audit effect only flags them as non-compliant but does not prevent creation. This is the most common enforcement mechanism.

What is an Azure Policy Initiative?

A group of related policy definitions assigned together. A Policy Initiative (formerly Policy Set) groups multiple related policy definitions together so they can be assigned and managed as a single unit. This simplifies compliance management when multiple policies need to be enforced together.

A company wants to ensure all new VMs are only created in the US East and West Europe regions. Which Azure feature should they use?

Azure Policy with "Allowed Locations" policy. The built-in "Allowed Locations" Azure Policy restricts which Azure regions resources can be created in. By assigning this policy with the Deny effect, any attempt to create a resource in a non-allowed region will be blocked.

Azure Policy

Quick Answer: Azure Policy enforces rules on Azure resources. It can audit existing resources for compliance and prevent non-compliant resources from being created. Policy controls WHAT resources can do. RBAC controls WHO can access resources.

What Is Azure Policy?

Azure Policy is a governance service that lets you create, assign, and manage policies that enforce rules on your Azure resources. These policies ensure your resources comply with corporate standards and service level agreements.

How Azure Policy Works

Define — Create a policy definition (or use a built-in one) that specifies the rule
Assign — Assign the policy to a scope (management group, subscription, or resource group)
Evaluate — Azure Policy evaluates all resources within the scope
Report — Non-compliant resources are flagged in the compliance dashboard
Enforce — New resources that violate the policy can be blocked from creation

Policy Effects

When a policy evaluates a resource, different effects can occur:

Effect	Description
Audit	Flags non-compliant resources but does NOT block them (report only)
Deny	Blocks the creation or modification of non-compliant resources
Append	Adds specified fields to a resource (e.g., automatically add a required tag)
Modify	Changes properties on a resource (e.g., add or modify tags)
DeployIfNotExists	Deploys a related resource if it does not exist (e.g., deploy a diagnostic setting)
AuditIfNotExists	Audits if a related resource does not exist
Disabled	Turns off the policy evaluation

Built-in Policy Examples

Policy	Description
Allowed locations	Restrict which Azure regions resources can be created in
Allowed VM SKUs	Limit which VM sizes can be deployed
Require tag on resources	Enforce that all resources must have a specific tag
Inherit tag from resource group	Automatically copy tags from the resource group to new resources
Storage account encryption	Require encryption on all storage accounts
SQL DB transparent data encryption	Ensure SQL databases have TDE enabled

Policy Initiatives

A Policy Initiative (previously called a Policy Set) groups multiple related policy definitions together for easier management and assignment.

Example initiative: "Enable Azure Monitor for VMs" includes policies to:

Deploy the Log Analytics agent
Deploy the Dependency agent
Audit if the agents are not installed
Configure diagnostic settings

On the Exam: When a question describes needing to enforce multiple related compliance rules simultaneously, the answer is a Policy Initiative (not individual policies).

Azure Policy vs. RBAC

Feature	Azure Policy	Azure RBAC
Focus	WHAT resources can do	WHO can access resources
Example	"VMs must be in US East region"	"User A can create VMs"
Enforcement	Rules on resource properties	Permissions for users/groups
Default	Resources are allowed unless a policy denies	Access is denied unless a role grants it

On the Exam: Azure Policy and RBAC are complementary but different. A user with Owner permissions could still be BLOCKED by Azure Policy from creating a VM in a restricted region. Policy overrides RBAC permissions for resource configuration.

Compliance Dashboard

Azure Policy provides a compliance dashboard in the Azure portal that shows:

Overall compliance percentage
Per-policy compliance status
Non-compliant resources with remediation guidance
Compliance trends over time

Microsoft Azure Fundamentals

3.3 Azure Policy

Key Takeaways

Azure Policy

What Is Azure Policy?

How Azure Policy Works

Policy Effects

Built-in Policy Examples

Policy Initiatives

Azure Policy vs. RBAC

Compliance Dashboard

Microsoft Azure Fundamentals

1Introduction

2Domain 1: Cloud Concepts (25-30%)

3Domain 2A: Azure Architecture Components

4Domain 2B: Azure Compute Services

5Domain 2C: Azure Networking Services

6Domain 2D: Azure Storage Services

7Domain 2E: Azure Identity, Access, and Security

8Domain 3A: Azure Cost Management

9Domain 3B: Azure Governance and Compliance

10Domain 3C: Azure Monitoring and Management Tools

11Additional Azure Services and Exam Review

12Advanced Azure Topics and Service Deep Dives

3.3 Azure Policy

Key Takeaways

Azure Policy

What Is Azure Policy?

How Azure Policy Works

Policy Effects

Built-in Policy Examples

Policy Initiatives

Azure Policy vs. RBAC

Compliance Dashboard