2.6 Azure Policy, Locks, Tags, and Governance Controls
Key Takeaways
- Azure Policy evaluates resource compliance and can deny, audit, append, modify, or deploy supporting configuration depending on policy effect.
- Locks protect resources from accidental write or delete operations but do not replace RBAC or backup.
- Tags support organization, automation, and cost reporting, but they are not security boundaries.
- Budgets, cost alerts, and Advisor recommendations are governance signals, not hard access controls by themselves.
Governance Controls Work Together
Azure governance is not one feature. RBAC controls who can perform actions. Azure Policy controls whether resource configurations are allowed or compliant. Locks protect resources from accidental writes or deletes. Tags organize resources for reporting and automation. Budgets, cost alerts, and Advisor recommendations help administrators monitor and improve the environment.
AZ-104 questions often include several controls and ask which one solves a specific requirement. If the requirement says prevent creation of resources in unapproved regions, think Azure Policy. If it says prevent accidental deletion of a production database, think lock. If it says identify cost center, think tag. If it says allow a user to restart VMs, think RBAC.
Azure Policy
Azure Policy evaluates resource properties against policy definitions. A policy assignment applies a definition or initiative at a scope. An initiative is a set of policies. Compliance state tells you whether resources match the assignment. Effects determine what happens.
| Effect | Practical result |
|---|---|
| Audit | Marks noncompliant resources but does not block the request. |
| Deny | Blocks noncompliant create or update requests. |
| Append | Adds fields to requests where supported. |
| Modify | Adds, replaces, or removes properties or tags on create or update where supported; the assignment needs a managed identity with rights to make the change. |
| DeployIfNotExists | Deploys related resources or settings when they are missing. Runs after the resource is created or updated, so existing resources are only fixed by a remediation task, and the assignment needs a managed identity with rights to deploy. |
| AuditIfNotExists | Audits when related resources or settings are missing. |
| Disabled | Turns off evaluation for that assignment. |
Portal path: Policy > Definitions, Policy > Assignments, and Policy > Compliance. For a workload scope, you can also start from the management group, subscription, or resource group and view Policy from there.
Scenario: The organization requires all storage accounts to disable public network access. A deny policy can prevent noncompliant new deployments. An audit policy can report existing noncompliance. A deployIfNotExists or modify approach may help remediate certain settings if the policy supports it and has the right managed identity. The exam often asks whether you need prevention, reporting, or remediation.
Locks
Azure supports exactly two management lock levels. CanNotDelete permits authorized reads and writes but blocks deletes. ReadOnly permits reads but blocks writes and deletes. Locks can be assigned at subscription, resource group, or resource scope and are inherited by child resources; when several locks apply, the most restrictive one wins. Creating or removing a lock requires the Microsoft.Authorization/locks/* permission, which Owner and User Access Administrator have and Contributor does not, so a lock also protects against Contributors who would otherwise have delete rights.
| Lock level | Allows read | Allows write | Allows delete | Common use |
|---|---|---|---|---|
| CanNotDelete | Yes | Yes | No | Protect production resources from accidental deletion. |
| ReadOnly | Yes | No | No | Freeze critical resources during a change window or protect static shared resources. |
Locks are not a backup strategy. Locks apply to the Azure Resource Manager control plane: if data inside a service is deleted through a data-plane operation (for example deleting blobs in a storage account that carries a CanNotDelete lock), the lock does not protect it. Use service-specific protection such as soft delete, backup, versioning, and access controls where needed. ReadOnly locks also have side effects, because some read-like operations are POST requests that the lock treats as writes; for example, listing storage account keys is blocked, which breaks portal views and tools that depend on it.
Tags
Tags are name-value metadata applied to resources, resource groups, and subscriptions. They help with cost allocation, ownership, automation, lifecycle, and reporting. Common tags include CostCenter, Owner, Environment, Application, and DataClassification.
Tags are not inherited automatically by every child resource in all situations. Azure Policy can be used to require a tag, append a tag, or inherit a tag from a resource group where policy definitions support that pattern. Exam questions frequently ask how to ensure new resources have required tags; the answer is usually policy, not a manual portal reminder.
| Requirement | Best control |
|---|---|
| Every resource must have CostCenter | Azure Policy require tag (deny when the tag is missing). |
| New resources should inherit Environment from resource group | Azure Policy modify pattern (built-in "Inherit a tag from the resource group"). |
| Report monthly cost by application | Tags plus Cost Management. |
| Stop users from deleting a resource | Lock. |
| Stop public IP creation | Azure Policy deny. |
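The storage-account scenario above and the require-tag rows in this table are both decided by the same mechanism: an assignment is in scope or not, its if-condition fires or not, and only a Deny effect turns a noncompliant result into a blocked request. The following simulator is an added example written for this study guide, not Microsoft code. It reproduces the policyRule JSON shape (if/then; field with equals, notEquals, exists; allOf, anyOf, not) and scope matching, then runs constructed storage-account requests through a Deny assignment on rg-prod, an Audit assignment on rg-dev, and a subscription-wide require-CostCenter-tag assignment. The assignment names, scopes, and sample resources are constructed; reading an alias as "<resource type>/<path under properties>" is a simplification of how Azure resolves aliases.

```python
"""Simulate how Azure Policy assignments evaluate an ARM create/update request.
Added example for this study guide, not Microsoft code. Assumption: a property
alias is read as '<resource type>/<path under properties>'; real aliases are
resolved from provider schemas and can be more complex."""
import re

# Shared condition: a storage account whose public network access is not Disabled.
PUBLIC_STORAGE_CONDITION = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
     "notEquals": "Disabled"},
]}

# Constructed assignments: name, scope, and a policyRule in the built-in format.
DENY_PUBLIC_STORAGE = {
    "name": "deny-storage-public-network",
    "scope": "/subscriptions/sub-a/resourceGroups/rg-prod",
    "policyRule": {"if": PUBLIC_STORAGE_CONDITION, "then": {"effect": "Deny"}},
}
AUDIT_PUBLIC_STORAGE = {
    "name": "audit-storage-public-network",
    "scope": "/subscriptions/sub-a/resourceGroups/rg-dev",
    "policyRule": {"if": PUBLIC_STORAGE_CONDITION, "then": {"effect": "Audit"}},
}
REQUIRE_COSTCENTER_TAG = {
    "name": "require-tag-costcenter",
    "scope": "/subscriptions/sub-a",
    "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"},
                   "then": {"effect": "Deny"}},
}
ASSIGNMENTS = [DENY_PUBLIC_STORAGE, AUDIT_PUBLIC_STORAGE, REQUIRE_COSTCENTER_TAG]

_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
_norm = lambda v: v.lower() if isinstance(v, str) else v  # Policy compares strings case-insensitively


def resolve_field(resource, field):
    """Return the value a policy 'field' refers to, or None when it is absent."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    tag = _TAG_FIELD.match(field)
    if tag:
        return (resource.get("tags") or {}).get(tag.group(1))
    rtype = resource.get("type", "")
    if field.lower().startswith(rtype.lower() + "/"):  # alias simplification (assumption)
        value = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("/"):
            value = value.get(part) if isinstance(value, dict) else None
        return value
    return None


def matches(cond, resource):
    """True when the condition fires, i.e. the resource is noncompliant."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:  # a missing property also counts as "not Disabled"
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(assignment, resource_id):
    """Assignments apply to their scope and everything beneath it, not to siblings."""
    scope = assignment["scope"].lower().rstrip("/")
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def evaluate_request(resource, assignments=ASSIGNMENTS):
    """Return (allowed, findings); each finding is (assignment, effect, compliant)."""
    allowed, findings = True, []
    for a in assignments:
        if not in_scope(a, resource["id"]):
            continue
        rule = a["policyRule"]
        effect = rule["then"]["effect"]
        if effect.lower() == "disabled":
            continue
        fired = matches(rule["if"], resource)
        findings.append((a["name"], effect, not fired))
        if fired and effect.lower() == "deny":  # only Deny blocks the request
            allowed = False
    return allowed, findings


def storage_request(name, rg, public_access, tags):
    """Constructed ARM resource body for a storage account create request."""
    return {"id": f"/subscriptions/sub-a/resourceGroups/{rg}/providers/"
                  f"Microsoft.Storage/storageAccounts/{name}",
            "name": name, "type": "Microsoft.Storage/storageAccounts",
            "location": "westeurope", "tags": tags,
            "properties": {"publicNetworkAccess": public_access}}


if __name__ == "__main__":
    for req in (storage_request("stprod1", "rg-prod", "Enabled", {"CostCenter": "1001"}),
                storage_request("stprod2", "rg-prod", "Disabled", {}),
                storage_request("stdev1", "rg-dev", "Enabled", {"CostCenter": "1001"})):
        allowed, findings = evaluate_request(req)
        print(req["name"], "ALLOWED" if allowed else "DENIED", findings)
```

Running it shows the three exam distinctions in one place: stprod1 is blocked by the Deny assignment even though it has its tag, stprod2 is compliant with the network rule but blocked because the CostCenter tag is missing, and stdev1 is allowed because only an Audit assignment covers rg-dev, so it is created and simply reported as noncompliant. The scope check also shows why a lock or assignment on rg-prod says nothing about rg-prod2 or rg-dev.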
Cost Governance And Advisor
Budgets and cost alerts notify administrators when spend reaches thresholds. They do not automatically prevent resource creation unless paired with automation or policy decisions. Azure Advisor provides recommendations for cost, reliability, security, operational excellence, and performance. Advisor does not itself grant or remove access.
Scenario: A sandbox subscription must alert at 80 percent of a monthly budget and again at 100 percent. Configure a budget in Cost Management with thresholds and action groups or email notifications. Do not use a resource lock; a lock protects resources, not spending.
Scenario: Advisor recommends resizing underutilized VMs. That recommendation is advisory. An administrator still needs RBAC permission and change approval to resize or shut down resources.
Portal And CLI Decision Logic
Use the portal to browse built-in policy definitions, assign initiatives, inspect compliance, configure locks, and view Cost Management reports. Use CLI for repeatable governance rollout.
```bash
# List every policy assignment that applies at the subscription scope
az policy assignment list --scope /subscriptions/<sub-id>

# Summarize compliance state for all resources under a management group
az policy state summarize --management-group corp-prod

# Prevent accidental deletion of everything in rg-prod (reads and writes still allowed)
az lock create --name protect-prod --lock-type CanNotDelete --resource-group rg-prod

# Set tags on a single resource by its full resource ID
az tag create --resource-id <resource-id> --tags CostCenter=1001 Environment=Prod
```
For exam command interpretation, pay attention to the scope path. A lock created on rg-prod does not protect resources in rg-dev. A policy assignment at a management group can affect many subscriptions. A tag command updates metadata; it does not grant permissions. Note also that az tag create with --resource-id replaces the resource's entire tag set; to add a tag without dropping the existing ones, use az tag update --resource-id <resource-id> --operation Merge --tags Owner=team-a.
Exam Traps
Trap 1: choosing tags as a security control. Tags can drive automation and reporting, but they do not prevent access.
Trap 2: choosing locks for compliance rules. A lock can stop deletion or writing, but it cannot require HTTPS-only storage or allowed VM sizes. Use Azure Policy for configuration compliance.
Trap 3: assuming audit blocks deployment. Audit reports noncompliance. Deny blocks noncompliant requests.
Trap 4: assuming budgets stop spend by themselves. Budgets notify. They can trigger action groups, but a budget alone is not the same as an Azure Policy deny.
Trap 5: overlooking permissions needed for remediation. Some policy remediation tasks require a managed identity with sufficient permissions to deploy or modify resources.
Which Azure control should you use to prevent users from creating resources outside approved regions?
What does a CanNotDelete lock do?
A requirement says every new resource must include a CostCenter tag. Which approach best enforces the requirement?