4.3 Compliance Management Design
Key Takeaways
- Azure Policy evaluates resource properties against rules and can Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, or Disable; related policies are grouped into initiatives (policy sets), such as a NIST SP 800-53 or PCI DSS initiative
- Policy evaluation order is Disabled, then Append and Modify, then Deny, then Audit, then AuditIfNotExists and DeployIfNotExists
- Microsoft Defender for Cloud's Regulatory Compliance dashboard maps assigned policy initiatives to named standards (NIST, PCI DSS, ISO 27001, the Microsoft cloud security benchmark) and continuously scores control-level pass/fail, now integrated with Microsoft Purview Compliance Manager
- Azure landing zones apply governance across 8 CAF design areas — including management group/subscription organization and governance itself — as the standard framework for compliance-by-design at enterprise scale
- Azure Blueprints is being retired: phased retirement began July 31, 2026, with full retirement (permanent deletion of un-exported artifacts) on January 31, 2027 — recommend Azure Deployment Stacks plus Template Specs for new compliant, repeatable landing-zone deployments instead
Why This Topic Matters
"Recommend a solution for managing compliance" is the second bullet under Design governance, and it is where AZ-305 tests whether you can operationalize governance, not just structure it. Domain 1 carries 25-30% of the exam, and compliance-management questions are dense with named Azure services (Azure Policy, initiatives, Microsoft Defender for Cloud, landing zones) that each solve a slightly different piece of the same problem: proving, continuously and at scale, that resources match required rules. This is also the section where a very current change matters for exam-takers studying in mid-to-late 2026: Azure Blueprints is being retired, and Microsoft's own guidance now points architects toward Deployment Stacks and Template Specs instead.
Azure Policy: Effects and Evaluation Order
Azure Policy definitions describe a business rule and an effect — what happens when a resource matches or violates that rule.
| Effect | What it does |
|---|---|
| Deny | Blocks the create or update request outright when the resource violates the rule |
| Audit | Allows the resource but marks it non-compliant for reporting; no enforcement |
| Append | Adds a specified property (e.g., a tag) during creation/update; the value cannot be removed by the caller |
| Modify | Adds, updates, or removes properties (most commonly tags) at creation/update time and via a remediation task against existing resources |
| DeployIfNotExists | If a related resource is missing (e.g., a diagnostic setting), automatically deploys a template to create it |
| AuditIfNotExists | Same detection logic as DeployIfNotExists, but only flags non-compliance instead of remediating it |
| Disabled | Effect is turned off entirely, useful while testing a policy's condition logic |
Evaluation order matters when multiple policies could apply to the same resource: Disabled → Append and Modify → Deny → Audit → AuditIfNotExists and DeployIfNotExists. Practically, this means append/modify effects run and adjust the resource before deny is evaluated, so a Modify policy can sometimes bring a resource into compliance before a Deny policy would have blocked it.
Related policy definitions are grouped into initiatives (policy sets) so an architect can assign one initiative — for example, a built-in "NIST SP 800-53" or "PCI DSS" initiative — instead of dozens of individual policies.
Microsoft Defender for Cloud: Regulatory Compliance Dashboard
When a scenario needs continuous, reportable evidence against a named external standard (not just an internal rule), the answer is the Regulatory Compliance dashboard inside Microsoft Defender for Cloud. It:
- Maps assigned policy initiatives to compliance standards such as ISO 27001, PCI DSS, SOC 2, and the Microsoft cloud security benchmark.
- Continuously assesses resources against each standard's controls and shows pass/fail at the control level, not just the resource level.
- Works across Azure, AWS, and GCP resources when those clouds are onboarded to Defender for Cloud.
- Now integrates with Microsoft Purview Compliance Manager for a single, organization-wide compliance score spanning cloud infrastructure and Microsoft 365 data governance.
Exam distinction: Azure Policy is the enforcement/remediation engine; the Regulatory Compliance dashboard is the reporting and control-mapping layer built on top of policy initiatives.
Azure Landing Zones for Governance at Scale
Building on the hierarchy from 4.1, Azure landing zones formalize governance across 8 CAF design areas: Azure billing and Microsoft Entra tenant; identity and access management; management group and subscription organization; network topology and connectivity; security; management; governance; and platform automation and DevOps. When a scenario asks for "centralized, policy-driven governance" plus a "hub-and-spoke or Virtual WAN network topology" plus "platform/landing-zone separation across many subscriptions," the landing zone framework is the intended answer — it is Microsoft's opinionated reference implementation combining the management group tree, baseline Azure Policy assignments, and network topology into one design.
Azure Blueprints Retirement (Current, Exam-Relevant Change)
Azure Blueprints previously bundled ARM templates, policy assignments, and RBAC assignments into a single versioned "blueprint" that could be assigned and tracked as a unit. Microsoft is retiring Azure Blueprints: a phased retirement began July 31, 2026, and full retirement — including permanent deletion of any blueprint definitions, versions, and assignments that are not exported — occurs on January 31, 2027. Microsoft's replacement is two complementary services used together:
- Template Specs — store and version the deployment artifact (an ARM/Bicep template) in Azure, or use a Git repository.
- Azure Deployment Stacks — assign, deploy, and manage the lifecycle of that artifact as a unit, including deny-assignment locking so deployed resources cannot be modified or deleted outside the stack.
For any new landing-zone or compliant-baseline deployment design, recommend Deployment Stacks + Template Specs rather than Blueprints. If a scenario references an existing Blueprints deployment, the correct architectural recommendation is to plan a migration and export any definitions before the January 31, 2027 cutoff.
Exam Scenario
A company needs virtual machines in production subscriptions to automatically remediate missing antimalware and disk-encryption settings without manual intervention, and flag any VM that cannot be fixed. The correct combination is a DeployIfNotExists-effect policy (auto-remediates by deploying the missing configuration) alongside an AuditIfNotExists policy for settings that require manual follow-up, assigned via an initiative and tracked through the Regulatory Compliance dashboard for reporting.
Takeaways for the Exam
- Map the verb in the requirement to the effect: "block" → Deny, "flag only" → Audit, "fix automatically" → DeployIfNotExists or Modify, "fix only at creation" → Append.
- Choose the Regulatory Compliance dashboard when the requirement names an external standard (ISO, PCI DSS, NIST) rather than an internal rule.
- Know that Azure Blueprints is legacy and being retired (phased retirement started July 31, 2026; full retirement January 31, 2027) — Deployment Stacks plus Template Specs is now the correct recommendation for new designs.
A regulated company needs continuous, control-level evidence that its Azure resources meet the ISO 27001 standard, viewable as a single pass/fail score per control rather than per resource. Which Azure capability directly provides this?
An architect is designing a new repeatable, compliant landing-zone deployment in the second half of 2026 and wants deployed resources locked against out-of-band modification. Given Azure Blueprints' retirement timeline, what should the architect recommend instead?
Which Azure Policy effect evaluation order is correct when multiple policies could apply to the same resource?