4.3 Compliance Management Design

Key Takeaways

  • Azure Policy evaluates resource properties against rules and can Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, or Disable; related policies are grouped into initiatives (policy sets), such as a NIST SP 800-53 or PCI DSS initiative
  • Policy evaluation order is Disabled, then Append and Modify, then Deny, then Audit, then AuditIfNotExists and DeployIfNotExists
  • Microsoft Defender for Cloud's Regulatory Compliance dashboard maps assigned policy initiatives to named standards (NIST, PCI DSS, ISO 27001, the Microsoft cloud security benchmark) and continuously scores control-level pass/fail, now integrated with Microsoft Purview Compliance Manager
  • Azure landing zones apply governance across 8 CAF design areas — including management group/subscription organization and governance itself — as the standard framework for compliance-by-design at enterprise scale
  • Azure Blueprints is being retired: phased retirement began July 31, 2026, with full retirement (permanent deletion of un-exported artifacts) on January 31, 2027 — recommend Azure Deployment Stacks plus Template Specs for new compliant, repeatable landing-zone deployments instead
Last updated: July 2026

Why This Topic Matters

"Recommend a solution for managing compliance" is the second bullet under Design governance, and it is where AZ-305 tests whether you can operationalize governance, not just structure it. Domain 1 carries 25-30% of the exam, and compliance-management questions are dense with named Azure services (Azure Policy, initiatives, Microsoft Defender for Cloud, landing zones) that each solve a slightly different piece of the same problem: proving, continuously and at scale, that resources match required rules. This is also the section where a very current change matters for exam-takers studying in mid-to-late 2026: Azure Blueprints is being retired, and Microsoft's own guidance now points architects toward Deployment Stacks and Template Specs instead.

Azure Policy: Effects and Evaluation Order

Azure Policy definitions describe a business rule and an effect — what happens when a resource matches or violates that rule.

EffectWhat it does
DenyBlocks the create or update request outright when the resource violates the rule
AuditAllows the resource but marks it non-compliant for reporting; no enforcement
AppendAdds a specified property (e.g., a tag) during creation/update; the value cannot be removed by the caller
ModifyAdds, updates, or removes properties (most commonly tags) at creation/update time and via a remediation task against existing resources
DeployIfNotExistsIf a related resource is missing (e.g., a diagnostic setting), automatically deploys a template to create it
AuditIfNotExistsSame detection logic as DeployIfNotExists, but only flags non-compliance instead of remediating it
DisabledEffect is turned off entirely, useful while testing a policy's condition logic

Evaluation order matters when multiple policies could apply to the same resource: Disabled → Append and Modify → Deny → Audit → AuditIfNotExists and DeployIfNotExists. Practically, this means append/modify effects run and adjust the resource before deny is evaluated, so a Modify policy can sometimes bring a resource into compliance before a Deny policy would have blocked it.

Related policy definitions are grouped into initiatives (policy sets) so an architect can assign one initiative — for example, a built-in "NIST SP 800-53" or "PCI DSS" initiative — instead of dozens of individual policies.

Microsoft Defender for Cloud: Regulatory Compliance Dashboard

When a scenario needs continuous, reportable evidence against a named external standard (not just an internal rule), the answer is the Regulatory Compliance dashboard inside Microsoft Defender for Cloud. It:

  • Maps assigned policy initiatives to compliance standards such as ISO 27001, PCI DSS, SOC 2, and the Microsoft cloud security benchmark.
  • Continuously assesses resources against each standard's controls and shows pass/fail at the control level, not just the resource level.
  • Works across Azure, AWS, and GCP resources when those clouds are onboarded to Defender for Cloud.
  • Now integrates with Microsoft Purview Compliance Manager for a single, organization-wide compliance score spanning cloud infrastructure and Microsoft 365 data governance.

Exam distinction: Azure Policy is the enforcement/remediation engine; the Regulatory Compliance dashboard is the reporting and control-mapping layer built on top of policy initiatives.

Azure Landing Zones for Governance at Scale

Building on the hierarchy from 4.1, Azure landing zones formalize governance across 8 CAF design areas: Azure billing and Microsoft Entra tenant; identity and access management; management group and subscription organization; network topology and connectivity; security; management; governance; and platform automation and DevOps. When a scenario asks for "centralized, policy-driven governance" plus a "hub-and-spoke or Virtual WAN network topology" plus "platform/landing-zone separation across many subscriptions," the landing zone framework is the intended answer — it is Microsoft's opinionated reference implementation combining the management group tree, baseline Azure Policy assignments, and network topology into one design.

Azure Blueprints Retirement (Current, Exam-Relevant Change)

Azure Blueprints previously bundled ARM templates, policy assignments, and RBAC assignments into a single versioned "blueprint" that could be assigned and tracked as a unit. Microsoft is retiring Azure Blueprints: a phased retirement began July 31, 2026, and full retirement — including permanent deletion of any blueprint definitions, versions, and assignments that are not exported — occurs on January 31, 2027. Microsoft's replacement is two complementary services used together:

  • Template Specs — store and version the deployment artifact (an ARM/Bicep template) in Azure, or use a Git repository.
  • Azure Deployment Stacks — assign, deploy, and manage the lifecycle of that artifact as a unit, including deny-assignment locking so deployed resources cannot be modified or deleted outside the stack.

For any new landing-zone or compliant-baseline deployment design, recommend Deployment Stacks + Template Specs rather than Blueprints. If a scenario references an existing Blueprints deployment, the correct architectural recommendation is to plan a migration and export any definitions before the January 31, 2027 cutoff.

Exam Scenario

A company needs virtual machines in production subscriptions to automatically remediate missing antimalware and disk-encryption settings without manual intervention, and flag any VM that cannot be fixed. The correct combination is a DeployIfNotExists-effect policy (auto-remediates by deploying the missing configuration) alongside an AuditIfNotExists policy for settings that require manual follow-up, assigned via an initiative and tracked through the Regulatory Compliance dashboard for reporting.

Takeaways for the Exam

  • Map the verb in the requirement to the effect: "block" → Deny, "flag only" → Audit, "fix automatically" → DeployIfNotExists or Modify, "fix only at creation" → Append.
  • Choose the Regulatory Compliance dashboard when the requirement names an external standard (ISO, PCI DSS, NIST) rather than an internal rule.
  • Know that Azure Blueprints is legacy and being retired (phased retirement started July 31, 2026; full retirement January 31, 2027) — Deployment Stacks plus Template Specs is now the correct recommendation for new designs.
Test Your Knowledge

A regulated company needs continuous, control-level evidence that its Azure resources meet the ISO 27001 standard, viewable as a single pass/fail score per control rather than per resource. Which Azure capability directly provides this?

A
B
C
D
Test Your Knowledge

An architect is designing a new repeatable, compliant landing-zone deployment in the second half of 2026 and wants deployed resources locked against out-of-band modification. Given Azure Blueprints' retirement timeline, what should the architect recommend instead?

A
B
C
D
Test Your Knowledge

Which Azure Policy effect evaluation order is correct when multiple policies could apply to the same resource?

A
B
C
D