This chapter covers Azure Compliance Dashboard and Regulatory Standards, a critical area for the AZ-104 exam. Understanding how to assess and report compliance against frameworks like CIS, NIST, and PCI DSS is essential for governance. Expect 5-10% of exam questions to touch on compliance monitoring, Azure Policy, and regulatory compliance. You'll learn how to use the Compliance Dashboard, interpret regulatory standards, and map controls to Azure resources.
Imagine you run a large hospital that must comply with HIPAA. You have a central compliance office. The Azure Compliance Dashboard is like that office's wall of monitors and filing cabinets. Each monitor shows a different regulatory standard (e.g., HIPAA, GDPR, ISO 27001) as a set of checklists. The compliance officer (you) can see at a glance which controls are green (compliant), yellow (at risk), or red (non-compliant). The filing cabinets contain detailed evidence: audit logs, configuration snapshots, and policy assignments. When an inspector arrives, you don't scramble to gather papers; you open the relevant drawer and hand over a pre-assembled binder. The dashboard automatically pulls data from all departments (Azure services) via Azure Policy and Azure Security Center. It doesn't fix problems—it shows you what's broken. If a control fails (e.g., storage accounts not encrypted), the dashboard flags it and links to the exact resource. You then assign a team to fix it. The dashboard also tracks progress over time, showing trends in compliance posture. In short, it's a centralized, real-time, automated compliance monitoring and reporting tool that maps Azure configurations to regulatory frameworks.
What is the Azure Compliance Dashboard?
The Azure Compliance Dashboard is a centralized view within Microsoft Defender for Cloud (formerly Azure Security Center) that provides a real-time assessment of your Azure environment against regulatory compliance standards. It maps Azure Policy initiatives to specific controls within frameworks like CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, PCI DSS, ISO 27001, and SOC 2. The dashboard displays a compliance score and a breakdown of compliant vs. non-compliant resources per control.
Why It Exists
Organizations must adhere to various regulatory requirements depending on their industry and geography. Manually tracking compliance across hundreds of resources is error-prone and time-consuming. The Compliance Dashboard automates assessment by continuously evaluating Azure Policy assignments and reporting results against built-in or custom regulatory standards. This enables administrators to demonstrate compliance during audits and quickly remediate non-compliant resources.
How It Works Internally
The Compliance Dashboard relies on three core components:
- Azure Policy: Defines rules (policies) and sets of rules (initiatives) that enforce or audit resource configurations. For regulatory compliance, Microsoft provides built-in initiative definitions that correspond to specific standards.
- Microsoft Defender for Cloud: Aggregates policy evaluation results and presents them in the Compliance Dashboard. It also provides security recommendations and threat detection.
- Azure Resource Graph: Underpins the querying and aggregation of resource compliance data across subscriptions.
When you enable a regulatory compliance standard in Defender for Cloud, the following happens:
1. Defender for Cloud assigns the corresponding built-in policy initiative to your subscription (or management group).
2. Azure Policy evaluates each resource against the policies within the initiative. Each policy corresponds to a specific control in the regulatory standard.
3. Evaluation results (compliant, non-compliant, or error) are sent to Defender for Cloud.
4. Defender for Cloud calculates a compliance score based on the number of compliant controls vs. total controls.
5. The dashboard displays per-control breakdowns, including affected resources and remediation steps.
Key Components, Values, and Defaults
Built-in Regulatory Standards: The following standards are available out-of-the-box (subject to change):
- CIS Microsoft Azure Foundations Benchmark v1.1.0, v1.3.0, v1.4.0
- NIST SP 800-53 Rev. 4 and Rev. 5
- PCI DSS v3.2.1
- ISO 27001:2013
- SOC 2 Type II
- Azure Security Benchmark (Microsoft's own)
- FedRAMP Moderate and High
- HIPAA/HITRUST
Other key terms and defaults:
- Compliance Score: Percentage of compliant controls. A control is compliant if all associated policies are compliant.
- Controls: A control is a group of policies that address a specific requirement (e.g., 'Ensure encryption at rest').
- Initiative: A collection of policies. For example, the 'CIS Microsoft Azure Foundations Benchmark' initiative contains over 100 policies.
- Default Assignment: When you enable a standard in Defender for Cloud, the initiative is automatically assigned to the subscription scope. You can also assign it manually via Azure Policy.
- Evaluation Frequency: Policies are evaluated every 24 hours by default, but changes trigger near-real-time evaluations (within minutes).
Configuration and Verification Commands
You can manage compliance standards using the Azure Portal, Azure CLI, or PowerShell.
Azure CLI:
# List available regulatory compliance standards
az security regulatory-compliance-standards list
# Show compliance status for a specific standard (e.g., CIS 1.1.0)
az security regulatory-compliance-standards show --name "CIS Microsoft Azure Foundations Benchmark 1.1.0"
# Get only the overall compliance state (Passed/Failed/Skipped/Unsupported) for a standard;
# the CLI flattens the resource's 'properties' object, so 'state' is a top-level field
az security regulatory-compliance-standards show --name "CIS Microsoft Azure Foundations Benchmark 1.1.0" --query "state"
PowerShell:
# Get regulatory compliance standards (Az.Security module)
Get-AzRegulatoryComplianceStandard
# Get the controls and their compliance state for a standard
Get-AzRegulatoryComplianceControl -StandardName "CIS Microsoft Azure Foundations Benchmark 1.1.0"
Azure Portal: Navigate to Microsoft Defender for Cloud > Regulatory Compliance. Select a standard to view its controls and compliance status.
Interaction with Related Technologies
Azure Policy: The Compliance Dashboard is essentially a visualization of Azure Policy evaluation results grouped by regulatory framework. Without Azure Policy, there is no compliance data.
Microsoft Defender for Cloud: Provides the dashboard and additional security recommendations. You must have Defender for Cloud enabled (at least the free tier) to access the Compliance Dashboard.
Azure Blueprints: Can be used to deploy a compliant environment by assigning policy initiatives, role assignments, and resource templates. However, the Compliance Dashboard does not directly use Blueprints; it only evaluates policies.
Azure Resource Graph: Used for custom queries and reporting. You can write KQL queries to extract compliance data for custom dashboards.
Custom Standards and Initiatives
You can create custom regulatory compliance standards by building your own policy initiatives and mapping them to controls. In the Compliance Dashboard, you can add custom standards by importing a JSON file that defines the standard, its controls, and the associated initiative. This is useful for internal compliance frameworks or less common regulations.
Limitations
The Compliance Dashboard only evaluates policies that are part of the assigned initiative. If a resource is non-compliant with a policy not in the initiative, it won't affect the compliance score.
The dashboard does not enforce remediation; it only reports. You must manually fix non-compliant resources or use Azure Policy's 'deployIfNotExists' effect.
Compliance scores are not real-time; they update every few hours or on-demand via refresh.
Not all Azure regions support all standards. Check regional availability.
Enable Microsoft Defender for Cloud
Navigate to the Azure Portal and open Microsoft Defender for Cloud. Ensure it is enabled on your subscription (the free tier is sufficient for the Compliance Dashboard). If not, click 'Get started' and enable it. This activates the security monitoring and compliance assessment capabilities. Without this step, the Compliance Dashboard will not be available.
Select a Regulatory Compliance Standard
In Defender for Cloud, go to 'Regulatory Compliance'. Click 'Manage compliance policies' and then select the subscription. Under 'Regulatory compliance standards', choose a built-in standard like 'CIS Microsoft Azure Foundations Benchmark 1.1.0'. Click 'Enable'. This assigns the corresponding policy initiative to your subscription.
Review Policy Assignment
After enabling, the policy initiative is assigned at the subscription scope. You can verify this by going to Azure Policy > Assignments. You should see an assignment with a name like '[Preview]: Azure Security Benchmark' or the specific standard. The assignment has parameters that may need configuration (e.g., a list of allowed locations). Default parameters work for an initial assessment.
Wait for Evaluation
Azure Policy evaluates resources every 24 hours by default. To trigger an immediate evaluation, you can run `az policy state trigger-scan` or use PowerShell `Start-AzPolicyComplianceScan`. The scan may take up to 30 minutes to complete. After the scan, results appear in the Compliance Dashboard.
Analyze Compliance Results
Go back to Defender for Cloud > Regulatory Compliance. Select the enabled standard. You'll see a compliance percentage and a list of controls. Each control shows compliant and non-compliant resources. Click a control to see detailed policy evaluations and affected resources. Identify non-compliant resources and plan remediation.
Scenario 1: Healthcare Provider Achieving HIPAA Compliance
A hospital chain migrates patient records to Azure. They must comply with HIPAA. The compliance team enables the HIPAA/HITRUST standard in Defender for Cloud. The dashboard immediately shows 40% compliance. They drill into controls like 'Encryption at rest' and see that several storage accounts have encryption disabled. They use Azure Policy to enforce encryption via the 'deployIfNotExists' effect, automatically deploying encryption settings. Over weeks, compliance rises to 95%. The dashboard provides audit-ready reports for HHS inspections.
Scenario 2: Financial Services Adhering to PCI DSS
A fintech company processes credit card transactions. They need to comply with PCI DSS v3.2.1. They enable the standard and discover that their virtual networks are missing network security groups (NSGs) on critical subnets. The dashboard flags the control 'Restrict network access to cardholder data'. The team creates NSGs with deny rules and assigns them via Azure Policy. They also set up just-in-time VM access to meet access control requirements. The dashboard tracks progress and generates a compliance report for their acquiring bank.
Scenario 3: Government Contractor Meeting FedRAMP
A defense contractor deploys a workload in Azure Government. They must meet FedRAMP High. They enable the FedRAMP High standard. The dashboard shows that their Azure SQL databases are not using Transparent Data Encryption (TDE). They use Azure Policy to audit TDE and remediate non-compliant databases. They also configure Azure Backup with long-term retention to meet data recovery controls. The dashboard is used during annual assessments to demonstrate continuous compliance.
Common Misconfigurations
Not enabling Defender for Cloud: Without it, the dashboard is empty.
Assigning multiple standards without reviewing overlapping policies, causing duplicate evaluations.
Ignoring 'error' states in policy evaluation, which indicate misconfigured policies (e.g., missing parameters).
Relying solely on the dashboard without implementing remediation automation, leading to manual overhead.
What AZ-104 Tests
AZ-104 objective 1.2 'Manage governance and compliance' includes: configure and manage Azure Policy, assign policy initiatives, and interpret compliance results. Directly tested: enabling regulatory compliance standards, viewing compliance status, and understanding the relationship between Azure Policy and the Compliance Dashboard. You will NOT be asked to create custom standards or write complex policies; focus on built-in standards and basic remediation.
Common Wrong Answers
'Compliance Dashboard is part of Azure Policy' – Wrong. The dashboard is part of Microsoft Defender for Cloud, but it relies on Azure Policy evaluations. Candidates confuse the tool with the service.
'You must enable Azure Security Center (now Defender for Cloud) paid tier' – Wrong. The free tier includes the Compliance Dashboard. The paid tier adds threat detection but is not required for compliance reporting.
'Compliance Dashboard automatically remediates non-compliant resources' – Wrong. It only reports. Remediation requires manual action or policy effects like 'deployIfNotExists'.
'You can only use built-in standards' – Wrong. You can import custom standards via JSON.
Specific Numbers and Terms
CIS Benchmark versions: 1.1.0, 1.3.0, 1.4.0.
Default evaluation frequency: 24 hours.
Compliance score = (compliant controls / total controls) * 100.
'Control' vs 'Policy': A control is a requirement; a policy is a rule that checks compliance.
Edge Cases
If a policy is not applicable to a resource (e.g., policy for SQL on a storage account), it is marked as 'compliant' by default.
If a policy evaluation returns an error (e.g., insufficient permissions), the control shows as 'error' and does not count toward compliance.
When you disable a standard, the policy initiative remains assigned. You must manually delete the assignment to stop evaluation.
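The score formula and the two edge cases above can be modelled directly. This is an added example, not Microsoft's code or a real API schema: it rolls constructed per-policy evaluation results up to per-control states, counts not-applicable policies as compliant, treats any control containing an 'Error' evaluation as an error and (an assumption about "does not count") leaves it out of the denominator.

```python
"""Compliance-score roll-up as the chapter describes it (added example, not Microsoft code).

Rules modelled: a control is compliant only when every policy in it is compliant,
not-applicable policies count as compliant, and a control with an evaluation
error is reported as 'Error' and left out of the score (assumed: excluded from
the denominator). Input is constructed sample data, not a real API schema.
"""
from collections import defaultdict

# Constructed per-policy evaluation results for a hypothetical standard.
SAMPLE_EVALUATIONS = [
    {"control": "Encryption at rest", "policy": "Storage accounts should use encryption", "state": "Compliant"},
    {"control": "Encryption at rest", "policy": "SQL TDE should be enabled", "state": "NotApplicable"},
    {"control": "Restrict network access", "policy": "Subnets should have an NSG", "state": "NonCompliant"},
    {"control": "Restrict network access", "policy": "Storage accounts should restrict network access", "state": "Compliant"},
    {"control": "Audit logging", "policy": "Diagnostic settings should be enabled", "state": "Error"},
    {"control": "Audit logging", "policy": "Activity log should be retained", "state": "Compliant"},
    {"control": "Identity", "policy": "MFA should be enabled for owners", "state": "Compliant"},
]

def control_states(evaluations):
    """Roll per-policy states up to one state per control."""
    by_control = defaultdict(list)
    for e in evaluations:
        by_control[e["control"]].append(e["state"])
    result = {}
    for control, states in by_control.items():
        if "Error" in states:
            result[control] = "Error"          # misconfigured policy (e.g. missing parameters)
        elif "NonCompliant" in states:
            result[control] = "NonCompliant"   # one failing policy fails the whole control
        else:
            result[control] = "Compliant"      # every policy Compliant or NotApplicable
    return result

def compliance_score(evaluations):
    """Percentage of compliant controls among scored (non-error) controls."""
    states = control_states(evaluations)
    scored = [s for s in states.values() if s != "Error"]
    if not scored:
        return 0.0
    compliant = sum(1 for s in scored if s == "Compliant")
    return round(compliant / len(scored) * 100, 1)

def failing_controls(evaluations):
    """Map each non-compliant control to the policies that fail it, for remediation planning."""
    out = defaultdict(list)
    for e in evaluations:
        if e["state"] == "NonCompliant":
            out[e["control"]].append(e["policy"])
    return dict(out)

if __name__ == "__main__":
    print(control_states(SAMPLE_EVALUATIONS), compliance_score(SAMPLE_EVALUATIONS), failing_controls(SAMPLE_EVALUATIONS))
```

With the sample data, 'Audit logging' is excluded as an error, 'Restrict network access' fails on the NSG policy, and the remaining two controls are compliant, giving 66.7%.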
Eliminating Wrong Answers
If the question asks 'Where do you view regulatory compliance?', answer 'Microsoft Defender for Cloud' (not Azure Policy).
If asked about automatic remediation, look for 'Azure Policy deployIfNotExists' or 'remediation task', not the dashboard.
If asked about cost, remember that the free tier includes the Compliance Dashboard; the paid tier is for advanced security.
The Compliance Dashboard is in Microsoft Defender for Cloud, not Azure Policy.
Built-in regulatory standards include CIS, NIST, PCI DSS, ISO 27001, SOC 2, FedRAMP, HIPAA.
Enabling a standard assigns a policy initiative to your subscription.
Compliance score = (compliant controls / total controls) * 100.
Policy evaluation occurs every 24 hours by default.
The free tier of Defender for Cloud includes the Compliance Dashboard.
Custom standards can be imported via JSON.
The dashboard does not remediate; it only reports.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy Compliance View
Shows compliance of individual policies and initiatives.
Does not group policies by regulatory framework.
No compliance score or control grouping.
Available in Azure Policy blade.
Good for detailed policy-level troubleshooting.
Compliance Dashboard (Defender for Cloud)
Groups policies into regulatory standards (e.g., CIS, NIST).
Provides a compliance percentage per standard.
Organizes policies into controls that map to regulatory requirements.
Available in Microsoft Defender for Cloud.
Best for audit readiness and executive reporting.
Mistake
The Compliance Dashboard is a feature of Azure Policy.
Correct
The Compliance Dashboard is part of Microsoft Defender for Cloud. Azure Policy provides the underlying evaluation engine, but the dashboard is a separate UI in Defender for Cloud.
Mistake
You need Azure Defender (paid tier) to use the Compliance Dashboard.
Correct
The free tier of Defender for Cloud includes the Compliance Dashboard. The paid tier adds additional security features but is not required for compliance assessment.
Mistake
The Compliance Dashboard automatically fixes non-compliant resources.
Correct
The dashboard only reports compliance status. Remediation requires manual action or Azure Policy effects like 'deployIfNotExists' with remediation tasks.
Mistake
Compliance scores are updated in real-time.
Correct
Policy evaluations occur every 24 hours by default, though changes can trigger near-real-time updates. The dashboard refreshes periodically; you can manually refresh it.
Mistake
You can only use built-in regulatory standards.
Correct
You can create custom regulatory compliance standards by importing a JSON definition that maps your own policy initiatives to controls.
Go to Microsoft Defender for Cloud > Regulatory Compliance. Click 'Manage compliance policies', select your subscription, then enable a regulatory compliance standard (e.g., CIS 1.1.0). This assigns the corresponding policy initiative. The dashboard will populate after the first policy evaluation (within 24 hours or after manual scan).
Azure Policy is a service that enforces and audits resource configurations. The Compliance Dashboard is a UI in Defender for Cloud that visualizes policy evaluation results grouped by regulatory framework. Azure Policy provides the raw compliance data; the dashboard organizes it for audit purposes.
Yes. In the Compliance Dashboard, click 'Manage compliance policies', select your subscription, then click 'Add custom standard'. Upload a JSON file that defines the standard, its controls, and the associated policy initiative. The initiative must already exist in Azure Policy.
The dashboard refreshes based on policy evaluation cycles. By default, policies evaluate every 24 hours. You can trigger an on-demand evaluation using Azure CLI: 'az policy state trigger-scan'. The dashboard UI may take up to 30 minutes to reflect new results.
No. The free tier of Microsoft Defender for Cloud includes the Compliance Dashboard. Azure Defender (paid) adds advanced threat protection but is not required for compliance reporting.
The dashboard itself does not remediate. You can manually fix resources, or use Azure Policy with 'deployIfNotExists' effect and create a remediation task. Alternatively, use Azure Automation runbooks or manual scripts.
It means all controls within the selected regulatory standard are fully compliant. Each control is a group of policies; all policies must be compliant for the control to be compliant. Policies that are not applicable to a resource still count as compliant.