This chapter covers designing governance solutions in Azure, focusing on Azure Policy, management groups, resource tagging, and Azure Blueprints. Governance is a critical topic on the AZ-305 exam, appearing in approximately 15-20% of questions, often integrated with cost management and security scenarios. You will learn how to enforce organizational standards, assess compliance, and automate governance at scale using these tools.
Jump to a section
Imagine a city building permit office. The city has a master zoning plan that defines what types of buildings can go where (residential, commercial, industrial). The permit office enforces this plan. When a contractor wants to build a new structure, they must submit a permit application. The office checks the application against the zoning plan: is this building type allowed in this zone? Are the required safety features included? If approved, the permit is issued with specific conditions (e.g., maximum height, fire sprinklers). The office also conducts periodic inspections to ensure ongoing compliance. If a violation is found, a notice is issued, and the contractor must remediate or face penalties. This is exactly how Azure Policy works: Azure Policy defines the 'zoning plan' (policies) that govern resource types, locations, SKUs, and tags. When a resource is created or updated, Azure Policy evaluates the request against the defined policies. If it violates a policy, the request can be denied or the resource marked non-compliant. Policy assignments are like permit conditions applied to a specific scope (subscription, resource group). Just as the permit office can audit existing buildings, Azure Policy can evaluate existing resources for compliance. And just as the city can have different zones, Azure Policy uses 'initiatives' to group related policies. The key mechanism: Azure Policy uses a 'deny' effect to block non-compliant resources at creation time, or 'audit' to flag them without blocking, or 'modify' to auto-remediate. The policy engine runs on every PUT/PATCH request to the Azure Resource Manager, checking the request payload against the policy rules before the resource is created or updated. This is not like Azure RBAC, which controls who can act; Azure Policy controls what resources are allowed to exist.
What is Azure Governance and Why Does It Matter?
Azure governance is the framework of rules, policies, and processes that ensure resources are deployed and managed in a consistent, compliant, and cost-effective manner. Without governance, organizations face sprawl, security risks, and cost overruns. The AZ-305 exam expects you to design governance solutions that align with business requirements, regulatory standards, and operational best practices.
Management Groups: The Hierarchical Foundation
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. They form a hierarchy: a single root management group (tenant root group) at the top, with child management groups and subscriptions underneath. You can create up to 10,000 management groups in a single directory. A management group can have up to 1,000 child management groups. The hierarchy supports up to 6 levels of depth (not including the root level).
Purpose: Management groups allow you to apply policies and RBAC assignments at a high level, which are inherited by all subscriptions and resource groups below. This reduces administrative overhead.
Key exam fact: The root management group is automatically created when you first navigate to the Management Groups blade in the Azure portal. You cannot delete it. It contains all subscriptions in the tenant.
Inheritance: Policies and RBAC assignments applied at a management group are inherited by all child management groups, subscriptions, and resources. However, if you assign a policy at a subscription level, it does not propagate up to the management group.
Limitations: You cannot move a management group into another management group if it contains subscriptions that are in a different Azure AD tenant. Also, you can only have one root management group.
Azure Policy: The Rule Engine
Azure Policy is a service that creates, assigns, and manages policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements. Azure Policy evaluates resources and actions against policy definitions.
- Policy Definition: A JSON document that defines the condition and the effect. Conditions use logical operators (if, then) and can check resource properties like location, size, tags, SKU, and more. Effects include: - Deny: Blocks the creation or update of a non-compliant resource. This is the strongest effect and is evaluated before the resource is created. - Audit: Creates a warning event in the activity log but does not block the request. Useful for detecting non-compliant resources without breaking deployments. - Append: Adds additional fields to the resource during creation or update. For example, automatically adding a required tag. - AuditIfNotExists: Enables auditing of resources related to the target resource. For example, auditing virtual machines that do not have a specific extension installed. - DeployIfNotExists: Deploys a template to remediate non-compliant resources. For example, automatically deploying a network security group. - Modify: Similar to Append but can also change existing properties on a resource. Requires a 'modify' role assignment. - Disabled: The policy is not evaluated. Useful for testing or temporarily turning off a policy.
Policy Initiative (PolicySet): A group of policy definitions that are tracked together. For example, the 'Azure Security Benchmark' initiative includes many individual policies. Initiatives simplify management and compliance reporting.
Assignment: Applying a policy or initiative to a specific scope (management group, subscription, resource group). You can also exclude sub-scopes using 'Exclusions'.
Policy Parameters: Allow you to reduce the number of policy definitions by making them reusable. For example, a parameter can specify which locations are allowed, so you don't need a separate policy for each location.
Compliance: Resources are evaluated for compliance at regular intervals (every 24 hours by default) and on any create/update operation. You can view compliance state in the Azure portal or via Azure Resource Graph.
Resource Tags: Organizing and Governing
Tags are metadata key-value pairs applied to Azure resources. They are not inherited from the resource group; you must explicitly assign them. Tags help with organization, cost allocation, and policy enforcement.
Tag Naming: Case-sensitive, up to 512 characters for the key and 256 characters for the value (except for storage accounts, which have lower limits).
Policy and Tags: You can use Azure Policy to enforce tagging rules, such as requiring a specific tag on new resources (using the 'deny' effect) or automatically applying a tag if missing (using 'modify' or 'append').
Cost Reporting: Tags are used to group costs in Azure Cost Management. For example, you can tag resources by department or project.
Limitations: Not all resource types support tags. Some resources, like Azure DNS zones, do not support tags. Also, tags cannot be applied to classic resources (ASM).
Azure Blueprints: Package and Deploy Governance
Azure Blueprints enable you to define a repeatable set of Azure resources that implements and adheres to your organization's standards, patterns, and requirements. A blueprint is a declarative package that includes:
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Blueprint Definition: Created in the Blueprints service. It is versioned, so you can track changes. You can publish multiple versions.
Blueprint Assignment: Deploying a blueprint to a subscription. During assignment, you can specify parameters. The blueprint creates the resources and applies the policies and roles.
Blueprint vs. ARM Template: An ARM template deploys resources; a blueprint also deploys policies, roles, and resource groups, and it can be versioned and tracked. Blueprints are more about governance than infrastructure.
Exam Note: Blueprints are being deprecated in favor of deployment stacks and templates. However, they are still on the exam. Know the difference.
Azure Resource Graph: Query and Discover
Azure Resource Graph is a service that extends Azure Resource Manager and provides an efficient way to query resources across subscriptions. It uses the Kusto Query Language (KQL). You can use it to:
Find resources that are non-compliant with policies.
Generate reports on resource inventory.
Quickly find resources by properties.
Performance: Resource Graph returns results in milliseconds, even across thousands of subscriptions.
Exam Tip: Use 'where' clauses to filter, and 'project' to select columns. Example: resources | where type =~ 'microsoft.compute/virtualmachines' | project name, location, tags
Azure Policy Effects in Detail
Understanding the order of evaluation is critical for the exam. When a resource creation request arrives at Azure Resource Manager: 1. Resource Manager receives the request and authenticates it. 2. Azure Policy evaluates the request against all applicable policies. Policies with 'Deny' effect are evaluated first. If any deny policy matches, the request is rejected with a 403 (Forbidden) status. 3. If no deny, policies with 'Append' or 'Modify' effects are applied, altering the request payload. 4. The resource is created with the modified payload. 5. Audit policies are evaluated and log events. 6. DeployIfNotExists policies trigger deployment of remediation templates if needed.
Evaluation Order: Deny > Append/Modify > Audit > AuditIfNotExists > DeployIfNotExists.
Multiple Policies: If multiple policies apply, they are evaluated in alphabetical order by policy name. If two policies conflict (one allows, one denies), the deny wins.
Not Scoped: Policies assigned at a higher scope (e.g., management group) apply to all child scopes unless excluded.
Compliance and Remediation
Compliance states include: - Compliant: Resource meets the policy condition. - Non-compliant: Resource does not meet the condition. - Exempt: Resource is exempt from policy evaluation (requires an exemption assignment). - Conflict: Two or more policies assign different effects to the same resource (rare).
Remediation: For policies with 'DeployIfNotExists' or 'Modify' effects, you can create a remediation task to bring existing non-compliant resources into compliance. Remediation tasks run asynchronously and can take time.
Policy Aliases
Aliases are the property paths that policies can evaluate. For example, Microsoft.Compute/virtualMachines/sku.name is an alias for the VM SKU. You can discover aliases using the Azure CLI:
az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases" --query "resourceTypes[].aliases"Designing a Governance Strategy
When designing, consider: - Scope: Start with management groups for broad policies, then drill down to subscriptions and resource groups for specific needs. - Inheritance vs. Assignment: Assign policies at the highest possible scope to reduce duplication, but use exclusions carefully. - Policy Effects: Use 'deny' for mandatory requirements (e.g., allowed regions), 'audit' for monitoring, and 'modify' for auto-correction. - Tagging Strategy: Define a standard set of tags (e.g., CostCenter, Environment, Owner) and enforce them with policies. - Compliance Monitoring: Use Azure Policy compliance dashboard and Azure Resource Graph for reporting.
Blueprint Lifecycle
Create blueprint definition with artifacts (policies, roles, ARM templates).
Publish a version (e.g., v1.0).
Assign to a subscription. You can assign multiple times.
Update the blueprint (new version) and reassign to update existing subscriptions.
Delete assignment to remove resources? No, deleting an assignment does not delete the resources; it only removes the link. Resources remain.
Common Pitfalls
Policy not applying to existing resources: Policies only evaluate on create/update by default. To evaluate existing resources, you must trigger a compliance scan or use 'DeployIfNotExists' remediation.
Too many policies: Can cause performance issues. Limit to 500 policies per scope.
Tag inheritance confusion: Tags are not inherited. Use policy with 'append' or 'modify' to automatically apply tags from the resource group.
Command Examples
Create a policy definition:
az policy definition create --name "allowed-locations" --rules '{"if":{"not":{"field":"location","in":["eastus","westus"]}},"then":{"effect":"deny"}}'Assign policy:
az policy assignment create --name "allowed-locations-assignment" --policy "allowed-locations" --scope /subscriptions/{subscription-id}Create management group:
az account management-group create --name "MyGroup" --display-name "My Group"Query resources with Resource Graph:
resources
| where type =~ 'microsoft.compute/virtualmachines'
| where properties.storageProfile.osDisk.osType == 'Windows'
| project name, locationDefine Governance Requirements
Begin by gathering business and compliance requirements. Identify mandatory tags (e.g., CostCenter, Environment), allowed regions (e.g., only East US and West US), and required resource configurations (e.g., VM SKUs, encryption). Document these in a governance requirements document. This step is crucial because it drives the design of management groups, policies, and blueprints. The AZ-305 exam may present a scenario where you must infer requirements from business constraints. For example, a company with a data sovereignty regulation must restrict resource locations to specific Azure regions. This requirement directly translates to a policy definition with a 'deny' effect for disallowed locations.
Design Management Group Hierarchy
Create a management group structure that reflects your organization's structure. For example, a top-level 'Corporate' group, with child groups for 'Sales', 'Engineering', and 'Finance'. Each child group contains relevant subscriptions. Apply common policies at the highest appropriate level. For instance, a policy that requires encryption can be assigned at the root management group, ensuring it applies to all subscriptions. Remember the hierarchy depth limit of 6 levels. Use naming conventions that make the hierarchy clear. In the Azure portal, you can create management groups under the 'Management groups' blade. Use the 'az account management-group create' command for automation.
Create and Assign Azure Policies
Define policy definitions using JSON or built-in definitions. For each requirement, choose the appropriate effect. For example, to enforce a specific tag on all resources, use a policy with 'deny' effect if the tag is missing. For auto-remediation, use 'modify' or 'deployIfNotExists'. Assign policies to management groups or subscriptions. Use parameters to make policies reusable. Test policies in a non-production environment first. Use 'audit' effect initially to see what resources would be affected, then switch to 'deny' after validation. Use Azure CLI or PowerShell to create and assign policies at scale.
Implement Tagging Strategy
Define a standard set of tags and enforce them via Azure Policy. For example, require tags like 'CostCenter', 'Environment', and 'Owner' on all resources. Use 'append' effect to automatically add a tag if it is missing. Ensure that tags are applied consistently for cost reporting and resource organization. Use Azure Policy to prevent removal of required tags. Remember that tags are not inherited, so you must explicitly apply them. Use policy to copy tags from the resource group to resources using 'modify' effect or a custom policy. Use 'az tag' commands to manage tags programmatically.
Set Up Compliance Monitoring and Remediation
After policies are assigned, monitor compliance using the Azure Policy dashboard. View compliance states per policy and per resource. For non-compliant resources, create remediation tasks for policies with 'deployIfNotExists' or 'modify' effects. Remediation tasks run asynchronously and can be scheduled. Use Azure Resource Graph to query non-compliant resources for custom reporting. Set up alerts for compliance changes using Azure Monitor. Regularly review and update policies to adapt to new requirements. The exam may ask about remediation tasks and how they differ from manual fixes.
Scenario 1: Multinational Corporation with Data Residency Requirements
A global company must ensure that all Azure resources are deployed only in approved regions (e.g., US East, EU West) to comply with data sovereignty laws. They use a root management group with a child group for each continent. At the root group, they assign a built-in policy 'Allowed locations' with a deny effect, specifying the approved regions. They also create a custom policy to require a 'DataClassification' tag (e.g., Public, Internal, Confidential). For resources missing the tag, an 'append' effect adds a default 'Internal' tag. They use Azure Blueprints to deploy a standard landing zone with these policies pre-assigned. Common issues: forgetting to add a new region to the allowed list causes deployment failures; policy updates take up to 30 minutes to propagate. They use Azure Resource Graph to audit compliance weekly.
Scenario 2: Startup with Cost Control Needs
A startup wants to prevent deployment of expensive VM SKUs (e.g., GPU instances) to control costs. They create a custom policy that denies creation of VMs with SKUs containing 'Standard_N' (N-series). They also enforce a 'CostCenter' tag on all resources, using a 'modify' effect to auto-tag resources from the resource group tag. They assign these policies at the subscription level. They use Azure Cost Management with tag-based filtering to allocate costs. Pitfall: developers often try to create VMs in a different region to bypass the policy, so they also enforce allowed regions. They set up compliance alerts to notify the finance team of any non-compliant resources.
Scenario 3: Government Agency with Strict Compliance
A government agency must comply with NIST 800-53. They use Azure Policy's built-in 'NIST SP 800-53 R4' initiative, which includes hundreds of policies. They assign this initiative at the root management group. They also create custom policies for agency-specific requirements. They use Azure Blueprints to deploy a secure baseline that includes policies, RBAC roles, and network security groups. They perform monthly compliance scans using Azure Policy's compliance dashboard and generate reports for auditors. Challenge: the initiative includes many policies that may conflict with operational needs, requiring careful exclusions. They use exemptions sparingly and document each exemption. They also use Azure Resource Graph to quickly identify non-compliant resources across thousands of subscriptions.
What AZ-305 Tests on Governance (Objective 1.2)
The exam focuses on designing a governance solution that meets business requirements. Key areas: - Management Groups: Understand hierarchy, inheritance, and limitations. Know that you can have up to 10,000 management groups and 6 levels of depth. The root management group cannot be moved or deleted. - Azure Policy: Effects (Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, Disabled). Evaluation order. Policy vs. RBAC. Policy parameters and initiatives. Compliance states. - Resource Tags: Tag inheritance (no automatic), policy enforcement, cost reporting. Tag limits (512 for key, 256 for value). - Azure Blueprints: Blueprint vs. ARM template. Versioning. Artifacts. Assignment and lifecycle. Deprecation note: Blueprints are being replaced, but still tested. - Azure Resource Graph: KQL basics. Use for compliance queries.
Common Wrong Answers and Why Candidates Choose Them
'Assign policy at resource group level for global compliance' – Wrong. For organization-wide rules, assign at management group or subscription level to ensure all resources inherit. Candidates confuse scope with granularity.
'Tags are inherited from the resource group' – Wrong. Tags are not inherited. Candidates assume inheritance like policies. Reality: you must explicitly apply tags or use policy to propagate them.
'Use Azure RBAC to restrict resource locations' – Wrong. RBAC controls who can act, not what resources can be created. Policy controls resource properties. Candidates confuse authorization with governance.
'Azure Policy evaluates resources continuously in real-time' – Wrong. Evaluation happens on create/update and every 24 hours. Not real-time. Candidates overestimate frequency.
'Blueprint assignments automatically update resources when the blueprint is updated' – Wrong. Updating a blueprint does not automatically update existing assignments; you must reassign the new version. Candidates think blueprints are like templates that redeploy.
Specific Numbers and Terms That Appear on the Exam
Management group depth limit: 6 levels.
Maximum management groups: 10,000.
Policy evaluation order: Deny > Append/Modify > Audit > AuditIfNotExists > DeployIfNotExists.
Default compliance scan interval: 24 hours.
Tag key max length: 512 characters; value max: 256.
Blueprint versioning: publish versions (e.g., 1.0, 2.0).
Policy definition structure: JSON with 'if' and 'then'.
Edge Cases and Exceptions
Policy with 'Deny' effect can be overridden by an 'Audit' policy at a higher scope? No. Deny always wins if both apply. But if the deny policy is at a lower scope and the audit at higher, the deny at lower scope blocks the resource.
Exclusions: You can exclude a sub-scope from a policy assignment. Exclusions are not inherited.
Policy on classic resources: Azure Policy does not support classic (ASM) resources.
Remediation tasks: Only for 'DeployIfNotExists' and 'Modify' effects. They run asynchronously.
How to Eliminate Wrong Answers
If the question is about enforcing a rule (e.g., 'must have tag'), look for policy, not RBAC.
If the question is about cost control, consider policy on SKU or region.
If the question involves multiple subscriptions, think management groups.
If the question asks for a repeatable deployment with governance, think Blueprints.
Use the process of elimination: if an option says 'tags are inherited', it's wrong.
Management groups support a hierarchy up to 6 levels deep and a maximum of 10,000 groups.
Azure Policy evaluation order: Deny > Append/Modify > Audit > AuditIfNotExists > DeployIfNotExists.
Tags are not inherited; use Azure Policy 'append' or 'modify' to auto-apply tags.
Azure Policy compliance scans occur every 24 hours by default and on resource create/update.
Azure Blueprints are versioned packages that include policies, roles, and ARM templates.
Use Azure Resource Graph with KQL to query resources across subscriptions for compliance.
Remediation tasks only work with 'DeployIfNotExists' and 'Modify' policy effects.
The root management group cannot be deleted and contains all subscriptions in the tenant.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy
Controls resource properties (e.g., location, size, tags)
Uses policy definitions with conditions and effects
Enforced at create/update time and via compliance scans
Can deny or audit resource creation
Scoped to management groups, subscriptions, resource groups
Azure RBAC
Controls user permissions (who can do what)
Uses role definitions and role assignments
Enforced at runtime for any operation
Controls access, not resource configuration
Scoped to management groups, subscriptions, resource groups, or individual resources
Azure Blueprint
Package of policies, roles, and ARM templates
Versioned and can be updated
Creates a locked-down resource group structure
Supports compliance tracking and auditing
Being deprecated in favor of deployment stacks
ARM Template
Declarative JSON template for deploying resources
No built-in versioning (use source control)
Does not include policy or role assignments natively
Focused on infrastructure deployment
Actively developed and widely used
Mistake
Azure Policy and Azure RBAC are the same thing.
Correct
Azure RBAC controls who can perform actions on resources (authorization). Azure Policy controls what resources can be created or modified (configuration compliance). They are complementary but distinct. RBAC uses role assignments; Policy uses policy definitions with effects like deny and audit.
Mistake
Tags are automatically inherited from the parent resource group.
Correct
Tags are not inherited in Azure. A resource does not automatically get the tags of its resource group. You must explicitly assign tags to each resource, or use Azure Policy with 'append' or 'modify' effect to propagate tags from the resource group.
Mistake
Assigning a policy at the root management group applies to all subscriptions, including those in other Azure AD tenants.
Correct
Policies assigned at the root management group apply only to subscriptions within the same Azure AD tenant. They do not cross tenant boundaries.
Mistake
Azure Blueprints automatically update existing resources when the blueprint definition is updated.
Correct
Updating a blueprint definition and publishing a new version does not automatically update resources in existing assignments. You must manually reassign the new version to the subscription to apply changes. Blueprints are not like continuous deployment.
Mistake
Azure Policy evaluates resources in real-time, every few seconds.
Correct
Azure Policy evaluates resources when they are created or updated, and during periodic compliance scans (every 24 hours by default). It is not real-time. You can trigger an on-demand scan using Azure CLI or PowerShell.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Policy controls the properties of resources (e.g., allowed locations, required tags) and enforces compliance rules. Azure RBAC controls who has access to resources and what actions they can perform. Policy is about 'what' resources are allowed; RBAC is about 'who' can manage them. For example, a policy can deny creation of VMs in a specific region, while RBAC can grant a user 'Contributor' role to manage VMs.
Use Azure Policy with a 'deny' or 'append' effect. Create a policy definition that checks for the existence of a tag (e.g., 'CostCenter'). If missing, the 'deny' effect blocks creation; the 'append' effect adds a default value. Assign the policy at a high scope like the root management group to cover all subscriptions. For existing resources, use a 'modify' policy with a remediation task to add tags.
Yes. Create a policy that evaluates the 'Microsoft.Compute/virtualMachines/sku.name' alias. For example, deny creation of VMs with SKUs containing 'Standard_N' to block GPU instances. Use the 'deny' effect. You can also use parameters to allow a list of approved SKUs. Assign the policy at the subscription or management group level.
Management groups provide a hierarchical structure to organize subscriptions for policy and access management. They allow you to apply Azure Policy and RBAC assignments at a high level, which then inherit to all child subscriptions and resource groups. This reduces administrative overhead and ensures consistent governance across the organization.
Use the Azure Policy compliance dashboard in the Azure portal. You can view compliance per policy and per resource. For custom queries, use Azure Resource Graph. For example: `policyResources | where properties.policyAssignmentName == 'my-policy' | project resourceId, complianceState`. You can also trigger an on-demand compliance scan using `az policy state trigger-scan`.
Existing resources are not automatically affected by a new 'Deny' policy. They become 'non-compliant' in the compliance report, but they are not deleted or modified. The 'Deny' effect only blocks new create/update operations. To remediate existing resources, you can use a 'DeployIfNotExists' or 'Modify' policy with a remediation task, or manually update the resources.
Azure Blueprints are not being actively developed and are in a deprecation process. Microsoft recommends using deployment stacks and ARM templates for new deployments. However, Blueprints are still available and may appear on the AZ-305 exam. You should understand their concepts but focus on the newer alternatives for real-world use.
You've just covered Designing Governance Solutions — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?