This chapter covers regulatory compliance by design in Microsoft Azure, a critical topic for the AZ-305 exam. You will learn how to architect solutions that meet industry standards (e.g., HIPAA, GDPR, PCI DSS) using Azure Policy, Blueprints, and Microsoft Defender for Cloud. Approximately 15-20% of exam questions touch governance and compliance, making this a high-yield area. Mastering these concepts ensures you can design compliant, auditable, and secure Azure environments from the ground up.
Jump to a section
Imagine you are an architect designing a skyscraper. The building code (regulatory compliance) is a set of mandatory rules: fire exits every 30 meters, sprinklers in every room, emergency lighting on each floor, and a minimum corridor width of 1.2 meters. You don't build a generic structure and then check if it passes code; you design it with code in mind from the start. The city inspector (Azure Policy) reviews your blueprints and construction at each phase, not just at the end. If you install a door that is too narrow, the inspector flags it immediately (deny effect). If you use a non-compliant material, the inspector can alert you but allow construction to continue (audit effect). Some requirements are enforced automatically — for example, fire alarms must be on a separate circuit (built-in policy). Others require you to submit documentation (remediation tasks). The building code also changes over time; when a new regulation is passed, the inspector re-evaluates existing buildings (policy initiative). If a building was compliant when built but no longer meets updated code, the inspector issues a notice (non-compliant resource). The building owner can then decide to retrofit (remediate) or accept the risk. In Azure, regulatory compliance is designed by applying policies that enforce or audit controls, using initiatives that group related policies, and continuously monitoring compliance status via dashboards. Just as a building inspector doesn't care about your interior decoration, Azure Policy doesn't care about application code — it focuses on infrastructure configurations that affect security and compliance.
What is Regulatory Compliance by Design?
Regulatory compliance by design means embedding compliance controls into the architecture of your Azure environment from the outset, rather than bolting them on after deployment. This proactive approach ensures that resources are automatically configured to meet specific regulatory standards (e.g., HIPAA, GDPR, PCI DSS, SOC 2, FedRAMP). The primary Azure services used are Azure Policy, Azure Blueprints, and Microsoft Defender for Cloud (formerly Azure Security Center). Azure Policy enforces rules on resource configurations, Azure Blueprints packages policy definitions, role assignments, and resource templates into a deployable unit, and Microsoft Defender for Cloud provides continuous compliance assessment and recommendations.
Why It Exists
Organizations must demonstrate compliance to auditors, avoid fines, and protect sensitive data. Manual compliance checks are error-prone and unscalable. Azure's compliance tools automate enforcement, monitoring, and reporting. The exam tests your ability to select the right combination of services to meet compliance requirements, such as using Azure Policy to enforce encryption on storage accounts or Azure Blueprints to deploy a compliant landing zone.
How It Works Internally
Azure Policy evaluates resources against policy definitions (rules) and determines if they are compliant. Policies can have effects: Deny (blocks creation/modification), Audit (logs but allows), Append (adds fields), AuditIfNotExists, DeployIfNotExists, Disabled, and Modify. The evaluation occurs on resource creation, update, or on a defined schedule (typically every 24 hours). Policy definitions are grouped into initiatives (policy sets) that represent a larger compliance goal, such as "HITRUST/HIPAA" or "NIST SP 800-53." Azure Blueprints orchestrates the deployment of policies, role assignments, ARM templates, and resource groups. When you assign a blueprint, it creates a versioned, tracked deployment that can be updated and re-assigned. Microsoft Defender for Cloud continuously scans your subscriptions and provides a secure score based on compliance with built-in regulatory standards. It also offers regulatory compliance dashboard that shows which controls are passed or failed.
Key Components, Values, Defaults, and Timers
Policy Definition: JSON object that defines the rule. Example: "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}, "then": {"effect": "deny"}.
Initiative Definition: Collection of policy definitions. Built-in initiatives include "HITRUST/HIPAA" and "NIST SP 800-53 R4."
Assignment: Applying a policy or initiative to a scope (management group, subscription, resource group).
Effect: Deny blocks non-compliant resources; Audit logs but allows; Append adds fields (e.g., tags); DeployIfNotExists deploys a resource if missing (e.g., a Log Analytics agent).
Evaluation Frequency: Every 24 hours for existing resources; on create/update for new/modified resources.
Compliance State: Compliant, Non-compliant, Conflict, Error, Not started.
Remediation Task: For DeployIfNotExists or Modify effects, a remediation task can fix non-compliant resources.
Azure Blueprints: Published versioning (e.g., v1.0, v1.1). Each assignment tracks the blueprint version.
Microsoft Defender for Cloud: Secure score (0-100%), regulatory compliance dashboard updates every 24 hours.
Configuration and Verification Commands
Using Azure CLI:
# Create a custom policy definition
az policy definition create --name "deny-storage-public-access" --rules deny-storage-public-access.json --display-name "Deny public access on storage accounts"
# Assign policy to a subscription
az policy assignment create --policy "deny-storage-public-access" --scope /subscriptions/{subId}
# Get compliance state
az policy state list --resource /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account}
# Create a blueprint
az blueprint create --name "myBlueprint" --scope /subscriptions/{subId} --blueprint-file blueprint.json
# Assign a blueprint
az blueprint assignment create --name "myAssignment" --location eastus --blueprint-name "myBlueprint" --scope /subscriptions/{subId}Using PowerShell:
# Create policy definition
New-AzPolicyDefinition -Name "deny-storage-public-access" -Policy .\deny-storage-public-access.json
# Assign policy
New-AzPolicyAssignment -Name "deny-storage-public-access" -PolicyDefinitionId /subscriptions/{subId}/providers/Microsoft.Authorization/policyDefinitions/deny-storage-public-access -Scope /subscriptions/{subId}
# Get compliance
Get-AzPolicyState -ResourceId /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account}Interaction with Related Technologies
Azure Blueprints bundles policies, RBAC roles, and ARM templates to create a consistent, compliant environment. Blueprints are versioned and can be updated; assignments can be updated to the latest version.
Microsoft Defender for Cloud uses security policies that are essentially Azure Policy assignments. It provides a regulatory compliance dashboard that maps controls to standards like PCI DSS 3.2.1, ISO 27001, and SOC 2.
Azure Resource Graph can query compliance data across subscriptions: where type =~ "microsoft.authorization/policyassignments".
Azure Management Groups allow hierarchical policy application; policies at higher levels affect all child subscriptions.
Azure DevOps can integrate compliance checks via Azure Policy as part of CI/CD pipelines, using tasks like "Check Azure Policy Compliance."
Exam Focus: Specific Numbers and Values
The exam expects you to know that Azure Policy evaluation occurs every 24 hours for existing resources.
Built-in regulatory compliance initiatives: HITRUST/HIPAA, NIST SP 800-53 R4, PCI DSS v3.2.1, ISO 27001, SOC 2 Type II, FedRAMP Moderate.
Effects: Deny (hard block), Audit (log only), Append (adds fields), DeployIfNotExists (deploys resource if missing), Modify (changes fields), Disabled, AuditIfNotExists.
Azure Blueprints: versioning scheme (e.g., v1.0), and you can update assignments to a newer published version.
Microsoft Defender for Cloud: Secure score ranges from 0% to 100%; regulatory compliance dashboard refreshes every 24 hours.
Common trap: Candidates confuse Azure Policy with Azure RBAC. Policy controls *what* resources can be created/modified; RBAC controls *who* can perform actions.
Step-by-Step Process to Design Compliance
Identify regulatory requirements (e.g., GDPR requires data encryption at rest).
Map requirements to Azure Policy definitions (e.g., require storage encryption).
Group related policies into an initiative (e.g., "GDPR Initiative").
Assign the initiative to the appropriate scope (management group, subscription).
Use Azure Blueprints to package the initiative with role assignments and ARM templates for a compliant landing zone.
Monitor compliance via Microsoft Defender for Cloud regulatory compliance dashboard.
Remediate non-compliant resources using remediation tasks or manual changes.
Update policies as regulations change and re-assign blueprints.
Common Pitfalls
Overlapping policies: Two policies with conflicting effects (e.g., one allows public access, another denies) cause evaluation conflicts.
Exclusion scopes: Using exclusions incorrectly can bypass compliance. Ensure exclusions are documented and audited.
Remediation timing: DeployIfNotExists policies only remediate on the next evaluation cycle unless a remediation task is triggered.
Blueprint versioning: Assigning a blueprint without specifying a version always uses the latest published version; this can cause unexpected changes if the blueprint is updated.
Performance and Scale
Azure Policy can handle tens of thousands of resources per subscription. Evaluations are distributed across Azure Resource Manager. Blueprints can deploy to multiple subscriptions in a management group hierarchy. Microsoft Defender for Cloud can aggregate compliance data across multiple subscriptions and management groups. The secure score is calculated based on all recommendations; a single non-compliant resource can lower the score.
Identify Regulatory Requirements
Begin by determining which compliance standards apply to your organization: HIPAA, GDPR, PCI DSS, SOC 2, FedRAMP, etc. Each standard has specific controls, such as encryption at rest, access controls, logging, and network segmentation. Document these requirements in a compliance matrix. This step is crucial because it drives all subsequent design decisions. For example, GDPR Article 32 requires encryption of personal data; this translates to an Azure Policy that denies storage accounts without encryption enabled.
Map Requirements to Azure Policy Definitions
For each control, create or select an existing Azure Policy definition. Built-in definitions cover many common requirements, such as 'Storage accounts should use customer-managed keys for encryption' (HIPAA) or 'Audit usage of custom RBAC roles' (NIST). If no built-in policy exists, create a custom one using JSON. The policy definition includes an 'if/then' clause: if the resource type matches a condition, then apply an effect (deny, audit, append, etc.).
Group Policies into Initiatives
Combine related policy definitions into a policy set (initiative) that represents a compliance standard. For example, the built-in 'HITRUST/HIPAA' initiative includes over 100 policies. Initiatives allow you to assign a single entity to a scope and track compliance holistically. Use the Azure portal, CLI, or PowerShell to create an initiative. The initiative JSON references multiple policy definition IDs.
Assign Initiative to Scope
Assign the initiative to a management group, subscription, or resource group. The assignment includes parameters (e.g., allowed locations) and an effect (e.g., deny). You can also set exclusions to exempt specific resources, but this should be used sparingly. Once assigned, Azure Policy evaluates all resources within the scope against the initiative. Compliance results are available in the portal within minutes for new resources, within 24 hours for existing.
Package with Azure Blueprints
Azure Blueprints enables you to define a repeatable set of Azure resources that adheres to compliance standards. A blueprint includes the policy initiative, role assignments, ARM templates, and resource groups. When you publish a blueprint, it creates a version. Assign the blueprint to a subscription to deploy the entire compliant environment. Blueprints track which version of policies and templates are deployed, aiding in audit.
Monitor Compliance via Defender for Cloud
Microsoft Defender for Cloud provides a regulatory compliance dashboard that shows the compliance posture against selected standards (e.g., PCI DSS 3.2.1). It maps controls to Azure Policy initiatives and displays pass/fail status. The dashboard updates every 24 hours. Use it to identify non-compliant resources and prioritize remediation. The secure score also reflects compliance improvements.
Remediate Non-Compliant Resources
For policies with 'DeployIfNotExists' or 'Modify' effects, create a remediation task to automatically fix non-compliant resources. For example, a policy might require a network security group on a subnet; a remediation task deploys the missing NSG. Manual remediation may be needed for 'Audit' policies. Use the Azure portal, CLI, or PowerShell to trigger remediation. Note that remediation tasks run asynchronously and may take time.
Update and Version Policies
Regulations evolve. When a new control is required, update the policy initiative by adding or modifying definitions. Republish the blueprint if used. Existing assignments can be updated to the latest initiative version. Use version control (e.g., Git) for policy definitions and blueprints to track changes. Azure Policy supports multiple versions of a policy definition; you can deprecate old versions.
Enterprise Scenario 1: Healthcare Provider Achieving HIPAA Compliance
A large hospital network migrates patient records to Azure. They must comply with HIPAA Security Rule, which requires encryption of ePHI at rest and in transit, access controls, audit logs, and network segmentation. The architecture team creates a management group hierarchy: one for production workloads, one for development. They assign the built-in 'HITRUST/HIPAA' initiative to the production management group. This initiative includes policies that deny storage accounts without encryption, require TLS 1.2, and enforce network security groups on subnets. They also create a custom policy to require Azure Private Link for all PaaS services accessing ePHI. Azure Blueprints are used to deploy a 'HIPAA-compliant landing zone' that includes the initiative, a Log Analytics workspace for audit logs, and RBAC roles (e.g., Security Reader, Compliance Administrator). The compliance team monitors the regulatory compliance dashboard in Microsoft Defender for Cloud daily. One common issue: developers accidentally creating storage accounts in a non-compliant region; the 'Deny' effect prevents this. Performance: the policy evaluation adds minimal latency to resource creation (under 1 second). At scale, with 10,000+ resources, the compliance dashboard still loads within seconds. Misconfiguration: a policy that denies all public endpoints might block legitimate scenarios; they use exclusions for specific resources like a public-facing API that is exempted after risk assessment.
Enterprise Scenario 2: Financial Services Meeting PCI DSS
A fintech company processes credit card transactions and must comply with PCI DSS v3.2.1. Requirement 1.3 prohibits direct public access between the internet and any system component in the cardholder data environment (CDE). They use Azure Policy to enforce that no network security group allows inbound traffic from 'Any' to the CDE subnets. They also require encryption of cardholder data at rest (AES-256) and in transit (TLS 1.2). The built-in 'PCI DSS v3.2.1' initiative includes these policies. They assign it at the subscription level. To ensure consistent deployment, they create an Azure Blueprint that deploys the CDE resources (VMs, storage, SQL) with the initiative pre-assigned. The blueprint also assigns the 'Payment Card Industry (PCI DSS) v3.2.1' regulatory compliance standard in Microsoft Defender for Cloud. They use DeployIfNotExists policies to automatically install the Log Analytics agent on VMs for log collection. A common pitfall: forgetting to enable 'Audit' on certain policies; they use 'Deny' for critical controls to prevent non-compliance. The secure score is used to track progress; they aim for 100% on PCI DSS controls. Performance: the CDE has 500 VMs; policy evaluation completes within 24 hours. Misconfiguration: a policy that denies any changes to NSGs might break operations; they use 'Audit' for non-critical NSG rules and 'Deny' only for explicit prohibited rules.
Enterprise Scenario 3: Global Company Adhering to GDPR
A multinational corporation must comply with GDPR for all EU citizen data. They use Azure Policy to enforce data residency: storage accounts and databases must be deployed in EU regions. They create a custom policy that denies resource creation outside 'westeurope' and 'northeurope'. They also require encryption at rest and in transit, and enforce that diagnostic logs are enabled for key services. The built-in 'GDPR' initiative is assigned to all subscriptions that process EU data. They use Azure Blueprints to deploy a 'GDPR Landing Zone' that includes the initiative, a Log Analytics workspace, and Azure Key Vault for customer-managed keys. Microsoft Defender for Cloud is configured with the 'GDPR' regulatory compliance standard. They also use Azure Policy's 'Append' effect to automatically add a tag 'DataSubject: EU' to resources containing personal data. A challenge: some legacy resources in non-EU regions must be migrated; they use 'Audit' initially to identify non-compliant resources, then plan migration. Performance: across 50 subscriptions, the compliance dashboard aggregates data without issues. Misconfiguration: a policy that denies all non-EU regions might block a necessary test deployment; they use exclusions for non-production subscriptions.
Exactly What AZ-305 Tests
Objective 1.2 is "Design a governance model." The exam focuses on:
Selecting the correct service for a given compliance requirement: Azure Policy for enforcement, Azure Blueprints for repeatable deployments, Microsoft Defender for Cloud for monitoring.
Understanding policy effects: especially 'Deny' vs 'Audit' vs 'DeployIfNotExists'.
Knowing built-in compliance initiatives: HITRUST/HIPAA, PCI DSS, ISO 27001, SOC 2, FedRAMP Moderate, NIST SP 800-53.
Blueprint versioning and assignment.
Remediation tasks.
Management group hierarchy for policy inheritance.
Secure score and regulatory compliance dashboard.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: "Use Azure RBAC to enforce encryption." Candidates confuse RBAC (who can do what) with Policy (what resources can be). RBAC cannot enforce resource configuration; it only controls access to actions.
Wrong answer: "Azure Policy evaluates resources every hour." The actual default evaluation cycle is every 24 hours. Candidates assume a shorter interval.
Wrong answer: "Azure Blueprints are the same as ARM templates." Blueprints include ARM templates but also policies, role assignments, and resource groups as a single deployable package. ARM templates only deploy resources.
Wrong answer: "Microsoft Defender for Cloud only provides security recommendations." It also provides regulatory compliance assessments and a dedicated dashboard.
Specific Numbers and Terms That Appear on the Exam
Evaluation frequency: 24 hours.
Built-in initiatives: HITRUST/HIPAA, PCI DSS v3.2.1, ISO 27001, SOC 2 Type II, FedRAMP Moderate, NIST SP 800-53 R4.
Effects: Deny, Audit, Append, DeployIfNotExists, Modify, AuditIfNotExists, Disabled.
Secure score: 0-100%.
Blueprint versioning: v1.0, v1.1, etc.
Remediation task: triggered manually or via policy.
Edge Cases and Exceptions
Policy conflicts: If two policies assign different effects to the same resource, the most restrictive effect wins (e.g., deny overrides audit).
Exclusions: Excluding a resource group from a policy assignment does not exclude child resources unless specified.
DeployIfNotExists policies: They only deploy missing resources; they do not modify existing ones unless a remediation task is triggered.
Blueprint assignment: If you assign a blueprint without specifying a version, it uses the latest published version. If the blueprint is updated, the assignment is not automatically updated.
How to Eliminate Wrong Answers
If the scenario requires enforcing a configuration (e.g., "storage accounts must have encryption"), choose Azure Policy with 'Deny' effect.
If the scenario requires deploying a consistent set of resources (e.g., landing zone with policies and roles), choose Azure Blueprints.
If the scenario requires continuous compliance monitoring and reporting, choose Microsoft Defender for Cloud.
If the scenario mentions a specific regulatory standard (e.g., HIPAA), look for the built-in initiative name in the answer choices.
Always check the effect: 'Audit' only logs non-compliance, 'Deny' blocks it. The exam often asks which effect to use for a given requirement.
Azure Policy evaluates resources every 24 hours for existing resources and on create/update for new/modified resources.
Built-in regulatory compliance initiatives include HITRUST/HIPAA, PCI DSS v3.2.1, ISO 27001, SOC 2 Type II, FedRAMP Moderate, and NIST SP 800-53 R4.
Policy effects: Deny (blocks), Audit (logs), Append (adds fields), DeployIfNotExists (deploys missing resource), Modify (changes fields), AuditIfNotExists, Disabled.
Azure Blueprints package policy initiatives, role assignments, and ARM templates with versioning support.
Microsoft Defender for Cloud provides a regulatory compliance dashboard that updates every 24 hours and a secure score from 0-100%.
Remediation tasks are required for DeployIfNotExists and Modify policies to fix non-compliant resources.
Exclusions in policy assignments apply to the specified scope only; child resources are not automatically excluded.
When two policies conflict, the most restrictive effect (e.g., Deny) takes precedence.
Azure Policy controls resource configuration; Azure RBAC controls access to actions.
Blueprints must be published and assigned; assignments are not automatically updated when the blueprint changes.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy
Controls what resources can be created or modified (configuration enforcement).
Uses policy definitions with effects like Deny, Audit, Append.
Evaluates resource properties against rules.
Can automatically remediate non-compliant resources.
Scoped to management group, subscription, or resource group.
Azure RBAC
Controls who can perform actions on resources (access control).
Uses role definitions with permissions (e.g., Contributor, Reader).
Evaluates identity and actions against role assignments.
Does not enforce resource configuration; only allows or denies actions.
Scoped to management group, subscription, resource group, or resource.
Azure Policy
Enforces rules on existing and new resources.
Can be assigned independently to scopes.
Provides compliance state and remediation.
No versioning of assignments; policy definitions can be versioned.
Does not deploy resources by itself.
Azure Blueprints
Packages policies, roles, and ARM templates into a deployable unit.
Assigns a set of resources and policies together.
Tracks version of the blueprint (e.g., v1.0).
Assignments can be updated to a newer blueprint version.
Deploys resources (e.g., VMs, networks) as part of the blueprint.
Mistake
Azure Policy can enforce compliance on existing resources immediately upon assignment.
Correct
Azure Policy evaluates existing resources on a schedule (every 24 hours) or when a resource is created/updated. New policies may take up to 24 hours to show compliance status for existing resources.
Mistake
Azure Blueprints are the same as ARM templates.
Correct
Blueprints include ARM templates but also incorporate Azure Policy, RBAC role assignments, and resource groups. They provide versioning and tracking, whereas ARM templates only deploy infrastructure.
Mistake
Microsoft Defender for Cloud's regulatory compliance dashboard updates in real time.
Correct
The dashboard refreshes every 24 hours. Changes made to resources or policies take up to 24 hours to be reflected.
Mistake
A policy with 'Deny' effect prevents all changes to existing non-compliant resources.
Correct
Deny effect only blocks creation or modification of resources that do not meet the policy condition. It does not automatically change existing resources; they remain non-compliant until remediated.
Mistake
Excluding a resource group from a policy assignment also excludes all resources in that group.
Correct
Excluding a resource group excludes the group itself, but child resources (e.g., storage accounts) are still evaluated. To exclude child resources, you must specify them explicitly in the exclusion list.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Policy enforces compliance rules on resources (e.g., require encryption). Azure Blueprints packages policies, role assignments, and ARM templates into a deployable unit for creating consistent environments. Blueprints include versioning and can be updated, while Policy assignments are standalone. For example, to deploy a compliant landing zone, use Blueprints; to enforce encryption on all storage accounts, use Policy.
Azure Policy evaluates resources every 24 hours for existing resources. New or updated resources are evaluated at creation or modification time. You can also trigger an on-demand evaluation using the Azure CLI or PowerShell, but the default schedule is daily.
Yes, if the policy effect is DeployIfNotExists or Modify, you can create a remediation task to automatically fix non-compliant resources. For example, a policy that requires a Log Analytics agent on VMs can deploy the agent via a remediation task. However, for Audit or Deny effects, manual intervention is required.
Azure Policy includes built-in initiatives for major standards: HITRUST/HIPAA, PCI DSS v3.2.1, ISO 27001, SOC 2 Type II, FedRAMP Moderate, NIST SP 800-53 R4, and UK OFFICIAL. These initiatives group multiple policy definitions that map to the standard's controls.
Microsoft Defender for Cloud provides a regulatory compliance dashboard that shows your compliance posture against selected standards (e.g., PCI DSS, GDPR). It maps controls to Azure Policy initiatives and displays pass/fail status. It also provides recommendations to improve compliance and a secure score (0-100%).
A remediation task is used to automatically fix resources that are non-compliant due to DeployIfNotExists or Modify policies. For example, if a policy requires a diagnostic setting on a resource, a remediation task can deploy that setting. Remediation tasks can be triggered manually or on a schedule, and they run asynchronously.
Yes, when assigning a policy or initiative, you can specify exclusions at the scope level (e.g., exclude a resource group or individual resource). However, exclusions are not inherited by child resources unless explicitly included. Use exclusions sparingly and document them for audit purposes.
You've just covered Regulatory Compliance by Design — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?