This chapter covers Azure Policy exemptions and compliance scoring, two critical features for managing security governance at scale. For the AZ-500 exam, you need to understand how exemptions work, when to use them, and how they affect compliance scores. Approximately 5-10% of exam questions touch on this topic area, often in scenarios involving audit requirements, waiver management, or troubleshooting non-compliant resources that should be exempt. Mastering these concepts will help you design effective policy-driven security controls and interpret compliance dashboards correctly.
Imagine a library with strict rules: no food, no loud music, and all books must be returned within 14 days. The librarian (Azure Policy) enforces these rules automatically. However, sometimes a patron (resource) needs an exception—like a student with a research project who must keep a book for 30 days, or a study group that needs to discuss loudly. The librarian issues a 'fine exemption slip' (policy exemption) that overrides the rule for that specific patron. The slip must state the reason (e.g., 'research project') and has an expiration date. The librarian still knows the rule exists but chooses not to enforce it for that patron. Importantly, the exemption slip is not a rule change—it's a waiver. If the slip expires, the rule applies again. Similarly, an Azure Policy exemption does not change the policy definition; it just excludes a specific resource or resource group from compliance evaluation for that policy. The exemption must have a name, a category (e.g., 'Mitigated' or 'Waiver'), and an expiration date. The compliance score still counts the resource as 'non-compliant' if the exemption expires, but as 'exempt' during the exemption period, which affects the overall compliance percentage.
What Are Azure Policy Exemptions and Why Do They Exist?
Azure Policy is a governance service that enforces rules on resources to ensure compliance with organizational standards. However, there are legitimate reasons why a resource might need to be temporarily or permanently excluded from a policy's effect. For example, a development server may need to be exempt from a policy that mandates specific security configurations because it is used for testing. An exemption allows you to mark a resource or resource group as 'exempt' from a specific policy assignment, meaning the policy will not evaluate that resource for compliance. Exemptions are not the same as exclusions (which remove resources from the scope entirely) or policy overrides (which change the policy definition). They are a targeted waiver that preserves the policy assignment while acknowledging that the resource does not need to comply for a specified reason.
How Exemptions Work Internally
When you create an exemption, Azure Policy adds an entry to the policy assignment's metadata that identifies the exempted scope (resource or resource group) and the exemption details. During a compliance scan, the engine checks whether a resource is within an exemption scope. If it is, the resource is marked as 'Exempt' rather than 'Compliant' or 'Non-compliant'. The exemption does not change the policy evaluation logic; it simply skips the evaluation for that resource. The exemption has an expiration date (optional but recommended), after which the resource reverts to being evaluated normally. Exemptions are stored as child resources of the policy assignment and can be viewed in the Azure portal, via Azure CLI, PowerShell, or REST API.
Key Components and Defaults
Exemption Name: A unique name within the policy assignment.
Exemption Category: Two categories: 'Mitigated' (the risk is addressed by other means) and 'Waiver' (the resource is allowed to be non-compliant for a valid reason). The exam expects you to know the difference.
Expiration Date: Optional, but recommended to enforce temporary waivers. If not set, the exemption is permanent.
Description: A free-text field to explain why the exemption is granted.
Metadata: Optional key-value pairs for additional context.
Creating an Exemption via CLI
az policy exemption create --name MyExemption --policy-assignment MyAssignment --scope /subscriptions/.../resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/MyVM --exemption-category Waiver --expires-on 2025-12-31T23:59:00Z --description "Temporary waiver for testing"
How Exemptions Affect Compliance Scoring
Compliance scoring is the process of calculating the percentage of compliant resources for a given policy assignment. The formula is:
Compliance Percentage = Compliant Resources / (Compliant Resources + Non-compliant Resources) * 100
Because Total Resources = Compliant + Non-compliant + Exempt, this is the same as Compliant / (Total Resources - Exempt Resources) * 100: exempt resources are excluded from both the numerator and the denominator. So if you have 100 resources, 80 compliant, 10 non-compliant, and 10 exempt, the compliance percentage is 80 / (80 + 10) = 88.9%, not 80%. This is a common exam trap. Exempt resources do not count as compliant or non-compliant; they are simply removed from the calculation, which means exemptions can artificially inflate compliance scores if used excessively.
Interaction with Other Azure Policy Features
Exclusions: Exclusions remove resources from the policy assignment scope entirely. They are more permanent and are defined at assignment time. Exemptions are more granular and can be added after assignment.
Remediation: Exempt resources are not remediated because they are not evaluated.
Policy Initiatives: Exemptions can be applied to individual policies within an initiative, not just the entire initiative.
Inheritance: Exemptions are scoped to a specific resource or resource group. They do not apply to child resources unless explicitly specified. For example, if you exempt a resource group, all resources in that group are exempt from that policy. If you exempt a single VM, only that VM is exempt, not its disks or NICs.
Compliance Dashboard and Reports
In the Azure portal, the Policy Compliance blade shows a pie chart of Compliant, Non-compliant, and Exempt resources. You can filter by exemption category. The compliance state is also available via Azure Resource Graph queries:
policyresources
| where type == 'microsoft.authorization/policyexemptions'
| project name, policyAssignmentId = tostring(properties.policyAssignmentId), exemptionCategory = tostring(properties.exemptionCategory), expiresOn = todatetime(properties.expiresOn), subscriptionId, resourceGroup
Best Practices
Always set an expiration date for temporary exemptions to avoid permanent non-compliance.
Use 'Mitigated' category when a compensating control is in place (e.g., a different policy enforces the same requirement).
Use 'Waiver' category when the resource is allowed to be non-compliant (e.g., legacy system).
Document the reason thoroughly for audit trails.
Regularly review exemptions and remove expired ones.
Exam-Specific Details
The exam may present a scenario where a policy is showing non-compliant resources that you believe should be compliant. The correct answer might be to create an exemption with the appropriate category.
Another scenario: You need to temporarily exclude a resource from a policy while maintaining the policy assignment. Exemption is the answer, not exclusion.
The compliance score calculation is a common trick: exempt resources are excluded from the denominator.
Exemptions are supported for all policy effects, not only 'Audit' and 'Deny'; they also apply to 'Modify' and 'DeployIfNotExists'. For 'DeployIfNotExists', the resource is still evaluated but the deployment is skipped. Know that exemptions do not prevent evaluation; they just change the compliance state.
Step-by-Step Walkthrough of Creating an Exemption
Identify the policy assignment: Navigate to Policy > Compliance, select a policy assignment, and go to 'Exemptions'.
Add exemption: Click 'Add exemption'.
Set scope: Choose the resource or resource group to exempt. You can also exempt a management group.
Select category: Choose 'Mitigated' or 'Waiver'.
Set expiration: Optionally set an expiration date/time.
Add description: Provide a justification.
Create: The exemption is created immediately.
Verification
After creation, the resource will appear as 'Exempt' in the compliance view. You can also list exemptions via CLI:
az policy exemption list --policy-assignment MyAssignment
Troubleshooting
If an exemption does not take effect, check that the scope is correct. The exemption scope must be within the policy assignment scope.
If the compliance percentage seems off, consider that exempt resources are excluded from the calculation.
Exemptions are not inherited by default. If you exempt a resource group, all resources in that group are exempt. But if you exempt a single VM, its child resources are not exempt.
Advanced: Exemptions and Azure Policy as Code
Exemptions can be defined in ARM templates or Bicep files for infrastructure-as-code deployments. Example ARM template snippet:
{
  "type": "Microsoft.Authorization/policyExemptions",
  "apiVersion": "2022-06-01",
  "name": "MyExemption",
  "properties": {
    "policyAssignmentId": "/subscriptions/.../providers/Microsoft.Authorization/policyAssignments/MyAssignment",
    "exemptionCategory": "Waiver",
    "expiresOn": "2025-12-31T23:59:00Z",
    "displayName": "My Exemption"
  }
}
Summary of Key Points
Exemptions are for excluding specific resources from policy evaluation without modifying the policy assignment.
Two categories: Mitigated and Waiver.
Exempt resources are excluded from compliance percentage calculation (numerator and denominator).
Exemptions can expire.
Exemptions are scoped to a specific resource or resource group.
Not inherited automatically.
Now, let's dive into the step-by-step process of how exemptions affect compliance scoring.
Policy Assignment Evaluation
Azure Policy runs compliance scans periodically (every 24 hours by default) or on-demand. For each resource in the assignment scope, the policy engine evaluates whether the resource meets the policy condition. Before evaluation, the engine checks if there is an active exemption for that resource. If an exemption exists and has not expired, the resource is immediately marked as 'Exempt' and no further evaluation occurs. The exemption must match the exact policy assignment ID and the resource scope. The engine uses the exemption's expiration date; if the current time is past the expiration, the exemption is considered expired and the resource is evaluated normally. The exemption category (Mitigated or Waiver) does not affect the evaluation logic; it only serves as metadata for reporting.
Compliance State Categorization
After evaluation (or exemption check), the resource is assigned a compliance state: 'Compliant' if it meets the policy, 'Non-compliant' if it does not, or 'Exempt' if an active exemption exists. The compliance state is stored in the policy assignment's compliance state table. This table is used to generate the compliance percentage. The key point is that 'Exempt' is a separate state from 'Compliant' or 'Non-compliant'. The resource is not considered compliant; it is simply excluded from the compliance calculation. This distinction is important for audit and reporting. For example, a resource might be exempt because it is a test environment, but it is still technically non-compliant. The exemption acknowledges the non-compliance but allows it.
Compliance Percentage Calculation
The compliance percentage is calculated using the formula: (Number of Compliant Resources) / (Number of Compliant Resources + Number of Non-compliant Resources) * 100. Exempt resources are excluded from both the numerator and denominator. For example, if you have 100 resources total, 80 compliant, 10 non-compliant, and 10 exempt, the compliance percentage is 80 / (80+10) = 88.9%. If you mistakenly include exempt resources in the denominator, you would get 80/100 = 80%, which is incorrect. The exam loves to test this nuance. Also, if all resources are exempt, the denominator becomes zero, and the compliance percentage is shown as 'N/A' or 0%. This is a rare edge case.
Exemption Expiration and Re-evaluation
When an exemption expires, the resource is no longer exempt. At the next compliance scan, the resource is evaluated normally. If it is non-compliant, it will appear as 'Non-compliant'. This can cause a sudden drop in compliance percentage. To avoid this, you should either renew the exemption or remediate the resource before expiration. The expiration date is checked during each scan. If the exemption is set without an expiration date, it is permanent and never expires. The exam may test that permanent exemptions are discouraged because they can hide non-compliance indefinitely.
Reporting and Audit Trail
All exemptions are logged in the Azure Activity Log and can be audited. The compliance dashboard shows the count of exempt resources. You can export compliance data to CSV or use Azure Resource Graph to query exemptions. For example, you can list all exemptions that are about to expire. The exam may ask about how to identify exemptions that are expiring soon. Use the Azure CLI command: az policy exemption list --query "[?expiresOn != null && expiresOn <= '2025-12-31']" --output table. Also, you can set up alerts for policy compliance changes, including when resources move from exempt to non-compliant.
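As an added example (not code from this chapter or from Azure Policy itself), the Python model below walks the evaluation order just described: the active-exemption check comes first, each resource gets a state, the percentage drops exempt resources from both numerator and denominator, an expired exemption causes the drop at the next scan, and expiring-soon exemptions can be listed. The subscription id, assignment name, resource ids, dates and the managed-disk rule are all constructed.

```python
# Constructed model (not Azure's engine): exemption check before policy evaluation, then scoring.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass(frozen=True)
class Exemption:
    name: str
    policy_assignment_id: str
    scope: str                             # exempted resource or resource-group id
    category: str                          # 'Mitigated' or 'Waiver'; metadata only
    expires_on: Optional[datetime] = None  # None = permanent exemption

def is_active(ex: Exemption, now: datetime) -> bool:
    """Active until the expiresOn instant; a missing date never expires."""
    return ex.expires_on is None or now < ex.expires_on

def active_exemption(resource_id: str, assignment_id: str,
                     exemptions: list[Exemption], now: datetime) -> Optional[Exemption]:
    """Active exemption covering resource_id for this assignment, or None. A resource-group
    scope covers every resource in the group; a single-resource scope covers only that resource."""
    rid = resource_id.lower()
    for ex in exemptions:
        if ex.policy_assignment_id != assignment_id or not is_active(ex, now):
            continue
        scope = ex.scope.lower()
        group_scope = "/providers/" not in scope      # subscription / resource-group level
        if rid == scope or (group_scope and rid.startswith(scope + "/providers/")):
            return ex
    return None

def evaluate(resources: dict[str, dict], assignment_id: str, exemptions: list[Exemption],
             now: datetime, compliant: Callable[[dict], bool]) -> dict[str, str]:
    """Assign Exempt / Compliant / NonCompliant to each resource in scope."""
    states = {}
    for rid, props in resources.items():
        if active_exemption(rid, assignment_id, exemptions, now):
            states[rid] = "Exempt"   # marked before the policy condition is checked
        else:
            states[rid] = "Compliant" if compliant(props) else "NonCompliant"
    return states

def compliance_percentage(states: dict[str, str]) -> Optional[float]:
    """Compliant / (Compliant + NonCompliant) * 100; None (N/A) when all are exempt."""
    c = sum(1 for s in states.values() if s == "Compliant")
    n = sum(1 for s in states.values() if s == "NonCompliant")
    return None if c + n == 0 else round(100 * c / (c + n), 1)

def expiring_within(exemptions: list[Exemption], now: datetime, days: int) -> list[str]:
    """Names of exemptions expiring within `days`; permanent ones are never listed."""
    limit = now + timedelta(days=days)
    return sorted(ex.name for ex in exemptions
                  if ex.expires_on is not None and now <= ex.expires_on <= limit)

# Constructed scenario: "VMs must use managed disks"; one legacy VM waived until quarter end,
# the whole rg-dev resource group waived permanently.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = f"{SUB}/providers/Microsoft.Authorization/policyAssignments/require-managed-disks"
VM = "/providers/Microsoft.Compute/virtualMachines/"
RESOURCES = {
    f"{SUB}/resourceGroups/rg-prod{VM}vm-web":    {"managedDisks": True},
    f"{SUB}/resourceGroups/rg-prod{VM}vm-db":     {"managedDisks": True},
    f"{SUB}/resourceGroups/rg-prod{VM}vm-legacy": {"managedDisks": False},
    f"{SUB}/resourceGroups/rg-dev{VM}vm-dev1":    {"managedDisks": False},
}
EXEMPTIONS = [
    Exemption("legacy-vm-waiver", ASSIGNMENT, f"{SUB}/resourceGroups/rg-prod{VM}vm-legacy",
              "Waiver", datetime(2025, 9, 30, 23, 59, tzinfo=timezone.utc)),
    Exemption("dev-rg-waiver", ASSIGNMENT, f"{SUB}/resourceGroups/rg-dev", "Waiver"),
]

def scan(now: datetime) -> tuple[dict[str, str], Optional[float]]:
    """One compliance scan at `now`: per-resource states and the percentage."""
    states = evaluate(RESOURCES, ASSIGNMENT, EXEMPTIONS, now, lambda p: p["managedDisks"])
    return states, compliance_percentage(states)

if __name__ == "__main__":
    for day in (datetime(2025, 9, 1, tzinfo=timezone.utc), datetime(2025, 10, 1, tzinfo=timezone.utc)):
        print(day.date(), scan(day)[1], expiring_within(EXEMPTIONS, day, 30))
```

Before 30 September the legacy VM is Exempt and the score is 100%; at the first scan after expiry it becomes NonCompliant and the score falls to 66.7%, while the dev group stays exempt throughout.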
Scenario 1: Temporary Waiver for a Legacy Application
A financial services company has a policy that requires all virtual machines to use managed disks. However, they have a legacy application running on a VM that uses unmanaged disks because the application code directly accesses the VHD files. The migration to managed disks is planned for next quarter. The security team creates an exemption for that specific VM with category 'Waiver' and an expiration date set to the end of the quarter. This allows the VM to remain non-compliant temporarily without affecting the overall compliance score. The exemption is documented with a description referencing the migration ticket. The security team sets up a monthly review to check pending exemptions. When the migration is complete, they remove the exemption and the VM becomes compliant. In production, they have hundreds of such exemptions, each with a unique expiration date. They use Azure Policy to enforce that exemptions must have an expiration date, using a custom policy that audits exemptions without an expiration date.
Scenario 2: Mitigated Risk with Compensating Controls
A healthcare organization has a policy that mandates encryption at rest using Azure Disk Encryption. However, some of their VMs are using Azure Storage Service Encryption (SSE) which is also encryption at rest but not the specific type required by the policy. The security team determines that SSE is an acceptable compensating control because it meets the regulatory requirement for encryption. They create exemptions with category 'Mitigated' for these VMs. The exemption description explains that SSE is in place. The compliance dashboard shows these VMs as exempt, not non-compliant. This avoids false positives in reports. The team also has a separate policy that requires SSE, so the overall security posture is maintained. In production, they have a process to review mitigated exemptions annually to ensure the compensating control still applies.
Scenario 3: Development Environment Exemption
A tech company uses Azure Policy to enforce strict security configurations on production resources. However, their development environment needs more flexibility. They have a management group for development with a policy assignment that includes exemptions for all resources in that group. The exemption category is 'Waiver' with a permanent expiration (no expiration date). This allows developers to experiment without policy violations. However, this also means the development environment is not compliant, which is acceptable for non-production. The compliance score for the overall subscription is calculated excluding these exempt resources, so it reflects only production compliance. The security team regularly audits the exemptions to ensure no production resources are mistakenly exempted. They use Azure Resource Graph to list all exemptions and verify the scope.
Common Misconfigurations
Forgetting to set an expiration date on temporary exemptions, leading to permanent non-compliance.
Using 'Waiver' instead of 'Mitigated' when a compensating control exists, which may misrepresent the risk.
Assuming that exempting a resource group exempts its resources individually: it does, but only because the resource-group scope includes them; an exemption on a single resource does not extend to that resource's child resources.
Overusing exemptions, which can hide widespread non-compliance and create a false sense of security.
Performance Considerations
Exemptions are metadata and do not impact policy evaluation performance significantly. However, having thousands of exemptions can make compliance reports harder to manage. Best practice is to use exemptions sparingly and review them regularly.
Exactly What AZ-500 Tests on This Topic
AZ-500 objective 4.3 (Security Operations) includes 'Manage Azure Policy' and specifically covers 'Configure and manage policy exemptions' and 'Interpret compliance scores'. The exam expects you to:
Create and manage exemptions using Azure portal, CLI, PowerShell, and ARM templates.
Understand the difference between 'Mitigated' and 'Waiver' categories.
Calculate compliance percentage correctly given a scenario.
Know that exemptions are scoped to a resource or resource group within the policy assignment scope.
Understand that exemptions do not apply to child resources unless the scope is the parent.
Recognize that exemptions can expire and that expired exemptions cause resources to be evaluated again.
Common Wrong Answers and Why Candidates Choose Them
Confusing Exemptions with Exclusions: Many candidates think that exemptions remove resources from the policy assignment scope. Actually, exclusions are defined at assignment time and remove the resource from the scope entirely. Exemptions keep the resource in scope but mark it as exempt. The exam may present a scenario where you need to temporarily exclude a resource; the correct answer is 'exemption', not 'exclusion'.
Incorrect Compliance Percentage Calculation: The most common trap. Candidates often include exempt resources in the denominator, resulting in a lower percentage. For example, if there are 10 resources, 8 compliant, 1 non-compliant, and 1 exempt, the correct compliance percentage is 8/9 = 88.9%, not 8/10 = 80%. The exam will give you a scenario and ask for the compliance percentage.
Assuming Exemptions Inherit to Child Resources: Candidates may think that exempting a resource group automatically exempts all child resources. Actually, if you exempt a resource group, all resources in that group are exempt because the scope is the group. But if you exempt a specific VM, its disks and NICs are not exempt unless you explicitly exempt them. The exam may test this with a scenario where a VM is exempt but its disk is non-compliant.
Mixing Up Exemption Categories: Candidates may use 'Waiver' when 'Mitigated' is appropriate. The exam may ask which category to use for a resource that has a compensating control. The answer is 'Mitigated'.
Specific Numbers and Values That Appear on the Exam
The default compliance scan interval is 24 hours.
Exemption expiration date format: YYYY-MM-DDThh:mm:ssZ (ISO 8601).
Exemption categories: 'Mitigated' and 'Waiver'.
The compliance percentage formula: Compliant / (Compliant + Non-compliant) * 100.
Exempt resources are excluded from both numerator and denominator.
Edge Cases and Exceptions
If all resources are exempt, the compliance percentage is undefined (N/A).
Exemptions can be applied to management groups.
Exemptions are supported for policy assignments with the 'Disabled' effect, but they are pointless because the policy is already disabled.
Exemptions cannot be created for policies that are not assigned.
Exemptions are not regional; they are global.
How to Eliminate Wrong Answers
If a question asks about temporarily excluding a resource from policy evaluation, look for 'exemption' not 'exclusion'.
If a question asks about compliance percentage, compute it carefully excluding exempt resources.
If a question asks about category for a resource with compensating control, choose 'Mitigated'.
If a question asks about scope, remember that exemptions are not inherited to child resources unless the scope is the parent.
Exam Tip
When you see a compliance score question, always identify the number of exempt resources and subtract them from the total before calculating the percentage. Also, note that the exam may ask about the impact of expired exemptions on compliance score.
Exemptions are used to exclude specific resources from policy evaluation without modifying the policy assignment.
Two exemption categories: 'Mitigated' (compensating control in place) and 'Waiver' (allowed non-compliance).
Exempt resources are excluded from compliance percentage calculation (both numerator and denominator).
Always set an expiration date for temporary exemptions to avoid permanent non-compliance.
Exemptions are not inherited to child resources unless the scope is the parent resource group.
Exemptions can be created via Azure portal, CLI, PowerShell, or ARM templates.
Expired exemptions cause resources to be evaluated normally, potentially becoming non-compliant.
The default compliance scan interval is 24 hours.
These come up on the exam all the time. Here's how to tell them apart.
Policy Exemption                                          Policy Exclusion
Added after policy assignment                             Defined at policy assignment creation
Exempt resources are still within the assignment scope    Excluded resources are removed from scope entirely
Exempt resources are marked as 'Exempt' in compliance     Excluded resources do not appear in compliance at all
Can have an expiration date                               No expiration date
Two categories: Mitigated and Waiver                      No categories; simply removed
Mistake
Exemptions make a resource compliant.
Correct
Exemptions do not make a resource compliant; they mark it as 'Exempt', which is a separate state. The resource is still non-compliant but is excluded from compliance percentage calculations. The compliance state is 'Exempt', not 'Compliant'.
Mistake
Exemptions are inherited by child resources automatically.
Correct
Exemptions are not inherited. If you exempt a resource group, all resources in that group are exempt because the scope includes them. But if you exempt a specific VM, its child resources (disks, NICs) are not exempt unless you explicitly exempt them. The exemption scope is exact.
Mistake
Exemptions and exclusions are the same thing.
Correct
Exclusions are defined at policy assignment time and remove resources from the assignment scope entirely. Exemptions are added later and keep resources in scope but mark them as exempt. Excluded resources are not evaluated at all; exempt resources are evaluated but the result is overridden to 'Exempt'.
Mistake
Compliance percentage includes exempt resources in the denominator.
Correct
The compliance percentage is calculated as Compliant / (Compliant + Non-compliant) * 100. Exempt resources are excluded from both numerator and denominator. Including them would give a lower percentage.
Mistake
Permanent exemptions are recommended for long-term waivers.
Correct
Permanent exemptions are discouraged because they hide non-compliance indefinitely. Best practice is to set an expiration date even for long-term waivers and review them periodically. The exam expects you to know that expiration dates should be used.
A policy exemption is a waiver that marks a resource as 'Exempt' from a policy assignment, keeping the resource in scope but excluding it from compliance calculations. A policy exclusion removes the resource from the policy assignment scope entirely, so the policy does not apply at all. Exemptions are added after assignment and can expire; exclusions are defined at assignment time and are permanent. For the exam, remember that exemptions are for temporary or justified non-compliance, while exclusions are for resources that should never be governed by the policy.
Exempt resources are excluded from the compliance percentage calculation. The formula is: (Compliant Resources) / (Compliant Resources + Non-compliant Resources) * 100. Exempt resources are not counted in either the numerator or denominator. For example, if you have 100 resources, 80 compliant, 10 non-compliant, and 10 exempt, the compliance percentage is 80/(80+10) = 88.9%, not 80%. This is a common exam trap.
Yes, you can create an exemption without an expiration date, but it is not recommended. Permanent exemptions can hide non-compliance indefinitely, leading to security risks. Best practice is to always set an expiration date, even for long-term waivers, and review them regularly. The exam expects you to know that expiration dates should be used.
When an exemption expires, the resource is no longer exempt. At the next compliance scan (default every 24 hours), the resource is evaluated normally. If it is non-compliant, it will appear as 'Non-compliant', and the compliance percentage will decrease accordingly. You should either renew the exemption or remediate the resource before expiration.
Yes, if you exempt a resource group, all resources within that resource group are exempt because the exemption scope includes the entire group. However, if you exempt a specific resource like a VM, its child resources (e.g., disks, NICs) are not exempt unless you explicitly exempt them. Exemptions are not inherited down the resource hierarchy beyond the exact scope.
The two categories are 'Mitigated' and 'Waiver'. 'Mitigated' is used when a compensating control addresses the policy requirement (e.g., another policy enforces the same security control). 'Waiver' is used when the resource is allowed to be non-compliant for a valid reason (e.g., legacy application). The exam may ask you to choose the correct category for a given scenario.
You can use Azure CLI: az policy exemption list --query "[?expiresOn != null && expiresOn <= '2025-12-31']" --output table. Replace the date with your desired threshold. You can also use Azure Resource Graph or the portal. The exam may test your ability to identify expiring exemptions.