This chapter covers Azure Policy Initiatives, a key governance feature that helps you enforce and audit compliance across your Azure resources. Understanding initiatives is critical for the AZ-900 exam, especially under the 'Azure Management Governance' domain (objective 3.2), which carries approximately 15-20% of the exam weight. By the end of this chapter, you will know what initiatives are, how they differ from individual policies, and how to use them to manage compliance at scale.
Jump to a section
Imagine you are the city planner for a new town. You don't just set one rule—you create a 'building code initiative' that bundles many individual rules: all buildings must be within 30 feet of a fire hydrant, have sprinkler systems, use earthquake-resistant foundations, and have wheelchair-accessible entrances. This initiative is assigned to all new construction projects in the city. When a contractor submits a plan for a new building, the city automatically checks it against the entire initiative. If any single rule is violated (e.g., no sprinkler system), the entire building permit is denied. The contractor cannot pick and choose which rules to follow—the initiative enforces them all together. In Azure, an initiative is a collection of policy definitions (the rules) that are assigned to a scope (like a subscription or resource group). When you assign an initiative, Azure evaluates all resources against every policy in the initiative. If a resource violates any policy, it is marked as non-compliant. Initiatives ensure consistent governance across your entire Azure environment, just like a building code ensures safety and compliance across an entire city.
What is Azure Policy Initiative and the Business Problem It Solves
Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules for your Azure resources. However, in a real enterprise, you rarely need just one rule. You need a set of rules that work together to achieve a compliance goal. For example, to ensure a resource is secure, you might need rules that enforce HTTPS, require encryption, and restrict public access. Creating and assigning each rule individually is inefficient and error-prone. This is where Azure Policy Initiatives come in.
An Azure Policy Initiative is a collection of policy definitions (individual policies) that are grouped together to achieve a specific compliance goal, such as 'Enable Monitoring in Azure Security Center' or 'Ensure Secure Access to Resources.' Initiatives simplify management by allowing you to assign a single object that contains multiple policies. When you assign an initiative to a scope (management group, subscription, resource group), all the policies in that initiative are evaluated against every resource in that scope. This ensures consistent enforcement and auditing across your environment.
How It Works – Step by Step Mechanism
Create an Initiative Definition: You start by defining an initiative. The definition includes a name, description, category, and a list of policy definitions (each with its own parameters). You can use built-in initiatives provided by Azure or create custom ones.
Assign the Initiative to a Scope: You assign the initiative to a management group, subscription, or resource group. During assignment, you can set parameters for each policy (e.g., allowed locations) and exclude specific resources or resource groups.
Evaluation: Azure Policy continuously evaluates all resources within the assigned scope against every policy in the initiative. For each resource, Azure checks if it complies with each policy. If a resource violates any policy, it is marked as non-compliant for that policy.
Compliance State: The initiative's compliance state is determined by the compliance of its member policies. If all policies are compliant, the initiative is compliant. If any policy is non-compliant, the initiative is non-compliant. You can view the compliance state per policy and per resource in the Azure portal.
Remediation: For policies that have a deployIfNotExists or modify effect, you can create remediation tasks to automatically bring non-compliant resources back into compliance. Remediation tasks are executed at the initiative level, allowing you to fix multiple policy violations in one go.
Key Components, Tiers, and Pricing
Initiative Definition: Contains metadata and a list of policy definition references. Stored in a management group or subscription.
Initiative Assignment: Binds the initiative to a scope with parameters and exclusions.
Policy Definitions: Individual rules (e.g., allowed locations, require encryption). Each has an effect (audit, deny, deployIfNotExists, etc.).
Parameters: Allow you to customize policies at assignment time (e.g., which locations are allowed).
Exclusions: You can exclude specific resources or resource groups from evaluation.
Compliance States: Compliant, Non-compliant, Conflicting, Error, Not started.
Azure Policy itself is a free service. There is no cost for creating, assigning, or evaluating policies and initiatives. However, if you use remediation tasks that involve deploying resources (e.g., deploying a Log Analytics agent), you may incur costs for those resources.
Comparison to On-Premises Equivalent
In an on-premises environment, enforcing a set of rules across servers and applications typically involves manual checks, custom scripts, or third-party configuration management tools like Group Policy or Chef. These tools require significant setup and maintenance. Azure Policy Initiatives automate this process at the cloud scale. Instead of manually checking each server, you define your rules once and Azure automatically evaluates all resources. Additionally, Azure Policy integrates with Azure DevOps for policy-as-code, allowing you to version control and deploy policies alongside your infrastructure.
Azure Portal and CLI Touchpoints
Azure Portal:
Navigate to Azure Policy > Initiatives to create and manage initiatives.
Under 'Assignments', you can assign initiatives to scopes.
The 'Compliance' blade shows the compliance state of all initiatives and their member policies.
Azure CLI:
# Create a custom initiative definition
az policy initiative create --name "MyInitiative" --policy-definitions '[
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/...",
"parameters": {}
}
]' --display-name "My Initiative" --description "Ensures..."
# Assign an initiative to a subscription
az policy assignment create --name "MyAssignment" --policy-set-definition "MyInitiative" --scope /subscriptions/{subscriptionId}
# View compliance state
az policy state list --resource "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}"PowerShell:
# Create an initiative definition
$definition = New-AzPolicySetDefinition -Name 'MyInitiative' -PolicyDefinition @(
@{ PolicyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/...'; Parameters = @{} }
) -DisplayName 'My Initiative' -Description 'Ensures...'
# Assign initiative
New-AzPolicyAssignment -Name 'MyAssignment' -PolicySetDefinition $definition -Scope '/subscriptions/{subscriptionId}'
# Get compliance state
Get-AzPolicyState -ResourceId '/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}'Concrete Business Scenarios
Scenario 1: Financial Services Company A bank must comply with PCI DSS. They create an initiative 'PCI DSS Compliance' that includes policies for encryption at rest, encryption in transit, network security groups rules, and logging. They assign this initiative to all subscriptions that handle credit card data. Any new resource that violates a policy is denied or audited, and the compliance team gets a clear view of non-compliant resources.
Scenario 2: Healthcare Provider A hospital needs to enforce HIPAA rules. They use built-in initiatives like 'HITRUST/HIPAA' which includes over 100 policies. They assign it to their production subscription. When a developer tries to create a storage account without encryption, the policy denies the creation. The initiative ensures that all resources meet the required security baseline.
Scenario 3: Retail Company A retail chain wants to ensure all resources are deployed only in approved Azure regions (US East, US West) and that all disks are encrypted. They create a custom initiative with two policies: 'Allowed Locations' and 'Audit Unencrypted Disks'. They assign it to their entire management group. Any resource in an unapproved region is denied, and unencrypted disks are audited. The compliance dashboard shows which resources need attention.
1. Identify Compliance Requirements
Begin by determining the specific compliance goals your organization must meet, such as regulatory standards (e.g., HIPAA, PCI DSS) or internal security baselines. For AZ-900, understand that initiatives are designed to group policies that serve a common purpose. Document the exact rules you need to enforce, such as 'all storage accounts must use HTTPS' or 'VMs must be in approved regions'. This step is crucial because it defines the scope and content of your initiative. In the exam, you may be asked which policies to include for a given compliance scenario.
2. Create or Select an Initiative Definition
Navigate to the Azure Policy service in the portal. Under 'Authoring', select 'Definitions' and then 'Initiative definition'. You can choose a built-in initiative (e.g., 'ISO 27001:2013') or create a custom one. For custom initiatives, you must specify a name, description, category, and a list of policy definition IDs. Each policy can have parameters that you define at this stage. For AZ-900, know that built-in initiatives are provided by Microsoft and cover common standards like NIST, CIS, and FedRAMP. Custom initiatives allow flexibility for unique requirements.
3. Assign the Initiative to a Scope
After creating the definition, you must assign it to a scope – a management group, subscription, or resource group. In the portal, go to 'Assignments' and click 'Assign initiative'. Select your initiative, choose the scope, and configure parameters. You can also set exclusions (e.g., exclude a specific resource group from evaluation). During assignment, you can set the enforcement mode: 'Enabled' (policies are enforced and evaluated) or 'Disabled' (policies are not enforced but still evaluated for compliance). For the exam, remember that assignment is what makes the initiative active.
4. Monitor Compliance
Once assigned, Azure Policy automatically evaluates all resources in the scope against every policy in the initiative. You can view the compliance state in the Azure portal under 'Compliance' for the initiative. The dashboard shows the overall compliance percentage, a breakdown per policy, and a list of non-compliant resources. For each non-compliant resource, you can see which specific policy it violates. This monitoring is continuous – any new or updated resource is evaluated. For AZ-900, understand that compliance states include 'Compliant', 'Non-compliant', 'Error', and 'Not started'.
5. Remediate Non-Compliance
For policies that support remediation (those with deployIfNotExists or modify effects), you can create remediation tasks. In the portal, go to the initiative's compliance view, select a non-compliant policy, and click 'Create remediation task'. This task will automatically deploy resources or modify configurations to bring resources into compliance. For example, if a policy requires a Log Analytics agent on VMs, the remediation task will install the agent. Remediation tasks run at the initiative level, meaning one task can fix multiple policy violations. For AZ-900, know that not all policies support remediation – only those with specific effects.
Real-World Scenarios
Scenario 1: Multi-National Corporation Enforcing Data Residency A global company must ensure that all customer data remains within specific geographic boundaries due to GDPR. They create a custom initiative called 'GDPR Data Residency' that includes the built-in policy 'Allowed Locations' parameterized to only allow EU regions (e.g., West Europe, North Europe). They also include a custom policy that denies creation of resources without a data residency tag. They assign this initiative to all subscriptions that process EU customer data. The compliance team monitors the dashboard weekly. When a developer in the US accidentally tries to deploy a storage account in East US, the policy denies the creation, and the developer receives an error message. This proactive enforcement prevents costly compliance violations. If the initiative were not in place, the resource would be created, and the company might face fines during an audit.
Scenario 2: Healthcare Provider Automating Security Baselines A hospital uses the built-in 'HITRUST/HIPAA' initiative, which contains over 100 policies covering encryption, network security, logging, and access controls. They assign this initiative to their production subscription. The initiative includes a policy that audits VMs without disk encryption. The compliance dashboard shows that 15 VMs are non-compliant. The security team creates a remediation task for the disk encryption policy, which automatically encrypts the disks using Azure Disk Encryption. Without the initiative, the team would have to manually check each VM and apply encryption, which is error-prone and time-consuming. The initiative also includes a policy that denies creation of VMs without encryption, preventing future non-compliance.
Scenario 3: Retail Chain Managing Multiple Subsidiaries A retail chain has multiple subsidiaries, each with its own subscription. The central IT team wants to enforce a common set of policies across all subsidiaries, such as requiring all resources to have cost center tags and be deployed in approved regions. They create a custom initiative 'Common Governance Baseline' that includes policies for tagging and allowed locations. They assign this initiative to the root management group, which covers all subscriptions. Each subsidiary can still have its own additional policies or exclusions. The central team can view compliance across the entire organization from a single dashboard. If a subsidiary creates a resource without the required tags, it is marked non-compliant, and the central team can follow up. This centralized governance ensures consistency while allowing autonomy. Without the initiative, each subsidiary would need to implement the same policies individually, leading to inconsistencies and administrative overhead.
Exam Focus for AZ-900
Objective 3.2: Describe Azure Policy Initiatives
This objective specifically tests your understanding of what initiatives are, how they differ from individual policies, and when to use them. Expect 2-3 questions on this topic.
Common Wrong Answers and Why Candidates Choose Them
'An initiative is the same as a policy.' – Candidates confuse the two because both enforce rules. Reality: A policy is a single rule; an initiative is a group of policies. The exam may ask: 'Which should you use to enforce multiple related rules?' The answer is an initiative.
'Initiatives can only be assigned to subscriptions.' – Candidates think scoping is limited. Reality: Initiatives can be assigned to management groups, subscriptions, and resource groups. The most common assignment is to a management group to cover multiple subscriptions.
'Initiatives are evaluated only at creation time.' – Candidates think evaluation is a one-time event. Reality: Azure Policy continuously evaluates resources. Any change to a resource triggers evaluation.
'All policies support remediation.' – Candidates assume every policy can auto-fix non-compliance. Reality: Only policies with deployIfNotExists or modify effects support remediation. Policies with deny or audit effects do not.
Specific Terms and Values That Appear on the Exam
'Initiative definition' vs 'Initiative assignment'
'Scope' – management group, subscription, resource group
'Compliance state' – Compliant, Non-compliant, Error, Conflicting, Not started
'Effect' – Deny, Audit, Append, DeployIfNotExists, Modify
'Built-in initiatives' – e.g., ISO 27001, NIST SP 800-53, FedRAMP, HITRUST/HIPAA
'Remediation task' – only available for specific effects
'Exclusions' – can exclude specific resources or resource groups from evaluation
Edge Cases and Tricky Distinctions
An initiative can contain policies from different categories (e.g., security, networking, cost). The exam may test that initiatives are not limited to a single category.
An initiative can be assigned to a scope that already has individual policies assigned. Both are evaluated independently. The exam may ask: 'If a resource violates a policy in an initiative, is it also non-compliant for the initiative?' Yes.
When you exclude a resource from an initiative assignment, that resource is not evaluated against any policy in that initiative. However, it may still be evaluated by other policies assigned directly.
The 'enforcement mode' can be set to 'Disabled' for testing purposes. In disabled mode, policies are still evaluated but not enforced (deny effect does not block creation). This is useful for testing compliance before enforcing.
Memory Trick or Decision Tree
To decide whether to use a policy or an initiative, ask: 'Do I need one rule or multiple related rules?' If multiple, choose initiative. Think of a policy as a single law and an initiative as a code of laws. Also remember: Initiatives are assigned to scopes; policies are included in initiatives. For the exam, if you see a scenario requiring multiple rules for compliance (e.g., 'Ensure all resources are encrypted, have tags, and are in allowed regions'), the answer is an initiative.
Azure Policy Initiatives are collections of individual policy definitions grouped to achieve a specific compliance goal.
Initiatives can be assigned to management groups, subscriptions, or resource groups, enabling broad governance.
Built-in initiatives are provided by Microsoft for standards like ISO 27001, NIST, and HIPAA.
Compliance is evaluated continuously; resources are checked against all policies in the initiative.
Remediation tasks can auto-fix non-compliance only for policies with deployIfNotExists or modify effects.
Exclusions allow you to exempt specific resources or resource groups from an initiative assignment.
Initiatives are free; costs may incur only for remediation actions that deploy resources.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy (Individual Policy)
A single rule or requirement (e.g., 'Allowed locations').
Assigned directly to a scope.
Evaluates resources against that one rule.
Cannot group multiple rules into one assignment.
Simpler to create for a single requirement.
Azure Policy Initiative
A collection of multiple policies grouped for a common goal (e.g., 'PCI DSS Compliance').
Assigned to a scope, but contains multiple policies.
Evaluates resources against all policies in the initiative.
Simplifies management by assigning one object instead of many.
Ideal for complex compliance scenarios.
Mistake
An initiative is just another name for a policy.
Correct
A policy is a single rule (e.g., 'allowed locations'), while an initiative is a collection of multiple policies. Initiatives are used to group related policies for a common compliance goal.
Mistake
Initiatives can only be assigned to subscriptions.
Correct
Initiatives can be assigned to management groups, subscriptions, and resource groups. Assigning to a management group applies the initiative to all subscriptions within that group.
Mistake
Initiatives are evaluated only when they are first assigned.
Correct
Azure Policy continuously evaluates resources. Any change to a resource (create, update, delete) triggers an evaluation against all assigned initiatives and policies.
Mistake
All policies within an initiative can be remediated automatically.
Correct
Only policies with the 'deployIfNotExists' or 'modify' effect support remediation. Policies with 'deny' or 'audit' effects do not.
Mistake
An initiative can only contain policies from the same category.
Correct
Initiatives can contain policies from any category (e.g., security, networking, cost management). They are grouped by a common goal, not by category.
Azure Policy is a service that lets you create, assign, and manage individual policy definitions (rules) for your resources. An initiative is a collection of policies that are grouped together to achieve a specific compliance goal. Think of a policy as a single law and an initiative as a code of laws. For example, a policy might require all storage accounts to use HTTPS, while an initiative might combine that policy with others to enforce a security baseline. On the AZ-900 exam, you may be asked which to use when multiple rules are needed; the answer is an initiative.
Yes, you can assign an initiative to a management group, subscription, or resource group. Assigning to a resource group applies the initiative only to resources within that group. This is useful for targeted governance. For example, you might assign a 'Production Security' initiative to a resource group containing production resources. On the exam, remember that scope can be any of these three levels.
Built-in initiatives are pre-defined collections of policies provided by Microsoft to help you comply with common regulatory standards. Examples include 'ISO 27001:2013', 'NIST SP 800-53', 'FedRAMP High', and 'HITRUST/HIPAA'. These initiatives contain dozens or hundreds of policies that align with the requirements of those standards. You can assign them directly without creating custom policies. For AZ-900, know that built-in initiatives exist and are available in the Azure portal under Policy > Definitions.
Remediation is the process of automatically fixing non-compliant resources. It is only available for policies that have a 'deployIfNotExists' or 'modify' effect. When you create a remediation task for an initiative, you select a specific policy within the initiative that supports remediation. Azure then deploys the required resources or modifies configurations to bring non-compliant resources into compliance. For example, if a policy requires a Log Analytics agent on VMs, the remediation task will install the agent. Remediation tasks can be run manually or scheduled. On the exam, remember that not all policies support remediation.
Yes, when you assign an initiative, you can specify exclusions – resources or resource groups that should not be evaluated by that initiative. This is useful for resources that are exempt from certain policies due to technical or business reasons. For example, you might exclude a 'sandbox' resource group from a security initiative. Exclusions are defined at assignment time and can be modified later. On the exam, exclusions are a common feature to test understanding of scope management.
Each policy in the initiative is evaluated independently. A resource can be non-compliant for multiple policies. The initiative's overall compliance state is 'Non-compliant' if any policy is non-compliant. In the compliance view, you can see a breakdown per policy and per resource. For example, a VM might be non-compliant for both 'disk encryption' and 'network security group' policies. The initiative shows as non-compliant, and you can drill down to see which policies are violated. On the exam, expect questions about how compliance is aggregated.
Azure Policy itself is a free service. There is no charge for creating, assigning, or evaluating policies or initiatives. However, if you use remediation tasks that deploy resources (e.g., deploying a Log Analytics agent or creating a storage account for logs), you will incur costs for those resources. Additionally, you may incur costs for other Azure services that are required by the policies (e.g., Azure Security Center if you enable monitoring). On the exam, remember that the policy service is free, but remediation actions may have associated costs.
You've just covered Azure Policy Initiatives — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?