AZ-900 | Chapter 9 of 127 | Objective 1.5

Security and Governance in the Cloud

This chapter covers Azure's security and governance capabilities, which are foundational to understanding how Microsoft protects cloud resources and helps organizations meet compliance requirements. For the AZ-900 exam, this objective area (Cloud Concepts, Objective 1.5) is tested repeatedly, above all the distinction between Azure Policy and RBAC, so it is a critical topic to master. We'll explore Azure's shared responsibility model, defense-in-depth, identity services (Azure Active Directory, renamed Microsoft Entra ID in 2023; this chapter keeps the Azure AD name, but you should recognize both), governance tools like Azure Policy and Blueprints, and compliance offerings. By the end, you'll understand how Azure enables secure and compliant cloud environments, even if you are starting with no IT background.

25 min read
Beginner
Updated May 31, 2026

The Corporate Office Building Security System

Imagine you own a large corporate office building. You need to control who enters the building (authentication), what they can access once inside (authorization), and ensure that sensitive documents are kept safe (encryption). You also need to monitor who comes and goes (auditing) and have a plan for emergencies (disaster recovery). Azure provides a similarly layered security model. Azure Active Directory (Azure AD) is the main reception desk that checks IDs and issues badges. Role-Based Access Control (RBAC) is the set of floor-specific access cards that only open certain doors. Azure Policy is the building code that enforces rules about what may be built (e.g., every floor must have fire exits). Azure Blueprints are pre-approved floor plans that ensure every new office follows the same security standards. Microsoft Defender for Cloud (formerly Azure Security Center) is the security patrol that watches for suspicious activity and alerts you. Just as a building relies on more than its front-door lock, Azure is designed for defense-in-depth: multiple layers of security so that if one fails, another catches it. Note, though, that Azure supplies the layers; it does not lock every door for you. A storage account you expose to the internet stays exposed until you fix it. The principle carries over from the building: identity is the new perimeter, and governance rules assigned at the root management group are inherited by every subscription, resource group, and resource beneath it.

How It Actually Works

What is Security and Governance in the Cloud?

Security and governance in the cloud refer to the set of tools, policies, and practices that protect cloud resources, data, and applications from threats while ensuring compliance with organizational and regulatory standards. In traditional on-premises environments, you control everything—physical servers, network cables, and data center access. In the cloud, the responsibility is shared between you and Microsoft. This is called the shared responsibility model. Microsoft secures the physical infrastructure (data centers, hardware, networking), while you are responsible for securing your data, identities, and access configurations. For example, if you misconfigure a storage account to be publicly accessible, that's your fault, not Microsoft's.

How It Works: Defense in Depth

Azure uses a defense-in-depth strategy, which layers multiple security controls so that if one layer fails, another protects the asset. Imagine a castle with a moat, walls, guards, and a treasure chest with a lock. The layers, from the outside in:

- Physical security: guards, biometrics, and surveillance at Azure data centers (Microsoft's responsibility).
- Identity and access: Azure AD, Multi-Factor Authentication (MFA), and RBAC.
- Network security: Network Security Groups (NSGs), Azure Firewall, and DDoS Protection at the perimeter.
- Data security: encryption at rest and in transit, with Azure Key Vault holding keys and secrets.
- Application security: Web Application Firewall (WAF) and App Service authentication.
- Monitoring and alerting: Microsoft Defender for Cloud, Microsoft Sentinel, and Log Analytics.

Key Components, Tiers, and Pricing Models

Azure Active Directory (Azure AD, now branded Microsoft Entra ID) is Microsoft's cloud-based identity and access management service. It provides authentication (verifying who you are) and authorization (what you can do). Azure AD has four editions: Free (included with an Azure subscription), Office 365 Apps, Premium P1, and Premium P2. The Free edition supports up to 500,000 directory objects and provides MFA through security defaults, a tenant-wide switch that requires MFA for administrators and prompts other users when needed. Conditional Access, which lets you write your own MFA and sign-in rules, requires Premium P1. Premium P2 adds the risk-based features: Identity Protection and Privileged Identity Management (PIM).

Role-Based Access Control (RBAC) is an authorization system built on Azure Resource Manager. You assign roles (e.g., Owner, Contributor, Reader) to users, groups, or service principals at a specific scope (management group, subscription, resource group, or resource). Roles are collections of permissions. For example, the 'Reader' role can only view resources, not modify them. RBAC is free to use.
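To make the scope and inheritance rules concrete, here is a small model of how an RBAC check resolves. This is an added illustration written for this page, not Azure's authorization engine and not an SDK call: it models three built-in roles (Actions minus NotActions), assignment inheritance from management group through subscription and resource group down to a single resource, and deny assignments, which Azure itself creates only through Blueprints resource locks and managed applications. The management group name, subscription ID, principals and resource IDs are made up.

```python
"""Toy model of Azure RBAC evaluation (added example, not Azure's engine).
A role assignment at a scope is inherited by every child scope, a role's
effective permissions are Actions minus NotActions, and a deny assignment
wins over any allow. IDs and principals below are made up."""
from fnmatch import fnmatchcase

# Built-in roles trimmed to Actions/NotActions (real definitions also carry
# DataActions). Contributor is Owner minus the right to change RBAC itself.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Scope hierarchy. Resource IDs under a subscription do not textually contain
# the management group, so that parent link is kept in an explicit map.
MG = "/providers/Microsoft.Management/managementGroups/mg-contoso"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
PARENT = {SUB.lower(): MG}
RG_DEV, RG_PROD = SUB + "/resourceGroups/rg-dev", SUB + "/resourceGroups/rg-prod"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"


def scope_contains(scope, resource_id):
    """True when resource_id is at or below scope, following the MG chain."""
    s, r = scope.lower(), resource_id.lower()
    if r == s or r.startswith(s + "/"):
        return True
    sub = "/".join(resource_id.split("/")[:3]).lower()   # "/subscriptions/<id>"
    parent = PARENT.get(sub)
    while parent:
        if parent.lower() == s:
            return True
        parent = PARENT.get(parent.lower())
    return False


def _any_match(action, patterns):
    # Azure permission strings are case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name, action):
    role = ROLES[role_name]
    return _any_match(action, role["Actions"]) and not _any_match(action, role["NotActions"])


def is_authorized(principal, action, resource_id, assignments, deny_assignments=()):
    """Deny assignments are checked first; then any inherited allow suffices."""
    for d in deny_assignments:
        if (principal in d["principals"] and scope_contains(d["scope"], resource_id)
                and _any_match(action, d["actions"])):
            return False
    return any(a["principal"] == principal
               and scope_contains(a["scope"], resource_id)
               and role_permits(a["role"], action)
               for a in assignments)


# Made-up assignments: least privilege for the developer, a read-only auditor
# at the management group, one subscription owner.
ASSIGNMENTS = [
    {"principal": "dev@contoso.com", "role": "Contributor", "scope": RG_DEV},
    {"principal": "dev@contoso.com", "role": "Reader", "scope": SUB},
    {"principal": "auditor@contoso.com", "role": "Reader", "scope": MG},
    {"principal": "admin@contoso.com", "role": "Owner", "scope": SUB},
]
# A Blueprints-style lock on production: even the Owner cannot delete there.
DENY = [{"principals": ["dev@contoso.com", "admin@contoso.com"],
         "scope": RG_PROD, "actions": ["*/delete"]}]

if __name__ == "__main__":
    checks = [
        ("dev@contoso.com", "Microsoft.Compute/virtualMachines/write", VM_PROD),
        ("dev@contoso.com", "Microsoft.Compute/virtualMachines/read", VM_PROD),
        ("dev@contoso.com", "Microsoft.Authorization/roleAssignments/write", RG_DEV),
        ("auditor@contoso.com", "Microsoft.Compute/virtualMachines/read", VM_PROD),
        ("admin@contoso.com", "Microsoft.Compute/virtualMachines/delete", VM_PROD),
    ]
    for who, action, target in checks:
        print(f"{who:22} {action:48} {is_authorized(who, action, target, ASSIGNMENTS, DENY)}")
```

Two things to notice when you run it: the developer's Contributor role on rg-dev does not let them grant roles there (Contributor's NotActions carve out Microsoft.Authorization), and the auditor reads a production VM without any assignment on the subscription at all, purely by inheritance from the management group.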

Azure Policy is a governance tool that creates, assigns, and manages policies. Policies enforce rules (e.g., 'only allow VMs in a certain region') and can be assigned at any scope. Assignments are inherited down the hierarchy: a policy assigned at the subscription level applies to every resource group and resource in that subscription. Evaluation happens inside Azure Resource Manager, so it catches requests from the portal, CLI, templates, and SDKs alike. Azure Policy itself is free; you pay only for the resources a remediation task deploys.
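The inheritance and effect behaviour described above is what Azure Resource Manager applies to every create or update request. The following added example, written for this page rather than taken from Azure, re-creates a slice of that evaluation in Python. The three definitions follow the real policyRule shape (an if condition tree, a then.effect, and parameters referenced as [parameters('name')]); the 'Allowed locations' rule is trimmed from the built-in, the other two are simplified stand-ins, and the subscription ID and resources are made up. It shows the three behaviours candidates mix up: Append changes the request, Deny rejects it, Audit lets it through and only records it.

```python
"""Toy evaluator for Azure Policy rules (added example, not Azure's engine).
Definitions use the real policyRule shape: an `if` condition tree over
resource fields and aliases, a `then.effect`, and parameter references
written "[parameters('name')]". Resources and IDs below are made up."""
import copy

# Aliases map a property path onto the resource document (tiny subset).
ALIASES = {"Microsoft.Storage/storageAccounts/allowBlobPublicAccess":
           ("properties", "allowBlobPublicAccess")}

ALLOWED_LOCATIONS = {  # trimmed from the built-in "Allowed locations" rule
    "name": "Allowed locations",
    "policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}}
NO_PUBLIC_BLOBS = {  # simplified stand-in for the public-access audit policy
    "name": "Storage accounts should not allow public blob access",
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": True}]},
        "then": {"effect": "audit"}}}
APPEND_ENV_TAG = {  # simplified stand-in for "Append a tag and its value"
    "name": "Append Environment tag",
    "policyRule": {"if": {"field": "tags['Environment']", "exists": "false"},
                   "then": {"effect": "append", "details": [
                       {"field": "tags['Environment']", "value": "unclassified"}]}}}

OPS = {"equals": lambda a, e: a == e, "notEquals": lambda a, e: a != e,
       "in": lambda a, e: a in e, "notIn": lambda a, e: a not in e,
       "exists": lambda a, e: (a is not None) == (str(e).lower() == "true")}


def get_field(resource, field):
    """Resolve 'location', 'type', "tags['X']" or a known alias."""
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[6:-2])
    node = resource
    for key in ALIASES.get(field, (field,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def matches(cond, resource, params):
    """Evaluate a policyRule condition tree against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    op, expected = next((k, v) for k, v in cond.items() if k != "field")
    if isinstance(expected, str) and expected.startswith("[parameters('"):
        expected = params[expected[len("[parameters('"):-3]]   # strip "[parameters('" and "')]"
    return OPS[op](get_field(resource, cond["field"]), expected)


def scope_contains(scope, resource_id):
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


EFFECT_ORDER = {"append": 0, "deny": 1, "audit": 2}  # Azure's evaluation order


def evaluate(resource, assignments):
    """Return what Resource Manager would do with this create/update request:
    append mutates it, deny rejects it, audit only records non-compliance."""
    res = copy.deepcopy(resource)
    outcome = {"allowed": True, "denied_by": None, "audit": [], "resource": res}
    applicable = [a for a in assignments if scope_contains(a["scope"], res["id"])]
    applicable.sort(key=lambda a: EFFECT_ORDER[a["definition"]["policyRule"]["then"]["effect"]])
    for a in applicable:
        rule = a["definition"]["policyRule"]
        params = {k: v["value"] for k, v in a.get("parameters", {}).items()}
        if not matches(rule["if"], res, params):
            continue
        effect = rule["then"]["effect"]
        if effect == "append":
            for d in rule["then"]["details"]:
                res.setdefault("tags", {})[d["field"][6:-2]] = d["value"]
        elif effect == "deny":
            outcome["allowed"], outcome["denied_by"] = False, a["definition"]["name"]
        elif effect == "audit":
            outcome["audit"].append(a["definition"]["name"])
    return outcome


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [  # two subscription-wide assignments, one limited to rg-dev
    {"definition": ALLOWED_LOCATIONS, "scope": SUB,
     "parameters": {"listOfAllowedLocations": {"value": ["eastus", "westus"]}}},
    {"definition": NO_PUBLIC_BLOBS, "scope": SUB},
    {"definition": APPEND_ENV_TAG, "scope": SUB + "/resourceGroups/rg-dev"},
]


def sample_vm(location="westeurope", rg="rg-dev"):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "Microsoft.Compute/virtualMachines", "location": location}


def sample_storage(public_blobs, rg="rg-dev"):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/st1",
            "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
            "properties": {"allowBlobPublicAccess": public_blobs}}


if __name__ == "__main__":
    for request in (sample_vm(), sample_storage(True), sample_storage(False, "rg-prod")):
        out = evaluate(request, ASSIGNMENTS)
        print(request["id"].rsplit("/", 1)[1], out["allowed"], out["denied_by"], out["audit"])
```

Note the assignment scopes: the tag policy is assigned on rg-dev only, so a storage account created in rg-prod is left untagged even though the subscription-wide audit still fires on it. DeployIfNotExists is deliberately absent: it triggers a remediation deployment after the resource exists, which a request-time evaluator like this one cannot show.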

Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. A blueprint is a package of artifacts (resource groups, policy assignments, role assignments, ARM templates) that can be deployed to new subscriptions. Blueprints are free, but you pay for the resources they deploy. One caveat: Blueprints never left preview, and Microsoft has scheduled the service for retirement in July 2026, pointing customers to Template Specs and Deployment Stacks instead. It still appears in AZ-900 study material, so know what it does and how it differs from an ARM template.

Microsoft Defender for Cloud (formerly Azure Security Center) is a unified cloud security posture management (CSPM) and workload protection service. It provides security posture management (Secure Score), threat detection, and recommendations. The free foundational CSPM features (assessment, recommendations, Secure Score) are available for every subscription; the paid Defender plans, enabled per workload type (servers, storage, SQL, containers, and so on), add threat detection and advanced protection.

Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It collects logs from across the enterprise into a Log Analytics workspace, runs scheduled analytics rules (written in KQL) and machine-learning detections over them, and can trigger automated playbooks in response. Pricing is based on data ingestion volume.

Comparison to On-Premises

In an on-premises environment, you must purchase, configure, and maintain all security hardware and software (firewalls, IDS/IPS, SIEM, etc.). You are 100% responsible for security. In Azure, Microsoft handles physical security, hypervisor security, and network infrastructure. You focus on identity, data, and application security. Azure Policy has no direct on-premises counterpart: Group Policy governs Windows hosts, not the infrastructure as a whole, whereas Azure Policy evaluates every resource request in the control plane and can enforce compliance at scale automatically (and, through Azure Arc, can reach on-premises machines too).

Azure Portal and CLI Touchpoints

You can manage security and governance through the Azure Portal (web interface), Azure CLI (command-line), Azure PowerShell, or ARM/Bicep templates. For example, to assign a built-in policy via CLI, first look up the definition by its display name (built-in definitions are named by GUID, so query for it rather than retyping one), then assign it at the subscription scope:

az policy definition list --query "[?displayName=='Audit VMs that do not use managed disks'].name" -o tsv

az policy assignment create --name "audit-vm-managed-disks" --policy <definition-name-from-above> --scope "/subscriptions/$(az account show --query id -o tsv)"

To view RBAC assignments for a user, including those inherited through group membership:

az role assignment list --assignee user@contoso.com --all --include-groups -o table

To create a blueprint (the blueprint commands live in a CLI extension):

az extension add --name blueprint

az blueprint create --name "MyBlueprint" --management-group "mg-Contoso"

Business Scenarios

Healthcare compliance: A hospital must comply with HIPAA. They use Azure Policy to enforce encryption on all storage accounts and deny public access. Azure Blueprints deploy a pre-configured environment with audit logs enabled. Microsoft Defender for Cloud monitors for threats and provides Secure Score recommendations.

Financial services: A bank uses Azure AD Premium P2 with Identity Protection to detect risky sign-ins and require MFA. RBAC ensures only traders can access trading systems. Microsoft Sentinel collects logs from all resources and uses analytics rules to detect anomalies.

Retail startup: A small e-commerce company uses Azure AD Free for user authentication. They assign Contributor role to developers and Reader to auditors. They deploy Azure Policy to enforce tagging on all resources for cost tracking.

Walk-Through

1. Set Up Azure AD

Start by creating an Azure AD tenant (your organization's identity directory). In the Azure Portal, go to Azure Active Directory > Create a tenant. Choose whether to create a new tenant or use an existing one. Azure AD is free for up to 500,000 objects. You can add users manually or sync from on-premises Active Directory using Azure AD Connect (now Microsoft Entra Connect). Once set up, protect administrators with MFA: on the Free edition, turn on security defaults; with Premium P1, write Conditional Access policies that require MFA for administrative roles and can add conditions such as sign-in location or device state.

2. Assign RBAC Roles

Navigate to the subscription or resource group you want to secure. Click 'Access control (IAM)' > 'Add role assignment'. Select a role (e.g., Contributor) and choose a user, group, or service principal. RBAC is inherited, so assigning a role at the subscription level grants permissions to all resource groups and resources within. Use the principle of least privilege—give only the permissions needed. For example, assign 'Reader' to auditors and 'Contributor' to developers.

3. Create and Assign Azure Policies

Go to Azure Policy in the portal. Select 'Definitions' to see built-in policies (e.g., 'Allowed locations', 'Audit VMs that do not use managed disks'). Click 'Assign' to apply a policy to a scope (management group, subscription, or resource group). Policies can be enforced (deny non-compliant resources) or audit-only (log compliance). For example, assign the 'Allowed locations' policy to restrict VM creation to US East and US West. Policy effects include Deny, Audit, Append, and DeployIfNotExists (plus AuditIfNotExists, Modify, and Disabled). Remember that Audit only records non-compliance in the compliance dashboard; only Deny actually blocks the request.

4. Configure Microsoft Defender for Cloud

In the portal, search for 'Microsoft Defender for Cloud'. The free foundational features (Secure Score and recommendations) are available for every subscription as soon as you open it. To add threat detection, enable the paid Defender plans per workload type under Environment settings. Review the Secure Score dashboard: it shows your overall security posture based on implemented controls. Click on recommendations (e.g., 'Enable MFA for administrative users') to remediate issues directly.

5. Implement Azure Blueprints

Go to 'Blueprints' in the portal. Click 'Create blueprint' and start from a blank blueprint or a sample (e.g., 'ISO 27001'). Add artifacts: resource groups, ARM templates, policy assignments, and role assignments. Publish the blueprint and assign it to a subscription. Blueprints ensure consistent governance—every new subscription can be provisioned with the same security baseline. Blueprints are versioned, so you can update them over time.

What This Looks Like on the Job

Scenario 1: Healthcare Compliance (HIPAA) A hospital chain migrates patient records to Azure. They must comply with HIPAA, which requires encryption of protected health information (PHI) at rest and in transit, access controls, and audit logs. The team uses Azure Policy to require encryption on all storage accounts and to block public access: the public-access policy is assigned with the Deny effect so that a non-compliant account cannot be created, while policies still being rolled out use the Audit effect to measure existing drift before enforcement. Azure Blueprints deploy a secure environment with Azure SQL Database (transparent data encryption), Azure Key Vault for encryption keys, and diagnostic settings streaming logs to Log Analytics. Microsoft Defender for Cloud monitors for misconfigurations and provides Secure Score. The hospital also uses Azure AD Conditional Access to require MFA for all users accessing PHI. Common issues: forgetting to enable auditing on SQL databases, leading to compliance gaps; misconfigured NSGs allowing public access to databases. Cost: Azure Policy and Blueprints are free; Defender for Cloud paid plans cost roughly $15 per server per month; Log Analytics ingestion costs about $2.30 per GB.

Scenario 2: Financial Services (PCI DSS) A bank processes credit card transactions and must comply with PCI DSS. They use Azure Policy to enforce that only approved regions (e.g., US East, US West) are used, and require encryption for all storage. RBAC ensures only a small team of administrators has 'Owner' permissions on the subscription. Azure Blueprints deploy a pre-configured network architecture with Azure Firewall and DDoS Protection. Microsoft Sentinel ingests logs from all resources and uses built-in analytics rules to detect suspicious activity, such as unusual login patterns. The bank also implements Privileged Identity Management (PIM) for just-in-time access to critical resources. Common mistakes: failing to restrict network access to the Azure SQL database, leaving it open to all IPs; not enabling audit logging on the database, which is required for PCI DSS. Cost: Azure Firewall ~$1.25/hour; DDoS Protection ~$2,944/month; Sentinel ~$2.30/GB ingested.
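The 'analytics rules to detect suspicious activity, such as unusual login patterns' in Scenario 2 are, in Microsoft Sentinel, KQL queries scheduled over the SigninLogs table. The following added example (not a Sentinel rule export and not the bank's code) re-creates two such rules in Python over constructed sign-in records shaped like SigninLogs: a brute-force run against one account that ends in a success, and a password spray across many accounts from one address. Addresses, users and timestamps are made up; result code 50126 is Azure AD's invalid-credentials code and 0 is success.

```python
"""Two sign-in analytics rules (added example; not a Sentinel rule export).
Records are constructed to resemble Microsoft Sentinel's SigninLogs table:
ResultType "0" = success, "50126" = invalid username or password."""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, user, ip, result):
    return {"TimeGenerated": ts, "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}


# Made-up data: a brute-force run on trader1 that finally succeeds, one benign
# typo-then-success, and a spray from a second address against six accounts.
SAMPLE_LOGS = (
    [_rec(f"2026-05-31T08:0{i}:00Z", "trader1@contoso.com", "203.0.113.7", "50126") for i in range(5)]
    + [_rec("2026-05-31T08:05:30Z", "trader1@contoso.com", "203.0.113.7", "0"),
       _rec("2026-05-31T08:01:10Z", "trader2@contoso.com", "198.51.100.20", "0"),
       _rec("2026-05-31T10:00:00Z", "trader2@contoso.com", "198.51.100.20", "50126"),
       _rec("2026-05-31T10:00:20Z", "trader2@contoso.com", "198.51.100.20", "0")]
    + [_rec(f"2026-05-31T09:1{i}:00Z", f"user{i}@contoso.com", "203.0.113.9", "50126") for i in range(6)]
)


def _ts(rec):
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(logs, threshold=5, window=timedelta(minutes=10)):
    """Alert when one IP fails >= threshold times against one account within
    `window` and then signs that account in successfully from the same IP."""
    alerts, by_key = [], defaultdict(list)
    for rec in sorted(logs, key=_ts):
        by_key[(rec["IPAddress"], rec["UserPrincipalName"])].append(rec)
    for (ip, user), events in by_key.items():
        failures = []
        for rec in events:
            t = _ts(rec)
            if rec["ResultType"] == "0":
                recent = [f for f in failures if t - f <= window]
                if len(recent) >= threshold:
                    alerts.append({"rule": "BruteForceSuccess", "ip": ip, "user": user,
                                   "failures": len(recent), "time": rec["TimeGenerated"]})
                failures = []        # a success closes the streak
            elif rec["ResultType"] == "50126":
                failures.append(t)
    return alerts


def detect_password_spray(logs, min_users=5, window=timedelta(minutes=30)):
    """Alert when one IP fails against >= min_users distinct accounts within
    `window`: one guess per account, the pattern per-account lockouts miss."""
    alerts, by_ip = [], defaultdict(list)
    for rec in sorted(logs, key=_ts):
        if rec["ResultType"] == "50126":
            by_ip[rec["IPAddress"]].append(rec)
    for ip, events in by_ip.items():
        for i, first in enumerate(events):      # slide the window over each start point
            t0 = _ts(first)
            users = {e["UserPrincipalName"] for e in events[i:] if _ts(e) - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "PasswordSpray", "ip": ip, "users": len(users),
                               "time": first["TimeGenerated"]})
                break                           # one alert per address
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS) + detect_password_spray(SAMPLE_LOGS):
        print(alert)
```

The two rules key on different things on purpose: the brute-force rule groups by (IP, account) and only fires once a success follows the failures, which is the event worth paging on; the spray rule groups by IP alone and counts distinct accounts, because a spray never trips a per-account threshold. The single trader2 typo-then-success is left alone by both.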

Scenario 3: Retail Startup (GDPR) A European e-commerce startup needs to comply with GDPR, which requires data protection and the right to be forgotten. They use Azure Policy to enforce tagging on all resources (e.g., 'DataClassification: Personal'). Azure AD B2C handles customer identity and allows users to delete their accounts. Azure Key Vault stores database connection strings and API keys. The startup uses RBAC to give developers 'Contributor' access to development resource groups but 'Reader' to production. They also set up Azure Policy to deny creation of resources in non-EU regions to ensure data stays within GDPR boundaries. Common issues: not enabling diagnostic logs for key services, making it hard to audit data access; forgetting to enforce encryption at rest on Azure SQL Database. Cost: Azure AD B2C is free for first 50,000 MAU; Key Vault ~$0.03 per 10,000 operations; Azure Policy free.

How AZ-900 Actually Tests This

Exam Objective: 1.5 Describe security and governance in the cloud

This objective is part of the 'Cloud Concepts' domain. You will be tested on your understanding of the shared responsibility model, defense-in-depth, Azure AD, RBAC, Azure Policy, Azure Blueprints, and Microsoft Defender for Cloud. The exam expects you to know which tool is used for what purpose, not how to configure them in detail.

Common Wrong Answers and Why Candidates Choose Them:

1. 'Azure Policy is used to control access to resources.' Wrong. Azure Policy enforces rules on resource configurations (e.g., allowed regions), not access. RBAC controls access. Candidates confuse 'policy' with 'permissions'.
2. 'Microsoft is responsible for all security in the cloud.' Wrong. The shared responsibility model means you are responsible for data, identities, and access. Microsoft secures the infrastructure. Candidates assume the cloud provider does everything.
3. 'Azure Blueprints are the same as ARM templates.' Wrong. Blueprints package multiple artifacts (including ARM templates, policies, roles) to create a repeatable environment. ARM templates are just one type of artifact. Candidates think they are interchangeable.
4. 'Defense-in-depth means using a single strong security control.' Wrong. Defense-in-depth uses multiple independent layers. Candidates read 'depth' as the strength of one control rather than the number of layers an attacker has to get through.

Specific Terms and Values:

- Shared responsibility model: infrastructure (Microsoft) vs. customer responsibilities (data, identities, access, configuration).
- Defense-in-depth layers: physical, identity, network, data, application, monitoring.
- Azure AD (Microsoft Entra ID) editions: Free, Office 365 Apps, Premium P1, Premium P2.
- RBAC roles: Owner, Contributor, Reader (built-in).
- Policy effects: Deny, Audit, Append, DeployIfNotExists.
- Blueprints: versioned, can include ARM templates, policies, role assignments.
- Microsoft Defender for Cloud: Secure Score, recommendations, free vs. paid plans.

Edge Cases and Tricky Distinctions:

- Azure Policy vs. RBAC: Policy enforces 'what' resources can be created and how they are configured (e.g., only in US East); RBAC controls 'who' can access them.
- Azure Blueprints vs. Resource Groups: Blueprints create a consistent environment across subscriptions; resource groups are logical containers within a subscription.
- Azure AD vs. Active Directory Domain Services: Azure AD is cloud-based identity; AD DS is the on-premises directory service. They can sync but are different products.

Memory Trick: 'Policies Police, RBAC Restricts, Blueprints Build, Defender Detects.' Use this to remember the primary function: Azure Policy enforces rules (police), RBAC controls access (restricts), Blueprints deploy consistent environments (build), Defender for Cloud monitors threats (detects).

Key Takeaways

The shared responsibility model: Microsoft secures infrastructure; you secure data, identities, and access.

Defense-in-depth uses multiple layers: physical, identity, network, data, application, monitoring.

Azure AD provides identity and access management; Free edition includes up to 500,000 objects.

RBAC roles: Owner (full access), Contributor (manage resources), Reader (view only).

Azure Policy enforces compliance rules on resources; effects include Deny, Audit, Append, DeployIfNotExists.

Azure Blueprints package multiple artifacts (ARM templates, policies, roles) for repeatable deployments.

Microsoft Defender for Cloud provides Secure Score and recommendations; paid tier adds threat detection.

Azure Policy is NOT for access control – that's RBAC.

Azure Blueprints are NOT the same as ARM templates – they are a higher-level orchestration tool.

Azure AD Premium P2 includes Identity Protection and Privileged Identity Management.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Policy

Enforces rules on resource configurations (e.g., allowed regions, required tags)

Applies to resources at any scope (management group, subscription, resource group, or individual resource)

Uses policy definitions with effects like Deny, Audit, Append

Free to use

Example: Deny creation of VMs without managed disks

RBAC

Controls user access to resources (who can do what)

Applies to users, groups, or service principals at a scope

Uses role definitions with permissions (e.g., Owner, Contributor, Reader)

Free to use

Example: Grant Contributor role to a developer on a resource group

Watch Out for These

Mistake

Azure Policy is used to control user access to resources.

Correct

Azure Policy enforces rules on resource configurations (e.g., allowed VM sizes, required tags). User access is controlled by RBAC (Role-Based Access Control).

Mistake

Microsoft is responsible for securing all customer data in the cloud.

Correct

Under the shared responsibility model, Microsoft secures the physical infrastructure, but customers are responsible for their data, identities, and access configurations.

Mistake

Azure Blueprints are the same as ARM templates.

Correct

Azure Blueprints are a package of artifacts that can include ARM templates, policies, role assignments, and resource groups. ARM templates are just one component of a blueprint.

Mistake

Defense-in-depth means having a single strong security control.

Correct

Defense-in-depth uses multiple layers of security (physical, identity, network, data, application, monitoring) so that if one layer fails, another protects the asset.

Mistake

Azure AD Free edition includes all security features like Identity Protection.

Correct

Azure AD Free includes basic authentication and MFA through security defaults. Conditional Access policies require Premium P1, and Identity Protection is only available in Premium P2.

Frequently Asked Questions

What is the difference between Azure Policy and RBAC?

Azure Policy enforces rules on the configuration of resources (e.g., 'all VMs must use managed disks'), while RBAC controls who can access and manage those resources (e.g., 'John can create VMs in this resource group'). Think of Policy as the building code (what you can build) and RBAC as the keys (who can enter). The exam loves to test this distinction.

Is Azure AD the same as on-premises Active Directory?

No. Azure AD is a cloud-based identity and access management service, while on-premises Active Directory (AD DS) is a directory service for Windows domain networks. They can be synced using Azure AD Connect (Microsoft Entra Connect), but they are separate products. Azure AD authenticates with web protocols (OAuth 2.0, OpenID Connect, SAML) over HTTPS and is managed through REST APIs, while AD DS uses LDAP and Kerberos.

What is the shared responsibility model?

It defines which security tasks are handled by Microsoft and which by the customer. Microsoft is responsible for the physical data centers, network, and hypervisor. The customer is responsible for data, identities, access, and configurations. For SaaS, Microsoft handles more; for IaaS, the customer handles more.

How does Azure Blueprints differ from ARM templates?

Azure Blueprints are a declarative way to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates as a single, versioned package. ARM templates are JSON files that define infrastructure resources. Blueprints can include ARM templates, but they also include governance artifacts. Blueprints are designed for compliance and governance at scale.

What is Microsoft Defender for Cloud's Secure Score?

Secure Score is a metric that measures your security posture based on implemented security controls. It ranges from 0 to 100. Each recommendation (e.g., enable MFA) contributes a certain number of points. The higher the score, the better your security posture. It helps you prioritize actions to improve security.

Do I need Azure AD Premium for MFA?

Basic MFA is available with Azure AD Free through security defaults. Writing your own MFA rules requires Conditional Access (Premium P1), and risk-based policies that react to Identity Protection signals require Premium P2. For most enterprise scenarios, Premium P1 is sufficient. The exam may ask which edition includes Identity Protection (Premium P2).

What is the difference between Azure Policy and Azure Blueprints?

Azure Policy enforces rules on existing and new resources. Azure Blueprints creates a complete environment with resources, policies, and roles pre-configured. Blueprints use policies as artifacts. You can assign policies independently, but blueprints ensure consistent governance across multiple subscriptions.
