This chapter covers Azure Policy and Initiatives, a core governance mechanism in Microsoft Azure that enforces organizational standards and assesses compliance at scale. For the SC-900 exam, this topic appears in Domain 4 (Compliance Solutions) under Objective 4.1, typically accounting for 5-10% of exam questions. You will need to understand the difference between Azure Policy and Role-Based Access Control (RBAC), the effects of policy assignments, and how initiatives group policies for comprehensive compliance. Mastering this topic is essential for passing the compliance section of the exam.
Jump to a section
Imagine Azure Policy as a city's building code enforcement department. The city council (management group) issues building codes (policy definitions) that apply to all structures in the city. These codes specify requirements like 'all commercial buildings must have sprinkler systems' (ensure resource compliance) or 'no building may exceed 10 stories' (deny non-compliant construction). The enforcement team (Azure Policy engine) reviews every building permit application (resource creation request) before it is approved. If a proposed building violates a code, the permit is denied immediately (deny effect). For existing buildings, inspectors (compliance evaluation) periodically check for compliance and issue citations (non-compliant status). Some codes are 'recommended' (audit effect) — the inspector notes the violation but allows occupancy. The city also has 'initiatives' (policy sets) like 'Fire Safety Package' that bundles sprinkler, alarm, and exit sign requirements into one enforcement group. Importantly, the enforcement team does not design the buildings (Azure RBAC) — it only checks compliance. This separation ensures that builders (developers) can create resources freely as long as they follow the codes.
What is Azure Policy?
Azure Policy is a service in Azure that allows you to create, assign, and manage policies that enforce rules over your cloud resources. It evaluates resources for compliance with those rules, providing a dashboard for compliance state. Unlike Azure RBAC, which focuses on who can do what (permissions), Azure Policy focuses on what resources are allowed or denied (configuration). For example, RBAC can allow a user to create virtual machines, but Azure Policy can ensure those VMs are only created in a specific region or of a specific SKU.
How It Works Internally
Azure Policy works through a combination of policy definitions, assignments, and effects. When you create a policy definition, you specify a condition using JSON format. The condition evaluates resource properties during creation, update, or periodic compliance scans. The policy is then assigned to a scope (management group, subscription, or resource group). The Azure Policy engine runs continuously in the background, evaluating all existing resources against assigned policies. When a new resource is created or an existing resource is updated, the engine checks the condition. Based on the effect specified in the policy, the engine either denies the operation, audits it, appends tags, or takes other actions.
Key Components
Policy Definition: A JSON document that describes the condition and effect. Example:
{
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "deny"
}
}- Initiative Definition: Also called a policy set, it is a collection of policy definitions grouped together to achieve a common goal. For example, the 'ISO 27001' initiative includes many policies for security compliance. - Assignment: The application of a policy or initiative to a specific scope. You can also exclude sub-scopes from the assignment. - Effect: The action taken when the condition is met. Common effects: - Deny: Prevents the resource creation or update. - Audit: Creates a warning event in the activity log but does not block the operation. - Append: Adds additional fields to the resource during creation or update (e.g., tags). - AuditIfNotExists: Enables auditing of resources that do not have specified extensions or configurations. - DeployIfNotExists: Deploys a template to remediate non-compliant resources. - Disabled: Effectively turns off the policy.
Defaults and Timers
Azure Policy evaluates resources periodically. The default compliance scan interval is every 24 hours for existing resources. However, policy evaluation for new or updated resources happens in near real-time (within minutes). There is no configurable timer for the scan; it is fixed by the platform.
Configuration and Verification
You can create policies using the Azure portal, Azure CLI, PowerShell, or ARM templates. For example, to create a policy that denies resources not in East US:
Azure CLI:
az policy definition create --name "deny-location" --display-name "Deny any location other than East US" --description "This policy denies creation of resources not in East US" --rules '{"if":{"field":"location","notIn":["eastus"]},"then":{"effect":"deny"}}'To assign the policy:
az policy assignment create --name "deny-location-assignment" --policy "deny-location" --scope "/subscriptions/{subscriptionId}"To check compliance:
az policy state list --resource "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}"Interaction with Related Technologies
Azure Policy works alongside Azure RBAC, Azure Blueprints, and Azure Management Groups. RBAC controls who can create resources; Policy controls what resources can be created. Azure Blueprints can include policy assignments as part of a blueprint definition. Management groups provide hierarchical scopes for policy assignment, allowing inheritance to all child subscriptions.
Common Exam Scenarios
Inheritance: Policies assigned at a management group apply to all subscriptions and resource groups within it, unless explicitly excluded.
Multiple policies: If multiple policies apply, the most restrictive effect (deny > audit > append) takes precedence. However, if one policy denies and another appends, the deny wins.
Remediation: For policies with DeployIfNotExists effect, you can trigger remediation tasks to fix non-compliant resources.
Step-by-Step: Creating and Assigning a Policy
Identify the requirement: For example, require all storage accounts to use HTTPS only.
Create a policy definition: Define the condition and effect in JSON.
Assign the policy: Choose scope (e.g., subscription) and set parameters if any.
Evaluate compliance: Wait for the scan or trigger an on-demand evaluation.
Remediate: If using DeployIfNotExists, run remediation.
Edge Cases
Exclusions: You can exclude specific child scopes or resources from a policy assignment. This is useful for exempting test environments.
Policy effects on existing resources: Deny and Append only apply during creation or update. To enforce on existing resources, use Audit or DeployIfNotExists with remediation.
Initiative vs. single policy: Initiatives are needed when you want to assign multiple policies together and track compliance as a group. The exam often tests when to use an initiative instead of individual policies.
Exam Focus
The SC-900 exam will test your ability to distinguish Azure Policy from RBAC, understand policy effects (especially deny vs. audit), and know that initiatives group policies. You may see scenarios where you need to select the correct effect for a given requirement. Remember: Azure Policy is about resource configuration, not user permissions.
Define the Policy Requirement
Identify the business rule that needs to be enforced. For example, 'All resources must be deployed in the East US region'. This requirement is translated into a condition that checks the 'location' field of a resource. The condition uses operators like equals, notIn, exists, etc. The effect is chosen based on whether the rule should block non-compliant resources (deny) or just alert (audit). At this stage, you also decide if you need a single policy or an initiative (multiple policies). For example, a 'Security Baseline' initiative might include policies for encryption, logging, and network security.
Create the Policy Definition in JSON
The policy definition is written in JSON. It includes a 'policyRule' with 'if' and 'then' sections. The 'if' section defines the condition using fields like 'type', 'location', 'tags', or 'sku'. The 'then' section specifies the effect. For example, to deny resources not in East US, the JSON would check 'field': 'location' with 'notIn': ['eastus']. The definition can also include parameters (e.g., allowed locations) to make the policy reusable. The definition is stored in Azure as a resource of type 'Microsoft.Authorization/policyDefinitions'.
Assign the Policy to a Scope
The policy definition is assigned to a management group, subscription, or resource group. The assignment includes the scope (e.g., subscription ID) and optionally exclusions (e.g., a specific resource group). You can also set parameters at assignment time. For example, if the policy definition has a parameter for allowed locations, you can specify 'eastus' and 'westus' in the assignment. The assignment creates a resource of type 'Microsoft.Authorization/policyAssignments'. Once assigned, the policy becomes active within that scope.
Evaluate Compliance
Azure Policy continuously evaluates resources against assigned policies. For new resources, evaluation occurs during the create or update operation (real-time). For existing resources, a full compliance scan runs every 24 hours. You can also trigger an on-demand scan using Azure CLI: 'az policy state trigger-scan'. The compliance state is reported as 'Compliant', 'Non-compliant', 'Conflict', 'Error', or 'Not started'. Non-compliant resources are listed in the Azure portal under 'Compliance' for the policy.
Remediate Non-Compliant Resources
If the policy effect is 'DeployIfNotExists', you can create a remediation task to automatically fix non-compliant resources. For example, a policy that requires a diagnostic setting on storage accounts can deploy the missing setting. Remediation uses a managed identity to perform the deployment. You can trigger remediation manually or set it to run automatically on new non-compliant resources. For 'Audit' or 'Deny' effects, remediation is manual (e.g., delete and recreate the resource).
Enterprise Scenario 1: Enforcing Regional Compliance
A global company must ensure that all resources are deployed only in approved Azure regions due to data sovereignty laws. They create a custom policy definition that denies any resource not in the allowed list of regions (e.g., East US, West Europe). The policy is assigned at the root management group, covering all subscriptions. Exclusions are made for a test subscription that uses a non-approved region. The compliance dashboard shows 100% compliance after remediation. Misconfiguration: if the policy is assigned at the subscription level instead of the management group, new subscriptions might be missed. Also, if the policy uses 'audit' instead of 'deny', non-compliant resources are created but flagged, leading to potential legal issues.
Enterprise Scenario 2: Tagging Governance
A company wants to enforce cost center tags on all resources. They use a policy with effect 'Append' to automatically add the 'CostCenter' tag if missing. The policy is assigned to all resource groups. When a user creates a VM without the tag, Azure Policy appends a default value (e.g., 'Unknown'). This ensures all resources are tagged for cost tracking. The challenge is that 'Append' only works during creation; existing resources remain untagged. A separate 'DeployIfNotExists' policy with remediation is used to tag existing resources. Common pitfall: if two policies try to append different values for the same tag, the assignment order determines which one wins, potentially causing inconsistent tagging.
Enterprise Scenario 3: Security Baseline Initiative
A financial institution uses the built-in 'PCI-DSS v3.2.1' initiative to enforce security controls. This initiative includes dozens of policies covering encryption, network security, and logging. The initiative is assigned to production subscriptions. Non-compliant resources trigger alerts to the security team. The initiative's compliance score helps during audits. Performance consideration: evaluating many policies across thousands of resources can delay compliance scans, but Azure Policy scales automatically. A common misconfiguration is excluding critical resources from the initiative, creating security gaps.
What SC-900 Tests
Objective 4.1 focuses on describing the capabilities of Azure Policy and initiatives. The exam expects you to:
Differentiate between Azure Policy and Azure RBAC.
Identify the purpose of policy effects: Deny, Audit, Append, DeployIfNotExists.
Understand that initiatives are groups of policies.
Know that policies can be assigned at management group, subscription, or resource group scope.
Recognize that policies evaluate resources for compliance and can prevent non-compliant resource creation.
Common Wrong Answers
'Azure Policy controls who can create resources' — This is RBAC, not Policy. Candidates confuse permission with configuration.
'Initiatives are used to assign a single policy to multiple scopes' — No, a single policy can be assigned to multiple scopes. Initiatives group multiple policies for a common goal.
'The Audit effect blocks resource creation' — Audit only logs the violation; it does not block. Deny blocks.
'Policies apply only at resource group scope' — They can be assigned at management group, subscription, or resource group.
Specific Numbers and Terms
Compliance scan interval: 24 hours for existing resources.
Effects: Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, Disabled.
Built-in initiatives: 'ISO 27001', 'PCI-DSS v3.2.1', 'NIST SP 800-53'.
Scope inheritance: Policies assigned at a management group apply to all child subscriptions and resource groups.
Edge Cases
Exclusions: You can exclude specific scopes from a policy assignment. The exam may present a scenario where a policy is assigned to a management group but a specific subscription should be excluded.
Policy conflict: If two policies conflict, the most restrictive effect wins. For example, if one policy denies and another audits, the deny takes precedence.
Remediation: Only policies with 'DeployIfNotExists' effect can be remediated automatically. 'Deny' and 'Audit' require manual action.
How to Eliminate Wrong Answers
If the question mentions 'who can' or 'permissions', the answer is RBAC, not Policy.
If the question mentions 'prevent creation', look for 'Deny' effect.
If the question mentions 'alert without blocking', look for 'Audit'.
If the question mentions 'multiple policies grouped', the answer is 'Initiative'.
Always check the scope: if the requirement is for all subscriptions, assign at management group.
Azure Policy enforces rules on resource configuration, not user permissions.
Policy effects include Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, and Disabled.
Initiatives group multiple policy definitions together for comprehensive compliance.
Policies are assigned at management group, subscription, or resource group scope.
Compliance evaluation for existing resources occurs every 24 hours by default.
The most restrictive effect (Deny > Audit > Append) takes precedence when multiple policies apply.
Remediation is only available for policies with DeployIfNotExists effect.
Exclusions can be applied to specific child scopes within a policy assignment.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy
Controls resource configuration (e.g., allowed locations, required tags).
Uses policy definitions with conditions and effects.
Evaluates resources for compliance, not user actions.
Can deny or audit resource creation/update.
Assigned to scopes (management group, subscription, resource group).
Azure RBAC
Controls user permissions (who can create, read, update, delete resources).
Uses role definitions with actions and notActions.
Evaluates user identity and role assignments.
Grants or denies access to operations.
Assigned to users or groups at scopes (management group, subscription, resource group, resource).
Mistake
Azure Policy is the same as Azure RBAC but for resources.
Correct
Azure RBAC controls user permissions (who can do what), while Azure Policy controls resource configuration (what resources are allowed). They are complementary but distinct services.
Mistake
Policies with effect 'Audit' block non-compliant resources from being created.
Correct
The 'Audit' effect only logs a warning in the activity log; it does not block the operation. Only 'Deny' prevents creation or update.
Mistake
Initiatives are used to assign a single policy to multiple subscriptions.
Correct
A single policy definition can be assigned to multiple scopes directly. Initiatives are collections of multiple policy definitions grouped for a common goal, like a compliance framework.
Mistake
Azure Policy can only be applied at the resource group level.
Correct
Azure Policy can be assigned at management group, subscription, resource group, or even individual resource scope (though resource-level assignment is less common).
Mistake
Once a policy is assigned, it immediately evaluates all existing resources.
Correct
New resources are evaluated in near real-time, but existing resources are evaluated during periodic compliance scans, which occur every 24 hours by default.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Policy controls the configuration of resources (e.g., ensuring all VMs are in a specific region), while Azure RBAC controls who can perform actions on resources (e.g., who can create VMs). Policy uses conditions and effects to enforce rules; RBAC uses role assignments to grant permissions. They are complementary: RBAC allows a user to create a VM, but Policy can deny the creation if the VM doesn't meet requirements.
Yes, if the policy effect is 'Deny'. When a resource creation or update operation triggers a policy with Deny effect, the operation is blocked and an error message is returned. Other effects like 'Audit' do not block but log the violation.
An initiative, also called a policy set, is a collection of policy definitions that are grouped together to achieve a specific compliance goal, such as 'ISO 27001' or 'PCI-DSS'. Initiatives allow you to assign multiple policies as a single unit and track overall compliance.
For existing resources, a full compliance scan runs every 24 hours. For new or updated resources, evaluation occurs in near real-time during the resource creation or update operation. You can also trigger an on-demand scan using Azure CLI or PowerShell.
Yes, when creating a policy assignment, you can specify exclusions at the scope level. For example, you can assign a policy to a subscription but exclude a specific resource group. Exclusions are defined as an array of scope strings in the assignment.
The 'Append' effect is used to add additional fields to a resource during creation or update. For example, you can automatically add a required tag if it is missing. Append does not block the operation; it modifies the resource request before it is applied.
Azure Policy evaluates all applicable policies and applies the most restrictive effect. For example, if one policy denies a resource and another audits it, the deny effect takes precedence and the resource is blocked. If two policies have different append values, the order of assignment determines which one is applied (last writer wins).
You've just covered Azure Policy and Initiatives — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?