Table of Contents
- Azure Policy
- Azure Management Groups
- Azure Cost Management
- Azure Blueprints (Deprecated)
- Azure Resource Graph
- Summary and Key Points
1. Azure Policy
1.1 Policy Definitions
An Azure Policy is a JSON rule that evaluates Azure resources and applies an action based on their compliance status.
Structure of a policy definition:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field": "location",
"in": ["eastus", "westus"]
}
}
]
},
"then": {
"effect": "Deny"
}
}
Two types of policies:
- Built-in: provided by Microsoft (hundreds available)
- Custom: created by the organization for specific needs
1.2 Assigning a Policy
An assignment binds a policy definition to a scope.
Possible scopes (from broadest to narrowest):
Tenant Root Group (root Management Group)
└── Management Group
└── Subscription
└── Resource Group
└── Resource (individual)
Via Portal:
Portal → Policy → Assignments → Assign Policy
→ Scope: select subscription or RG
→ Policy definition: search and select
→ Parameters: configure parameters
→ Remediation: optional
→ Review + Create
Via PowerShell:
New-AzPolicyAssignment `
-Name 'allowed-locations-assignment' `
-PolicyDefinition (Get-AzPolicyDefinition -Name 'allowed-locations') `
-Scope '/subscriptions/{subscriptionId}/resourceGroups/app-rg' `
-PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus') }
1.3 Initiatives (Policy Groups)
An initiative is a grouping of multiple policy definitions to achieve a common goal.
Example: The “CIS Azure Foundations Benchmark” initiative groups ~100 security policies.
Benefits of initiatives:
- Manage multiple policies as a single unit
- Assign a group of rules in a single operation
- Simplify compliance with a framework (CIS, ISO, NIST)
Initiative "Security Baseline"
├── Policy: "Require HTTPS on storage accounts"
├── Policy: "Require encryption at rest"
├── Policy: "Restrict allowed VM sizes"
└── Policy: "Require tag: environment"
1.4 Policy Effects
| Effect | Description | When to use |
|---|---|---|
| Deny | Blocks creation/modification of non-compliant resources | Strict rules to enforce |
| Audit | Marks as non-compliant but does not block | Visibility without blocking |
| Modify | Adds or modifies properties | Force tag addition |
| DeployIfNotExists | Deploys an associated resource if missing | Auto-remediation (e.g., add diagnostics) |
| Append | Adds properties to the resource | Add fields during creation |
| AuditIfNotExists | Audits if an associated resource does not exist | Check dependencies |
Effect evaluation order:
Disabled → Append → Deny → Audit → Modify → AuditIfNotExists → DeployIfNotExists
1.5 Demo: Assign a Location Policy
Goal: Restrict resources in a Resource Group to the East US and West US regions.
Steps:
Portal → Policy → Assignments → Assign Policy
→ Scope: /subscriptions/.../resourceGroups/app-rg
→ Policy Definition: "Allowed locations" (built-in)
→ Parameters:
listOfAllowedLocations: ["eastus", "westus"]
→ Review + Create
Test compliance:
Portal → Policy → Compliance
→ View the % of compliant resources
→ Non-compliant resources listed with details
2. Azure Management Groups
2.1 Hierarchy and Inheritance
Management Groups allow you to organize subscriptions into a tree structure for centralized governance.
Tenant Root Group (root)
├── Management Group: "Corp"
│ ├── Management Group: "IT"
│ │ ├── Subscription: "IT-Prod"
│ │ └── Subscription: "IT-Dev"
│ └── Management Group: "Finance"
│ └── Subscription: "Finance-Prod"
└── Management Group: "External"
└── Subscription: "Partner-Sandbox"
Policy inheritance:
- Policies assigned to a Management Group apply to all subscriptions below
- “Trickle-down” principle: parent → children
- Children cannot override inherited policies (except with explicit exemptions)
Benefits:
- Unified governance across multiple subscriptions
- Group subscriptions by department, region, or environment
- Simplify RBAC (one role assignment at the MG level covers everything below)
3. Azure Cost Management
3.1 Analyzing and Controlling Costs
Azure Cost Management + Billing allows you to:
- Visualize spending by service, region, tag, subscription
- Identify anomalies and spending spikes
- Get optimization recommendations (Azure Advisor)
Access:
Portal → Cost Management + Billing → Cost Analysis
Available filters:
- Scope: subscription, resource group, resource
- Period: day, week, month, years
- Granularity: daily, monthly
- Grouping: by service, by region, by tag, by resource group
Azure Advisor — cost recommendations:
- Stop unused VMs (underutilized)
- Resize oversized VMs
- Delete unattached disks
- Use Reserved Instances for stable workloads
3.2 Budgets and Alerts
Create a budget:
Cost Management → Budgets → + Add
→ Scope → Amount → Reset period
→ Alert conditions: % of budget
→ Alert recipients: email(s)
Types of alerts:
- Actual cost alerts: triggered when actual spending exceeds a threshold
- Forecast alerts: triggered when forecasts indicate an overage
Example configuration:
| Threshold | Action |
|---|---|
| 50% of budget | Email alert to the team |
| 80% of budget | Email alert to the manager |
| 100% of budget | Urgent alert + optional: disable resources |
4. Azure Blueprints (Deprecated)
⚠️ Deprecation planned for July 2026.
Blueprints allowed grouping several “artifacts”:
- Role assignments
- Policy assignments
- ARM templates
- Resource groups
Migration to:
- Template Specs: store and version ARM templates
- Deployment Stacks: manage the lifecycle of a resource group as a unit
Recommended replacement:
Before (Blueprints) → After
────────────────────────────────────────
Blueprint definition → Template Spec
Blueprint assignment → Deployment Stack
Artifact: ARM template → Template Spec
Artifact: RBAC → Role Assignment in Template
Artifact: Policy → Policy Assignment in Template
5. Azure Resource Graph
5.1 KQL Queries
Azure Resource Graph allows you to run KQL (Kusto Query Language) queries against the Azure resource inventory at scale across multiple subscriptions.
Access:
Portal → Resource Graph Explorer
Example KQL queries:
// List all VMs with their status
Resources
| where type == "microsoft.compute/virtualmachines"
| project name, location, properties.hardwareProfile.vmSize,
properties.provisioningState
// Count resources by type
Resources
| summarize count() by type
| order by count_ desc
// Find resources without an "environment" tag
Resources
| where isnull(tags.environment)
| project name, type, resourceGroup, location
// Check compliance of storage accounts (HTTPS only)
Resources
| where type == "microsoft.storage/storageaccounts"
| project name,
httpsOnly = properties.supportsHttpsTrafficOnly
| where httpsOnly == false
Characteristics:
- Near real-time: near real-time inventory
- Cross-subscription: queries across all subscriptions in the tenant
- Resource Graph Explorer: web interface to test queries
- API: available via REST, SDK, CLI
Via Azure CLI:
az graph query -q "Resources | where type == 'microsoft.compute/virtualmachines' | project name, location"
6. Summary and Key Points
| Concept | Description |
|---|---|
| Azure Policy | JSON rules to evaluate and control resources |
| Policy Effect | Deny, Audit, Modify, DeployIfNotExists, Append |
| Initiative | Group of policies for a common objective |
| Assignment | Linking a policy to a scope |
| Management Group | Subscription hierarchy for governance |
| Trickle-down | Policy inheritance from parent → children |
| Cost Management | Visualize, alert on, and optimize spending |
| Budget | Spending limit with configurable alerts |
| Azure Blueprints | DEPRECATED in July 2026 → Template Specs + Deployment Stacks |
| Resource Graph | Cross-subscription KQL queries on Azure inventory |
Recommended governance pipeline:
Management Groups (structure)
↓
Initiatives (compliance objectives)
↓
Policies (specific rules)
↓
Assignments (apply to scopes)
↓
Compliance Reports (tracking)
↓
Cost Management (financial control)
↓
Resource Graph (audit and inventory)
Advanced Sections – Deep Dives
Section A – Azure Policy: Complete Deep Dive
A.1 Policy Lifecycle
flowchart TD
DEF["Create a definition\n(JSON)"]
INIT["Group into initiative\n(optional)"]
ASSIGN["Assign to a scope\n(MG / Sub / RG)"]
EVAL["Resource evaluation\n(immediate + cyclic)"]
EFFECT["Apply effect\n(Deny / Audit / Modify...)"]
REPORT["Compliance report\n(Compliance dashboard)"]
REMED["Remediation\n(deploy / fix)"]
REFINE["Refine definition\n(iteration)"]
DEF --> INIT --> ASSIGN --> EVAL --> EFFECT --> REPORT --> REMED --> REFINE --> DEF
Note: Evaluation triggers on resource creation/update AND cyclically (approximately every 24 hours).
A.2 Exemptions and Exclusions
Exclusions (during assignment): exclude a specific scope from policy enforcement.
# Create an assignment with a resource group exclusion
New-AzPolicyAssignment `
-Name 'deny-non-allowed-locations' `
-PolicyDefinition (Get-AzPolicyDefinition -Name 'allowed-locations') `
-Scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' `
-NotScope @('/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/exempt-rg') `
-PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus') }
Exemptions: grant a temporary waiver to a specific resource, with an expiration date.
{
"type": "Microsoft.Authorization/policyExemptions",
"name": "legacy-app-exemption",
"properties": {
"policyAssignmentId": "/subscriptions/.../policyAssignments/deny-non-allowed-locations",
"exemptionCategory": "Waiver", // Waiver or Mitigated
"expiresOn": "2026-12-31T00:00:00Z",
"displayName": "Exemption for legacy app migration",
"description": "Legacy app currently being migrated"
}
}
| Category | Usage |
|---|---|
| Waiver | The policy cannot be applied for justified reasons |
| Mitigated | The risk is mitigated by other controls |
A.3 Automatic Remediation
Policies with DeployIfNotExists and Modify effects can automatically fix non-compliant resources.
flowchart LR
POLICY["Policy\nDeployIfNotExists"] --> EVAL["Evaluation\nNon-compliant resource"]
EVAL --> TASK["Remediation Task\n(created manually or automatically)"]
TASK --> FIX["Deployment\nof missing resource"]
FIX --> COMP["Compliant resource ✓"]
Example: Policy to automatically deploy diagnostic settings on VMs.
{
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": { ... }
}
}
}
}
}
# Trigger a remediation task via CLI
az policy remediation create \
--name 'remediate-diagnostics' \
--policy-assignment '/subscriptions/{sub}/providers/Microsoft.Authorization/policyAssignments/{name}' \
--resource-group 'prod-rg'
A.4 Policy-as-Code (GitOps)
The best practice is to manage policies as code in Git.
flowchart TD
DEV["Developer\ncreates/modifies policy JSON"]
GIT["Git Repository\n(Azure DevOps / GitHub)"]
PR["Pull Request\n+ JSON schema validation"]
PIPE["CI/CD Pipeline\n(Azure Pipelines)"]
TEST["Test in staging\nenvironment"]
PROD["Deploy to production\n(az policy definition create)"]
DEV --> GIT --> PR --> PIPE --> TEST --> PROD
Recommended folder structure:
policies/
├── definitions/
│ ├── allowed-locations.json
│ ├── require-tags.json
│ └── deny-public-storage.json
├── initiatives/
│ ├── security-baseline.json
│ └── cost-optimization.json
└── assignments/
├── management-group-root.json
├── subscription-prod.json
└── rg-finance.json
# Deploy a policy definition from CI/CD
az policy definition create \
--name 'require-environment-tag' \
--display-name 'Require environment tag' \
--description 'All resources must have an environment tag' \
--rules @policies/definitions/require-tags.json \
--params @policies/definitions/require-tags-params.json \
--mode All
A.5 Custom Policy: Complete Example
Scenario 1: Deny creation of Storage Accounts that do not use HTTPS only.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": false
}
]
},
"then": {
"effect": "Deny"
}
},
"parameters": {}
}
Scenario 2: Force the addition of a costCenter tag to all resources that don’t have one.
{
"mode": "Indexed",
"policyRule": {
"if": {
"field": "tags['costCenter']",
"exists": false
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "addOrReplace",
"field": "tags['costCenter']",
"value": "[parameters('defaultCostCenter')]"
}]
}
}
},
"parameters": {
"defaultCostCenter": {
"type": "String",
"defaultValue": "UNKNOWN",
"metadata": { "displayName": "Default Cost Center" }
}
}
}
A.6 Compliance Score
The compliance dashboard in Azure Policy shows the percentage of compliant resources.
Compliance Dashboard:
Initiative "Security Baseline"
├── Policy "Require HTTPS on storage" → 95% compliant (38/40)
├── Policy "Require encryption at rest" → 100% compliant
├── Policy "Restrict allowed VM sizes" → 87% compliant (46/53)
└── Policy "Require tag: environment" → 72% compliant (145/201)
Overall score: 88% compliant
Non-compliant: 15 resources to fix
Section B – Compliance Initiatives and Security Frameworks
B.1 Microsoft Cloud Security Benchmark (MCSB)
The Microsoft Cloud Security Benchmark is the reference security framework for Azure. It groups controls organized by domain.
| Domain | Description |
|---|---|
| NS – Network Security | Segmentation, firewalls, Private Endpoints |
| IM – Identity Management | MFA, RBAC, Privileged Identity Management |
| PA – Privileged Access | JIT, bastion, admin workstations |
| DP – Data Protection | Encryption at rest, in transit, classification |
| AM – Asset Management | Inventory, tagging, lifecycle |
| LT – Logging and Threat Detection | Diagnostics, SIEM, alerts |
| IR – Incident Response | Response plans, Microsoft contact |
| PV – Posture and Vulnerability Management | Patch, scans, Defender for Cloud |
| ES – Endpoint Security | AV, EDR, endpoint management |
| BR – Backup and Recovery | RPO/RTO, backup policies, testing |
| DS – DevOps Security | Secrets management, code scanning |
| GS – Governance and Strategy | Policies, CSPM, organization |
B.2 Built-in Regulatory Compliance Initiatives
Azure Policy provides initiatives corresponding to major regulatory frameworks:
mindmap
root((Regulatory\nCompliance\nAzure))
IT Security
CIS Azure Foundations
Microsoft Cloud Security Benchmark
NIST SP 800-53
Financial Industry
PCI DSS
SOX
Healthcare
HIPAA/HITRUST
Government
FedRAMP
CMMC
International
ISO 27001
SOC 2
GDPR
CIS Azure Foundations Benchmark
Initiative: "CIS Microsoft Azure Foundations Benchmark v2.0.0"
Number of policies: ~150+
Example controls:
1.1 - Ensure MFA is enabled for all users with write permission
2.1 - Ensure that Microsoft Defender for Servers is set to On
3.1 - Ensure that "Secure transfer required" is enabled for Storage Accounts
4.1 - Ensure that "Auditing" is set to On for SQL Server
5.1 - Ensure that Azure AD Authentication is configured for SQL Server
PCI DSS
Initiative: "PCI DSS v4"
Key requirements:
Req 1 : Firewall → properly configured NSGs
Req 2 : No default passwords → Azure Policy + Defender
Req 3 : Cardholder data protection → TDE, Always Encrypted
Req 6 : Secure development → Azure DevOps, SAST
Req 7 : Access control → RBAC, PIM
Req 10 : Logging → Azure Monitor, Log Analytics
Req 11 : Security testing → Microsoft Defender for Cloud
ISO 27001
Initiative: "ISO 27001:2013"
Annex A controls covered:
A.5 - Security policies
A.6 - Organization of security
A.9 - Access control (RBAC)
A.10 - Cryptography (TDE, Key Vault)
A.12 - Operations security (monitoring, backups)
A.13 - Communications security (NSG, TLS)
A.16 - Incident management
A.18 - Regulatory compliance
B.3 Microsoft Defender for Cloud and Secure Score
Microsoft Defender for Cloud (formerly Azure Security Center) integrates compliance recommendations.
flowchart TD
DFC["Microsoft Defender for Cloud"]
DFC --> SS["Secure Score\n(0-100%)"]
DFC --> COMP["Regulatory Compliance\n(frameworks)"]
DFC --> REC["Recommendations\n(corrective actions)"]
DFC --> ALERTS["Security Alerts\n(detected threats)"]
SS --> IMPROV["Improve score\nby applying recommendations"]
COMP --> MCSB["Microsoft Cloud\nSecurity Benchmark"]
COMP --> PCI["PCI DSS"]
COMP --> ISO["ISO 27001"]
COMP --> NIST["NIST SP 800-53"]
Secure Score calculation:
Secure Score = (Points earned / Maximum possible points) × 100
Example:
Control "Enable MFA" : 10/10 points
Control "Enable endpoint protection" : 3/8 points
Control "Restrict network access" : 6/6 points
Total : 19/24 = 79%
Section C – Azure Management Groups: Enterprise Architecture
C.1 Limits and Constraints
| Limit | Value |
|---|---|
| Maximum hierarchy levels | 6 (not counting root) |
| Management Groups per tenant | 10,000 |
| Subscriptions per Management Group | Unlimited (practically) |
| Inheritable policies | Yes, cascades downward |
| Policies blockable by children | No (except exemption) |
C.2 Recommended Architecture (Cloud Adoption Framework)
Microsoft recommends a hierarchical structure aligned with the Cloud Adoption Framework (CAF):
flowchart TD
ROOT["Tenant Root Group"]
ROOT --> PLAT["Platform MG\n(central infrastructure)"]
ROOT --> LAND["Landing Zones MG\n(application workloads)"]
ROOT --> SAND["Sandboxes MG\n(isolated dev/test)"]
ROOT --> DECOMM["Decommissioned MG\n(decommissioned resources)"]
PLAT --> MGMT["Management MG\n(monitoring, SIEM)"]
PLAT --> CONN["Connectivity MG\n(hub VNet, firewall)"]
PLAT --> IDEN["Identity MG\n(AD DS, Entra)"]
LAND --> CORP["Corp MG\n(hub-connected apps)"]
LAND --> ONLINE["Online MG\n(public apps, DMZ)"]
CORP --> PROD["Subscription: Prod"]
CORP --> DEV["Subscription: Dev"]
ONLINE --> WEB["Subscription: Web"]
Advantages of this structure:
- Clear separation between platform and application teams.
- Security policies applied differently (Online = more restrictive for internet access).
- Sandbox fully isolated from the rest (less restrictive policies for experimentation).
C.3 RBAC on Management Groups
Assigning a role to a Management Group = automatic inheritance to all child subscriptions.
# Assign the Reader role to an entire Management Group
New-AzRoleAssignment `
-ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ` # AAD Group or User Object ID
-RoleDefinitionName "Reader" `
-Scope "/providers/Microsoft.Management/managementGroups/Corp-MG"
# Assign Contributor to a team for the entire dev MG
New-AzRoleAssignment `
-ObjectId "dev-team-group-object-id" `
-RoleDefinitionName "Contributor" `
-Scope "/providers/Microsoft.Management/managementGroups/Dev-MG"
C.4 Moving a Subscription Between Management Groups
# Move a subscription via CLI
az account management-group subscription add \
--name 'DestinationMG' \
--subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
# Remove from a MG
az account management-group subscription remove \
--name 'SourceMG' \
--subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Important: Moving inherits policies from the destination MG automatically. Verify compatibility before moving production subscriptions.
Section D – Azure Cost Management: Full Control
D.1 Azure Pricing Models
flowchart LR
PAYG["Pay-As-You-Go\n(PAYG)\n~actual consumption"]
DEV["Dev/Test\n(discounted rates\nfor MSDN subscriptions)"]
SPOT["Spot VMs\n(up to 90% discount\ninterruptible)"]
RI["Reserved Instances\n(1 or 3 years)\n40-72% discount"]
SP["Savings Plans\n(flexible, by family)\n15-65% discount"]
HUB["Azure Hybrid Benefit\n(SQL/Windows licenses\non-premises)"]
PAYG --> RI
PAYG --> SP
PAYG --> SPOT
| Model | Discount | Constraint | Use case |
|---|---|---|---|
| Pay-As-You-Go | 0% | None | Unpredictable workloads |
| Reserved Instances (1 year) | ~40% | 1-year commitment, fixed region | Stable VMs, SQL, Cosmos DB |
| Reserved Instances (3 years) | ~72% | 3-year commitment | Very stable workloads |
| Savings Plans (1 year) | ~15-25% | Hourly spend commitment | More flexible than RI |
| Spot VMs | up to 90% | Interruptible at any time | Batch, CI/CD, dev/test |
| Azure Hybrid Benefit | up to 40% | Valid on-prem licenses | SQL Server, Windows migration |
| Dev/Test | ~40-55% | MSDN/Visual Studio subscription | Development environments |
D.2 Cost Analysis – Spending Analysis
Available views:
Cost Management → Cost Analysis
Accumulated cost (month-to-date cumulative)
Daily costs
By service (Azure service)
By resource (individual resource)
By resource group
By tag (by costCenter, environment, etc.)
By subscription (for MGs)
Example of advanced filtering:
Filter by:
Period : Last month
Group : Service Name
Filter : Service = Virtual Machines
Sub-filter : Resource Group = prod-rg
Result: exact cost of VMs in prod-rg the previous month
→ Identify the most expensive VMs
→ Compare with previous months
→ Decide on rightsizing or reserved instances
D.3 Budgets and Advanced Alerts
flowchart TD
BUDGET["Azure Budget\n(amount + period)"]
BUDGET --> A50["50% Alert\n→ Email to team"]
BUDGET --> A80["80% Alert\n→ Email to manager"]
BUDGET --> A90["90% Forecast Alert\n→ Create ticket"]
BUDGET --> A100["100% Alert\n→ Action Group\n(disable test VMs)"]
Create a budget with automated action via CLI:
az consumption budget create \
--budget-name 'monthly-prod-budget' \
--amount 10000 \
--time-grain Monthly \
--start-date '2025-01-01' \
--end-date '2026-12-31' \
--resource-group 'prod-rg' \
--notifications '{
"actual_80": {
"enabled": true,
"operator": "GreaterThan",
"threshold": 80,
"contactEmails": ["finance@company.com", "manager@company.com"],
"contactRoles": ["Owner", "Contributor"],
"thresholdType": "Actual"
},
"forecasted_100": {
"enabled": true,
"operator": "GreaterThan",
"threshold": 100,
"contactEmails": ["finance@company.com"],
"thresholdType": "Forecasted"
}
}'
D.4 Tags for Chargeback and Showback
Tagging strategy for cost allocation:
Required tags (enforced by Azure Policy):
costCenter : Cost center (e.g., "IT-INFRA-001")
environment : Environment (prod, dev, staging, test)
application : Application name (e.g., "erp-sap")
owner : Owner (e.g., "john.smith@company.com")
businessUnit : Business unit (e.g., "finance", "hr", "it")
Allocation models:
Chargeback : Costs are directly billed to the department
Showback : Costs are shown but not billed (visibility only)
Resource Graph query for cost report by tag:
Resources
| where isnotempty(tags.costCenter)
| summarize count() by tostring(tags.costCenter), type
| order by tags_costCenter asc
D.5 Azure Advisor – Cost Recommendations
Azure Advisor analyzes your environment and provides recommendations in 6 categories:
mindmap
root((Azure Advisor))
Cost
Underutilized VMs
Suggested Reserved Instances
Unattached disks
Unused public IP addresses
Security
MFA not enabled
Open ports
Outdated certificates
Reliability
Backup not configured
Missing Availability Zones
Traffic Manager
Operational Excellence
Service Health alerts
Log Analytics not enabled
Performance
Premium SSD recommended
Insufficient Redis cache size
Well-Architected
Well-Architected Framework score
Example of typical cost recommendations:
| Recommendation | Potential savings |
|---|---|
| 3 underutilized VMs → reduce size | -$450/month |
| 5 unattached Premium disks → delete | -$120/month |
| 2 unused public IPs → delete | -$15/month |
| Reserved Instances for 8 stable VMs | -$2,100/month (3 years) |
| Total potential | -$2,685/month |
D.6 Exports and Power BI Integration
Cost Management → Exports → Create Export
Type : Daily export of month-to-date costs
Format : CSV
Destination: Azure Blob Storage Container
Frequency : Daily
Power BI Integration:
Power BI Desktop → Get Data → Azure Cost Management
→ Select subscription or Management Group
→ Build custom reports and dashboards
Section E – Template Specs and Deployment Stacks
E.1 Template Specs: Blueprint ARM Replacement
Template Specs allow storing and versioning ARM or Bicep templates in Azure as a reusable artifact.
flowchart LR
BICEP["Bicep Template\n(or ARM JSON)"]
TS["Template Spec\n(Azure Resource)"]
DEPLOY["Deployment\n(subscription, RG, MG)"]
REUSE["Cross-subscription\nreuse"]
BICEP --> TS
TS --> DEPLOY
TS --> REUSE
Create a Template Spec:
# Create a Template Spec from a Bicep file
az ts create \
--name 'standard-webapp-template' \
--version '1.0.0' \
--resource-group 'governance-rg' \
--location 'eastus' \
--template-file 'webapp-template.bicep' \
--display-name 'Standard Web App Template' \
--description 'Standardized template for all web apps'
# Deploy from a Template Spec
az deployment group create \
--resource-group 'target-rg' \
--template-spec '/subscriptions/{sub}/resourceGroups/governance-rg/providers/Microsoft.Resources/templateSpecs/standard-webapp-template/versions/1.0.0' \
--parameters @params.json
Advantages over Blueprints:
- Native versioning (1.0.0, 1.1.0, 2.0.0…)
- Cross-subscription sharing via RBAC
- Full Azure DevOps/GitHub integration
- Native Bicep support (simpler syntax than ARM JSON)
E.2 Deployment Stacks: Lifecycle Management
Deployment Stacks allow managing a group of resources as a cohesive unit, with protection against accidental deletions.
flowchart TD
STACK["Deployment Stack\n(webapp-production)"]
STACK --> WEBAPP["App Service Plan"]
STACK --> DB["Azure SQL Database"]
STACK --> KV["Key Vault"]
STACK --> STORAGE["Storage Account"]
STACK --> NIC["Network Interface"]
UPDATE["Stack update\n(new template)"] --> STACK
DELETE["Stack deletion\n→ all resources deleted"] --> STACK
DENY["DenySettings\n(Deny Delete / Deny Write)"] --> STACK
// Create a Deployment Stack via Bicep
resource stack 'Microsoft.Resources/deploymentStacks@2024-03-01' = {
name: 'webapp-production-stack'
location: 'eastus'
properties: {
template: loadJsonContent('webapp-template.json')
parameters: {
appName: { value: 'my-production-app' }
sku: { value: 'P1v3' }
}
actionOnUnmanage: {
resources: 'delete' // Delete resources if removed from template
resourceGroups: 'delete'
}
denySettings: {
mode: 'denyDelete' // Prevent direct deletion of resources
applyToChildScopes: true
}
}
}
denySettings.mode parameter | Behavior |
|---|---|
none | No protection (default) |
denyDelete | Block direct deletions |
denyWriteAndDelete | Block deletions AND modifications |
E.3 Bicep: Modern IaC Syntax
// webapp-template.bicep
// Standard template for a web application with SQL Database
@description('Application name')
param appName string
@description('Target environment')
@allowed(['dev', 'staging', 'prod'])
param environment string = 'dev'
@description('App Service plan size')
param sku string = 'B1'
var location = resourceGroup().location
var planName = '${appName}-plan-${environment}'
var sqlServerName = '${appName}-sql-${environment}'
// App Service Plan
resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
name: planName
location: location
sku: {
name: sku
tier: sku == 'P1v3' ? 'PremiumV3' : 'Basic'
}
tags: {
environment: environment
application: appName
costCenter: 'IT-WEB-001'
}
}
// Web App
resource webApp 'Microsoft.Web/sites@2023-01-01' = {
name: appName
location: location
properties: {
serverFarmId: appServicePlan.id
httpsOnly: true // HTTPS required
siteConfig: {
minTlsVersion: '1.2'
ftpsState: 'Disabled'
}
}
tags: {
environment: environment
application: appName
}
}
Section F – Tags and Resource Governance
F.1 Enterprise Tagging Strategy
A good tagging system is the backbone of financial and operational governance.
mindmap
root((Azure Tags))
Finance
costCenter
businessUnit
project
budget
Operational
environment
owner
team
ticketNumber
Technical
application
component
version
tier
Compliance
dataClassification
compliance
retention
Recommended required tags table:
| Tag | Description | Example values | Enforced by Policy |
|---|---|---|---|
environment | Environment | prod, staging, dev, test | Yes (Deny) |
costCenter | Cost center | DEPT-001, IT-INFRA-002 | Yes (Deny) |
owner | Owner email | john.smith@company.com | Yes (Deny) |
application | Business application | erp-sap, crm-salesforce | Yes (Deny) |
businessUnit | Business unit | finance, hr, it, marketing | Yes (Audit) |
dataClassification | Data classification | public, internal, confidential | Recommended |
F.2 Tag Inheritance with Azure Policy
By default, tags are not automatically inherited. Azure Policy can enforce inheritance:
// Policy: Inherit the "environment" tag from the Resource Group
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "tags['environment']",
"exists": false
},
{
"value": "[resourceGroup().tags['environment']]",
"exists": true
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "addOrReplace",
"field": "tags['environment']",
"value": "[resourceGroup().tags['environment']]"
}]
}
}
}
}
Section G – RBAC (Role-Based Access Control) and Access Control
G.1 Azure RBAC Model
Azure RBAC controls WHO can do WHAT on WHICH resource.
flowchart LR
PRINCIPAL["Security Principal\n(User / Group / SP / MI)"]
ROLE["Role\n(Role Definition)"]
SCOPE["Scope\n(MG / Sub / RG / Resource)"]
ASSIGN["Role Assignment\n(Association of the 3)"]
PRINCIPAL --> ASSIGN
ROLE --> ASSIGN
SCOPE --> ASSIGN
ASSIGN --> PERMISSION["Permissions granted\nwithin the scope"]
G.2 Essential Built-in Roles
| Role | Permissions | Use case |
|---|---|---|
| Owner | Everything, including RBAC | Subscription administrators |
| Contributor | Everything except RBAC | Development teams |
| Reader | Read-only | Auditors, finance |
| User Access Administrator | Manage RBAC only | Access managers |
| Security Admin | Defender for Cloud | Security team |
| Billing Reader | Bills and costs | Finance |
| Network Contributor | Network only | Network team |
| Storage Blob Data Contributor | Blobs in Storage | Applications, data engineers |
| Key Vault Secrets Officer | Key Vault secrets | Applications |
G.3 Custom Roles
// Custom role: VM Operator (start/stop, not create/delete)
{
"Name": "VM Operator",
"Description": "Can start and stop VMs but not create or delete them",
"Actions": [
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId}"
]
}
# Create the custom role
az role definition create --role-definition @vm-operator-role.json
# Assign the role to a group
az role assignment create \
--role "VM Operator" \
--assignee-object-id "group-object-id" \
--scope "/subscriptions/{sub}/resourceGroups/prod-vms-rg"
G.4 Privileged Identity Management (PIM)
Azure AD PIM (via Microsoft Entra ID) allows activating privileged roles on demand (Just-in-Time).
sequenceDiagram
participant USR as User
participant PIM as Azure PIM
participant APP as Azure Resource
participant MGR as Approver
USR->>PIM: Request "Owner" role activation (4 hours)
PIM->>MGR: Approval notification required
MGR->>PIM: Approves the request
PIM->>USR: Role activated for 4 hours
USR->>APP: Privileged access (audit trail)
Note over PIM,APP: After 4h, the role deactivates automatically
| PIM Benefit | Description |
|---|---|
| Just-in-Time | Privileged access only when needed |
| Time-bound | Configurable maximum duration (e.g., 1-8h) |
| Approval workflow | Manual approval required |
| Audit trail | All activations are logged |
| MFA enforcement | MFA required to activate |
| Access reviews | Periodic review of active assignments |
Section H – Microsoft Purview and Data Governance
H.1 Overview
Microsoft Purview is Microsoft’s unified data governance and compliance solution.
flowchart TD
subgraph PURVIEW["Microsoft Purview"]
DG["Data Governance\n(Unified Data Catalog)"]
COMP["Compliance\n(Compliance Manager, DLP, eDiscovery)"]
RISK["Risk & Compliance\n(Insider Risk, Communication Compliance)"]
INFO["Information Protection\n(Sensitivity Labels, MIP)"]
end
ON_PREM["(SQL Server\non-premises)"] --> DG
AZURE["(Azure Data Services)"] --> DG
M365["(Microsoft 365)"] --> DG
THIRD["(AWS, GCP,\nSaaS services)"] --> DG
H.2 Purview Data Map and Data Catalog
Data Map: automatic map of all data sources in the organization.
Supported sources:
├── Azure: SQL Database, Synapse, Blob Storage, Data Lake, Cosmos DB
├── On-premises: SQL Server, Oracle, SAP
├── Multi-cloud: AWS S3, RDS, Redshift; GCP BigQuery
└── SaaS: Salesforce, Power BI, SAP S/4HANA
Automated scan:
→ Discovery of tables, columns, schemas
→ Automatic classification (emails, credit cards, SSNs)
→ Data Lineage
→ Integration into Data Catalog
Data Lineage:
Azure Data Factory Pipeline:
SQL Database (source)
└─→ ADF Copy Activity
└─→ Data Lake Gen2 (landing zone)
└─→ Databricks Notebook (transformation)
└─→ Synapse Dedicated Pool (destination)
└─→ Power BI Dataset
└─→ Power BI Report
Purview displays this complete flow visually.
H.3 Sensitivity Labels and Classification
Sensitivity labels (example):
Public
Internal Only
Confidential
Highly Confidential / PII
Application:
→ Office files (Word, Excel, SharePoint)
→ Outlook emails
→ Teams messages
→ Azure SQL columns
→ Power BI datasets
Automatic actions:
Label "Confidential" → AIP encryption + watermark
Label "Highly Confidential / PII" → Encryption + sharing restrictions
H.4 Compliance Manager
Compliance Manager provides an aggregated compliance score based on completed actions.
Compliance Score:
Framework: GDPR
├── Action "Enable SQL auditing" : 15 pts (done ✓)
├── Action "Enable TDE on all DBs" : 10 pts (done ✓)
├── Action "Train employees on DLP" : 20 pts (in progress ⟳)
└── Action "Implement RoPA management" : 30 pts (not done ✗)
GDPR Score: 65/100
Suggested actions by priority:
1. High importance: implement RoPA (30 pts)
2. Medium: complete training (20 pts)
Section I – Azure Advisor: All Categories
I.1 Overview of 6 Categories
mindmap
root((Azure Advisor\nOverall Score))
Cost
Reserved Instances
Underutilized VMs
Orphaned resources
Security
Defender integration
MFA, RBAC
Open ports
Reliability
Backup enabled
Availability Zones
Zone-redundant
Operational Excellence
Service Health
Logs enabled
Compliant tags
Performance
Appropriate sizing
Redis cache
CDN
Well-Architected
WAF score
5 pillars
I.2 Advisor Score
Advisor Score = weighted average of 5 categories (Cost not included in overall score)
Security : 78% (high weight)
Reliability : 85%
Operational : 72%
Performance : 90%
Well-Arch : 68%
─────────────────────
Overall score : 78.6%
I.3 Advisor API for Automation
# List all unresolved recommendations
az advisor recommendation list \
--subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
--output table
# Filter by Cost category
az advisor recommendation list \
--category Cost \
--output json | jq '.[].properties.shortDescription.solution'
Section J – Azure Service Health and Platform Events
J.1 Service Health Components
flowchart TD
SH["Azure Service Health"]
SH --> STATUS["Azure Status\nstatus.azure.com\n(global incidents)"]
SH --> SHEALTH["Service Health\n(incidents impacting your sub)"]
SH --> RHEALTH["Resource Health\n(health of your individual resources)"]
SH --> ALERTS["Service Health Alerts\n(custom notifications)"]
| Component | Scope | Usage |
|---|---|---|
| Azure Status | Global, all services | General cloud monitoring |
| Service Health | Your subscription | Incidents specifically affecting you |
| Resource Health | Individual resource | Diagnose a specific VM, DB |
| Health Alerts | Configurable | Be proactively notified |
J.2 Create a Service Health Alert
# Alert for service interruptions in East US
az monitor activity-log alert create \
--name 'service-health-eastus-alert' \
--resource-group 'monitoring-rg' \
--condition category=ServiceHealth \
--condition level=error \
--condition operationName=Microsoft.ServiceHealth/incident/write \
--action-group '/subscriptions/{sub}/resourceGroups/monitoring-rg/providers/Microsoft.Insights/actionGroups/ops-team-ag'
Section K – Review Questions
15 Multiple Choice Questions
Question 1 You want to prevent the creation of Azure resources outside the East US and West US regions. Which policy effect do you use?
- A) Audit
- B) Modify
- C) Deny
- D) DeployIfNotExists
Answer: C — The Deny effect blocks the creation/modification of non-compliant resources. Audit would only flag non-compliance without blocking.
Question 2 Your organization must demonstrate ISO 27001 compliance to an external auditor. Where in Azure Policy do you find an initiative covering these controls?
- A) In Built-in Policy Definitions, under the “Regulatory Compliance” category
- B) In Azure Cost Management
- C) In Azure Resource Graph
- D) In Azure Advisor
Answer: A — Azure Policy provides built-in initiatives corresponding to major frameworks (ISO 27001, PCI DSS, NIST, CIS…) available under “Regulatory Compliance”.
Question 3 Your company has 15 Azure subscriptions. You want to apply a security policy to all of them in a single operation, while being able to make exceptions for certain subscriptions. Which service should you use?
- A) Azure Policy with one assignment per subscription
- B) Azure Management Groups with a policy assigned to the root group
- C) Azure Resource Graph
- D) Azure Blueprints
Answer: B — Management Groups allow assigning a policy once at the root level, and it applies to all child subscriptions. Exemptions can be defined for specific subscriptions.
Question 4
A policy with the DeployIfNotExists effect was assigned. It detects VMs without a monitoring agent. What additional action is needed to fix existing VMs?
- A) Reassign the policy
- B) Create a Remediation Task
- C) Redeploy the VMs
- D) Nothing, the effect applies automatically
Answer: B —
DeployIfNotExistsautomatically applies to new resources. For existing non-compliant resources, a Remediation Task must be explicitly created.
Question 5 What is the main difference between Azure Reservations (Reserved Instances) and Savings Plans?
- A) Reservations are only for VMs; Savings Plans cover all services
- B) Reservations apply to specific resources (region, size, service); Savings Plans apply to a service family with regional flexibility
- C) Savings Plans have a maximum duration of 1 year
- D) Reservations only work with the vCore model
Answer: B — Reserved Instances are tied to a specific resource (type, region). Savings Plans offer more flexibility on region and size in exchange for an hourly spend commitment.
Question 6 Azure Blueprints will be deprecated in July 2026. Which combination of services is recommended as a replacement?
- A) Azure Policy + Azure Resource Graph
- B) Template Specs + Deployment Stacks
- C) Azure DevOps + Azure Artifacts
- D) Terraform + Azure Resource Manager
Answer: B — Microsoft officially recommends Template Specs (to store/version templates) and Deployment Stacks (to manage deployment lifecycle) as the replacement for Azure Blueprints.
Question 7 A developer requests “Owner” access to the production subscription. Which security practice would allow granting this access securely, for only 4 hours, with manager approval?
- A) Create a time-limited custom role
- B) Use Azure PIM (Privileged Identity Management) with Just-in-Time activation
- C) Temporarily assign the Contributor role
- D) Use Azure Policy with a temporary exemption
Answer: B — Azure PIM enables JIT activation of privileged roles with: limited duration, approval workflow, MFA required, and a complete audit trail.
Question 8 Which KQL query in Azure Resource Graph finds all Storage Accounts without mandatory HTTPS?
A) Resources | where type == "storage/storageaccounts" | where httpsOnly == false
B) Resources | where type == "microsoft.storage/storageaccounts" | project name, httpsOnly = properties.supportsHttpsTrafficOnly | where httpsOnly == false
C) AzureActivity | where ResourceType == "storage" | where HTTPS == false
D) SecurityBaseline | where control == "HTTPS" | where compliant == false
Answer: B — This correct KQL syntax uses the full type name (
microsoft.storage/storageaccounts), projects the necessary properties, and filters onhttpsOnly == false.
Question 9 Your finance team wants to see Azure costs per department using tags, but does not want to be directly billed. Which cost allocation model fits this need?
- A) Chargeback (rebilling)
- B) Showback (visibility without billing)
- C) Reserved Instances
- D) Cost Allocation Rules
Answer: B — Showback provides cost visibility by tag/department without formally reallocating costs in accounting. Chargeback involves actual internal billing.
Question 10
A policy with the Modify effect is assigned to add the tag environment=prod to all resources in a Resource Group. Will an existing resource without this tag be automatically updated?
- A) Yes, immediately upon assignment
- B) No, the Modify effect only applies to new creations; a Remediation Task is needed
- C) Yes, within 24 hours of assignment
- D) No, Modify does not work with tags
Answer: B — Like
DeployIfNotExists,Modifyonly automatically applies to new resources or during an update. A Remediation Task is needed for existing non-compliant resources.
Question 11 Which Azure service allows querying resources across 50 subscriptions simultaneously with a structured query language, returning near real-time results?
- A) Azure Monitor
- B) Azure Log Analytics
- C) Azure Resource Graph
- D) Azure Service Health
Answer: C — Azure Resource Graph is designed for cross-subscription KQL queries on the Azure resource inventory, with near real-time results and without impacting standard ARM API performance.
Question 12
A company wants to ensure all its new resources automatically inherit the costCenter tag from their Resource Group. Which policy effect is appropriate?
- A) DeployIfNotExists
- B) Append
- C) Modify
- D) AuditIfNotExists
Answer: C — The Modify effect allows adding or modifying properties (including tags) during resource creation or update. It can read the tag from the parent Resource Group and apply it to the child resource.
Question 13 Which Microsoft Purview component visualizes the data flow from a SQL source to a Power BI report through Azure Data Factory and Synapse?
- A) Data Catalog
- B) Data Lineage (Data Map)
- C) Compliance Manager
- D) Sensitivity Labels
Answer: B — Data Lineage in Purview (exposed via the Data Map) automatically traces the journey of data through Azure services (ADF, Synapse, Power BI) and displays it visually.
Question 14 You need to restrict a developer to only starting and stopping VMs, without being able to create or delete them. Which approach is most appropriate?
- A) Assign the Contributor role with a Deny policy for Create and Delete
- B) Create a custom role with only start, restart, and deallocate actions
- C) Assign the Virtual Machine Contributor role
- D) Use Azure PIM to limit the Contributor role to 2 hours
Answer: B — A custom RBAC role allows precisely defining the allowed
Actions(start, restart, deallocate) without including Create or Delete actions. TheVirtual Machine Contributorrole includes too many permissions.
Question 15 What is the primary purpose of Deployment Stacks compared to simple ARM deployments?
- A) Speed up deployment by parallelizing resources
- B) Manage the complete lifecycle of a resource group as a unit, including protection against unauthorized modifications/deletions
- C) Provide a graphical interface for ARM templates
- D) Enable multi-region deployment with a single command
Answer: B — Deployment Stacks manage resources as a cohesive unit: atomic updates, grouped deletions, and protection via
denySettingsthat can prevent any direct modification of resources managed by the stack.
Section L – Summary Diagrams
L.1 Azure Governance Overview
flowchart TD
subgraph ORG["Azure Organization"]
TRG["Tenant Root Group"]
MG1["Corp Management Group"]
MG2["Dev Management Group"]
SUB1["Subscription Prod"]
SUB2["Subscription Dev"]
RG1["Resource Group App"]
RG2["Resource Group Data"]
end
subgraph GOV["Governance Tools"]
POLICY["Azure Policy\n(controls)"]
COST["Cost Management\n(financial)"]
RG_TOOL["Resource Graph\n(inventory)"]
RBAC_T["RBAC\n(access)"]
TAGS_T["Tags\n(organization)"]
PURVIEW_T["Purview\n(data)"]
ADVISOR_T["Advisor\n(optimization)"]
end
TRG --> MG1 --> SUB1 --> RG1
MG1 --> SUB1 --> RG2
TRG --> MG2 --> SUB2
POLICY --> TRG
COST --> SUB1
RG_TOOL --> TRG
RBAC_T --> MG1
TAGS_T --> RG1
PURVIEW_T --> RG2
ADVISOR_T --> SUB1
L.2 Decision Flow for Non-Compliance
flowchart TD
DETECT["Non-compliant resource\ndetected"] --> Q1{Type of\nnon-compliance?}
Q1 -- Critical security --> DENY["Policy Deny\nblock immediately"]
Q1 -- Missing configuration --> REMED["DeployIfNotExists\n+ Remediation Task"]
Q1 -- Missing tag --> MOD["Policy Modify\n+ Remediation Task"]
Q1 -- Observation only --> AUDIT["Policy Audit\ncompliance report"]
DENY --> REPORT["Compliance Dashboard\n+ Notifications"]
REMED --> REPORT
MOD --> REPORT
AUDIT --> REPORT
REPORT --> REVIEW["Review and\npolicy improvement"]
Glossary
| Term | Definition |
|---|---|
| Azure Policy | Azure service to create, assign, and manage compliance rules on resources |
| Initiative | Grouping of multiple policy definitions for a common objective |
| Assignment | Binding of a policy definition to a scope (MG, Sub, RG, resource) |
| Scope | Application scope of a policy or RBAC role |
| Effect | A policy’s action: Deny, Audit, Modify, DeployIfNotExists, Append, AuditIfNotExists |
| Exemption | Temporary waiver granted to a specific resource for a policy |
| Remediation Task | Task created to fix existing non-compliant resources |
| Management Group | Logical container grouping subscriptions for unified governance |
| Trickle-down | Inheritance of policies and RBAC roles from parent to all children in the hierarchy |
| Cost Management | Suite of tools for analyzing, alerting on, and optimizing Azure spending |
| Budget | Spending limit configured with alert thresholds (Actual and Forecasted) |
| Chargeback | Allocation model where costs are formally billed back to departments |
| Showback | Cost visibility model without formal rebilling |
| Reserved Instances | 1 or 3 year commitment on specific resources in exchange for discounts (40-72%) |
| Savings Plans | Hourly spend commitment on a service family, more flexible than RIs |
| Spot VMs | Interruptible VMs at a highly reduced price (up to 90%) for batch/CI-CD workloads |
| Azure Hybrid Benefit | Reuse of SQL Server or Windows Server on-premises licenses on Azure |
| Azure Advisor | Recommendation service in 6 categories (Cost, Security, Reliability, Perf, OE, WAF) |
| Template Specs | Azure artifact to store and version reusable ARM/Bicep templates |
| Deployment Stacks | Complete lifecycle management of a group of resources as an atomic unit |
| Bicep | Microsoft IaC language (simplified syntax, transpiled to ARM JSON) |
| RBAC | Role-Based Access Control — role-based access control |
| PIM | Privileged Identity Management — JIT activation of privileged roles with approval |
| Custom Role | RBAC role created with specific permissions |
| Azure Resource Graph | Cross-subscription KQL query service on near real-time Azure inventory |
| KQL | Kusto Query Language — query language used by Resource Graph, Log Analytics, Sentinel |
| Microsoft Purview | Data governance platform: cataloging, classification, lineage, compliance |
| Data Lineage | Traceability of data flow from source to report |
| Sensitivity Labels | Data classification labels (Public, Internal, Confidential, Highly Confidential) |
| Compliance Manager | Purview tool that calculates a compliance score for regulatory frameworks |
| CIS Benchmark | Center for Internet Security — security reference for Azure (150+ controls) |
| MCSB | Microsoft Cloud Security Benchmark — native Azure security framework |
| Secure Score | 0-100% score in Defender for Cloud representing security posture |
| Service Health | Azure service for tracking the health of Azure services impacting your subscription |
| Well-Architected Framework | Microsoft’s 5 pillars (Cost, Security, Reliability, Performance, Operational Excellence) |
| CAF | Cloud Adoption Framework — Microsoft guide for Azure migration and adoption |
| Trickle-down inheritance | Policies and roles applied to a Management Group are inherited throughout the entire hierarchy below |
Search Terms
azure · governance · compliance · core · infrastructure · microsoft · policy · management · groups · advisor · cost · cloud · health · initiatives · rbac · score · service · alerts · architecture · benchmark · budgets · built-in · categories · control