Intermediate

Azure Governance and Compliance

Azure Policy, management groups, cost management, RBAC, Purview and resource governance with tags.

Table of Contents

  1. Azure Policy
  2. Azure Management Groups
  3. Azure Cost Management
  4. Azure Blueprints (Deprecated)
  5. Azure Resource Graph
  6. Summary and Key Points

1. Azure Policy

1.1 Policy Definitions

An Azure Policy is a JSON rule that evaluates Azure resources and applies an action based on their compliance status.

Structure of a policy definition:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "location",
          "in": ["eastus", "westus"]
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Two types of policies:

  • Built-in: provided by Microsoft (hundreds available)
  • Custom: created by the organization for specific needs

1.2 Assigning a Policy

An assignment binds a policy definition to a scope.

Possible scopes (from broadest to narrowest):

Tenant Root Group (root Management Group)
    └── Management Group
        └── Subscription
            └── Resource Group
                └── Resource (individual)

Via Portal:

Portal → Policy → Assignments → Assign Policy
→ Scope: select subscription or RG
→ Policy definition: search and select
→ Parameters: configure parameters
→ Remediation: optional
→ Review + Create

Via PowerShell:

New-AzPolicyAssignment `
  -Name 'allowed-locations-assignment' `
  -PolicyDefinition (Get-AzPolicyDefinition -Name 'allowed-locations') `
  -Scope '/subscriptions/{subscriptionId}/resourceGroups/app-rg' `
  -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus') }

1.3 Initiatives (Policy Groups)

An initiative is a grouping of multiple policy definitions to achieve a common goal.

Example: The “CIS Azure Foundations Benchmark” initiative groups ~100 security policies.

Benefits of initiatives:

  • Manage multiple policies as a single unit
  • Assign a group of rules in a single operation
  • Simplify compliance with a framework (CIS, ISO, NIST)
Initiative "Security Baseline"
├── Policy: "Require HTTPS on storage accounts"
├── Policy: "Require encryption at rest"
├── Policy: "Restrict allowed VM sizes"
└── Policy: "Require tag: environment"

1.4 Policy Effects

EffectDescriptionWhen to use
DenyBlocks creation/modification of non-compliant resourcesStrict rules to enforce
AuditMarks as non-compliant but does not blockVisibility without blocking
ModifyAdds or modifies propertiesForce tag addition
DeployIfNotExistsDeploys an associated resource if missingAuto-remediation (e.g., add diagnostics)
AppendAdds properties to the resourceAdd fields during creation
AuditIfNotExistsAudits if an associated resource does not existCheck dependencies

Effect evaluation order:

Disabled → Append → Deny → Audit → Modify → AuditIfNotExists → DeployIfNotExists

1.5 Demo: Assign a Location Policy

Goal: Restrict resources in a Resource Group to the East US and West US regions.

Steps:

Portal → Policy → Assignments → Assign Policy
→ Scope: /subscriptions/.../resourceGroups/app-rg
→ Policy Definition: "Allowed locations" (built-in)
→ Parameters:
    listOfAllowedLocations: ["eastus", "westus"]
→ Review + Create

Test compliance:

Portal → Policy → Compliance
→ View the % of compliant resources
→ Non-compliant resources listed with details

2. Azure Management Groups

2.1 Hierarchy and Inheritance

Management Groups allow you to organize subscriptions into a tree structure for centralized governance.

Tenant Root Group (root)
├── Management Group: "Corp"
│   ├── Management Group: "IT"
│   │   ├── Subscription: "IT-Prod"
│   │   └── Subscription: "IT-Dev"
│   └── Management Group: "Finance"
│       └── Subscription: "Finance-Prod"
└── Management Group: "External"
    └── Subscription: "Partner-Sandbox"

Policy inheritance:

  • Policies assigned to a Management Group apply to all subscriptions below
  • “Trickle-down” principle: parent → children
  • Children cannot override inherited policies (except with explicit exemptions)

Benefits:

  • Unified governance across multiple subscriptions
  • Group subscriptions by department, region, or environment
  • Simplify RBAC (one role assignment at the MG level covers everything below)

3. Azure Cost Management

3.1 Analyzing and Controlling Costs

Azure Cost Management + Billing allows you to:

  • Visualize spending by service, region, tag, subscription
  • Identify anomalies and spending spikes
  • Get optimization recommendations (Azure Advisor)

Access:

Portal → Cost Management + Billing → Cost Analysis

Available filters:

  • Scope: subscription, resource group, resource
  • Period: day, week, month, years
  • Granularity: daily, monthly
  • Grouping: by service, by region, by tag, by resource group

Azure Advisor — cost recommendations:

  • Stop unused VMs (underutilized)
  • Resize oversized VMs
  • Delete unattached disks
  • Use Reserved Instances for stable workloads

3.2 Budgets and Alerts

Create a budget:

Cost Management → Budgets → + Add
→ Scope → Amount → Reset period
→ Alert conditions: % of budget
→ Alert recipients: email(s)

Types of alerts:

  • Actual cost alerts: triggered when actual spending exceeds a threshold
  • Forecast alerts: triggered when forecasts indicate an overage

Example configuration:

ThresholdAction
50% of budgetEmail alert to the team
80% of budgetEmail alert to the manager
100% of budgetUrgent alert + optional: disable resources

4. Azure Blueprints (Deprecated)

⚠️ Deprecation planned for July 2026.

Blueprints allowed grouping several “artifacts”:

  • Role assignments
  • Policy assignments
  • ARM templates
  • Resource groups

Migration to:

  • Template Specs: store and version ARM templates
  • Deployment Stacks: manage the lifecycle of a resource group as a unit

Recommended replacement:

Before (Blueprints)         →  After
────────────────────────────────────────
Blueprint definition        →  Template Spec
Blueprint assignment        →  Deployment Stack
Artifact: ARM template      →  Template Spec
Artifact: RBAC              →  Role Assignment in Template
Artifact: Policy            →  Policy Assignment in Template

5. Azure Resource Graph

5.1 KQL Queries

Azure Resource Graph allows you to run KQL (Kusto Query Language) queries against the Azure resource inventory at scale across multiple subscriptions.

Access:

Portal → Resource Graph Explorer

Example KQL queries:

// List all VMs with their status
Resources
| where type == "microsoft.compute/virtualmachines"
| project name, location, properties.hardwareProfile.vmSize,
          properties.provisioningState

// Count resources by type
Resources
| summarize count() by type
| order by count_ desc

// Find resources without an "environment" tag
Resources
| where isnull(tags.environment)
| project name, type, resourceGroup, location

// Check compliance of storage accounts (HTTPS only)
Resources
| where type == "microsoft.storage/storageaccounts"
| project name,
          httpsOnly = properties.supportsHttpsTrafficOnly
| where httpsOnly == false

Characteristics:

  • Near real-time: near real-time inventory
  • Cross-subscription: queries across all subscriptions in the tenant
  • Resource Graph Explorer: web interface to test queries
  • API: available via REST, SDK, CLI

Via Azure CLI:

az graph query -q "Resources | where type == 'microsoft.compute/virtualmachines' | project name, location"

6. Summary and Key Points

ConceptDescription
Azure PolicyJSON rules to evaluate and control resources
Policy EffectDeny, Audit, Modify, DeployIfNotExists, Append
InitiativeGroup of policies for a common objective
AssignmentLinking a policy to a scope
Management GroupSubscription hierarchy for governance
Trickle-downPolicy inheritance from parent → children
Cost ManagementVisualize, alert on, and optimize spending
BudgetSpending limit with configurable alerts
Azure BlueprintsDEPRECATED in July 2026 → Template Specs + Deployment Stacks
Resource GraphCross-subscription KQL queries on Azure inventory

Recommended governance pipeline:

Management Groups (structure)
    ↓
Initiatives (compliance objectives)
    ↓
Policies (specific rules)
    ↓
Assignments (apply to scopes)
    ↓
Compliance Reports (tracking)
    ↓
Cost Management (financial control)
    ↓
Resource Graph (audit and inventory)


Advanced Sections – Deep Dives


Section A – Azure Policy: Complete Deep Dive

A.1 Policy Lifecycle

flowchart TD
    DEF["Create a definition\n(JSON)"]
    INIT["Group into initiative\n(optional)"]
    ASSIGN["Assign to a scope\n(MG / Sub / RG)"]
    EVAL["Resource evaluation\n(immediate + cyclic)"]
    EFFECT["Apply effect\n(Deny / Audit / Modify...)"]
    REPORT["Compliance report\n(Compliance dashboard)"]
    REMED["Remediation\n(deploy / fix)"]
    REFINE["Refine definition\n(iteration)"]

    DEF --> INIT --> ASSIGN --> EVAL --> EFFECT --> REPORT --> REMED --> REFINE --> DEF

Note: Evaluation triggers on resource creation/update AND cyclically (approximately every 24 hours).

A.2 Exemptions and Exclusions

Exclusions (during assignment): exclude a specific scope from policy enforcement.

# Create an assignment with a resource group exclusion
New-AzPolicyAssignment `
  -Name 'deny-non-allowed-locations' `
  -PolicyDefinition (Get-AzPolicyDefinition -Name 'allowed-locations') `
  -Scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' `
  -NotScope @('/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/exempt-rg') `
  -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus') }

Exemptions: grant a temporary waiver to a specific resource, with an expiration date.

{
  "type": "Microsoft.Authorization/policyExemptions",
  "name": "legacy-app-exemption",
  "properties": {
    "policyAssignmentId": "/subscriptions/.../policyAssignments/deny-non-allowed-locations",
    "exemptionCategory": "Waiver",          // Waiver or Mitigated
    "expiresOn": "2026-12-31T00:00:00Z",
    "displayName": "Exemption for legacy app migration",
    "description": "Legacy app currently being migrated"
  }
}
CategoryUsage
WaiverThe policy cannot be applied for justified reasons
MitigatedThe risk is mitigated by other controls

A.3 Automatic Remediation

Policies with DeployIfNotExists and Modify effects can automatically fix non-compliant resources.

flowchart LR
    POLICY["Policy\nDeployIfNotExists"] --> EVAL["Evaluation\nNon-compliant resource"]
    EVAL --> TASK["Remediation Task\n(created manually or automatically)"]
    TASK --> FIX["Deployment\nof missing resource"]
    FIX --> COMP["Compliant resource ✓"]

Example: Policy to automatically deploy diagnostic settings on VMs.

{
  "if": {
    "field": "type",
    "equals": "Microsoft.Compute/virtualMachines"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": { ... }
        }
      }
    }
  }
}
# Trigger a remediation task via CLI
az policy remediation create \
  --name 'remediate-diagnostics' \
  --policy-assignment '/subscriptions/{sub}/providers/Microsoft.Authorization/policyAssignments/{name}' \
  --resource-group 'prod-rg'

A.4 Policy-as-Code (GitOps)

The best practice is to manage policies as code in Git.

flowchart TD
    DEV["Developer\ncreates/modifies policy JSON"]
    GIT["Git Repository\n(Azure DevOps / GitHub)"]
    PR["Pull Request\n+ JSON schema validation"]
    PIPE["CI/CD Pipeline\n(Azure Pipelines)"]
    TEST["Test in staging\nenvironment"]
    PROD["Deploy to production\n(az policy definition create)"]

    DEV --> GIT --> PR --> PIPE --> TEST --> PROD

Recommended folder structure:

policies/
├── definitions/
│   ├── allowed-locations.json
│   ├── require-tags.json
│   └── deny-public-storage.json
├── initiatives/
│   ├── security-baseline.json
│   └── cost-optimization.json
└── assignments/
    ├── management-group-root.json
    ├── subscription-prod.json
    └── rg-finance.json
# Deploy a policy definition from CI/CD
az policy definition create \
  --name 'require-environment-tag' \
  --display-name 'Require environment tag' \
  --description 'All resources must have an environment tag' \
  --rules @policies/definitions/require-tags.json \
  --params @policies/definitions/require-tags-params.json \
  --mode All

A.5 Custom Policy: Complete Example

Scenario 1: Deny creation of Storage Accounts that do not use HTTPS only.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "equals": false
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  },
  "parameters": {}
}

Scenario 2: Force the addition of a costCenter tag to all resources that don’t have one.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "tags['costCenter']",
      "exists": false
    },
    "then": {
      "effect": "Modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [{
          "operation": "addOrReplace",
          "field": "tags['costCenter']",
          "value": "[parameters('defaultCostCenter')]"
        }]
      }
    }
  },
  "parameters": {
    "defaultCostCenter": {
      "type": "String",
      "defaultValue": "UNKNOWN",
      "metadata": { "displayName": "Default Cost Center" }
    }
  }
}

A.6 Compliance Score

The compliance dashboard in Azure Policy shows the percentage of compliant resources.

Compliance Dashboard:
  Initiative "Security Baseline"
    ├── Policy "Require HTTPS on storage"      → 95% compliant (38/40)
    ├── Policy "Require encryption at rest"    → 100% compliant
    ├── Policy "Restrict allowed VM sizes"     → 87% compliant (46/53)
    └── Policy "Require tag: environment"      → 72% compliant (145/201)

  Overall score: 88% compliant
  Non-compliant: 15 resources to fix

Section B – Compliance Initiatives and Security Frameworks

B.1 Microsoft Cloud Security Benchmark (MCSB)

The Microsoft Cloud Security Benchmark is the reference security framework for Azure. It groups controls organized by domain.

DomainDescription
NS – Network SecuritySegmentation, firewalls, Private Endpoints
IM – Identity ManagementMFA, RBAC, Privileged Identity Management
PA – Privileged AccessJIT, bastion, admin workstations
DP – Data ProtectionEncryption at rest, in transit, classification
AM – Asset ManagementInventory, tagging, lifecycle
LT – Logging and Threat DetectionDiagnostics, SIEM, alerts
IR – Incident ResponseResponse plans, Microsoft contact
PV – Posture and Vulnerability ManagementPatch, scans, Defender for Cloud
ES – Endpoint SecurityAV, EDR, endpoint management
BR – Backup and RecoveryRPO/RTO, backup policies, testing
DS – DevOps SecuritySecrets management, code scanning
GS – Governance and StrategyPolicies, CSPM, organization

B.2 Built-in Regulatory Compliance Initiatives

Azure Policy provides initiatives corresponding to major regulatory frameworks:

mindmap
  root((Regulatory\nCompliance\nAzure))
    IT Security
      CIS Azure Foundations
      Microsoft Cloud Security Benchmark
      NIST SP 800-53
    Financial Industry
      PCI DSS
      SOX
    Healthcare
      HIPAA/HITRUST
    Government
      FedRAMP
      CMMC
    International
      ISO 27001
      SOC 2
      GDPR

CIS Azure Foundations Benchmark

Initiative: "CIS Microsoft Azure Foundations Benchmark v2.0.0"
Number of policies: ~150+
Example controls:
  1.1  - Ensure MFA is enabled for all users with write permission
  2.1  - Ensure that Microsoft Defender for Servers is set to On
  3.1  - Ensure that "Secure transfer required" is enabled for Storage Accounts
  4.1  - Ensure that "Auditing" is set to On for SQL Server
  5.1  - Ensure that Azure AD Authentication is configured for SQL Server

PCI DSS

Initiative: "PCI DSS v4"
Key requirements:
  Req 1  : Firewall → properly configured NSGs
  Req 2  : No default passwords → Azure Policy + Defender
  Req 3  : Cardholder data protection → TDE, Always Encrypted
  Req 6  : Secure development → Azure DevOps, SAST
  Req 7  : Access control → RBAC, PIM
  Req 10 : Logging → Azure Monitor, Log Analytics
  Req 11 : Security testing → Microsoft Defender for Cloud

ISO 27001

Initiative: "ISO 27001:2013"
Annex A controls covered:
  A.5  - Security policies
  A.6  - Organization of security
  A.9  - Access control (RBAC)
  A.10 - Cryptography (TDE, Key Vault)
  A.12 - Operations security (monitoring, backups)
  A.13 - Communications security (NSG, TLS)
  A.16 - Incident management
  A.18 - Regulatory compliance

B.3 Microsoft Defender for Cloud and Secure Score

Microsoft Defender for Cloud (formerly Azure Security Center) integrates compliance recommendations.

flowchart TD
    DFC["Microsoft Defender for Cloud"]
    DFC --> SS["Secure Score\n(0-100%)"]
    DFC --> COMP["Regulatory Compliance\n(frameworks)"]
    DFC --> REC["Recommendations\n(corrective actions)"]
    DFC --> ALERTS["Security Alerts\n(detected threats)"]

    SS --> IMPROV["Improve score\nby applying recommendations"]
    COMP --> MCSB["Microsoft Cloud\nSecurity Benchmark"]
    COMP --> PCI["PCI DSS"]
    COMP --> ISO["ISO 27001"]
    COMP --> NIST["NIST SP 800-53"]

Secure Score calculation:

Secure Score = (Points earned / Maximum possible points) × 100

Example:
  Control "Enable MFA"                  : 10/10 points
  Control "Enable endpoint protection"  : 3/8 points
  Control "Restrict network access"     : 6/6 points
  Total                                 : 19/24 = 79%

Section C – Azure Management Groups: Enterprise Architecture

C.1 Limits and Constraints

LimitValue
Maximum hierarchy levels6 (not counting root)
Management Groups per tenant10,000
Subscriptions per Management GroupUnlimited (practically)
Inheritable policiesYes, cascades downward
Policies blockable by childrenNo (except exemption)

Microsoft recommends a hierarchical structure aligned with the Cloud Adoption Framework (CAF):

flowchart TD
    ROOT["Tenant Root Group"]
    ROOT --> PLAT["Platform MG\n(central infrastructure)"]
    ROOT --> LAND["Landing Zones MG\n(application workloads)"]
    ROOT --> SAND["Sandboxes MG\n(isolated dev/test)"]
    ROOT --> DECOMM["Decommissioned MG\n(decommissioned resources)"]

    PLAT --> MGMT["Management MG\n(monitoring, SIEM)"]
    PLAT --> CONN["Connectivity MG\n(hub VNet, firewall)"]
    PLAT --> IDEN["Identity MG\n(AD DS, Entra)"]

    LAND --> CORP["Corp MG\n(hub-connected apps)"]
    LAND --> ONLINE["Online MG\n(public apps, DMZ)"]

    CORP --> PROD["Subscription: Prod"]
    CORP --> DEV["Subscription: Dev"]
    ONLINE --> WEB["Subscription: Web"]

Advantages of this structure:

  • Clear separation between platform and application teams.
  • Security policies applied differently (Online = more restrictive for internet access).
  • Sandbox fully isolated from the rest (less restrictive policies for experimentation).

C.3 RBAC on Management Groups

Assigning a role to a Management Group = automatic inheritance to all child subscriptions.

# Assign the Reader role to an entire Management Group
New-AzRoleAssignment `
  -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `  # AAD Group or User Object ID
  -RoleDefinitionName "Reader" `
  -Scope "/providers/Microsoft.Management/managementGroups/Corp-MG"

# Assign Contributor to a team for the entire dev MG
New-AzRoleAssignment `
  -ObjectId "dev-team-group-object-id" `
  -RoleDefinitionName "Contributor" `
  -Scope "/providers/Microsoft.Management/managementGroups/Dev-MG"

C.4 Moving a Subscription Between Management Groups

# Move a subscription via CLI
az account management-group subscription add \
  --name 'DestinationMG' \
  --subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

# Remove from a MG
az account management-group subscription remove \
  --name 'SourceMG' \
  --subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

Important: Moving inherits policies from the destination MG automatically. Verify compatibility before moving production subscriptions.


Section D – Azure Cost Management: Full Control

D.1 Azure Pricing Models

flowchart LR
    PAYG["Pay-As-You-Go\n(PAYG)\n~actual consumption"]
    DEV["Dev/Test\n(discounted rates\nfor MSDN subscriptions)"]
    SPOT["Spot VMs\n(up to 90% discount\ninterruptible)"]
    RI["Reserved Instances\n(1 or 3 years)\n40-72% discount"]
    SP["Savings Plans\n(flexible, by family)\n15-65% discount"]
    HUB["Azure Hybrid Benefit\n(SQL/Windows licenses\non-premises)"]

    PAYG --> RI
    PAYG --> SP
    PAYG --> SPOT
ModelDiscountConstraintUse case
Pay-As-You-Go0%NoneUnpredictable workloads
Reserved Instances (1 year)~40%1-year commitment, fixed regionStable VMs, SQL, Cosmos DB
Reserved Instances (3 years)~72%3-year commitmentVery stable workloads
Savings Plans (1 year)~15-25%Hourly spend commitmentMore flexible than RI
Spot VMsup to 90%Interruptible at any timeBatch, CI/CD, dev/test
Azure Hybrid Benefitup to 40%Valid on-prem licensesSQL Server, Windows migration
Dev/Test~40-55%MSDN/Visual Studio subscriptionDevelopment environments

D.2 Cost Analysis – Spending Analysis

Available views:

Cost Management → Cost Analysis

  Accumulated cost (month-to-date cumulative)
  Daily costs
  By service (Azure service)
  By resource (individual resource)
  By resource group
  By tag (by costCenter, environment, etc.)
  By subscription (for MGs)

Example of advanced filtering:

Filter by:
  Period          : Last month
  Group           : Service Name
  Filter          : Service = Virtual Machines
  Sub-filter      : Resource Group = prod-rg

Result: exact cost of VMs in prod-rg the previous month
→ Identify the most expensive VMs
→ Compare with previous months
→ Decide on rightsizing or reserved instances

D.3 Budgets and Advanced Alerts

flowchart TD
    BUDGET["Azure Budget\n(amount + period)"]
    BUDGET --> A50["50% Alert\n→ Email to team"]
    BUDGET --> A80["80% Alert\n→ Email to manager"]
    BUDGET --> A90["90% Forecast Alert\n→ Create ticket"]
    BUDGET --> A100["100% Alert\n→ Action Group\n(disable test VMs)"]

Create a budget with automated action via CLI:

az consumption budget create \
  --budget-name 'monthly-prod-budget' \
  --amount 10000 \
  --time-grain Monthly \
  --start-date '2025-01-01' \
  --end-date '2026-12-31' \
  --resource-group 'prod-rg' \
  --notifications '{
    "actual_80": {
      "enabled": true,
      "operator": "GreaterThan",
      "threshold": 80,
      "contactEmails": ["finance@company.com", "manager@company.com"],
      "contactRoles": ["Owner", "Contributor"],
      "thresholdType": "Actual"
    },
    "forecasted_100": {
      "enabled": true,
      "operator": "GreaterThan",
      "threshold": 100,
      "contactEmails": ["finance@company.com"],
      "thresholdType": "Forecasted"
    }
  }'

D.4 Tags for Chargeback and Showback

Tagging strategy for cost allocation:

Required tags (enforced by Azure Policy):
  costCenter    : Cost center (e.g., "IT-INFRA-001")
  environment   : Environment (prod, dev, staging, test)
  application   : Application name (e.g., "erp-sap")
  owner         : Owner (e.g., "john.smith@company.com")
  businessUnit  : Business unit (e.g., "finance", "hr", "it")

Allocation models:
  Chargeback  : Costs are directly billed to the department
  Showback    : Costs are shown but not billed (visibility only)

Resource Graph query for cost report by tag:

Resources
| where isnotempty(tags.costCenter)
| summarize count() by tostring(tags.costCenter), type
| order by tags_costCenter asc

D.5 Azure Advisor – Cost Recommendations

Azure Advisor analyzes your environment and provides recommendations in 6 categories:

mindmap
  root((Azure Advisor))
    Cost
      Underutilized VMs
      Suggested Reserved Instances
      Unattached disks
      Unused public IP addresses
    Security
      MFA not enabled
      Open ports
      Outdated certificates
    Reliability
      Backup not configured
      Missing Availability Zones
      Traffic Manager
    Operational Excellence
      Service Health alerts
      Log Analytics not enabled
    Performance
      Premium SSD recommended
      Insufficient Redis cache size
    Well-Architected
      Well-Architected Framework score

Example of typical cost recommendations:

RecommendationPotential savings
3 underutilized VMs → reduce size-$450/month
5 unattached Premium disks → delete-$120/month
2 unused public IPs → delete-$15/month
Reserved Instances for 8 stable VMs-$2,100/month (3 years)
Total potential-$2,685/month

D.6 Exports and Power BI Integration

Cost Management → Exports → Create Export

  Type       : Daily export of month-to-date costs
  Format     : CSV
  Destination: Azure Blob Storage Container
  Frequency  : Daily

  Power BI Integration:
    Power BI Desktop → Get Data → Azure Cost Management
    → Select subscription or Management Group
    → Build custom reports and dashboards

Section E – Template Specs and Deployment Stacks

E.1 Template Specs: Blueprint ARM Replacement

Template Specs allow storing and versioning ARM or Bicep templates in Azure as a reusable artifact.

flowchart LR
    BICEP["Bicep Template\n(or ARM JSON)"]
    TS["Template Spec\n(Azure Resource)"]
    DEPLOY["Deployment\n(subscription, RG, MG)"]
    REUSE["Cross-subscription\nreuse"]

    BICEP --> TS
    TS --> DEPLOY
    TS --> REUSE

Create a Template Spec:

# Create a Template Spec from a Bicep file
az ts create \
  --name 'standard-webapp-template' \
  --version '1.0.0' \
  --resource-group 'governance-rg' \
  --location 'eastus' \
  --template-file 'webapp-template.bicep' \
  --display-name 'Standard Web App Template' \
  --description 'Standardized template for all web apps'

# Deploy from a Template Spec
az deployment group create \
  --resource-group 'target-rg' \
  --template-spec '/subscriptions/{sub}/resourceGroups/governance-rg/providers/Microsoft.Resources/templateSpecs/standard-webapp-template/versions/1.0.0' \
  --parameters @params.json

Advantages over Blueprints:

  • Native versioning (1.0.0, 1.1.0, 2.0.0…)
  • Cross-subscription sharing via RBAC
  • Full Azure DevOps/GitHub integration
  • Native Bicep support (simpler syntax than ARM JSON)

E.2 Deployment Stacks: Lifecycle Management

Deployment Stacks allow managing a group of resources as a cohesive unit, with protection against accidental deletions.

flowchart TD
    STACK["Deployment Stack\n(webapp-production)"]
    STACK --> WEBAPP["App Service Plan"]
    STACK --> DB["Azure SQL Database"]
    STACK --> KV["Key Vault"]
    STACK --> STORAGE["Storage Account"]
    STACK --> NIC["Network Interface"]

    UPDATE["Stack update\n(new template)"] --> STACK
    DELETE["Stack deletion\n→ all resources deleted"] --> STACK
    DENY["DenySettings\n(Deny Delete / Deny Write)"] --> STACK
// Create a Deployment Stack via Bicep
resource stack 'Microsoft.Resources/deploymentStacks@2024-03-01' = {
  name: 'webapp-production-stack'
  location: 'eastus'
  properties: {
    template: loadJsonContent('webapp-template.json')
    parameters: {
      appName: { value: 'my-production-app' }
      sku: { value: 'P1v3' }
    }
    actionOnUnmanage: {
      resources: 'delete'          // Delete resources if removed from template
      resourceGroups: 'delete'
    }
    denySettings: {
      mode: 'denyDelete'          // Prevent direct deletion of resources
      applyToChildScopes: true
    }
  }
}
denySettings.mode parameterBehavior
noneNo protection (default)
denyDeleteBlock direct deletions
denyWriteAndDeleteBlock deletions AND modifications

E.3 Bicep: Modern IaC Syntax

// webapp-template.bicep
// Standard template for a web application with SQL Database

@description('Application name')
param appName string

@description('Target environment')
@allowed(['dev', 'staging', 'prod'])
param environment string = 'dev'

@description('App Service plan size')
param sku string = 'B1'

var location = resourceGroup().location
var planName = '${appName}-plan-${environment}'
var sqlServerName = '${appName}-sql-${environment}'

// App Service Plan
resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: planName
  location: location
  sku: {
    name: sku
    tier: sku == 'P1v3' ? 'PremiumV3' : 'Basic'
  }
  tags: {
    environment: environment
    application: appName
    costCenter: 'IT-WEB-001'
  }
}

// Web App
resource webApp 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: appServicePlan.id
    httpsOnly: true                // HTTPS required
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
    }
  }
  tags: {
    environment: environment
    application: appName
  }
}

Section F – Tags and Resource Governance

F.1 Enterprise Tagging Strategy

A good tagging system is the backbone of financial and operational governance.

mindmap
  root((Azure Tags))
    Finance
      costCenter
      businessUnit
      project
      budget
    Operational
      environment
      owner
      team
      ticketNumber
    Technical
      application
      component
      version
      tier
    Compliance
      dataClassification
      compliance
      retention

Recommended required tags table:

TagDescriptionExample valuesEnforced by Policy
environmentEnvironmentprod, staging, dev, testYes (Deny)
costCenterCost centerDEPT-001, IT-INFRA-002Yes (Deny)
ownerOwner emailjohn.smith@company.comYes (Deny)
applicationBusiness applicationerp-sap, crm-salesforceYes (Deny)
businessUnitBusiness unitfinance, hr, it, marketingYes (Audit)
dataClassificationData classificationpublic, internal, confidentialRecommended

F.2 Tag Inheritance with Azure Policy

By default, tags are not automatically inherited. Azure Policy can enforce inheritance:

// Policy: Inherit the "environment" tag from the Resource Group
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags['environment']",
          "exists": false
        },
        {
          "value": "[resourceGroup().tags['environment']]",
          "exists": true
        }
      ]
    },
    "then": {
      "effect": "Modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [{
          "operation": "addOrReplace",
          "field": "tags['environment']",
          "value": "[resourceGroup().tags['environment']]"
        }]
      }
    }
  }
}

Section G – RBAC (Role-Based Access Control) and Access Control

G.1 Azure RBAC Model

Azure RBAC controls WHO can do WHAT on WHICH resource.

flowchart LR
    PRINCIPAL["Security Principal\n(User / Group / SP / MI)"]
    ROLE["Role\n(Role Definition)"]
    SCOPE["Scope\n(MG / Sub / RG / Resource)"]
    ASSIGN["Role Assignment\n(Association of the 3)"]

    PRINCIPAL --> ASSIGN
    ROLE --> ASSIGN
    SCOPE --> ASSIGN
    ASSIGN --> PERMISSION["Permissions granted\nwithin the scope"]

G.2 Essential Built-in Roles

RolePermissionsUse case
OwnerEverything, including RBACSubscription administrators
ContributorEverything except RBACDevelopment teams
ReaderRead-onlyAuditors, finance
User Access AdministratorManage RBAC onlyAccess managers
Security AdminDefender for CloudSecurity team
Billing ReaderBills and costsFinance
Network ContributorNetwork onlyNetwork team
Storage Blob Data ContributorBlobs in StorageApplications, data engineers
Key Vault Secrets OfficerKey Vault secretsApplications

G.3 Custom Roles

// Custom role: VM Operator (start/stop, not create/delete)
{
  "Name": "VM Operator",
  "Description": "Can start and stop VMs but not create or delete them",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
# Create the custom role
az role definition create --role-definition @vm-operator-role.json

# Assign the role to a group
az role assignment create \
  --role "VM Operator" \
  --assignee-object-id "group-object-id" \
  --scope "/subscriptions/{sub}/resourceGroups/prod-vms-rg"

G.4 Privileged Identity Management (PIM)

Azure AD PIM (via Microsoft Entra ID) allows activating privileged roles on demand (Just-in-Time).

sequenceDiagram
    participant USR as User
    participant PIM as Azure PIM
    participant APP as Azure Resource
    participant MGR as Approver

    USR->>PIM: Request "Owner" role activation (4 hours)
    PIM->>MGR: Approval notification required
    MGR->>PIM: Approves the request
    PIM->>USR: Role activated for 4 hours
    USR->>APP: Privileged access (audit trail)
    Note over PIM,APP: After 4h, the role deactivates automatically
PIM BenefitDescription
Just-in-TimePrivileged access only when needed
Time-boundConfigurable maximum duration (e.g., 1-8h)
Approval workflowManual approval required
Audit trailAll activations are logged
MFA enforcementMFA required to activate
Access reviewsPeriodic review of active assignments

Section H – Microsoft Purview and Data Governance

H.1 Overview

Microsoft Purview is Microsoft’s unified data governance and compliance solution.

flowchart TD
    subgraph PURVIEW["Microsoft Purview"]
        DG["Data Governance\n(Unified Data Catalog)"]
        COMP["Compliance\n(Compliance Manager, DLP, eDiscovery)"]
        RISK["Risk & Compliance\n(Insider Risk, Communication Compliance)"]
        INFO["Information Protection\n(Sensitivity Labels, MIP)"]
    end

    ON_PREM["(SQL Server\non-premises)"] --> DG
    AZURE["(Azure Data Services)"] --> DG
    M365["(Microsoft 365)"] --> DG
    THIRD["(AWS, GCP,\nSaaS services)"] --> DG

H.2 Purview Data Map and Data Catalog

Data Map: automatic map of all data sources in the organization.

Supported sources:
  ├── Azure: SQL Database, Synapse, Blob Storage, Data Lake, Cosmos DB
  ├── On-premises: SQL Server, Oracle, SAP
  ├── Multi-cloud: AWS S3, RDS, Redshift; GCP BigQuery
  └── SaaS: Salesforce, Power BI, SAP S/4HANA

Automated scan:
  → Discovery of tables, columns, schemas
  → Automatic classification (emails, credit cards, SSNs)
  → Data Lineage
  → Integration into Data Catalog

Data Lineage:

Azure Data Factory Pipeline:
  SQL Database (source)
    └─→ ADF Copy Activity
        └─→ Data Lake Gen2 (landing zone)
            └─→ Databricks Notebook (transformation)
                └─→ Synapse Dedicated Pool (destination)
                    └─→ Power BI Dataset
                        └─→ Power BI Report

Purview displays this complete flow visually.

H.3 Sensitivity Labels and Classification

Sensitivity labels (example):
  Public
  Internal Only
  Confidential
  Highly Confidential / PII

Application:
  → Office files (Word, Excel, SharePoint)
  → Outlook emails
  → Teams messages
  → Azure SQL columns
  → Power BI datasets

Automatic actions:
  Label "Confidential" → AIP encryption + watermark
  Label "Highly Confidential / PII" → Encryption + sharing restrictions

H.4 Compliance Manager

Compliance Manager provides an aggregated compliance score based on completed actions.

Compliance Score:
  Framework: GDPR
    ├── Action "Enable SQL auditing"             : 15 pts (done ✓)
    ├── Action "Enable TDE on all DBs"           : 10 pts (done ✓)
    ├── Action "Train employees on DLP"          : 20 pts (in progress ⟳)
    └── Action "Implement RoPA management"       : 30 pts (not done ✗)

  GDPR Score: 65/100

  Suggested actions by priority:
    1. High importance: implement RoPA (30 pts)
    2. Medium: complete training (20 pts)

Section I – Azure Advisor: All Categories

I.1 Overview of 6 Categories

mindmap
  root((Azure Advisor\nOverall Score))
    Cost
      Reserved Instances
      Underutilized VMs
      Orphaned resources
    Security
      Defender integration
      MFA, RBAC
      Open ports
    Reliability
      Backup enabled
      Availability Zones
      Zone-redundant
    Operational Excellence
      Service Health
      Logs enabled
      Compliant tags
    Performance
      Appropriate sizing
      Redis cache
      CDN
    Well-Architected
      WAF score
      5 pillars

I.2 Advisor Score

Advisor Score = weighted average of 5 categories (Cost not included in overall score)

  Security      : 78%   (high weight)
  Reliability   : 85%
  Operational   : 72%
  Performance   : 90%
  Well-Arch     : 68%
  ─────────────────────
  Overall score : 78.6%

I.3 Advisor API for Automation

# List all unresolved recommendations
az advisor recommendation list \
  --subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
  --output table

# Filter by Cost category
az advisor recommendation list \
  --category Cost \
  --output json | jq '.[].properties.shortDescription.solution'

Section J – Azure Service Health and Platform Events

J.1 Service Health Components

flowchart TD
    SH["Azure Service Health"]
    SH --> STATUS["Azure Status\nstatus.azure.com\n(global incidents)"]
    SH --> SHEALTH["Service Health\n(incidents impacting your sub)"]
    SH --> RHEALTH["Resource Health\n(health of your individual resources)"]
    SH --> ALERTS["Service Health Alerts\n(custom notifications)"]
ComponentScopeUsage
Azure StatusGlobal, all servicesGeneral cloud monitoring
Service HealthYour subscriptionIncidents specifically affecting you
Resource HealthIndividual resourceDiagnose a specific VM, DB
Health AlertsConfigurableBe proactively notified

J.2 Create a Service Health Alert

# Alert for service interruptions in East US
az monitor activity-log alert create \
  --name 'service-health-eastus-alert' \
  --resource-group 'monitoring-rg' \
  --condition category=ServiceHealth \
  --condition level=error \
  --condition operationName=Microsoft.ServiceHealth/incident/write \
  --action-group '/subscriptions/{sub}/resourceGroups/monitoring-rg/providers/Microsoft.Insights/actionGroups/ops-team-ag'

Section K – Review Questions

15 Multiple Choice Questions


Question 1 You want to prevent the creation of Azure resources outside the East US and West US regions. Which policy effect do you use?

  • A) Audit
  • B) Modify
  • C) Deny
  • D) DeployIfNotExists

Answer: C — The Deny effect blocks the creation/modification of non-compliant resources. Audit would only flag non-compliance without blocking.


Question 2 Your organization must demonstrate ISO 27001 compliance to an external auditor. Where in Azure Policy do you find an initiative covering these controls?

  • A) In Built-in Policy Definitions, under the “Regulatory Compliance” category
  • B) In Azure Cost Management
  • C) In Azure Resource Graph
  • D) In Azure Advisor

Answer: A — Azure Policy provides built-in initiatives corresponding to major frameworks (ISO 27001, PCI DSS, NIST, CIS…) available under “Regulatory Compliance”.


Question 3 Your company has 15 Azure subscriptions. You want to apply a security policy to all of them in a single operation, while being able to make exceptions for certain subscriptions. Which service should you use?

  • A) Azure Policy with one assignment per subscription
  • B) Azure Management Groups with a policy assigned to the root group
  • C) Azure Resource Graph
  • D) Azure Blueprints

Answer: BManagement Groups allow assigning a policy once at the root level, and it applies to all child subscriptions. Exemptions can be defined for specific subscriptions.


Question 4 A policy with the DeployIfNotExists effect was assigned. It detects VMs without a monitoring agent. What additional action is needed to fix existing VMs?

  • A) Reassign the policy
  • B) Create a Remediation Task
  • C) Redeploy the VMs
  • D) Nothing, the effect applies automatically

Answer: BDeployIfNotExists automatically applies to new resources. For existing non-compliant resources, a Remediation Task must be explicitly created.


Question 5 What is the main difference between Azure Reservations (Reserved Instances) and Savings Plans?

  • A) Reservations are only for VMs; Savings Plans cover all services
  • B) Reservations apply to specific resources (region, size, service); Savings Plans apply to a service family with regional flexibility
  • C) Savings Plans have a maximum duration of 1 year
  • D) Reservations only work with the vCore model

Answer: BReserved Instances are tied to a specific resource (type, region). Savings Plans offer more flexibility on region and size in exchange for an hourly spend commitment.


Question 6 Azure Blueprints will be deprecated in July 2026. Which combination of services is recommended as a replacement?

  • A) Azure Policy + Azure Resource Graph
  • B) Template Specs + Deployment Stacks
  • C) Azure DevOps + Azure Artifacts
  • D) Terraform + Azure Resource Manager

Answer: B — Microsoft officially recommends Template Specs (to store/version templates) and Deployment Stacks (to manage deployment lifecycle) as the replacement for Azure Blueprints.


Question 7 A developer requests “Owner” access to the production subscription. Which security practice would allow granting this access securely, for only 4 hours, with manager approval?

  • A) Create a time-limited custom role
  • B) Use Azure PIM (Privileged Identity Management) with Just-in-Time activation
  • C) Temporarily assign the Contributor role
  • D) Use Azure Policy with a temporary exemption

Answer: BAzure PIM enables JIT activation of privileged roles with: limited duration, approval workflow, MFA required, and a complete audit trail.


Question 8 Which KQL query in Azure Resource Graph finds all Storage Accounts without mandatory HTTPS?

A) Resources | where type == "storage/storageaccounts" | where httpsOnly == false
B) Resources | where type == "microsoft.storage/storageaccounts" | project name, httpsOnly = properties.supportsHttpsTrafficOnly | where httpsOnly == false
C) AzureActivity | where ResourceType == "storage" | where HTTPS == false
D) SecurityBaseline | where control == "HTTPS" | where compliant == false

Answer: B — This correct KQL syntax uses the full type name (microsoft.storage/storageaccounts), projects the necessary properties, and filters on httpsOnly == false.


Question 9 Your finance team wants to see Azure costs per department using tags, but does not want to be directly billed. Which cost allocation model fits this need?

  • A) Chargeback (rebilling)
  • B) Showback (visibility without billing)
  • C) Reserved Instances
  • D) Cost Allocation Rules

Answer: BShowback provides cost visibility by tag/department without formally reallocating costs in accounting. Chargeback involves actual internal billing.


Question 10 A policy with the Modify effect is assigned to add the tag environment=prod to all resources in a Resource Group. Will an existing resource without this tag be automatically updated?

  • A) Yes, immediately upon assignment
  • B) No, the Modify effect only applies to new creations; a Remediation Task is needed
  • C) Yes, within 24 hours of assignment
  • D) No, Modify does not work with tags

Answer: B — Like DeployIfNotExists, Modify only automatically applies to new resources or during an update. A Remediation Task is needed for existing non-compliant resources.


Question 11 Which Azure service allows querying resources across 50 subscriptions simultaneously with a structured query language, returning near real-time results?

  • A) Azure Monitor
  • B) Azure Log Analytics
  • C) Azure Resource Graph
  • D) Azure Service Health

Answer: CAzure Resource Graph is designed for cross-subscription KQL queries on the Azure resource inventory, with near real-time results and without impacting standard ARM API performance.


Question 12 A company wants to ensure all its new resources automatically inherit the costCenter tag from their Resource Group. Which policy effect is appropriate?

  • A) DeployIfNotExists
  • B) Append
  • C) Modify
  • D) AuditIfNotExists

Answer: C — The Modify effect allows adding or modifying properties (including tags) during resource creation or update. It can read the tag from the parent Resource Group and apply it to the child resource.


Question 13 Which Microsoft Purview component visualizes the data flow from a SQL source to a Power BI report through Azure Data Factory and Synapse?

  • A) Data Catalog
  • B) Data Lineage (Data Map)
  • C) Compliance Manager
  • D) Sensitivity Labels

Answer: BData Lineage in Purview (exposed via the Data Map) automatically traces the journey of data through Azure services (ADF, Synapse, Power BI) and displays it visually.


Question 14 You need to restrict a developer to only starting and stopping VMs, without being able to create or delete them. Which approach is most appropriate?

  • A) Assign the Contributor role with a Deny policy for Create and Delete
  • B) Create a custom role with only start, restart, and deallocate actions
  • C) Assign the Virtual Machine Contributor role
  • D) Use Azure PIM to limit the Contributor role to 2 hours

Answer: B — A custom RBAC role allows precisely defining the allowed Actions (start, restart, deallocate) without including Create or Delete actions. The Virtual Machine Contributor role includes too many permissions.


Question 15 What is the primary purpose of Deployment Stacks compared to simple ARM deployments?

  • A) Speed up deployment by parallelizing resources
  • B) Manage the complete lifecycle of a resource group as a unit, including protection against unauthorized modifications/deletions
  • C) Provide a graphical interface for ARM templates
  • D) Enable multi-region deployment with a single command

Answer: BDeployment Stacks manage resources as a cohesive unit: atomic updates, grouped deletions, and protection via denySettings that can prevent any direct modification of resources managed by the stack.


Section L – Summary Diagrams

L.1 Azure Governance Overview

flowchart TD
    subgraph ORG["Azure Organization"]
        TRG["Tenant Root Group"]
        MG1["Corp Management Group"]
        MG2["Dev Management Group"]
        SUB1["Subscription Prod"]
        SUB2["Subscription Dev"]
        RG1["Resource Group App"]
        RG2["Resource Group Data"]
    end

    subgraph GOV["Governance Tools"]
        POLICY["Azure Policy\n(controls)"]
        COST["Cost Management\n(financial)"]
        RG_TOOL["Resource Graph\n(inventory)"]
        RBAC_T["RBAC\n(access)"]
        TAGS_T["Tags\n(organization)"]
        PURVIEW_T["Purview\n(data)"]
        ADVISOR_T["Advisor\n(optimization)"]
    end

    TRG --> MG1 --> SUB1 --> RG1
    MG1 --> SUB1 --> RG2
    TRG --> MG2 --> SUB2

    POLICY --> TRG
    COST --> SUB1
    RG_TOOL --> TRG
    RBAC_T --> MG1
    TAGS_T --> RG1
    PURVIEW_T --> RG2
    ADVISOR_T --> SUB1

L.2 Decision Flow for Non-Compliance

flowchart TD
    DETECT["Non-compliant resource\ndetected"] --> Q1{Type of\nnon-compliance?}
    Q1 -- Critical security --> DENY["Policy Deny\nblock immediately"]
    Q1 -- Missing configuration --> REMED["DeployIfNotExists\n+ Remediation Task"]
    Q1 -- Missing tag --> MOD["Policy Modify\n+ Remediation Task"]
    Q1 -- Observation only --> AUDIT["Policy Audit\ncompliance report"]

    DENY --> REPORT["Compliance Dashboard\n+ Notifications"]
    REMED --> REPORT
    MOD --> REPORT
    AUDIT --> REPORT
    REPORT --> REVIEW["Review and\npolicy improvement"]

Glossary

TermDefinition
Azure PolicyAzure service to create, assign, and manage compliance rules on resources
InitiativeGrouping of multiple policy definitions for a common objective
AssignmentBinding of a policy definition to a scope (MG, Sub, RG, resource)
ScopeApplication scope of a policy or RBAC role
EffectA policy’s action: Deny, Audit, Modify, DeployIfNotExists, Append, AuditIfNotExists
ExemptionTemporary waiver granted to a specific resource for a policy
Remediation TaskTask created to fix existing non-compliant resources
Management GroupLogical container grouping subscriptions for unified governance
Trickle-downInheritance of policies and RBAC roles from parent to all children in the hierarchy
Cost ManagementSuite of tools for analyzing, alerting on, and optimizing Azure spending
BudgetSpending limit configured with alert thresholds (Actual and Forecasted)
ChargebackAllocation model where costs are formally billed back to departments
ShowbackCost visibility model without formal rebilling
Reserved Instances1 or 3 year commitment on specific resources in exchange for discounts (40-72%)
Savings PlansHourly spend commitment on a service family, more flexible than RIs
Spot VMsInterruptible VMs at a highly reduced price (up to 90%) for batch/CI-CD workloads
Azure Hybrid BenefitReuse of SQL Server or Windows Server on-premises licenses on Azure
Azure AdvisorRecommendation service in 6 categories (Cost, Security, Reliability, Perf, OE, WAF)
Template SpecsAzure artifact to store and version reusable ARM/Bicep templates
Deployment StacksComplete lifecycle management of a group of resources as an atomic unit
BicepMicrosoft IaC language (simplified syntax, transpiled to ARM JSON)
RBACRole-Based Access Control — role-based access control
PIMPrivileged Identity Management — JIT activation of privileged roles with approval
Custom RoleRBAC role created with specific permissions
Azure Resource GraphCross-subscription KQL query service on near real-time Azure inventory
KQLKusto Query Language — query language used by Resource Graph, Log Analytics, Sentinel
Microsoft PurviewData governance platform: cataloging, classification, lineage, compliance
Data LineageTraceability of data flow from source to report
Sensitivity LabelsData classification labels (Public, Internal, Confidential, Highly Confidential)
Compliance ManagerPurview tool that calculates a compliance score for regulatory frameworks
CIS BenchmarkCenter for Internet Security — security reference for Azure (150+ controls)
MCSBMicrosoft Cloud Security Benchmark — native Azure security framework
Secure Score0-100% score in Defender for Cloud representing security posture
Service HealthAzure service for tracking the health of Azure services impacting your subscription
Well-Architected FrameworkMicrosoft’s 5 pillars (Cost, Security, Reliability, Performance, Operational Excellence)
CAFCloud Adoption Framework — Microsoft guide for Azure migration and adoption
Trickle-down inheritancePolicies and roles applied to a Management Group are inherited throughout the entire hierarchy below

Search Terms

azure · governance · compliance · core · infrastructure · microsoft · policy · management · groups · advisor · cost · cloud · health · initiatives · rbac · score · service · alerts · architecture · benchmark · budgets · built-in · categories · control

Interested in this course?

Contact us to book it or get a custom training plan for your team.