Domain 3 of 3 · Chapter 2 of 4

Governance & Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Azure Fundamentals premium course — no separate purchase.

Included in this chapter:

  • What governance and compliance mean in Azure
  • Microsoft Purview: governing the data estate
  • Azure Policy: enforcing configuration standards at scale
  • Azure Policy is not RBAC: the exam boundary
  • Resource locks: protecting against accidental loss
  • Recognizing these questions on the exam

Azure Policy vs Azure RBAC vs resource locks: what each controls

AspectAzure PolicyAzure RBACResource locks
ControlsAllowed resource configurationsWho can perform actionsWhether a resource can be deleted/changed
Question it answersIs this configuration allowed?Is this user permitted to do this?Is this resource protected from accidental loss?
Typical useAllowed regions, SKUs, required tagsAssign roles like Reader, Contributor, OwnerCanNotDelete or ReadOnly on critical resources
Applied at scopeManagement group, subscription, RG, resourceManagement group, subscription, RG, resourceSubscription, resource group, resource
Overrides user role?Deny can block even an Owner's bad configDefines the role itselfYes, blocks even an Owner until removed

Decision tree

Governing the DATA itself(discover/classify)?YesNoMicrosoft Purviewdata catalog, classify, lineageAbout WHO can act(permissions)?YesNoAzure RBACroles: who can do whatProtect ONE resourcefrom accidental loss?YesNo: config ruleAzure Policyallowed regions/SKUs/tagsEdits still allowed,only block delete?YesNoCanNotDelete lockReadOnly lock

Cheat sheet

  • Match the governance scenario to Purview, Azure Policy, or resource locks
  • Use Microsoft Purview to govern the data itself, across clouds
  • Purview builds a Data Map and a searchable catalog of assets
  • Purview adds automatic classification and end-to-end data lineage
  • Use Azure Policy to enforce standards and assess compliance at scale
  • A policy definition is a single configuration rule
  • Bundle related policies into an initiative for one assignment
  • The policy effect decides what happens to a non-compliant resource
  • Azure Policy reports compliance on an aggregated dashboard
  • Azure Policy can auto-remediate existing non-compliant resources
  • Azure Policy governs configuration; Azure RBAC governs who can act
  • Apply a resource lock to prevent accidental delete or change
  • CanNotDelete allows read and modify but blocks deletion
  • ReadOnly allows only reads: no modify, no delete
  • Locks apply at subscription, RG, or resource scope and are inherited
  • A lock blocks even a Subscription Owner until it's removed
  • Choose CanNotDelete, not ReadOnly, when edits must stay allowed
  • Owner can assign roles, Contributor can't, Reader is view-only
  • RBAC is additive, so the most permissive assignment wins
  • Create a custom role when no built-in role fits
  • A role assignment = security principal + role definition + scope
  • Compliance Manager scores your posture by completed improvement actions

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
  2. https://learn.microsoft.com/en-us/purview/purview
  3. https://learn.microsoft.com/en-us/purview/data-governance-overview
  4. https://learn.microsoft.com/en-us/azure/governance/policy/overview
  5. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
  6. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources