Challenge 20: Governance — Azure Policy, Purview & Resource Locks
25-35 min | Cost: Free | Domain: Management & Governance (30-35%)
Exam skills covered
- Describe the purpose of Microsoft Purview
- Describe the purpose of Azure Policy
- Describe the purpose of resource locks
Overview
Governance ensures your Azure environment stays compliant, organized, and protected. Azure Policy enforces rules about what can be created and how. Resource locks prevent accidental deletion or modification. Microsoft Purview provides data governance across your entire estate.
Explore
Task 1: Understand Azure Policy
Azure Policy enforces organizational standards. Policies evaluate resources and mark non-compliant ones.
| Policy type | What it does | Example |
|---|---|---|
| Deny | Prevent non-compliant resource creation | "VMs must be in allowed regions only" |
| Audit | Flag existing non-compliant resources | "Storage accounts without encryption" |
| Modify | Add or update resource properties automatically | "Auto-add required tags" |
| DeployIfNotExists | Deploy a resource if it doesn't exist | "Enable diagnostic logging" |
Task 2: Explore Azure Policy in the Portal
- In Azure Portal, search for Policy
- Explore:
- Overview: Compliance status across your environment
- Definitions: Browse built-in policies
- Assignments: See what's assigned
- Click Definitions and browse categories:
- Compute, Storage, Network, Security Center, Tags
- Try searching for: "Allowed locations" — this popular policy restricts where resources can be created
Policy vs RBAC:
| | Azure Policy | Azure RBAC |
|---|---|---|
| Question answered | "What can be created?" | "Who can do what?" |
| Focus | Resource compliance | User permissions |
| Example | "Only Standard_D2s VMs allowed" | "Alice can create VMs" |
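As an added example (not part of the original challenge), this is a custom policy definition equivalent to the built-in "Allowed locations" policy mentioned above: a Deny effect with a parameter for the approved regions, so a non-compliant deployment is rejected at creation time instead of merely being flagged later. The name and description are assumptions; the `notEquals` clauses mirror the built-in definition, which exempts "global" resources and Azure AD B2C directories because they have no selectable region.

```json
{
  "mode": "Indexed",
  "displayName": "Allowed locations (custom example)",
  "description": "Deny creation of resources outside the approved regions.",
  "metadata": { "category": "General" },
  "parameters": {
    "listOfAllowedLocations": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed locations",
        "description": "Regions in which resources may be deployed.",
        "strongType": "location"
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
        { "field": "location", "notEquals": "global" },
        { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

With the Azure CLI, `az policy definition create --name allowed-locations-example --mode Indexed --rules <policyRule JSON> --params <parameters JSON>` registers the definition, and `az policy assignment create` with `--params '{"listOfAllowedLocations":{"value":["westeurope","northeurope"]}}'` applies it to a subscription or resource group scope.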
Task 3: Understand resource locks
Resource locks prevent accidental changes or deletion:
| Lock type | Can read? | Can modify? | Can delete? |
|---|---|---|---|
| No lock | ✅ | ✅ | ✅ |
| Read-only (ReadOnly) | ✅ | ❌ | ❌ |
| Delete (CanNotDelete) | ✅ | ✅ | ❌ |
Key facts:
- Locks are inherited: a lock on a resource group applies to every resource inside it
- Even Owners cannot delete a locked resource without removing the lock first
- Locks apply regardless of RBAC: the operation is blocked even for users whose role would otherwise permit it
Task 4: Explore resource locks in the Portal
- Navigate to your rg-az900-learning resource group (or any RG)
- Click Locks in the left menu
- Click + Add to see lock options:
- Lock name, Lock type (Read-only or Delete)
- Notes explaining why the lock exists
- Optionally add a Delete (CanNotDelete) lock to your resource group
- Try to delete the RG — you'll be blocked!
Task 5: Understand Microsoft Purview
Microsoft Purview provides unified data governance:
| Feature | Description |
|---|---|
| Data Map | Automated discovery and classification of data across Azure, on-prem, and multi-cloud |
| Data Catalog | Search and discover data assets |
| Data Estate Insights | Analytics on data distribution and sensitivity |
| Data sharing | Securely share data across organizations |
When to use Purview:
- You need to know WHERE your sensitive data is
- You need to classify data (PII, financial, health)
- You need compliance reporting across multiple data stores
- You need a unified view of your data landscape
```bash
# List Azure Policy definitions (first 5)
az policy definition list --query "[0:5].{Name:displayName, Category:metadata.category}" --output table
# List policy assignments
az policy assignment list --output table
# Add a resource lock
az lock create --name DoNotDelete --resource-group rg-az900-learning --lock-type CanNotDelete 2>/dev/null || echo "Create the RG first"
# List locks
az lock list --resource-group rg-az900-learning --output table 2>/dev/null || echo "No RG found"
```
Key Concepts
| Concept | Description |
|---|---|
| Azure Policy | Enforce rules about resource creation and compliance |
| Policy initiative | Group of related policies applied together |
| Resource lock | Prevent accidental deletion or modification |
| CanNotDelete lock | Resources can be modified but not deleted |
| ReadOnly lock | Resources can only be read — no changes allowed |
| Microsoft Purview | Unified data governance, discovery, and classification |
| Compliance | Percentage of resources meeting policy requirements |
Knowledge Check
1. A company wants to ensure that all Azure resources are created only in specific regions. Which service should they use?
2. A production database must be protected from accidental deletion. What should be applied?
3. What is the purpose of Microsoft Purview?
4. An Owner of a resource group tries to delete it but receives an error. What is the most likely cause?
5. What is the difference between Azure Policy and Azure RBAC?