Governance: Policy, locks & tags

Management groups, Azure Policy, locks, cost.

Intermediate30 min · lesson 3 of 15

Beyond individual access, an administrator governs the whole estate — how subscriptions are organized, what configurations are allowed, and how spend is controlled. Management groups, Azure Policy, locks, and tags are the governance toolkit.

Hierarchy and Azure Policy

Azure organizes resources in a hierarchy: management groups contain subscriptions, subscriptions contain resource groups, and resource groups contain resources — with RBAC and Azure Policy inheriting down from the top. Management groups let you apply governance across many subscriptions at once. Azure Policy enforces or audits resource configuration: effects include deny (block non-compliant creation, a preventive guardrail), audit (flag without blocking), and deployIfNotExists (auto-deploy a missing control like diagnostic settings). Group related policies into initiatives and assign them at a scope so a whole branch of the hierarchy inherits the baseline — for example, deny public IPs, require tags, or mandate encryption org-wide.

a preventive policy at scale
# Deny effect: block storage accounts that allow public blob access.
# Assign an initiative (e.g. Azure Security Benchmark) at a management group
# so every subscription beneath it inherits the whole baseline at once.
az policy assignment create --name asb \
--policy-set-definition "Azure Security Benchmark" \
--scope /providers/Microsoft.Management/managementGroups/contoso-root
# deny = the misconfiguration cannot be created; audit = it is only flagged.

Locks, tags, and cost

Resource locks guard against accidents: a CanNotDelete lock prevents deletion while allowing changes, and a ReadOnly lock prevents modification — apply them to critical production resources. Tags (key–value pairs like owner, environment, cost-center) organize resources and, crucially, enable cost allocation and policy/automation targeting. For cost, Azure Cost Management and Budgets give visibility and alert before overspend, Reservations discount steady workloads, and Azure Advisor recommends savings and best practices. Governance is not bureaucracy — it is what keeps a growing Azure estate consistent, compliant, cost-controlled, and safe from accidental damage, all enforced automatically through the hierarchy rather than by hoping teams remember.

The governance toolkit
control config
management groups
inherit policy/RBAC down
Azure Policy
deny / audit / deployIfNotExists
resource locks
prevent accidental delete/change
organize + cost
tags
cost allocation + targeting
Cost Management + Budgets
visibility and alerts
Inherit policy from the top, guard critical resources with locks, and use tags + budgets to keep the estate compliant and cost-controlled.
Audit-only policy does not stop the misconfiguration
A policy in audit mode reports non-compliance but changes nothing — the public storage account still gets created. For the true non-negotiables use the deny effect so the bad configuration cannot exist, and deployIfNotExists to apply the secure default automatically; audit is for measuring, not enforcing.