Governance: Policy, locks & tags
Management groups, Azure Policy, locks, cost.
Beyond individual access, an administrator governs the whole estate — how subscriptions are organized, what configurations are allowed, and how spend is controlled. Management groups, Azure Policy, locks, and tags are the governance toolkit.
Hierarchy and Azure Policy
Azure organizes resources in a hierarchy: management groups contain subscriptions, subscriptions contain resource groups, and resource groups contain resources — with RBAC and Azure Policy inheriting down from the top. Management groups let you apply governance across many subscriptions at once. Azure Policy enforces or audits resource configuration: effects include deny (block non-compliant creation, a preventive guardrail), audit (flag without blocking), and deployIfNotExists (auto-deploy a missing control like diagnostic settings). Group related policies into initiatives and assign them at a scope so a whole branch of the hierarchy inherits the baseline — for example, deny public IPs, require tags, or mandate encryption org-wide.
# Deny effect: block storage accounts that allow public blob access.# Assign an initiative (e.g. Azure Security Benchmark) at a management group# so every subscription beneath it inherits the whole baseline at once.az policy assignment create --name asb \--policy-set-definition "Azure Security Benchmark" \--scope /providers/Microsoft.Management/managementGroups/contoso-root# deny = the misconfiguration cannot be created; audit = it is only flagged.
Locks, tags, and cost
Resource locks guard against accidents: a CanNotDelete lock prevents deletion while allowing changes, and a ReadOnly lock prevents modification — apply them to critical production resources. Tags (key–value pairs like owner, environment, cost-center) organize resources and, crucially, enable cost allocation and policy/automation targeting. For cost, Azure Cost Management and Budgets give visibility and alert before overspend, Reservations discount steady workloads, and Azure Advisor recommends savings and best practices. Governance is not bureaucracy — it is what keeps a growing Azure estate consistent, compliant, cost-controlled, and safe from accidental damage, all enforced automatically through the hierarchy rather than by hoping teams remember.