AZ-104T00A
Module 02: Governance and Compliance
© Copyright Microsoft Corporation. All rights reserved.
Module Overview
Lesson 01: Subscriptions and Accounts
Lesson 02: Azure Policy
Lesson 03: Role-Based Access Control
Lesson 04: Module 02 Lab
Lesson 01: Subscriptions and Accounts
Subscriptions and Accounts Overview
Regions
Azure Subscriptions
Getting a Subscription
Subscription Usage
Cost Management
Resource Tags
Cost Savings
Review
Regions
A region represents a collection of datacenters
Provides flexibility and scale
Preserves data residency
Select regions close to your users
Be aware of region deployment availability
There are global services that are region independent
Worldwide there are 60+ regions representing 140 countries
Regions are paired for high availability
Azure Subscriptions
Only identities in Azure AD, or in a directory that is trusted by Azure AD, can create a subscription
Logical unit of Azure services that is linked to an Azure account
Security and billing boundary
Getting a Subscription
Enterprise Agreement customers make an upfront monetary commitment and consume services throughout the year
Resellers provide a simple, flexible way to purchase cloud services
Partners can design and implement your Azure cloud solution
Personal free account – Start right away
Subscription Usage
Free: Includes a $200 credit for the first 30 days, free limited access for 12 months
Pay-As-You-Go: Charges you monthly
CSP: Agreement with possible discounts through a Microsoft Cloud Solutions Provider Partner – typically for small to medium businesses
Enterprise: One agreement, with discounts for new licenses and Software Assurance – targeted at enterprise-scale organizations
Student: Includes $100 for 12 months – must verify student access
Cost Management
Conduct cost analysis
Create a budget
Review recommendations
Export the data
Resource Tags
Provides metadata for your Azure resources
Logically organizes resources into a taxonomy
Consists of a name-value pair
Very useful for rolling up billing information
Cost Savings
Azure Reservations – Helps you save money by pre-paying for services
Azure Hybrid Benefits – Use Windows Server and SQL Server on-premises licenses with Software Assurance
Azure Credits – Monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure
Regions – Choose low-cost locations and regions
Subscriptions and Accounts - Review
Knowledge Check Questions
Microsoft Learn Modules (docs.microsoft.com/Learn):
Analyze costs and create budgets with Azure Cost Management
Predict costs and optimize spending for Azure
Lesson 02: Azure Policy
Azure Policy Overview
Management Groups
Azure Policy
Implementing Azure Policy
Policy Definitions
Create Initiative Definitions
Scope the Initiative Definition
Determine Compliance
Demonstration – Azure Policy
Review
Management Groups
Provides a level of scope above subscriptions
Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies
Compliance and cost reporting by organization (business/teams)
Azure Policy
A service to create, assign, and manage policies
Runs evaluations and scans for non-compliant resources
Advantages:
Enforcement and compliance
Apply policies at scale
Remediation
Usage Cases
Allowed resource types – Specify the resource types that your organization can deploy
Allowed virtual machine SKUs – Specify a set of virtual machine SKUs that your organization can deploy
Allowed locations – Restrict the locations your organization can specify when deploying resources
Require tag and its value – Enforces a required tag and its value
Azure Backup should be enabled for Virtual Machines – Audit if Azure Backup service is enabled for all Virtual machines
Implementing Azure Policy
1. Browse Policy Definitions
2. Create Initiative Definitions
3. Scope the Initiative Definition
4. View Policy evaluation results
Policy Definitions
Many policy definitions are available
You can import policies from GitHub
Policy Definitions have a specific JSON format
You can create custom policy definitions
Create Initiative Definitions
Group policy definitions
Include one or more policies
Requires planning
Scope the Initiative Definition
Assign the definition to a scope
Select the subscription, and optionally the resource group
The scope enforces the policy
Determine Compliance
Non-compliant initiatives
Non-compliant policies
Non-compliant resources
Demonstration – Azure Policy
Assign a policy
Create and assign an initiative definition
Check for compliance
Check for remediation tasks
Remove your policy and initiative
Azure Policy - Review
Knowledge Check Questions
Microsoft Learn Modules (docs.microsoft.com/Learn):
Apply and monitor infrastructure standards with Azure Policy
Build a cloud governance strategy
Lesson 03: Role-Based Access Control
Role-Based Access Control Overview
Role-Based Access Control
Role Definition
Role Assignment
Azure RBAC Roles vs Azure AD Administrator Roles
RBAC Authentication
Azure RBAC Roles
Demonstration – RBAC Roles
Review
Role-Based Access Control
Provides fine-grained access management of resources in Azure
Built on Azure Resource Manager
Segregate duties within your team
Grant only the amount of access to users that they need to perform their jobs
Concepts
Security principal. Object that represents something that is requesting access to resources
Role definition. Collection of permissions that lists the operations that can be performed
Scope. Boundary for the level of access that is requested
Assignment. Attaching a role definition to a security principal at a particular scope:
• Users can grant access described in a role definition by creating an assignment
• Deny assignments are currently read-only and are set by Azure Blueprints and Azure Managed Apps
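The three concepts above (role definition, scope, assignment) as an added Az PowerShell example; this is not code from the Microsoft courseware. The custom role name, the resource group name and the principal's object ID are placeholders, and the role deliberately grants only read and restart on virtual machines to illustrate least privilege.

```powershell
# Added example, not part of the courseware: custom role definition + scoped assignment.
# Placeholders: role name, resource group 'rg-infra-placeholder', and the object ID below.
$subscriptionId = (Get-AzContext).Subscription.Id

# Role definition: the operations a principal may perform. Read VMs and restart them,
# nothing else, so the holder cannot create, modify or delete resources.
$roleJson = @"
{
  "Name": "VM Restart Operator (custom, placeholder)",
  "Description": "View virtual machines and restart them, nothing else",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-restart-operator.json'
Set-Content -Path $roleFile -Value $roleJson
$roleDef = New-AzRoleDefinition -InputFile $roleFile

# Scope: a single resource group, so the grant does not apply subscription-wide.
$scope = "/subscriptions/$subscriptionId/resourceGroups/rg-infra-placeholder"

# Assignment: attach the role definition to a security principal at that scope.
# The object ID is a placeholder for the user or group being granted access.
New-AzRoleAssignment -ObjectId '00000000-0000-0000-0000-000000000000' `
    -RoleDefinitionName $roleDef.Name -Scope $scope

# Review: who holds which role at this scope, including assignments inherited
# from the subscription or management group above it.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```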
Azure RBAC Roles vs. Azure AD Roles
Azure and Azure AD offer two types of roles
Azure RBAC roles:
Manage access to Azure resources
Scope can be specified at multiple levels
Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
Azure AD roles:
Manage access to Azure AD objects
Scope is at the tenant level
Role information can be accessed in Azure portal, Microsoft 365 admin portal, Microsoft Graph, Azure Active Directory PowerShell for Graph
Classic administrator roles should be avoided if using Azure Resource Manager
Azure RBAC Roles
RBAC role in Azure / Permissions / Notes
Owner / Has full access to all resources and can delegate access to others / The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. This applies to all resource types
Contributor / Creates and manages all types of Azure resources but cannot grant access to others / This applies to all resource types
Reader / Views Azure resources / This applies to all resource types
User Access Administrator / Manages user access to Azure resources / This applies to managing access, rather than to managing resources
Lab 02b – Manage Governance via Azure Policy
Lab scenario
To improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
• Tagging resource groups that include only infrastructure resources
• Ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
• Remediating any non-compliant resources
Objectives
Task 1: Create and assign tags via the Azure portal
Task 2: Enforce tagging via an Azure Policy
Task 3: Apply tagging via an Azure Policy
Next slide for an architecture diagram
Lab 02b – Architecture diagram
Task 1: Tag the Cloud Shell Storage Resource Group (which contains the Cloud Shell Storage Account) with Name: Role, Value: Infra
Task 2: Azure policy – Require a tag and its value on resources
Task 3: Azure policy – Inherit a tag from the resource group if missing (applied to a New Storage Account)
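The Policy Definitions slide says definitions have a specific JSON format, and Task 2 of the lab requires a tag and its value; the following added example, which is not the courseware's own code, writes that policy rule in the Azure Policy JSON format, registers it, assigns it at resource group scope, and queries compliance with Az PowerShell (Az.Resources and Az.PolicyInsights). The resource group name is a placeholder; the tag name Role and value Infra are the lab's.

```powershell
# Added example, not part of the courseware: Task 2 ("require a tag and its value")
# as a custom definition in the Azure Policy JSON format. 'rg-infra-placeholder' is a
# placeholder for the lab's infrastructure resource group.

# Policy rule: if the tag named by tagName is missing or has a different value, deny
# the create/update request. Parameters keep the definition reusable across assignments.
$policyRule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "notEquals": "[parameters('tagValue')]"
  },
  "then": { "effect": "deny" }
}
'@

$parameters = @'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag Name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag Value" } }
}
'@

# 1. Register the definition. Indexed mode evaluates only resource types that support
#    tags and location, so untaggable child resources are not flagged by mistake.
$definition = New-AzPolicyDefinition -Name 'require-tag-and-value' `
    -DisplayName 'Require a tag and its value on resources' `
    -Mode Indexed -Policy $policyRule -Parameter $parameters

# 2. Scope: assign to the infrastructure resource group with Role=Infra. The scope
#    is what enforces the policy; the definition alone does nothing.
$rg = Get-AzResourceGroup -Name 'rg-infra-placeholder'
$assignment = New-AzPolicyAssignment -Name 'require-role-infra' `
    -PolicyDefinition $definition -Scope $rg.ResourceId `
    -PolicyParameterObject @{ tagName = 'Role'; tagValue = 'Infra' }

# 3. Determine compliance. Deny blocks new non-compliant deployments but does not
#    change existing resources; those are only reported, so trigger an evaluation
#    and list what is non-compliant (remediation, Task 3, needs a modify policy).
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```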
End of presentation