Azure

Azure Policy Complete Guide: Effects, Built-in/Custom, Initiative, Remediation, Compliance

2026-05-24
NicheeLab Editorial Team

Azure Policy is the Microsoft-managed governance service that defines, enforces, and audits rules against Azure resources in your organization. Applied across the Management Group / Subscription / Resource Group hierarchy, it is the foundational service that automates Azure-wide control and sits at the heart of governance in enterprise Azure environments. This article comprehensively organizes Azure Policy's Effects, Built-in vs Custom, Initiatives, Assignment Scope, Remediation, and compliance use cases.

The 7 Effects

EffectBehaviorUse case
DenyBlocks creation of non-compliant resourcesMandatory enforcement
AuditOnly records violationsEvaluating existing environments
AuditIfNotExistsAudits when related resources are missinge.g. detect VMs without Backup configured
ModifyAuto-adds tags and fixes propertiesApply to existing resources via Remediation
DeployIfNotExistsAuto-deploys related resourcese.g. auto-configure Diagnostic Settings
AppendAuto-attaches propertiesAuto-add Network ACLs to Storage
DisabledTemporarily disables the policyEmergency exceptions

In production, the standard pattern is to introduce in Audit mode and switch to Deny once stable, never going straight to Deny and risking impact on production.

Built-in Policy vs Custom Policy

ItemBuilt-in PolicyCustom Policy
SourcePredefined by Microsoft (500+)Organization-defined (JSON)
Use caseTypical scenariosOrganization-specific requirements
UpdatesContinually added and updated by MicrosoftManaged by your organization
Example'Disable Storage Public Access''Enforce internal naming convention'
Recommended usePrimaryOnly for gaps

For new projects, maximize use of Built-in and customize only what is missing. The Azure Policy GitHub repository publishes many industry-standard Custom Policy samples that you can reuse as reference implementations.

Initiative (Policy Set)

An Initiative is a logical unit that groups multiple policies together.

Examples of Microsoft-provided Initiatives

  • Microsoft Cloud Security Benchmark (MCSB): Microsoft-recommended security baseline (successor to Azure Security Benchmark)
  • PCI DSS v3.2.1: Payment card industry security standard
  • ISO 27001:2013: International information security management
  • NIST SP 800-53: Security controls for U.S. government
  • HIPAA HITRUST: Healthcare information protection
  • Australian Government ISM: Australian government information security

Combining an Initiative with the Compliance dashboard visualizes regulatory status across your organization. In production, the standard architecture is to layer 'MCSB Initiative + organization custom Initiative' for hierarchical governance.

Assignment Scope hierarchy

Assignment is the act of attaching a Policy or Initiative to a Management Group, Subscription, or Resource Group, and the targeted range is the Scope.

Hierarchy

  • Tenant Root Management Group: Top of the organization
  • Management Group: Groups Subscriptions (by environment or department)
  • Subscription: Billing boundary
  • Resource Group: Logical group of resources
  • Resource: Individual Azure resource

Assignments cascade downward (assigning at a Management Group applies to every Subscription beneath it).

Enterprise patterns

  1. Assign the 'MCSB Initiative' at the root Management Group in Audit mode for organization-wide coverage
  2. Enforce 'Allowed Locations (Japan East only)' on production Subscriptions in Deny mode
  3. Apply 'Maximum VM SKU (up to D8s_v5)' to development Resource Groups in Deny mode for cost control

Exclusion lets you exempt specific Resource Groups or resources, providing flexible exception management.

Remediation

Remediation automatically corrects existing non-compliant resources. It is available for policies whose Effect is Modify or DeployIfNotExists.

Typical use cases

  1. Existing VMs missing Diagnostic Settings — a Remediation Task bulk-configures them
  2. Existing Storage Accounts missing encryption — Remediation applies Customer-Managed Keys in bulk
  3. Existing resources missing a CostCenter tag — Remediation auto-inherits the tag value from the Management Group

Remediation runs through a Managed Identity (a System-assigned MI is auto-created when the Policy Assignment is created) and needs Contributor permission against the Scope. In large environments, bulk remediation of thousands of resources can take several hours, so it must be planned.

Standard production policy set

Security

  • Storage Account Public Access Disable (Deny)
  • Storage Account Minimum TLS 1.2 (Deny)
  • VM Disk encryption required (Audit → Deny)
  • Enable SQL Database Auditing (DeployIfNotExists)
  • Enable NSG Flow Logs (DeployIfNotExists)
  • Key Vault Soft Delete + Purge Protection (Audit)

Cost and naming conventions

  • Allowed regions restriction (Deny)
  • Allowed VM SKU restriction (Deny)
  • Require CostCenter / Owner / Project tags (auto-attached via Modify)
  • Resource naming convention (Deny, Custom Policy)

Operations

  • Auto-configure Diagnostic Settings (DeployIfNotExists)
  • Auto-enable Azure Defender (DeployIfNotExists)
  • Auto-install Microsoft Defender for Endpoint extension (DeployIfNotExists)

Compliance use cases

The Azure Policy compliance dashboard visualizes your organization's regulatory posture.

  • Assign Built-in Initiatives such as MCSB, PCI DSS, HIPAA, ISO 27001, and NIST
  • Compliance percentages shown per control
  • Lists of non-compliant resources and remediation steps are also surfaced
  • Used as evidence in compliance audits (SOC2 Type II, ISO 27001 certification)
  • Substantially reduces the cost of reporting to auditors

Integrations with Microsoft Sentinel and Defender for Cloud also enable forwarding policy violation events to the SOC for automated response.

Integration with IaC

Manage Policy, Initiative, and Assignment as code with Bicep or Terraform.

Bicep example

resource policyDef 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'require-tag-CostCenter'
  properties: {
    displayName: 'Require CostCenter tag'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        field: 'tags.CostCenter'
        exists: 'false'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
  name: 'require-costcenter-tag-assignment'
  properties: {
    policyDefinitionId: policyDef.id
    displayName: 'Require CostCenter tag on all resources'
  }
}

Operational best practices

  1. Introduce new policies in Audit mode and switch to Deny once stable
  2. Layer governance using the Management Group hierarchy
  3. Apply the Microsoft Cloud Security Benchmark (MCSB) Initiative organization-wide
  4. Address regulations with industry Initiatives (PCI DSS, HIPAA, etc.)
  5. Implement naming and tag enforcement with Custom Policy
  6. Use Remediation for incremental cleanup of existing environments
  7. Use Exclusion for exception management (emergency response, PoCs, etc.)
  8. Treat policy as code with Bicep or Terraform
  9. Forward policy violation events to Microsoft Sentinel
  10. Submit monthly compliance reports to leadership

Related certifications

Frequently Asked Questions

What is Azure Policy?

Azure Policy is a Microsoft-managed governance service that defines, enforces, and audits rules (policies) against Azure resources in your organization. Typical rules include 'Disable Public Access on every Storage Account', 'Allow VMs only in the Japan East region', and 'Require a CostCenter tag on every resource'. There are 7 main policy Effects: Deny (block creation), Audit (log violations only), Modify (auto-add tags), DeployIfNotExists (auto-create missing resources, e.g. Diagnostic Settings), Append (auto-attach properties), and more. Applied across the Management Group / Subscription / Resource Group hierarchy, it is the foundational service for automating Azure-wide governance.

What are the policy Effect types?

The 7 main Effects: 1) Deny: blocks creation of non-compliant resources for mandatory enforcement. 2) Audit: only records violations, ideal for evaluating existing environments. 3) AuditIfNotExists: audits the absence of related resources (e.g. detects VMs without Backup configured). 4) Modify: auto-adds tags or fixes properties, and can be applied to existing resources via Remediation. 5) DeployIfNotExists: auto-deploys related resources (e.g. auto-installs the Microsoft Defender for Endpoint extension when a VM is created). 6) Append: auto-attaches properties (e.g. adds Network ACLs to a new Storage Account). 7) Disabled: temporarily turns the policy off. The standard production pattern is to start in Audit and switch to Deny once stable, never going straight to Deny and risking impact on production.

When should I use Built-in Policy vs Custom Policy?

Built-in Policy: 500+ standard policies predefined by Microsoft, selectable from a list in the Azure Portal for typical scenarios such as 'Disable Public Access on every Storage Account'. Custom Policy: JSON-based definitions for organization-specific requirements, used to implement what Built-in does not cover (e.g. enforcing an internal naming convention like 'storage-{env}-{region}-{seq}'). For new projects, the practical approach is to lean on Built-in policies as much as possible and write Custom policies only for the gaps. Since Microsoft continually adds and updates Built-in policies, keeping organization customizations minimal is also better for operational overhead. The Azure Policy GitHub repository publishes many industry-standard Custom Policy samples that you can reuse as reference implementations.

What is an Initiative (Policy Set)?

An Initiative (Policy Set) is a logical unit that groups multiple policies together. For example, the 'PCI DSS compliance Initiative' packages 30+ policies that cover PCI DSS requirements, so assigning one Initiative to a Subscription applies all of them at once. Notable Microsoft-provided Initiatives include Microsoft Cloud Security Benchmark (MCSB), PCI DSS v3.2.1, ISO 27001, NIST SP 800-53, HIPAA HITRUST, and the Australian Government ISM. Combining an Initiative with the Compliance dashboard visualizes regulatory status across your organization. In production, the standard architecture is to layer 'MCSB Initiative + organization custom Initiative' for hierarchical governance. It is also extremely useful for producing evidence during compliance audits.

How are Policy Assignment and Scope structured?

Assignment is the act of attaching a Policy or Initiative to a Management Group, Subscription, or Resource Group, and the targeted range is the Scope. The hierarchy is: Management Group (umbrella over all Subscriptions) → Subscription → Resource Group → Resource. Assignments cascade downward (assigning at a Management Group applies to every Subscription beneath it). Typical enterprise patterns are: 1) assign the 'MCSB Initiative' at the root Management Group in Audit mode for organization-wide coverage, 2) enforce 'Allowed Locations (Japan East only)' on production Subscriptions in Deny mode, and 3) control costs by applying 'Maximum VM SKU (up to D8s_v5)' to development Resource Groups in Deny mode. The Exclusion feature lets you exempt specific Resource Groups or resources, providing flexible exception management.

How do you use Remediation?

Remediation is the feature that automatically corrects existing non-compliant resources. It is available for policies whose Effect is Modify or DeployIfNotExists. Typical use cases: 1) existing VMs missing Diagnostic Settings — a Remediation Task bulk-configures them, 2) existing Storage Accounts missing encryption — Remediation applies Customer-Managed Keys in bulk, and 3) existing resources missing a CostCenter tag — Remediation auto-inherits the tag value from the Management Group. Remediation runs through a Managed Identity (a System-assigned MI is auto-created when the Policy Assignment is created) and needs Contributor permission against the Scope. In large environments, bulk remediation of thousands of resources can take several hours, so it must be planned.

How is Azure Policy used for compliance?

The Azure Policy compliance dashboard visualizes your organization's regulatory posture. Assigning Built-in Initiatives such as Microsoft Cloud Security Benchmark (MCSB), PCI DSS, HIPAA, ISO 27001, and NIST surfaces compliance percentages per control along with the list of non-compliant resources and remediation steps. In compliance audits (SOC2 Type II, ISO 27001 certification), you can use it as evidence — 'this policy enforces MCSB compliance' — and substantially reduce the cost of reporting to auditors. Integrations with Microsoft Sentinel and Defender for Cloud also enable forwarding policy violation events to the SOC for automated response. In enterprise Azure environments, 'continuous compliance centered on Azure Policy' is the modern best practice.

Which certifications cover this area?

AZ-104 (Administrator) Domain 1 (Identity and Governance, 20-25%) tests Azure Policy in depth and is the primary certification for this area. AZ-305 (Solutions Architect Expert) Domain 1 covers overall governance design, SC-100 (Cybersecurity Architect Expert) covers policy enforcement as part of Zero Trust strategy, and AZ-400 (DevOps Engineer Expert) covers the IaC + Policy combination. AZ-104 requires solid understanding of Built-in Policy, Custom Policy, Initiative, Assignment Scope, and Remediation. For every engineer governing Azure, understanding Azure Policy is a foundational skill.

Related Articles and Deep Dives

Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】

Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。

Azure VMSS 完全ガイド|Uniform/Flexible・Auto Scale・Rolling Upgrade・Spot 混在【2026 年版】

Azure Virtual Machine Scale Sets (VMSS) の完全ガイド。Uniform vs Flexible Orchestration mode の使い分け、Auto Scale (Metric/Schedule/Custom)、Custom Image と Azure Compute Gallery、Rolling Upgrade Policy、Spot + Regular 混在パターン、関連認定試験 (AZ-104 / AZ-305 / AZ-400) を日本語で網羅。

Azure Backup 完全ガイド|RSV / Backup Vault・Backup Policy・Immutable Backup・コスト最適化【2026 年版】

Azure Backup の完全ガイド。Recovery Services Vault vs Backup Vault の使い分け、Backup Policy 設計、Azure VM / Files / SQL / Blob Backup の動作、Immutable Backup・Multi-User Authorization によるランサムウェア対策、コスト最適化、関連認定試験 (AZ-104 / AZ-305 / SC-100) を日本語で網羅。

Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】

Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Technical information in this article is based on the Azure Policy Documentation. This article is not an official product of Microsoft Corporation and has no affiliation or sponsorship relationship with them. Microsoft and Azure are trademarks of the Microsoft group of companies. Information reflects officially published materials as of May 24, 2026. Always confirm the latest information on the official pages.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.