Azure Policy is the Microsoft-managed governance service that defines, enforces, and audits rules against Azure resources in your organization. Applied across the Management Group / Subscription / Resource Group hierarchy, it is the foundational service that automates Azure-wide control and sits at the heart of governance in enterprise Azure environments. This article comprehensively organizes Azure Policy's Effects, Built-in vs Custom, Initiatives, Assignment Scope, Remediation, and compliance use cases.
| Effect | Behavior | Use case |
|---|---|---|
| Deny | Blocks creation of non-compliant resources | Mandatory enforcement |
| Audit | Only records violations | Evaluating existing environments |
| AuditIfNotExists | Audits when related resources are missing | e.g. detect VMs without Backup configured |
| Modify | Auto-adds tags and fixes properties | Apply to existing resources via Remediation |
| DeployIfNotExists | Auto-deploys related resources | e.g. auto-configure Diagnostic Settings |
| Append | Auto-attaches properties | Auto-add Network ACLs to Storage |
| Disabled | Temporarily disables the policy | Emergency exceptions |
In production, the standard pattern is to introduce in Audit mode and switch to Deny once stable, never going straight to Deny and risking impact on production.
| Item | Built-in Policy | Custom Policy |
|---|---|---|
| Source | Predefined by Microsoft (500+) | Organization-defined (JSON) |
| Use case | Typical scenarios | Organization-specific requirements |
| Updates | Continually added and updated by Microsoft | Managed by your organization |
| Example | 'Disable Storage Public Access' | 'Enforce internal naming convention' |
| Recommended use | Primary | Only for gaps |
For new projects, maximize use of Built-in and customize only what is missing. The Azure Policy GitHub repository publishes many industry-standard Custom Policy samples that you can reuse as reference implementations.
An Initiative is a logical unit that groups multiple policies together.
Combining an Initiative with the Compliance dashboard visualizes regulatory status across your organization. In production, the standard architecture is to layer 'MCSB Initiative + organization custom Initiative' for hierarchical governance.
Assignment is the act of attaching a Policy or Initiative to a Management Group, Subscription, or Resource Group, and the targeted range is the Scope.
Assignments cascade downward (assigning at a Management Group applies to every Subscription beneath it).
Exclusion lets you exempt specific Resource Groups or resources, providing flexible exception management.
Remediation automatically corrects existing non-compliant resources. It is available for policies whose Effect is Modify or DeployIfNotExists.
Remediation runs through a Managed Identity (a System-assigned MI is auto-created when the Policy Assignment is created) and needs Contributor permission against the Scope. In large environments, bulk remediation of thousands of resources can take several hours, so it must be planned.
The Azure Policy compliance dashboard visualizes your organization's regulatory posture.
Integrations with Microsoft Sentinel and Defender for Cloud also enable forwarding policy violation events to the SOC for automated response.
Manage Policy, Initiative, and Assignment as code with Bicep or Terraform.
resource policyDef 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
name: 'require-tag-CostCenter'
properties: {
displayName: 'Require CostCenter tag'
policyType: 'Custom'
mode: 'Indexed'
policyRule: {
if: {
field: 'tags.CostCenter'
exists: 'false'
}
then: {
effect: 'deny'
}
}
}
}
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
name: 'require-costcenter-tag-assignment'
properties: {
policyDefinitionId: policyDef.id
displayName: 'Require CostCenter tag on all resources'
}
}What is Azure Policy?
Azure Policy is a Microsoft-managed governance service that defines, enforces, and audits rules (policies) against Azure resources in your organization. Typical rules include 'Disable Public Access on every Storage Account', 'Allow VMs only in the Japan East region', and 'Require a CostCenter tag on every resource'. There are 7 main policy Effects: Deny (block creation), Audit (log violations only), Modify (auto-add tags), DeployIfNotExists (auto-create missing resources, e.g. Diagnostic Settings), Append (auto-attach properties), and more. Applied across the Management Group / Subscription / Resource Group hierarchy, it is the foundational service for automating Azure-wide governance.
What are the policy Effect types?
The 7 main Effects: 1) Deny: blocks creation of non-compliant resources for mandatory enforcement. 2) Audit: only records violations, ideal for evaluating existing environments. 3) AuditIfNotExists: audits the absence of related resources (e.g. detects VMs without Backup configured). 4) Modify: auto-adds tags or fixes properties, and can be applied to existing resources via Remediation. 5) DeployIfNotExists: auto-deploys related resources (e.g. auto-installs the Microsoft Defender for Endpoint extension when a VM is created). 6) Append: auto-attaches properties (e.g. adds Network ACLs to a new Storage Account). 7) Disabled: temporarily turns the policy off. The standard production pattern is to start in Audit and switch to Deny once stable, never going straight to Deny and risking impact on production.
When should I use Built-in Policy vs Custom Policy?
Built-in Policy: 500+ standard policies predefined by Microsoft, selectable from a list in the Azure Portal for typical scenarios such as 'Disable Public Access on every Storage Account'. Custom Policy: JSON-based definitions for organization-specific requirements, used to implement what Built-in does not cover (e.g. enforcing an internal naming convention like 'storage-{env}-{region}-{seq}'). For new projects, the practical approach is to lean on Built-in policies as much as possible and write Custom policies only for the gaps. Since Microsoft continually adds and updates Built-in policies, keeping organization customizations minimal is also better for operational overhead. The Azure Policy GitHub repository publishes many industry-standard Custom Policy samples that you can reuse as reference implementations.
What is an Initiative (Policy Set)?
An Initiative (Policy Set) is a logical unit that groups multiple policies together. For example, the 'PCI DSS compliance Initiative' packages 30+ policies that cover PCI DSS requirements, so assigning one Initiative to a Subscription applies all of them at once. Notable Microsoft-provided Initiatives include Microsoft Cloud Security Benchmark (MCSB), PCI DSS v3.2.1, ISO 27001, NIST SP 800-53, HIPAA HITRUST, and the Australian Government ISM. Combining an Initiative with the Compliance dashboard visualizes regulatory status across your organization. In production, the standard architecture is to layer 'MCSB Initiative + organization custom Initiative' for hierarchical governance. It is also extremely useful for producing evidence during compliance audits.
How are Policy Assignment and Scope structured?
Assignment is the act of attaching a Policy or Initiative to a Management Group, Subscription, or Resource Group, and the targeted range is the Scope. The hierarchy is: Management Group (umbrella over all Subscriptions) → Subscription → Resource Group → Resource. Assignments cascade downward (assigning at a Management Group applies to every Subscription beneath it). Typical enterprise patterns are: 1) assign the 'MCSB Initiative' at the root Management Group in Audit mode for organization-wide coverage, 2) enforce 'Allowed Locations (Japan East only)' on production Subscriptions in Deny mode, and 3) control costs by applying 'Maximum VM SKU (up to D8s_v5)' to development Resource Groups in Deny mode. The Exclusion feature lets you exempt specific Resource Groups or resources, providing flexible exception management.
How do you use Remediation?
Remediation is the feature that automatically corrects existing non-compliant resources. It is available for policies whose Effect is Modify or DeployIfNotExists. Typical use cases: 1) existing VMs missing Diagnostic Settings — a Remediation Task bulk-configures them, 2) existing Storage Accounts missing encryption — Remediation applies Customer-Managed Keys in bulk, and 3) existing resources missing a CostCenter tag — Remediation auto-inherits the tag value from the Management Group. Remediation runs through a Managed Identity (a System-assigned MI is auto-created when the Policy Assignment is created) and needs Contributor permission against the Scope. In large environments, bulk remediation of thousands of resources can take several hours, so it must be planned.
How is Azure Policy used for compliance?
The Azure Policy compliance dashboard visualizes your organization's regulatory posture. Assigning Built-in Initiatives such as Microsoft Cloud Security Benchmark (MCSB), PCI DSS, HIPAA, ISO 27001, and NIST surfaces compliance percentages per control along with the list of non-compliant resources and remediation steps. In compliance audits (SOC2 Type II, ISO 27001 certification), you can use it as evidence — 'this policy enforces MCSB compliance' — and substantially reduce the cost of reporting to auditors. Integrations with Microsoft Sentinel and Defender for Cloud also enable forwarding policy violation events to the SOC for automated response. In enterprise Azure environments, 'continuous compliance centered on Azure Policy' is the modern best practice.
Which certifications cover this area?
AZ-104 (Administrator) Domain 1 (Identity and Governance, 20-25%) tests Azure Policy in depth and is the primary certification for this area. AZ-305 (Solutions Architect Expert) Domain 1 covers overall governance design, SC-100 (Cybersecurity Architect Expert) covers policy enforcement as part of Zero Trust strategy, and AZ-400 (DevOps Engineer Expert) covers the IaC + Policy combination. AZ-104 requires solid understanding of Built-in Policy, Custom Policy, Initiative, Assignment Scope, and Remediation. For every engineer governing Azure, understanding Azure Policy is a foundational skill.
Related Articles and Deep Dives
Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】
Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。
Azure VMSS 完全ガイド|Uniform/Flexible・Auto Scale・Rolling Upgrade・Spot 混在【2026 年版】
Azure Virtual Machine Scale Sets (VMSS) の完全ガイド。Uniform vs Flexible Orchestration mode の使い分け、Auto Scale (Metric/Schedule/Custom)、Custom Image と Azure Compute Gallery、Rolling Upgrade Policy、Spot + Regular 混在パターン、関連認定試験 (AZ-104 / AZ-305 / AZ-400) を日本語で網羅。
Azure Backup 完全ガイド|RSV / Backup Vault・Backup Policy・Immutable Backup・コスト最適化【2026 年版】
Azure Backup の完全ガイド。Recovery Services Vault vs Backup Vault の使い分け、Backup Policy 設計、Azure VM / Files / SQL / Blob Backup の動作、Immutable Backup・Multi-User Authorization によるランサムウェア対策、コスト最適化、関連認定試験 (AZ-104 / AZ-305 / SC-100) を日本語で網羅。
Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】
Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Technical information in this article is based on the Azure Policy Documentation. This article is not an official product of Microsoft Corporation and has no affiliation or sponsorship relationship with them. Microsoft and Azure are trademarks of the Microsoft group of companies. Information reflects officially published materials as of May 24, 2026. Always confirm the latest information on the official pages.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...