Documentation: Compliance & Governance

This document provides further details and context for implementing compliance and governance practices across your Azure environment.

• Implement Azure Policy for guardrails

• Why: Without guardrails, teams may deploy resources that violate organizational standards—such as using unapproved regions, skipping encryption, or deploying oversized SKUs. Azure Policy lets you enforce rules at scale, preventing non-compliant resources from being created and continuously auditing existing resources for drift.
• How: Start with built-in policy definitions that cover common requirements such as allowed resource locations, required tags, and enforced encryption. Assign policies at the management group or subscription level. Use “Deny” effect for hard guardrails and “Audit” effect for visibility without blocking. Group related policies into initiatives for easier management and reporting.
• Resources:
  • What is Azure Policy?
  • Azure Policy built-in policy definitions
  • Tutorial: Create and manage policies to enforce compliance
  • Azure Policy best practices
• Quick check: Find storage accounts with public blob access enabled:

  az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts' \
    | where properties.allowBlobPublicAccess != false \
    | project name, resourceGroup, subscriptionId" -o table
  

  Use the built-in policy “Storage accounts should disable public network access” for continuous enforcement.

• Organize resources with Management Groups

• Why: As your Azure footprint grows beyond a single subscription, you need a way to apply governance consistently across all subscriptions. Management groups provide a hierarchical structure above subscriptions, allowing you to apply policies, RBAC assignments, and budgets once and have them inherited across the entire organization.
• How: Design a management group hierarchy that reflects your organizational structure—for example, separate groups for production, development, and sandbox workloads. Apply policies and access controls at the appropriate management group level. Follow the Azure landing zone architecture recommendations for structuring your hierarchy.
• Resources:
  • What are Azure management groups?
  • Organize your resources with Azure management groups
  • Azure landing zone design area: Resource organization
  • CAF management group and subscription organization

• Understand your compliance obligations

• Why: Different industries and geographies have specific regulatory requirements (SOC 2, HIPAA, GDPR, PCI DSS, FedRAMP, etc.) that dictate how data must be stored, processed, and protected. Failing to meet these obligations can result in significant legal, financial, and reputational consequences. Understanding which frameworks apply to your organization is the first step toward building a compliant cloud environment.
• How: Identify the regulatory frameworks that apply to your business based on your industry, geography, and the type of data you handle. Use Microsoft’s compliance offerings documentation to understand which Azure services have been certified for specific standards. Leverage Azure compliance documentation and audit reports to support your own certification efforts.
• Resources:
  • Microsoft compliance offerings
  • Azure compliance documentation
  • Microsoft Trust Center
  • Shared responsibility in the cloud

• Enable Microsoft Defender for Cloud regulatory compliance

• Why: Tracking compliance posture manually across hundreds of Azure resources is impractical. Microsoft Defender for Cloud provides a regulatory compliance dashboard that continuously assesses your environment against industry standards, highlights gaps, and provides actionable remediation recommendations.
• How: Enable Microsoft Defender for Cloud’s enhanced security features on your subscriptions. Add the regulatory compliance standards relevant to your organization (e.g., SOC 2, PCI DSS, HIPAA, ISO 27001). Review the compliance dashboard regularly to identify non-compliant resources and follow the built-in remediation guidance. Export compliance data for auditors and stakeholders.
• Resources:
  • Regulatory compliance dashboard in Microsoft Defender for Cloud
  • Microsoft Defender for Cloud overview
  • Customize the set of standards in your regulatory compliance dashboard
  • Microsoft cloud security benchmark

• Implement data governance with Microsoft Purview

• Why: As data estates grow across databases, storage accounts, analytics platforms, and SaaS applications, it becomes difficult to understand what data you have, where it lives, how sensitive it is, and who has access to it. Without proper data governance, organizations risk regulatory violations, data breaches, and inability to derive value from their data assets.
• How: Deploy Microsoft Purview to scan and catalog data sources across your Azure environment and beyond. Use automated classification to identify sensitive data types (PII, financial data, health records). Define and enforce data access policies. Track data lineage to understand how data flows through your systems. Integrate Purview with Azure services such as Azure SQL, Azure Storage, Azure Synapse Analytics, and Azure Data Lake.
• Resources:
  • What is Microsoft Purview?
  • Microsoft Purview data governance
  • Microsoft Purview Data Catalog
  • Data classification in Microsoft Purview