Azure Compliance, Privacy and Governance – AZ 900 Notes

Azure Compliance, Privacy and Governance is one of the important topics in the AZ 900 exam. In this article, we will look at Azure Compliance, Compliance Manager, Azure Data Privacy and Governance. This article is mainly designed for the AZ 900 exam.

Azure Policy

It helps users create, apply and manage policies to ensure that resources stay compliant with defined standards and SLAs.
You can manage compliance of resources across multiple subscriptions.

You can group several policies together; such a group of policies is called an Initiative.

Azure offers a few predefined initiatives for specific purposes – Azure Security Benchmark, UK Official, HIPAA etc.

To view the above initiatives, go to Policy->Authoring->Definitions.

Some major examples of Azure Policy

  • Allow creation of Virtual Machines of defined sizes only.
  • Allow creation of resources in a specific location only.
  • MFA should be mandatory for new user accounts.
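
The first example in the list above, written as a custom policy definition. This is an added example, not part of the original notes or a built-in Azure definition; the display name and the parameter name allowedSkus are hypothetical.

```json
{
  "properties": {
    "displayName": "Example: allow only approved VM sizes",
    "description": "Added example. Denies creation of a virtual machine whose size is not in the allowedSkus parameter (hypothetical name).",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedSkus": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed VM sizes",
          "description": "Sample value at assignment time: [\"Standard_B2s\", \"Standard_D2s_v3\"]"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('allowedSkus')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The "if" block selects virtual machines whose size is outside the allowed list, and the "deny" effect blocks the request. Changing the effect to "audit" would only report such resources as non-compliant instead of blocking them.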

Policy evaluation occurs once every hour.

Azure Blueprints

Official Definition - Blueprints enable quick creation of governed subscriptions. This allows Cloud Architects to design environments that comply with organizational standards and best practices, enabling your app teams to get to production faster.

An Azure Blueprint consists of one or more Policy, Role, ARM Template and resource group configurations. There are a number of pre-built blueprints which users can utilize, and users are free to customize the pre-built blueprints to meet their company standards.

Blueprints can be helpful in the following ways –

  • A blueprint can be assigned to an individual subscription.
  • It can help to set up resource groups within subscriptions.
  • It helps teams create environments in Azure that follow their organization's standards and policies.
  • With Blueprints, we can set up a CI/CD pipeline as well.

Resource Locks

Resource Locks prevent accidental deletion and modification of resources. A lock can be applied at the subscription level, at the resource group level or on individual resources.
A resource inherits locks from its subscription or resource group.

Types of Resource Lock

  1. Read Only Lock – Authorized users can read but they can’t delete or update the locked resources.
  2. Delete Lock – Authorized users can read and modify but they can’t delete the resource.

If you want to modify or delete a locked resource, the resource lock must be removed first; only then can you make the change. This applies to resource owners as well.

You can apply a Delete Lock to a resource already locked with Read Only, and vice versa. This means you can apply multiple locks at different levels.

Azure Information Protection

Azure Information Protection (AIP) is part of Microsoft Information Protection. AIP helps organizations discover, identify and protect emails and documents by applying labels to content.
It is mainly about what personal data Microsoft processes, how Microsoft processes it and for what purpose.

Azure Compliance

Compliance means following the specified industry security standards and policies that apply based on geo-location and nature of business.
Similarly, Azure Compliance exists to adhere to the various industry rules and standards that apply to each domain and Azure region.

You can check the standards and regulations in the Azure Service Trust Portal.

Azure offers various Security and Compliance Blueprints such as PCI DSS, ISO:27001 etc.

Azure Compliance Manager (ACM)

It is part of the Azure Service Trust Portal. ACM helps users automate the lifecycle of Azure Compliance, which includes managing risk, checking compliance against standard policies and presenting reports to the audit team.

Azure provides more than 90 compliance certificates, of which more than 50 are specific to geo-locations and regions such as the US, European Union, Germany, India and China, and more than 35 are for specific industries like health, government, finance, education etc.

Some of the important Azure compliance offerings are

  • ISO:27001, ISO:27017 – used globally
  • Service Organization Compliance – SOC1, SOC2
  • GDPR – General Data Protection Regulation, new rules for organizations that offer goods and services to people in the European Union (EU)
  • HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of US healthcare laws that, among other provisions, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI).
  • PCI DSS – The Payment Card Industry (PCI) Data Security Standards (DSS) is a global security standard to control fraud involving credit card data.
  • Azure Government – Under this compliance offering all data centers are in the US only, because only the US government and its entities and contractors are allowed to use this service.
  • RBI and IRDAI (India) – The Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the Ministry of Electronics and Information Technology (MeitY) comprise three of the key financial industry regulators overseeing banks, insurance organizations, and market infrastructure institutions. Their purpose includes outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data.
  • Azure China – It is not operated by Microsoft; instead it is operated by 21Vianet and follows China Telecommunication Regulation.

Hope you like this blog.
