AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!


Create, assign, and interpret policies and initiatives in Azure Policy

Craft and Assign Custom Policy Definitions and Initiatives

Azure Policy helps you enforce governance and compliance across your Azure environment by letting you create custom policy definitions and group them into initiative definitions. A custom policy definition is a JSON document that sets conditions and effects on your resources. Initiatives (also called policy sets) let you bundle related policies together for easier management. By using initiatives, you can apply multiple rules at once and keep your Azure subscriptions consistent.

A JSON policy definition contains several key elements to guide evaluation.

  • displayName and description give the policy a human-readable name and purpose.
  • mode and metadata determine how Azure Policy evaluates resources and tracks versions.
  • parameters let you pass input values when you assign the policy, while the policyRule section defines:
    • field or value comparisons using built-in aliases
    • array aliases for properties nested in arrays
    • effect, such as deny, audit, or modify, to enforce or report on settings

Initiative definitions let you bundle related policies under a single umbrella. You create an initiative by defining:

  • properties.displayName and description, which describe the initiative’s purpose
  • An array of policyDefinitions, each pointing to a custom or built-in policy
  • Shared parameters that configure multiple policies at once

Using initiatives simplifies large-scale governance by ensuring that groups of policies stay aligned and are assigned together.

To apply policies or initiatives, you set the scope and any exclusions using the notScopes property. Scopes can be:

  • Management groups
  • Subscriptions
  • Resource groups
  • Individual resources

You can control enforcement with enforcementMode, choosing between Default, DoNotEnforce, or Enroll for Azure Policy for Kubernetes. After assignment, Azure Policy evaluates resources and records compliance results so you can see which resources are non-compliant.

When resources are non-compliant, you can create a remediation task to fix settings automatically. For example, you run:

  • Start-AzPolicyRemediation -Name <RemediationName> -PolicyAssignmentId <PolicyAssignmentId>

This command lets you pinpoint and automate corrections, such as deploying missing extensions or updating configurations. By reviewing compliance data and remediation tasks, you maintain a secure and standardized Azure environment.
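The whole procedure above (custom definition, initiative, scoped assignment with an exclusion, compliance review, remediation) as one added Az PowerShell walkthrough; this is example code, not material from the course. It assumes Az.Resources 7.x or later (where New-AzPolicyAssignment accepts an initiative via -PolicyDefinition), an existing Connect-AzAccount session, and the placeholder subscription id and the hypothetical rg-sandbox exclusion.

```powershell
# Added example, not from the course page. Subscription id is a placeholder;
# rg-sandbox is a hypothetical resource group excluded via notScopes.
$scope    = "/subscriptions/<subscription-id>"
$excluded = "$scope/resourceGroups/rg-sandbox"

# 1. Custom policy definition: Modify effect that sets HTTPS-only on storage accounts.
#    Modify needs roleDefinitionIds; 17d1049b-... is built-in Storage Account Contributor
#    (confirm with Get-AzRoleDefinition -Name 'Storage Account Contributor').
$rule = @'
{ "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" } ] },
  "then": { "effect": "[parameters('effect')]",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" ],
      "operations": [ { "operation": "addOrReplace",
                        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                        "value": true } ] } } }
'@
$params = '{ "effect": { "type": "String", "allowedValues": [ "Modify", "Audit", "Disabled" ], "defaultValue": "Modify" } }'
$def = New-AzPolicyDefinition -Name 'storage-https-only' -DisplayName 'Storage accounts must use HTTPS only' `
         -Description 'Sets supportsHttpsTrafficOnly=true on non-compliant storage accounts' `
         -Mode Indexed -Policy $rule -Parameter $params

# 2. Initiative (policy set) bundling the custom policy; the effect is exposed as a shared parameter.
$setDefs = @"
[ { "policyDefinitionId": "$($def.Id)",
    "parameters": { "effect": { "value": "[parameters('storageEffect')]" } } } ]
"@
$setParams = '{ "storageEffect": { "type": "String", "defaultValue": "Modify" } }'
$initiative = New-AzPolicySetDefinition -Name 'baseline-storage' -DisplayName 'Storage baseline' `
                -PolicyDefinition $setDefs -Parameter $setParams

# 3. Assign at subscription scope, excluding the sandbox RG. Modify requires a managed identity,
#    which in turn needs the role named in roleDefinitionIds (least privilege: not Contributor).
$assignment = New-AzPolicyAssignment -Name 'baseline-storage' -Scope $scope -NotScope $excluded `
                -PolicyDefinition $initiative -EnforcementMode Default `
                -IdentityType SystemAssigned -Location 'eastus'
# Property is IdentityPrincipalId in Az.Resources 7.x (Identity.PrincipalId in 6.x).
New-AzRoleAssignment -ObjectId $assignment.IdentityPrincipalId -Scope $scope `
    -RoleDefinitionId '17d1049b-9a84-46fb-8f53-869881c3d3ab'

# 4. Review compliance, then remediate resources that already existed before assignment
#    (Modify only acts on create/update requests; existing resources need a remediation task).
Get-AzPolicyState -PolicyAssignmentName 'baseline-storage' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName
Start-AzPolicyRemediation -Name 'fix-storage-https' -PolicyAssignmentId $assignment.Id
```

The first compliance scan runs some minutes after assignment; trigger one early with Start-AzPolicyComplianceScan if you do not want to wait.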

Conclusion

In this section, you learned how to author custom policy definitions in JSON, specifying conditions and effects to control resource configurations. You saw how to bundle those policies into initiative definitions for easier bulk management. Finally, you covered the steps to assign policies or initiatives at the correct scope, handle exclusions, review compliance results, and run remediation tasks. Together, these practices help you enforce governance, ensure compliance, and automate the correction of non-compliant resources across your Azure subscriptions.