AZ-900 Module 9: Describe features and tools in Azure for governance and compliance


Justin Peterson

Securing Azure

Describe features and tools in Azure for governance and compliance

This is what I learned:

  • Describe the purpose of Microsoft Purview in Azure
  • Describe the purpose of Azure Policy
  • Describe the purpose of resource locks

Describe the purpose of Microsoft Purview in Azure

Microsoft Purview is a family of data governance, risk, and compliance solutions that helps you get a single, unified view into your data. Microsoft Purview brings insights about your on-premises, multicloud, and software-as-a-service data together.

Two main solution areas comprise Microsoft Purview: risk and compliance and unified data governance.

Microsoft Purview risk and compliance solutions

  • Microsoft 365 features as a core component of the Microsoft Purview risk and compliance solutions. Microsoft Teams, OneDrive, and Exchange are just some of the Microsoft 365 services that Microsoft Purview uses to help manage and monitor your data. Microsoft Purview, by managing and monitoring your data, is able to help your organization:
    • Protect sensitive data across clouds, apps, and devices.
    • Identify data risks and manage regulatory compliance requirements.
    • Get started with regulatory compliance.

Unified data governance

Microsoft Purview has robust, unified data governance solutions that help manage your on-premises, multicloud, and software as a service data. Microsoft Purview’s robust data governance capabilities enable you to manage your data stored in Azure, SQL and Hive databases, locally, and even in other clouds like Amazon S3.

Microsoft Purview’s unified data governance helps your organization:

  • Create an up-to-date map of your entire data estate that includes data classification and end-to-end lineage.
  • Identify where sensitive data is stored in your estate.
  • Create a secure environment for data consumers to find valuable data.
  • Generate insights about how your data is stored and used.
  • Manage access to the data in your estate securely and at scale.

Describe the purpose of Azure Policy

How do you ensure that your resources stay compliant? Can you be alerted if a resource's configuration has changed?

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across your resource configurations so that those configurations stay compliant with corporate standards.

What are Azure Policy initiatives?

An Azure Policy initiative is a way of grouping related policies together. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

Describe the purpose of resource locks

A resource lock prevents resources from being accidentally deleted or changed.

Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people with the right level of access could delete critical cloud resources. Resource locks prevent resources from being deleted or updated, depending on the type of lock. Resource locks can be applied to individual resources, resource groups, or even an entire subscription. Resource locks are inherited, meaning that if you place a resource lock on a resource group, all of the resources within the resource group will also have the resource lock applied.

Types

There are two types of resource locks, one that prevents users from deleting and one that prevents users from changing or deleting a resource.

  • Delete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Securing Azure

Write-ups to share my knowledge as I continue my journey to become an Azure Security Engineer

Read more from Securing Azure

Justin Peterson Securing Azure Describe identity protection and governance capabilities of Microsoft Entra This is what I learned: Describe Azure distributed denial-of-service (DDoS) Protection Describe Azure Firewall Describe Web Application Firewall (WAF) Describe network segmentation with Azure virtual networks Describe network security groups (NSGs) Describe Azure Bastion Describe Azure Key Vault Describe Azure distributed denial-of-service (DDoS) Protection The aim of a Distributed...

Justin Peterson Securing Azure Describe identity protection and governance capabilities of Microsoft Entra This is what I learned: Describe Microsoft Entra ID Governance Describe access reviews Describe entitlement management Describe the capabilities of Microsoft Entra Privileged Identity Management Describe Microsoft Entra ID Protection Describe Microsoft Entra Permissions Management Describe Microsoft Entra Verified ID Describe Microsoft Entra integration with Microsoft Copilot for...

Justin Peterson Securing Azure Describe access management capabilities of Microsoft Entra ID This is what I learned: Describe Conditional Access Describe Global Secure Access in Microsoft Entra Describe Microsoft Entra roles and role-based access control (RBAC) Describe Conditional Access One of the main features of an identity platform is to verify, or authenticate, credentials when a user signs in to a device, application, or service. Microsoft Entra ID offers different methods of...