Azure Policy provides programmatic governance for Azure resources: enforcing naming conventions, requiring tags, preventing misconfigured resources, and auditing compliance across large, multi-team Azure environments.
Policy effects
Azure Policy effects determine what happens when a resource matches a policy rule. Deny: prevents the resource from being created or updated if it violates the policy. Audit: allows the resource but flags it as non-compliant in the compliance dashboard. DeployIfNotExists: deploys a related resource if it does not already exist (for example, deploying diagnostic settings when a resource is created, or adding a monitoring extension to a VM). Modify: adds or removes properties on resources. The combination of Deny and DeployIfNotExists covers most governance automation scenarios.
Policy initiatives
Policy initiatives group related policies into a single assignment. The Azure Security Benchmark initiative (formerly Azure Security Center's built-in initiative) contains 100+ policies for security best practices. The regulatory compliance initiatives (NIST SP 800-53, ISO 27001, SOC 2) map Azure policies to regulatory controls. Assigning an initiative to a management group applies all constituent policies at once. Custom initiatives group organisation-specific policies for consistent deployment.
Management groups and scope hierarchy
Management groups sit above subscriptions in the Azure hierarchy. Policies assigned to a management group apply to every subscription beneath it, including those in child management groups. The standard enterprise layout: a root management group for tenant-wide policies (required tags, diagnostic settings), platform management groups for landing zone subscriptions (network policies, security baseline), and application management groups for workload subscriptions with application-specific policies.
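The scope inheritance just described, together with the earlier point that assigning an initiative applies all of its member policies at once, can be modelled offline. The following is an added example, not Azure's own scope resolver: it walks a constructed management group tree and computes which assignments and policy definitions are in force at a subscription or resource group, including `notScopes` exclusions. The hierarchy, assignment names, initiative contents and policy names are all constructed for the example; only the scope id formats (`/providers/Microsoft.Management/managementGroups/<name>`, `/subscriptions/<id>`, `.../resourceGroups/<name>`) are the real ARM forms.

```python
"""Effective policy assignments for a scope in a management group hierarchy.

Added example, not Azure's own resolver. It models the documented rules: an
assignment at a management group applies to every child management group,
subscription and resource group beneath it (cumulatively, so a deny made
higher up cannot be relaxed by a child assignment); notScopes carve a subtree
out of an assignment; assigning an initiative applies all member policies.
All names below are constructed for this example.
"""


def mg(name):
    return f"/providers/Microsoft.Management/managementGroups/{name}"


def sub(name):
    return f"/subscriptions/{name}"


def rg(subscription, name):
    return f"{sub(subscription)}/resourceGroups/{name}"


# Constructed enterprise layout: scope -> parent scope (None = tenant root group)
HIERARCHY = {
    mg("root"): None,
    mg("platform"): mg("root"),
    mg("landingzones"): mg("root"),
    mg("sandbox"): mg("root"),
    mg("corp"): mg("landingzones"),
    sub("sub-connectivity"): mg("platform"),
    sub("sub-payments"): mg("corp"),
    sub("sub-sandbox"): mg("sandbox"),
}

# Constructed initiative: one assignment applies every member definition
INITIATIVES = {
    "security-baseline": ["audit-https-storage", "deploy-diag-settings", "audit-public-ip"],
}

# Constructed assignments: "policy" names one definition, "initiative" a group
ASSIGNMENTS = [
    {"name": "require-tags", "scope": mg("root"), "policy": "require-cost-center-tag"},
    {"name": "baseline", "scope": mg("root"), "initiative": "security-baseline"},
    {"name": "platform-network", "scope": mg("platform"), "policy": "deny-nsg-without-flow-logs"},
    {"name": "deny-public-ip", "scope": mg("landingzones"), "policy": "deny-public-ip",
     "notScopes": [rg("sub-payments", "rg-legacy")]},
    {"name": "corp-private-link", "scope": mg("corp"),
     "policy": "deny-storage-without-private-endpoint"},
]


def parent_of(scope):
    """One level up; a resource group's parent is derived from its own id."""
    if scope in HIERARCHY:
        return HIERARCHY[scope]
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]
    raise KeyError(f"unknown scope: {scope}")


def scope_chain(scope):
    """The scope itself and every ancestor up to the tenant root group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_of(scope)
    return chain


def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Assignments in force at `scope` (name -> scope they were made at): any
    assignment on an ancestor, unless a notScope covers the scope's subtree."""
    chain = scope_chain(scope)
    return {a["name"]: a["scope"] for a in assignments
            if a["scope"] in chain
            and not any(ns in chain for ns in a.get("notScopes", []))}


def effective_policies(scope, assignments=ASSIGNMENTS, initiatives=INITIATIVES):
    """Policy definitions in force at `scope`, with initiatives expanded."""
    active = effective_assignments(scope, assignments)
    policies = set()
    for a in assignments:
        if a["name"] not in active:
            continue
        if "initiative" in a:
            policies.update(initiatives[a["initiative"]])
        else:
            policies.add(a["policy"])
    return sorted(policies)


if __name__ == "__main__":
    for scope in (sub("sub-connectivity"), sub("sub-payments"), rg("sub-payments", "rg-legacy")):
        print(scope, "->", effective_policies(scope))
```

The payments subscription picks up the root, landing-zone and corp assignments but not the platform one; its `rg-legacy` resource group loses only the `deny-public-ip` assignment because that resource group is listed in its `notScopes`. Everything else still applies there, which is the point to remember when reviewing an exclusion request: a notScope removes one assignment from one subtree, not the rest of the chain.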
Remediation tasks
Policies with DeployIfNotExists or Modify effects can create remediation tasks that bring existing non-compliant resources into compliance retroactively. A policy requiring diagnostic settings on Storage Accounts can generate a remediation task that adds diagnostic settings to all existing Storage Accounts in scope. Remediation tasks require a managed identity with appropriate permissions on the resources being remediated.
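To make the effect semantics from the "Policy effects" section and the remediation behaviour above concrete, here is an added example that is not Microsoft's evaluation engine: a small offline evaluator for the `policyRule` JSON shape (the `if`/`then` block with `allOf`, `anyOf`, `not`, `equals`, `notEquals`, `exists`, `in` and `notIn`) run over a constructed inventory. It shows that a Deny policy rejects the request, an Audit policy only records non-compliance, and a DeployIfNotExists policy marks resources whose related resource is missing, which is exactly the set a remediation task would touch, along with the roles the task's managed identity needs from `details.roleDefinitionIds`. Assumptions: resources are dicts with `type`/`name`/`location`/`tags`/`properties`; a property alias is resolved by its last path segment inside `properties`; related resources carry a constructed `parent` key standing in for `existenceCondition`; the role definition id is a placeholder.

```python
"""Offline evaluator for a subset of the Azure Policy rule language.

Added example, not Microsoft's engine. Assumptions: a resource is a dict with
type/name/location/tags/properties; an alias such as
Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is resolved by its
last path segment inside "properties"; related resources carry a "parent" key
(stand-in for existenceCondition). Inventory and policies are constructed.
"""


def resolve_field(resource, field):
    """Map a policyRule 'field' expression onto the resource dict (simplified)."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])  # tags['env'] -> env
    # Alias: last path segment is the property name (assumption for this example)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])


def matches(resource, cond):
    """Evaluate an 'if' block: logical operators plus the common field operators."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    text = "" if value is None else str(value).lower()  # string compares are case-insensitive
    if "equals" in cond:
        return text == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return text != str(cond["notEquals"]).lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "in" in cond:
        return text in [str(v).lower() for v in cond["in"]]
    if "notIn" in cond:
        return text not in [str(v).lower() for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def related_exists(resource, details, related):
    """existenceCondition stand-in: a related resource of details.type is attached."""
    return any(r["type"].lower() == details["type"].lower()
               and r.get("parent") == resource["name"] for r in related)


def evaluate(policies, inventory, related):
    """Outcome per resource and policy:
    deny -> "denied" (request rejected); audit -> "non-compliant" (allowed, flagged);
    deployIfNotExists -> "remediation-needed" when the related resource is missing."""
    outcomes = {}
    for res in inventory:
        for name, policy in policies.items():
            effect = policy["then"]["effect"].lower()
            if not matches(res, policy["if"]):
                outcome = "compliant"
            elif effect == "deny":
                outcome = "denied"
            elif effect == "audit":
                outcome = "non-compliant"
            elif effect == "deployifnotexists":
                exists = related_exists(res, policy["then"]["details"], related)
                outcome = "compliant" if exists else "remediation-needed"
            else:
                raise ValueError(f"effect not modelled here: {effect}")
            outcomes.setdefault(res["name"], {})[name] = outcome
    return outcomes


def remediation_plan(policy_name, policies, inventory, related):
    """What a remediation task for a deployIfNotExists policy would do: existing
    resources it targets, what it deploys, and the roles its managed identity needs."""
    policy = policies[policy_name]
    details = policy["then"]["details"]
    targets = [r["name"] for r in inventory
               if matches(r, policy["if"]) and not related_exists(r, details, related)]
    return {"targets": targets, "deploys": details["type"],
            "identity_needs_roles": details.get("roleDefinitionIds", [])}


POLICIES = {  # policyRule shape; constructed for this example
    "require-https-storage": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"}]},
        "then": {"effect": "deny"}},
    "require-env-tag": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "audit"}},
    "storage-diagnostics": {
        "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        "then": {"effect": "deployIfNotExists", "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            # placeholder id: a real definition lists the role the identity must hold
            "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/<role-guid>"]}}},
}
INVENTORY = [  # constructed; not from any real tenant
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprod01", "location": "westeurope",
     "tags": {"env": "prod"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy", "location": "westeurope",
     "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web", "location": "eastus",
     "tags": {"env": "dev"}},
]
RELATED_RESOURCES = [{"type": "Microsoft.Insights/diagnosticSettings", "name": "diag", "parent": "stprod01"}]

if __name__ == "__main__":
    print(evaluate(POLICIES, INVENTORY, RELATED_RESOURCES))
    print(remediation_plan("storage-diagnostics", POLICIES, INVENTORY, RELATED_RESOURCES))
```

Running it shows `stlegacy` denied by the HTTPS policy, flagged by the tag audit, and listed as the single target of the diagnostics remediation task, while `stprod01` is compliant on all three because its diagnostic settings already exist. The `identity_needs_roles` list is what to check before creating the task: if the assignment's managed identity lacks those roles on the scope, the remediation deployments fail rather than the policy.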