Guided by A Guide to Cloud
AZ-900 Study Guide

Domain 1: Describe Cloud Concepts

  • What is Cloud Computing? Free
  • Cloud Models: Public, Private, and Hybrid Free
  • Cloud Pricing: Consumption, Serverless, and Pay-as-You-Go Free
  • High Availability and Scalability Free
  • Reliability, Security, and Manageability Free
  • IaaS, PaaS, and SaaS Explained Free
  • Choosing the Right Cloud Service Free

Domain 2: Describe Azure Architecture and Services

  • Azure Regions, Zones, and Datacenters
  • Resources, Resource Groups, and Subscriptions
  • Azure Virtual Machines
  • Azure Compute: Containers, Functions, and App Service
  • Azure Networking: VNets, Subnets, and Peering
  • Connecting to Azure: VPNs, ExpressRoute, and DNS
  • Azure Storage Services
  • Data Migration: Moving to Azure
  • Microsoft Entra ID: Your Identity Hub
  • Authentication and External Identities
  • Azure Security: RBAC, Zero Trust, and Defender

Domain 3: Describe Azure Management and Governance

  • What Affects Your Azure Bill
  • Pricing Calculators: TCO and Azure Pricing
  • Cost Management and Tags
  • Azure Governance: Purview, Policy, and Locks
  • The Azure Portal and Cloud Shell
  • Infrastructure as Code: ARM, Bicep, and Arc
  • Azure Advisor and Service Health
  • Azure Monitor: Logs, Alerts, and Insights

Domain 3: Describe Azure Management and Governance Premium ⏱ ~11 min read

Azure Governance: Purview, Policy, and Locks

Governance keeps your Azure environment compliant and controlled. Microsoft Purview, Azure Policy, and resource locks work together to enforce rules automatically.

Keeping Azure under control

☕ Simple explanation

Governance is like the rules of a shared kitchen at work.

Microsoft Purview = the food safety inspector. They check what food is stored, where it came from, and whether it’s labelled correctly. In Azure, Purview discovers and classifies your data across all your services.

Azure Policy = the kitchen rules posted on the wall. “All food must be labelled.” “No personal items in the fridge.” These rules are enforced automatically — if you try to store unlabelled food, the policy rejects it.

Resource locks = padlocks on the expensive equipment. Even if you have permission to use the kitchen, you can’t throw away the espresso machine. Locks prevent accidental deletion of critical resources.

Microsoft Purview provides a unified data governance solution across on-premises, multi-cloud, and SaaS environments. It discovers, classifies, and manages data assets, creating a holistic data map and providing compliance and risk management capabilities.

Azure Policy creates, assigns, and manages policies that enforce rules on Azure resources. Policies evaluate resource configurations against organisational standards and can prevent non-compliant resources from being created or flag existing non-compliant resources.

Resource locks prevent accidental modification or deletion of critical resources. There are two levels: CanNotDelete (the resource can be modified but not deleted) and ReadOnly (the resource cannot be modified or deleted).

Microsoft Purview

Purview is Azure’s data governance platform. In the context of AZ-900, it provides:

Capability | What It Does
Data Map | Discovers and classifies data across Azure, on-prem, and SaaS
Data Catalog | Searchable index of your organisation’s data assets
Compliance | Tracks compliance against regulatory standards
Risk management | Identifies sensitive data and potential risks

Harbour Health uses Purview to discover where patient data exists across their Azure environment — SQL databases, blob storage, and file shares. It automatically classifies data containing health records and flags any that lack proper sensitivity labels.

Exam scope: AZ-900 only tests the PURPOSE of Purview in Azure — that it provides data governance, discovery, and classification. Deeper Purview features (like Data Loss Prevention) are covered in other exams.

Azure Policy

Azure Policy enforces rules on your Azure resources automatically:

Policy Action | What Happens
Deny | Blocks resource creation if it doesn’t meet the policy
Audit | Allows creation but flags it as non-compliant
Append | Adds settings to resources (e.g., automatically add a tag)
DeployIfNotExists | Deploys a required resource if it’s missing

Common policy examples

Policy | Effect | Example
Allowed locations | Deny | Only allow resources in Australia East and Australia Southeast
Require tags | Deny | All resources must have an “Owner” tag
Allowed VM sizes | Deny | Only allow B and D-series VMs (no expensive N-series)
Require encryption | Audit | Flag storage accounts without encryption enabled
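How Deny and Audit rules like the ones in the table are evaluated against a resource, as an added example (not part of the original guide and not Azure's own engine). It models a subset of the policy rule condition language; the sample resources are constructed and `encryptionEnabled` is a hypothetical simplified field, where real policies use provider-specific aliases.

```python
# Simplified model of Azure Policy rule evaluation; not Azure's engine.
# Handles a subset of the policyRule language: field with equals / in /
# exists, combined through not / allOf / anyOf.

def get_field(resource, field):
    """Resolve 'location', 'type' or "tags['Owner']" on a resource dict."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def matches(cond, resource):
    """True when the resource satisfies the rule's 'if' condition."""
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:
        return False
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return str(value).lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

# Constructed rules mirroring the examples in the table above.
POLICIES = {
    "allowed-locations": {
        "if": {"not": {"field": "location",
                       "in": ["australiaeast", "australiasoutheast"]}},
        "then": {"effect": "deny"}},
    "require-owner-tag": {
        "if": {"field": "tags['Owner']", "exists": "false"},
        "then": {"effect": "deny"}},
    "audit-storage-encryption": {  # 'encryptionEnabled' is a hypothetical field
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "encryptionEnabled", "equals": "false"}]},
        "then": {"effect": "audit"}},
}

def evaluate(resource, policies=POLICIES):
    """Return (decision, matched policy names); deny outranks audit."""
    hits = {n: p["then"]["effect"] for n, p in policies.items()
            if matches(p["if"], resource)}
    if "deny" in hits.values():
        return "deny", sorted(n for n, e in hits.items() if e == "deny")
    return ("audit" if hits else "allow"), sorted(hits)
```

A rule's `if` block describes the non-compliant state, which is why the location rule is wrapped in `not`: the effect fires when the location is outside the allowed list.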

Policy initiatives

A policy initiative is a collection of related policies grouped together. Instead of assigning 10 individual policies, you assign one initiative.

Example: Harbour Health’s “Healthcare Compliance” initiative includes:

  • Require encryption on all storage
  • Require HTTPS on all web apps
  • Restrict resource creation to approved regions
  • Require sensitivity labels on databases

💡 Azure Policy vs RBAC

They’re different:

  • RBAC controls WHO can do things (users and permissions)
  • Azure Policy controls WHAT can be done (resource configurations)

A user with Contributor access can create any VM. But if an Azure Policy restricts VMs to D-series only, even a Contributor can’t create an N-series VM. Policy overrides individual permissions for resource configuration.

Resource locks

Resource locks prevent accidental changes to critical resources:

Resource lock types

Feature | CanNotDelete Lock | ReadOnly Lock
Can read? | Yes | Yes
Can modify? | Yes | No
Can delete? | No | No
Use case | Protect production resources from deletion | Protect critical configs from any changes

Key facts about locks:

  • Locks apply to ALL users, regardless of RBAC role — even Owners
  • Locks are inherited — a lock on a resource group applies to all resources inside
  • To delete a locked resource, you must first remove the lock (deliberate two-step process)
  • Locks protect against accidents, not malicious actors (an admin can remove the lock)

Summit Construction puts a CanNotDelete lock on their production database. Even if an admin accidentally tries to delete it, the lock prevents it. They’d have to intentionally remove the lock first.
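Lock inheritance and the two lock levels described above, as an added example (a simplified model, not part of the original guide and not Azure's implementation). The scope IDs and subscription ID are constructed placeholders; when several locks apply, the most restrictive one in the inheritance chain wins.

```python
# Simplified model of resource lock inheritance; not Azure's implementation.
LOCK_RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

def effective_lock(resource_id, locks):
    """Most restrictive lock set on the resource or any parent scope.

    locks maps a scope ID (subscription, resource group or resource) to a
    lock level. Matching is on whole path segments, so a lock on resource
    group 'prod' does not leak onto 'prod-test'.
    """
    rid = resource_id.lower().rstrip("/")
    found = [level for scope, level in locks.items()
             if rid == scope.lower().rstrip("/")
             or rid.startswith(scope.lower().rstrip("/") + "/")]
    return max(found, key=LOCK_RANK.get, default=None)

def is_blocked(operation, resource_id, locks):
    """operation is 'read', 'write' or 'delete'. There is no role argument:
    the lock check is the same for every caller, Owners included."""
    level = effective_lock(resource_id, locks)
    if level is None or operation == "read":
        return False
    if operation == "delete":
        return True               # both lock levels block deletion
    return level == "ReadOnly"    # write: only ReadOnly blocks it

# Constructed sample scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod"
PROD_DB = PROD_RG + "/providers/Microsoft.Sql/servers/sql1/databases/app"
PROD_VNET = PROD_RG + "/providers/Microsoft.Network/virtualNetworks/core"
TEST_DB = (SUB + "/resourceGroups/prod-test"
           "/providers/Microsoft.Sql/servers/sql2/databases/app")

LOCKS = {
    PROD_RG: "CanNotDelete",   # inherited by everything in the group
    PROD_VNET: "ReadOnly",     # stricter lock on one resource
}
```

Because removing the lock is itself just another write by a sufficiently privileged admin, the useful detection point is the lock deletion event rather than the blocked delete.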

Flashcards

Question: What is Microsoft Purview used for in Azure?

Answer: Data governance — discovering, classifying, and managing data assets across Azure, on-premises, and SaaS. It provides a data map, data catalog, compliance tracking, and risk management.

Question: What is Azure Policy?

Answer: A service that creates and enforces rules on Azure resources. Policies can Deny (block), Audit (flag), Append (add settings), or DeployIfNotExists. Example: 'Only allow resources in approved regions.'

Question: What are the two types of resource locks?

Answer: CanNotDelete — allows reading and modifying but prevents deletion. ReadOnly — allows reading only, prevents both modification and deletion. Locks apply to all users regardless of RBAC role.

Question: What is the difference between Azure Policy and RBAC?

Answer: RBAC controls WHO can do things (user permissions). Azure Policy controls WHAT can be done (resource configurations). Policy can block actions even for users with full RBAC permissions.
Knowledge Check

Harbour Health wants to ensure that no Azure resources can be created outside of Australia. Which Azure feature should they use?

Summit Construction's production SQL database must not be accidentally deleted, but admins still need to modify its settings. Which resource lock type should they apply?


Next up: The Azure Portal — your visual command centre for managing everything in Azure.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.