Azure Policy - Enforcing Security With Governance and Compliance

Azure Policy logo image.

In this blog:


This is the final post of my 4-week AZ-500 study series. It explores how Azure enforces security across the business through governance and compliance, using Azure Policy.


🎯 Goal:

Ensure your subscriptions and resource groups comply with security baselines by assigning Azure Policies, triggering compliance scans, and validating the results in the Azure Policy dashboard.


🚨 Azure Policy dashboard


1️⃣ Navigate to Azure Policy:


1. Go to portal.azure.com.
2. In the search bar at the top, type “Policy”.
3. Click Azure Policy.
4. On the left menu, you should see:
  • Overview
  • Compliance
  • Definitions
  • Assignments


This is where Azure stores all governance and compliance controls. You’ll mainly use:

  • Assignments → Where you apply policies

  • Compliance → Where you see results once Azure evaluates your environment

Azure Policy dashboard.

🛡️ Assigning built-in security policies


1. In Azure Policy, click Assignments (left menu).
2. Click Assign policy (top left).

Azure policy assignment page.

Now you’ll see the assignment wizard. Fill it in as follows:

  • Scope → Your subscription

  • Policy definition → Search for:


🔍 Storage accounts should use customer-managed keys for encryption

Select it → Next

No parameters needed → Review + Create → Create

Azure policy assignment wizard.

🚫 Making a resource non-compliant


Now we intentionally break the rule.


Go to:

Create a resource → Storage account


Fill in:

  • Region: any

  • Redundancy: LRS is fine

  • Performance: Standard


Then THIS IS THE IMPORTANT PART:


🔥 In SECURITY+NETWORKING → ENCRYPTION:


  • Set Encryption type → Microsoft-managed keys


This makes it NON-COMPLIANT on purpose.

Setting Microsoft-Managed keys.

After a few minutes, your storage account will appear in the Compliance view as:

❌ Non-compliant

Storage account showing as non-compliant.

👷‍♂️ Fixing the resource


1. Go back to Storage account → Blob storage → Encryption under Security+Networking.
2. Enable Customer-managed Keys.
3. Key selection → Encryption key → Select key from key vault.

Setting Customer-Managed key.

4. Key vault and key → select your key vault and the key that you made inside it (for more on this, see my blog on Key Vault configuration here:

Setting subscription, key vault and key.

✅ Triggering compliance


  • Policy → Assignments → Your policy

  • Trigger evaluation


Within minutes, your resource should flip from:


❌ Non-compliant → ✔ Compliant (mine took about 10 minutes to flip)


This shows the full lifecycle:

  • Policy enforcement

  • Detection

  • Remediation


In a real-world environment, this remediation would normally be automated using Azure Policy remediation tasks.

Storage account showing compliant status.
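To show what the compliance scan is actually checking when it flips a storage account between Non-compliant and Compliant, here is an added example (not from the original post or from Microsoft) that evaluates a policy rule modelled on the "customer-managed keys" definition against constructed storage account records; the rule's alias and the sample resource IDs are assumptions for illustration, not the built-in definition verbatim.

```python
"""Minimal evaluator for a policy rule modelled on
"Storage accounts should use customer-managed keys for encryption".
Added example: the rule, alias mapping and sample resources are constructed."""

# Policy rule modelled on the built-in definition (assumption: same shape and alias).
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
             "notEquals": "Microsoft.Keyvault"},
        ]
    },
    "then": {"effect": "Audit"},
}

# Policy alias -> path into the resource record (constructed mapping for this example).
ALIASES = {
    "type": ("type",),
    "Microsoft.Storage/storageAccounts/encryption.keySource": ("properties", "encryption", "keySource"),
}

# Constructed resources; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lab/providers/"
SAMPLE_RESOURCES = [
    {"id": SUB + "Microsoft.Storage/storageAccounts/stlabmmk", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},   # Microsoft-managed keys
    {"id": SUB + "Microsoft.Storage/storageAccounts/stlabcmk", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},  # customer-managed keys
    {"id": SUB + "Microsoft.Compute/virtualMachines/vm-lab", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},                                                   # not targeted by the rule
]

def resolve(resource, field):
    """Follow the alias path into the record; missing keys resolve to None."""
    value = resource
    for key in ALIASES.get(field, (field,)):
        value = value.get(key) if isinstance(value, dict) else None
    return value

def matches(condition, resource):
    """Evaluate an allOf/anyOf/not tree of field conditions."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError("unsupported condition: %r" % condition)

def compliance_state(resource, rule=POLICY_RULE):
    """'NonCompliant' when the rule's `if` block matches, 'Compliant' when it
    does not; resource types the rule never targets are 'NotApplicable'."""
    if resource.get("type") != "Microsoft.Storage/storageAccounts":
        return "NotApplicable"
    return "NonCompliant" if matches(rule["if"], resource) else "Compliant"

def evaluate(resources, rule=POLICY_RULE):
    """Map every resource ID to its compliance state, like the Compliance blade."""
    return {r["id"]: compliance_state(r, rule) for r in resources}
```

Switching the first record's keySource to "Microsoft.Keyvault" is the programmatic equivalent of the portal fix above, and the same evaluate() call then reports it as Compliant.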

🥳 And that's the end of my 4-week AZ-500 study series!


This step demonstrated how critical continuous compliance monitoring is for maintaining a secure cloud posture. It also showed how Azure Policy enforces the rules that keep cloud environments secure, consistent, and auditable – an essential part of any security or compliance-driven organisation.

