
Manage governance via Azure Policy

3 of 14 guides |  12 minutes to complete  |  Last Updated: February 2025
In this guide, you learn how to implement your organization’s governance plans. You learn how Azure policies can ensure operational decisions are enforced across the organization. You learn how to use resource tagging to improve reporting.

About this guide

Scenario

Your organization’s cloud footprint has grown considerably in the last year. During a recent audit, you discovered a substantial number of resources that do not have a defined owner, project, or cost center. In order to improve management of Azure resources in your organization, you decide to implement the following functionality:

  • Apply resource tags to attach important metadata to Azure resources
  • Enforce the use of resource tags for new resources by using Azure Policy
  • Update existing resources with resource tags
  • Use resource locks to protect configured resources

Job Skills

Task 1: Create and assign tags via the Azure portal
Task 2: Enforce tagging via an Azure Policy
Task 3: Apply tagging via an Azure Policy
Task 4: Configure and test resource locks

As organizations around the world migrate solutions to the cloud, the ability to implement, manage, and monitor cloud-based solutions is highly valued in numerous industries.

Architecture Diagram

Key Takeaways:

  • Azure tags are metadata that consists of a key-value pair. Tags describe a particular resource in your environment. In particular, tagging in Azure enables you to label your resources in a logical manner.
  • Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. There are many built-in policy definitions and you can customize the policies.
  • The Azure Policy remediation task feature is used to bring resources into compliance based on a definition and assignment. Resources that are non-compliant with a modify or deployIfNotExists definition assignment can be brought into compliance using a remediation task.
  • You can configure a resource lock on a subscription, resource group, or resource. The lock can protect a resource from accidental user deletions and modifications. The lock overrides any user permissions.
  • Azure Policy is a pre-deployment security practice. RBAC and resource locks are post-deployment security practices.
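
A policy definition of the kind the policy and remediation takeaways above describe, as an added example that is not part of the original guide: the `if` block combines a field condition with a value condition, and the `modify` effect copies a missing tag from the resource group. The `tagName` parameter and the display text are assumptions; the role ID is the built-in Contributor role, which the assignment's managed identity needs before a remediation task can change existing resources.

```json
{
  "properties": {
    "displayName": "Example: inherit a tag from the resource group if missing",
    "description": "Added example, not from the guide. tagName is chosen at assignment time.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag to copy, such as 'Cost Center'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

Replacing the `then` block with `{ "effect": "deny" }` and dropping the second condition turns the same rule into one that blocks creation of new resources lacking the tag. Because `modify` acts through the assignment's managed identity, scope that identity's role to the narrowest one that can write tags in your environment.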

Career Connections

With the increasing demand for expertise in cloud-based administration, professionals with the skills from this series can pursue job prospects in roles such as Azure Administrator, Cloud Engineer, Systems Administrator (Cloud Focus), DevOps Engineer, and Cloud Support Engineer.

As of 2025, average cloud-related salaries in the United States range from $68,215 for entry-level Azure Administrators to $130,000 for mid-career DevOps Engineers, with Cloud Engineers, Systems Administrators, and Cloud Support Engineers earning competitive pay based on experience and role demands. Please note that these figures are approximate, derived from online sources, and can vary based on factors such as location, industry, and company size.