Governance keeps a growing cloud estate consistent, compliant, and cost- controlled. The key Azure tools:

• Management groups — apply policy/access across many subscriptions
• Azure Policy — enforce rules (e.g. “only allowed regions”, “must have tags”) and audit or deny non-compliant resources
• RBAC — who can do what, where (covered in depth in AZ-104)
• Resource locks — prevent accidental delete/change (CanNotDelete, ReadOnly)
• Tags — key/value labels for cost allocation and organization

For compliance, the Microsoft Purview / Trust Center and Service Trust Portal document certifications. Microsoft Defender for Cloud scores your security posture.

Govern a multi-team subscription:
  Management group        → org-wide guardrails
  Azure Policy: "deny public IP on VMs in prod"
  Policy: "require 'costCenter' tag on all resources"
  Resource lock (CanNotDelete) on the shared network RG
  Tags: env=prod, owner=team-a, costCenter=1234

1. Write a plain-English Azure Policy rule for restricting deployment regions.
2. Explain the difference between Azure Policy and RBAC with an example of each.
3. Describe when you’d apply a CanNotDelete resource lock.
4. Propose a tagging scheme for tracking cost by team and environment.

• ↗ Microsoft — Azure governance