Governance and Compliance 102

Region is an area, geographical containing on or more datacenters.

Azure subscription, Logical unit of services linked to account, billing is by subscription, organize access to services.

Azure accounts, account is identity in AD. Types of account, enterprise, resellers, partners, personal. Free, wont be charged before you upgrade.

Cost Management

Pay for what you use, monitor and control spending and also optimize resource use.

Resource tags

Name:Value, Enviroment, Test etc. With tags you can retrieve all resources in the subscription with the name and value for tag. (Many tags, Powershell or CLI)

Cost savings

  • Reservations, pre-pay for 1 or 3 years for VM’s,SQL db capacity, get discount on resources.
  • Hybrid benefits, when you have licenses with software assurance, that helps existing on-premises win server/sql license migrating to Azure. A calculator for this
  • Credits
  • Regions, price can be different from region to region
  • Budget, plan, drive cost over time, and monitor

Pricing calculator


Management groups

If the company has many subscriptions, Management groups provide management on a level over subscription. Organize subscriptions in boxes(containers) and use governance to the groups.

  • Alignment of organization with hierarchies / groups
  • Policies / budget across subscriptions with inheritance ->
  • Cost report and compliance


Service for creating, assign and control the use with rules over resources. This forces the resources to stay compliant with standards and SLA


  • Built in or custom policies, real time scan
  • Apply policies to management groups, several or exclude policies
  • Reversing / stopping policies in real time


Role-bases access control

RBAC manage who has access to resources, and what action they can do.

RBAC is built on Azure Resource Manger authorization.


Allow access to all resources in a group for an application or user, allow one user to create VM’s and another to to create vnet’s, DBA to manage SQL.

The concepts are

  • Security principal, Objects (user, groups, identity) requesting access
  • Role definition, set of permissions that can be done (read, write contributor, etc)
  • Scope, Level of access, subscription, resources, management groups
  • Assignment, ad a role definition to a SP (Security principal) for a selected scope, users can grant access by making assigments.

Role definition

  • Is properties in a json file (Name, Id, Description, Actions,NotActions and scope (read, write etc))
  • The “*” is all actions, “/” is all scopes.

Role assignment

  • is the process of adding a role def to user, group , service principal, managed identity for a scope to grant access

Azure RBAC vs Azure AD

  • Subscription admin roles (classic)
  • RBAC roles
  • Azure AD admin roles

Azure RBAC roles control security/permis. to manage Azure resources, Azure AD admin roles controls security/permis. to Azure Active Directory resources.

Nb, subscription admin roles (classic) should not be used if using Azure Resource Manager.

RBAC Roles

  • Owner, 100% access and can delegate
  • Contributor, create/manage all types of resources, but cannot delegate
  • Reader, view all
  • User Access Administrator, manage user access to resources