02 - Administer Governance and Compliance

Configure Subscriptions

This area does not have a formal demonstration.

Reference: Create an additional Azure subscription

Configure Azure Policy

In this demonstration, we will work with Azure policies.

Reference: Tutorial: Build policies to enforce compliance - Azure Policy

Assign a policy

  1. Access the Azure portal.

  2. Search for and select Policy.

  3. Select Assignments and then Assign Policy.

  4. Discuss the Scope, which determines which resources or groupings of resources the policy assignment is enforced on.

  5. Select the Policy definition ellipsis to open the list of available definitions. Take some time to review the built-in policy definitions.

  6. Search for and select the Allowed locations policy. This policy enables you to restrict the locations your organization can specify when deploying resources.

  7. Move to the Parameters tab and, using the drop-down, select one or more allowed locations.

  8. Click Review + create and then Create to create the policy.

Create and assign an initiative definition

  1. Return to the Azure Policy page and select Definitions under Authoring.

  2. Select Initiative Definition at the top of the page.

  3. Provide a Name and Description.

  4. Create a new Category.

  5. From the right panel, Add the Allowed locations policy.

  6. Add one additional policy of your choosing.

  7. Save your changes and then Assign your initiative definition to your subscription.

Check for compliance

  1. Return to the Azure Policy service page.

  2. Select Compliance.

  3. Review the status of your policy and your definition.
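
To make concrete what the Allowed locations assignment and the Compliance view report, here is an added example (not part of the original demonstration and not Azure's own code) that evaluates a simplified location rule against a small inventory. The rule shape, the parameter name allowedLocations and all resource names are assumptions constructed for illustration.

```python
# Added example: simplified model of an "Allowed locations" style policy rule.
# Rule shape and parameter name are assumptions; resources are constructed.
RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "allowedLocations"},  # hypothetical parameter
        {"field": "location", "notEquals": "global"},        # non-regional resources
    ]},
    "then": {"effect": "deny"},
}

def matches(cond, resource, params):
    """Evaluate one condition, or an allOf group, against a resource dict."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    value = str(resource.get(cond["field"], "")).lower()  # compare case-insensitively
    if "notIn" in cond:
        return value not in {v.lower() for v in params[cond["notIn"]]}
    if "notEquals" in cond:
        return value != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, params, rule=RULE):
    """Return the rule's effect when the 'if' block matches, else None."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None

def compliance_report(resources, params):
    """List non-compliant resource names and the compliant percentage."""
    bad = [r["name"] for r in resources if evaluate(r, params) is not None]
    total = len(resources)
    pct = round(100 * (total - len(bad)) / total) if total else 100
    return {"non_compliant": bad, "compliant_percent": pct}

# Constructed sample inventory and parameter value (not real resources).
RESOURCES = [
    {"name": "vm-web-01", "location": "eastus"},
    {"name": "stlogs01", "location": "WestEurope"},
    {"name": "vm-test-02", "location": "southeastasia"},
    {"name": "dns-zone-example", "location": "global"},
]
PARAMS = {"allowedLocations": ["eastus", "westeurope"]}

if __name__ == "__main__":
    for res in RESOURCES:
        print(res["name"], res["location"], evaluate(res, PARAMS) or "compliant")
    print(compliance_report(RESOURCES, PARAMS))
```

A deny effect blocks new or updated deployments that match the rule; resources that already exist in a disallowed location are reported as non-compliant rather than removed.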

Check for remediation tasks

  1. Return to the Azure Policy service page.

  2. Select Remediation.

  3. Review any remediation tasks that are listed.

  4. As you have time, remove the policy and the initiative.

Configure Role-Based Access Control

In this demonstration, we will learn about role assignments.

Reference: Tutorial: Grant a user access to Azure resources using the Azure portal - Azure RBAC

Reference: Quickstart - Check access for a user to Azure resources - Azure RBAC

Locate Access Control blade

  1. Access the Azure portal and select a resource group. Make a note of what resource group you use.

  2. Select the Access Control (IAM) blade.

  3. This blade will be available for many different resources so you can control permissions.

Review role permissions

  1. Select the Roles tab (top).

  2. Review the large number of built-in roles that are available.

  3. Double-click a role, and then select Permissions (top).

  4. Continue drilling into the role until you can view the Read, Write, and Delete actions for that role.

  5. Return to the Access Control (IAM) blade.

Add a role assignment

  1. Create a user or select an existing user.

  2. Select Add role assignment and select a role. For example, Owner.

  3. Select Check access.

  4. Review the user permissions.

  5. Note that you can Deny assignments.