Governance and compliance make up 30–35% of the AZ-900 exam under the Management and Governance domain. This guide covers Azure Policy, resource locks, Microsoft Purview, Azure Blueprints, Compliance Manager, and the Trust Center: everything you need to know to pass the exam and understand how Microsoft helps organizations stay in control of their cloud environments.
Cloud governance is the set of policies, processes, and tools that ensure resources are used appropriately, costs are controlled, security standards are met, and regulatory obligations are fulfilled. For the AZ-900, Microsoft expects candidates to understand the purpose of each governance tool: not deep configuration syntax, but which tool solves which problem.
The Management and Governance domain (30–35%) is the largest single domain on the exam. Questions frequently ask you to match a scenario to the correct Azure service. For example: "Which service lets you enforce a naming convention across all Azure subscriptions?" (Azure Policy) or "Which tool provides a pre-packaged, repeatable environment definition?" (Azure Blueprints). Knowing the distinctions will earn you significant marks. Start your preparation with our AZ-900 practice test to benchmark your current knowledge, then revisit this guide to fill any gaps.
Governance in Azure operates at multiple levels of the management hierarchy: Management Groups → Subscriptions → Resource Groups → Resources. Policies and locks applied at a higher level cascade downward, which is why governance tools are so powerful in enterprise environments. This hierarchy also appears in our AZ-900 complete guide alongside other foundational concepts.
Azure Policy is the primary tool for implementing governance rules across your Azure environment. A policy definition is a JSON document that describes the condition to evaluate and the effect to apply (Audit, Deny, Append, Modify, DeployIfNotExists, or AuditIfNotExists). Policies are assigned to a scope (management group, subscription, or resource group) and can be grouped into policy initiatives (also called policy sets) for easier management.
On the AZ-900 exam, key facts to remember: policies enforce standards continuously, not just at deployment time; a compliance dashboard shows the percentage of compliant resources; and the DeployIfNotExists effect can automatically remediate non-compliant resources by deploying supporting configurations. Unlike resource locks, which prevent user actions, policies evaluate resource properties. For hands-on practice, try our AZ-900 practice exam which includes scenario-based policy questions.
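To make the "condition plus effect" structure of a policy definition concrete, here is an added example (not code from the page or from Microsoft): a deliberately simplified, offline evaluator that applies a constructed naming-convention policy, written in the real `policyRule` layout, to resource JSON. It supports only a subset of the Azure Policy condition grammar and is not the Azure Policy engine.

```python
from fnmatch import fnmatchcase

# Constructed policy definition (hypothetical, not from the page): deny storage
# accounts whose name does not start with "st", using the real policyRule layout.
NAMING_POLICY = {
    "properties": {
        "displayName": "Storage accounts must be named st*",
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "name", "notLike": "st*"},
            ]},
            "then": {"effect": "deny"},
        },
    }
}

def resolve_field(resource, field):
    """Map a policy 'field' to a resource value (subset of Azure's field/alias forms)."""
    if field.startswith("tags["):      # tags['env'] -> resource["tags"]["env"]
        return resource.get("tags", {}).get(field[6:-2])
    if "/" in field:                   # alias Microsoft.X/y/prop -> properties.prop (simplified)
        return resource.get("properties", {}).get(field.rsplit("/", 1)[1])
    return resource.get(field)         # top-level fields: name, type, location, kind

def matches(cond, resource):
    """Evaluate one condition node: logical operator or field comparison."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    low = "" if value is None else str(value).lower()   # comparisons are case-insensitive
    if "equals" in cond:    return low == str(cond["equals"]).lower()
    if "notEquals" in cond: return low != str(cond["notEquals"]).lower()
    if "like" in cond:      return fnmatchcase(low, cond["like"].lower())      # Azure: one '*' wildcard
    if "notLike" in cond:   return not fnmatchcase(low, cond["notLike"].lower())
    if "in" in cond:        return low in [str(v).lower() for v in cond["in"]]
    if "exists" in cond:    return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return the effect to apply ('deny', 'audit', ...) when the rule matches, else None."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else None
```

A resource that matches the `if` block receives the `then` effect; one that does not match is compliant, which is exactly the distinction the compliance dashboard reports.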
Resource locks protect critical resources from accidental deletion or modification, regardless of RBAC permissions. Even subscription owners cannot delete a locked resource without first removing the lock. Two lock types exist: CanNotDelete allows reads and updates but blocks deletion; ReadOnly blocks all writes including updates. Locks are inherited: a lock on a resource group applies to all resources within it. The AZ-900 exam may present scenarios where a team accidentally deleted a production database, and the question is which control would have prevented it: the answer is a resource lock. Compare this with identity and security controls like RBAC, which manage who can act rather than preventing actions entirely.
Microsoft Purview (formerly Azure Purview combined with Microsoft 365 compliance tools) provides a unified platform for data governance, risk, and compliance. It scans data sources, automatically classifies sensitive data (PII, financial records, health data), and builds a searchable data catalog. For compliance, Purview includes Information Protection, Data Loss Prevention, eDiscovery, and audit capabilities. On the AZ-900, Purview questions focus on its role in understanding what data you have and ensuring data privacy regulations (GDPR, HIPAA) are met. See how networking controls complement data governance in the Azure networking guide.
Azure Blueprints allow you to define a repeatable set of Azure resources that implements and adheres to standards, patterns, and requirements. A blueprint can contain policy assignments, role assignments, resource groups, and ARM templates, all versioned and tracked together. Unlike an ARM template alone, a Blueprint maintains a live connection between the blueprint definition and deployed resources, allowing updates to be pushed centrally. This is the key differentiator for exam questions: Blueprints track the relationship between the definition and the deployment. Use Blueprints when you need to rapidly stand up compliant environments at scale, for example, onboarding a new subsidiary to your enterprise standards. Storage compliance is another governance concern addressed in our storage services guide.
The Microsoft Compliance Manager (accessed via the Microsoft Purview compliance portal) helps organizations manage compliance activities. It provides a compliance score, pre-built regulatory templates (ISO 27001, SOC 2, GDPR, NIST), and action items broken into Microsoft-managed controls and customer-managed controls. The score reflects how well you've implemented recommended configurations.
The Microsoft Trust Center is a public website (microsoft.com/trust-center) that provides documentation about security, privacy, compliance, and transparency across Microsoft cloud services. It is the go-to resource for understanding Microsoft's commitments: not a tool you configure, but a reference you consult. On the exam, if a question asks "Where can you find information about Microsoft's compliance certifications and data handling practices?", the answer is the Trust Center. For scenario questions requiring actual compliance tracking and scoring, the answer is Compliance Manager.
The most common question type in the governance domain gives you a scenario and asks which tool to use. Use this mental model:
Memorize which tool is active enforcement (Policy, Locks, Blueprints) versus visibility and guidance (Purview, Compliance Manager, Trust Center).