Introduction
As part of my journey to becoming an Azure Administrator, I recently completed Lab 02b - Manage Governance via Azure Policy from the AZ-104 certification series. This lab focused on implementing Azure Policy to enforce governance, apply resource tagging, and configure resource locks for better resource management and compliance in Azure.
Below, I document my learnings, key takeaways, and insights from this lab.
Lab Overview
This lab provided hands-on experience in managing governance policies in Azure. The scenario focused on improving resource management by ensuring that all resources are tagged correctly, enforcing policies to prevent non-compliant resource creation, and applying resource locks to prevent accidental deletions or modifications.
Skills Practiced:
✅ Creating and assigning tags via the Azure portal
✅ Enforcing tagging requirements via Azure Policy
✅ Applying tag inheritance to existing resources
✅ Configuring and testing resource locks
Task 1: Assigning Tags via the Azure Portal
Tags are key-value pairs assigned to Azure resources to help with categorization, cost management, and reporting.
Steps Taken:
1️⃣ Signed into the Azure Portal
2️⃣ Navigated to Resource Groups
3️⃣ Created a new Resource Group with the following settings:
Resource Group Name: az104-rg2
Location: East US
4️⃣ Assigned a tag to the Resource Group:
Name: Cost Center
Value: 000
5️⃣ Verified that the tag was successfully applied.
📌 Insight:
Tags help track ownership, costs, and resource classification.
The Microsoft Azure Well-Architected Framework recommends using tags for governance.
Best practice: Use consistent naming conventions for tags across all resources.
Task 2: Enforcing Tagging via an Azure Policy
Azure Policy allows organizations to enforce governance standards by ensuring that all resources comply with predefined rules.
Steps Taken:
1️⃣ Navigated to Azure Policy in the portal.
2️⃣ Selected Definitions and browsed built-in policy definitions.
3️⃣ Assigned the "Require a tag and its value on resources" policy to az104-rg2.
4️⃣ Configured the policy settings:
Assignment Name: Require Cost Center tag with Default value
Policy Enforcement: Enabled
Tag Name: Cost Center
Tag Value: 000
5️⃣ Verified that the policy prevented new resources from being created without the required tag.
📌 Insight:
Azure Policy enforces standards without manual intervention.
Policies can be applied at different scopes (Management Group, Subscription, Resource Group).
Non-compliant resources can be identified and remediated automatically.
Task 3: Applying Tagging via an Azure Policy
In this task, we remediated non-compliant resources by inheriting tags from the Resource Group.
Steps Taken:
1️⃣ Deleted the previous policy assignment for requiring a tag.
2️⃣ Assigned the "Inherit a tag from the resource group if missing" policy to az104-rg2.
3️⃣ Configured the policy settings:
Assignment Name: Inherit the Cost Center tag from the Resource Group
Tag Name: Cost Center
Policy Enforcement: Enabled
Created a remediation task to update existing resources.
4️⃣ Created a new Storage Account in the Resource Group without adding the tag manually.
5️⃣ Verified that the tag was automatically applied to the new Storage Account.
📌 Insight:
Tag inheritance policies ensure all resources comply without manual intervention.
Remediation tasks help bring existing resources into compliance.
Best practice: Implement tag inheritance to maintain consistency without user dependency.
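To make the difference between Task 2 and Task 3 concrete, here is a small model of how the two built-in policies evaluate a request. This is an added example written for this post, not Azure's own code: it mirrors the logic of the real rules ("Require a tag and its value" denies when tags[tagName] is not equal to tagValue; "Inherit a tag from the resource group if missing" adds the tag when it is absent and the resource group has a non-empty value) and Azure's effect ordering (modify effects are applied before deny is decided), but it does not parse ARM template expressions. The storage account names are constructed.

```python
"""Simplified model of the two built-in tag policies used in Tasks 2 and 3.

Constructed example: mirrors the rule logic and the modify-before-deny effect
order, but is not the Azure Policy engine.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class ResourceGroup:
    name: str
    tags: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    resource_type: str
    tags: dict = field(default_factory=dict)


def require_tag_and_value(tag_name, tag_value):
    """'Require a tag and its value on resources':
    if NOT (tags[tagName] equals tagValue) then effect = deny."""
    def rule(resource, rg):
        if resource.tags.get(tag_name) != tag_value:
            return {"effect": "deny",
                    "reason": f"tag '{tag_name}' must be present with value '{tag_value}'"}
        return {"effect": "compliant"}
    return rule


def inherit_tag_from_rg(tag_name):
    """'Inherit a tag from the resource group if missing':
    if tags[tagName] does not exist AND resourceGroup().tags[tagName] != ""
    then effect = modify (add tags[tagName] = resourceGroup().tags[tagName])."""
    def rule(resource, rg):
        rg_value = rg.tags.get(tag_name, "")
        if tag_name not in resource.tags and rg_value != "":
            return {"effect": "modify", "tag_name": tag_name, "value": rg_value}
        return {"effect": "compliant"}
    return rule


def evaluate_request(resource, rg, assignments):
    """Evaluate a create/update request against the assignments in scope.

    Returns (allowed, payload_as_stored, decisions). Modify effects alter the
    request first; deny is then decided on the modified payload, which is why
    an inherit assignment can satisfy a require assignment.
    """
    payload = deepcopy(resource)
    decisions = []
    for name, rule in assignments:            # pass 1: modify
        d = rule(payload, rg)
        if d["effect"] == "modify":
            payload.tags[d["tag_name"]] = d["value"]
            decisions.append((name, "modify"))
    for name, rule in assignments:            # pass 2: deny
        d = rule(payload, rg)
        if d["effect"] == "deny":
            decisions.append((name, "deny: " + d["reason"]))
            return False, resource, decisions
    return True, payload, decisions


def remediate(existing, rg, rule):
    """Model of a remediation task: policy alone only evaluates new requests, so
    a modify rule is applied to resources that already exist. Returns the names
    of the resources that were changed."""
    changed = []
    for r in existing:
        d = rule(r, rg)
        if d["effect"] == "modify":
            r.tags[d["tag_name"]] = d["value"]
            changed.append(r.name)
    return changed


def demo():
    rg = ResourceGroup("az104-rg2", tags={"Cost Center": "000"})          # Task 1
    untagged = Resource("az104sa01", "Microsoft.Storage/storageAccounts")  # constructed

    # Task 2: only the deny policy is assigned, so an untagged create is blocked.
    deny_only = [("Require Cost Center tag with Default value",
                  require_tag_and_value("Cost Center", "000"))]
    allowed_t2, _, why_t2 = evaluate_request(untagged, rg, deny_only)

    # Task 3: deny assignment removed, inherit policy assigned, so the tag is added.
    inherit_only = [("Inherit the Cost Center tag from the Resource Group",
                     inherit_tag_from_rg("Cost Center"))]
    allowed_t3, stored_t3, _ = evaluate_request(untagged, rg, inherit_only)

    # Remediation task for a resource that existed before the assignment.
    legacy = [Resource("az104sa00", "Microsoft.Storage/storageAccounts")]  # constructed
    fixed = remediate(legacy, rg, inherit_only[0][1])

    # Both assignments at once: modify runs before deny, so the create succeeds.
    allowed_both, stored_both, _ = evaluate_request(untagged, rg, inherit_only + deny_only)
    return {"task2_allowed": allowed_t2, "task2_reason": why_t2[0][1],
            "task3_allowed": allowed_t3, "task3_tags": stored_t3.tags,
            "remediated": fixed, "legacy_tags": legacy[0].tags,
            "both_allowed": allowed_both, "both_tags": stored_both.tags}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the inherit policy only adds a missing tag; a resource carrying the tag with the wrong value is left alone by it and still denied by the require policy, so the two assignments complement rather than replace each other.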
Task 4: Configuring and Testing Resource Locks
Resource Locks prevent accidental deletion or modification of critical resources.
Steps Taken:
1️⃣ Navigated to az104-rg2 in the Azure portal.
2️⃣ Opened Settings > Locks and created a new lock:
Lock Name: rg-lock
Lock Type: Delete
3️⃣ Attempted to delete the Resource Group, but received a "deletion failed" notification because of the lock.
4️⃣ Removed the lock and successfully deleted the Resource Group.
📌 Insight:
Lock Types:
Read-only: Prevents modifications but allows deletions.
Delete: Prevents deletions but allows modifications.
Locks override RBAC permissions, meaning even Owners cannot delete locked resources.
Best practice: Use Delete Locks on critical resources like production VMs and databases.
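The interplay between locks and RBAC in Task 4 is easier to reason about with a small model. This is an added example written for this post, not Azure's code. It encodes Azure's documented lock semantics: CanNotDelete (shown as "Delete" in the portal) blocks deletion but allows updates, ReadOnly blocks both updates and deletion, and a lock applies to its own scope and every child scope. The RBAC part is a deliberate simplification to three built-in roles and the few actions involved; the subscription id and storage account name are constructed.

```python
"""Model of how resource locks interact with RBAC, as exercised in Task 4.

Constructed example: Azure's lock semantics, a simplified RBAC model, and
constructed names. Not Azure code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"          # constructed
RG = f"{SUB}/resourceGroups/az104-rg2"
SA = f"{RG}/providers/Microsoft.Storage/storageAccounts/az104sa01"   # constructed

# Simplified RBAC: (Actions, NotActions) of the built-in roles that matter here.
# Contributor's NotActions exclude the Authorization provider, so it cannot
# create or remove locks; Owner can.
ROLES = {
    "Owner":       ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"}),
    "Reader":      ({"*/read"}, set()),
}


@dataclass
class Lock:
    name: str
    level: str      # "CanNotDelete" or "ReadOnly"
    scope: str


def rbac_allows(role, action):
    """Allowed when an Action pattern matches and no NotAction pattern matches.
    Action names are case-insensitive, so compare in lower case."""
    actions, not_actions = ROLES[role]
    a = action.lower()
    if not any(fnmatchcase(a, p.lower()) for p in actions):
        return False
    return not any(fnmatchcase(a, p.lower()) for p in not_actions)


def lock_blocks(level, operation):
    """Read is never blocked; delete is blocked by both levels;
    update is blocked only by ReadOnly."""
    if operation == "delete":
        return level in ("CanNotDelete", "ReadOnly")
    if operation == "update":
        return level == "ReadOnly"
    return False


def effective_locks(locks, scope):
    """Locks set on the scope itself plus those inherited from a parent scope."""
    return [l for l in locks if scope == l.scope or scope.startswith(l.scope + "/")]


def attempt(role, operation, scope, action, locks):
    """Authorize one control-plane request: RBAC first, then locks.
    Returns (allowed, reason)."""
    if not rbac_allows(role, action):
        return False, f"RBAC: {role} lacks {action}"
    blocking = [l.name for l in effective_locks(locks, scope)
                if lock_blocks(l.level, operation)]
    if blocking:
        return False, f"lock: {operation} blocked by {', '.join(blocking)}"
    return True, "allowed"


def remove_lock(role, lock, locks):
    """Removing a lock is an RBAC-gated write to Microsoft.Authorization. A lock
    does not protect itself, so the lock list passed to attempt() is empty."""
    ok, reason = attempt(role, "delete", lock.scope,
                         "Microsoft.Authorization/locks/delete", [])
    if ok:
        locks.remove(lock)
    return ok, reason


def demo():
    locks = [Lock("rg-lock", "CanNotDelete", RG)]                 # Task 4 step 2
    rg_delete = ("delete", RG, "Microsoft.Resources/subscriptions/resourceGroups/delete")
    sa_delete = ("delete", SA, "Microsoft.Storage/storageAccounts/delete")
    sa_update = ("update", SA, "Microsoft.Storage/storageAccounts/write")
    r = {}
    # Step 3: even an Owner cannot delete the locked resource group.
    r["owner_delete_rg"] = attempt("Owner", *rg_delete, locks)
    # The lock is inherited by the storage account inside the group.
    r["owner_delete_sa"] = attempt("Owner", *sa_delete, locks)
    # CanNotDelete still allows modification.
    r["contrib_update_sa"] = attempt("Contributor", *sa_update, locks)
    # Contributor cannot remove the lock; Reader is stopped by RBAC before locks.
    r["contrib_remove_lock"] = remove_lock("Contributor", locks[0], locks)
    r["reader_delete_sa"] = attempt("Reader", *sa_delete, locks)
    # Step 4: Owner removes the lock, then the delete succeeds.
    r["owner_remove_lock"] = remove_lock("Owner", locks[0], locks)
    r["owner_delete_rg_after"] = attempt("Owner", *rg_delete, locks)
    # ReadOnly for contrast: it blocks the update that CanNotDelete allowed.
    r["contrib_update_sa_readonly"] = attempt(
        "Contributor", *sa_update, [Lock("rg-readonly", "ReadOnly", RG)])
    return r


if __name__ == "__main__":
    for key, (allowed, reason) in demo().items():
        print(f"{key}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The model makes the point behind "locks override RBAC" precise: the lock is checked after the role check, so an Owner's delete is refused, but because removing the lock is itself just an Authorization write that Owner holds and Contributor does not, the lock is a guard against accidents rather than a substitute for least-privilege role assignments.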
Key Learnings
1️⃣ Understanding Azure Tags
Tags are metadata used for categorization, billing, and governance.
Tagging best practices include standardized naming conventions.
2️⃣ Enforcing Policies with Azure Policy
Azure Policy ensures consistent governance across all resources.
Built-in policies make enforcement easier without manual checks.
3️⃣ Applying Tag Inheritance for Compliance
Tag inheritance policies ensure new resources automatically receive required tags.
Remediation tasks help bring existing resources into compliance.
4️⃣ Protecting Resources with Locks
Resource Locks prevent accidental deletions or modifications.
Locks override RBAC permissions, ensuring additional security.
📌 Additional Fact:
Azure Policy is a pre-deployment security measure, while RBAC & Resource Locks are post-deployment security controls.
🔗 Pop Quiz: Validate Your Learning!
Test yourself with these Yes or No questions to reinforce your understanding of Azure Governance and Policy!
📝 Take the quiz here: 👉 https://1suleyman.github.io/az-104-lab-2b-quiz/
Conclusion
Completing this lab reinforced my understanding of Azure Policy and Governance. Learning how to enforce tagging, remediate non-compliant resources, and apply resource locks ensures better security and compliance in Azure environments.
🚀 Stay tuned for my next blog post on: Lab 03 - Manage Azure resources by using Azure Resource Manager Templates!
🔗 Follow my journey as I continue mastering Azure Administration! 🚀