Features and Tools on Azure Cloud for Governance and Compliance Implementation
Microsoft Purview
Microsoft Purview is a solution for data governance, risk management, and compliance. Its goal is to provide insights into data across on-premises, multi-cloud, and SaaS (such as Microsoft 365).
Key Features of Microsoft Purview
| Feature | Function |
|---|---|
| Data Discovery Automation | Automatically discover data sources |
| Sensitive Data Classification | Identify and label sensitive data |
| End-to-End Data Lineage | Track the origin and flow of data from start to finish (data lineage) |
Two Main Solution Areas of Microsoft Purview:
1. Risk & Compliance
Directly integrated with Microsoft 365 apps such as Teams, OneDrive, and Exchange.
Purpose:
- Protect sensitive data across cloud, apps, and devices
- Identify data risks and meet regulatory requirements
- Help organizations start their compliance journey
2. Unified Data Governance
Helps manage data in:
- Azure
- SQL, Hive
- Amazon S3
- On-premises
Benefits:
- Centrally map all data assets and keep them up-to-date
- Know where sensitive data is stored
- Provide secure and controlled access to data consumers
- Generate insights from data usage patterns
- Manage access rights at scale securely
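The three Purview features in the table above (discovery, classification, lineage) and the governance benefit "know where sensitive data is stored" can be illustrated with a small local catalog. The code below is an added example written for these notes, not Purview's own code: the classifiers, asset names and lineage edges are constructed, and real Purview ships hundreds of built-in classifications with far more sophisticated matching. It shows why classification uses a match threshold plus a validation step (here a Luhn check) to limit false positives, and how lineage lets you find downstream assets that inherit sensitive data even though they were never scanned.

```python
import re

# Constructed classifiers: label -> pattern a single column value must match.
CLASSIFIERS = {
    "Email Address": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "Credit Card Number": re.compile(r"^\d{13,19}$"),
}


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on 13-19 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_column(values, threshold=0.8):
    """Label a column when at least `threshold` of its non-empty values match."""
    sample = [v.strip() for v in values if v and v.strip()]
    labels = set()
    for label, pattern in CLASSIFIERS.items():
        hits = sum(1 for v in sample if pattern.match(v)
                   and (label != "Credit Card Number" or luhn_ok(v)))
        if sample and hits / len(sample) >= threshold:
            labels.add(label)
    return labels


def scan_catalog(assets):
    """Discovery + classification: asset -> {column: set of labels}."""
    return {asset: {col: classify_column(vals) for col, vals in cols.items()}
            for asset, cols in assets.items()}


def sensitive_assets(catalog, lineage):
    """Assets holding classified data, plus everything downstream of them via lineage."""
    direct = {a for a, cols in catalog.items() if any(cols.values())}
    reached, stack = set(direct), list(direct)
    while stack:
        for dst in lineage.get(stack.pop(), ()):
            if dst not in reached:
                reached.add(dst)
                stack.append(dst)
    return direct, reached


ASSETS = {  # constructed sample values for three discovered data sources
    "sql://crm/customers": {"email": ["ann@example.com", "bob@example.org", ""],
                            "card_number": ["4111111111111111", "5500000000000004"]},
    "sql://billing/orders": {"order_ref": ["1234567890123456", "1234567890123457"],
                             "qty": ["3", "7"]},
    "adls://lake/customers_clean": {"region": ["eu", "us"]},
}
LINEAGE = {  # constructed lineage: source -> assets produced from it
    "sql://crm/customers": ["adls://lake/customers_clean"],
    "adls://lake/customers_clean": ["powerbi://reports/churn"],
    "sql://billing/orders": ["adls://lake/orders_clean"],
}

if __name__ == "__main__":
    catalog = scan_catalog(ASSETS)
    print(catalog)
    print(sensitive_assets(catalog, LINEAGE))
```

Note that `order_ref` in the billing table is 16 digits but fails the Luhn check, so it is not labelled as a card number; and `powerbi://reports/churn` is reported as holding sensitive data purely because lineage shows it is fed from the classified CRM table.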
Azure Policy
Azure Policy is a service that enables users to:
- Create, assign, and manage policies
- Control resource configurations
- Ensure compliance with organizational standards
Purpose of Azure Policy
| Azure Policy Function | Description |
|---|---|
| Ensure configuration compliance of resources | Prevents or flags resources that do not comply with rules |
| Prevent creation of non-compliant resources | Example: prevent creation of certain VM sizes |
| Automatically remediate non-compliant configurations | Example: automatically add missing tags |
| Monitor & evaluate resources continuously | Includes resources created before the policy was applied |
| Integration with Azure DevOps | Apply policies in CI/CD pipelines |
How Azure Policy Works
Policies can be applied to:
- Resources
- Resource groups
- Subscriptions
- Management groups
Policies are inheritable: a policy assigned at the subscription level, for example, applies to all resource groups and resources beneath it.
What is an Azure Policy Initiative?
Initiative = A collection of policies with a common goal
Purpose: Simplifies management and compliance tracking at scale
Example: Enable Monitoring in Azure Security Center, which includes over 100 policies to monitor vulnerabilities, encryption, and server protection.
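To make the mechanics above concrete (scope inheritance, the `if` condition of a `policyRule`, the `deny` and `modify` effects from the table, and an initiative as a bundle of definitions), here is an added example written for these notes: a small local evaluator run against constructed resource documents. It is not Microsoft's code and models only a subset of Azure Policy's conditions and effects; the subscription id is a placeholder, the alias table is a simplification of Azure's alias resolution, and real `modify` definitions also carry `details.roleDefinitionIds`, which is omitted here.

```python
from copy import deepcopy

# Simplified alias table (constructed): Azure resolves a field alias such as
# "Microsoft.Compute/virtualMachines/sku.name" to a path inside the resource.
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}


def tag_key(field):
    """Extract the key from the tags['key'] field form."""
    return field[len("tags["):-1].strip("'\"")


def resolve_field(resource, field):
    """Return the value a policy `field` refers to, or None if it is absent."""
    if field.startswith("tags["):
        return resource.get("tags", {}).get(tag_key(field))
    node = resource
    for part in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(condition, resource):
    """Evaluate a logical (allOf/anyOf/not) or field condition against a resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def in_scope(scope, resource_id):
    """An assignment applies to its scope and everything beneath it (inheritance)."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def evaluate(assignment, resource):
    """Apply one assignment; returns (outcome, resource after any modify effect)."""
    resource = deepcopy(resource)
    if not in_scope(assignment["scope"], resource["id"]):
        return "notApplicable", resource
    rule = assignment["definition"]["policyRule"]
    if not matches(rule["if"], resource):
        return "compliant", resource
    then = rule["then"]
    effect = then["effect"].lower()
    if effect == "deny":        # request rejected at create/update time
        return "denied", resource
    if effect == "audit":       # allowed, but reported as non-compliant
        return "nonCompliant", resource
    if effect == "modify":      # remediation: tag operations applied to the resource
        tags = resource.setdefault("tags", {})
        for op in then["details"]["operations"]:
            key = tag_key(op["field"])
            if op["operation"] == "add" and key not in tags:
                tags[key] = op["value"]
            elif op["operation"] == "addOrReplace":
                tags[key] = op["value"]
            elif op["operation"] == "remove":
                tags.pop(key, None)
        return "remediated", resource
    raise ValueError(f"unsupported effect: {effect}")


def evaluate_initiative(initiative, resource):
    """Run every definition in an initiative under one scope; returns (report, resource)."""
    report = {}
    for definition in initiative["definitions"]:
        outcome, resource = evaluate({"scope": initiative["scope"], "definition": definition}, resource)
        report[definition["name"]] = outcome
    return report, resource


# Constructed definitions mirroring the two examples in the table above.
DENY_LARGE_VMS = {"name": "deny-large-vm-sizes", "policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name", "in": ["Standard_D64s_v3", "Standard_E64s_v3"]}]},
    "then": {"effect": "deny"}}}
ADD_COST_CENTER_TAG = {"name": "add-missing-costcenter-tag", "policyRule": {
    "if": {"field": "tags['costCenter']", "exists": "false"},
    "then": {"effect": "modify", "details": {"operations": [
        {"operation": "add", "field": "tags['costCenter']", "value": "unassigned"}]}}}}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
VM_ID = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web"
BIG_VM = {"id": VM_ID, "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
          "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v3"}}}
SMALL_VM = {"id": VM_ID, "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
            "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}}
INITIATIVE = {"scope": SUB, "definitions": [DENY_LARGE_VMS, ADD_COST_CENTER_TAG]}
```

Assigning the initiative at the subscription scope means both definitions reach `vm-web` inside `rg-app`; assigning the same definition at a different resource group gives `notApplicable` for that VM, which is the inheritance rule from the previous section in practice. The large VM is `denied`, while the small VM is `compliant` with the size rule and `remediated` by the tag rule, which adds `costCenter=unassigned` to a copy of the resource.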
Using Resource Locks
Resource Lock is used to prevent accidental deletion or modification of important Azure resources.
Even with Azure RBAC, users with high permissions such as Owner can delete resources. Resource Locks provide extra protection in such cases.
Types of Resource Locks
| Lock Type | Function |
|---|---|
| CanNotDelete | Users can read & modify, but cannot delete the resource |
| ReadOnly | Users can only read. Cannot modify or delete |
Where Can Resource Locks Be Applied?
- Individual Resource
- Resource Group
- Subscription
Locks are inheritable:
If a lock is applied at the resource group level, all resources within it are also locked.
How to Manage Resource Locks
You can manage locks through:
- Azure Portal (Settings menu on the resource)
- PowerShell
- Azure CLI
- ARM Template (Azure Resource Manager)
How to Modify Locked Resources?
- Remove the lock first
- Perform the desired action (delete/modify resource)
Even as an Owner of a resource or resource group, you must remove the lock before making changes.
Benefits:
- Protection against accidental deletion or modification
- Ensures stability of critical services
- Provides peace of mind when multiple teams access the cloud
- Can be used alongside Azure Policy and RBAC
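The lock rules above (two lock levels, inheritance from resource group to resource, and "remove the lock first" even for an Owner) are easy to get wrong when locks exist at several scopes at once, so here is an added example written for these notes, not Microsoft's code: a local model of how locks combine. The `LockStore` class, the scope ids and the lock names are constructed; the subscription id is a placeholder. Its `check` method assumes RBAC already permits the action, which is exactly the Owner case the notes describe.

```python
LEVELS = {"CanNotDelete": 1, "ReadOnly": 2}                      # restrictiveness order
BLOCKED = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "modify"}}


class LockStore:
    """Holds locks keyed by (scope, lock name), like the lock list shown in the portal."""

    def __init__(self):
        self.locks = {}

    def create(self, scope, name, level):
        if level not in LEVELS:
            raise ValueError(f"unknown lock level {level!r}")
        self.locks[(scope.lower(), name)] = level

    def delete(self, scope, name):
        self.locks.pop((scope.lower(), name), None)

    def effective_lock(self, resource_id):
        """Most restrictive lock set on the resource itself or any ancestor scope."""
        rid = resource_id.lower()
        applicable = [lvl for (scope, _), lvl in self.locks.items()
                      if rid == scope or rid.startswith(scope + "/")]
        return max(applicable, key=LEVELS.__getitem__, default=None)

    def check(self, action, resource_id):
        """Lock check only; RBAC is assumed to already permit the action (e.g. Owner)."""
        lock = self.effective_lock(resource_id)
        if lock and action in BLOCKED[lock]:
            return False, f"{action} blocked by {lock} lock; remove the lock first"
        return True, "allowed"


def delete_with_lock_workflow(store, resource_id, lock_scope, lock_name):
    """The documented procedure: attempt, remove the named lock, retry. Returns a step log."""
    steps = []
    allowed, reason = store.check("delete", resource_id)
    steps.append(("delete", allowed, reason))
    if not allowed:
        store.delete(lock_scope, lock_name)
        allowed, reason = store.check("delete", resource_id)
        steps.append(("delete after lock removal", allowed, reason))
    return steps


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-db"
OTHER_VM = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-test"


def build_demo_store():
    """Constructed scenario: CanNotDelete on the resource group, ReadOnly on one VM inside it."""
    store = LockStore()
    store.create(RG, "no-delete", "CanNotDelete")
    store.create(VM, "freeze", "ReadOnly")
    return store


def demo_workflow():
    """Removing only the VM's own lock is not enough while the inherited group lock remains."""
    store = build_demo_store()
    partial = delete_with_lock_workflow(store, VM, VM, "freeze")
    full = delete_with_lock_workflow(store, VM, RG, "no-delete")
    return partial, full


if __name__ == "__main__":
    store = build_demo_store()
    for action, target in [("modify", VM), ("delete", VM), ("modify", RG), ("delete", OTHER_VM)]:
        print(action, target.rsplit("/", 1)[-1], store.check(action, target))
    print(demo_workflow())
```

In real Azure the same scenario is created with `az lock create --name no-delete --lock-type CanNotDelete --resource-group rg-prod` and removed with `az lock delete`; the model reproduces two details worth remembering: the lock that is effective on `vm-db` is the most restrictive of all locks up the hierarchy, and after deleting the VM's own `ReadOnly` lock the delete still fails until the resource group's `CanNotDelete` lock is removed too. One practical caveat: a `ReadOnly` lock also blocks some operations that look like reads but are implemented as POST requests, such as listing storage account keys, so test the lock level against the workflows that depend on the resource.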
Using the Service Trust Portal
Service Trust Portal (STP) is Microsoft's official portal providing access to:
- Security & compliance documents
- Data privacy information
- Compliance tools & resources
- Evidence of Microsoft's controls and security standards
This portal helps organizations understand how Microsoft protects data and meets global compliance requirements.
Main Functions of the Service Trust Portal
| Function | Description |
|---|---|
| Compliance Document Access | Provides audit reports, certifications, and Microsoft controls (such as ISO, SOC, NIST). |
| Security Transparency | Explains how customer data is secured and managed in the Microsoft cloud. |
| My Library | You can save important documents and receive notifications when documents are updated. |
| Download Documents | All reports can be downloaded for 12 months or until a new version is released. |
| Privacy & NDA | Some documents are only accessible after logging in and accepting an NDA (Non-Disclosure Agreement). |
- Visit: https://servicetrust.microsoft.com
- Sign in with a Microsoft Entra account (formerly Azure AD)
- Helps security & compliance teams demonstrate that Microsoft Cloud meets international standards
- Builds greater trust with customers and internal auditors
- Facilitates faster and more accurate internal & external audits for organizations