AZ-305 Learning Portal
Objective 1.3 · 40 min · high priority
Topics: management-groups, azure-policy, rbac, tagging, pim, governance, subscriptions

1.3 — Design Governance

Design enterprise-scale governance structures using management groups, Azure Policy, subscription strategies, resource tagging, and Privileged Identity Management to enforce compliance and operational standards.

Concept — What & Why

Governance Architecture

Management Groups

Governance containers above subscriptions in the Azure hierarchy. Policies and Azure RBAC assigned at a management group cascade to all nested subscriptions. Support up to 6 levels of nesting (excluding root). Used for policy enforcement, not billing.

Azure Policy

A declarative governance service that enforces, audits, or remediates resource configurations across Azure. Policy effects: Deny (block non-compliant), Audit (log without blocking), Modify (auto-append tags), DeployIfNotExists (create missing resources). Assign at management group for enterprise-wide enforcement.

Privileged Identity Management (PIM)

An Entra ID feature for just-in-time (JIT) access to elevated roles. Users are "Eligible" for a role and must request and receive approval to activate it. Activations expire automatically. Provides audit trails for all privilege escalations. Required for regulatory compliance.

Resource Tags

Key-value metadata attached to Azure resources for organization, cost allocation, and automation. Tags are metadata only — they do NOT enforce security or compliance. Security requires RBAC, encryption, and network controls. Enforce mandatory tags via Azure Policy with Modify effect.

Example hierarchy:

Root Management Group
├── Platform (shared infrastructure)
│   ├── Management (monitoring, automation)
│   ├── Identity (Entra ID, domain controllers)
│   └── Connectivity (ExpressRoute, hub VNets)
├── Landing Zones (application workloads)
│   ├── Production
│   ├── Non-Production
│   └── Sandbox
└── Decommissioned

Best Practice: Keep hierarchy to 3 levels maximum (excluding root). Deep nesting (>4 levels) increases policy debugging complexity without adding meaningful control.

Subscription as Management Boundary

Subscriptions provide:

  • Billing boundary: Costs roll up to subscription
  • Quota limits: Per-subscription limits (e.g., 250 storage accounts)
  • Policy boundary: Can have different policies than peers
  • Scale boundary: Separate subscriptions for production vs. non-production

Deep Dive — How It Works

Policy Effects Deep Dive

Effect            | Behavior                               | When to Use
------------------|----------------------------------------|-----------------------------------
Deny              | Blocks resource creation/modification  | Strict enforcement (after testing)
Audit             | Logs non-compliance, doesn't block     | Visibility without disruption
Modify            | Appends/changes tags or properties     | Auto-tag resources at creation
DeployIfNotExists | Creates missing resources              | Ensure monitoring agents installed
AuditIfNotExists  | Audits if dependent resource missing   | Detect missing security configs

Phased Enforcement Strategy:

  1. Audit — measure scope of non-compliance without disrupting workflows
  2. Deploy/Modify — automatically fix new resources as they're created
  3. Deny — block after existing resources are brought into compliance

Resource Tagging Strategy

Mandatory Tags (5–7 maximum)

Tag Key            | Example Values               | Purpose
-------------------|------------------------------|--------------------
Application        | ecommerce, payroll           | Application owner
Environment        | prod, dev, test              | Lifecycle filtering
Owner              | team-platform, user@corp.com | Responsibility
CostCenter         | FC-1001, ENG-042             | Chargeback
DataClassification | Confidential, Internal       | Compliance

Enforcement: Assign Azure Policy with Modify effect to auto-append a default tag value. Use Deny to block resources missing mandatory tags after baseline is established.
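To make the policy-effects table and the tag enforcement rule above concrete, here is a constructed Python model of how an assignment at a management group cascades to the subscriptions below it and how Deny, Audit and Modify treat a resource that is missing a mandatory tag. It is an added illustration for this page, not Azure's policy engine and not the learning portal's own code. It goes slightly beyond the text in one respect: the Modify rule can take the tag value from the resource group when one is present (the behaviour of the "inherit a tag from the resource group" built-in), falling back to a default value otherwise. The evaluation order (Modify before Deny before Audit) follows the order Azure documents; DeployIfNotExists and AuditIfNotExists are not modelled. All management-group names, subscription ids, tag keys and values are constructed.

```python
"""Constructed model of management-group policy inheritance and policy effects.

Added illustration for this page, not Azure's policy engine or the learning
portal's own code. It models three things the text describes:
  * assignments at a management group cascade to every subscription below it,
  * the Deny / Audit / Modify effects of a "require a tag" policy,
  * the evaluation order Azure documents for these effects: Modify runs
    before Deny, so a Modify that appends the tag satisfies a Deny that
    would otherwise block the request.
DeployIfNotExists/AuditIfNotExists are not modelled. All management-group
names, subscription ids, tag keys and values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Scope:
    """A management group or subscription node in the hierarchy."""
    name: str
    parent: Optional["Scope"] = None
    assignments: List["RequireTag"] = field(default_factory=list)

    def add_child(self, name: str) -> "Scope":
        return Scope(name, parent=self)

    def effective_assignments(self) -> List["RequireTag"]:
        """Assignments on this scope plus every ancestor: the cascade."""
        chain, scope = [], self
        while scope is not None:
            chain.extend(scope.assignments)
            scope = scope.parent
        return chain


@dataclass
class RequireTag:
    """'Require a tag on resources' with a selectable effect."""
    tag: str
    effect: str                      # "Deny", "Audit" or "Modify"
    default: Optional[str] = None    # Modify: value appended when tag missing
    inherit_from_rg: bool = False    # Modify: prefer the resource group's value


def evaluate(scope: Scope, resource: Dict,
             rg_tags: Optional[Dict[str, str]] = None) -> Tuple[bool, Dict, List[str]]:
    """Evaluate a resource create request at `scope`.

    Returns (allowed, resource as it would be stored, audit log lines).
    """
    tags = dict(resource.get("tags", {}))
    rg_tags = rg_tags or {}
    log: List[str] = []
    policies = scope.effective_assignments()

    # Phase 1: Modify mutates the request before compliance is judged.
    for p in policies:
        if p.effect != "Modify" or p.tag in tags:
            continue
        value = rg_tags.get(p.tag) if p.inherit_from_rg else None
        value = p.default if value is None else value
        if value is None:
            continue   # nothing to append; leave it for Deny/Audit to judge
        tags[p.tag] = value
        log.append(f"Modify: appended {p.tag}={value} at {scope.name}")

    # Phase 2: Deny blocks, Audit only records, both on the modified request.
    allowed = True
    for p in policies:
        if p.tag in tags:
            continue
        if p.effect == "Deny":
            allowed = False
            log.append(f"Deny: {resource['name']} missing tag {p.tag}")
        elif p.effect == "Audit":
            log.append(f"Audit: {resource['name']} non-compliant, missing {p.tag}")
    return allowed, {**resource, "tags": tags}, log


def build_demo_hierarchy() -> Dict[str, Scope]:
    """Root > Landing Zones > {Production, Sandbox} > one subscription each."""
    root = Scope("Root")
    landing = root.add_child("Landing Zones")
    production = landing.add_child("Production")
    sandbox = landing.add_child("Sandbox")
    # Phase 3 of the rollout: Environment is enforced for all landing zones.
    landing.assignments.append(RequireTag("Environment", "Deny"))
    # Phase 2 in Production: CostCenter is auto-appended, inheriting from the
    # resource group when it carries one, otherwise a constructed default.
    production.assignments.append(
        RequireTag("CostCenter", "Modify", default="UNASSIGNED", inherit_from_rg=True))
    # Phase 1 in Sandbox: only measure Owner compliance, block nothing.
    sandbox.assignments.append(RequireTag("Owner", "Audit"))
    return {"prod": production.add_child("sub-prod-001"),
            "sandbox": sandbox.add_child("sub-sandbox-001")}


if __name__ == "__main__":
    subs = build_demo_hierarchy()
    for sub, res, rg in [
        (subs["prod"], {"name": "vm-web", "tags": {"Environment": "prod"}}, {"CostCenter": "FC-1001"}),
        (subs["prod"], {"name": "vm-untagged", "tags": {}}, {}),
        (subs["sandbox"], {"name": "vm-lab", "tags": {"Environment": "dev"}}, {}),
    ]:
        ok, stored, log = evaluate(sub, res, rg)
        print(sub.name, res["name"], "ALLOWED" if ok else "DENIED", stored["tags"], log)
```

Running the script shows the three outcomes the phased strategy produces: the production VM whose resource group carries CostCenter is allowed with the inherited value; the untagged production VM gets CostCenter appended by Modify but is still denied by the Landing Zones Environment rule; the sandbox VM is allowed and merely logged as non-compliant for Owner. Note that the Environment Deny reaches the sandbox subscription even though it was assigned two levels up, which is the cascade the concept section describes.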

Access Reviews and PIM

Access Reviews: Periodic certifications of who has what access. Remove unused roles automatically. Generate audit reports for compliance. Typically run quarterly.

Subscription Design Patterns

Scenario                                     | Recommended Design
---------------------------------------------|------------------------------------------------------------------------
Small organization (fewer than 50 workloads) | 2–4 subscriptions (production, non-production, identity, connectivity)
Enterprise with compliance domains           | Separate subscriptions per compliance scope (HIPAA, PCI, General)
Multi-region data residency                  | Region-specific subscriptions under separate MGs
SaaS multi-tenant                            | Dedicated subscription per major tenant or tenant group

Hands-On Lab

Hands-On: Create Management Group Hierarchy and Assign Policy

Step 1: Create Management Group Hierarchy

  1. Open Azure portal > Management groups
  2. Click Create management group
  3. Enter ID (e.g., platform) and display name
  4. Make Root Management Group the parent
  5. Create child groups: management, identity, connectivity
  6. Create landing-zones group with children: production, non-production, sandbox

Step 2: Move Subscriptions to Management Groups

  1. Open Management groups > target management group
  2. Click Subscriptions tab
  3. Click Add existing subscription and search for subscription name
  4. Click Save — subscription inherits parent's policies

Step 3: Create and Assign Azure Policy

  1. Open Azure portal > Policy > Definitions
  2. Search for Require a tag on resources
  3. Click Assign and select scope (management group recommended)
  4. Set parameters: Required tag names (e.g., Environment, Owner)
  5. Choose effect: Audit first, then Deny after validating impact
  6. Submit; existing non-compliant resources appear in Compliance view

Step 4: Configure Privileged Identity Management

  1. Open Entra ID > Privileged Identity Management > Azure resources
  2. Click Discover resources to onboard subscriptions
  3. Click subscription > select a role (e.g., Owner)
  4. Change from Permanent to Eligible
  5. Set Maximum activation duration (e.g., 8 hours)
  6. Require Approval and set approvers
  7. Users must now request activation before using the elevated role
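The PIM concept card and Step 4 above describe eligibility, approval, activation duration and audit trail in words. The following constructed Python model is an added illustration of those mechanics, not Microsoft's PIM implementation and not the learning portal's own code: it contrasts a permanent role assignment (plain RBAC) with an eligible one that grants nothing until activated, requires an approver, and expires after the configured maximum duration. Users, roles, timestamps and the justification text are constructed.

```python
"""Constructed model of a PIM eligible assignment with JIT activation.

Added illustration for this page, not Microsoft's PIM implementation or the
learning portal's own code. It models what Step 4 configures for a role:
  * Permanent assignments are always active (plain RBAC);
  * Eligible assignments grant nothing until activated;
  * activation needs an approver when the role setting requires approval;
  * an activation expires after the maximum activation duration;
  * every assignment, request, approval and expiry lands in an audit trail.
Users, roles, timestamps and the justification text are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RoleSetting:
    role: str
    max_activation: timedelta
    require_approval: bool


@dataclass
class Activation:
    user: str
    role: str
    requested_at: datetime
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None    # set only once activated


class PimScope:
    """PIM state for one Azure resource scope (e.g. a subscription)."""

    def __init__(self, settings: List[RoleSetting]) -> None:
        self.settings = {s.role: s for s in settings}
        self.permanent: Set[Tuple[str, str]] = set()
        self.eligible: Set[Tuple[str, str]] = set()
        self.pending: Dict[Tuple[str, str], Activation] = {}
        self.active: Dict[Tuple[str, str], Activation] = {}
        self.audit: List[str] = []

    def assign(self, user: str, role: str, kind: str) -> None:
        """kind is 'Permanent' (classic RBAC) or 'Eligible' (PIM)."""
        (self.permanent if kind == "Permanent" else self.eligible).add((user, role))
        self.audit.append(f"assign {kind} {role} -> {user}")

    def request_activation(self, user: str, role: str, now: datetime,
                           justification: str) -> bool:
        key = (user, role)
        if key not in self.eligible:
            self.audit.append(f"reject {role} for {user}: not eligible")
            return False
        act = Activation(user, role, requested_at=now)
        self.audit.append(f"request {role} by {user}: {justification}")
        if self.settings[role].require_approval:
            self.pending[key] = act        # nothing granted until approved
        else:
            self._activate(act, now, approver=None)
        return True

    def approve(self, approver: str, user: str, role: str, now: datetime) -> bool:
        act = self.pending.pop((user, role), None)
        if act is None:
            return False
        self._activate(act, now, approver)
        return True

    def _activate(self, act: Activation, now: datetime, approver: Optional[str]) -> None:
        act.approved_by = approver
        act.expires_at = now + self.settings[act.role].max_activation
        self.active[(act.user, act.role)] = act
        self.audit.append(f"activate {act.role} for {act.user} until "
                          f"{act.expires_at.isoformat()} (approver: {approver})")

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """What an authorization check sees: permanent, or an unexpired activation."""
        if (user, role) in self.permanent:
            return True
        act = self.active.get((user, role))
        if act is None:
            return False
        if now >= act.expires_at:
            del self.active[(user, role)]
            self.audit.append(f"expire {role} for {user}")
            return False
        return True


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Walk one eligible user through request, approval, use and expiry."""
    t0 = datetime(2024, 1, 1, 9, 0)
    pim = PimScope([RoleSetting("Owner", timedelta(hours=8), require_approval=True)])
    pim.assign("alice", "Owner", "Eligible")
    pim.assign("ops-admin", "Owner", "Permanent")
    seen = {"before_request": pim.has_role("alice", "Owner", t0)}
    pim.request_activation("alice", "Owner", t0, "CHG-0001 (constructed ticket id)")
    seen["pending"] = pim.has_role("alice", "Owner", t0)
    pim.approve("bob", "alice", "Owner", t0 + timedelta(minutes=5))
    seen["active"] = pim.has_role("alice", "Owner", t0 + timedelta(hours=1))
    seen["expired"] = pim.has_role("alice", "Owner", t0 + timedelta(hours=9))
    seen["permanent"] = pim.has_role("ops-admin", "Owner", t0 + timedelta(days=30))
    return seen, pim.audit


if __name__ == "__main__":
    results, trail = demo()
    print(results)
    print("\n".join(trail))
```

The `demo()` walk-through is the exam tip in code: alice holds Owner only between approval and the 8-hour expiry, while ops-admin's permanent assignment is still active a month later. The audit list is what an access review or compliance report would read; in a real tenant the equivalent records are the PIM audit history and Entra sign-in and audit logs.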

Step 5: Apply Tags at Scale

  1. Open Azure portal > Policy > Definitions
  2. Search for Inherit a tag from the resource group if missing
  3. Assign with Modify effect at subscription or management group scope
  4. Resources created without the tag automatically inherit it from their resource group

Exam Angle — What AZ-305 Tests

AZ-305 Exam Focus

AZ-305 governance questions test your ability to design enterprise-scale hierarchy and select the right policy effect for a given compliance scenario. The exam frequently tests understanding of what management groups do vs. subscriptions, and the difference between policy effects.

Exam Trap

Management Groups Are Not Subscriptions: Management groups are policy and RBAC containers — they cannot contain resources directly and are not billing boundaries. Subscriptions are the billing and resource containers. Management groups organize subscriptions and cascade governance.

Exam Trap

Tags Are Not Security Controls: Tagging a resource "Confidential" does not restrict access to it. Tags are metadata for organization, cost allocation, and automation. Security requires RBAC for access control, network rules for isolation, and encryption for data protection.

Exam Trap

Don't Start with Deny Effect: Immediately using Deny policy effect blocks workflows for existing non-compliant resources. The correct phased approach is Audit → Modify → Deny, giving teams time to remediate before enforcement.

Exam Trap

Deep Management Group Hierarchy: More than 4 levels of nesting creates policy inheritance debugging challenges. Azure best practices recommend 3 levels maximum. Use policies to differentiate governance rather than hierarchy depth.

Exam Tip

PIM for Time-Limited Access: When a scenario mentions temporary access, contractor access, or access that must expire automatically — the answer is PIM with an eligible role assignment and activation duration. Regular RBAC assignments are permanent; PIM adds time-limited and approval-gated access.

Must Memorize

Policy Effect Selection: Deny = strict enforcement; Audit = visibility without disruption; Modify = auto-append tags; DeployIfNotExists = ensure companion resources (monitoring agents, locks) exist. The exam will give scenarios where you must select the correct effect.

Review Questions

Q: What is the difference between a management group and a subscription in Azure governance?

Q: What Azure Policy effect should you use to automatically append a required tag to resources at creation time?

Q: What does Privileged Identity Management (PIM) provide that standard RBAC does not?

Q: A policy assigned at a management group uses the Deny effect. A developer in a child subscription tries to create a VM without required tags. What happens?

Q: An organization has HIPAA workloads in East US and GDPR workloads in West Europe. How should management groups be structured?

Q: What is the maximum recommended depth for a management group hierarchy?

Sources & Further Reading