AZ-305 Governance solutions

Azure Recommendations for Governance Solutions

Below are the recommended Azure solutions for governance as aligned with the AZ-305 exam objectives.

Azure Governance Design Recommendations

1. Structure for Management Groups, Subscriptions, and Resource Groups

Management Groups

• Hierarchy Design:
  • Root Management Group: Apply organization-wide policies (e.g., regional restrictions, security baselines)¹².
  • Platform Management Group: Host shared services (networking, identity, logging)².
  • Landing Zones: Group subscriptions by workload type (e.g., Corp for hybrid resources, Online for internet-facing apps)².
  • Sandbox: Isolate experimental subscriptions with relaxed policies².
  • Decommissioned: Temporarily hold subscriptions before deletion².

Example Structure:

Root  
├── Platform  
│   ├── Connectivity  
│   └── Identity  
├── Landing Zones  
│   ├── Corp  
│   └── Online  
└── Sandbox  

Best Practices:

• Limit hierarchy depth to 3–4 levels².
• Assign Azure Policies at the highest applicable scope (e.g., enforce TLS 1.2 at the root)²³.

Subscriptions

• Segmentation Strategy:
  • By Environment: Separate production, development, and testing⁴⁵.
  • By Workload: Dedicate subscriptions to critical applications (e.g., ERP, CRM)⁴.
  • By Compliance: Isolate regulated workloads (e.g., PCI DSS, HIPAA)⁶².

Resource Groups

• Logical Grouping:
  • Group resources by application (e.g., App1-Frontend, App1-Database) or lifecycle (e.g., temporary analytics clusters)⁴⁵.
  • Use resource groups for RBAC delegation (e.g., grant Contributor to a team for a specific app)⁷⁵.

2. Resource Tagging Strategy

Key Tags:

Implementation:

• Automation: Enforce tags via Azure Policy (e.g., deny resource creation without Environment tag)¹¹⁸.
• Governance: Use Azure Policy’s Modify effect to append missing tags¹¹⁸.
• Cost Management: Export tagged data to Cost Management + Billing for granular reporting⁹.

3. Solution for Managing Compliance

Azure Policy + Initiatives

• Built-in Policies: Enforce standards (e.g., Allowed locations, Enforce HTTPS)¹¹¹⁰.
• Custom Initiatives: Bundle policies for regulations like GDPR or HIPAA¹¹³.
• Continuous Monitoring: Use Azure Monitor to alert on non-compliant resources⁶³.

Microsoft Purview Compliance Manager

• Prebuilt Templates: Accelerate compliance with 320+ templates (e.g., SOC 2, ISO 27001)¹²¹³.
• Risk Scoring: Prioritize gaps using AI-driven insights¹²¹³.

Azure Blueprints

• Environment Templates: Deploy preconfigured, compliant environments (e.g., PCI-compliant web apps)⁶³.
• Scheduled for deprecation on July 11, 2026. Microsoft recommends migrating existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts should be converted to ARM JSON templates or Bicep files for future deployments

4. Solution for Identity Governance

Microsoft Entra ID Governance

• Lifecycle Management:
  • Automate user provisioning/deprovisioning from HR systems (e.g., Workday)¹⁴¹⁵.
  • Use entitlement management to grant time-bound access to apps/resources¹⁴¹⁵.
• Access Reviews:
  • Schedule periodic reviews for user/guest access¹⁵¹⁶.
  • Integrate with Azure AD Privileged Identity Management (PIM) for just-in-time admin access¹⁵¹⁶.

Privileged Access

• Least Privilege: Assign Azure RBAC roles at the management group/subscription level⁷².
  • Example: Grant VM Contributor to DevOps teams instead of full subscription access⁷.
• Service Principals:
  • Use for CI/CD pipelines (e.g., Terraform deployments) with scoped RBAC roles¹⁷.
  • Rotate credentials via Managed Identities to avoid hardcoded secrets¹⁷.

Summary Table

By combining these strategies, organizations achieve a secure, compliant, and scalable Azure governance framework aligned with Microsoft best practices.

Summarised with Perplexity.