Enforce security governance and regulatory compliance
Enforce security governance and regulatory compliance across Azure environments. Configure Azure Policy and resource locks to block noncompliant deployments. Then manage security standards and remediate recommendations in Defender for Cloud, evaluate regulatory compliance posture, govern RBAC role assignments at scale, protect backup data against ransomware and deletion, and embed security controls into Bicep pipelines before resources reach production.
Prerequisites
- Working knowledge of Azure administration at the AZ-104 level, including resource management, role assignments, and virtual network concepts
- Familiarity with Microsoft Defender for Cloud at a foundational level
- Understanding of Azure role-based access control (RBAC) including role assignments and scope hierarchy
- Basic experience navigating the Azure portal and Microsoft Entra admin center
Modules in this learning path
Enforce security standards before resources reach production using Azure Policy. Assign built-in policy definitions and initiatives at management group scope, author custom definitions with automated remediation tasks, and protect critical resources from deletion using Azure resource locks.
Configure Defender for Cloud security standards at management group scope and systematically deploy security controls to remediate recommendations. Manage custom security standards, assign recommendation ownership using governance rules, and remediate at scale using Fix, Azure Policy remediation tasks, and structured exemptions.
In this module, you use Microsoft Defender for Cloud to assess your organization's compliance posture against security frameworks. You explore the regulatory compliance dashboard, investigate control gaps, assign regulatory standards, and generate audit-ready reports that communicate compliance status to stakeholders.
Implement least-privilege access governance across Azure and Microsoft Entra ID. Assign built-in roles at the appropriate scope and create custom roles for Azure resources and Microsoft Entra directory operations. Then identify and remediate overprivileged access using Microsoft Entra access reviews and Defender for Cloud Security Posture Management (CSPM) identity insights.
Protect Azure Backup data against ransomware, accidental deletion, and rogue administrators. Configure enhanced soft delete, vault immutability, Multi-User Authorization with Resource Guard, and RBAC controls to achieve an Excellent security posture rating across Recovery Services vaults.
Embed security controls into infrastructure as code pipelines to prevent noncompliant Azure resources from reaching production. Integrate IaC security scanning using Microsoft Defender for DevOps and the Microsoft DevOps (MSDO) extension, and configure Azure Policy in a policy-as-code workflow to enforce security compliance at deployment time.