
Part 1: Governance Fundamentals

Source: John Savill's Azure Master Class v3 - Part 3: Governance
Video Timestamps: 0:00 - 12:50
AZ-104 Relevance: Understanding governance is foundational - not heavily tested directly, but understanding WHY we have policies, RBAC, and budgets makes everything else click.


Table of Contents

  1. Why Governance Matters
  2. The On-Premises Model
  3. The Cloud Model - Direct Access Problem
  4. Guard Rails Concept
  5. Understanding Your Requirements
  6. Microsoft Trust Center & Service Trust Portal
  7. Purview Compliance Manager
  8. Mitigating Risk
  9. Mental Model & Key Takeaways
  10. Practical Exercises

Why Governance Matters

Governance in the cloud is absolutely critical.

This isn't just a nice-to-have - it's the difference between a well-managed environment and chaos. But why is cloud different from on-premises?

The answer lies in who stands between the request and the resource.


The On-Premises Model

In traditional on-premises environments, there's a human gatekeeper:

How It Works:

  1. App Owner needs something (VM, container, database)
  2. They submit a request - could be:
    • A nice form/ticketing system
    • An email
    • Old school: pick up the phone or knock on a door
  3. Operations Team receives the request
  4. They consult organizational guidelines:
    • Company policies
    • Regulatory requirements (industry/country)
    • Security standards
  5. They may modify the request to comply
  6. They provision the resource correctly

The Key Point:

The operations person is the enforcement point. They stand between the app owner and the resource, ensuring things are done the RIGHT way.


The Cloud Model - Direct Access Problem

Now everything changes:

What Changed:

| Aspect | On-Premises | Cloud |
|---|---|---|
| Access | Indirect (through Ops) | Direct |
| Enforcement | Human gatekeeper | None by default! |
| Speed | Slow (tickets, approvals) | Instant |
| Knowledge Required | Ops team knows rules | App owner may NOT know rules |

The Problem:

  • App owners have direct access to create resources
  • No human in between to enforce rules
  • They can use:
    • Azure Portal (GUI)
    • Azure CLI / PowerShell
    • Infrastructure as Code (Terraform, Bicep, ARM)
    • CI/CD Pipelines

Every app owner is NOT going to know all the particular requirements:

  • Company policies
  • Regulatory requirements (HIPAA, GDPR, PCI-DSS)
  • Industry standards
  • Country-specific rules

Guard Rails Concept

This is where governance comes in - we need automated guard rails:

What Governance Controls:

| Control Type | What It Governs | Example |
|---|---|---|
| Amount | How much they create | Budget limits, resource quotas |
| Types | What types of resources | "No public IPs allowed" |
| Configurations | How resources are configured | "Storage must use encryption" |
| Locations | Where resources can be created | "Only West Europe and East US" |

Critical Point:

Governance needs to protect NO MATTER HOW the app owner interacts with the cloud.
Portal, CLI, IaC, Pipeline - it doesn't matter. The governance layer catches everything.
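As an added illustration (not from the course or these notes), here are the three example controls from the table above expressed as one custom Azure Policy definition with a deny effect, assigned at subscription scope. The resource names, display text and region list are assumptions; the aliases, fields and effect are standard Azure Policy syntax, and "Storage must use encryption" is interpreted here as requiring HTTPS-only transfer. In practice each control would normally be its own definition grouped into an initiative.

```bicep
// Added example (not from the course or the original notes): the Types, Locations and
// Configurations guard rails as a single custom policy definition plus its assignment.
// Names, display strings and the region list are assumed values.
targetScope = 'subscription'

resource guardRails 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'guard-rails-example'             // hypothetical name
  properties: {
    displayName: 'Deny public IPs, disallowed regions and unencrypted storage transfer'
    policyType: 'Custom'
    mode: 'Indexed'                       // evaluate resources that support location/tags
    policyRule: {
      if: {
        anyOf: [
          // Types: "No public IPs allowed"
          { field: 'type', equals: 'Microsoft.Network/publicIPAddresses' }
          // Locations: "Only West Europe and East US" ('global' covers region-less resources)
          {
            allOf: [
              { field: 'location', notIn: [ 'westeurope', 'eastus' ] }
              { field: 'location', notEquals: 'global' }
            ]
          }
          // Configurations: "Storage must use encryption" (HTTPS-only transfer missing or off)
          {
            allOf: [
              { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
              {
                anyOf: [
                  { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', exists: 'false' }
                  { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', equals: 'false' }
                ]
              }
            ]
          }
        ]
      }
      // deny is applied by Azure Resource Manager, so it catches portal, CLI,
      // PowerShell, Bicep/Terraform/ARM and pipeline requests alike
      then: { effect: 'deny' }
    }
  }
}

resource guardRailsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'guard-rails-assignment'          // hypothetical name
  properties: {
    displayName: 'Guard rails for this subscription'
    policyDefinitionId: guardRails.id
    enforcementMode: 'Default'            // 'DoNotEnforce' logs non-compliance without blocking
  }
}
```

Deploy it at subscription scope with `az deployment sub create --location westeurope --template-file guardrails.bicep`; switching `enforcementMode` to `DoNotEnforce` first lets you see what would be blocked before turning the guard rail on.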

Real-World Dangers Without Governance:

  • Public-facing resources created by people who don't understand the implications
  • Data exposure - S3 bucket / Storage Account made public accidentally
  • Attack surface - Open ports, no encryption, weak configurations
  • Cost explosion - Spinning up expensive resources without limits
  • Compliance violations - Breaking regulations = fines + reputation damage

Understanding Your Requirements

First step: BEFORE designing any governance solution, understand what you're trying to meet.

Types of Standards: (figure from the original notes not reproduced in this text version)

Shared Responsibility Model (Quick Recap):

| Service Model | Microsoft Responsible | You Responsible |
|---|---|---|
| IaaS (VMs) | Physical, Network, Hypervisor | OS, Apps, Data, Identity |
| PaaS (App Service) | Above + OS, Runtime | Apps, Data, Identity |
| SaaS (M365) | Almost everything | Data, Identity, Access |

The more you move towards SaaS, the less YOU are responsible for - but you still have responsibilities!


Microsoft Trust Center & Service Trust Portal

Microsoft holds a massive number of compliance certifications. You don't need to verify everything yourself - you leverage their attestations.

Trust Center (trust.microsoft.com)

The Trust Center is your starting point for understanding Microsoft's compliance posture:

What You Can Find:

| Section | What It Contains |
|---|---|
| Compliance Offerings | List of ALL standards Microsoft meets (HIPAA, SOC, ISO, FedRAMP, etc.) |
| Audit Reports | Actual attestation reports from auditors |
| Regional Compliance | Country-specific requirements |
| Service-Specific | Filter by Azure, M365, Dynamics |

Service Trust Portal (servicetrust.microsoft.com)

Go deeper - get the actual audit reports and attestations:

  • SOC 1, SOC 2, SOC 3 reports
  • ISO 27001, 27017, 27018 certificates
  • FedRAMP packages
  • PCI-DSS attestations
  • Penetration test reports

AZ-104 Tip: You don't need to memorize all certifications, but know that:

  1. Microsoft maintains extensive compliance
  2. Trust Center and Service Trust Portal are where you find proof
  3. This is part of the shared responsibility - Microsoft handles platform compliance, you handle your configuration

Purview Compliance Manager

Now we get to tracking YOUR compliance - not Microsoft's.

What Is It?

Microsoft Purview Compliance Manager (formerly Compliance Manager in the M365 Compliance Center) helps you:

  • Track your compliance posture
  • See what YOU need to do vs what Microsoft does
  • Get actionable improvement steps
  • Assign owners to tasks

Requirements:

  • Microsoft 365 / Office 365 license
  • Special assessments for USG/DOD clouds

The Compliance Score:

The score shows:

  • Points Microsoft earned - Things they've implemented
  • Points YOU need to earn - Things you need to implement
  • Key Improvement Actions - Prioritized list of what to fix

Assessments:

You can add assessments for different frameworks:

  • Data Protection Baseline (default)
  • GDPR
  • HIPAA
  • ISO 27001
  • NIST 800-53
  • And many more...

For Each Control:

| Field | Purpose |
|---|---|
| Owner | Assign someone responsible |
| Implementation Status | Not started, In progress, Implemented, Alternative, Out of scope |
| Test Status | Not tested, Passed, Failed |
| Test Date | When it was verified |
| Notes | Additional context |

Visual Overview: (screenshot from the original notes not reproduced in this text version)

Pro Tip: Purview Compliance Manager is FANTASTIC for organizations that need to prove compliance to auditors. It's your single pane of glass for compliance tracking.


Mitigating Risk

All governance ultimately comes down to mitigating risk.

Types of Risk Governance Addresses: (figure from the original notes not reproduced in this text version)

The Honest Truth:

John Savill mentions "risk of being fired if you do a bad job of implementing these things" - and he's not wrong! Poor governance leads to:

  • Security breaches that make the news
  • Compliance failures that result in fines
  • Cost overruns that blow budgets
  • Outages that impact business

Mental Model & Key Takeaways

🧠 The Mental Model: "The Bouncer"

Think of governance like a bouncer at a club:

On-Premises: Human bouncer (Ops team) checks everyone at the door
Cloud: No bouncer by default - anyone with a key walks in
Cloud + Governance: Automated bouncer (Policy, RBAC, Budget) checks EVERYONE

The bouncer doesn't care HOW you try to get in (portal, CLI, IaC) - they check your credentials and whether you're following the rules.

🎯 AZ-104 Key Points:

| Topic | Remember |
|---|---|
| Why Governance | Cloud = direct access, need automated controls |
| Guard Rails | Policy (what), RBAC (who), Budget (how much) |
| Shared Responsibility | Microsoft handles platform, you handle configuration |
| Trust Center | Where to find Microsoft's compliance proof |
| Purview Compliance Manager | Where to track YOUR compliance |
| Risk | Governance = risk mitigation |

📝 Quick Recall:

  1. On-prem: Human gatekeeper enforces rules
  2. Cloud: Direct access = need automated governance
  3. Three pillars: Policy, RBAC, Budgets
  4. Microsoft's proof: Trust Center, Service Trust Portal
  5. Your tracking: Purview Compliance Manager
  6. Bottom line: It's all about mitigating risk

Practical Exercises

These are meant to build familiarity, not certification prep. Do them at your own pace.

Exercise 1: Explore the Trust Center (10 min)

  1. Go to trust.microsoft.com
  2. Navigate to Compliance → Compliance Offerings
  3. Filter by Azure
  4. Find certifications relevant to your industry:
    • Healthcare? Look for HIPAA
    • Finance? Look for PCI-DSS, SOC 2
    • Government? Look for FedRAMP
  5. Question to answer: How many compliance certifications does Azure hold?

Exercise 2: Access Service Trust Portal (10 min)

  1. Go to servicetrust.microsoft.com
  2. Sign in with your Microsoft account
  3. Navigate to Audit Reports
  4. Download an ISO 27001 certificate for Azure
  5. Question to answer: When was the last audit conducted?

Exercise 3: Explore Purview Compliance Manager (15 min)

Requires M365 license

  1. Go to compliance.microsoft.com
  2. Navigate to Compliance Manager
  3. View your Compliance Score
  4. Look at the Data Protection Baseline assessment
  5. Questions to answer:
    • What's your current score?
    • What's the top improvement action recommended?
    • How many points is Microsoft responsible for vs you?

Exercise 4: Identify Your Requirements (Think Exercise)

No portal needed - just think and write:

  1. List 3 internal policies your organization has (or should have)
  2. List any regulatory requirements that apply to you
  3. For each, write one Azure control that could enforce it:
    • Example: "No public storage accounts" → Azure Policy

What's Next?

In Part 2: Organizational Hierarchy, we'll dive into:

  • Management Groups (the hierarchy above subscriptions)
  • Subscriptions (billing, limits, trust relationships)
  • Resource Groups (lifecycle management)
  • How governance INHERITS down through these levels

This is where the architecture of Azure governance really takes shape! 🏗️


End of Part 1

Released under the MIT License.