Azure Policy is a service you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.

• https://docs.microsoft.com/en-us/azure/governance/policy/overview

• Azure Policy is a free service
• Multiple Azure Policies can be group together to form a policy initiative
• By default policies apply to the scope where they are applied and all child scopes, but scopes can be excluded
• Policies can be applied at all levels of scope supported by Azure (i.e. management group, subscription, resource group, resource). but the policies themselves are defined at either a subscription of management group level.
• Azure Policy is the mechanism that powers Azure Security Center findings

• real-time enforcement and compliance assessment
• applying policies at scale
• remediation by leveraging a remediation policy
  • Remediation policies will bring resources into compliance; existing resources will be flagged and not remediated to avoid adverse effects to the environment.

• Ensure only VMs of certain type are created
• Ensure resources are not created in certain regions
• To add tags to resources that need for tracking purposes

• Deny the resource change
• Log the change to the resource
• Alter the resource before the change
• Alter the resource after the change
• Deploy related compliant resources

• Append—Adds fields to a resource during the creation/updating of the resource
• Audit—Audit is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
• Deny—The deny action prevents the creation/updating of a resource that does not meet specified conditions.
• DeployIfNotExists—A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don't evaluate to true.