AZ-104-MicrosoftAzureAdministrator/Instructions/Demos/02 - Administer Governance and Compliance.md

---

demo:
    title: 'Demonstration 02: Administer Governance and Compliance'
    module: 'Administer Governance and Compliance'
---

# 02 - Administer Governance and Compliance

## Configure Subscriptions

This area does not have a formal demonstration. 

**Reference**: [Create an additional Azure subscription](https://docs.microsoft.com/azure/cost-management-billing/manage/create-subscription)

## Configure Azure Policy

In this demonstration, we will work with Azure policies.

**Reference**: [Tutorial: Build policies to enforce compliance - Azure Policy](https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage)

**Assign a policy**

1.  Access the Azure portal.

2.  Search for and select **Policy**.

3.  Select **Assignments** on the left side of the Azure Policy page.

4.  Select **Assign Policy** from the top of the Policy - Assignments page.

5.  Notice the **Scope** which determines what resources or grouping of resources the policy assignment is enforced on.

6.  Select the **Policy definition ellipsis** to open the list of available definitions. Take some time to review the built-in policy definitions.

7.  Search for and select **Allowed locations**. This policy enables you to restrict the locations your organization can specify when deploying resources.

8.  Move the **Parameters** tab and using the drop-down select one or more allowed locations.

9.  Click **Review + create** and then **Create** to create the policy.

**Create and assign an initiative definition**

1.  Return to the Azure Policy page and select **Definitions** under Authoring.

2.  Select **Initiative Definition** at the top of the page.

3.  Provide a **Name** and **Description**.

4.  **Create new** Category.

5.  From the right panel **Add** the **Allowed locations** policy.

6.  Add one additional policy of your choosing.

7.  **Save** your changes and then **Assign** your initiative definition to your subscription.

**Check for compliance**

1.  Return to the Azure Policy service page.

2.  Select **Compliance**.

3.  Review the status of your policy and your definition.

**Check for remediation tasks**

1.  Return to the Azure Policy service page.

2.  Select **Remediation**.

3.  Review any remediation tasks that are listed.

**Remove your policy and initiative (optional)**

1.  Return to the Azure Policy service page.

2.  Select **Assignments**.

3.  Select your **Allowed locations** policy.

4.  Click **Delete assignment**.

5.  Return to the Azure Policy service page.

6.  Select **Initiatives**.

7.  Select your new initiative.

8.  Click **Delete initiative**.

## Configure Role-Based Access Control

In this demonstration, we will learn about role assignments.

**Reference**: [Tutorial: Grant a user access to Azure resources using the Azure portal - Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)

**Reference**: [Quickstart - Check access for a user to Azure resources - Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control/check-access)

**Locate Access Control blade**

1.  Access the Azure portal and select a resource group. Make a note of what resource group you use.

2.  Select the **Access Control (IAM)** blade.

3.  This blade will be available for many different resources so you can control permissions.

**Review role permissions**

1.  Select the **Roles** tab (top).

1.  Review the large number of built-in roles that are available.

1.  Double-click a role, and then select **Permissions** (top).

1.  Continue drilling into the role until you can view the **Read, Write, and Delete** actions for that role.

1.  Return to the **Access Control (IAM)** blade.

**Add a role assignment**

1.  Create a user.

1.  Select **Add role assignment** and pick a role. For exmaple, *owner*.

1.  Select **Check access**.

1.  Select the user.

1.  Notice the user is part of the **Managers** group and is an **Owner**.

1.  Notice that you can **Deny assignments**.