Azure Policy: Governance and Compliance Enforcement for Small Business in Berlin
As Azure environments grow, so does the risk of configuration drift. A developer provisions a storage account without encryption. A resource group is created without a cost centre tag. A virtual machine is deployed with a public IP. Without a governance layer, these deviations accumulate silently until a security audit, a cost spike, or a compliance review surfaces them weeks or months later. Azure Policy is the native governance engine that prevents configuration drift before it happens: it evaluates every resource deployment against a defined set of rules and can deny, audit, or automatically remediate non-compliant configurations. For a Berlin small business running production workloads in Azure, Azure Policy is the difference between a governed, auditable environment and an ad-hoc one that creates compliance exposure.
How Azure Policy Works
Azure Policy operates through policy definitions — JSON rules that describe a compliance condition (the "if" block) and the enforcement effect to apply when that condition matches (the "then" block). Policy definitions can be grouped into policy initiatives (also called policy sets). Either a single definition or an initiative is assigned to a scope: a management group, subscription, or resource group. Every resource within that scope is evaluated against all assigned policy definitions. The evaluation cycle runs continuously — new resources are evaluated at deployment, and existing resources are scanned every 24 hours for drift.
Policy Effects
| Effect | Behaviour | Use Case |
|---|---|---|
| Deny | Blocks the resource deployment if the condition is not met | Enforce encryption, block public IPs, restrict allowed regions |
| Audit | Allows deployment but logs non-compliance; shows in compliance dashboard | Report on existing resources without blocking deployments |
| Append | Adds fields to a resource at deployment (e.g., a tag) | Auto-tag resources with cost centre or environment label |
| Modify | Adds or updates properties on existing and new resources | Enable diagnostic settings, apply tags across an existing fleet |
| DeployIfNotExists | Deploys a companion resource if it does not exist | Auto-deploy Log Analytics agent, enable Defender for Cloud on new VMs |
| AuditIfNotExists | Audits a resource if a related resource is missing | Report VMs without Defender for Endpoint or Log Analytics extension |
Built-In Policy Initiatives for Security and Compliance
Azure provides hundreds of built-in policy definitions and several pre-packaged initiatives relevant to security and compliance. Key initiatives for a Berlin small business:
- Microsoft Cloud Security Benchmark (MCSB): The default initiative assigned by Defender for Cloud. Covers storage encryption, network exposure, identity, logging, and key management — the foundational security baseline. Assigning this initiative provides the compliance view in Defender for Cloud’s regulatory compliance blade.
- ISO 27001:2013: Maps Azure controls to ISO 27001 requirements. Useful for businesses pursuing ISO 27001 certification or needing to demonstrate ISO alignment to enterprise customers.
- GDPR: Maps Azure configurations to GDPR obligations — particularly relevant for data residency, encryption, and access control requirements under Articles 25 and 32.
- Azure Security Benchmark: Predecessor to MCSB; still widely used. Covers 12 control domains including network security, logging, identity, and incident response.
Practical Policy Configuration for a Small Azure Environment
- Assign the Microsoft Cloud Security Benchmark initiative: In the Azure portal → Policy → Assignments → Assign initiative. Select the Microsoft Cloud Security Benchmark initiative. Assign it at the subscription scope. Set the effect to Audit for the first 30 days to establish a baseline without blocking deployments. Review the compliance dashboard to identify the most common non-compliant configurations.
- Enforce data residency: Assign the built-in policy Allowed locations at the subscription level with effect Deny and allowed locations set to West Europe and North Europe (the Azure regions serving Germany and Berlin). This prevents resources from being provisioned outside EU regions — directly relevant to GDPR data residency obligations.
- Enforce storage account encryption and HTTPS: Assign Storage accounts should use customer-managed key for encryption (if CMEK is required) and Secure transfer to storage accounts should be enabled (effect: Deny). These two policies prevent the two most common storage misconfigurations in small Azure environments.
- Enforce resource tagging: Create a custom policy definition (or use built-in Require a tag and its value on resources) to require specific tags — CostCentre, Environment, Owner — on all resource groups. Use the Append effect to auto-tag new resources where the tag is missing.
- Auto-enable Defender for Cloud on new subscriptions: Assign the Configure Azure Defender to be enabled on subscriptions initiative using the DeployIfNotExists effect. This ensures any new subscription in your tenant automatically has Defender for Cloud enabled at the Standard tier without manual configuration.
- Monitor and remediate: Review the Policy → Compliance blade weekly. For non-compliant existing resources, use the Remediation task feature to apply a remediation policy (Modify or DeployIfNotExists effects support automated remediation tasks). Compliance reports can be exported for audit evidence.
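To make the definition format from "How Azure Policy Works" and the assignments in the steps above concrete, here is a small Python evaluator, added here and not part of the original article or of Microsoft's tooling, that applies three rules written in the Azure Policy if/then syntax (mirroring the Allowed locations, Secure transfer and required-tag policies named above) to constructed sample resources. The operator subset, the alias table and the inlined parameter values are simplifying assumptions; the real engine resolves aliases, parameters and scope itself.

```python
# Minimal evaluator for Azure Policy rule JSON (the if/then, field-based subset the
# built-ins above use). Constructed teaching code, not the Azure Policy engine.

# Rules in the definition syntax; values a real assignment supplies as parameters
# (allowed regions, effect) are inlined here (constructed).
POLICIES = {
    "allowed-locations": {
        "if": {"allOf": [{"field": "location", "notIn": ["westeurope", "northeurope"]},
                         {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "Deny"}},
    "secure-transfer": {
        "if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                         {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                          "notEquals": "true"}]},
        "then": {"effect": "Deny"}},
    "require-costcentre-tag": {
        "if": {"field": "tags['CostCentre']", "exists": "false"},
        "then": {"effect": "Audit"}},
}
# Alias -> JSON path (assumed table; Azure derives aliases from provider schemas).
ALIASES = {"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly":
           ("properties", "supportsHttpsTrafficOnly")}

def resolve_field(field, res):
    """Look up a policy 'field' (top-level key, tags['X'] or alias) on an ARM-style dict."""
    if field.startswith("tags['"):
        return res.get("tags", {}).get(field[6:-2])
    node = res
    for key in ALIASES.get(field, (field,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def matches(cond, res):  # True when the 'if' block matches, i.e. the rule fires
    if "allOf" in cond: return all(matches(c, res) for c in cond["allOf"])
    norm = lambda v: None if v is None else str(v).lower()  # Azure compares case-insensitively
    value = norm(resolve_field(cond["field"], res))
    if "equals" in cond: return value == norm(cond["equals"])
    if "notEquals" in cond: return value != norm(cond["notEquals"])
    if "notIn" in cond: return value not in {norm(x) for x in cond["notIn"]}
    if "exists" in cond: return (value is not None) == (norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, policies=POLICIES):
    """Map each policy that fires to its effect; an empty dict means fully compliant."""
    return {n: p["then"]["effect"] for n, p in policies.items() if matches(p["if"], resource)}

# Constructed sample deployments: a compliant account and one that trips all three rules.
SAMPLES = {
    "stgood": {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
               "tags": {"CostCentre": "CC100"}, "properties": {"supportsHttpsTrafficOnly": True}},
    "stbad": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
              "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}},
}
```

A deployment is blocked when any firing policy carries Deny; Audit-only hits are allowed through but would appear on the compliance dashboard.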
Azure Policy vs. Defender for Cloud Recommendations
Defender for Cloud surfaces recommendations based on Azure Policy evaluations — the two systems are tightly coupled. Every Defender for Cloud recommendation is backed by a policy definition. Assigning the Microsoft Cloud Security Benchmark initiative directly in Azure Policy gives you the same compliance view as the Defender for Cloud regulatory compliance blade, but with more control over scope, exemptions, and enforcement effects. For small businesses already using Defender for Cloud, the practical starting point is to review which Defender recommendations are most critical, find the corresponding policy definitions, and switch their effects from Audit to Deny for the highest-risk configurations.
IT Experts Berlin configures Azure Policy governance baselines as part of Azure infrastructure builds for Berlin businesses. Request a free IT assessment to review your current Azure governance and compliance posture.
