After Lab 5.2 — Recap
After Lab 5.2 — Recap
You assigned Azure Policies to your Day 5 environment — a Deny policy for public blob access and a Require Tags policy. These policies will now enforce rules automatically, preventing violations before they happen.
What you should have done
| Policy | Effect | Scope | What it does |
|---|---|---|---|
| Deny public blob access | Deny | Subscription | Blocks storage accounts with public blob access at creation |
| Require tags | Deny (or Modify) | Resource group | Enforces required tags on resources at creation |
Why only Deny? Before Lab 5.2 showed all four policy effects, but in this lab we used Deny for both policies. This is because Deny is the most common effect for enforcing compliance — it blocks non-compliant resources at creation time. The Audit effect would also work (allowing creation but flagging non-compliance), and DeployIfNotExists or Modify could be used for corrective actions, but Deny is the simplest starting point for preventive enforcement.
Why this matters
Policies are the difference between reactive and proactive compliance:
But policies have two important limitations:
- Evaluation delay — policies evaluate asynchronously, so there's a lag between assignment and compliance reporting (typically minutes to hours, depending on subscription size)
- Existing violations — policies prevent new violations but don't automatically fix old ones
That's why the next step is adding human judgment — automation that asks before it acts.
Main takeaway
Policies are preventive controls — they stop violations before they happen. But they don't fix what already exists.
You now have a policy guardrail. The next step is deciding how to fix violations — with or without human approval.
Bridge to Lab 5.3
In the next lab, you will connect Azure Policy to Power Automate — building a flow that detects violations, asks the resource owner for approval, and then auto-remediates on their behalf. This teaches the Auto-Remediate vs Alert-Only decision: when should automation act blindly, and when should it ask first? Before starting, review the Security Automation theory page which explains the three approaches to fixing problems and the Auto-Remediate vs Alert-Only decision framework.