AzureToZ

Azure Policy at Scale Without Losing Your Mind


Governance that scales is a design problem, not a compliance checkbox. The teams that struggle with Azure Policy almost always treat it as a pile of individual rules. The teams that thrive treat it as an architecture.

Think in initiatives, not policies

A single policy is a rule. An initiative is a coherent set of rules with a shared intent — “UK regulated baseline,” say. Assign initiatives at the management group level and you govern by design intent, not by whack-a-mole.

Make exemptions a feature, not a leak

Every exemption should be:

  • Time-bound — it expires, forcing a review.
  • Documented — a reason and an owner, in the resource itself.
  • Visible — surfaced in compliance reporting, not buried.
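
One way to make those three properties a check rather than a convention, as an added example that is not part of the original post: a small Python linter over exemption records in the shape `az policy exemption list` returns. The sample records, the 90-day ceiling and the `metadata.owner` key are assumptions for the example.

```python
"""Lint Azure Policy exemptions for the three properties above.

Record shape follows `az policy exemption list` (flattened properties):
name, expiresOn, description, metadata. SAMPLE is constructed for this example."""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 90  # assumed house rule: nothing is exempt for more than a quarter

def exemption_findings(ex, now):
    """Return a list of problems with one exemption; empty list means it passes."""
    findings = []
    expires = ex.get("expiresOn")
    if not expires:
        findings.append("no expiresOn: the exemption never forces a review")
    else:
        expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if expires_at <= now:
            findings.append("already expired but still present: delete or renew it")
        elif expires_at - now > timedelta(days=MAX_LIFETIME_DAYS):
            findings.append(f"expires more than {MAX_LIFETIME_DAYS} days out")
    if not (ex.get("description") or "").strip():
        findings.append("no description: the reason is undocumented")
    if not (ex.get("metadata") or {}).get("owner"):
        findings.append("no metadata.owner: nobody is accountable for the review")
    return findings

def lint_exemptions(exemptions, now):
    """Map exemption name -> findings, listing only exemptions with problems."""
    return {ex["name"]: p for ex in exemptions if (p := exemption_findings(ex, now))}

# Constructed sample: one well-formed exemption and two leaky ones.
SAMPLE = [
    {"name": "sql-tls-waiver", "expiresOn": "2025-03-01T00:00:00Z",
     "description": "Legacy app needs TLS 1.0 until vendor patch ships (ticket: placeholder).",
     "metadata": {"owner": "platform-team@example.com"}},
    {"name": "storage-public-access", "description": "", "metadata": {}},
    {"name": "vm-backup-skip", "expiresOn": "2030-01-01T00:00:00Z",
     "description": "Temporary", "metadata": {"owner": "dba-team"}},
]
FIXED_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # pinned so the output is stable

def lint_sample():
    return lint_exemptions(SAMPLE, FIXED_NOW)

if __name__ == "__main__":
    for name, problems in lint_sample().items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Feed it the JSON from your own tenant and run it in the pipeline that publishes compliance reports, so an exemption that is open-ended, unexplained or ownerless shows up as a finding of its own.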

Remediate, don’t just report

DeployIfNotExists  →  closes the gap automatically
Modify             →  fixes tags and config in place
Audit              →  tells you, and only you

The mistake I see most is stopping at Audit. A dashboard full of red that nobody acts on is worse than no dashboard — it trains people to ignore the signal. Wire up remediation tasks so the platform fixes drift itself, and keep human attention for the genuinely hard calls.

Thanks for reading. — Dennis