az policy assignment list --scope <scope> --output tableGovernance baseline
A governance baseline is the minimum set of policies, access controls, tags, logging, security, and compliance requirements that Azure environments must meet before workloads are trusted for production.
Source: Microsoft Learn - Azure governance design area Reviewed 2026-05-14
- Exam trap
- Treating the baseline as a slide deck instead of enforceable Azure Policy, RBAC, tags, logs, and remediation tasks.
- Production check
- Verify owner, scope, enabled state, diagnostics, access model, and linked resources before changing Governance baseline.
Article details and learning context
- Aliases
- Azure governance baseline, cloud governance baseline, landing zone governance baseline
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-14
Understand the concept
In plain English
Governance baseline means the minimum set of Azure rules and controls a workload must satisfy before it is treated as governed. It helps teams discuss policy requirements, access rules, tags, logging, Defender coverage, and compliance evidence without confusing it with one optional checklist owned by a single project team. You care about it when a landing zone is created, a subscription is onboarded, or auditors ask how production workloads meet enterprise standards. In practice, operators should confirm the owner, scope, logs, dependencies, and rollback path before relying on it in production.
Why it matters
Governance baseline matters because it turns enterprise requirements into repeatable Azure controls that every subscription and workload can inherit. When teams skip it, new environments drift apart, security exceptions become invisible, teams argue about ownership, and audit evidence is rebuilt manually after incidents. In production, it influences who can deploy, which regions are allowed, what tags are required, whether logs are captured, and which resources are blocked or remediated. It also connects architecture decisions to operational evidence: policies, logs, access reviews, runbooks, metrics, or cost reports. That shared language helps teams decide whether a problem is misconfiguration, missing ownership, weak monitoring, or a real service failure. The result is faster triage, safer releases, and clearer accountability when a workload is under pressure.
Official wording and source
A governance baseline is the minimum set of policies, access controls, tags, logging, security, and compliance requirements that Azure environments must meet before workloads are trusted for production. In practice, teams should confirm live configuration, ownership, dependencies, and operational evidence before relying on it in production.
Technical context
Technically, Governance baseline sits in Azure landing zone governance across management groups, subscriptions, resource groups, policies, locks, tags, RBAC, and monitoring. Azure shows policy assignments, initiatives, management group hierarchy, role assignments, tag standards, diagnostic settings, security recommendations, and documented exceptions. Engineers inspect with Azure Policy compliance views, Resource Graph queries, Activity Log, Defender for Cloud, Cost Management, and read-only Azure CLI checks. It interacts with management groups, subscriptions, resource groups, identity, networking, diagnostics, cost controls, and workload deployment pipelines; compare live state with documented intent before production changes.
Exam context
Compare with
Where it is used
Where you see it
- Azure Policy compliance pages, management group assignments, landing zone review boards, and resource group tag reports all expose whether the governance baseline is actually enforced.
- Deployment pipelines and template reviews show baseline requirements as allowed regions, required diagnostics, tag rules, locks, role assignments, and deny or deployIfNotExists policies. during design, release, audit, and incident review.
- Audit packages and incident reviews reference the baseline when teams prove ownership, logging, least privilege, cost accountability, and approved exceptions for production subscriptions. during design, release, audit, and incident review.
Common situations
- Onboard a new subscription with required policies, tags, diagnostics, and Defender plans before application teams deploy production resources.
- Give auditors a consistent evidence trail for access, logging, allowed regions, encryption, exceptions, and policy compliance.
- Reduce drift across business units by applying inherited controls at management group and subscription scope.
- Help incident commanders decide whether a production problem is a workload issue or a missing baseline control.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Governance baseline in action for regional bank subscription onboarding Scenario, objectives, solution, measured impact, and takeaway.
Contoso Bank, a finance organization, had to onboard twenty analytics subscriptions without losing control of encryption, diagnostics, and privileged access.
- Onboard subscriptions within five business days
- Keep policy compliance above 95 percent
- Require owner and cost center tags
- Capture audit evidence automatically
The cloud platform team defined a governance baseline at the management group level. Azure Policy initiatives required approved regions, diagnostic settings, tag inheritance, Defender plans, and deny rules for public storage. Azure RBAC groups separated platform owners from workload contributors, and policy exemptions needed an owner and expiry date. Deployment templates were tested against the baseline before application teams received subscriptions, and Resource Graph queries fed a weekly compliance dashboard. Runbooks recorded the baseline version, allowed exceptions, remediation steps, and CLI checks for release reviews. The change record included resource IDs, owner approval, rollback triggers, monitoring signals, and security review notes. Operators used read-only CLI checks before any change and captured command output for the evidence package. A deliberately scoped nonproduction test confirmed the runbook, access model, and rollback assumptions. After rollout, the team watched production metrics, support feedback, access logs, and cost signals for two weeks. Lessons learned were converted into standards so later projects could reuse the pattern instead of rebuilding it from scratch.
- Subscription onboarding time fell from three weeks to four days
- Policy compliance stayed at 97 percent after the first month
- Audit evidence preparation dropped by 55 percent
- Unowned resources fell by 80 percent
A governance baseline works when it is enforceable, measurable, and close to the deployment path.
Scenario 02 Governance baseline in action for healthcare landing zone audit Scenario, objectives, solution, measured impact, and takeaway.
Pine Valley Health, a healthcare organization, needed consistent controls for patient-data workloads across research, billing, and clinical reporting subscriptions.
- Prove logging coverage for regulated workloads
- Block unsupported regions
- Review exceptions every thirty days
- Reduce manual audit sampling
Architects used the governance baseline as the control map for Azure Policy, Defender for Cloud, diagnostic settings, private endpoint requirements, and tag standards. The baseline was assigned through management groups so inherited controls covered new subscriptions automatically. Security teams configured policy remediation for missing diagnostics and used access reviews for privileged groups. A small exception process allowed research teams to request temporary policy waivers, but every waiver included scope, business owner, expiration, and compensating controls. Compliance dashboards showed which workloads met the baseline and which required remediation. The change record included resource IDs, owner approval, rollback triggers, monitoring signals, and security review notes. Operators used read-only CLI checks before any change and captured command output for the evidence package. A deliberately scoped nonproduction test confirmed the runbook, access model, and rollback assumptions. After rollout, the team watched production metrics, support feedback, access logs, and cost signals for two weeks. Lessons learned were converted into standards so later projects could reuse the pattern instead of rebuilding it from scratch.
- Manual audit sampling decreased by 48 percent
- All patient-data subscriptions used approved regions
- Expired exceptions were removed within one review cycle
- Security teams gained one consistent evidence package
The baseline gives regulated teams a repeatable way to prove controls instead of rebuilding evidence every audit.
Scenario 03 Governance baseline in action for retail acquisition integration Scenario, objectives, solution, measured impact, and takeaway.
Fabrikam Retail, a retail organization, acquired a smaller brand and needed to bring inherited Azure subscriptions under corporate governance quickly.
- Identify noncompliant subscriptions in two weeks
- Apply minimum logging and tag rules
- Avoid blocking holiday-release workloads
- Create remediation plans by risk level
The enterprise architecture team compared the acquired subscriptions against the existing governance baseline. They first used read-only policy, role assignment, tag, and diagnostic checks, then assigned audit-only policies before moving high-risk controls to deny or deployIfNotExists effects. Workload owners received a remediation backlog ranked by data sensitivity and customer impact. The baseline also created a standard language for release managers, security reviewers, and finance analysts, who could approve temporary exceptions without weakening controls for the entire hierarchy. The change record included resource IDs, owner approval, rollback triggers, monitoring signals, and security review notes. Operators used read-only CLI checks before any change and captured command output for the evidence package. A deliberately scoped nonproduction test confirmed the runbook, access model, and rollback assumptions. After rollout, the team watched production metrics, support feedback, access logs, and cost signals for two weeks. Lessons learned were converted into standards so later projects could reuse the pattern instead of rebuilding it from scratch.
- Ninety-two percent of critical resources were classified in ten days
- Missing diagnostic settings were remediated on 340 resources
- Release blocks during peak season were avoided
- Finance recovered cost-center ownership for all migrated subscriptions
A baseline can accelerate integration when rollout is staged, evidenced, and risk-based.
Azure CLI
CLI checks make Governance baseline review repeatable because they capture scoped evidence before anyone changes production. Start with read-only commands to confirm tenant, subscription, resource IDs, owners, current settings, and related dependencies. Mutating commands should run only after approval, rollback steps, customer impact, security impact, and cost impact are understood.
Useful for
- Confirm the current Azure configuration, owner, scope, and dependencies for Governance baseline before a release or incident change.
- Collect repeatable evidence for audit, troubleshooting, access review, cost review, or architecture approval involving Governance baseline.
- Compare environments and detect drift before approving a mutating command related to Governance baseline.
Before you run a command
- Confirm tenant, subscription, resource group, management group, account, identity, or application scope before trusting output.
- Run list and show commands first, save evidence, and only then consider create, update, failover, delete, or permission changes.
- Check whether the command affects customer traffic, data access, credentials, policy enforcement, regional recovery, billing, or compliance evidence.
What the output tells you
- Names, object IDs, resource IDs, locations, SKUs, states, and parent scopes show whether you inspected the intended target.
- Assignments, settings, identities, endpoints, diagnostics, regions, or deployment properties explain how the workload behaves today.
- Timestamps, health states, metrics, compliance summaries, and logs help separate Azure configuration issues from application failures.
Mapped commands
Governance baseline operational checks
directaz policy state summarize --management-group <management-group-id>az role assignment list --scope <scope> --output tableaz monitor diagnostic-settings list --resource <resource-id>Architecture context
Architects should place Governance baseline in the workload design beside ownership, scope, dependencies, monitoring, security controls, cost assumptions, and rollback procedures. The term becomes useful when the diagram matches live Azure evidence.
- Security
- From a security perspective, Governance baseline should be treated as part of the access and trust boundary. It affects policy enforcement, privileged access, logging requirements, Defender recommendations, regulatory controls, and exception handling. Review who can create, update, assign, or bypass it, and confirm changes are logged. Use least privilege, private access where relevant, managed identities instead of shared secrets, and policy guardrails for production. The main risk is assuming it is harmless because it looks administrative; misconfiguration can expose data, overgrant access, weaken audit evidence, or let untrusted input influence a critical workflow. Keep review evidence close to the ticket so approvals can be repeated.
- Cost
- Cost impact comes from mandatory diagnostics, Defender plans, retention settings, tagging accuracy, unused-resource cleanup, policy remediation work, and premium governance tooling. Some costs are direct, such as higher redundancy tiers, logs, service capacity, query volume, or premium licenses; others are indirect, such as manual reviews, failed deployments, or incident time. Tag owners, capture baseline usage, and check Advisor, Cost Management, and service metrics before scaling or enabling features. The goal is not to avoid the feature, but to match spend to risk, compliance, and expected business value. Separate production requirements from dev/test assumptions so expensive controls are not copied blindly across environments.
- Reliability
- Reliability depends on keeping baseline controls enforced without blocking emergency recovery, region failover, or required platform remediation. Treat the term as a control point in the runbook, not just as a portal label. Operators should know expected healthy state, failure modes, regional or tenant dependencies, and recovery steps before an incident. Monitor metrics, logs, policy compliance, and downstream symptoms together. The common failure is changing configuration to fix one issue while creating another because ownership, propagation time, limits, or failover behavior were not understood. Confirm alert thresholds, escalation paths, and nonproduction test evidence before an outage forces rushed decisions. Review recovery assumptions after major platform changes.
- Performance
- Performance is affected by how quickly teams can get compliant environments, how much policy evaluation overhead exists, and how fast operators can find governance evidence. For interactive systems, operators should measure latency, throughput, cache behavior, query cost, and downstream dependencies rather than assuming the Azure setting is neutral. For governance and identity terms, performance often means reduced approval friction and faster access evaluation. Tune with live measurements, capacity limits, and representative workload tests; otherwise a safe-looking configuration can slow users, overload backend services, or produce noisy operations. Record baseline measurements so later regressions can be tied to a specific change instead of guesswork. Test changes with representative traffic before production rollout.
- Operations
- Operationally, Governance baseline needs clear ownership, naming, change control, and evidence. Put it in runbooks, deployment templates, access reviews, and dashboards so the next engineer can see current state quickly. Start with read-only CLI or portal checks, compare against standards, save output, and only then approve mutating changes. Operations teams should track drift, failed deployments, policy exceptions, metrics, alerts, and audit logs. Good operations makes the term boring: predictable enough to review during releases and clear enough to troubleshoot during incidents. Review stale resources, exceptions, and owner changes on a scheduled cadence so temporary decisions do not become permanent. Keep evidence linked to the owning team and current runbook.
Common mistakes
- Treating the baseline as a slide deck instead of enforceable Azure Policy, RBAC, tags, logs, and remediation tasks.
- Applying deny policies before testing whether approved deployment templates can still create required resources.
- Forgetting exception ownership, review dates, and evidence, which turns temporary waivers into permanent blind spots.
- Assuming all subscriptions need identical controls instead of documenting risk-based differences by environment and workload.