azure
128 Topics

Azure Policy: Modern Governance with Practical Recommendations

Azure Policy is one of Microsoft Azure’s most effective governance tools. It helps organizations enforce standards automatically, detect configuration issues early, and keep cloud environments aligned with internal policies and external regulatory requirements. For organizations that value security, predictability, and cost control—especially nonprofits—Azure Policy provides essential guardrails without relying on manual oversight.

This guide explains why Azure Policy matters, how it works, and recommended best practices for using it effectively, with a practical example and step‑by‑step guidance.

📘 Official Azure Policy overview

Why Azure Policy Matters

Azure Policy allows you to define rules that Azure evaluates continuously. These rules ensure resources stay compliant during creation and over time. Policies can block, audit, modify, or remediate resource configurations automatically—reducing risk and operational overhead.

Common governance scenarios include:

- Restricting which Azure regions can be used
- Requiring resource tags for cost tracking
- Enforcing encryption and security baselines
- Auditing misconfigurations
- Preventing unsupported or high‑risk deployments

✅ Recommendation

Adopt Azure Policy early, before environments scale. Governance is far easier—and less disruptive—to maintain than to retrofit after sprawl occurs.

Recommended Approach: Built‑In Policies First

Microsoft maintains hundreds of built‑in policies that cover common governance scenarios, including region restrictions, security controls, and compliance baselines.

One of the most widely used policies is:

- Allowed locations – Restricts where resources can be deployed (Deny or Audit)

✅ Recommendation

Use built‑in policies whenever possible. They are:

- Maintained and updated by Microsoft
- Aligned with Azure platform changes
- Easier to audit, document, and explain to stakeholders

Create custom policies only when built‑in options cannot meet specific business requirements.
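The Allowed locations restriction described above can be rehearsed offline before it is assigned. The following Python dry run is an added example, not code from the article or from Microsoft: it checks an exported resource inventory against a proposed region list and reports what an Audit or Deny assignment would flag. The inventory records, the function names, and the treatment of `global` resources as exempt are assumptions of this sketch, which models the idea of the rule and not the Azure Policy engine.

```python
"""Dry run of a region restriction against an exported resource inventory.

Added example: a simplified model of the idea behind an allowed-locations
rule, NOT the Azure Policy engine.
"""
import json
from collections import Counter

# Constructed sample, shaped like the JSON array that `az resource list`
# prints (only the fields used here). All names are made up.
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "donor-db",   "type": "Microsoft.Sql/servers",             "location": "eastus",      "resourceGroup": "rg-data"},
 {"name": "web-app",    "type": "Microsoft.Web/sites",               "location": "East US 2",   "resourceGroup": "rg-web"},
 {"name": "test-vm",    "type": "Microsoft.Compute/virtualMachines", "location": "brazilsouth", "resourceGroup": "rg-test"},
 {"name": "public-dns", "type": "Microsoft.Network/dnszones",        "location": "global",      "resourceGroup": "rg-net"},
 {"name": "old-store",  "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",  "resourceGroup": "rg-test"}
]
""")

# Assumption: resources that are not tied to a region report "global" and
# are left out of the check.
DEFAULT_EXEMPT = ("global",)


def normalize(location):
    """Treat 'East US 2' (display name) and 'eastus2' (name) as equal."""
    return (location or "").replace(" ", "").lower()


def evaluate(inventory, allowed, effect="audit", exempt=DEFAULT_EXEMPT):
    """Return one finding per resource located outside the allowed regions."""
    if effect not in ("audit", "deny"):
        raise ValueError("effect must be 'audit' or 'deny'")
    allowed_set = {normalize(a) for a in allowed}
    exempt_set = {normalize(e) for e in exempt}
    findings = []
    for res in inventory:
        loc = normalize(res.get("location"))
        # Records without a location cannot be judged here; skip them.
        if not loc or loc in exempt_set or loc in allowed_set:
            continue
        findings.append({
            "name": res.get("name", ""),
            "type": res.get("type", ""),
            "location": loc,
            "resourceGroup": res.get("resourceGroup", ""),
            # Deny stops new or updated deployments; a resource that already
            # exists is reported as non-compliant, it is not removed.
            "outcome": ("non-compliant; further deployments to this region blocked"
                        if effect == "deny" else "non-compliant; reported only"),
        })
    return findings


def by_resource_group(findings):
    """Count findings per resource group so the owners can be contacted."""
    return dict(Counter(f["resourceGroup"] for f in findings))


def ready_for_deny(inventory, allowed, exempt=DEFAULT_EXEMPT):
    """True when nothing in the inventory conflicts with a Deny assignment."""
    return not evaluate(inventory, allowed, "deny", exempt)


if __name__ == "__main__":
    proposed = ["eastus", "eastus2"]
    for f in evaluate(SAMPLE_INVENTORY, proposed, effect="audit"):
        print(f"{f['resourceGroup']}/{f['name']} in {f['location']}: {f['outcome']}")
    print("by resource group:", by_resource_group(evaluate(SAMPLE_INVENTORY, proposed)))
    print("safe to switch to Deny:", ready_for_deny(SAMPLE_INVENTORY, proposed))
```

Replacing `SAMPLE_INVENTORY` with the parsed output of `az resource list --output json` gives the same report for a real subscription.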
Why Region Restriction Policies Are Useful

Restricting deployment regions is one of the most impactful governance controls an organization can apply.

Key Benefits

- 🔐 Stronger security - Limits deployments to trusted, reviewed regions.
- 📜 Regulatory compliance - Supports data residency requirements (HIPAA, GDPR, donor data protections).
- ⚡ Performance optimization - Keeps workloads closer to users and connected systems.
- 💰 Cost governance - Prevents accidental deployment in higher‑cost regions.
- 🧭 Operational consistency - Establishes clear boundaries for teams and automation pipelines.

✅ Recommendation

Apply region restrictions at the management group or subscription level to ensure consistent enforcement across environments.

Step‑by‑Step: Assigning an Azure Policy (Portal)

Step 1 — Open Azure Policy

1. Sign in to <https://portal.azure.com>
2. Search for Policy
3. Open the Policy service

Step 2 — Explore Policy Definitions

Azure provides built‑in policies for:

- Tag enforcement
- Encryption requirements
- Diagnostic and activity logging
- Resource configuration and restrictions
- Security and compliance baselines

✅ Recommendation

Group related policies into Initiatives (policy sets) for easier management—especially for compliance or nonprofit governance standards.

📘 List of built in policy definitions:

Step 3 — Assign the Policy

1. In the left menu, expand Authoring
2. Select Assignments
3. Select Assign Policy
4. Select scope (management group, subscription, or resource group)
5. Choose the policy definition during the assignment wizard
6. Configure parameters
7. Review and create

Azure begins evaluating resources automatically.

📘 Assigning policies via the portal

Compliance Reporting in Azure Policy

Azure Policy includes a built‑in Compliance Dashboard that shows:

- Overall compliance percentage across assigned policies and initiatives
- Compliant vs. non‑compliant resources, aggregated by scope (management group, subscription, or resource group)
- Non‑compliant initiatives and policies, helping identify which policy sets are failing
- Individual policy evaluation results, showing exactly why a resource is non‑compliant
- Exemptions, errors, and not‑applicable states, including resources excluded from enforcement or failing evaluation

Note: Compliance data is generated during evaluation cycles and may not be real‑time; results are updated periodically based on policy or resource changes.

📘 Compliance reporting documentation

Why Azure Policy Is Especially Valuable for Nonprofits

Nonprofits often manage sensitive donor, beneficiary, and financial data while operating under tight budgets. Azure Policy helps by:

- Enforcing security without increasing staffing
- Preventing costly configuration mistakes
- Supporting audit readiness
- Protecting donor trust
- Reducing operational waste

Final Recommendations

- ✅ Start with built‑in policies
- ✅ Apply policies at the management group level when possible
- ✅ Use Deny for hard requirements; Audit for learning phases
- ✅ Group policies into initiatives
- ✅ Review compliance dashboards regularly
- ✅ Document governance decisions for transparency and audits

Conclusion

Azure Policy is a foundation of strong cloud governance. Whether you’re restricting deployment regions, enforcing security baselines, or preparing for audits, it delivers automated, consistent, and scalable enforcement. For nonprofits and mission‑driven organizations, Azure Policy ensures every cloud resource supports security, compliance, and responsible stewardship—without increasing operational burden.

171 Views, 0 likes, 0 Comments

Building Intelligent Apps With Azure
Technology is changing fast, and apps today can do far more than they used to. With artificial intelligence (AI) becoming part of everyday tools, organizations of all sizes are looking for ways to build smarter, more helpful apps. Microsoft Azure makes this easier by giving teams the tools and training they need to learn, experiment, and create with confidence.

What Makes an App “Intelligent”?

An intelligent app uses AI to make experiences feel more natural and responsive — like understanding language, recognizing images, or offering helpful suggestions. You can build these apps from scratch or modernize the ones you already have using Microsoft Azure. Cloud technology plays a big role because it keeps everything fast, secure, and easy to scale.

Helping Teams Build With Confidence

Working with AI can feel overwhelming at first. Teams often face challenges like:

- Not having much experience with AI
- Feeling unsure about which tools to use
- Wanting to make sure AI is used responsibly

Azure supports teams with hands‑on learning, expert guidance, and built‑in responsible AI tools through frameworks like Microsoft Responsible AI, helping teams build safely and confidently.

Start With the Basics

Before building intelligent apps, it helps to understand where your team is today and what skills they may need. Azure and Microsoft Learn offer simple, practical resources to get started:

- AI fundamentals – Learn the basics of how AI works
  https://learn.microsoft.com/ai
- Generative AI – Explore tools like AI copilots and how to write effective prompts
  Craft effective prompts for Microsoft 365 Copilot - Training | Microsoft Learn
- Cloud‑native development – Build apps designed to run smoothly in the cloud
  Create cloud native apps with Azure and open-source software - Training | Microsoft Learn

Modernizing older apps:

- Azure application modernization overview - Assess, plan, and modernize existing workloads
  Microsoft App Modernization Guidance for Azure - App Modernization Guidance | Microsoft Learn
- Power Platform modernization - Rebuild or extend legacy apps using low-code tools.
  Modernize applications with Power Platform - Power Platform | Microsoft Learn
- Azure & .NET modernization – Upgrade ASP.NET apps to modern .NET and deploy to Azure
  Modernize ASP.NET and ASP.NET Core web applications - App Modernization Guidance | Microsoft Learn

These resources help teams learn at their own pace and build confidence as they go.

Deploying Apps the Right Way

Once your app is ready, you need a smooth way to launch it. Azure provides tools and best practices to help teams:

- Set up the right environment
- Build and test apps quickly
- Use containers and DevOps to speed up delivery
  Azure DevOps | Microsoft Azure
  Containers on Azure | Microsoft Azure
- Deploy AI features safely using Azure’s governance and security tools

As many developers have noted, “What used to take weeks now takes hours.”

Keep Improving Over Time

Building an intelligent app isn’t a one‑time project. Teams need to monitor performance, keep apps secure, and make improvements as technology evolves. Azure offers resources to help with:

- Scaling apps as usage grows — Automatically adjust resources to meet demand while maintaining performance and reliability.
- Protecting apps from security threats — Use built‑in security, identity, and compliance tools to safeguard data and reduce risk.
- Improving accuracy and performance — Monitor models and applications to fine‑tune quality, responsiveness, and user experience.
- Managing costs — Track usage, optimize resources, and control spending as apps grow and evolve.

Create a Culture of Continuous Learning

The most successful organizations treat learning as an ongoing investment. As Forbes notes, helping people understand new technologies builds trust and prepares teams for the future.

Microsoft offers a wide range of learning paths, tutorials, and hands‑on experiences to support your team as they explore AI and intelligent app development:

- https://learn.microsoft.com/
- https://www.microsoft.com/nonprofits/offers-for-nonprofits
- https://learn.microsoft.com/industry/nonprofit/microsoft-for-nonprofits/

139 Views, 0 likes, 0 Comments

Shared Data and Collective Resolve Are Advancing ALS Research
Answer ALS shows what becomes possible when people come together to share data in service of something bigger than themselves—and why that mindset matters far beyond ALS research.

That spirit is reflected in the journey of former New Orleans Saints player Steve Gleason, who was diagnosed with ALS in 2011 just months before he and his wife were expecting their first child. Rather than allowing the diagnosis to define his future, Gleason founded Team Gleason to support people living with ALS through assistive technology, equipment, and care services.

In 2013, he challenged the scientific community to push beyond conventional thinking, declaring, “The status quo is not acceptable.” That call helped spark the founding of Answer ALS, a nonprofit organization dedicated to understanding ALS at unprecedented depth.

Today, that collaboration continues through Neuromine, the world’s largest ALS research hub, built in collaboration with Microsoft and powered by Microsoft Azure. Neuromine brings together anonymized biological and clinical data from more than 2,500 individuals who have chosen to share their information to accelerate progress.

Why this matters for nonprofits: when organizations prioritize collaboration, trust, and responsible data sharing, they unlock insights that no single institution could achieve alone. This story is a powerful reminder that technology—used thoughtfully—can help nonprofits move faster, work smarter, and drive impact at scale.

Learn more on Microsoft for Nonprofits LinkedIn

101 Views, 0 likes, 0 Comments

Discontinuation of M365 Business Premium Grant Deeply Disappointing, Harmful to Small Nonprofits
As a Microsoft CSP partner supporting multiple nonprofit organizations, I am extremely disappointed by the decision to discontinue the Microsoft 365 Business Premium grant. This change disproportionately affects small nonprofits that rely on these tools to fulfill their missions with limited resources.

The justification that this is about “alignment” or “sustainability” is disingenuous. Let’s be honest—this is a revenue-driven decision that undermines Microsoft’s long-standing commitment to empowering nonprofits. Removing access to essential tools like Office desktop apps and Intune from the grant program forces small organizations into paid plans they cannot afford, jeopardizing their operations and security.

Microsoft has built goodwill in the nonprofit sector over the years. This move erodes that trust. I urge you to reconsider this decision or at least provide a longer transition period and more flexible options for small nonprofits.

Please do better. The nonprofit sector deserves more than a corporate cost-cutting maneuver disguised as a strategic realignment.

977 Views, 7 likes, 3 Comments

How to Re-Register MFA
Working closely with nonprofits every day, I often come across a common challenge faced by MFA users. Recently, I worked with a nonprofit leader who faced an issue after getting a new phone. She was unable to authenticate into her Microsoft 365 environment because her MFA setup was tied to her old device. This experience highlighted how important it is to have a process in place for MFA re-registration. Without it, even routine changes like upgrading a phone can disrupt access to your everyday tools and technologies, delaying important work such as submitting a grant proposal.

Why MFA is Essential for Nonprofits

Before we discuss how to reset MFA, let’s take a step back and discuss why MFA is a necessity for nonprofits, just as it is for any organization. In the nonprofit world, protecting sensitive or confidential data—like donor information, financial records, and program details—is a top priority. One of the best ways to step up your security game is by using Multi-Factor Authentication (MFA). MFA adds an extra layer of protection on top of passwords by requiring something you have (like a mobile app or text message) or something you are (like a fingerprint). This makes it a lot harder for cybercriminals to get unauthorized access.

If your nonprofit uses Azure Active Directory (AAD), or Microsoft Entra (as it is now called), with Microsoft 365, MFA can make a big difference in keeping your work safe. Since Microsoft Entra is built to work together with other Microsoft tools, it’s easy to set up and enforce secure sign-in methods across your whole organization. To make sure this added protection stays effective, it’s a good idea to occasionally ask users to update how they verify their identity.

What Does MFA Re-Registration Mean for Nonprofits?

MFA re-registration is just a fancy way of saying users need to update or reset how they authenticate, or verify, themselves. This might mean setting up MFA on a new phone (like the woman in the scenario above), adding an extra security option (like a hardware token), or simply confirming their existing setup. It’s all about making sure the methods and devices your users rely on for MFA are secure and under their control.

When and Why Should Nonprofits Require MFA Re-Registration?

Outside of getting a new phone, there may be other situations that call for re-registering MFA. A few scenarios include:

- Lost or Stolen Devices: Similar to the scenario above, if someone loses their phone or it gets stolen, you will have to re-register the new device.
- Role Changes: If someone’s responsibilities change, their MFA setup can be adjusted to match their new access needs.
- Security Enhancements: Organizations may require users to re-register for MFA to adopt more secure authentication methods, such as moving from SMS-based MFA to an app-based MFA like Microsoft Authenticator.
- Policy Updates: When an organization updates its security policies, it might require all users to re-register for MFA to comply with new standards.
- Account Compromise: If there is a suspicion that an account has been compromised, re-registering for MFA can help secure the account by ensuring that only the legitimate user has access.

With Microsoft Entra, managing MFA re-registration is straightforward and can be done by an administrator of the organization’s tenant.

How to require re-registration of MFA

To reset or require re-registration of MFA in Microsoft Entra, please follow the steps below.

1. Navigate to portal.azure.com with your nonprofit admin account.
2. Select Microsoft Entra ID
3. Select the drop-down for Manage
4. In the left-hand menu bar select Users > Select the user's name that you want to re-register for MFA (not shown).
5. Once in their profile, select Manage MFA authentication methods
6. Select Require re-register multifactor authentication

Congratulations! The user will now be required to re-register the account in the Microsoft Authenticator app.

7.7K Views, 2 likes, 1 Comment

Don’t Get Locked Out: Why Every Organization Needs Emergency Access Accounts
When systems fail—or when administrators suddenly lose access—the ability to regain control quickly can determine whether your nonprofit continues delivering essential services or faces major disruption. Emergency Access Accounts (also known as break‑glass accounts) give you a crucial safety net, ensuring your team can restore services, manage users, and adjust security settings even when normal admin access is unavailable.

This updated guide explains why these accounts are vital, how to configure them correctly, and how nonprofits can secure them within Microsoft Entra ID.

Why Emergency Access Accounts Matter

In our previous discussion, we highlighted that resilience starts with preparation. If your primary admin accounts become locked out due to MFA issues, Conditional Access misconfigurations, outages, or human error, break‑glass accounts are your only guaranteed path to recovery.

To function safely and effectively, these accounts must be:

- Highly secure
- Isolated from daily operations
- Able to bypass standard access controls
- Protected with passwordless authentication (Passkeys/FIDO2, certificates, Windows Hello)

And every organization—nonprofit or otherwise—should maintain at least two for redundancy and continuity.

Best Practices for Nonprofits Creating Emergency Access Accounts

Before setting up a break‑glass account, review these nonprofit‑aligned security practices:

1. Use Non‑Obvious Naming
   Avoid predictable names like "breakglass" or "emergencyadmin." Use neutral, coded names known only to trusted administrators.

2. Create Cloud‑Only Accounts
   Do not sync these accounts from on‑premises directories. Cloud‑only accounts remain available even if local infrastructure goes down.

3. Don’t Assign Licenses
   Licenses add unnecessary exposure. Break‑glass accounts should not use email, Teams, or any cloud workloads.

4. Don’t Link the Account to a Real Person
   These accounts belong to the organization, not an individual. Avoid personal MFA methods like individual phones or emails.

5. Enforce Strong Password Standards
   - 32‑character complex password (minimum)
   - Rotate securely twice per year
   - Do not reuse passwords
   - Store them under a tightly governed, documented process

6. Disable Password Expiration
   If passwords auto‑expire, the account can break at the worst time. Rotate manually under a secure, audited process.

7. Exclude From Conditional Access Policies
   Break‑glass accounts must still work even when Conditional Access doesn’t. Exclude them from any policy that might block sign‑in.

8. Assign Permanent Global Administrator Role
   Emergency accounts need always‑on permissions. Do not use PIM‑eligible roles or time‑restricted activation.

How to Create an Emergency Access Account in Microsoft Entra ID

Step 1 — Create the Account

1. Open Microsoft Entra Admin Center.
2. Navigate to Entra ID → Users → All users.
3. Select + New user → Create new user.
4. Use the .onmicrosoft.com domain.
5. Ensure Account enabled is selected.
6. Set the Usage location.
7. Assign the Global Administrator role.
8. Review and create.

Repeat the steps to establish a second emergency account as needed.

Step 2 — Enable Passwordless Authentication

Break‑glass accounts should always be secured using passwordless methods:

- Passkeys (FIDO2)
- Certificate‑based authentication (CBA)

How to Enable FIDO2 Passkeys

1. Go to: Entra ID → Security → Authentication methods → Policies → FIDO2 Security Key
2. Enable FIDO2 if not already enabled and click Save.

How to Enable Certificate‑Based Authentication (CBA)

Step 1 — Upload Your Certificate Authority

1. Entra Admin Center → Entra ID → Certificate authorities
2. Upload your Root CA
3. Mark as Root CA (if applicable)
4. Add any intermediate CAs
5. Provide the CRL (Certificate Revocation List) URL for revocation checks
   This is required so Entra can check for revoked certificates

Step 2 — Turn on Certificate‑Based Authentication

1. Go to: Entra ID → Authentication methods → Policies
2. Choose Certificate‑based authentication
3. Switch Enable → On
4. Under Include, target only your break‑glass accounts

Conclusion

Emergency access accounts aren’t just a security measure—they’re an operational safeguard that protects your mission. When the unexpected happens, these accounts ensure your organization can recover quickly and continue serving your community.

717 Views, 1 like, 0 Comments

How Cloud + AI Solutions Empower Nonprofits to Do More with Less
Nonprofits play a vital role in our communities—delivering essential services, supporting vulnerable groups, and driving social change. Yet many face familiar hurdles: limited budgets, outdated systems, rising data demands, and the need to stay connected with donors, volunteers, and the people they serve.

Cloud technology and artificial intelligence (AI) are helping nonprofits overcome these challenges. Solutions like Microsoft Azure make it easier to modernize, stay secure, and expand impact.

The Cloud + AI Advantage for Nonprofits

Cloud computing provides secure storage, flexible computing power, and modern tools without costly infrastructure. AI builds on that foundation—analyzing data, automating tasks, understanding language, and making predictions that help teams work smarter.

Together, cloud and AI help nonprofits:

- Reduce manual work
- Improve staff and volunteer efficiency
- Personalize communications
- Gain deeper data insights
- Build more responsive, effective programs

In short, AI becomes a digital copilot that frees teams to focus on their mission.

Secure Data, Stronger Trust

Nonprofits manage sensitive information and complex compliance needs. Azure offers built‑in security, encryption, and access controls—allowing organizations to protect data with enterprise‑grade safeguards, without needing a large IT team.

Modernize Without Overspending

Aging servers and disconnected systems slow organizations down. Azure enables nonprofits to:

- Move files and apps to the cloud
- Scale storage as needed
- Avoid expensive hardware upgrades
- Reduce downtime and crashes

This flexibility stretches budgets while improving reliability.

Unlock Better Insights With AI

Data is powerful only when it’s usable. Azure AI helps nonprofits analyze trends, measure impact, forecast needs, and improve engagement—turning raw data into actionable insights.

Do More With Limited Resources

Small teams often juggle many roles. Cloud automation and AI‑enhanced workflows streamline processes, reduce manual tasks, and boost productivity—so more time goes toward serving communities.

Ready to Explore Azure?

Cloud and AI don’t replace human effort—they amplify it. With the right foundation, nonprofits can become more agile, secure, and impactful.

Register for the eBook: The cloud + AI: Microsoft Azure solutions for nonprofits

158 Views, 0 likes, 0 Comments

AI in Care Services: Restoring the Human Touch
Frontline care workers are the heart of our communities—but many are overwhelmed by paperwork, policies, and burnout. In Australia alone, the care sector faces a 344,000-worker shortage. The question isn’t just how to meet demand—it’s how to care for the caregivers.

Two nonprofits—Uniting NSW.ACT in Australia and Parlan in the Netherlands—are showing how AI can do just that.

Uniting NSW.ACT: Meet Buddy, the AI Sidekick

Serving 148,000 clients annually, Uniting needed a smarter way to work. Enter Buddy, an AI assistant built on Microsoft Azure.

What Buddy Delivers:

- Case notes in 2 minutes (down from 15)
- Voice-to-text documentation, even in remote areas
- Instant access to 1,600 policies
- More time for personal, compassionate care

Buddy uses Azure OpenAI Service and a Retrieval Augmented Generation (RAG) approach to surface accurate policy guidance and streamline compliance. It saves frontline workers nearly an hour per day, improves onboarding, and helps attract and retain staff in a tight labor market. By reducing administrative burdens, Buddy empowers carers to focus on what matters most—human connection.

Parlan: Copilot for Mental Health

Dutch nonprofit Parlan provides mental health care to children and families with complex needs. To reduce paperwork and improve care, Parlan adopted Microsoft 365 Copilot.

What Copilot Delivers:

- Therapy reports in minutes
- Faster prep for complex cases
- Real-time translation in Teams
- Easy creation of therapeutic tools

Copilot helps staff summarize hundreds of pages of client history, draft reports quickly, and even translate conversations during live sessions. It also assists in creating therapeutic stories—tasks that once took hours now take minutes. By streamlining administrative work, Copilot gives practitioners more time for direct care.

Why It Matters

This isn’t just about speed—it’s about wellness. Less admin means:

- Lower stress
- Reduced burnout
- Higher job satisfaction
- Better client outcomes

The Big Picture

AI isn’t replacing care—it’s restoring time, trust, and connection. Tools like Buddy and Copilot help workers do what they do best: care deeply, and serve with purpose.

To learn more about their story, please visit Microsoft for Nonprofits: How Technology Is Boosting Worker Wellness and Restoring the Human Touch | LinkedIn

150 Views, 0 likes, 0 Comments

How AI Is Helping Patients Access Life-Saving Treatments Faster
Every day counts when patients are waiting for critical medications. For NSF, audits of new drugs are essential to ensure safety and compliance—but these processes can take weeks, slowing time-to-market for therapies that could change lives.

NSF partnered with the Cloud Accelerate Factory to build an Azure AI-powered solution that automates document review, compliance checks, and summary generation. The result? Audit times cut by 50%, freeing experts to focus on strategy and enabling treatments to reach patients sooner.

With near-perfect accuracy and scalable design, this AI tool is transforming how NSF works—reducing inefficiencies, minimizing human error, and unlocking capacity for global impact.

This isn’t just about technology—it’s about accelerating hope. By embracing AI, NSF is proving how nonprofits can leverage innovation to amplify their mission and improve lives worldwide.

To learn more about how NSF, an independent, science-based organization, is using AI and to join the conversation, please read their full story on Microsoft for Nonprofits LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7406363128894160896

110 Views, 0 likes, 0 Comments

Want to Avoid Accidentally Deleting your Resources in Azure? It's Easier Than You Think
Sometimes, knowingly or unknowingly, you might delete a resource group in Azure. In this article, let's talk about how to configure Azure Resource Locking to protect your resources from being deleted or modified accidentally.

9.5K Views, 3 likes, 2 Comments