Azure Security Center (now part of Microsoft Defender for Cloud) leverages Azure Policy to enforce security configurations. To deploy a security policy, you must first define the scope of its assignment. While policies can be assigned to individual subscriptions, the best practice for managing policies across an organization is to use management groups. Creating a management group allows you to apply policies, access controls, and compliance settings to a collection of subscriptions efficiently. Therefore, the foundational step, especially for a structured deployment of a new policy like "SecPol1," is to create the management group that will serve as the target scope for the policy assignment.

A. Enable Azure Defender: Azure Defender (now Microsoft Defender for Cloud plans) provides advanced threat protection. Basic security policy management is available in the free tier and does not require enabling paid plans first.

C. Create an initiative: An initiative (or policy set) is a definition of a collection of policies. While you might need to create a custom initiative, you cannot assign or "deploy" it without first having a scope (like a management group or subscription) to assign it to.

D. Configure continuous export: Continuous export is a feature for streaming security alerts and recommendations to external tools like a SIEM. It is unrelated to deploying or assigning security policies.

1. Microsoft Learn

"Organize your resources with Azure management groups": "If your organization has many subscriptions

you may need a way to efficiently manage access

policies

and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions... You can apply governance conditions like policies... at the management group level." This document establishes that management groups are the primary tool for organizing subscriptions to apply policies.

2. Microsoft Learn

"What is Azure Policy?": Under the "Assignment" section

it states

"An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to a resource group." This confirms that a scope

such as a management group

is a prerequisite for policy assignment (deployment).

3. Microsoft Learn

"Security policy and compliance": "Defender for Cloud uses Azure Policy to set policies and to check for compliance... To apply a security policy to a group of resources

you can assign the policy to a management group

a subscription

or a resource group." This highlights that the assignment process

which is the deployment of the policy

requires a target scope

and management groups are a primary option for this.