Microsoft Azure Security Technologies (AZ-500): Enterprise Governance
Shared Responsibility in the Cloud 
Azure Policy 
This allows administrator to specify certain policy for certain user/group to ensure that Azure resources are properly restricted or managed.
How to define Azure Policy? Search “Policy” → Select “Definitions”.
For example, you can configure a policy to only allow users from certain countries to create a resource group.
Or to force all VMs in a subscription to use SSH private/public key instead of username/password for authentication.
Azure Role Based Access Control (RBAC) 
RBAC can be applied on subscription level, resource group level or resource level.
Do take note that RBAC access is inherited. If Tom is being given owner rights at Subscription level, he will have owner rights at resource group level and resource level as well.
Azure Resource Locks 
Go to the specific resource → Select “Lock”.
Administrator can apply two types of locks to Azure resources:
All critical resources should be applied with a lock.
 Shared responsibility in the cloud — Microsoft Azure | Microsoft Docs
 Overview of Azure Policy — Azure Policy | Microsoft Docs
 What is Azure role-based access control (Azure RBAC)? | Microsoft Docs
 Lock resources to prevent changes — Azure Resource Manager | Microsoft Docs