Enterprise Policy at Scale: Part 1 - Unwrapping Azure Policy Governance

stephentulp
December 17, 2025

3 minutes to read

Overview

When it comes to managing Azure Policy at scale, organisations face the challenge of maintaining consistency, governance, and compliance across hundreds or even thousands of resources spanning multiple subscriptions and management groups. While Azure Policy is a powerful governance tool, implementing and maintaining policies manually quickly becomes unsustainable as your Azure estate grows.

Over the years, several approaches have emerged to tackle this challenge, each with its own strengths and trade-offs:

  • Via the portal - Quick for initial exploration but doesn’t scale and lacks version control.
  • Via Bicep - Whether this was using the ALZ Bicep accelerator or custom Bicep modules, it involved wrapping the underlying .json files in Bicep using the loadJsonContent() function. With all the moving parts and dependencies, this approach could become complex and hard to maintain, let alone the challenges with the 4MB size limit as outlined in the ALZ Bicep Repo.
  • Via Terraform - Similar challenges to Bicep, with the added complexity of managing Terraform state and modules.

I mentioned earlier in the month that, as much as people want one IaC language to solve all deployment challenges, the reality is that different tools excel in different scenarios. When it comes to policy governance at scale, removing the complexity of wrapping the underlying JSON files in Bicep or HCL and focusing on a purpose-built framework can make all the difference. The Enterprise Policy as Code (EPAC) solution may seem daunting at first, but it has extensive documentation, multiple deployment options and is highly configurable, with strong community backing and regular updates and improvements.

What is new with version 11

Version 11 of EPAC introduces several enhancements:

  • Improved and updated outputs for the core EPAC commands.
  • Changes to the ALZ sync process to simplify and improve reliability.
  • Azure Lighthouse updates.

We will focus on the first two points across the next 2 days.

Getting Started

First things first, we need to get familiar with the Getting Started guide. This is important because it outlines the prerequisites and initial setup steps required before diving into EPAC. I highly recommend going through this guide to ensure you have the necessary tools and permissions in place.

Run the Hydration Kit

Use the Install-HydrationEpac cmdlet to start the Hydration Kit Installer, specifying the TenantIntermediateRoot:

```powershell
$tenantIntermediateRoot = "mg-alz" # Replace with your Management Group ID
Install-HydrationEpac -TenantIntermediateRoot $tenantIntermediateRoot
```

Define your EPAC environments in the `pacEnvironments` section of the global settings file; the required entries are described in the EPAC documentation: https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-global-setting-file.md#Define-EPAC-Environments-in-%60pacEnvironments%60

Generate the ALZ policy default structure file for each EPAC environment:

```powershell
New-ALZPolicyDefaultStructure -DefinitionsRootFolder .\src/lib -Type ALZ -PacEnvironmentSelector "epac-canary"

New-ALZPolicyDefaultStructure -DefinitionsRootFolder .\src/lib -Type ALZ -PacEnvironmentSelector "epac-tenant"
```
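Once the generated structure file has been filled in (the step that follows), a pre-flight check like the one below catches the two mistakes that most often surface only during the ALZ sync: a mapping that points at a management group that does not exist (or that your identity cannot see), and an enforcement mode that is not one of the two values Azure Policy accepts. This is an added example, not code from the post or from the EPAC project. It assumes PowerShell 7 (whose ConvertFrom-Json tolerates the comments in a .jsonc file), the Az.Resources module with an authenticated session, a file name of `alz.policy_default_structure.jsonc` under the definitions root, and that each `managementGroupNameMappings` entry carries its management group resource id in a `value` property (the script also accepts a plain string); check those names against the file the cmdlet wrote for you.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Resources
# Added example: sanity-check the filled-in ALZ policy default structure file
# before running the ALZ sync. Not part of the post or the EPAC module.
param(
    # Assumed file name/location; adjust to what New-ALZPolicyDefaultStructure wrote.
    [string]$StructureFile = '.\src\lib\alz.policy_default_structure.jsonc'
)

$structure = Get-Content -Path $StructureFile -Raw | ConvertFrom-Json -AsHashtable
$problems  = [System.Collections.Generic.List[string]]::new()

# 1. enforcementMode must be one of the two values Azure Policy understands.
$allowedModes = @('Default', 'DoNotEnforce')
if ($structure.enforcementMode -notin $allowedModes) {
    $problems.Add("enforcementMode '$($structure.enforcementMode)' is not one of: $($allowedModes -join ', ')")
}

# Resolve a management group id (or full resource id) once and remember the answer,
# so a group referenced by several mappings costs a single ARM call.
$mgCache = @{}
function Test-ManagementGroupExists {
    param([string]$IdOrResourceId)
    $mgId = ($IdOrResourceId -split '/')[-1]   # '.../managementGroups/mg-alz' -> 'mg-alz'
    if ([string]::IsNullOrWhiteSpace($mgId)) { return $false }
    if (-not $mgCache.ContainsKey($mgId)) {
        # $null when the group does not exist or the caller has no read access to it.
        $mgCache[$mgId] = [bool](Get-AzManagementGroup -GroupId $mgId -ErrorAction SilentlyContinue)
    }
    return $mgCache[$mgId]
}

# 2. Every management group referenced in managementGroupNameMappings must exist.
foreach ($entry in $structure.managementGroupNameMappings.GetEnumerator()) {
    # Assumption: the mapping value is either an object with a 'value' property
    # holding the MG resource id, or the id itself as a plain string.
    $raw = if ($entry.Value -is [hashtable]) { $entry.Value['value'] } else { $entry.Value }
    if (-not (Test-ManagementGroupExists -IdOrResourceId $raw)) {
        $problems.Add("mapping '$($entry.Key)' -> '$raw' does not resolve to a management group you can read (check spelling and RBAC scope)")
    }
}

# 3. If guardrails are enforced, the target management groups must exist as well.
#    Assumption: enforceGuardrails has 'enabled' and 'managementGroups' members.
if ($structure.enforceGuardrails -and $structure.enforceGuardrails.enabled) {
    foreach ($mg in @($structure.enforceGuardrails.managementGroups)) {
        if (-not (Test-ManagementGroupExists -IdOrResourceId $mg)) {
            $problems.Add("enforceGuardrails targets '$mg', which does not resolve to a management group you can read")
        }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Structure file failed $($problems.Count) check(s); fix them before running the ALZ sync."
}
Write-Host "Structure file is consistent: $($mgCache.Count) management group(s) resolved, enforcementMode=$($structure.enforcementMode)."
```

Run it once per EPAC environment (for example after editing the file for `epac-canary` and again for `epac-tenant`) with the identity that will later run the sync and deployment, so that the RBAC scope it checks against is the one that matters.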
Fill in the details:

  • Update the _managementGroupNameMappings_ to reflect your management group structure.
  • Set _enforcementMode_ to `Default` or `DoNotEnforce` as required.
  • Configure _enforceGuardrails_ for workload deployments.

Conclusion

In this first part of our deep dive into Enterprise Policy as Code version 11, we've explored the challenges of managing Azure Policy at scale and introduced the EPAC framework as a robust solution. We've also outlined the initial steps to get started with EPAC, including setting up the necessary folder structures and configuration files.