Many questions come to mind when I'm managing a large backup estate. Is the way backup has been configured in adherence with the compliance goals of my organization? How do I know how many resources are out of compliance? And how do I configure backups at scale? Azure Backup provides integrated experiences with Azure Policy to help me enforce backup governance at scale.

I can navigate to the Backup center dashboard in the Azure portal and click on Azure Policies for Backup to discover all the built-in and custom policy definitions available for me to use. Azure Backup provides a range of built-in policies to auto-enable backup for any VM present in a given scope. Depending on how my resources and backup teams are organized, I can choose to use any of the supported policies. For example, if my organization has a central backup team that manages backups across application teams, I can use a policy to configure backup to an existing central Recovery Services vault in the same subscription and location as the VMs being governed. On the other hand, if my application teams have dedicated resource groups and need to manage their own backups in their own vaults, I can use a policy that creates new vaults in the same resource group and location as the VMs for which backups are required. Additionally, I have the flexibility to include or exclude VMs based on their tags.

To assign an Azure Policy definition to a desired scope, I click on the policy definition and select Assign. I choose the scope for which the policy should be applied, which could either be a subscription or a resource group within a subscription. Next, I choose the parameters. I first choose the location of the VMs that I want to protect. Note that if I have VMs spread across multiple locations, I would need to create multiple assignments, since Azure Backup requires the VMs and the vault to be in the same location.

Next, I can optionally select the inclusion tag. If I specify values for the inclusion tag parameter, only VMs which have those tags will fall under the scope of the policy assignment. Here, I specify that the policy applies to all VMs which have the tag name environment and the tag value production. Next, I specify the vault and the backup policy that should be applied to these VMs.

Once I assign a policy, any new VM that is created under its scope automatically gets enabled for backup. But what if I also want to back up existing VMs in scope that were created before the policy assignment? To do this, I can create a remediation task which will make the existing VMs compliant. Finally, I click Create and the policy assignment gets created. Note that it could take up to 30 minutes for the policy assignment to take effect.

To evaluate which of my VMs are compliant as per the policy, I can visit the backup compliance blade in Backup center, which shows me the compliance metrics of all the built-in policies that I am using. I can get more detailed reports by clicking a given row. Evaluation of policy compliance happens once a day at a minimum, ensuring that the data here is up to date. What's more, I can also evaluate the compliance on demand via PowerShell, CLI or REST API and also trigger a remediation task programmatically.

In summary, Azure Backup and Azure Policy make sure that I am at peace knowing that I have protected my most critical resources and data.
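The on-demand evaluation and programmatic remediation mentioned above, sketched with the Azure CLI as an added example that is not part of the original video. The resource group and assignment names passed in are placeholders, and the remediation task name `remediate-<assignment>` is an arbitrary choice.

```shell
#!/bin/sh
# Added example: on-demand compliance scan plus remediation for a backup
# policy assignment. Requires a logged-in Azure CLI (`az login`).
# Arguments are placeholders supplied by the caller, not values from the page.

# Print how many resources the assignment currently reports as NonCompliant.
noncompliant_count() {
  nc_rg="$1"; nc_assignment="$2"
  az policy state list \
    --resource-group "$nc_rg" \
    --filter "policyAssignmentName eq '$nc_assignment' and complianceState eq 'NonCompliant'" \
    --query "length(@)" --output tsv
}

# Trigger a fresh evaluation, then create a remediation task only when at
# least one resource (for example a VM created before the assignment) is
# out of compliance. Prints the non-compliant count found by the scan.
scan_and_remediate() {
  sr_rg="$1"; sr_assignment="$2"
  # Without --no-wait this call returns once the scan has finished.
  az policy state trigger-scan --resource-group "$sr_rg" || return 1
  sr_count="$(noncompliant_count "$sr_rg" "$sr_assignment")" || return 1
  if [ "${sr_count:-0}" -gt 0 ]; then
    az policy remediation create \
      --name "remediate-${sr_assignment}" \
      --policy-assignment "$sr_assignment" \
      --resource-group "$sr_rg" >/dev/null || return 1
  fi
  echo "$sr_count"
}

# Usage (placeholder names):
#   scan_and_remediate "<resource-group>" "<backup-policy-assignment-name>"
```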