Enforces deployment to only approved Azure regions → Azure Policy; Provides continuous compliance verification → Microsoft Defender for Cloud
Why Azure Policy is correct
The requirement is to enforce that Azure OpenAI resources can be deployed only in approved Azure regions.
That is exactly what Azure Policy is designed to do. Azure Policy allows organizations to create and assign rules that govern resource deployment and configuration. For regional restrictions, you can define a policy that permits deployments only in allowed locations and denies deployments elsewhere.
From an AI business solutions and cloud governance perspective, Azure Policy is the right preventive control because it acts at deployment time. It helps enforce organizational standards before noncompliant resources are created.
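The regional restriction described above, written as a custom Azure Policy definition scoped to Azure OpenAI accounts. This is an added example, not a built-in definition or part of the original answer; the display name and the two default regions are constructed sample values.

```json
{
  "properties": {
    "displayName": "Example: Azure OpenAI accounts only in approved regions",
    "description": "Added illustration. Denies creation or update of Azure OpenAI accounts outside the approved region list.",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved regions",
          "description": "Constructed sample default; replace with the organization's approved list.",
          "strongType": "location"
        },
        "defaultValue": ["swedencentral", "westeurope"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.CognitiveServices/accounts" },
          { "field": "kind", "equals": "OpenAI" },
          { "field": "location", "notIn": "[parameters('allowedLocations')]" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigned at a management group or subscription scope, the deny effect rejects noncompliant create and update requests; resources that already exist outside the list are not removed, only reported as non-compliant.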
Typical policy use cases include:
restricting allowed Azure regions
enforcing approved SKUs
requiring tags
limiting resource types
ensuring security configuration standards
This is especially important for AI deployments where geography may affect:
Why Microsoft Defender for Cloud is correct
The second requirement is to provide continuous compliance verification of the resources.
That points to Microsoft Defender for Cloud.
Defender for Cloud continuously assesses Azure resources against security and compliance standards. It provides visibility into resource posture, identifies misconfigurations, and tracks compliance status over time.
This makes it well suited for ongoing verification because it supports:
continuous assessment
compliance dashboards
security posture monitoring
recommendations for remediation
regulatory standard mapping
In enterprise AI deployments, this is critical because governance is not only about blocking bad deployments. It is also about continuously validating that deployed resources remain compliant as environments evolve.
Why the other options are incorrect
Azure Monitor
Azure Monitor is used for telemetry, logging, metrics, and observability. It is not the primary service for enforcing allowed regions or for formal continuous compliance governance.
Microsoft Purview
Microsoft Purview focuses on data governance, data cataloging, classification, and compliance across data estates. It is not the main control for Azure resource deployment region enforcement.
Microsoft Sentinel
Microsoft Sentinel is a SIEM/SOAR platform for security analytics and threat detection. It is not the service used to enforce deployment locations, and it is not the primary tool for continuous Azure resource compliance verification.
Azure Policy for continuous verification
Azure Policy does provide compliance views, but in this question, the stronger mapping for continuous compliance verification is Microsoft Defender for Cloud, which is specifically designed for continuous security posture and compliance assessment across resources.
Expert reasoning
Use this exam pattern:
Prevent or restrict how Azure resources are deployed → Azure Policy
Continuously assess and verify cloud compliance posture → Microsoft Defender for Cloud