A security policy defines the set of controls, which are recommended for resources within the specified subscription or resource group. In Security Center, you define policies for your Azure subscriptions or resource group according to your company security needs and the type of applications or sensitivity of the data in each subscription.
For example, resources that are used for development or test might have different security requirements from resources that are used for production applications. Likewise, applications that use regulated data like personally identifiable information might require a higher level of security. Security policies that are enabled in Azure Security Center drive security recommendations and monitoring to help you identify potential vulnerabilities and mitigate threats.
By default, when you enable Security Center and data collection, all of the security policies will be enabled by default. The policies inherit from the subscription down to the resource groups. However, you can individually control the security policies at the resource group level, if desired. In the following screen capture, notice that some of the resource groups have inheritance turned on and some are set to be unique (which means that the security policy settings might differ from the subscription).
| Note | To modify a security policy at the subscription level or resource group level, you must be an Owner or Contributor of that subscription. |
Mai Ali's Technical Blog 