When should I use a policy mitigation or exception?

OpsCompass allows you to log reasoning for why a resource is being identified as a problem if you don't plan to immediately follow the steps to remediate.

Use a policy mitigation when you are confident that your organization has taken an action to resolve this problem in a way other than suggested by the framework you have enabled in OpsCompass. 

• Example: A user is out of compliance for not encrypting data in transit in the cloud, but knows that all of their data is already encrypted before it is ever in the cloud thus meeting the requirements of the rule. 
Use a policy exception when you have decided to temporarily accept the risk for the time being. 
Example: A user may place a policy exception on MFA enforcement if they do not plan to roll it out until next quarter. In this situation OpsCompass would pause the problem notifications until the expiration date. 
Example: A cloud shell storage account can not have its default network access set to deny or it will not work properly in the Azure portal. This is an exception to a rule that will never be remediated, so leaving the date empty in OpsCompass will leave it paused unless you manually remove it. 
Additional Resources: