I recently delivered a session at Microsoft Ignite The Tour in London around governance in Azure. One of the critical points in this session is that before you try and implement any controls around resources, cost or security you need to have a good understanding of what your Azure estate currently looks like and what resources you are making use of, so you know where to focus your effort.
There is no point spending lots of time implementing policies to restrict which size web apps you can deploy if no one is using them.