Can be applied at the management group level, subscription level or resource group level. Evaluate rules on resource properties and then alter, audit or deny creation of a resource (concept: effects). Typically you start of by auditing and then enforcement.
Policies can be grouped into Initiatives.
For background information: Microsoft Docs. There’s a huge library of Azure policies and subscriptions. They are just not automatically assigned to the management group, subscription or resource group level. As an example you have the initiative ASC Default for Azure Securtiy Center Default with about 100 policies. You will get the json, but sometimes you will have to specify parameters, like the Allowed SKU’s.