Exam AZ-900 topic 1 question 419 discussion

YNY is correct "Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created. Azure Policy can also prevent noncompliant resources from being created." https://learn.microsoft.com/en-us/training/modules/build-cloud-governance-strategy-azure/6-control-audit-resources-azure-policy

https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/3-describe-purpose-azure-policy Azure Policies can be set at each level, enabling you to set policies on a specific resource, resource group, subscription, and so on.

NNY is correct. Assigning Policies to VMs: Azure policies are assigned to scopes like management groups, subscriptions, or resource groups, not directly to individual resources like virtual machines.

NNY Option 1: NO. I cannot assign a policy directly to a specific resource (Ex, Virtual Machine). The policy is assigned to a resource group that includes the resource, in this case a VM. Policies are assigned at group level - not resource level. Option 2: NO. Non-compliant resources are flagged as such but never automatically removed. They can be remediated later on and will be blocked access until remediated. This happens when the VM was already there when the policy was assigned to the group Option 3: YES. Final answer: Azure Policy prevents the creation of non-compliant resources without manual evaluation. So I cannot create NEW NON-COMPLIEANR resources (in this case a VM) into a group if the Policy is already in place

Answer is NNY - CoPilot: You can't assign an Azure Policy directly to a single virtual machine (VM). Instead, you assign policies to the scope of a subscription, resource group, or management group. These policies then enforce rules on all resources within that scope, including VMs.

Looking at the contents in this link "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/recommended-policies" it appears, Azure policy can be assigned to VM. So, it appears the published answer is correct.

It should be NNY Azure Policy assignments are typically made at the management group, subscription, or resource group level, not directly to individual resources like virtual machines. Refer - https://learn.microsoft.com/en-us/answers/questions/1086208/assign-policy-to-specific-resource-in-azure

You can assign an Azure policy to a virtual machine. Answer: Yes (Azure policies can be assigned to various resources, including virtual machines, to enforce compliance with specific rules.) If an Azure policy is assigned to a resource group, noncompliant resources are removed from the group. Answer: No (Azure policies do not automatically remove noncompliant resources. Instead, they prevent the deployment of new noncompliant resources or can be used to audit existing resources.) If an Azure policy is assigned to a resource group, only compliant resources can be deployed to the group. Answer: Yes (When an Azure policy is assigned to a resource group, it can enforce compliance by preventing the deployment of noncompliant resources.)

Although Microsoft writes the folowing: Assignments An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment. It does not mean what we think what it means, when it mentions "resources". Scope has to be understood. A policy is first defined and then assigned to a scope (but not directly a resource e.g. VM) . Only when a resource is created afterwards, will there be an evaluation and if a parameter does not match, the resource will not be created. I spent lots of time on this and I think I kinda get it. I will answer N if I get this question

it's NO , NO, YES

I believe the answer is Y N N.

you can assign Azure policy to VM directly, the option policy is at the left pane. The A is correct.

On January 25th, 2024. 1. Yes. "Azure Policies can be set at each level, enabling you to set policies on a specific resource, resource group, subscription, and so on". 2. No. "In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources. [...] However, you still retain full control of your environment." 3. Yes. "For example, if you define a policy that allows only a certain size for the virtual machines (VMs) to be used in your environment, that policy is invoked when you create a new VM and whenever you resize existing VMs." https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/3-describe-purpose-of-azure-policy?ns-enrollment-type=learningpath&ns-enrollment-id=learn.wwl.describe-azure-management-governance

1. It is NO. I have tried to assign to a virtual machine in my private Azure Portal and the section is not there, so it is not possible to assign policies to virtual machines

To restrict VM sizes with Azure Policy, you can create a policy definition that specifies the allowed VM sizes. You can then assign this policy definition to your Azure subscription or resource group. This policy definition denies the deployment of VMs that are not of the allowed sizes. So I think N N Y is the answer.

By referring this this paragraph, i see It's Y for A.....Assign the definition to resources To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group.

1 is No, you cannot assign a policy definition to a single resource, such as a VM. You can only assign a policy definition to a management group, subscription, or resource group.