Should be Append imho Effect Azure Policy supports the following types of effect: Append: adds the defined set of fields to the request Audit: generates a warning event in activity log but doesn't fail the request AuditIfNotExists: generates a warning event in activity log if a related resource doesn't exist Deny: generates an event in the activity log and fails the request DeployIfNotExists: deploys a related resource if it doesn't already exist Disabled: doesn't evaluate resources for compliance to the policy rule EnforceOPAConstraint (preview): configures the Open Policy Agent admissions controller with Gatekeeper v3 for self-managed Kubernetes clusters on Azure (preview) EnforceRegoPolicy (preview): configures the Open Policy Agent admissions controller with Gatekeeper v2 in Azure Kubernetes Service Modify: adds, updates, or removes the defined tags from a resource

Guys there is "not" mentioned under if statement. answer should be deny.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.

It's append. The logic reads if the Resource Group Field does not equal Contoso then 'Append' Organisation field with Contoso. The 1st pre-req was to ensure that any new resource group is tagged with Contoso.

am I reading the script correctly: if the field type is RG and field tag not equal to Contoso then 1. append tag contoso 2. deny tag contoso 3. deploy resource if not exist with field tag contoso

Well, guys, it's "Append" for sure, and the reason is simple : the syntax for each effect has to follow some rules. For Deny : "For a Resource Manager mode, the deny effect doesn't have any additional properties for use in the then condition of the policy definition." It has for a "Resource Provider mode of Microsoft.Kubernetes.Data", but this is not the topic here. -> https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny-properties For DeployIfNotExists : It requires "Type", "roleDefinitionIds" and "Deployment" in the then condition. -> https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists-properties So, even if MS recommend to use Modify effect instead of Append, it is the ONLY ONE here that have a CORRECT SYNTAX.

I would also say Append could be the answer. The DeployIfNotExists example in the docs has a 'deployment to be executed'. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

i will go for given answer...3.resource,3.does not exist

The first bullet "Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso" is the focus of the policy. The first part says "if the resource group doesn't have the tag Organization:Contoso". The second part says "then do this" which is to add the tag of Organization:Contoso to RGs. If the result was to Deny anything you wouldn't need any more details. The policy is just enforcing this Organization:Contoso tag onto all new RGs created. Seems straightforward logic.

Its says New Resource group hence effect should be append

It should be Append. DeployIfNotExists requires "Deployment" property: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append Append should be the ans for 2nd box

in reference to this link, it says that the each type of 'effect' must have the required properties associated to it. So far, it seems that only the 'Append' effect has the 'Details' as the required 'property', whereas 'Deny' effect for resource manager mode, as per this link, doesn't need any other property after the 'Deny'. Let me know your thoughts. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append

Hi all, just want to highlight one point. If the effect would be 'deny', would there be a need for the 'details' section at the end of json? I am wondering whether that hints towards using 'Append'. Cause Append would more meet the login of having the 'details' of what to do following the effect. Let me know your thoughts.

Answer should be Deny! Checke there is a 'NOT' mentioned in the IF block

There is a policy definition for adding a tag to resource groups on Azure, the answer is very obvious

Add a tag to resources (Modify): Applies a required tag and its default value if it's not specified by the deploy request. https://docs.microsoft.com/en-us/azure/governance/policy/overview Policy Definition part.