Exam AZ-103 topic 1 question 27 discussion

Actual exam question from Microsoft's AZ-103
Question #: 27
Topic #: 1

HOTSPOT -
You have an Azure subscription.
You need to implement a custom policy that meets the following requirements:
✑ Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso
✑ Ensures that resource groups can be created from the Azure portal
✑ Ensures that compliance reports in the Azure portal are accurate
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: "Microsoft.Resources/subscriptions/resourceGroups"

Box 2: DeployifNotExists -
DeployIfNotExists: deploys a resource if it does not already exist.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

Comments

Exam103
Highly Voted 4 years ago
Should be Append imho
Effect
Azure Policy supports the following types of effect:
Append: adds the defined set of fields to the request
Audit: generates a warning event in activity log but doesn't fail the request
AuditIfNotExists: generates a warning event in activity log if a related resource doesn't exist
Deny: generates an event in the activity log and fails the request
DeployIfNotExists: deploys a related resource if it doesn't already exist
Disabled: doesn't evaluate resources for compliance to the policy rule
EnforceOPAConstraint (preview): configures the Open Policy Agent admissions controller with Gatekeeper v3 for self-managed Kubernetes clusters on Azure (preview)
EnforceRegoPolicy (preview): configures the Open Policy Agent admissions controller with Gatekeeper v2 in Azure Kubernetes Service
Modify: adds, updates, or removes the defined tags from a resource
upvoted 15 times
Quanster
3 years, 10 months ago
Agree. Append. Requirement is "Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso" https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append "While Append can add tags to a resource during a create or update request, it's recommended to use the Modify". Other threads talk to the need of Remediation Task if DeployifNotExists is used.
upvoted 3 times
...
...
hukhalid
Highly Voted 3 years, 12 months ago
Guys there is "not" mentioned under if statement. answer should be deny.
upvoted 13 times
car9202
3 years, 8 months ago
Agree with hukhalid. It says "Ensure" and not append. So it should deny.
upvoted 1 times
KrisJin
11 months ago
You want to "ensure" that your kid goes to a good university. Instead of helping him to improve, you just deny him if he is only enrolled in a bad university.
upvoted 1 times
...
...
cucuff
3 years, 9 months ago
Not sure, but I think that "not" means "if that is NOT present, then do the following". Like a conditional
upvoted 5 times
...
...
tashakori
Most Recent 1 week, 2 days ago
- "Microsoft.Resources/subscriptions/resourceGroups" - „Append“
upvoted 1 times
...
Lkk51
2 years, 9 months ago
During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.
upvoted 1 times
...
mashk19
2 years, 10 months ago
It's append. The logic reads if the Resource Group Field does not equal Contoso then 'Append' Organisation field with Contoso. The 1st pre-req was to ensure that any new resource group is tagged with Contoso.
upvoted 1 times
...
JBinuya
3 years, 1 month ago
Am I reading the script correctly: if the field type is RG and field tag not equal to Contoso then 1. append tag contoso 2. deny tag contoso 3. deploy resource if not exist with field tag contoso
upvoted 2 times
...
vince60370
3 years, 2 months ago
Well, guys, it's "Append" for sure, and the reason is simple: the syntax for each effect has to follow some rules. For Deny: "For a Resource Manager mode, the deny effect doesn't have any additional properties for use in the then condition of the policy definition." It has for a "Resource Provider mode of Microsoft.Kubernetes.Data", but this is not the topic here. -> https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny-properties For DeployIfNotExists: It requires "Type", "roleDefinitionIds" and "Deployment" in the then condition. -> https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists-properties So, even if MS recommends using the Modify effect instead of Append, it is the ONLY ONE here that has a CORRECT SYNTAX.
upvoted 2 times
vince60370
3 years, 2 months ago
Finally, "An append effect only has a details array, which is required. As details is an array, it can take either a single field/value pair or multiples. Refer to definition structure for the list of acceptable fields." -> https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append-properties
upvoted 1 times
...
GokuUI
3 years, 1 month ago
Append it is
upvoted 1 times
...
...
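The syntax argument made in this thread (deny takes no details in Resource Manager mode, DeployIfNotExists needs type, roleDefinitionIds and deployment, append needs a details array of field/value pairs) can be checked mechanically. This is an added example, not part of the original discussion or the exam: the policy rule is reconstructed from what the comments describe, and the tag field spelling and the function names are assumptions.

```python
# Added example: does a given effect fit the shape of a policy rule's "then" block?
# Constructed rule matching what the comments describe (not the exam's own image).
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type",
         "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"not": {"field": "tags['organization']", "equals": "Contoso"}},
    ]},
    "then": {
        "effect": None,  # the blank the question asks for
        "details": [{"field": "tags['organization']", "value": "Contoso"}],
    },
}

DINE_REQUIRED = ("type", "roleDefinitionIds", "deployment")

def effect_problems(effect, then_block):
    """Return the reasons why `effect` does not fit `then_block` (empty = fits)."""
    details = then_block.get("details")
    name = effect.lower()
    problems = []
    if name == "deny":
        if details is not None:
            problems.append("deny takes no details in Resource Manager mode")
    elif name == "append":
        if not isinstance(details, list) or not details:
            problems.append("append requires a details array")
        else:
            for pair in details:
                if not isinstance(pair, dict) or set(pair) != {"field", "value"}:
                    problems.append(f"append entry is not a field/value pair: {pair!r}")
    elif name == "deployifnotexists":
        if not isinstance(details, dict):
            problems.append("deployIfNotExists details must be an object")
        else:
            problems += [f"deployIfNotExists details missing '{k}'"
                         for k in DINE_REQUIRED if k not in details]
    else:
        problems.append(f"effect not covered by this check: {effect}")
    return problems

def fitting_effects(then_block, candidates=("append", "deny", "deployIfNotExists")):
    """Candidate effects whose required shape matches `then_block`."""
    return [e for e in candidates if not effect_problems(e, then_block)]

if __name__ == "__main__":
    print(fitting_effects(POLICY_RULE["then"]))
```

The check covers only the shape of the `then` block, which is the point the commenters argue from; it does not evaluate the `if` condition.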
PT16
3 years, 3 months ago
I would also say Append could be the answer. The DeployIfNotExists example in the docs has a 'deployment to be executed'. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
upvoted 2 times
...
Thi
3 years, 4 months ago
i will go for given answer...3.resource,3.does not exist
upvoted 2 times
...
[Removed]
3 years, 5 months ago
The first bullet "Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso" is the focus of the policy. The first part says "if the resource group doesn't have the tag Organization:Contoso". The second part says "then do this" which is to add the tag of Organization:Contoso to RGs. If the result was to Deny anything you wouldn't need any more details. The policy is just enforcing this Organization:Contoso tag onto all new RGs created. Seems straightforward logic.
upvoted 3 times
...
pugazh25in
3 years, 6 months ago
It says New Resource group hence effect should be append
upvoted 2 times
...
Xila
3 years, 7 months ago
It should be Append. DeployIfNotExists requires "Deployment" property: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists
upvoted 3 times
...
Rajottam
3 years, 7 months ago
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append Append should be the ans for 2nd box
upvoted 2 times
...
tm_knight86
3 years, 7 months ago
In reference to this link, it says that each type of 'effect' must have the required properties associated to it. So far, it seems that only the 'Append' effect has the 'Details' as the required 'property', whereas 'Deny' effect for resource manager mode, as per this link, doesn't need any other property after the 'Deny'. Let me know your thoughts. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#append
upvoted 1 times
ujj
3 years, 2 months ago
Refer to the below URL, the "detail" segment is followed after append, just like add or remove followed after modify. That detail definition works well with append effect. Also if we choose "deny" we have to make sure to assign tags manually while creating resource-groups through Portal, doesn't that defeat the purpose of the policy to make things easier for us. Why to use deny the resource, when we can create resource with policy either modifying or appending the tag. I tested below url, this works https://stackoverflow.com/questions/56074872/appending-tag-policy-isnt-working-for-some-resources
upvoted 1 times
ujj
3 years, 2 months ago
append is the correct answer with detail section , if it would be deny , no detail section is required.
upvoted 1 times
...
...
...
tm_knight86
3 years, 7 months ago
Hi all, just want to highlight one point. If the effect would be 'deny', would there be a need for the 'details' section at the end of json? I am wondering whether that hints towards using 'Append'. Cause Append would more meet the logic of having the 'details' of what to do following the effect. Let me know your thoughts.
upvoted 1 times
...
SilNilanjan
3 years, 7 months ago
Answer should be Deny! Check there is a 'NOT' mentioned in the IF block
upvoted 4 times
chaoscreater
3 years, 6 months ago
THIS should be upvoted more.
upvoted 1 times
...
...
AustinY
3 years, 7 months ago
There is a policy definition for adding a tag to resource groups on Azure, the answer is very obvious
upvoted 1 times
...