Exam AZ-400 topic 4 question 33 discussion

"The company requires that all resource groups in the subscription have a tag named organization set to a value of Contoso." - This means also the existing resource groups need to have a tag. For that reason: 1. Microsoft.Resources/subscriptions/resourceGroups 2. Append There is a pre-built policy in Azure for this, called: Append a tag and its value to resource groups

take my word back, if you are denying you dont need to specify tag name and value, but it is defined in the question, so it should be append. my bad.

Final correct answer, verified 1. Microsoft.Resources/subscriptions/resourceGroups 2. Append

2 is append. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-append

Microsoft.Resources/subscriptions/resourceGroups DeployIfNotExists That ensures that all resource groups are tagged

For a deny policy the field and value properies wouldn't be neccessary and append is not for Tag as mentioned in other commends. Therefore I would go for "DeployIfNotExists". Any thoughts on this?

I think it's Append, because in the template, the effect is followed by the tag details, so that makes sense only if it's going to do an Append operation. If it's a deny, then what is the point of providing the tag details?

looks correct, many suggest append or deployIfnotExist. but that should not work since there is no configuration in the example that points to an managed identity or service principal with permission to do this action

{ "name": "Tagging policy", "description": "Policy to require all resource groups to have a tag named organization set to a value of Contoso.", "scope": { "type": "Subscription" }, "policyRule": { "ruleType": "Tag", "resourceType": "Microsoft.Resources/resourceGroups", "tagSpecs": [ { "tagName": "organization", "tagValue": "Contoso" } ], "effect": "Deny" } }

GPT4 This policy will deny any resource group creation or update that does not include a tag named 'organization' with a value 'Contoso'.

In the policy definition, the "then" block defines the action that will be taken when the conditions specified in the "if" block are met. In this case, the action is "effect": "deny". The "deny" effect means that if the conditions in the "if" block are met (i.e., the resource group does not have the required tag or the tag value is not "Contoso"), the policy will deny the creation or update of the resource group. As a result, the user attempting the action will receive an error message indicating that the operation is not allowed due to the policy. In summary, the "then" block with the "effect": "deny" is used to enforce the policy by disallowing the creation or update of resource groups that do not meet the specified tagging requirements.

You can create and assign a custom Azure Policy to enforce the required tagging for all resource groups in the subscription. Here's an example of the policy definition: { "properties": { "displayName": "Require organization tag", "policyType": "Custom", "mode": "Indexed", "description": "Enforces the existence of the 'organization' tag with the value 'Contoso' on resource groups.", "metadata": { "version": "1.0.0", "category": "Tags" }, "parameters": {}, "policyRule": { "if": { "allof": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" }, { "not": { "field": "tags['organization']", "equals": "Contoso" } } ] }, "then": { "effect": "deny" } } } }

The answer is append here is the reference: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49c88fc8-6fd1-46fd-a676-f12d1d3a4c71

The given answer is correct. The question clearly states that the resourcegroups must have tags as a requirement. If they do not have tags it doesn't say that tags should be automatically added. It is thus logical that the resourcegroup creation should be denied.

If you were going to use a deny policy then you wouldn't need the details. It should be append.

I think the given answer is correct. 1. Microsoft.Resources/subscriptions/resourceGroups 2. Deny According to this link (https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#tags.) there are eight options with regards to assigning tags to resource groups. This particular case states the tag VALUE 'Contoso' is REQUIRED, hence we are looking for "Require a tag and its value on resource groups". When opening the link belonging to this tag, the policy says: "displayName": "Require a tag and its value on resource groups", "policyType": "BuiltIn", "mode": "All", "description": "Enforces a required tag and its value on resource groups." [...] "then": { "effect": "deny"

Answer is append. Keyword is "requires." Append will set the value of what is specified in the details. I've done this before with hybrid benefit options on vm builds using a policy in the past.