ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-304 All Questions

View all questions & answers for the AZ-304 exam
Go to Exam

Exam AZ-304 topic 2 question 33 discussion

Actual exam question from Microsoft's AZ-304
Question #: 33
Topic #: 2
[All AZ-304 Questions]

HOTSPOT -
You need to design an Azure policy that will implement the following functionality:
✑ For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
✑ For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
✑ For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: Modify -
Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.
Incorrect Answers:
✑ The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy
✑ Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Box 2: A managed identity with the Contributor role
✑ Managed identity
How remediation security works: When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure
Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity.
✑ Contributor role
The Contributor role grants the required access to apply tags to any entity.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
by securitynija at March 14, 2021, 8:53 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
hkmikemak
Highly Voted 4 years, 4 months ago
Correct: Modify https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify remediation task is only mention in MODIFY section, not in APPEND section
upvoted 30 times
...
TOM1000
Highly Voted 4 years, 4 months ago
Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead. so answers provided are correct.
upvoted 7 times
...
tim_27_us
Most Recent 2 years, 9 months ago
Box1: Modify Box 2: Contributor role
upvoted 1 times
...
Teringzooi
3 years, 3 months ago
Today in AZ-305 exam. I picked these. Passed.
upvoted 4 times
...
IndrasenR
3 years, 4 months ago
This came in 305 on 25-Mar-2022
upvoted 6 times
...
plmmsg
3 years, 5 months ago
answer is correct
upvoted 2 times
...
Dpejic
3 years, 7 months ago
Appere on exam 23-dec-2021
upvoted 3 times
...
syu31svc
3 years, 10 months ago
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. 1st Drop down is Modify least privilege so 2nd drop down is managed identity with contributor role
upvoted 3 times
OCHT
3 years, 2 months ago
I have seen this on AZ-104 . Correct answer.
upvoted 1 times
...
...
dkltruong88
3 years, 10 months ago
Was in exam today 1-10-2021. I passed with score 896. I chose provided answer
upvoted 3 times
...
JavaTechi
3 years, 12 months ago
provided answer is correct. Why Modify? Existing non-compliant resources can be remediated. As per the question, remediation is expected for existing resources. As per the the documentation here: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects EnforceOPAConstraint & EnforceRegoPolicy is deprecated
upvoted 2 times
...
gssd4scoder
4 years, 2 months ago
Given answers are correct
upvoted 2 times
...
fromage
4 years, 4 months ago
Append looks enough for me.
upvoted 3 times
examineezer
3 years, 7 months ago
"Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead." https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects What "should" you include.... you should follow Microsoft's advice and choose Modify.
upvoted 1 times
...
...
securitynija
4 years, 5 months ago
correct
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel