Exam AZ-304 topic 8 question 6 discussion

Actual exam question from Microsoft's AZ-304
Question #: 6
Topic #: 8

DRAG DROP -
You need to configure an Azure policy to ensure that the Azure SQL databases have TDE enabled. The solution must meet the security and compliance requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:
Scenario: All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Step 1: Create an Azure policy definition that uses the deployIfNotExists identity.
The first step is to define, in the policy definition, the roles that deployIfNotExists and modify need in order to successfully deploy the content of your included template.
Step 2: Create an Azure policy assignment
When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles defined in roleDefinitionIds.
Step 3: Invoke a remediation task
Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource.
During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are provided on the Remediation page.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
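The three answer steps carried out with the Azure CLI, as an added example that is not part of the original page or of Microsoft's documentation. The policy rule is modelled on the built-in SqlDBEncryption_Deploy definition linked further down in the thread and is an assumption to check against the current built-in; the subscription scope, location and resource names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or Microsoft docs: the three answer steps as Azure CLI calls.
# SCOPE/LOCATION are placeholders; the rule is modelled on the built-in SqlDBEncryption_Deploy
# definition linked in the thread (assumption: check it against the current built-in first).
SCOPE="${SCOPE:-/subscriptions/00000000-0000-0000-0000-000000000000}"   # placeholder subscription
LOCATION="${LOCATION:-westeurope}"
POLICY_NAME="deploy-sql-tde"; ASSIGN_NAME="deploy-sql-tde-prod"

# Step 1 artifact: deployIfNotExists rule. existenceCondition inspects the TDE child resource;
# roleDefinitionIds (SQL DB Contributor) is what the assignment's managed identity gets granted.
tde_policy_rule() { cat <<'EOF'
{ "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Sql/servers/databases" },
      { "field": "name", "notEquals": "master" } ] },
  "then": { "effect": "deployIfNotExists", "details": {
      "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
      "name": "current",
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec" ],
      "existenceCondition": { "field": "Microsoft.Sql/transparentDataEncryption.status", "equals": "Enabled" },
      "deployment": { "properties": { "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": { "fullDbName": { "type": "string" } },
            "resources": [ {
                "name": "[concat(parameters('fullDbName'), '/current')]",
                "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                "apiVersion": "2014-04-01",
                "properties": { "status": "Enabled" } } ] },
          "parameters": { "fullDbName": { "value": "[field('fullName')]" } } } } } } }
EOF
}

apply_tde_policy() {
  rules=$(mktemp); tde_policy_rule > "$rules"
  # Step 1: the definition (Indexed mode: only resource types that support tags and location)
  az policy definition create --name "$POLICY_NAME" --display-name "Deploy TDE on SQL databases" \
    --mode Indexed --rules "$rules"
  # Step 2: assignment with a system-assigned identity; --identity-scope/--role make the CLI grant
  #         the role (the portal does this automatically). Older CLI spells it --assign-identity.
  az policy assignment create --name "$ASSIGN_NAME" --policy "$POLICY_NAME" --scope "$SCOPE" \
    --location "$LOCATION" --mi-system-assigned --identity-scope "$SCOPE" --role "SQL DB Contributor"
  # Step 3: remediation task, so databases that already exist are brought into compliance
  az policy remediation create --name "${ASSIGN_NAME}-remediate" --policy-assignment "$ASSIGN_NAME" \
    --resource-discovery-mode ReEvaluateCompliance
  rm -f "$rules"
}
# Calls Azure only when explicitly asked: sh tde_policy.sh apply
if [ "${1:-}" = "apply" ]; then apply_tde_policy; fi
```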

Comments

nkv
Highly Voted 3 years, 7 months ago
Came in the exam on 20-Sep-21; I passed. I chose the given one.
upvoted 14 times
pentium75
Highly Voted 3 years, 8 months ago
Sounds correct. The example in the MS docs, to find SQL instances with TDE disabled, uses the "auditIfNotExists" effect. So "deployIfNotExists" would then be used to enable it.
upvoted 10 times
MrClumsy
3 years, 3 months ago
agreed, answer seems correct!
upvoted 1 times
JayBee65
Most Recent 2 years, 10 months ago
Working through possible answers:
DeployIfNotExists is definitely required, for new or existing resources. Every MS link mentions this.
Creating a user-assigned managed identity: a managed identity is required, but it can be system- or user-assigned, and a system-assigned managed identity will be created automatically if one doesn't exist.
Invoke remediation: this is definitely required to remediate existing resources. We are not told that the resources do not yet exist, so we have to assume that some may exist.
Policy assignment: obviously required.
Policy definition for the modify effect: impacts tags, so not required.
Given this, the order must be policy definition, policy assignment, remediation task.
upvoted 3 times
AberdeenAngus
2 years, 11 months ago
I'm going with:
1. Create a user-assigned managed identity
2. Create an Azure policy definition that uses the deployIfNotExists effect
3. Create an Azure policy assignment
The policy uses the identity to authenticate and change the resource, see https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#identity
upvoted 2 times
AberdeenAngus
2 years, 9 months ago
I think after a reread I should go with the given answer; I think they mean that the managed identity is created during the policy creation.
upvoted 2 times
[Removed]
3 years, 4 months ago
Given answer is correct. Policy create > assign > invoke or execute
upvoted 2 times
bugimachi
3 years, 4 months ago
I am not convinced... Remediation of a policy would enable TDE for a database which had been deployed without TDE before, right? But assuming we are currently planning the migration, there is no database and remediation would have no effect. On the other hand, we need an identity for a deployIfNotExists policy; it need not necessarily be a user-managed identity, as it could be created as a system-managed identity when creating the assignment, but it could be one. I think I'd go with Create Policy > Create User-Managed Identity > Create Assignment. Your thoughts...?
upvoted 2 times
MrClumsy
3 years, 3 months ago
It looks like you are only allowed to use a managed identity. Try to create a policy assignment in the portal or read here: https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#how-remediation-security-works
upvoted 1 times
syu31svc
3 years, 7 months ago
Provided link supports answer given
upvoted 3 times
jjdevine
3 years, 7 months ago
This policy would achieve the effect required: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Deploy.json
Details about remediation: https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
upvoted 4 times