Exam AZ-500 topic 4 question 1 discussion

The answer should be No, Yes, No. Reference: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects After the Resource Provider returns a success code on a Resource Manager mode request, AuditIfNotExists and DeployIfNotExists evaluate to determine whether additional compliance logging or action is required. So overall order of evaluation: Disabled -> Append/Modify -> Deny -> Audit -> AuditIfNotExists/DeployIfNotExists. 1st: No. DeployIfNotExists will be triggered after a configurable delay when a Resource Provider handles a create or update subscription or resource request and has returned a success code. In this scenario, because SQL1 is already deployed so it can not be enabled automatically. 2nd: Yes. Deny is processed first so can't be deployed 3rd: No. Deny is processed first

Correcting typo in fonte explanation: #1: SQL1 belongs in RG3, Policy #2, but DeployIfNotExists no apply (SQL1 was running before the policies were deployed.). SQL will be marked as not compliante. #2: SQL2 is to be deployed in RG2, Policy #1 will apply, SQL2 will not be deployed. #3: SQL3 is to be deployed in RG1, Policy #1 will apply, SQL3 will not be deployed. FYI: The order in which policies are applied is: Disabled Append and Modify Deny Audit AuditIfNotExists and DeployIfNotExists https://joefecht.com/posts/azure-policy-effects-and-paramters/

SQL1 resides in RG3, which has Policy2 (effect = DeployIfNotExists for TDE). After evaluation, Azure Policy automatically deploys Transparent Data Encryption on SQL1 since it was disabled SQL2 is being created in RG2 with TDE disabled, but RG2 is covered by Policy1 (effect = Deny when TDE isn’t enabled). The deny effect blocks the ARM deployment outright, causing SQL2’s creation to fail. (deny wins over deployifnotexists) SQL3 same as SQL2- (deny wins over audit). sql3 creation will fail. Y Y N

yny : https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics#policy-rule-evaluation

Deny is processed first No Yes No

NO, YES, NO

After the Resource Provider returns a success code on a Resource Manager mode request, AuditIfNotExists and DeployIfNotExists evaluate to determine whether additional compliance logging or action is required. So overall order of evaluation: Disabled -> Append/Modify -> Deny -> Audit -> AuditIfNotExists/DeployIfNotExists. 1st: No. DeployIfNotExists will be triggered after a configurable delay when a Resource Provider handles a create or update subscription or resource request and has returned a success code. In this scenario, because SQL1 is already deployed so it can not be enabled automatically. 2nd: Yes. Deny is processed first so can't be deployed 3rd: No. Deny is processed first

NO YES NO

@fonte, SQL1 belongs in RG3, not RG1.

No, Yes, No. #1: SQL1 belongs in RG1, Policy #1 and #3 apply, but the deny is not retroactive. SQL will be marked as not compliante. #2: SQL2 is to be deployed in RG2, Policy #1 will apply, SQL2 will not be deployed. #3: SQL3 is to be deployed in RG1, Policy #1 will apply, SQL3 will not be deployed.

Correct answer is No, Yes, No

No Yes No Policy will not be applied to already created resources, it might mark them as incopliant for SQL1 we need to run remediation task to add TDE

Y - Deny will not take effect, but "deployifnotexist" will. Y - Will not be created "Deny" will be evaluated N - Will not be created "Deny" will be evaluated https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects

So what is the correct answer

All answers are wrong: 1st: SQL1 is already deployed so cannot be denied, then deployifNotExist enables TDE 2nd: Deny is processed first so no chance to be deployed (end) 3rd: Deny again, same reason of the 2nd

I was confused about SQL1, at an initial glance I thought it looked liked it should be enabled automatically. However deployifNotExist policies are not retroactive. They only apply to resources that are created after the policy is assigned When creating a DINE policy assignment in the Az Portal a pop up reads: "By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned"

SQL3 should be denied, since it falls under deny and audit policy. Definitely deny is more restrictive..