ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-400 All Questions

View all questions & answers for the AZ-400 exam
Go to Exam

Exam AZ-400 topic 7 question 83 discussion

Actual exam question from Microsoft's AZ-400
Question #: 83
Topic #: 7
[All AZ-400 Questions]

You have an Azure subscription named Subscription1 that contains a custom Azure policy named Policy1. Policy1 is an audit policy that monitors naming convention compliance for the resources deployed to Subscription1.
You have a pipeline named Pipeline1 in Azure Pipelines. Pipeline1 deploys Azure Resource Manager (ARM) resources to Subscription1.
You need to ensure that the resources deployed by Pipeline1 comply with Policy1.
What should you add to Pipeline1?

  • A. a pre-deployment task that runs a security and compliance assessment
  • B. a post-deployment task that runs a security and compliance assessment
  • C. an ARM template deployment task to assign Policy1 to Subscription1
  • D. an ARM template deployment task to deploy Policy1 to Subscription1
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by syu31svc at Sept. 1, 2022, 10:19 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
MallonoX_111
Highly Voted 2 years, 8 months ago
This would be a post deployment gate? I don't know how a policy to that checks naming standards could do that before the resources are deployed.
upvoted 10 times
Dankho
5 months, 3 weeks ago
Exactamundo
upvoted 1 times
...
mfawew223
1 year, 7 months ago
I went back and forth on pre or post deployment gate. On one hand, shouldnt you be preventing the deployment in the first place if the name doesnt pass policy? that would be done in a pre-deployment gate. However, when setting up a pre-deployment gate, you specify the subscription, resource group, and resource in which to test policy. Azure would then run all policy checks in the subscription for that type of resource. Well, as MallonoX said, you cant select to test a resource that has yet to be deployed. So it must be B, Post-deployment.
upvoted 2 times
...
...
vsvaid
Highly Voted 1 year, 5 months ago
Selected Answer: A
Policy can be applied in Pre-Deployment gate. Here is an example https://devblogs.microsoft.com/devops/controlling-release-pipelines-with-gates-and-azure-policy-compliance/
upvoted 6 times
hardinxcore
1 year, 5 months ago
This reference convinced me.
upvoted 2 times
...
...
Dankho
Most Recent 5 months, 3 weeks ago
Selected Answer: B
Post deployment makes the most sense and it's an "audit" policy, not meant to stop the deployment of resources.
upvoted 1 times
...
MrAZ105
7 months, 2 weeks ago
Selected Answer: B
Since Policy1 is an audit policy, it monitors compliance but doesn’t enforce restrictions on resources being deployed. To check compliance, you need to perform an assessment after the resources are deployed. Adding a post-deployment task that runs a security and compliance assessment will allow you to verify if the resources deployed by Pipeline1 comply with Policy1 after deployment.
upvoted 1 times
...
FeriAZ
1 year, 3 months ago
Selected Answer: A
Preventive Approach: Running the security and compliance assessment (SCA) as a pre-deployment task allows you to identify any potential violations of Policy1 before the resources are actually deployed to Subscription1. This proactive approach prevents non-compliant deployments and saves time by avoiding the need to redeploy resources later. Catching Issues Early: By performing the SCA pre-deployment, you can address any naming convention issues early in the development lifecycle. This minimizes the risk of introducing non-compliant resources into your Azure environment.
upvoted 1 times
...
hardinxcore
1 year, 5 months ago
Selected Answer: A
Answer is a as per https://devblogs.microsoft.com/devops/controlling-release-pipelines-with-gates-and-azure-policy-compliance/
upvoted 4 times
...
varinder82
1 year, 6 months ago
FInal Answer based on below comments - B - Postdeployment task No bakwas
upvoted 2 times
...
gabo
1 year, 8 months ago
Selected Answer: B
"You need to ensure that the resources deployed by Pipeline1 comply with Policy1" - Implies that the deployment is already done and then you want to check the compliance, so it's a post deployment gate.
upvoted 2 times
...
xRiot007
1 year, 10 months ago
A - predeployment task. You could do security checks in post deployment too, but it is recommended to shift security, compliance and testing as LEFT as possible, meaning as close as possible to the build phase or even before.
upvoted 1 times
...
zeaimen
1 year, 11 months ago
Selected Answer: B
If we want to ensure that deployed resource is complying, so it's post task. i am confused by the answers
upvoted 3 times
...
zellck
2 years ago
Selected Answer: A
A is the answer. https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/policy-devops-pipelines?view=azure-devops
upvoted 2 times
gabo
1 year, 8 months ago
As per the link, the Gate is actually setup in the Post Deployment part. Please check again.
upvoted 1 times
...
...
Fal991l
2 years, 2 months ago
Selected Answer: C
GTP: To ensure that the resources deployed by Pipeline1 comply with Policy1, you need to assign Policy1 to Subscription1. The easiest way to do this is to add an ARM template deployment task to Pipeline1 that assigns Policy1 to Subscription1. To do this, create an ARM template that includes a policy assignment resource that references Policy1. Then, add an ARM template deployment task to Pipeline1 that deploys this template to Subscription1. The task should be configured to only deploy the policy assignment resource, rather than the entire ARM template, to reduce the impact on other resources in Subscription1. Once the policy assignment is deployed, Policy1 will begin monitoring naming convention compliance for the resources deployed by Pipeline1.
upvoted 2 times
Fal991l
2 years, 2 months ago
By adding a pre- or post-deployment condition that includes the Check Azure Policy compliance task as a gate, you can enforce compliance policies on your Azure resources before and after deployment with Azure Pipelines. This task will evaluate the compliance of resources against the specified policies, including Policy1, and block the pipeline if any non-compliant resources are found. This approach can be used to ensure that all resources deployed by Pipeline1 comply with Policy1. However, it should be noted that this approach requires that Policy1 is already assigned to the subscription being deployed to. If Policy1 has not yet been assigned, you will still need to use an ARM template deployment task to assign it to the subscription before the Check Azure Policy compliance task can be used to enforce compliance.
upvoted 1 times
Fal991l
2 years, 2 months ago
Option A, adding a pre-deployment task that runs a security and compliance assessment, can help identify non-compliant resources before they are deployed, and allow the necessary remediation actions to be taken. This approach can help ensure that the resources deployed by Pipeline1 comply with Policy1, regardless of whether the policy already exists or not. Option C, adding an ARM template deployment task to assign Policy1 to Subscription1, can ensure that the policy is assigned to the subscription before deploying any resources. This approach can be useful if you want to ensure that all resources deployed to the subscription in the future will comply with Policy1. Therefore, the choice between A and C will depend on the specific needs of your deployment process. If you want to ensure that all resources deployed to the subscription in the future will comply with Policy1, option C may be a better choice. However, if you want to identify non-compliant resources before they are deployed, option A may be a better choice.
upvoted 2 times
...
...
...
smariussorin
2 years, 4 months ago
Selected Answer: A
Since you want to ensure, so you don`t deploy something wrong. "Add a pre- or post-deployment condition that includes the Check Azure Policy compliance task as a gate. More details." - PRE or POST
upvoted 3 times
...
basiltomato
2 years, 4 months ago
Selected Answer: B
Have a look at the link - it's Post-deployment
upvoted 3 times
...
kinkekin
2 years, 5 months ago
Selected Answer: A
A Correct. check the given link.
upvoted 2 times
...
alec123
2 years, 7 months ago
Selected Answer: B
i think the keyword is deployED, which means that the deployment is done.
upvoted 4 times
Dani_ac7
1 year, 10 months ago
best answer here
upvoted 1 times
...
Bear_Polar
1 year, 8 months ago
this is passive voice, and "deployed resources" means "resources which are deployed"
upvoted 2 times
...
...
malakZou
2 years, 8 months ago
Selected Answer: A
correct answer because it checks for naming convention compliance so pre deployment
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel