
Technical Lab: Implement and manage Azure Policy

Questions

Question 1 — Multiple Choice

A governance team needs to ensure that all resources created in a subscription automatically receive the CostCenter tag with a default value when the user doesn't provide it explicitly. The team doesn't want to block resource creation without the tag; they just want the default value to be applied silently.

Which Azure Policy effect meets this requirement?

A) Deny
B) Audit
C) Modify
D) Append


Question 2 — Technical Scenario

An administrator assigned the following policy to a subscription scope:

{
  "if": {
    "field": "type",
    "equals": "Microsoft.Compute/virtualMachines"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/<GUID>"
      ]
    }
  }
}

After assignment, the administrator notices that existing VMs are not receiving the extension, although new VMs receive it correctly.

What is the most likely cause of this behavior?

A) The DeployIfNotExists effect never applies to existing resources; it's necessary to switch to the Modify effect.
B) The remediation task was not created; existing resources require an explicit remediation task to be corrected.
C) The policy needs to be assigned at the resource group scope where the VMs reside, not at the subscription.
D) The roleDefinitionIds is incomplete and prevents the evaluation mechanism from processing pre-existing resources.


Question 3 — True or False

A resource that is in a non-compliance state with an Audit effect policy is automatically blocked after 24 hours without correction, until the administrator manually remediates it.

True or False?


Question 4 — Multiple Choice

An organization needs to apply a cohesive set of policies that prevents resource creation outside the brazilsouth and eastus regions, in addition to requiring specific SKUs for storage accounts. These rules must be assigned together, as a unit, to multiple resource groups.

What is the most appropriate approach in Azure Policy?

A) Create an initiative (policy set definition) containing both policies and assign it to the resource groups.
B) Assign each policy individually to each resource group, repeating the process to maintain consistency.
C) Create a custom policy with multiple conditions combined in a single if block using logical operators.
D) Use Azure Blueprints exclusively, as individual policies cannot be grouped without this feature.


Question 5 — Technical Scenario

A security team created and assigned a policy with Deny effect to prevent creation of storage accounts with public access enabled. During a test, a developer tries to create the account with the following command and receives a rejection error:

az storage account create \
  --name storageteste01 \
  --resource-group rg-dev \
  --location brazilsouth \
  --allow-blob-public-access true

The developer argues that the policy shouldn't apply because the assignment was made in the rg-prod resource group, and they are creating the resource in rg-dev. However, the resource continues to be blocked.

What is the correct explanation for the blocking?

A) The Deny effect ignores the assignment scope and applies globally to the entire subscription by default.
B) The policy was assigned at a broader parent scope, such as the subscription or a management group, which encompasses rg-dev.
C) The --allow-blob-public-access true parameter automatically triggers an internal Microsoft policy independent of the assignment.
D) The az storage account create command always checks policies from all resource groups in the subscription before executing.


Answer Key and Explanations

Answer Key — Question 1

Answer: C

The Modify effect allows adding, replacing or removing tags and properties on resources during creation or update, without blocking the operation. It's the correct effect for applying a default value silently.

The Append effect might seem equivalent, but its semantics are different: it appends fields to array or object properties, such as IP rules in an NSG, and isn't designed for tag management the way Modify is. Choosing Append would result in inconsistent behavior or errors depending on the target field.

Deny would block creation, contradicting the requirement. Audit only logs non-compliance without acting.
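As an added example (not part of the lab), this is what the Modify definition from the answer looks like in practice: the rule fires only when the CostCenter tag is absent, and the operation adds it with a default value. The tag value "unassigned" is an assumed placeholder, and the roleDefinitionIds entry is the built-in Contributor role, which the assignment's managed identity needs in order to apply the tag.

```json
{
  "properties": {
    "displayName": "Add CostCenter tag with a default value when it is missing",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "CostCenter"
      },
      "tagValue": {
        "type": "String",
        "defaultValue": "unassigned"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "Modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```

Because the "if" condition only matches when the tag does not exist, a user-supplied CostCenter value is left untouched; the "Indexed" mode restricts evaluation to resource types that support tags, which is what Modify requires. As with DeployIfNotExists, resources that already existed before the assignment only get the tag after a remediation task runs.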


Answer Key — Question 2

Answer: B

The DeployIfNotExists effect is automatically evaluated and executed for new resources during creation. For resources already existing at the time of policy assignment, Azure Policy doesn't correct them automatically: it's necessary to create an explicit remediation task in the portal, via CLI, or via API.

Alternative A is incorrect because DeployIfNotExists can indeed act on existing resources, as long as remediation is triggered. Alternative C confuses assignment scope with effect coverage. Alternative D is a plausible technical distractor, but missing or incorrect roleDefinitionIds would prevent deployment execution, not compliance evaluation of existing resources.


Answer Key — Question 3

Answer: False

The Audit effect never blocks or modifies resources. Its only behavior is to log an event in the activity log and mark the resource as non-compliant in the Azure Policy compliance dashboard. No automatic blocking action is taken at any time.

This distinction is fundamental: Audit is a visibility and tracking effect, not a control effect. Confusing Audit with Deny is one of the most common errors in governance scenarios, and can lead a team to mistakenly believe they are protected when they are only observing.


Answer Key — Question 4

Answer: A

An initiative (policy set definition) is exactly the Azure Policy mechanism for grouping multiple policies into a cohesive unit that can be assigned once to a scope. This simplifies management, compliance tracking, and maintenance.

Alternative B is operationally viable, but not the recommended approach: individual assignments multiplied by resource groups create unnecessary complexity and risk of divergence. Alternative C mixes evaluation logic within a single policy definition, which doesn't solve the requirement for joint assignment as a unit. Alternative D is incorrect: Azure Blueprints can include policies, but aren't a prerequisite for grouping; initiatives exist exactly for this purpose within Azure Policy itself.
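An added example of the initiative described in the answer (not from the lab): a policy set definition that references two built-in policies, Allowed locations and Allowed storage account SKUs, and exposes their parameters once at the initiative level so the whole unit can be assigned to each resource group with one assignment. The two built-in definition ids and their parameter names are given as I recall them and should be confirmed against the built-in definitions in your tenant; the SKU list is an assumed example.

```json
{
  "properties": {
    "displayName": "Region and storage SKU guardrails",
    "policyType": "Custom",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": { "displayName": "Regions where resources may be created" },
        "defaultValue": ["brazilsouth", "eastus"]
      },
      "allowedStorageSkus": {
        "type": "Array",
        "metadata": { "displayName": "Permitted storage account SKUs" },
        "defaultValue": ["Standard_LRS", "Standard_GRS"]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "allowedLocations",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
        "parameters": {
          "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
        }
      },
      {
        "policyDefinitionReferenceId": "allowedStorageSkus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "parameters": {
          "listOfAllowedSKUs": { "value": "[parameters('allowedStorageSkus')]" }
        }
      }
    ]
  }
}
```

Compliance is then reported per initiative as well as per member policy, so a resource group that fails either rule shows up once under the same assignment.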


Answer Key — Question 5

Answer: B

Azure Policy respects scope hierarchy: a policy assigned at a parent scope, such as a subscription or management group, applies to all child scopes, including all resource groups in that subscription. The developer incorrectly assumed that the assignment in rg-prod would be limited to that resource group, but the assignment may have been made at the entire subscription level.

Alternative A describes behavior that doesn't exist: the Deny effect strictly respects the scope defined in the assignment. Alternative C invents a mechanism that doesn't exist in Azure. Alternative D describes fictitious CLI behavior. The key to correct reasoning is understanding that the blocking occurs because the actual scope of the assignment is broader than the developer presumed.
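An added example of the Deny definition from this scenario (not the lab's own policy). It rejects any storage account whose allowBlobPublicAccess property is not explicitly false, which also catches requests that omit the property, since older API versions default it to true; assigned at the subscription or a management group, it applies to rg-dev and every other child resource group, which is exactly why the developer's command was rejected.

```json
{
  "properties": {
    "displayName": "Deny storage accounts that allow public blob access",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
```

When troubleshooting a rejection like the one in the question, the error returned to the client names the policy assignment id, and that id's path (subscription, management group or resource group) shows the real scope of the assignment; an assignment with enforcementMode set to DoNotEnforce would report non-compliance instead of blocking.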