Exam AZ-305 topic 1 question 61 discussion

Box 1: DeployIfNotExists DeployIfNotExists policy definition executes a template deployment when the condition is met. Policy assignments with effect set as DeployIfNotExists require a managed identity to do remediation. Box 2: The role-based access control (RABC) roles required to perform the remediation task The question is what you have to "Include in the definition:" of the policy. Refer to list of DeployIfNotExists properties, among them is roleDefinitionIds (required) - This property must include an array of strings that match role-based access control role ID accessible by the subscription. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists

The question is what you have to "Include in the definition:" of the policy. The Managed Identity is linked after, during the remediation process phase, it's not included in the definition. That restrict the possible answers two the scope or the RBAC Roles (roleDefinitionIds). Because the "roleDefinitionIds" field is required while "scope" is optional, the correct answer is "roleDefinitionIds". In detail, for the specific question, the property to be include is as follows: "roleDefinitionIds": [ "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}", "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}" ] Correctly mentioned by the other guys at the link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists-example

on todays exam

2. Should be RBAC. I've checked it in the Azure portal - you can try to assign any "Enable [feature] on [resource]" policy. On the remediation tab, you will see an error box if the definition doesn't include a role. The managed identity type is selected later during policy assignment, not as part of the definition.

Identity required to perform remediation tasks: Azure Policy requires a managed identity or user-assigned identity to apply remediation tasks like deploying an ARM template to enforce TDE. The identity will execute the deployment defined in the policy for non-compliant resources. Role-Based Access Control (RBAC) roles are not defined directly in the policy definition but are assigned to the managed identity separately. so the box 2 is : The identity required to perform the remediation task.

Today's exam question

WRONG 1. DeployIfNotExists 2. The role-based access control (RABC) roles required to perform the remediation task

1 box . DeployIfNotExists 2 box . The role-based access control (RBAC) roles required to perform the remediation task

This question was in the exam, August 2024. I answered Box1 with DeployIfNotExists and I answered box 2 with The role-based access control (RABC) roles required to perform the remediation task. I scored 870

DeployIfNotExists: This effect checks if the resource (in this case, TDE) exists and if it does not, it deploys it using the specified ARM template. RBAC roles required to perform the remediation task: Ensures that the necessary permissions are in place to allow the policy to remediate noncompliant resources by enabling TDE.

in the Exam April 2024

I would agree with given answer is correct as per below findings Here is from this article => see image of create managed identity and you can test yourself on Azure portal as i did "Policies with deployIfNotExists and modify effect types need ability to deploy resources and edit tags on existing resources respectively" If the managed identity does not have the permissions needed to execute the required remediation task, it will be granted permissions automatically only through the portal. You may skip this step if creating a managed identity through the portal. https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal

Final Answer: 1. DeployIfNotExists 2. The role-based access control (RABC) roles required to perform the remediation task

correct answers: 1. DeployIfNotExists 2. The role-based access control (RABC) roles required to perform the remediation task The question is asking for the policy definition and not the policy assignment. The article clearly states, that for the policy definition the "roleDefinitionIds" are required whereas the policy assignment will require a Managed Identity for the remediation task having the required permissions. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists

Provided answers are correct. 1. DeployifNotExists 2. The required identity RERENCE: " Exam Ref AZ-305 Designing Microsoft Azure Infrastructure Solutions by Ashish Agrawal" Page 71 DeployIfNotExists This effect is similar to AuditIfNotExists, except that this effect executes a template to deploy needed resources for the identified noncompliant resource rather than marking the resource as noncompliant. The policy assignment of a policy having the DeployIfNotExists effect requires managed identity to take remediation action.

What is the correct answer for Second Point?

EnforceRegoPolicy (deprecated): configures the Open Policy Agent admissions controller with Gatekeeper v2 in Azure Kubernetes Service