Exam AZ-305 topic 1 question 65 discussion

my experience on Azure Policy alert: box1: CLI is correct. I use powershell command to do this box2: I first set the diagnostic setting on activity log so that all policy related messages are sent to log analytic workspace. And then on log analytic workspace setup alert rules that send alert whenever non-informative messages are found. Simply speaking, diagnostic setting is on activity log, alert rule setup is on log analytic workspace.

Provided answers look correct: To trigger the compliance scans, use Azure CLI > https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process. An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process. To generate alerts, configure diagnostic settings for the Azure activity logs > https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule

To meet your requirements efficiently, I recommend the following solutions: Trigger on-demand Azure Policy compliance scans Use the Azure Policy 'Evaluate Compliance' action in the Azure Portal or PowerShell command: powershell Invoke-AzPolicyComplianceScan -ResourceGroupName <ResourceGroupName> This forces an immediate compliance assessment of your storage accounts instead of waiting for the scheduled evaluation cycle. Raise Azure Monitor non-compliance alerts using Log Analytics Configure Azure Monitor alerts based on Azure Policy compliance logs stored in Log Analytics. Use Kusto Query Language (KQL) to query non-compliant resources: kql PolicyResources | where ComplianceState == "NonCompliant" Create an Azure Monitor alert rule based on this query to notify administrators whenever a storage account violates policy.

Box 1: CLI https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#azure-cli Box 2: Log Analytics Workspace If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using Kusto queries and the AzureActivity table. With details in Azure Monitor logs, alerts can be configured to watch for non-compliance. https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#azure-monitor-logs

box1: CLI box2: log analytic workspace I guess it's like configuring diagnostics IN the activity log FOR the log analytic workspace, in which we can query logs to find non-compliance and generate alerts.

To Trigger the Compliance Scans: The Azure Command-Line Interface (CLI): Why: The Azure CLI provides a straightforward way to manually trigger on-demand compliance scans. It allows for automation and scripting, which can be incorporated into your existing workflows with minimal administrative effort. Why Not Other Options: An Azure template: Primarily used for deploying resources, not ideal for triggering compliance scans. The Azure portal: While you can manually trigger scans, it does not support automation and scripting as effectively as the CLI.

CHTAGPT response:Triggering Compliance Scans: The Azure Command-Line Interface (CLI): Use the Azure CLI to trigger on-demand compliance scans. The command az policy state trigger-scan initiates a compliance evaluation for your policies. Generating Non-Compliance Alerts: Azure Activity Logs: Configure diagnostic settings for the Azure activity logs. Activity logs provide information about operations on resources in your subscription. By sending these logs to a Log Analytics workspace, you can query and create alerts based on policy non-compliance events. Correct Selections: To trigger the compliance scans, use: The Azure Command-Line Interface (CLI) To generate the non-compliance alerts, configure diagnostic settings for the: Azure activity logs This configuration ensures that you can manually trigger policy compliance scans and monitor policy compliance through the activity logs, which can then be queried in Log Analytics for alerting purposes.

This question appeared in my exam on 13th May 2024. The given answer is correct.

I would say 1- Powershell CLI 2- Storage account for diagnostic setting

Final Answer: 1- CLI 2- Storage account

1- CLI 2- Storage account -1- For the 1st question as others pointed out, you have to use CLI - you cannot trigger them from the Portal, and the 3rd option (Templates) doesn't make any sense. Source: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan -2- This is tricky, I actually changed my mind after going through the docs. If you read the article 'Create diagnostic settings in Azure Monitor' (link below), you will see that the guide explicitly states (with screenshots) that within Azure Monitor, you have to select a resource (that is the Storage account in our case), select the Diagnostic settings, and then you can add a new or edit the existing diagnostic settings. Source: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal

Here how you can do it: 1. Create a log workspace 2. Create a policy reffereing to Storage Account which will be violated .i.e Storage accounts should restrict network access or Storage accounts should disable public network access 3. Go to Monitor => Activity Log and see an option Export Activity Logs and click it 4. Add diagnostic setting for Policy and send it to newly created workspace. Now all policy alerts should go to log worspace.

1- CLI 2- Log analytics https://medium.com/azure-architects/using-log-analytics-alerts-for-non-compliant-azure-policies-8d99f74089d9

First option is correct, for second, the diagnostic log blade for azure monitor shows all the storage accounts with their diagnostic settings on or off, is second answer still correct ?

It does indeed look like Activity Logs don't have the necessary information to create the required alerts. See https://techcommunity.microsoft.com/t5/fasttrack-for-azure/generate-azure-policy-compliance-alerts-by-sending-custom-data/ba-p/3671119

box 2 - Azure Activity logs are no longer supported: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-create-azure-monitor-alerts-for-non-compliant-azure/ba-p/713466

You should setup using workflow automation in the portal. With continuous export set to the correct workspace.