Exam AZ-104 topic 2 question 48 discussion

N, N, N 1st No: Azure policy was created before the RG1 was assigned tag, which means when RG1 was manually assigned tag Tag2:IT, the policy will take action to append Tag4:vaule4 to RG1. Note that policy action is to "append", that means whatever else tag RG1 is given won't be taken away. As such RG1 will have two tags, Tag2:IT and Tag4:value4 2nd No: Remember tags are not inheritable, whatever tag assigned to RG1 won't be applied to any resources under it. As such the Storage1 should be Tag3:value1 and Tag4:vaule4. 3rd No: vNet1 is excluded from the Azure policy, hence the policy won't do anything to it. As such vNet1 should only have the tag manually assigned: Tag3:value2. PS, I take that "Exclusions: Sub1/RG1/VNET1" does not mean both RG1 & vNet1 are excluded, only vNet1 is excluded, the Sub1/RG1/VNET1 is merely a path to the object that is excluded.

Wouldn't it be Y-N-N? Y - RG1 is excluded thus retain as it is N - Storage1 will have Tag3:value1 and Tag4:value4 N - VNET1 is excluded as well so only have Tag3:value2

NNN, Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups.

YNN Police only add tags if you set the remediation option. Tags remain the same whether the police apply them or not. Test it out if you don't believe me

Y, N, N Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies So this policy - never applies to resource groups - Exclusion: "Optionally select resources to exclude from the policy assignment." - the resource group is already there By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. For modify policies, the remediation task will edit tags on the existing resources.

NO --- RG1 created > policy with scope Sub1 assigned > path excludes only VNET1 > so RG1 is a resource of Sub1 > tag2+tag4 NO --- storage created > carries tag3 > tag4 policy enforced > other tags are not inherited NO --- VNET1 is excluded > no tag4 > only tag3 remains my thoughts...

how can it be a path and not a list?? a path would be /subscriptions/Sub1/resourceGroups/RG1/providers/Microsoft.Network/virtualNetworks/VNET1 very confusing...

there seems to be alot of confusion on the first options: i believe it to be a N. RG1 is not excluded from the policy and the policy will add Tag4 to the already existing Tag2. The policy ONLY excludes Vnet1

Wrong Yes No No

1) RG1 has the Tag2: IT tag assigned only. Since RG1 is not excluded and the policy applies to all resources in Sub1, the policy will add Tag4: value4 to RG1. So, RG1 will have Tag2: IT and Tag4: value4. Answer: No 2) storage1 has the Tag1: subscription, Tag2: IT, Tag3: value1, and Tag4: value4 tags assigned. storage1 is under the Sub1 and not excluded from the policy. Initially, it has Tag3: value1. The policy will append Tag4: value4. It is not specified that Tag1: subscription or Tag2: IT is applied to storage1. Only the tags mentioned in the table and policy enforcement apply. Answer: No 3) VNET1 has the Tag2: IT and Tag3: value2 tags assigned only. VNET1 is specifically excluded from the policy. It already has Tag3: value2 and no other tags from the table or policy are applied. There is no mention of Tag2: IT being assigned to VNET1. Answer: No

YNN! Remember: Even if enforce policy might think is enforced for everything, it doesn't mean this way! To apply a tag to pre-existence resource with azure policy, the only way is to do a remediation task, nothing else. The meaning of enforce policy is what azure policy will do. In this case, if you disable enforce policy it will put the resource in "Non compliant state" and send a custom message. If you enable enforce policy, it will force what it has to do, so in this case apply a tag.

I dont know why subs1 will get tag4. When you assign the policy you have this warning: By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned

Y,n,n. IT tag already exists and policy has append action so will not remove the existing tag

ChatGPT4 - NNY

Y-N-N, the policy excluded RG1, meaning it has no tag(the tag4), all good now? then it said you assign a tag1 to RG1, which you can because it has nothing to do with the policy

Two things to notice: "Sub1/RG1/VNET1" reads as a path not a list, so it only applies to VNET1 and not RG1 and Sub1 The tag does not appliy to RG1 because it is a resource group and the policy specifies "Append a tag and its value to resources" so it will only apply to resources, no resource groups. Therfore, answer is. Y N N

"Exclusions: Sub1/RG1/VNET1": IT MEANS : "the virtual network called VNet1 (which is inside Resource Group RG1, and inside Subscription called Sub1) is excluded from the policy" IT DOES NOT MEAN: "Sub1 _and_ RG1 _and_ VNet1 are excluded from the policy"