Exam AZ-500 topic 4 question 68 discussion

Actual exam question from Microsoft's AZ-500
Question #: 68
Topic #: 4

You have an Azure subscription named Sub1 that contains an Azure Policy definition named Policy1. Policy1 has the following settings:
✑ Definition location: Tenant Root Group
✑ Category: Monitoring
You need to ensure that resources that are noncompliant with Policy1 are listed in the Azure Security Center dashboard.
What should you do first?

  • A. Change the Category of Policy1 to Security Center.
  • B. Add Policy1 to a custom initiative.
  • C. Change the Definition location of Policy1 to Sub1.
  • D. Assign Policy1 to Sub1.
Suggested Answer: B

Comments

licna
Highly Voted 3 years, 3 months ago
Selected Answer: B
If I understood correctly this goal is accomplished by adding a policy to a custom initiative, then the non-compliant resources could be displayed on the dashboard. See: https://docs.microsoft.com/en-us/azure/defender-for-cloud/custom-security-policies "you can add your own custom initiatives. You'll then receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create will appear alongside the built-in initiatives in the regulatory compliance dashboard." In my opinion the option D is wrong as the policy has been already assigned (to Tenant Root Group) - "As discussed in the Azure Policy documentation, when you specify a location for your custom initiative, it must be a management group or a subscription."
upvoted 26 times
Patchfox
3 years, 3 months ago
Correct: https://docs.microsoft.com/en-us/azure/defender-for-cloud/custom-security-policies?pivots=azure-portal#:~:text=With%20this%20feature,your%20regulatory%20compliance.
upvoted 1 times
golitech
Most Recent 2 months, 3 weeks ago
Selected Answer: D
D. Assign Policy1 to Sub1: Azure Security Center shows noncompliant resources that are evaluated against policies assigned to the subscription or management group. The policy must be assigned to Sub1 (the subscription) to ensure that noncompliant resources are displayed in the Azure Security Center dashboard. This option ensures that the policy is active and that its compliance data is made available for Security Center. By assigning Policy1 to Sub1, you'll ensure that the resources in Sub1 are evaluated for compliance with Policy1, and the noncompliant resources will be listed in the Azure Security Center dashboard.
upvoted 2 times
pentium75
9 months ago
Selected Answer: B
I think it is B, question is what to do FIRST. We can assign initiatives, not policies. So yes, we must assign the policy (as D says), but we do this in two steps: FIRST add the policy to a custom initiative THEN assign the initiative to the subscription
upvoted 2 times
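The two steps pentium75 describes above, written as Azure CLI calls (an added example, not part of the original thread). The management group ID `mg-root`, the initiative name `Initiative1` and the subscription ID are placeholder values; the point to notice is that the definition location (a management group) and the assignment scope (a subscription) are separate arguments.

```shell
# Added example with constructed placeholder names; requires the Azure CLI
# ("az") and a logged-in session when the step functions are actually called.

# Resource ID of a custom policy definition stored at a management group
# (the "definition location" in the question).
mg_policy_definition_id() {
  printf '/providers/Microsoft.Management/managementGroups/%s/providers/Microsoft.Authorization/policyDefinitions/%s' "$1" "$2"
}

# JSON body for --definitions: an initiative wrapping a single policy.
initiative_definitions_json() {
  printf '[{"policyDefinitionId":"%s"}]' "$1"
}

# Step 1: create the custom initiative at the same definition location.
# Arguments: <management-group-id> <policy-name> <initiative-name>
create_initiative() {
  az policy set-definition create \
    --name "$3" \
    --display-name "$3" \
    --management-group "$1" \
    --definitions "$(initiative_definitions_json "$(mg_policy_definition_id "$1" "$2")")"
}

# Step 2: assign the initiative to the subscription (the assignment scope).
# Arguments: <management-group-id> <initiative-name> <subscription-id>
assign_initiative() {
  az policy assignment create \
    --name "$2-assignment" \
    --policy-set-definition "/providers/Microsoft.Management/managementGroups/$1/providers/Microsoft.Authorization/policySetDefinitions/$2" \
    --scope "/subscriptions/$3"
}

# Usage (placeholders):
#   create_initiative mg-root Policy1 Initiative1
#   assign_initiative mg-root Initiative1 00000000-0000-0000-0000-000000000000
```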
erreyesarroyo
9 months, 1 week ago
This is one of those ones where D makes sense in my head but why the majority is with B?????
upvoted 1 times
xRiot007
9 months ago
Answer is B - add Policy1 to a custom initiative Because this is a legacy method for creating custom recommendations: https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations#create-a-custom-recommendationstandard-legacy
upvoted 1 times
Jimmy500
10 months ago
A- By changing the category of Azure policy, we will not get anything as it is just metadata is being used for management and govern purpose by Administrators. It does not matter in defender side if add policy’s category to something – there will not be any change category for the policy. B- by adding policy to the custom initiative we cannot say we already assigned it to the Subscription we can add it to initiative, but we cannot say, whether this initiative already assigned to Subscription or not. C- If we see question carefully it shows the settings of policy and definition location just shows where policy has been applied, this does not tell us policy already assigned it just shows the location of policy in case we will apply it, it will be applied to Tenant Root Group which contains all objects. I think D is the option here since we assign policy1 we can see results in the defender for cloud as we know defender for cloud works based on assigned policies, in the option A, B,C we cannot tell the policy has been assigned or not. That is why I would go with D.
upvoted 1 times
ManiMessner
1 year, 4 months ago
Selected Answer: B
B. When you create a custom initiative the policy get automatically assigned to the scope. In the Azure policy page you can find those custom initiative named [Assigned by MDC]
upvoted 1 times
_punky_
1 year, 6 months ago
**This is very interesting question with bias:** To ensure that resources noncompliant with Policy1 are listed in the Azure Security Center dashboard, you should follow these steps: Assign Policy1 to Sub1: You should assign the policy to a scope that includes the resources you want to monitor. In this case, you want to monitor resources within Sub1. So, you should assign Policy1 to Sub1. This will enforce the policy on resources within Sub1 and report compliance status to Azure Security Center. Option A ("Change the Category of Policy1 to Security Center") is not the correct action to take. Changing the category of the policy won't directly impact its enforcement or reporting to Azure Security Center. Option B ("Add Policy1 to a custom initiative") is not necessary to achieve the goal. Initiatives are used to group multiple policies together for assignment but won't change the scope of enforcement. Option C ("Change the Definition location of Policy1 to Sub1") is not needed. The policy's definition location doesn't affect the scope of enforcement or reporting to Azure Security Center. So when we take approach of less effort then D is correct
upvoted 3 times
heatfan900
1 year, 7 months ago
INITIATIVES GROUP POLICIES TOGETHER WHICH IS NOT EVEN THE PREMISE OF THIS QUESTION. REGARDLESS, THEY MUST STILL BE APPLIED.
upvoted 1 times
heatfan900
1 year, 7 months ago
D seems to be the correct answer
upvoted 1 times
alfaAzure
1 year, 7 months ago
Selected Answer: D
D. Assign Policy1 to Sub1. To ensure that resources noncompliant with Policy1 are listed in the Azure Security Center dashboard, you should assign Policy1 to a scope that includes the resources you want to evaluate. In this case, the policy definition is already created, so you need to assign it to an appropriate scope. This will ensure that Policy1 is applied to the resources within the Sub1 scope, and any non-compliant resources will be listed in the Azure Security Center dashboard.
upvoted 1 times
Ario
1 year, 9 months ago
Selected Answer: A
Adding Policy1 to a custom initiative will not directly enable the listing of noncompliant resources in the Azure Security Center dashboard.
upvoted 1 times
Ario
1 year, 9 months ago
Sorry for the typo, the correct answer is D; couldn't edit.
upvoted 1 times
zellck
1 year, 11 months ago
Selected Answer: B
B is the answer. https://learn.microsoft.com/en-us/azure/defender-for-cloud/custom-security-policies?pivots=azure-portal With this feature, you can add your own custom initiatives. Although custom initiatives aren't included in the secure score, you'll receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create are shown in the list of all recommendations and you can filter by initiative to see the recommendations for your initiative. They're also shown with the built-in initiatives in the regulatory compliance dashboard.
upvoted 4 times
majstor86
2 years, 1 month ago
Selected Answer: B
B. Add Policy1 to a custom initiative.
upvoted 2 times
danlo
2 years, 4 months ago
Selected Answer: B
B is correct, you need to assign a custom policy for it to be in the regulatory compliance blade in Defender for Cloud.
upvoted 3 times
danlo
2 years, 4 months ago
Custom initiative*
upvoted 1 times
Muaamar_Alsayyad
2 years, 6 months ago
Selected Answer: D
Given answer is correct. We need to assign the policy to sub. first
upvoted 4 times
koreshio
2 years, 6 months ago
Selected Answer: B
It seems you can assign policies at the root management group: "Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level." ref:https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles
upvoted 1 times
somenick
2 years, 6 months ago
Selected Answer: B
After adding the policy initiative, it will be listed as a recommendation in the Recommendations blade, and to have it added in the Regulatory compliance dashboard
upvoted 1 times
Kelly8023
2 years, 6 months ago
Selected Answer: D
Vote for D. I think we need to understand policy - definition location here. Reference: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure The definition location must be a management group or a subscription. This location determines the scope to which the initiative or policy can be assigned. Definition Location points to Tenant Root Group does not mean policy is assigned. It just means that policy 1 can be assigned to resources under Tenant Root Group. Policy 1 still needs to be assigned to sub1.
upvoted 3 times
koreshio
2 years, 6 months ago
It seems you can assign policies at the root management group: "Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level." ref:https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles
upvoted 1 times