You are evaluating an Azure environment for compliance. You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources. Which effect should you use in Azure Policy?
The question is misleadingly worded. The question asks which effect can be used to report on compliance without changing anything. The Azure Policy "effect" used to do this is "Audit", which is not one of the provided options. There isn't an "effect" setting in the choices that matches the criteria.
However, "Disabled" and "Enabled" are the two Azure Policy "enforcement" setting options. If an Azure Policy's "enforcement" is set to "Disabled", any "effect" set on this Azure Policy will report but will not make changes.
"Disabled" is the best answer available, although technically incorrect because "Disabled" isn't an Azure Policy "effect".
This is the correct answer. If you set enforcementMode to disabled, resources are still evaluated but log activity isn't created. Audit works as well. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-disabled
1. You're confused between "effect" and an "enforcement mode".
2. Policy definitions that use the Disabled effect have the default compliance state Compliant after assignment.
The only possible answer is A - Deny.
The correct effect to use in Azure Policy for evaluating compliance without changing any resources is D. Disabled.
When a policy is set to the "Disabled" effect, it will not enforce any changes but can still be used to evaluate and report on the compliance state of the resources. This allows you to monitor compliance without making any modifications to the resources.
A: Deny makes the most sense. The question states you need to evaluate compliance. D: Disabled has a default compliance state of "compliant". From an auditing perspective this wouldn't make sense.
Key words: without changing resources. I think it has to be Append because of this. The append effect in Azure Policy can be used to evaluate compliance. When a policy definition using the append effect is evaluated, it doesn’t modify existing resources. Instead, it marks any resource that meets the specified conditions as non-compliant. This allows you to identify resources that do not meet your policy requirements without making immediate changes to them.
Deny marks resources as non-compliant during evaluation but does not make changes to existing resources. It enforces compliance by preventing the creation or modification of non-compliant resources but can be used for evaluation purposes as well, without altering existing resources.
Modify changes the resource, so it's not applicable when you don't want to make any changes.
Append adds fields to the resource during creation or update, but its main function is to enforce certain configurations, and it's not solely for compliance evaluation.
Disabled doesn't evaluate compliance at all and marks everything as compliant by default, which doesn't fulfill the goal of evaluating compliance.
Thus, Deny is the best option for evaluating compliance without modifying any resource.
Disabled (effect): Completely stops policy evaluation and marks everything as compliant.
enforcementMode (assignment setting): Keeps the policy evaluating compliance but doesn’t enforce any action, logging, or modification to resources.
To go back to your original question, the Disabled effect would mark everything as compliant and wouldn’t evaluate compliance at all. The enforcementMode (disabled) is a different setting entirely, used to evaluate compliance without enforcement, which seems closer to what you're looking for in some situations but isn't one of the options in your question.
Since enforcementMode isn't an effect, in the context of your question, A. Deny remains the correct answer, as it evaluates compliance and marks non-compliant resources without changing existing ones.
Deny. "During evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant." https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny-evaluation
The key words from this question are "evaluating compliance".
This can be done with DENY, because it doesn't allow any resource change but blocks it before happening with a 403 error and logs the block for a later review to see the non-compliant activity.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny-evaluation
MS words it like below, fulfilling the requirements of the given question while checking if an Azure environment IS or NOT compliant.
"During evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant."
You guys are hallucinating.
The question clearly asks which EFFECT (not an enforcement mode) should be used to evaluate resources without changing them.
The only option available is DENY.
The effect "Disabled" will always show as compliant:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#disabled
The question is NOT asking for enforcement mode:
"Policy definitions that use the Disabled effect have the default compliance state Compliant after assignment."
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#enforcement-mode
"Disabled" effect ensures that the policy is applied for evaluation purposes but does not enforce any specific actions or modifications on the resources themselves. This allows you to gather compliance data and assess the configuration of resources in your Azure environment without impacting their current state.
D is correct. Using the "Disabled" effect in Azure Policy is particularly useful for scenarios where you want to assess compliance and gather information without making any immediate changes or disruptions to the resources.
D is the answer.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#disabled
This effect is useful for testing situations or for when the policy definition has parameterized the effect. This flexibility makes it possible to disable a single assignment instead of disabling all of that policy's assignments.
D as you stated is correct. What the question is missing is a reference to the enforcement mode. You can use the enforcement mode Disabled (DoNotEnforce) on your policy assignment to prevent the effect from triggering or activity log entries from being created.
This step gives you a chance to evaluate the compliance results of the new policy on existing resources without impacting work flow.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/evaluate-impact#audit-existing-resources
ChatGPT: If you have to choose only one between Disabled and Deny, and the question does not provide any further details or constraints, then the best answer would be Deny.
The Deny effect is a more appropriate and specific choice for evaluating compliance without changing any resources in an Azure environment, as it explicitly blocks non-compliant resources from being created or modified while not modifying any existing resources. This can help ensure that the environment remains in compliance and does not drift away from the desired state.
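To make the two settings the thread keeps distinguishing concrete, here is an added example (not from the exam, the commenters, or Microsoft's documentation) showing where each one lives: the effect is set in the policy definition's `then` block, here through a parameter, while `enforcementMode` is a property of the assignment. The outer wrapper keys, the resource names, the locations and the `<subscription-id>` placeholder are constructed for illustration.

```json
{
  "policyDefinition": {
    "name": "example-allowed-locations",
    "properties": {
      "displayName": "Constructed example: allowed locations with a parameterized effect",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "allowedLocations": {
          "type": "Array",
          "metadata": { "strongType": "location" }
        },
        "effect": {
          "type": "String",
          "allowedValues": ["Audit", "Deny", "Disabled"],
          "defaultValue": "Audit"
        }
      },
      "policyRule": {
        "if": {
          "field": "location",
          "notIn": "[parameters('allowedLocations')]"
        },
        "then": { "effect": "[parameters('effect')]" }
      }
    }
  },
  "policyAssignment": {
    "name": "example-allowed-locations-dry-run",
    "properties": {
      "displayName": "Constructed example: same definition assigned without enforcement",
      "policyDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/example-allowed-locations",
      "enforcementMode": "DoNotEnforce",
      "parameters": {
        "allowedLocations": { "value": ["westeurope", "northeurope"] },
        "effect": { "value": "Deny" }
      }
    }
  }
}
```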