Exam AZ-305 topic 1 question 20 discussion

Actual exam question from Microsoft's AZ-305
Question #: 20
Topic #: 1

HOTSPOT -
You need to design an Azure policy that will implement the following functionality:
✑ For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
✑ For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
✑ For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Modify -
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.
Incorrect:
* The following effects are deprecated: EnforceOPAConstraint and EnforceRegoPolicy.
* Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead.
Box 2: A managed identity with the Contributor role
The managed identity needs to be granted the appropriate roles required for remediating resources.
Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Incorrect:
User Access Administrator: lets you manage user access to Azure resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
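
The design from the suggested answer, written out as a custom policy definition. This is an added example, not part of the original question or answer; the display name and the `tagName` parameter are assumptions. The single `roleDefinitionIds` entry is the built-in Contributor role, which is what the assignment's managed identity is granted so that remediation tasks can write the tag.

```json
{
  "properties": {
    "displayName": "Example: inherit a tag from the resource group",
    "description": "Illustrative definition added for this discussion. Copies one tag and its value from the resource group onto resources that lack it or carry a different value.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag to inherit, such as costCenter"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

The `if` block is what marks existing resources non-compliant during evaluation; the `operations` list is what runs on new deployments and in remediation tasks.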

Comments

manubust
Highly Voted 2 years, 3 months ago
Question #33 in AZ-304. Right answer
upvoted 30 times
...
zellck
Highly Voted 1 year, 9 months ago
1. Modify 2. Managed identity with Contributor role https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.
upvoted 15 times
zellck
1 year, 9 months ago
Got this in Feb 2023 exam.
upvoted 9 times
...
zellck
1 year, 9 months ago
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#how-remediation-access-control-works When Azure Policy starts a template deployment when evaluating deployIfNotExists policies or modifies a resource when evaluating modify policies, it does so using a managed identity that is associated with the policy assignment. Policy assignments use managed identities for Azure resource authorization. You can use either a system-assigned managed identity that is created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum role-based access control (RBAC) role(s) required to remediate resources. If the managed identity is missing roles, an error is displayed in the portal during the assignment of the policy or an initiative.
upvoted 3 times
...
...
SeMo0o0o0o
Most Recent 3 weeks, 2 days ago
CORRECT
upvoted 1 times
...
frostgiant
3 weeks, 3 days ago
I got this question in November 2024. Still used.
upvoted 3 times
...
MeisAdriano
1 month, 2 weeks ago
RIGHT answer for Artificial Int.: Azure Policy Effect to Use: Modify: Use the "Modify" effect to ensure that new resources inherit the tags and values from their respective resource groups, allows you to add or change properties of resources during their creation, ensuring they comply with your tagging policy. not others: - Append: Useful for adding tags, but it doesn't allow for changes if the tags already exist. - EnforceOPAConstraint and EnforceRegoPolicy: Are used in kubernetes Scenario. Azure Active Directory (Azure AD) Object and Role-Based Access Control (RBAC) Role to Use for the Remediation Tasks: -A managed identity with the Contributor role: The Contributor role has the necessary permissions to modify existing resources and apply tags, aligning with the principle of least privilege. Managed identities are ideal for this task because they provide a secure way to grant access without requiring explicit credentials.
upvoted 1 times
MeisAdriano
1 month, 2 weeks ago
Not others: - Managed identity with the User Access Administrator role: This role is not required for tagging; it's primarily for managing user access. - Service principal with the Contributor role: While this would work, managed identities are generally preferred for automation and security. - Service principal with the User Access Administrator role: Same as above, unnecessary for tagging tasks.
upvoted 1 times
...
...
23169fd
5 months, 2 weeks ago
Given answer is correct. Modify: The Modify effect can enforce changes to existing resources to make them compliant with the policy, including adding or updating tags. It can also handle new resources and ensure they comply with the required tags, fulfilling all the specified requirements. A managed identity with the Contributor role is the best choice for the RBAC role, as it provides the necessary permissions to perform the required tasks while adhering to the principle of least privilege.
upvoted 1 times
...
jcxxxxx2020
1 year, 1 month ago
This question appeared on my Exam today 10/22/2023
upvoted 2 times
...
Darkeh
1 year, 3 months ago
An updated version of this question is now on the test. Essentially asks you to deploy a template via policy and the suggested answers are Modify, DeployIfNotExists and EnforceRegoPolicy. Other dropdown is what do you place within the policy definition? Scopes of the role assignments, identity of the remediation task or the RBAC of the remediation task. I chose Modify and identity of the remediation task, but I'm not sure if that's the correct answer.
upvoted 4 times
souvikdeb
1 year, 3 months ago
Are these questions till now valid?? The entire series?? Plz comment @darkeh
upvoted 1 times
...
Horus123
1 year, 1 month ago
I think you are referring to Question #61, Topic 1.
upvoted 2 times
...
Elecktrus
1 year, 2 months ago
Based only on the new wording of the question you indicate, I think the correct answers are: 1- Modify 2- RBAC of the remediation task. Microsoft says: "As a prerequisite, the policy definition must define the roles that deployIfNotExists and modify need to successfully deploy the content of the included template." https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-policy-definition The managed identity used is not included in the template.
upvoted 2 times
...
...
sankuro
1 year, 7 months ago
Got this on 5/7/2023 exam.
upvoted 4 times
...
ZUMY
1 year, 8 months ago
1. Modify 2. Managed identity with Contributor role
upvoted 1 times
...
johnD16
1 year, 8 months ago
Showed in exam 18.03.2023. correct passed 940/1000
upvoted 7 times
...
jj22222
1 year, 9 months ago
modify managed identity with contributor role
upvoted 1 times
...
lanntt
1 year, 9 months ago
In exam 14/2/2023
upvoted 3 times
jj22222
1 year, 9 months ago
thanks for confirming
upvoted 1 times
...
...
Sarvy
1 year, 9 months ago
In exam 2/12/2023
upvoted 1 times
...
ITboy8
1 year, 9 months ago
Modify MIC correct ans
upvoted 1 times
...
OPT_001122
1 year, 10 months ago
Box 1:Modify Box 2: A managed identity with the Contributor role Correct ans
upvoted 1 times
...
Maxime666
1 year, 10 months ago
Not easy. I thought "Append" was the good answer because no modifications were done directly on the tags but only ADD - READ - TriggerAction. But if the last "Trigger" action needs the right to modify then it will be the right answer, I suppose.
upvoted 1 times
...