Azure Policy

Last updated on July 3, 2023

Azure Policy Cheat Sheet

  • Ensure resources are compliant with a set of rules.
  • Manage your policies in a centralized location where you can track their compliance status and verify the non-compliant resources.
  • Select between built-in policies and custom policies.
  • Implement proper guardrails and assess compliance across the organization.
  • Policy vs. RBAC
    • A policy enforces and reports on the state of resources, while RBAC controls which actions a user or identity may perform at a given scope.
    • The two are evaluated independently: even if RBAC grants a user the right to perform an action, a policy with the Deny effect still blocks the create or update request when the resulting resource would be non-compliant (Audit effects only log it).
  • A policy definition is written in JSON: a mode, optional parameters, and a policyRule made of an if condition and a then block that names the effect. Several definitions can be grouped into an initiative.
  • In Resource Provider modes (for example Microsoft.Kubernetes.Data), the resource provider itself manages the evaluation and outcome and reports the results back to Azure Policy.
  • Policy order of evaluation for a create or update request: Disabled is checked first (the rule is not evaluated at all), then Append and Modify (which can alter the request), then Deny, then Audit. AuditIfNotExists and DeployIfNotExists only run after the Resource Provider has returned success.
  • Azure Policy effects:
    • Append – adds fields to the requested resource during creation or update (for example a default tag).
    • Audit – records a warning event in the activity log for a non-compliant resource but does not stop the request.
    • AuditIfNotExists – audits a resource when a related resource matching the existence condition is missing (for example a VM with no diagnostics extension).
    • Deny – rejects the request before it is sent to the Resource Provider.
    • DeployIfNotExists – deploys a template when the related resource is missing; the assignment needs a managed identity holding the roles listed in roleDefinitionIds.
    • Disabled – the rule is not evaluated. Parameterising the effect lets you disable a single assignment rather than every assignment of that definition.
    • Modify – adds, updates, or removes properties or tags on a resource during creation or update; like DeployIfNotExists it requires a managed identity.
  • A policy assignment applies a definition or initiative to a scope (management group, subscription, or resource group). Child scopes can be excluded from the assignment, and every resource under the scope is evaluated and reported on the compliance dashboard.

Azure Policy vs Azure Role-Based Access Control (RBAC):
https://tutorialsdojo.com/azure-policy-vs-azure-role-based-access-control-rbac/

Validate Your Knowledge

Question 1

Question Type: Single choice

Your company created a new Azure policy. You need to interpret the permissions that are allowed or denied by the policy shown below:

What is the effect of this policy?

  1. A user is restricted from creating any Azure Virtual Networks in TD Subscription.
  2. A user is allowed to create Azure Virtual Networks in TD-RG only.
  3. A user is restricted from creating Azure Virtual Networks in TD-RG.
  4. A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription.

Correct Answer: 2

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Policy evaluates resources in Azure by comparing the properties of resources to the business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative.

In the given policy, the resource group TD-RG is excluded from the scope of the policy assignment, so the policy is not evaluated there at all and you are allowed to create Virtual Networks in TD-RG. A policy exclusion (the assignment's notScopes list) allows you to assign a policy at a high level and then exclude scopes within it. For example, in an environment with applications and a central network, you want the policy to apply to all the application resource groups but not to the network resource group. Keep in mind that an excluded scope produces no compliance data for that policy, so exclusions should be reviewed as carefully as the assignments themselves; an Azure Policy exemption is the alternative when you want to waive a scope without editing the assignment.

Hence, the correct answer is: A user is allowed to create Azure Virtual Networks in TD-RG only.

The option that says: A user is restricted from creating Azure Virtual Networks in TD-RG is incorrect. You are not prevented from creating Virtual Networks in the TD-RG resource group because it is excluded from the given policy assignment.

The option that says: A user is restricted from creating any Azure Virtual Networks in TD Subscription is incorrect. Just like the option above, you are allowed to create Virtual Networks in the excluded resource group.

The option that says: A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription is incorrect because you can only create Virtual Networks in the TD-RG resource group.
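To make the exclusion logic above and the cheat sheet's effect order concrete, here is an added example, not code from the page, the practice exam, or Microsoft: a small Python model of how an assignment with notScopes is matched against a request and how Disabled, Modify, Deny and Audit are applied in order. The definitions and request bodies are constructed in the real Azure Policy JSON shape but are assumptions; the subscription id TD and the resource group names are the question's placeholders, and the evaluator is a simplified model that supports only a subset of the condition grammar, not the Azure Policy service itself.

```python
"""Simplified model of how Azure Policy evaluates a create/update request.
Added example, not the Azure engine: supports a subset of the definition JSON
(field/equals/exists/allOf/anyOf, a parameterised effect, Modify addOrReplace on
tags), assignment scope/notScopes, and the order Disabled -> Modify -> Deny -> Audit."""
import copy

EFFECT_ORDER = ["Append", "Modify", "Deny", "Audit"]         # Disabled is checked before the rule runs
POST_RP_EFFECTS = ["AuditIfNotExists", "DeployIfNotExists"]  # run only after the Resource Provider succeeds


def get_field(resource, name):
    """Resolve a policy 'field' alias: tags['x'] or a top-level property (subset)."""
    if name.startswith("tags['"):
        return resource.get("tags", {}).get(name[6:-2])      # tags['owner'] -> owner
    return resource.get(name)


def evaluate_condition(cond, resource):
    """Evaluate an 'if' block (subset of the real condition grammar)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition {cond}")


def resolve_effect(definition, assignment):
    """Resolve "[parameters('effect')]" from the assignment, else the definition default."""
    props = definition["properties"]
    effect = props["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('"):
        pname = effect[len("[parameters('"):-len("')]")]
        assigned = assignment.get("parameters", {}).get(pname)
        effect = assigned["value"] if assigned else props["parameters"][pname]["defaultValue"]
    return effect


def in_scope(resource_id, assignment):
    """In scope = under the assignment scope and not under any notScopes (exclusion) entry."""
    def under(scope):
        return (resource_id.lower() + "/").startswith(scope.lower().rstrip("/") + "/")
    return under(assignment["scope"]) and not any(under(s) for s in assignment.get("notScopes", []))


def evaluate_request(resource, policies):
    """Evaluate a request body against [(definition, assignment), ...] in effect order.
    Returns {"outcome": "Allowed"|"Denied", "deniedBy": name|None, "audits": [...], "resource": body}."""
    resource, applicable = copy.deepcopy(resource), []
    for definition, assignment in policies:
        if not in_scope(resource["id"], assignment):
            continue                                          # excluded scopes are never evaluated
        effect = resolve_effect(definition, assignment)
        if effect != "Disabled" and effect not in POST_RP_EFFECTS:
            applicable.append((EFFECT_ORDER.index(effect), effect, definition))
    audits = []
    for _, effect, definition in sorted(applicable, key=lambda t: t[0]):
        rule = definition["properties"]["policyRule"]
        if not evaluate_condition(rule["if"], resource):
            continue
        if effect == "Modify":   # runs before Deny/Audit, so later rules see the changed request
            for op in rule["then"]["details"]["operations"]:
                key, tags = op["field"][6:-2], resource.setdefault("tags", {})
                if op["operation"] == "addOrReplace" or key not in tags:
                    tags[key] = op["value"]
        elif effect == "Deny":   # evaluated before Audit so a denied resource is not double-logged
            return {"outcome": "Denied", "deniedBy": definition["name"], "audits": audits, "resource": resource}
        elif effect == "Audit":
            audits.append(definition["name"])
    return {"outcome": "Allowed", "deniedBy": None, "audits": audits, "resource": resource}


# Constructed sample definitions in the Azure Policy JSON shape (names are assumptions; a real
# Modify assignment also needs roleDefinitionIds and a managed identity, omitted in this model).
DENY_VNET = {"name": "deny-virtual-networks", "properties": {
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny"}},
    "policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
                   "then": {"effect": "[parameters('effect')]"}}}}
ADD_OWNER_TAG = {"name": "modify-add-owner-tag", "properties": {"parameters": {}, "policyRule": {
    "if": {"field": "tags['owner']", "exists": "false"},
    "then": {"effect": "Modify", "details": {"operations": [
        {"operation": "addOrReplace", "field": "tags['owner']", "value": "platform-team"}]}}}}}
REQUIRE_OWNER_TAG = {"name": "deny-missing-owner-tag", "properties": {"parameters": {}, "policyRule": {
    "if": {"field": "tags['owner']", "exists": "false"}, "then": {"effect": "Deny"}}}}

# The question's scenario: the vNet deny is assigned at the subscription with TD-RG excluded.
POLICIES = [
    (DENY_VNET, {"scope": "/subscriptions/TD", "notScopes": ["/subscriptions/TD/resourceGroups/TD-RG"]}),
    (ADD_OWNER_TAG, {"scope": "/subscriptions/TD"}),
    (REQUIRE_OWNER_TAG, {"scope": "/subscriptions/TD"}),
]


def vnet_request(rg, **tags):
    """Constructed PUT body for a virtual network in resource group rg of the TD subscription."""
    return {"id": f"/subscriptions/TD/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/vnet1",
            "type": "Microsoft.Network/virtualNetworks", "name": "vnet1", "location": "eastus", "tags": tags}


if __name__ == "__main__":
    for rg in ("TD-RG", "App-RG"):
        r = evaluate_request(vnet_request(rg), POLICIES)
        print(rg, r["outcome"], r["deniedBy"], r["resource"]["tags"])
```

Running it shows the two halves of the question: the vNet in TD-RG is allowed because the deny assignment never sees it, while the same request in App-RG is denied. It also shows why the evaluation order matters: the Modify policy adds the owner tag before the tag-requiring Deny runs, so that second Deny does not fire; set the Modify assignment aside and the same request is rejected for the missing tag instead.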

References:
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
https://docs.microsoft.com/en-us/azure/governance/policy/overview

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

Azure Policy Cheat References:

https://azure.microsoft.com/en-us/services/azure-policy/
https://docs.microsoft.com/en-us/azure/governance/policy/overview


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
