Azure Policy Cheat Sheet

  • Ensure resources are compliant with a set of rules.
  • Manage your policies in a centralized location where you can track their compliance status and verify the non-compliant resources.
  • Select between built-in policies and custom policies.
  • Implement proper guardrails and assess compliance across the organization.
  • Policy vs. RBAC
    • A policy maintains compliance with the resource state, while RBAC focuses on controlling user actions at different scopes.
    • Even if the user has access to perform an action, if the result is a non-compliant resource, the policy will still block the create or update operation.
  • JSON format is used to create a policy.
  • Evaluation and outcome can be managed together with the resource provider, and the results are reported back to Azure Policy.
  • Policy order of evaluation: Disabled, Append/Modify, Deny and Audit
  • Azure Policy effects:
    • Append – adds additional fields to the requested resource.
    • Audit – a warning event for a non-compliant resource.
    • AuditIfNotExists – audits the resources when the condition is met.
    • Deny – prevents the request before it is sent to the Resource Provider.
    • DeployIfNotExists – if the condition is met, it allows you to execute a template deployment.
    • Disabled – allows you to disable a single assignment, rather than disabling all assignments under that policy.
    • Modify – manages tags of resources.
  • Determine the assigned resources with policy assignments.

Azure Policy vs Azure Role-Based Access Control (RBAC):

Validate Your Knowledge

Question 1

Question Type: Multiple-choice

Your company created a new Azure policy. You need to interpret the permissions that are allowed or denied by the policy shown below:

What is the effect of this policy?

  1. A user is restricted from creating any Azure Virtual Networks in TD Subscription.
  2. A user is allowed to create Azure Virtual Networks in TD-RG only.
  3. A user is restricted from creating Azure Virtual Networks in TD-RG.
  4. A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription.

Correct Answer: 2

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources into compliance through bulk remediation for existing resources and automatic remediation for new resources.

Policy evaluates resources in Azure by comparing the properties of resources to the business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative.

In the given policy, the resource group TD-RG is excluded from the effect of the policy. This means that you are allowed to create Virtual Networks in TD-RG. A policy exclusion allows you to assign a policy at a high level and then exclude scopes within it. For example, in an environment with applications and a central network, you want to have a policy for all the application resource groups but not the network resource group.

Hence, the correct answer is: A user is allowed to create Azure Virtual Networks in TD-RG.

The option that says: A user is restricted from creating any Azure Virtual Networks in TD-RG is incorrect. You are not prevented from creating Virtual Networks in the TD-RG resource group because it is excluded from the given policy.

The option that says: A user is restricted from creating any Azure Virtual Networks in TD Subscription is incorrect. Just like the option above, you are allowed to create Virtual Networks in the excluded resource group.

The option that says: A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription is incorrect because you can only create Virtual Networks in the TD-RG resource group.
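An added example, not part of the original page or the practice exam: the policy from the question is not reproduced here, so this Python model assumes a deny rule on virtual networks assigned at the TD Subscription with TD-RG listed in `notScopes`, and shows how the exclusion decides the outcome. The subscription ID, the `App-RG` and `TD-RG2` group names and all helper functions are constructed for illustration.

```python
import json

# Constructed definition: deny any virtual network (real policyRule shape).
DEFINITION = json.loads("""
{
  "mode": "All",
  "policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
    "then": {"effect": "deny"}
  }
}
""")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
# Constructed assignment: subscription scope with TD-RG excluded via notScopes.
ASSIGNMENT = {"scope": SUB, "notScopes": [SUB + "/resourceGroups/TD-RG"]}

def in_scope(resource_id, scope):
    """True if resource_id is the scope or a child of it (compared case-insensitively)."""
    rid, sc = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    # The trailing "/" stops TD-RG from also matching a sibling such as TD-RG2.
    return rid == sc or rid.startswith(sc + "/")

def rule_matches(cond, resource):
    """Handles only the field/equals condition used in DEFINITION."""
    return str(resource.get(cond["field"], "")).lower() == cond["equals"].lower()

def evaluate(resource, definition=DEFINITION, assignment=ASSIGNMENT):
    """Return the policy effect for a create/update request, or None if none applies."""
    rid = resource["id"]
    if not in_scope(rid, assignment["scope"]):
        return None                      # outside the assignment
    if any(in_scope(rid, ns) for ns in assignment["notScopes"]):
        return None                      # excluded scope: rule is never evaluated
    rule = definition["policyRule"]
    return rule["then"]["effect"] if rule_matches(rule["if"], resource) else None

def resource(rg, rtype, name):
    """Build a constructed resource with an ARM-style ID."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}", "type": rtype}

if __name__ == "__main__":
    vnet = "Microsoft.Network/virtualNetworks"
    for rg in ("TD-RG", "App-RG", "TD-RG2"):
        print(rg, evaluate(resource(rg, vnet, "vnet1")))
```

The `TD-RG2` case is the one to check when reviewing exclusions: a naive prefix match on the scope string would exempt it along with `TD-RG`.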


Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.
