Exam AZ-305
Question 65

HOTSPOT

You have an Azure subscription that contains multiple storage accounts.

You assign Azure Policy definitions to the storage accounts.

You need to recommend a solution to meet the following requirements:

• Trigger on-demand Azure Policy compliance scans.

• Raise Azure Monitor non-compliance alerts by querying logs collected by Log Analytics.

What should you recommend for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
godchild

My experience with Azure Policy alerts: Box 1: CLI is correct. I use a PowerShell command to do this. Box 2: I first set the diagnostic setting on the activity log so that all policy-related messages are sent to the Log Analytics workspace. And then on the Log Analytics workspace set up alert rules that send an alert whenever non-informative messages are found. Simply speaking, the diagnostic setting is on the activity log, the alert rule setup is on the Log Analytics workspace.

mmarkiew

Adding a reference supporting Azure CLI for box 1: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan It doesn't appear that on-demand scans can be initiated from Azure Portal.

mykola_yakovliev

Provided answers look correct: To trigger the compliance scans, use Azure CLI > https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan "An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process." To generate alerts, configure diagnostic settings for the Azure activity logs > https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule

mykola_yakovliev

Also, note that on-demand evaluation scan can be triggered not only by Azure CLI, but also using Azure PowerShell, REST API call and Azure Policy Compliance Scan GitHub action.

matanzpl

box 2 - Azure Activity logs are no longer supported: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-create-azure-monitor-alerts-for-non-compliant-azure/ba-p/713466

StixxNSnares

I'd say look into the MS Learn resource as it has the most updated information: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell

StixxNSnares

The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI. This article provides information on how to view the activity log and send it to different destinations. For more functionality, create a diagnostic setting to send the activity log to one or more of these locations for the following reasons: Send to Azure Monitor Logs for more complex querying and alerting and for longer retention, up to two years. Send to Azure Event Hubs to forward outside of Azure. Send to Azure Storage for cheaper, long-term archiving.

rtsh06

This question appeared in my exam on 13th May 2024. The given answer is correct.

Fidel_104

1 - CLI, 2 - Storage account. (1) For the 1st question, as others pointed out, you have to use the CLI: you cannot trigger them from the Portal, and the 3rd option (Templates) doesn't make any sense. Source: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan (2) This is tricky; I actually changed my mind after going through the docs. If you read the article 'Create diagnostic settings in Azure Monitor' (link below), you will see that the guide explicitly states (with screenshots) that within Azure Monitor, you have to select a resource (that is, the Storage account in our case), select Diagnostic settings, and then you can add a new or edit the existing diagnostic settings. Source: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal

kodathedog

It does indeed look like Activity Logs don't have the necessary information to create the required alerts. See https://techcommunity.microsoft.com/t5/fasttrack-for-azure/generate-azure-policy-compliance-alerts-by-sending-custom-data/ba-p/3671119

TonySuccess

Replaced by the Diagnostic Setting: https://azure.microsoft.com/en-us/updates/azure-activity-logs-legacy-solution-is-replaced-by-diagnostic-settings/#:~:text=Azure%20Activity%20Logs%20Legacy%20solution,settings%20%7C%20Azure%20updates%20%7C%20Microsoft%20Azure

23169fd

To Trigger the Compliance Scans: The Azure Command-Line Interface (CLI): Why: The Azure CLI provides a straightforward way to manually trigger on-demand compliance scans. It allows for automation and scripting, which can be incorporated into your existing workflows with minimal administrative effort. Why Not Other Options: An Azure template: Primarily used for deploying resources, not ideal for triggering compliance scans. The Azure portal: While you can manually trigger scans, it does not support automation and scripting as effectively as the CLI.

23169fd

To Generate the Non-Compliance Alerts: Log Analytics workspace: Why: By configuring diagnostic settings to send logs to a Log Analytics workspace, you can leverage Azure Monitor to query these logs and set up alerts for non-compliance. This integrates well with your existing monitoring solutions and ensures comprehensive log management and alerting. Why Not Other Options: Azure activity logs: While useful for auditing, they do not provide the detailed compliance information needed for triggering specific alerts. Storage accounts: Used for storing raw data and logs but not for querying and setting up detailed alerts without additional processing.

OlehT

The question is not about where to send logs, but about where you should configure diagnostic settings. 1.) You have an Azure subscription that contains multiple storage accounts. 2.) You assign Azure Policy definitions to the storage accounts. 3.) You trigger on-demand Azure Policy compliance scans. Where do you configure diagnostic settings? Answer: Storage Account

OlehT

Plus we already know what we want to store and query: - Raise Azure Monitor non-compliance alerts by querying logs collected by Log Analytics.

Lazylinux

I would say 1- Powershell CLI 2- Storage account for diagnostic setting

varinder82

Final Answer: 1- CLI 2- Storage account

profesorklaus

Here is how you can do it: 1. Create a Log Analytics workspace. 2. Create a policy referring to Storage Account which will be violated, i.e. "Storage accounts should restrict network access" or "Storage accounts should disable public network access". 3. Go to Monitor => Activity Log, find the option Export Activity Logs and click it. 4. Add a diagnostic setting for Policy and send it to the newly created workspace. Now all policy alerts should go to the Log Analytics workspace.

profesorklaus

7. Select or create an action group to email you about the policy violation. 8. Final step: add a storage account and wait until the alert is triggered. You should see it in your inbox or any target you specified. Enjoy!

profesorklaus

5. Run the policy scan with az policy state trigger-scan. This is a manual run and should show a policy compliance violation. 6. Go to Monitor => Alerts => Create alert rule. You need to choose Custom log search with a query which triggers the alert, i.e. AzureActivity | where CategoryValue == "Policy" and Level == "Warning" | count, and triggers when count > 0.
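The alert rule in steps 5 and 6 above, evaluated offline as an added example (not code from the original posts): it applies the same filter as the comment's KQL query to constructed AzureActivity-style rows and, going one step beyond the plain `| count`, groups the matches by ResourceId so the alert names the storage accounts involved. The column names (CategoryValue, Level, ResourceId, OperationNameValue) are assumed from the query in the comment; the subscription id is a placeholder and the rows are constructed, not exported data.

```python
"""Evaluate the activity-log non-compliance alert query over sample rows.

Added example: the rows below are constructed to mimic the AzureActivity table
that a diagnostic setting on the activity log fills in Log Analytics; they are
not real exported data. Column names follow the query in the comment above.
"""
from __future__ import annotations

import json
from collections import Counter

# Constructed sample rows, one JSON object per line; "<sub>" is a placeholder id.
RES = "/subscriptions/<sub>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts"
AUDIT = "Microsoft.Authorization/policies/audit/action"
SAMPLE_ACTIVITY_LOG = "\n".join(json.dumps(r) for r in [
    {"CategoryValue": "Policy", "Level": "Warning", "ResourceId": f"{RES}/stdemo001", "OperationNameValue": AUDIT},
    {"CategoryValue": "Policy", "Level": "Informational", "ResourceId": f"{RES}/stdemo002", "OperationNameValue": AUDIT},
    {"CategoryValue": "Administrative", "Level": "Warning", "ResourceId": f"{RES}/stdemo003",
     "OperationNameValue": "Microsoft.Storage/storageAccounts/write"},
    {"CategoryValue": "Policy", "Level": "Warning", "ResourceId": f"{RES}/stdemo001", "OperationNameValue": AUDIT},
    {"CategoryValue": "Policy", "Level": "Warning", "ResourceId": f"{RES}/stdemo003", "OperationNameValue": AUDIT},
])


def parse_activity_rows(text: str) -> list[dict]:
    """Parse JSON-lines rows, skipping blank lines (a malformed line raises)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def policy_warnings(rows: list[dict]) -> list[dict]:
    """KQL equivalent: AzureActivity | where CategoryValue == "Policy" and Level == "Warning"."""
    return [r for r in rows
            if r.get("CategoryValue") == "Policy" and r.get("Level") == "Warning"]


def alert_state(rows: list[dict], threshold: int = 0) -> dict:
    """Apply the comment's rule (| count, fire when count > threshold) and also
    summarize matches per ResourceId so the alert says which accounts are non-compliant."""
    hits = policy_warnings(rows)
    by_resource = Counter(r.get("ResourceId", "<unknown>") for r in hits)
    return {"count": len(hits), "fires": len(hits) > threshold,
            "by_resource": dict(by_resource)}


if __name__ == "__main__":
    # Administrative writes and Informational policy rows must not count.
    print(json.dumps(alert_state(parse_activity_rows(SAMPLE_ACTIVITY_LOG)), indent=2))
```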

amirGA

ChatGPT response: Triggering Compliance Scans: The Azure Command-Line Interface (CLI): Use the Azure CLI to trigger on-demand compliance scans. The command az policy state trigger-scan initiates a compliance evaluation for your policies. Generating Non-Compliance Alerts: Azure Activity Logs: Configure diagnostic settings for the Azure activity logs. Activity logs provide information about operations on resources in your subscription. By sending these logs to a Log Analytics workspace, you can query and create alerts based on policy non-compliance events. Correct Selections: To trigger the compliance scans, use: The Azure Command-Line Interface (CLI). To generate the non-compliance alerts, configure diagnostic settings for the: Azure activity logs. This configuration ensures that you can manually trigger policy compliance scans and monitor policy compliance through the activity logs, which can then be queried in Log Analytics for alerting purposes.

Risto83

1- CLI 2- Log analytics https://medium.com/azure-architects/using-log-analytics-alerts-for-non-compliant-azure-policies-8d99f74089d9

GSChoff

The first option is correct. For the second, the diagnostic log blade for Azure Monitor shows all the storage accounts with their diagnostic settings on or off; is the second answer still correct?

serget12

You should set it up using workflow automation in the portal, with continuous export set to the correct workspace.

kecskesajt

Is it correct?