
AZ-305 Exam - Question 20


HOTSPOT

You need to design an Azure policy that will implement the following functionality:

✑ For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.

✑ For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.

✑ For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.

The solution must use the principle of least privilege.

What should you include in the design? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Box 1: Modify

Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.

Incorrect:

* The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy

* Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.

Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead.

Box 2: A managed identity with the Contributor role

The managed identity must be granted the roles required to remediate the resources.

Contributor - Can create and manage all types of Azure resources but can't grant access to others.

Incorrect:

User Access Administrator: lets you manage user access to Azure resources.

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
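As an added example (not the exam page's own content), a Python model of the design the answer describes: the policyRule of a Modify-effect definition that inherits a tag from the resource group, with roleDefinitionIds limited to Contributor, plus a small offline simulation of which resources the rule would flag and what a remediation task would set. It follows the documented inherit-tag-from-resource-group pattern; the resource and resource-group data are constructed.

```python
# Added example, not from the exam page: Modify-effect policyRule that inherits
# one tag from the resource group, and an offline simulation of its evaluation.

# Built-in Contributor role: enough to write tags, so the remediation identity
# does not need User Access Administrator (least privilege).
CONTRIBUTOR_ROLE_ID = (
    "/providers/Microsoft.Authorization/roleDefinitions/"
    "b24988ac-6180-42a0-ab88-20f7382dd24f"
)

def policy_rule(tag_name: str) -> dict:
    """policyRule block that inherits `tag_name` from the resource group."""
    tag_field = f"tags['{tag_name}']"
    rg_value = f"[resourceGroup().tags['{tag_name}']]"
    return {
        "if": {
            "allOf": [
                {"field": tag_field, "notEquals": rg_value},
                # Do nothing when the resource group itself lacks the tag.
                {"value": rg_value, "notEquals": ""},
            ]
        },
        "then": {
            "effect": "modify",
            "details": {
                # Roles the assignment's managed identity needs to remediate.
                "roleDefinitionIds": [CONTRIBUTOR_ROLE_ID],
                "operations": [
                    {"operation": "addOrReplace", "field": tag_field, "value": rg_value}
                ],
            },
        },
    }

def evaluate(resources: list, groups: dict, tag_name: str) -> list:
    """Simulate the rule: (name, compliant, value a remediation task would set)."""
    out = []
    for res in resources:
        want = groups.get(res["resourceGroup"], {}).get(tag_name, "")
        have = res.get("tags", {}).get(tag_name)
        fires = want != "" and have != want  # both allOf conditions true
        out.append((res["name"], not fires, want if fires else None))
    return out

# Constructed sample inventory (not real resources).
GROUPS = {"rg-app": {"costCenter": "CC-100"}, "rg-untagged": {}}
RESOURCES = [
    {"name": "vm1", "resourceGroup": "rg-app", "tags": {}},
    {"name": "vm2", "resourceGroup": "rg-app", "tags": {"costCenter": "CC-999"}},
    {"name": "vm3", "resourceGroup": "rg-app", "tags": {"costCenter": "CC-100"}},
    {"name": "vm4", "resourceGroup": "rg-untagged", "tags": {}},
]
```

`evaluate(RESOURCES, GROUPS, "costCenter")` flags vm1 (missing tag) and vm2 (wrong value) for remediation, and leaves vm3 and the resource in the untagged group alone.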

Discussion

manubust
Aug 31, 2022

Question #33 in AZ-304. Right answer

abrakadabra200
Apr 15, 2025

Is it hard to put correct answer here?

zellck
Feb 26, 2023

1. Modify
2. Managed identity with Contributor role

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify

Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.

zellck
Feb 26, 2023

https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#how-remediation-access-control-works

When Azure Policy starts a template deployment when evaluating deployIfNotExists policies or modifies a resource when evaluating modify policies, it does so using a managed identity that is associated with the policy assignment. Policy assignments use managed identities for Azure resource authorization. You can use either a system-assigned managed identity that is created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum role-based access control (RBAC) role(s) required to remediate resources. If the managed identity is missing roles, an error is displayed in the portal during the assignment of the policy or an initiative.

zellck
Feb 28, 2023

Got this in Feb 2023 exam.

johnD16
Mar 18, 2023

Showed in exam 18.03.2023. Correct, passed 940/1000.

sankuro
May 9, 2023

Got this on 5/7/2023 exam.

Darkeh
Aug 25, 2023

An updated version of this question is now on the test. Essentially asks you to deploy a template via policy and the suggested answers are Modify, DeployIfNotExists and EnforceRegoPolicy. Other dropdown is what do you place within the policy definition? Scopes of the role assignments, identity of the remediation task or the RBAC of the remediation task. I chose Modify and identity of the remediation task, but I'm not sure if that's the correct answer.

souvikdeb
Aug 25, 2023

Is this question still valid? The entire series? Please comment @darkeh

Elecktrus
Sep 11, 2023

Based only on the new wording of the question you indicate, I think the correct answers are:
1. Modify
2. RBAC of the remediation task

Microsoft says: "As a prerequisite, the policy definition must define the roles that deployIfNotExists and modify need to successfully deploy the content of the included template."
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-policy-definition

The managed identity used is not included in the template.

Horus123
Oct 14, 2023

I think you are referring to Question #61, Topic 1.

frostgiant
Nov 10, 2024

I got this question in November 2024. Still used.

Parmjeet
Jan 2, 2023

Deprecated options: EnforceOPAConstraint, EnforceRegoPolicy

lanntt
Feb 18, 2023

In exam 14/2/2023

jj22222
Feb 26, 2023

thanks for confirming

mufflon
Sep 16, 2022

Modify and managed identity with Contributor role. The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy.

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

jcxxxxx2020
Oct 22, 2023

This question appeared on my Exam today 10/22/2023

MeisAdriano
Oct 21, 2024

RIGHT answer for Artificial Int.:

Azure Policy Effect to Use: Modify. Use the "Modify" effect to ensure that new resources inherit the tags and values from their respective resource groups; it allows you to add or change properties of resources during their creation, ensuring they comply with your tagging policy.

Not others:
- Append: Useful for adding tags, but it doesn't allow for changes if the tags already exist.
- EnforceOPAConstraint and EnforceRegoPolicy: Are used in a Kubernetes scenario.

Azure Active Directory (Azure AD) Object and Role-Based Access Control (RBAC) Role to Use for the Remediation Tasks:
- A managed identity with the Contributor role: The Contributor role has the necessary permissions to modify existing resources and apply tags, aligning with the principle of least privilege. Managed identities are ideal for this task because they provide a secure way to grant access without requiring explicit credentials.

MeisAdriano
Oct 21, 2024

Not others:
- Managed identity with the User Access Administrator role: This role is not required for tagging; it's primarily for managing user access.
- Service principal with the Contributor role: While this would work, managed identities are generally preferred for automation and security.
- Service principal with the User Access Administrator role: Same as above, unnecessary for tagging tasks.

most_lenyora
Sep 5, 2022

Correct

Maxime666
Jan 25, 2023

Not easy. I thought "Append" was the good answer because no modifications were done directly on the tags but only ADD - READ - TriggerAction. But if the last "Trigger" action needs the right to modify, then it will be the right answer, I suppose.

OPT_001122
Jan 25, 2023

Box 1: Modify. Box 2: A managed identity with the Contributor role. Correct answer.

ITboy8
Feb 14, 2023

Modify, MIC. Correct answer.

Sarvy
Feb 14, 2023

In exam 2/12/2023

jj22222
Feb 26, 2023

Modify, managed identity with Contributor role.

ZUMY
Mar 31, 2023

1. Modify 2. Managed identity with Contributor role

23169fd
Jun 20, 2024

Given answer is correct. Modify: The Modify effect can enforce changes to existing resources to make them compliant with the policy, including adding or updating tags. It can also handle new resources and ensure they comply with the required tags, fulfilling all the specified requirements. A managed identity with the Contributor role is the best choice for the RBAC role, as it provides the necessary permissions to perform the required tasks while adhering to the principle of least privilege.

[Removed]
Nov 11, 2024

CORRECT