Exam AZ-104 All QuestionsBrowse all questions from this exam
Go to Exam
Question 88

HOTSPOT -

You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.

You assign an Azure policy that has the following settings:

✑ Scope: Sub1

✑ Exclusions: Sub1/RG1/VNET1

✑ Policy definition: Append a tag and its value to resources

✑ Policy enforcement: Enabled

✑ Tag name: Tag4

✑ Tag value: value4

You assign tags to the resources as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: No -

    The Azure Policy will add Tag4 to RG1.

    Box 2: No -

    Tags applied to the resource group or subscription aren't inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3:

    Value1 and the Azure Policy will add Tag4.

    Box 3: No -

    Tags applied to the resource group or subscription aren't inherited by the resources so VNET1 does not have Tag2.

    VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json

Discussion
Lionred

N, N, N 1st No: Azure policy was created before the RG1 was assigned tag, which means when RG1 was manually assigned tag Tag2:IT, the policy will take action to append Tag4:vaule4 to RG1. Note that policy action is to "append", that means whatever else tag RG1 is given won't be taken away. As such RG1 will have two tags, Tag2:IT and Tag4:value4 2nd No: Remember tags are not inheritable, whatever tag assigned to RG1 won't be applied to any resources under it. As such the Storage1 should be Tag3:value1 and Tag4:vaule4. 3rd No: vNet1 is excluded from the Azure policy, hence the policy won't do anything to it. As such vNet1 should only have the tag manually assigned: Tag3:value2. PS, I take that "Exclusions: Sub1/RG1/VNET1" does not mean both RG1 & vNet1 are excluded, only vNet1 is excluded, the Sub1/RG1/VNET1 is merely a path to the object that is excluded.

S3ktar

Not true, if the RG1 exists before the policy is in place, it will not apply the tags. This is even true if you go into the resource to add the tags as mentioned in the question, it will not apply the policy rules just because you are adding a tag. The result of this will be that the resources will only be tagged as not compliant until it is fixed. Source: I tested it in the portal

S3ktar

Correct answer is y-n-n

mufflon

Are you sure? When you are updating the resources with tags according to "You assign tags to the resources as shown in the following table" then , dont you update the resource and the policy activates? A policy adds the by the policy specified tag and value when any resource missing the tag is created or updated, so it vill add Tag4 with value: value4

albergd

The trick is not there, the trick is in the policy: "Append a tag and its value to resources" : this policy does not apply to Resource Groups. You can check here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies To apply the policy to a RG you need to use "Append a tag and its value to resource groups". The answer is Y-N-N

Abdou001

@Albergd, you convinced me. Thanks !

marioZuo

I tested also, but the tag is appended automatically on my side.

juniorccs

this is just wron

Pear7777

#1 is YES, since the RG1 is in the exclusions of the azure policy, so Tag4_Value4 is not applied.

steel72

Agreed

buzzerboy

disagree, only RG1/VNET is in exclusion,

Zeppoonstream

it has nothing to do with the exclusion. It has something to do with how Azure applies Tags via policies to existing resources. Tags for/of existing resources will only be added/modified when you also run a remidiation job. It will not happen automatically. As there is no remediation job mentioned in the question, the answer of the first question is YES Read this article: https://sandervandevelde.wordpress.com/2022/03/19/enforce-tag-usage-on-azure-resources-using-tag-policies/

RougePotatoe

Just in case anyone is still confused. RG1 was listed as a resource group before the policy was assigned. According to the way the question is structured.

dimsok

Y-N-N, RG1 is exluded

testmobile18

Wouldn't it be Y-N-N? Y - RG1 is excluded thus retain as it is N - Storage1 will have Tag3:value1 and Tag4:value4 N - VNET1 is excluded as well so only have Tag3:value2

Edward2021

I think the same!!! Y N N

olsenOnS

Correct, Y - RG1 has its own tag, and is excluded from policy N N

gofto

doubt that this explanation is correct

maatksle

Dude, you're wrong. Please refer to Lionred's answer. RG1 has already a tag to it and the policy appends the tag not take away and add. Guys, please upvote his answer.

mufflon

First you have the resources specified, they you assign a policy that says Tag name: Tag4 and Tag value: value4. Then you assign tags to the resources as shown in the table. When assigning tags to the resources, the resources gets updated and the policy gets activated and adds its tag. https://www.examtopics.com/exams/microsoft/az-104/view/9/#

promartyr

"Exclusions: Sub1/RG1/VNET1": IT MEANS : "the virtual network called VNet1 (which is inside Resource Group RG1, and inside Subscription called Sub1) is excluded from the policy" IT DOES NOT MEAN: "Sub1 _and_ RG1 _and_ VNet1 are excluded from the policy"

Aadhithya

This is the best explanation for the exclusion criteria

18c2076

Too all of you who are just as confused as I was reading this question, specifically this bit: "Exclusions: Sub1/RG1/VNET1" PLEASE BE AWARE: This is a PATH. A PATH to VNET1... Sub1 contains RG1, which contains VNET1. The "exclusion" here is VNET1 and NOT all 3 resources. This took me far longer than I care to admit to figure out. The answer makes much more sense when you view it this way lol. Happy studying.

ICTZaakwaarnemer

Thanks!

ric2020

Correction2: I ran a test for this and the result is: 1. YES: RG1 will have tag2:it the policy at the subscription level, it is not applied to resource groups, only to the subscription resources. 2. NOT: tag3:value1 and tag4:value4. Adding a label manually Azure considers it an edit, and applies the policy to it. 3. NO: tag3:value2 only since it is excluded

vsvaid

Y-N-N Tags are applied during create and update of resource or we can run a remediation task to apply tag. So here in this case Tag4:value4 will not be applied to any.option

mkhlszf

Two things to notice: "Sub1/RG1/VNET1" reads as a path not a list, so it only applies to VNET1 and not RG1 and Sub1 The tag does not appliy to RG1 because it is a resource group and the policy specifies "Append a tag and its value to resources" so it will only apply to resources, no resource groups. Therfore, answer is. Y N N

edurakhan

on the exam today 6/6/2024

tashakori

Given answer is right

jacksparrowtabali

yes no no

Amir1909

Correct No No No

OpOmOp

I dont know why subs1 will get tag4. When you assign the policy you have this warning: By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned

2dc6125

Y,n,n. IT tag already exists and policy has append action so will not remove the existing tag

3c5adce

ChatGPT4 - NNY

Wassel_Laouini

Y-N-N, the policy excluded RG1, meaning it has no tag(the tag4), all good now? then it said you assign a tag1 to RG1, which you can because it has nothing to do with the policy

tashakori

Given answer is right

bacana

No one says anything about remediation, YNN