AZ-500 Question #142: Real Exam Question with Answer & Explanation
The correct answer is D: DeployIfNotExist.
Question
You have to configure an Azure policy as part of your subscription. You have to assign policies that make use of different types of effects. Which of the following types of effect would require a managed identity for assignment purposes?
Options
- A. AuditIfNotExist
- B. Append
- C. Deny
- D. DeployIfNotExist
Explanation
Azure Policy Effects – Managed Identity Requirement
DeployIfNotExists (D) is correct because this effect actively deploys resources or configurations when a non-compliant resource is detected. Since it performs a remediation task (essentially running an ARM template deployment), Azure Policy needs a managed identity with appropriate permissions to take that action on your behalf - it must authenticate and act as a principal within your subscription.
AuditIfNotExists (A) only evaluates and logs non-compliance without making any changes, so no identity is needed to take action. Append (B) simply adds fields or properties to a resource during creation/update and works inline with the request - no separate identity required. Deny (C) merely blocks non-compliant requests at the point of submission, requiring no deployment action and therefore no managed identity.
💡 Memory Tip: Think "Deploy = Do" - any effect with the word "Deploy" in it (DeployIfNotExists) is actively doing something in Azure, which requires an identity with permissions. If the effect only watches, logs, or blocks, no identity is needed.