AZ-500 Question #31: Real Exam Question with Answer & Explanation
The correct answer is C: DeployIfNotExist.
Question
From the Azure portal, you are configuring an Azure policy. You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects. Which effect requires a managed identity for the assignment?
Options
- A. AuditIfNotExist
- B. Append
- C. DeployIfNotExist
- D. Deny
Explanation
DeployIfNotExist requires a managed identity because it actively deploys or modifies resources when they are found to be non-compliant - this remediation action requires Azure Policy to authenticate and have permissions to make changes on your behalf, which is handled through a managed identity (specifically a system-assigned managed identity).
Why the distractors are wrong:
- AuditIfNotExist (A): This effect only checks for the existence of a related resource and logs non-compliance - it never takes action, so no identity is needed.
- Append (B): This effect adds fields to a resource during creation or update as part of the request itself, not as a separate deployment action, so no managed identity is required.
- Deny (D): This simply blocks non-compliant resource requests from being created or modified - it doesn't deploy anything, requiring no identity.
Memory Tip: Think of it this way - if the policy does something (deploys resources), it needs an identity to act as an "actor." The word "Deploy" in DeployIfNotExist is your clue: deploying = acting = needs a managed identity. Similarly, Modify (another effect not listed here) also requires a managed identity since it also takes remediation action.