A team wants to enforce that all Azure resource groups in a subscription are tagged with 'CostCenter' and 'Environment'. They need a solution that automatically applies these tags to any new resource group and ensures compliance without manual intervention. What should they use?
Trap 1: Azure RBAC
RBAC controls permissions, not resource configuration like tags.
Trap 2: Azure Blueprints
Azure Blueprints deploy environments but do not enforce tags in real-time during resource group creation.
Trap 3: Azure Resource Graph
Resource Graph is a query tool, not a compliance enforcement mechanism.
- A
Azure Policy
Azure Policy can enforce tagging rules via 'deny' or 'append' effects on resource groups.
- B
Azure RBAC
Why wrong: RBAC controls permissions, not resource configuration like tags.
- C
Azure Blueprints
Why wrong: Azure Blueprints deploy environments but do not enforce tags in real-time during resource group creation.
- D
Azure Resource Graph
Why wrong: Resource Graph is a query tool, not a compliance enforcement mechanism.