Question 237 of 1,031
Describe Azure management and governance · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to create a remediation task for the policy assignment. This is correct because a DeployIfNotExists policy effect automatically handles new resources, but it does not retroactively scan or fix existing non-compliant VMs. A remediation task explicitly triggers the policy engine to evaluate all pre-existing resources in the scope, identify those missing the Azure Monitor agent, and deploy the extension automatically, closing the compliance gap without manual intervention. On the AZ-900 exam, this scenario tests your understanding that DeployIfNotExists policies require a separate remediation step for existing resources, which is a common trap—many candidates assume the effect applies to everything automatically. Remember the key distinction: DeployIfNotExists covers new resources, while remediation tasks handle the backlog of existing non-compliant VMs. A useful memory tip is "New gets Deploy, Old needs Remediate"—if it existed before the policy assignment, you must run a remediation task to make it compliant.

AZ-900 Describe Azure management and governance Practice Question

This AZ-900 practice question tests your understanding of the Describe Azure management and governance objective. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses Azure Policy to enforce that all virtual machines must have the Azure Monitor agent extension installed. The policy is assigned to a subscription and uses the 'DeployIfNotExists' effect, which automatically installs the agent on new VMs. However, the security team notices that several existing VMs are non-compliant because they were provisioned before the policy was assigned. The team wants to automatically make these existing VMs compliant without manual intervention. What should the team do?


Correct answer & explanation

Create a remediation task for the policy assignment.

Option A is correct because a remediation task on a 'DeployIfNotExists' policy assignment triggers the policy engine to evaluate existing non-compliant resources and automatically deploy the required extension (Azure Monitor agent) to those VMs. This is the designed mechanism to bring pre-existing resources into compliance without manual intervention.

Key principle: Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a remediation task for the policy assignment.

    Why this is correct

    Correct: A remediation task automatically scans existing resources and applies the 'DeployIfNotExists' effect to bring them into compliance. This is the intended mechanism for remediating non-compliant resources that existed before the policy was assigned.

    Related concept

    Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.

  • Change the policy effect to 'Deny'.

    Why it's wrong here

    Incorrect: Changing the effect to 'Deny' would block creation of non-compliant new VMs but would not remediate existing non-compliant VMs. It does not deploy the agent automatically.

  • Assign the policy at the management group scope.

    Why it's wrong here

    Incorrect: Changing the assignment scope to a management group does not trigger remediation of existing resources. It only expands the group of subscriptions and resource groups where the policy is applied to new resources.

  • Use Azure Automation Update Management.

    Why it's wrong here

    Incorrect: Azure Automation Update Management is designed to manage operating system updates and patches, not to deploy extensions or enforce Azure Policy compliance. It does not install the Azure Monitor agent.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse 'Deny' (which blocks future non-compliant actions) with 'DeployIfNotExists' (which requires a remediation task to fix existing resources), leading them to incorrectly choose option B thinking it will enforce compliance retroactively.

Detailed technical explanation

How to think about this question

Under the hood, a 'DeployIfNotExists' policy uses a linked template deployment to install the agent, and the remediation task re-evaluates the policy assignment's compliance state for existing resources, triggering the deployment for each non-compliant VM. The remediation task can be run on-demand or scheduled, and it respects the policy's defined deployment template and parameters. In real-world scenarios, this is critical for large-scale environments where hundreds of pre-existing VMs must be brought into compliance without manual scripting or RDP access.

Key Concepts to Remember

  • Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
  • They are initiated manually or via API/CLI after a policy assignment.
  • A remediation task scans resources and triggers deployments to achieve compliance.
  • Remediation is essential for retroactive application of policies to existing infrastructure.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.

Real-world example

How this comes up in practice

An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.

What to study next

Got this wrong? Here's your next step.

Review the principle that remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources, then practise related AZ-900 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this AZ-900 question test?

This question tests the Describe Azure management and governance objective, specifically that remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.

What is the correct answer to this question?

The correct answer is: Create a remediation task for the policy assignment. — Option A is correct because a remediation task on a 'DeployIfNotExists' policy assignment triggers the policy engine to evaluate existing non-compliant resources and automatically deploy the required extension (Azure Monitor agent) to those VMs. This is the designed mechanism to bring pre-existing resources into compliance without manual intervention.

What should I do if I get this AZ-900 question wrong?

Review the principle that remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources, then practise related AZ-900 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

8 more ways this is tested on AZ-900

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company uses Azure Policy to enforce that all virtual machines must be from an approved list of SKUs. They want to ensure that any non-compliant VMs that already exist are automatically remediated by changing the VM size to a compliant SKU. Which policy effect should they use?

hard
  • A. Deny
  • B. Audit
  • C. Append
  • D. Modify

Why D: The Modify effect is correct because it allows Azure Policy to automatically change non-compliant resources to a compliant state during evaluation. In this scenario, it can alter the VM size to an approved SKU without manual intervention, ensuring continuous compliance.

Variation 2. A company has multiple Azure subscriptions. They need to enforce a rule that only specific virtual machine sizes (e.g., Standard_D2s_v3) can be used across all subscriptions. They also want this rule to automatically apply to any future subscriptions created. Which Azure service should they use?

medium
  • A. Azure Policy
  • B. Azure Blueprints
  • C. Azure Role-Based Access Control (RBAC)
  • D. Azure Resource Manager

Why A: Azure Policy is the correct service because it allows you to create, assign, and manage policies that enforce specific rules (such as allowed virtual machine SKUs) across your Azure environment. By assigning a built-in or custom policy definition (e.g., 'Allowed virtual machine SKUs') at the management group scope, the rule automatically applies to all existing and future subscriptions within that management group, ensuring consistent governance without manual intervention.

Variation 3. A company wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically apply the tag to new resources, and also to existing resources that are missing it. Which Azure service should they use?

easy
  • A. Azure Policy
  • B. Azure Blueprints
  • C. Azure Resource Manager
  • D. Azure Cost Management

Why A: Azure Policy is the correct service because it can enforce tagging rules by evaluating resources against a policy definition and automatically applying the 'CostCenter' tag to new resources via the 'deployIfNotExists' effect. It can also remediate existing non-compliant resources by triggering a remediation task that applies the missing tag. This makes Azure Policy the ideal tool for governance and compliance at scale.

Variation 4. A company wants to ensure that all resources in their Azure environment are created with mandatory tags for cost tracking. They have already assigned a policy to append tags, but existing resources are still missing tags. They want to automatically add the tags to existing resources without manual intervention. What should they do?

medium
  • A. Modify the policy effect to 'deny' instead of 'append'.
  • B. Create a remediation task for the policy.
  • C. Use Azure Resource Graph to identify and manually tag.
  • D. Reassign the policy with a new scope.

Why B: A remediation task is the correct solution because Azure Policy's 'append' effect only applies to new or updated resources. To automatically add the missing tags to existing non-compliant resources, you must create a remediation task that triggers a deployment to apply the policy's 'deployIfNotExists' or 'modify' effect. This task runs on demand or on a schedule to bring existing resources into compliance without manual intervention.

Variation 5. A company needs to ensure that all Azure resources have a mandatory 'CostCenter' tag. If a resource is created without this tag, the resource creation should be blocked. Which Azure Policy effect should they use?

easy
  • A. Append
  • B. Deny
  • C. Audit
  • D. DeployIfNotExists

Why B: The Deny effect is correct because it actively blocks any resource creation or update that does not comply with the policy rule, such as missing the mandatory 'CostCenter' tag. This ensures that non-compliant resources are never provisioned, enforcing governance at the point of creation.

Variation 6. A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?

easy
  • A. deny
  • B. audit
  • C. append
  • D. deployIfNotExists

Why A: The 'deny' effect is correct because it actively blocks any resource creation request that does not include the required 'CostCenter' tag. Azure Policy with the 'deny' effect evaluates the resource against the policy rule at creation or update time and rejects the request if the condition is not met, ensuring compliance before the resource is provisioned.

Variation 7. A company wants to ensure that all Azure resources are tagged with metadata such as 'Environment' and 'Department'. They have created an Azure Policy that appends the required tags and their values when a resource is created. However, they notice that some resources created before the policy assignment are missing tags. They want to automatically add those tags without manual effort. What should they do?

medium
  • A. Create a remediation task for the policy
  • B. Create a new policy with DeployIfNotExists effect
  • C. Use Azure Resource Graph to query and update
  • D. Create an Azure Automation runbook

Why B: Option B is correct because the DeployIfNotExists (DINE) policy effect can automatically remediate non-compliant resources, including those created before the policy assignment. When combined with a managed identity, DINE triggers a deployment task that adds the required tags without manual intervention, addressing the gap left by the 'append' effect which only acts on new resources.

Variation 8. A company has a governance requirement that every Azure virtual machine must have a tag named 'CostCenter' with the value 'Unassigned'. If a user creates a VM without the tag, or with a different value for that tag, the tag should be automatically corrected to 'Unassigned' immediately upon resource creation. The IT team is writing an Azure Policy definition to enforce this. Which Policy effect should they use?

medium
  • A. Deny
  • B. Audit
  • C. Modify
  • D. DeployIfNotExists

Why C: The Modify effect is correct because it automatically corrects non-compliant tags (missing or wrong value) to the specified value ('Unassigned') during resource creation or update, without blocking the deployment. This satisfies the requirement for immediate, automatic remediation without denying the VM creation entirely.

Last reviewed: Jun 11, 2026


This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.