- A
Create a remediation task for the policy assignment.
Correct: A remediation task automatically scans existing resources and applies the 'DeployIfNotExists' effect to bring them into compliance. This is the intended mechanism for remediating non-compliant resources that existed before the policy was assigned.
- B
Change the policy effect to 'Deny'.
Why wrong: Incorrect: Changing the effect to 'Deny' would block creation of non-compliant new VMs but would not remediate existing non-compliant VMs. It does not deploy the agent automatically.
- C
Assign the policy at the management group scope.
Why wrong: Incorrect: Changing the assignment scope to a management group does not trigger remediation of existing resources. It only expands the group of subscriptions and resource groups where the policy is applied to new resources.
- D
Use Azure Automation Update Management.
Why wrong: Incorrect: Azure Automation Update Management is designed to manage operating system updates and patches, not to deploy extensions or enforce Azure Policy compliance. It does not install the Azure Monitor agent.
Quick Answer
The answer is to create a remediation task for the policy assignment. This is correct because a DeployIfNotExists policy effect automatically handles new resources, but it does not retroactively scan or fix existing non-compliant VMs. A remediation task explicitly triggers the policy engine to evaluate all pre-existing resources in the scope, identify those missing the Azure Monitor agent, and deploy the extension automatically, closing the compliance gap without manual intervention. On the AZ-900 exam, this scenario tests your understanding that DeployIfNotExists policies require a separate remediation step for existing resources, which is a common trap—many candidates assume the effect applies to everything automatically. Remember the key distinction: DeployIfNotExists covers new resources, while remediation tasks handle the backlog of existing non-compliant VMs. A useful memory tip is "New gets Deploy, Old needs Remediate"—if it existed before the policy assignment, you must run a remediation task to make it compliant.
AZ-900 Describe Azure management and governance Practice Question
This AZ-900 practice question tests your understanding of describe azure management and governance. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses Azure Policy to enforce that all virtual machines must have the Azure Monitor agent extension installed. The policy is assigned to a subscription and uses the 'DeployIfNotExists' effect, which automatically installs the agent on new VMs. However, the security team notices that several existing VMs are non-compliant because they were provisioned before the policy was assigned. The team wants to automatically make these existing VMs compliant without manual intervention. What should the team do?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Create a remediation task for the policy assignment.
Option A is correct because a remediation task on a 'DeployIfNotExists' policy assignment triggers the policy engine to evaluate existing non-compliant resources and automatically deploy the required extension (Azure Monitor agent) to those VMs. This is the designed mechanism to bring pre-existing resources into compliance without manual intervention.
Key principle: Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Create a remediation task for the policy assignment.
Why this is correct
Correct: A remediation task automatically scans existing resources and applies the 'DeployIfNotExists' effect to bring them into compliance. This is the intended mechanism for remediating non-compliant resources that existed before the policy was assigned.
Related concept
Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
- ✗
Change the policy effect to 'Deny'.
Why it's wrong here
Incorrect: Changing the effect to 'Deny' would block creation of non-compliant new VMs but would not remediate existing non-compliant VMs. It does not deploy the agent automatically.
- ✗
Assign the policy at the management group scope.
Why it's wrong here
Incorrect: Changing the assignment scope to a management group does not trigger remediation of existing resources. It only expands the group of subscriptions and resource groups where the policy is applied to new resources.
- ✗
Use Azure Automation Update Management.
Why it's wrong here
Incorrect: Azure Automation Update Management is designed to manage operating system updates and patches, not to deploy extensions or enforce Azure Policy compliance. It does not install the Azure Monitor agent.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse 'Deny' (which blocks future non-compliant actions) with 'DeployIfNotExists' (which requires a remediation task to fix existing resources), leading them to incorrectly choose option B thinking it will enforce compliance retroactively.
Detailed technical explanation
How to think about this question
Under the hood, a 'DeployIfNotExists' policy uses a linked template deployment to install the agent, and the remediation task re-evaluates the policy assignment's compliance state for existing resources, triggering the deployment for each non-compliant VM. The remediation task can be run on-demand or scheduled, and it respects the policy's defined deployment template and parameters. In real-world scenarios, this is critical for large-scale environments where hundreds of pre-existing VMs must be brought into compliance without manual scripting or RDP access.
KKey Concepts to Remember
- Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
- They are initiated manually or via API/CLI after a policy assignment.
- A remediation task scans resources and triggers deployments to achieve compliance.
- Remediation is essential for retroactive application of policies to existing infrastructure.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
Real-world example
How this comes up in practice
An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.
What to study next
Got this wrong? Here's your next step.
Review remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources., then practise related AZ-900 questions on the same topic to reinforce the concept.
- →
Describe Azure management and governance — study guide chapter
Learn the concepts, then practise the questions
- →
Describe Azure management and governance practice questions
Targeted practice on this topic area only
- →
All AZ-900 questions
1,031 questions across all exam domains
- →
Microsoft Azure Fundamentals AZ-900 study guide
Full concept coverage aligned to exam objectives
- →
AZ-900 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related AZ-900 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Describe cloud concepts practice questions
Practise AZ-900 questions linked to Describe cloud concepts.
Describe Azure architecture and services practice questions
Practise AZ-900 questions linked to Describe Azure architecture and services.
Describe Azure management and governance practice questions
Practise AZ-900 questions linked to Describe Azure management and governance.
AZ-900 Azure services practice questions
Practise AZ-900 questions linked to AZ-900 Azure services.
AZ-900 pricing and support practice questions
Practise AZ-900 questions linked to AZ-900 pricing and support.
AZ-900 security and compliance practice questions
Practise AZ-900 questions linked to AZ-900 security and compliance.
AZ-900 governance practice questions
Practise AZ-900 questions linked to AZ-900 governance.
Practice this exam
Start a free AZ-900 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-900 question test?
Describe Azure management and governance — This question tests Describe Azure management and governance — Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources..
What is the correct answer to this question?
The correct answer is: Create a remediation task for the policy assignment. — Option A is correct because a remediation task on a 'DeployIfNotExists' policy assignment triggers the policy engine to evaluate existing non-compliant resources and automatically deploy the required extension (Azure Monitor agent) to those VMs. This is the designed mechanism to bring pre-existing resources into compliance without manual intervention.
What should I do if I get this AZ-900 question wrong?
Review remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources., then practise related AZ-900 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Remediation tasks apply 'DeployIfNotExists' or 'Modify' effects to existing non-compliant resources.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
8 more ways this is tested on AZ-900
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company uses Azure Policy to enforce that all virtual machines must be from an approved list of SKUs. They want to ensure that any non-compliant VMs that already exist are automatically remediated by changing the VM size to a compliant SKU. Which policy effect should they use?
hard- A.Deny
- B.Audit
- C.Append
- ✓ D.Modify
Why D: The Modify effect is correct because it allows Azure Policy to automatically change non-compliant resources to a compliant state during evaluation. In this scenario, it can alter the VM size to an approved SKU without manual intervention, ensuring continuous compliance.
Variation 2. A company has multiple Azure subscriptions. They need to enforce a rule that only specific virtual machine sizes (e.g., Standard_D2s_v3) can be used across all subscriptions. They also want this rule to automatically apply to any future subscriptions created. Which Azure service should they use?
medium- ✓ A.Azure Policy
- B.Azure Blueprints
- C.Azure Role-Based Access Control (RBAC)
- D.Azure Resource Manager
Why A: Azure Policy is the correct service because it allows you to create, assign, and manage policies that enforce specific rules (such as allowed virtual machine SKUs) across your Azure environment. By assigning a built-in or custom policy definition (e.g., 'Allowed virtual machine SKUs') at the management group scope, the rule automatically applies to all existing and future subscriptions within that management group, ensuring consistent governance without manual intervention.
Variation 3. A company wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically apply the tag to new resources, and also to existing resources that are missing it. Which Azure service should they use?
easy- ✓ A.Azure Policy
- B.Azure Blueprints
- C.Azure Resource Manager
- D.Azure Cost Management
Why A: Azure Policy is the correct service because it can enforce tagging rules by evaluating resources against a policy definition and automatically applying the 'CostCenter' tag to new resources via the 'deployIfNotExists' effect. It can also remediate existing non-compliant resources by triggering a remediation task that applies the missing tag. This makes Azure Policy the ideal tool for governance and compliance at scale.
Variation 4. A company wants to ensure that all resources in their Azure environment are created with mandatory tags for cost tracking. They have already assigned a policy to append tags, but existing resources are still missing tags. They want to automatically add the tags to existing resources without manual intervention. What should they do?
medium- A.Modify the policy effect to 'deny' instead of 'append'.
- ✓ B.Create a remediation task for the policy.
- C.Use Azure Resource Graph to identify and manually tag.
- D.Reassign the policy with a new scope.
Why B: A remediation task is the correct solution because Azure Policy's 'append' effect only applies to new or updated resources. To automatically add the missing tags to existing non-compliant resources, you must create a remediation task that triggers a deployment to apply the policy's 'deployIfNotExists' or 'modify' effect. This task runs on demand or on a schedule to bring existing resources into compliance without manual intervention.
Variation 5. A company needs to ensure that all Azure resources have a mandatory 'CostCenter' tag. If a resource is created without this tag, the resource creation should be blocked. Which Azure Policy effect should they use?
easy- A.Append
- ✓ B.Deny
- C.Audit
- D.DeployIfNotExists
Why B: The Deny effect is correct because it actively blocks any resource creation or update that does not comply with the policy rule, such as missing the mandatory 'CostCenter' tag. This ensures that non-compliant resources are never provisioned, enforcing governance at the point of creation.
Variation 6. A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?
easy- ✓ A.A) deny
- B.B) audit
- C.C) append
- D.D) deployIfNotExists
Why A: The 'deny' effect is correct because it actively blocks any resource creation request that does not include the required 'CostCenter' tag. Azure Policy with the 'deny' effect evaluates the resource against the policy rule at creation or update time and rejects the request if the condition is not met, ensuring compliance before the resource is provisioned.
Variation 7. A company wants to ensure that all Azure resources are tagged with metadata such as 'Environment' and 'Department'. They have created an Azure Policy that appends the required tags and their values when a resource is created. However, they notice that some resources created before the policy assignment are missing tags. They want to automatically add those tags without manual effort. What should they do?
medium- A.Create a remediation task for the policy
- ✓ B.Create a new policy with DeployIfNotExists effect
- C.Use Azure Resource Graph to query and update
- D.Create an Azure Automation runbook
Why B: Option B is correct because the DeployIfNotExists (DINE) policy effect can automatically remediate non-compliant resources, including those created before the policy assignment. When combined with a managed identity, DINE triggers a deployment task that adds the required tags without manual intervention, addressing the gap left by the 'append' effect which only acts on new resources.
Variation 8. A company has a governance requirement that every Azure virtual machine must have a tag named 'CostCenter' with the value 'Unassigned'. If a user creates a VM without the tag, or with a different value for that tag, the tag should be automatically corrected to 'Unassigned' immediately upon resource creation. The IT team is writing an Azure Policy definition to enforce this. Which Policy effect should they use?
medium- A.Deny
- B.Audit
- ✓ C.Modify
- D.DeployIfNotExists
Why C: The Modify effect is correct because it automatically corrects non-compliant tags (missing or wrong value) to the specified value ('Unassigned') during resource creation or update, without blocking the deployment. This satisfies the requirement for immediate, automatic remediation without denying the VM creation entirely.
Last reviewed: Jun 11, 2026
This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.