A company uses Azure Policy to enforce governance. They want to prevent users from creating virtual machines of the Standard_DS3_v2 SKU in their subscription, and they also want to log any attempt to create such a VM (whether successful or not) for audit purposes. What is the minimum number of Azure Policy assignments required to meet both requirements?
- A. One – assign a policy definition with the Deny effect.
  Why wrong: A single Deny effect prevents creation but does not produce a separate compliance state for audit purposes; it only logs a denial event. The requirement explicitly asks for logging attempts for audit, which is more clearly satisfied by an Audit effect.
- B. One – assign a policy definition with the Audit effect.
  Why wrong: An Audit effect logs the attempt and shows compliance state, but it does not block the creation of the VM. The requirement also includes preventing the VM from being created.
- C. Two – assign one policy definition with the Deny effect and another with the Audit effect.
  Correct: Assigning two policies, one with Deny and one with Audit, simultaneously blocks creation of the forbidden VM SKU and provides a clear compliance view of all attempts (both successful and blocked) for auditing. This is the minimum configuration that satisfies both requirements.
- D. Two – assign one policy definition with the Deny effect and another with the Append effect.
  Why wrong: The Append effect adds tags or settings but does not log attempts for audit. Combining Deny with Append still does not address the logging/audit requirement.