While preparing for the AZ-305, many candidates struggle with automated governance and identity design for Azure Policy remediation. In the enterprise world, this decision often hinges on balancing strict resource compliance versus minimizing administrative overhead and adhering to least privilege access. Let’s drill into a simulated tagging compliance scenario.
The Scenario #
Tailspin Manufacturing has migrated many legacy applications into Azure and organized its resources within resource groups that have strict tagging standards for cost allocation and compliance. New resources must automatically inherit the tags (and tag values) from their resource group, and existing resources need to be scanned to verify tag compliance. If tags are missing or mismatched, an automated remediation task must add or correct those tags.
To ensure security best practices, Tailspin wants to adhere to the principle of least privilege with no excessive permissions granted. The architecture team needs to design an Azure Policy implementation that enforces and remediates these tagging requirements.
Key Requirements #
- New Azure resources automatically inherit the tag keys and values from their owning resource group upon provisioning
- Existing resources are scanned and validated for tag consistency with their resource group
- Non-compliant resources trigger an automated remediation task that adds or updates missing tags
- The solution follows the least privilege principle for any managed identities or service principals involved
The Options #
- A) Policy Effect: Append (attach missing tags without overwriting existing)
- B) Policy Effect: Modify (overwrite or add missing tags)
- C) Identity: Managed Identity with Contributor role assigned
- D) Identity: Managed Identity with User Access Administrator role assigned
- E) Identity: Service Principal with Contributor role assigned
- F) Identity: Service Principal with User Access Administrator role assigned
Correct Answer #
B and C
The Architect’s Analysis #
Option B (Policy Effect: Modify) and Option C (Managed Identity with the Contributor role).
Step-by-Step Winning Logic #
- Modify effect is preferred over Append when tags must strictly match resource group tags, as Append only adds missing tags and never overwrites incorrect values. Modify enables full enforcement and remediation.
- Using a Managed Identity (versus a Service Principal) aligns with Azure best practices for Azure Policy remediation: managed identities are easier to manage, have their credentials rotated automatically by the platform, and reduce security risk because no secret is ever handled by an administrator.
- Assigning the Contributor role (instead of User Access Administrator) grants sufficient permissions to update resource tags without over-permissioning. This supports the Cloud Adoption Framework pillars of Security (least privilege) and Operational Excellence (automated remediation with minimal manual effort).
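Added example (not from the original post) of a custom policy definition that implements option B: a Modify effect with an `addOrReplace` operation that copies the resource group's tag value onto any resource whose value is missing or different. The `tagName` parameter and the display name are assumptions; the `roleDefinitionIds` entry is the built-in Contributor role definition ID, which is what the remediation identity must be granted at the assignment scope.

```json
{
  "properties": {
    "displayName": "Inherit a tag from the resource group, overwriting mismatched values",
    "description": "Added example: Modify effect with addOrReplace; the remediation identity needs only the role listed in roleDefinitionIds.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Tag Name", "description": "Tag key to inherit, e.g. CostCenter (assumed value)" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

The second `allOf` condition stops the policy from firing when the resource group itself lacks the tag; changing `addOrReplace` to `add` would only fill in missing tags and leave wrong values untouched, which is the same gap the Append effect in option A has.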
The Traps (Distractor Analysis) #
- Why not A (Append)? Append does not correct inconsistent or incorrect tag values, which violates strong governance rules demanding tag matching.
- Why not D or F (User Access Administrator)? This role grants broad permission to assign roles to other principals, which breaches the principle of least privilege and is not needed for tag remediation tasks.
- Why not E (Service Principal)? While service principals can be used, managed identities are recommended due to improved security posture and ease of management.
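Added example (not from the original post) of the identity design behind option C, expressed as a subscription-scope ARM template: the policy assignment is created with a system-assigned managed identity, that identity is granted only Contributor at the subscription, and a remediation task is started afterwards so existing resources are re-evaluated. The assignment name, tag name, location, and the `policyDefinitionId` parameter are assumptions; the role GUID is the built-in Contributor role.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionId": { "type": "string" },
    "tagName": { "type": "string", "defaultValue": "CostCenter" },
    "location": { "type": "string", "defaultValue": "eastus" }
  },
  "variables": {
    "assignmentName": "inherit-tag-from-rg",
    "contributorRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "assignmentId": "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', variables('assignmentName'))]",
    "roleAssignmentName": "[guid(subscription().id, variables('assignmentName'), variables('contributorRoleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "[variables('assignmentName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "policyDefinitionId": "[parameters('policyDefinitionId')]",
        "parameters": { "tagName": { "value": "[parameters('tagName')]" } }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[variables('roleAssignmentName')]",
      "dependsOn": [ "[variables('assignmentId')]" ],
      "properties": {
        "principalId": "[reference(variables('assignmentId'), '2022-06-01', 'Full').identity.principalId]",
        "roleDefinitionId": "[variables('contributorRoleId')]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      "type": "Microsoft.PolicyInsights/remediations",
      "apiVersion": "2021-10-01",
      "name": "remediate-inherit-tag",
      "dependsOn": [ "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]" ],
      "properties": {
        "policyAssignmentId": "[variables('assignmentId')]",
        "resourceDiscoveryMode": "ReEvaluateCompliance"
      }
    }
  ]
}
```

The role assignment is scoped to the subscription being governed rather than to a management group or tenant, and the remediation depends on it so the identity has its permissions before the first remediation deployment runs.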
The Architect Blueprint #
Diagram (not reproduced here) illustrating the flow of policy enforcement and remediation: Azure Policy evaluates resources against tag rules and triggers remediation via a Managed Identity with Contributor rights to modify tags automatically, ensuring compliance with resource group tagging standards.
The Decision Matrix (Mandatory for Expert Level) #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A: Append | Low | Minimal (policy evaluation only) | Simple to implement, minimal risk of tag overwrites | Does not fix existing incorrect tag values, partial compliance only |
| B: Modify | Medium | Minimal + transient costs if remediation runs | Full enforcement and remediation, ensures exact compliance | Slightly higher risk if misconfigured (overwrites values) |
| C: Managed Identity (Contributor) | Low | Free (no additional cost) | Built-in identity with automatic credential management, least privilege | Needs proper role assignment scoping |
| D: Managed Identity (User Access Admin) | Low | Free | Excess permissions enable role assignment | Violates least privilege, security risk |
| E: Service Principal (Contributor) | Medium | Free | Can be reused across subscriptions | Requires credential management, higher admin overhead |
| F: Service Principal (User Access Admin) | Medium | Free | Broad permissions for user/role management | Over-permissioned, violates least privilege |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always pick Managed Identities when you see automated remediation with Azure Policy, and assign the least privileged role needed such as Contributor for resource modification.”
Real World #
“In enterprise governance, using Modify effects combined with managed identities scoped precisely ensures tagging governance at scale without granting excessive permissions or requiring manual fixes, a key principle in Microsoft’s Cloud Adoption Framework.”