
AZ-500: Azure Policy Compliance: Ensuring Security in Subscription Management

Learn how Azure Policy reports compliance for a policy assignment scoped to a subscription versus one scoped to a resource group, using an AZ-500 practice question about external accounts that hold write permissions.

Question

You have an Azure subscription named Subscription1 that contains a resource group named RG1 and the users shown in the following table.

You perform the following tasks:

  • Assign User1 the Network Contributor role for Subscription1.
  • Assign User2 the Contributor role for RG1.

To Subscription1 and RG1, you assign the following policy definition: External accounts with write permissions should be removed from your subscription. What is the Compliance State of the policy assignments?

A. The Compliance State of both policy assignments is Non-compliant.
B. The Compliance State of the policy assignment to Subscription1 is Compliant, and the Compliance State of the policy assignment to RG1 is Non-compliant.
C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.
D. The Compliance State of both policy assignments is Compliant.

Answer

C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.

Explanation

The correct answer is C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.

The Compliance State of a policy assignment indicates whether the resources within the scope of the policy assignment are following the rules defined by the policy definition. A policy assignment can have one of the following compliance states:

  • Compliant: All resources within the scope of the policy assignment are following the rules defined by the policy definition.
  • Non-compliant: One or more resources within the scope of the policy assignment are not following the rules defined by the policy definition.
  • Not started: The policy assignment has not been evaluated yet, or the evaluation is in progress.
  • Unknown: The compliance state of the policy assignment cannot be determined due to an error or a missing value.

In this case, the policy definition assigned to Subscription1 and RG1 is “External accounts with write permissions should be removed from your subscription”. This is one of the Microsoft Defender for Cloud recommendations that Microsoft also ships as a built-in Azure Policy definition. It checks whether any external accounts (accounts that do not belong to your Azure Active Directory tenant, now Microsoft Entra ID, such as guest users or Microsoft Account users) hold a role with write permissions (the ability to create, update, or delete resources) on the subscription. Its policy rule targets the subscription resource itself, so a subscription is the only kind of resource it ever evaluates; if any such account exists at that scope, the policy assignment is reported as non-compliant.

According to the table, User1 and User2 are both external accounts, as their Source is Microsoft Account. User1 has been assigned the Network Contributor role for Subscription1, a built-in role that allows managing networks, but not access to them. This role has write permissions, as it allows creating, updating, or deleting network resources, and the assignment sits at the subscription scope, which is exactly what the policy evaluates. Therefore User1 violates the policy definition assigned to Subscription1 and makes that policy assignment non-compliant.

User2 has been assigned the Contributor role for RG1, a built-in role that allows managing all resources, but not access to them. This role has write permissions on RG1, as it allows creating, updating, or deleting any resource within the resource group. However, User2 does not affect the policy assignment to RG1, because the policy definition only evaluates external accounts with write permissions on your subscription, not on a resource group: a resource group contains no subscription resource for the rule to evaluate, so the assignment scoped to RG1 has nothing to flag and is reported as Compliant.

Since there are no other external accounts with write permissions on Subscription1, the compliance state of the policy assignment to Subscription1 is non-compliant, and the compliance state of the policy assignment to RG1 is compliant. In practice you read these states in the portal under Policy > Compliance or with Get-AzPolicyState; a freshly created assignment shows Not started until the first evaluation completes, which you can force with Start-AzPolicyComplianceScan instead of waiting for the scheduled cycle.
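To make the scope rule concrete, here is an added Python model of the check, written for this page and not code from the original question or from Microsoft. It assumes the policy evaluates only the subscription resource (so an assignment scoped to a resource group has nothing to evaluate), treats any account whose Source is not “Azure Active Directory” as external, abbreviates the built-in role definitions, and uses a made-up subscription ID. In a real tenant the role definitions and assignments would come from Get-AzRoleDefinition and Get-AzRoleAssignment (or `az role definition list` and `az role assignment list`).

```python
"""Model of the check behind "External accounts with write permissions should be
removed from your subscription", applied at subscription and resource-group scope.

Added example, not code from the original page or from Microsoft. Role definitions,
users and role assignments are constructed to mirror the question.
"""
from dataclasses import dataclass

# Abbreviated built-in role definitions (constructed; the real ones list more actions).
ROLE_ACTIONS = {
    "Owner": ["*"],
    "Contributor": ["*"],
    "Reader": ["*/read"],
    "Network Contributor": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
}


@dataclass(frozen=True)
class Principal:
    name: str
    source: str  # the "Source" column of the users blade, e.g. "Microsoft Account"


@dataclass(frozen=True)
class RoleAssignment:
    principal: Principal
    role: str
    scope: str  # ARM scope string the role is assigned at


def is_external(principal: Principal) -> bool:
    """An account is external when it is not a member of the home tenant.
    Assumption: home-tenant members report the source "Azure Active Directory";
    invited guests and Microsoft Account users are external."""
    return principal.source != "Azure Active Directory"


def grants_write(role: str) -> bool:
    """A role grants write permission if any allowed action is not read-only.
    Wildcards such as "*" or "Microsoft.Network/*" include create/update/delete."""
    return any(not action.endswith("/read") for action in ROLE_ACTIONS[role])


def is_subscription_scope(scope: str) -> bool:
    """True for '/subscriptions/<id>' with nothing after the subscription id."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0] == "subscriptions"


def evaluate_assignment(policy_scope: str, assignments: list[RoleAssignment]):
    """Return (compliance_state, offending_role_assignments) for one policy assignment.

    The policy rule targets the subscription resource type, so only a subscription is
    ever evaluated. An assignment scoped to a resource group contains no such resource,
    evaluates nothing, and is reported Compliant (a simplification: the portal shows
    no evaluated resources for it).
    """
    if not is_subscription_scope(policy_scope):
        return "Compliant", []
    offending = [
        ra for ra in assignments
        if ra.scope == policy_scope and is_external(ra.principal) and grants_write(ra.role)
    ]
    return ("Non-compliant" if offending else "Compliant"), offending


# Constructed data mirroring the question (the subscription id is made up).
SUBSCRIPTION1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUBSCRIPTION1 + "/resourceGroups/RG1"
USER1 = Principal("User1", "Microsoft Account")
USER2 = Principal("User2", "Microsoft Account")
ASSIGNMENTS = [
    RoleAssignment(USER1, "Network Contributor", SUBSCRIPTION1),
    RoleAssignment(USER2, "Contributor", RG1),
]

if __name__ == "__main__":
    for scope in (SUBSCRIPTION1, RG1):
        state, offending = evaluate_assignment(scope, ASSIGNMENTS)
        print(f"{scope}: {state}", [f"{ra.principal.name} ({ra.role})" for ra in offending])
```

Running it reports Non-compliant for Subscription1 (User1, Network Contributor) and Compliant for RG1. To use the same logic against a live subscription, feed it the output of `Get-AzRoleAssignment -Scope "/subscriptions/<id>"` and `Get-AzRoleDefinition`; note that assignments made to groups need the group membership expanded before the external-account test, which this model does not do.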
