
AZ-500: Azure Policy Compliance: Ensuring Security in Subscription Management

Learn how to manage policy compliance in Azure Subscription1. Discover the state of policy assignments and their impact on security and access control.

Question

You have an Azure subscription named Subscription1 that contains a resource group named RG1 and the users shown in the following table.

You perform the following tasks:

  • Assign User1 the Network Contributor role for Subscription1.
  • Assign User2 the Contributor role for RG1.

To Subscription1 and RG1, you assign the following policy definition: External accounts with write permissions should be removed from your subscription. What is the Compliance State of the policy assignments?

A. The Compliance State of both policy assignments is Non-compliant.
B. The Compliance State of the policy assignment to Subscription1 is Compliant, and the Compliance State of the policy assignment to RG1 is Non-compliant.
C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.
D. The Compliance State of both policy assignments is Compliant.

Answer

C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.

Explanation

The correct answer is C. The Compliance State of the policy assignment to Subscription1 is Non-compliant, and the Compliance State of the policy assignment to RG1 is Compliant.

The Compliance State of a policy assignment indicates whether the resources within the scope of the policy assignment are following the rules defined by the policy definition. A policy assignment can have one of the following compliance states:

  • Compliant: All resources within the scope of the policy assignment are following the rules defined by the policy definition.
  • Non-compliant: One or more resources within the scope of the policy assignment are not following the rules defined by the policy definition.
  • Not started: The policy assignment has not been evaluated yet, or the evaluation is in progress.
  • Unknown: The compliance state of the policy assignment cannot be determined due to an error or a missing value.

In this case, the policy definition assigned to Subscription1 and RG1 is “External accounts with write permissions should be removed from your subscription”. This policy definition checks whether there are any external accounts (accounts that do not belong to your Azure Active Directory tenant) that have write permissions (roles that allow creating, updating, or deleting resources) on your subscription or resource group. If there are any such accounts, the policy assignment will be non-compliant.

According to the table, User1 and User2 are both external accounts, as their Source is Microsoft Account. User1 has been assigned the Network Contributor role for Subscription1, which is a built-in role that allows managing networks, but not access to them. This role has write permissions on Subscription1, as it allows creating, updating, or deleting network resources. Therefore, User1 violates the policy definition assigned to Subscription1, and makes the policy assignment non-compliant.

User2 has been assigned the Contributor role for RG1, which is a built-in role that allows managing all resources, but not access to them. This role has write permissions on RG1, as it allows creating, updating, or deleting any resource within the resource group. However, User2 does not violate the policy definition assigned to RG1, because the policy definition only checks for external accounts with write permissions on your subscription, not on your resource group. Therefore, User2 does not affect the compliance state of the policy assignment to RG1.

Since there are no other external accounts with write permissions on Subscription1 or RG1, the compliance state of the policy assignment to Subscription1 is non-compliant, and the compliance state of the policy assignment to RG1 is compliant.
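The reasoning above, as an added worked example (not code from the original page or from Microsoft): a small model of the compliance decision in which only external accounts holding a write role granted on a subscription count as violations, so a violating subscription must lie inside the policy assignment's scope for that assignment to be Non-compliant. Role names, user names, the "Microsoft Account" source and the subscription ID are constructed sample data; the write-role list is an assumption covering only this scenario.

```python
from dataclasses import dataclass

# Built-in roles the explanation treats as granting write permissions
# (create, update or delete resources). Assumption: enough for this scenario;
# real Azure has many more write-capable roles.
WRITE_ROLES = {"Owner", "Contributor", "Network Contributor"}
HOME_TENANT_SOURCE = "Azure AD"   # anything else is an external account

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    source: str   # identity source shown in the portal, e.g. "Microsoft Account"
    role: str
    scope: str    # ARM scope the role is granted on

def within(child: str, parent: str) -> bool:
    """True if scope `child` is `parent` itself or lies below it."""
    return child == parent or child.startswith(parent + "/")

def is_subscription_scope(scope: str) -> bool:
    """/subscriptions/<id> with nothing beneath it."""
    return scope.startswith("/subscriptions/") and scope.count("/") == 2

def compliance_state(policy_scope: str, assignments: list[RoleAssignment]) -> str:
    """Compliance state of the policy assignment at `policy_scope`, following the
    explanation: the definition looks for external accounts with write roles on a
    subscription, so a resource-group-scoped write role never triggers it."""
    for a in assignments:
        external = a.source != HOME_TENANT_SOURCE
        if external and a.role in WRITE_ROLES and is_subscription_scope(a.scope):
            if within(a.scope, policy_scope):
                return "Non-compliant"
    return "Compliant"

# Constructed sample data mirroring the question (subscription ID is a placeholder).
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUB1 + "/resourceGroups/RG1"
ASSIGNMENTS = [
    RoleAssignment("User1", "Microsoft Account", "Network Contributor", SUB1),
    RoleAssignment("User2", "Microsoft Account", "Contributor", RG1),
]

if __name__ == "__main__":
    print("Subscription1:", compliance_state(SUB1, ASSIGNMENTS))  # Non-compliant
    print("RG1:", compliance_state(RG1, ASSIGNMENTS))             # Compliant
```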


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
