Update LAB_02b-Manage_Governance_via_Azure_Policy.md

staleycyn 2024-01-04 07:36:20 -08:00 committed by GitHub
parent 6aa6ba79c9
commit 7f2eb89db6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -44,11 +44,11 @@ There are several interactive lab simulations that you might find useful for thi
## Task 1: Assign tags via the Azure portal
In this task, you will create and assign a tag to an Azure resource group via the Azure portal. Tags are a critical component of a governance strategy as outlined by the Microsoft Well-Architected Framework and Cloud Adoption Framework. Tags can allow you to quickly identify resource owners, sunset dates, group contacts, and other name/value pairs that your organization deems important. For this exercise, you will assign a tag identifying the resource role ('Infra' for 'Infrastructure').
In this task, you will create and assign a tag to an Azure resource group via the Azure portal. Tags are a critical component of a governance strategy as outlined by the Microsoft Well-Architected Framework and Cloud Adoption Framework. Tags can allow you to quickly identify resource owners, sunset dates, group contacts, and other name/value pairs that your organization deems important. For this task, you assign a tag identifying the resource role ('Infra' for 'Infrastructure').
1. Sign in to the **Azure portal** - `https://portal.azure.com`.
1. Search for and select **Resource groups**.
1. Search for and select `Resource groups`.
1. From the Resource groups, select **+ Create**.
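Review bot: The rewritten closing sentence of the Task 1 introduction ("For this task, you assign a tag identifying the resource role") switches to present tense while the opening sentence of the same paragraph still reads "In this task, you will create and assign a tag". Pick one tense for the paragraph. The same hunk also moves the search term to code formatting (`Resource groups`) while the next step keeps **+ Create** in bold; if the intent is code formatting for text the learner types and bold for UI labels, state that convention in the contributor guidance so later edits follow it.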
@ -60,7 +60,7 @@ In this task, you will create and assign a tag to an Azure resource group via th
1. On the resource group blade, click **Tags** in the left menu and create a new tag.
1. Create a tag with the following settings and apply your change:
1. Create a tag with the following settings.
| Setting | Value |
| --- | --- |
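Review bot: The new step "Create a tag with the following settings." drops "and apply your change", so within the visible lines nothing tells the learner to apply the tag after filling in the table. A tag that is entered but not applied leaves the resource group untagged, and the later inheritance task depends on the **Role** tag being present on the group. Either keep the apply instruction in this step or add an explicit step after the settings table. The trailing colon that introduced the table is also gone; restore it so the step still reads as leading into the table.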
@ -75,9 +75,9 @@ In this task, you will create and assign a tag to an Azure resource group via th
In this task, you will assign the built-in *Require a tag and its value on resources* policy to the resource group and evaluate the outcome. Azure Policy can be used to enforce configuration, and in this case, governance, to your Azure resources.
1. In the Azure portal, search for and select **Policy**.
1. In the Azure portal, search for and select `Policy`.
1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of built-in policy definitions that are available for you to use. It might also help to search for `Require a tag`.
1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of [built-in policy definitions](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies) that are available for you to use. Notice you can also search for a definition.
![Screenshot of the policy definition.](../media/az104-lab02b-policytags.png)
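Review bot: The replacement sentence "Notice you can also search for a definition." removes the concrete search term `Require a tag` that the old step gave, even though the task introduction names the definition *Require a tag and its value on resources* as the one to assign. Keep the term so the learner lands on the intended built-in definition, for example "Notice you can also search for a definition, such as `Require a tag`." The added link to the built-in policy list is a useful addition.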
@ -102,7 +102,7 @@ In this task, you will assign the built-in *Require a tag and its value on resou
| Description | `Require Cost Center tag with default value for all resources in the resource group`|
| Policy enforcement | Enabled |
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. The **Description** is optional. **Assigned by** is automatically populated based on the user name creating the assignment.
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. The **Description** is optional. **Assigned by** is automatically populated based with the user name creating the assignment.
1. Click **Next** twice and set **Parameters** to the following values:
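Review bot: The edited note introduces a grammar error in its last sentence: "automatically populated based with the user name creating the assignment". Use either "populated with the user name" or the original "populated based on the user name".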
@ -113,17 +113,13 @@ In this task, you will assign the built-in *Require a tag and its value on resou
1. Click **Next** and review the **Remediation** tab. Leave the **Create a Managed Identity** checkbox unchecked.
>**Note**: This setting can be used when the policy or initiative includes the **deployIfNotExists** or **Modify** effect.
1. Click **Review + Create** and then click **Create**.
>**Note**: Now you will verify that the new policy assignment is in effect by attempting to create another Azure Storage account in the resource group without explicitly adding the required tag.
>**Note**: Now you will verify that the new policy assignment is in effect by attempting to create an Azure Storage account in the resource group. You will create the storage account without adding the required tag.
>**Note**: It might take between 5 and 15 minutes for the policy to take effect.
>**Note**: It might take between 5 and 10 minutes for the policy to take effect.
1. Navigate back to the blade of the resource group that you created in the previous task, and select the **Tags** blade.
1. On the resource group blade, click **+ Create** and then search for **Storage Account**, and click **+ Create**.
1. In the portal, search for and select `Storage Account`, and select **+ Create**.
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the resource group that the policy was applied to and specify the following settings (leave others with their defaults), click **Review** and then click **Create**:
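Review bot: The propagation note narrows from "between 5 and 15 minutes" to "between 5 and 10 minutes" with no explanation in the commit, and the very next steps test enforcement by creating a storage account without the tag. If the assignment has not taken effect yet, that creation succeeds and the learner cannot tell a slow rollout from a misconfigured assignment. Keep the wider window unless there is a source for the shorter one, and add a sentence saying to wait and retry if validation passes unexpectedly. Separately, the new step starts from a portal search rather than from the resource group blade, so the resource group is no longer preselected; the following step does say to verify it, which becomes the only safeguard against creating the account outside the policy scope.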
@ -146,7 +142,7 @@ In this task, you will assign the built-in *Require a tag and its value on resou
In this task, we will use a new policy definition to remediate any non-compliant resources. This will use a remediation task as part of the policy to modify existing resources to be compliant with the policy. In this scenario, we will make any child resources of a resource group inherit the **Role** tag that was defined on the resource group.
1. In the Azure portal, search for and select **Policy**.
1. In the Azure portal, search for and select `Policy`.
1. In the **Authoring** section, click **Assignments**.
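Review bot: This step now formats the search term as code (`Policy`) while the next step keeps **Authoring** and **Assignments** in bold. That is consistent with the other hunks in this commit only if the rule is "code formatting for what the learner types into search, bold for UI labels to click". Confirm that rule is applied to every "search for and select" step in the file, not just the ones touched here, so the lab does not end up with both styles.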
@ -206,7 +202,9 @@ In this task, we will use a new policy definition to remediate any non-compliant
1. Verify that this time the validation passed and click **Create**.
1. Once the new storage account is provisioned, click **Go to resource** button. On the **Overview** blade, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
1. Once the new storage account is provisioned, click **Go to resource**.
1. On the **Overview** blade, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
## Key takeaways
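Review bot: Splitting the final step into "click **Go to resource**" and a separate verification step on the **Overview** blade reads better, but the verification step gives no guidance for the case where the **Role** tag is missing. An earlier note in this lab says a policy assignment can take several minutes to take effect, so a learner who moves quickly may see an untagged resource here. Consider adding a short note after the second step that points back to that delay and suggests re-creating the resource or checking the assignment scope.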