Update LAB_02b-Manage_Governance_via_Azure_Policy.md

staleycyn 2023-12-05 15:05:01 -08:00 committed by GitHub
parent 57a27c5b07
commit 9602ebd312
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -7,7 +7,8 @@ lab:
# Lab 02b - Manage Governance via Azure Policy
## Lab requirements
This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are shown as **East US**.
This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
## Estimated timing: 30 minutes
@ -15,37 +16,39 @@ This lab requires an Azure subscription. Your subscription type may affect the a
Your organization's cloud footprint has grown considerably in the last year. During a recent audit, you discovered a substantial number of resources that do not have a defined owner, project, or cost center. In order to improve management of Azure resources in your organization, you decide to implement the following functionality:
- resource tags to attach important metadata to Azure resources
- apply resource tags to attach important metadata to Azure resources
- enforce the use of resource tags for new resources by using Azure Policy
- enforce the use of resource tags for new resources by using Azure policy
- update existing resources with resource tags
## Interactive lab simulation
An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%203)** is available for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this hosted lab, but the core concepts and ideas being demonstrated are the same. An Azure subscription is not required.
An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%203)** is available for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but the core concepts and ideas being demonstrated are the same. An Azure subscription is not required.
## Tasks
+ Task 1: Create and assign tags via the Azure portal
+ Task 2: Enforce tagging via an Azure policy
+ Task 3: Apply tagging via an Azure policy
+ Task 2: Enforce tagging via an Azure Policy
+ Task 3: Apply tagging via an Azure Policy
## Architecture diagram
![Diagram of the task architecture.](../media/az104-lab02b-architecture-diagram.png)
![Diagram of the task architecture.](../media/az104-lab02b-architecture-diagram.png)
## Task 1: Assign tags via the Azure portal
In this task, you will create and assign a tag to an Azure resource group via the Azure portal. Tags are a critical component of a governance strategy as outlined by the Microsoft Well-Architected Framework and Cloud Adoption Framework. Tags can allow you to quickly identify resource owners, sunset dates, group contacts, and other name/value pairs that your organinzation deems important. For this exercise, you will assign a tag identifying the resource role ('Infra' for 'Infrastructure').
1. In the Azure portal, search for and select **Resource groups**.
1. Sign in to the **Azure portal** - `http://portal.azure.com`.
1. Search for and select **Resource groups**.
1. From the Resource groups, select **Create**.
1. Provide the name `az104-rg1` and ensure that the Region is set to **East US**.
1. Provide the name `az104-rg2b` and ensure that the Region is set to **East US**.
![image](../media/az104-lab02b-newrg.png)
![Screenshot of the create resource gr](../media/az104-lab02b-newrg.png)
1. Click **Review + Create**, and then click **Create**.
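Review bot: the new screenshot alt text on the resource group creation line is cut off ("Screenshot of the create resource gr"); complete it, for example "Screenshot of the create resource group page." so screen readers get a full description like the other screenshots in this commit. While this hunk is being touched, two typos remain: the rewritten simulation sentence still reads "lets you to click through" (drop "to"), and the unchanged Task 1 intro line has "organinzation". The rename of the resource group to `az104-rg2b` introduced here is the name every later scope and storage-account table in the file must use.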
@ -60,11 +63,11 @@ In this task, you will create and assign a tag to an Azure resource group via th
| Name | `Role` |
| Value | `Infra` |
1. Click **Apply**. You have now manually added a tag to a resource.
1. Click **Apply**. You have now manually added a tag to a resource group.
![image](../media/az104-lab02b-manualtag.png)
![Screenshot of the create tag page.](../media/az104-lab02b-manualtag.png)
## Task 2: Enforce tagging via an Azure policy
## Task 2: Enforce tagging via an Azure Policy
In this task, you will assign the built-in *Require a tag and its value on resources* policy to the resource group and evaluate the outcome. Azure Policy can be used to enforce configuration, and in this case, governance, to your Azure resources.
@ -72,7 +75,7 @@ In this task, you will assign the built-in *Require a tag and its value on resou
1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of built-in policy definitions that are available for you to use. List all built-in policies that involve the use of tags by selecting the **Tags** entry (and de-selecting all other entries) in the **Category** drop-down list. It might also help to search for `Require a tag`.
![image](../media/az104-lab02b-policytags.png)
![Screenshot of the policy definition.](../media/az104-lab02b-policytags.png)
1. Click the entry representing the **Require a tag and its value on resources** built-in policy and review its definition.
@ -82,22 +85,22 @@ In this task, you will assign the built-in *Require a tag and its value on resou
| Setting | Value |
| --- | --- |
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource Group | the name of the resource group that you created in the previous task |
| Subscription | *your subscription* |
| Resource Group | **az-rg2b** |
>**Note**: A scope determines the resources or resource groups where the policy assignment takes effect. You could assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources (depending on the assignment scope).
![image](../media/az104-lab02b-policyscope.png)
![Screenshot of the policy scope.](../media/az104-lab02b-policyscope.png)
1. Configure the **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
| Setting | Value |
| --- | --- |
| Assignment name | `Require Cost Center tag with Default value`|
| Description | `Require Cost Center tag with Default value for all resources in the resource group`|
| Description | `Require Cost Center tag with default value for all resources in the resource group`|
| Policy enforcement | Enabled |
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. You can also add an optional **Description**. **Assigned by** is automatically populated based on the user name creating the assignment.
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. The **Description** is optional. **Assigned by** is automatically populated based on the user name creating the assignment.
1. Click **Next** twice and set **Parameters** to the following values:
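Review bot: the new Resource Group scope value **az-rg2b** does not match the resource group this commit creates in Task 1, which is named `az104-rg2b`; a learner following the steps literally will not find a group called az-rg2b when scoping the assignment. Change the table cell to **az104-rg2b**, matching the storage-account table later in the file.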
@ -106,7 +109,7 @@ In this task, you will assign the built-in *Require a tag and its value on resou
| Tag Name | `Cost Center` |
| Tag Value | `Default` |
![image](../media/az104-lab02b-policyparams.png)
![Screenshot of the policy parameters.](../media/az104-lab02b-policyparams.png)
1. Click **Next** and review the **Remediation** tab. Leave the **Create a Managed Identity** checkbox unchecked.
@ -126,16 +129,16 @@ In this task, you will assign the built-in *Require a tag and its value on resou
| Setting | Value |
| --- | --- |
| Resource group | **az104-rg1** |
| Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
| Resource group | **az104-rg2b** |
| Storage account name | *any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter* |
![image](../media/az104-lab02b-createstorage1.png)
![Screenshot of the create storage page.](../media/az104-lab02b-createstorage1.png)
>**Note**: You may receive a **Validation failed. Click here for details** error; If so, click the error message to identify the reason for the failure and skip the next step.
>**Note**: You may receive a **Validation failed. Click here for details** error. If so, click the error message to identify the reason for the failure and skip the next step.
1. Once you create the deployment, you should see the **Deployment failed** message in the **Notifications** list of the portal. From the **Notifications** list, navigate to the deployment overview and click the **Deployment failed. Click here for details** message to identify the reason for the failure.
![image](../media/az104-lab02b-policyerror.png)
![Screenshot of the disallowed policy error.](../media/az104-lab02b-policyerror.png)
>**Note**: Verify whether the error message states that the resource deployment was disallowed by the policy.
@ -158,7 +161,7 @@ In this task, we will use a new policy definition to remediate any non-compliant
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource Group | the name of the resource group containing the Cloud Shell account you identified in the first task |
![image](../media/az104-lab02b-policyscope2.png)
![Screenshot of the policy scope page. ](../media/az104-lab02b-policyscope2.png)
1. To specify the **Policy definition**, click the ellipsis button and then search for and select `Inherit a tag from the resource group if missing`.
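Review bot: the unchanged scope row still reads "the name of the resource group containing the Cloud Shell account you identified in the first task", but the first task in this file creates `az104-rg2b` and never mentions a Cloud Shell account, so the reference is stale. Update the cell to **az104-rg2b**, as the Task 2 scope and storage-account tables were in this commit. Minor: the new alt text has a trailing space before the closing bracket ("scope page. ").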
@ -176,7 +179,7 @@ In this task, we will use a new policy definition to remediate any non-compliant
| --- | --- |
| Tag Name | `Role` |
![image](../media/az104-lab02b-policyparams2.png)
![Screenshot of the policy parameters.](../media/az104-lab02b-policyparams2.png)
1. Click **Next** and, on the **Remediation** tab, configure the following settings (leave others with their defaults):
@ -187,7 +190,7 @@ In this task, we will use a new policy definition to remediate any non-compliant
>**Note**: This policy definition includes the **Modify** effect.
![image](../media/az104-lab02b-policyremediation.png)
![Screenshot of the policy remediation page. ](../media/az104-lab02b-policyremediation.png)
1. Click **Review + Create** and then click **Create**.
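Review bot: the new alt text has a trailing space before the closing bracket ("remediation page. "); trim it so it matches the other screenshot alt texts in this commit, which end with the period directly.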
@ -205,15 +208,18 @@ In this task, we will use a new policy definition to remediate any non-compliant
| --- | --- |
| Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
![image](../media/az104-lab02b-createstorage1.png)
![Screenshot of the validation passed page. ](../media/az104-lab02b-createstorage1.png)
1. Verify that this time the validation passed and click **Create**.
1. Once the new storage account is provisioned, click **Go to resource** button and, on the **Overview** blade of the newly created storage account, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
1. Once the new storage account is provisioned, click **Go to resource** button. On the **Overview** blade, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
## Main takeaways
## Review
Congratulations on completing the lab. The main takeaways from the lab are:
+ Azure tags are metadata that consists of a key-value pair. Tags describe a particular resource in your environment. In particular, tagging in Azure enables you to label your resources in a logical manne.
+ Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. There are many built-in policy definitions.
+ The Azure Policy remediation task feature is used to bring resources into compliance based on a definition and assignment. Resources that are non-compliant to a modify or deployIfNotExist definition assignment, can be brought into compliance using a remediation task.
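Review bot: the alt text is changed to "Screenshot of the validation passed page." but the image path is still az104-lab02b-createstorage1.png, the same file used earlier in the lab for the create storage page; either the alt text or the file reference is wrong, since a validation-passed screenshot would be a distinct image. The rename of the heading to "## Review" is fine with the following "The main takeaways from the lab are:" sentence, but the unchanged bullets still carry a typo ("manne" for "manner") and a stray comma before "can be brought into compliance"; worth fixing while this section is being edited.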