Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your organization plans to enforce a new Azure Policy that denies the deployment of any storage account that is not encrypted with customer-managed keys (CMK). Because many existing deployment pipelines have not yet been updated, you need a transition period during which the policy records non-compliant resources but does not block their creation. You also want to avoid changing the policy definition itself during this period.
Which configuration should you apply to the policy assignment to meet these requirements?
Add the policy to an initiative and leave the initiative in draft state.
Set the policy assignment's enforcement mode to "DoNotEnforce".
Add a custom non-compliance message to the policy assignment.
Create an exemption for the subscription that expires after the transition period.
Setting the policy assignment's enforcement mode to "DoNotEnforce" tells Azure Policy to evaluate the assignment but not apply effects that would stop or change a deployment. For an assignment whose definition uses the Deny effect, Azure Policy logs the non-compliance instead of rejecting the request, giving administrators time to update deployment pipelines. Changing the enforcement mode is done at the assignment level, so the underlying policy definition remains unchanged.
Exemptions exclude specific resources or scopes from evaluation rather than keeping the policy active for all resources. A non-compliance message only customizes the error text that appears when a deny action is triggered; it does not stop the deny. An initiative groups policy assignments but does not override how individual assignments are enforced.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Policy enforcement mode?
Open an interactive chat with Bash
How do customer-managed keys (CMKs) enhance security in Azure?
Open an interactive chat with Bash
What is an exemption in Azure Policy?
Open an interactive chat with Bash
Microsoft Azure Security Engineer Associate AZ-500
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .