1. A company has a management group hierarchy: Tenant Root Group → Corp-MG → Dev-MG. A policy with the 'DeployIfNotExists' effect is assigned at the Corp-MG level to automatically deploy a diagnostic settings resource whenever a new Key Vault is created. A developer creates a new Key Vault in a subscription under Dev-MG. The Key Vault is created successfully, but the diagnostic settings are NOT automatically deployed. What is the MOST likely cause?
- A. The 'DeployIfNotExists' effect is not supported at the management group scope; it can only be assigned at the subscription level.
- B. The managed identity associated with the policy assignment does not have sufficient permissions on the subscription where the Key Vault was created.✓ Correct
- C. The policy definition uses 'DeployIfNotExists', which only applies to resources that existed before the policy was assigned.
- D. The developer's RBAC role prevented the policy from evaluating the Key Vault resource.
Explanation
DeployIfNotExists policies require a managed identity to perform the remediation deployment on behalf of Azure Policy. If that managed identity does not have a role (such as Contributor) on the target subscription or resource group, the remediation task will fail silently — the resource is created successfully, but the automatic deployment does not occur. DeployIfNotExists is fully supported at management group scope. DeployIfNotExists applies to new and existing resources (existing resources are handled via manual or automatic remediation tasks). The deploying user's RBAC role has no bearing on whether the policy's managed identity can perform its remediation action.