Have you failed a job interview?
Send us your job interview questions and get correct answers.
You are implementing a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed. What effect will you use and what is the key property that defines what is to be deployed and how?
Experience Level: Junior
Tags: Azure CloudAzure PolicyAzure Virtual Machines
Answer
The effect is DeployIfNotExists. The property template defines what is to be deployed.
You can see the full code below:
{
"properties": {
"displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.",
"metadata": {
"version": "1.0.0",
"category": "Compute"
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "WindowsServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"2008-R2-SP1",
"2008-R2-SP1-smalldisk",
"2012-Datacenter",
"2012-Datacenter-smalldisk",
"2012-R2-Datacenter",
"2012-R2-Datacenter-smalldisk",
"2016-Datacenter",
"2016-Datacenter-Server-Core",
"2016-Datacenter-Server-Core-smalldisk",
"2016-Datacenter-smalldisk",
"2016-Datacenter-with-Containers",
"2016-Datacenter-with-RDSH",
"2019-Datacenter",
"2019-Datacenter-Core",
"2019-Datacenter-Core-smalldisk",
"2019-Datacenter-Core-with-Containers",
"2019-Datacenter-Core-with-Containers-smalldisk",
"2019-Datacenter-smalldisk",
"2019-Datacenter-with-Containers",
"2019-Datacenter-with-Containers-smalldisk"
]
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "IaaSAntimalware"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Azure.Security"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string"
},
"location": {
"type": "string"
},
"ExclusionsPaths": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of file paths or locations to exclude from scanning"
}
},
"ExclusionsExtensions": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of file extensions to exclude from scanning"
}
},
"ExclusionsProcesses": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of process names to exclude from scanning"
}
},
"RealtimeProtectionEnabled": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Indicates whether or not real time protection is enabled (default is true)"
}
},
"ScheduledScanSettingsIsEnabled": {
"type": "string",
"defaultValue": "false",
"metadata": {
"description": "Indicates whether or not custom scheduled scan settings are enabled (default is false)"
}
},
"ScheduledScanSettingsScanType": {
"type": "string",
"defaultValue": "Quick",
"metadata": {
"description": "Indicates whether scheduled scan setting type is set to Quick or Full (default is Quick)"
}
},
"ScheduledScanSettingsDay": {
"type": "string",
"defaultValue": "7",
"metadata": {
"description": "Day of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"
}
},
"ScheduledScanSettingsTime": {
"type": "string",
"defaultValue": "120",
"metadata": {
"description": "When to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."
}
}
},
"resources": [
{
"name": "[concat(parameters('vmName'),'/IaaSAntimalware')]",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "[parameters('location')]",
"apiVersion": "2017-12-01",
"properties": {
"publisher": "Microsoft.Azure.Security",
"type": "IaaSAntimalware",
"typeHandlerVersion": "1.3",
"autoUpgradeMinorVersion": true,
"settings": {
"AntimalwareEnabled": true,
"RealtimeProtectionEnabled": "[parameters('RealtimeProtectionEnabled')]",
"ScheduledScanSettings": {
"isEnabled": "[parameters('ScheduledScanSettingsIsEnabled')]",
"day": "[parameters('ScheduledScanSettingsDay')]",
"time": "[parameters('ScheduledScanSettingsTime')]",
"scanType": "[parameters('ScheduledScanSettingsScanType')]"
},
"Exclusions": {
"Extensions": "[parameters('ExclusionsExtensions')]",
"Paths": "[parameters('ExclusionsPaths')]",
"Processes": "[parameters('ExclusionsProcesses')]"
}
}
}
}
]
},
"parameters": {
"vmName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
},
"RealtimeProtectionEnabled": {
"value": "true"
},
"ScheduledScanSettingsIsEnabled": {
"value": "true"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
"name": "2835b622-407b-4114-9198-6f7064cbe0dc"
}Related Azure Cloud job interview questions
You create an MDM Security Baseline profile in Azure Intune. Which virtual machines can you assign it to?
Azure CloudAzure Intune JuniorYou are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the auto-generated service principal to authenticate to the Azure Container Registry. What should you create?
Azure CloudAzure Container RegistryAzure Kubernetes Service JuniorYou have HubVNet connected to the on-premises network and SpokeVNet peeredwith HubVNet. In HubVNet there is a virtual network gateway and firewall. How will you ensure that traffic between SpokeVNet and HubVNet flows through the firewall?
Azure CloudAzure StorageAzure Virtual MachinesAzure Virtual Networks JuniorYou run a Docker container in Azure virtual machine (VM) that is in a virtual network (VNET) within your subscription. You create a service endpoint to Azure Storage and want to make sure that the container will be able to connect to Azure Storage. How will you achieve it?
Azure CloudAzure StorageAzure Virtual MachinesAzure Virtual Networks JuniorWhat is a difference between Owner and Contributor role in Azure?
Azure CloudAzure Resource ManagerAzure Virtual Networks Junior
