Question 16
Domain 1: Plan and Manage an Azure AI SolutionAn organization uses Azure Policy to enforce that all Azure AI Services resources must use customer-managed keys (CMK) for encryption. A developer deploys a new Azure AI Language resource without CMK. What happens?
Correct answer: C
Explanation
Azure Policy can deny deployments that do not meet required settings. If the policy requires Azure AI Services resources to use customer-managed keys for encryption, a new Azure AI Language resource deployed without CMK violates that rule and is blocked with a policy violation error.
Why each option is right or wrong
A. The resource deploys but generates a security alert in Azure Defender
B. The Azure Policy automatically enables CMK on the resource
C. The deployment fails with a policy violation error
Azure Policy can be assigned with a **deny** effect, which blocks resource creation when the request does not satisfy the policy rule. In this case, the Azure AI Language resource is being deployed without the required customer-managed key setting, so the request is noncompliant at creation time and Azure returns a **policy violation** instead of provisioning the resource.
D. The resource deploys and the CMK is automatically applied after 24 hours