An organization must ensure that all Azure VMs in a subscription have a specific tag applied at creation time. If the tag is missing, the deployment should be blocked. Which approach achieves this?

Question

Microsoft Azure Fundamentals — Hard

An organization must ensure that all Azure VMs in a subscription have a specific tag applied at creation time. If the tag is missing, the deployment should be blocked. Which approach achieves this?

Accepted Answer

Azure Policy with Deny effect requiring the tag is the correct approach because it enforces the presence of the specific tag on all Azure VMs at creation time. This ensures compliance with organizational standards. The other options do not directly address the requirement of blocking deployment if the tag is missing.