Before Lab 5.5 — Auto-Remediation
Before Lab 5.5 — Auto-Remediation
In Lab 5.4, you explored the power of tags beyond compliance — cost tracking, incident response, automation triggers, and lifecycle management. In Lab 5.5, you'll return to the compliance angle: using Azure Policy remediation tasks to automatically fix existing violations.
What is a remediation task?
A remediation task is an Azure Policy feature that automatically fixes non-compliant resources. It runs the corrective action defined by your policy — without you having to do it manually.
For a full overview of the three approaches to fixing problems (manual, encoded policy, automated remediation) and the Auto-Remediate vs Alert-Only decision framework, see the Security Automation theory page.
Quick reference — Remediation tasks vs Power Automate approval
| Approach | Pros | Cons |
|---|---|---|
| Power Automate approval | Human validates first, no blind actions | Slower, requires someone to respond |
| Remediation task | Fixes existing resources automatically, no human needed | Acts blindly, no context awareness |
How remediation tasks work
When you create a remediation task:
- Azure Policy evaluates all resources against the policy
- It identifies non-compliant resources
- It applies the corrective action (e.g., add tags, disable public access)
- It runs in the background — you can monitor progress
Important: Remediation tasks require permissions to modify resources. The policy assignment must have a managed identity with sufficient permissions.
What you will do in this lab
You will create remediation tasks for your Day 5 environment. These tasks require existing policy assignments from Lab 5.2 — specifically, the Deny public blob access and Require Tags policies — plus the Power Automate approval flow you built in Lab 5.3. You'll compare the auto-remediation approach against the human-in-the-loop pattern from Lab 5.3. Without those assignments from both labs, there's nothing to remediate.
Before proceeding, verify your policies are active and have flagged violations:
- Go to Azure Policy → Compliance in the Azure portal
- Check that both policies show non-compliant resources (if not, wait for policy evaluation — see timing note in Lab 5.3)
Then create remediation tasks for:
- Remediate tags — automatically add missing required tags to existing resources
- Remediate public network access — automatically disable public network access on existing storage accounts
What to look for in Lab 5.5
Lab 5.5 checklist
Lab focus
In Lab 5.5, you are automating the correction of existing violations — without human approval. The goal is to close the gap between policy enforcement and resource compliance, and compare it against the Power Automate approval pattern from Lab 5.3.
Check before starting
You should be able to answer these questions before starting the lab:
- Why does a remediation task need a managed identity?
- How long does a remediation task take to run?
- What happens when a remediation task fails on a resource?