After Lab 5.5 — Auto-Remediation Recap
After Lab 5.5 — Auto-Remediation Recap
You created Azure Policy remediation tasks that automatically fix existing violations — no human approval needed. Here's how it compares to the Power Automate approval pattern from Lab 5.3.
What You Built
Remediation Tasks
| Task | Policy | Action |
|---|---|---|
| Tag remediation | Require tags policy | Adds missing environment, owner tags to resources |
| Public access remediation | Deny public blob access policy | Sets container access type to private — note: In azurerm provider 3.0+, the storage account property that controls whether blobs CAN be made public is called allow_nested_items_to_be_public (Azure ARM name: AllowBlobPublicAccess). The built-in policy blocks new storage accounts with this set to true, but existing containers must be fixed separately by changing their access type. |
How It Works
- Trigger: Policy detects non-compliance
- Remediation task: Applies corrective action via managed identity
- Result: Resource becomes compliant — without human intervention
Managed identity note: Before Lab 5.5 mentioned that remediation tasks require permissions to modify resources. The policy assignment must have a managed identity with sufficient permissions (typically Contributor role on the resource group). If you encounter permission errors when creating a remediation task, verify the managed identity has the right RBAC role assigned.
Key difference from Lab 5.3: No approval step. The remediation runs as soon as the policy evaluation completes (typically within hours).
Power Automate Approval vs Auto-Remediation
| Factor | Power Automate Approval (Lab 5.3) | Auto-Remediation (this lab) |
|---|---|---|
| Speed | Minutes to hours (waits for human) | Hours (policy evaluation delay) |
| Human control | Approver decides yes/no | No human input |
| Risk of wrong action | Low (human validates first) | Higher (blind automation) |
| When to use | Critical resources, uncertain fixes | Repetitive, low-risk fixes |
Key insight: These aren't competing approaches — they're complementary. Use auto-remediation for known, low-risk fixes. Use Power Automate approval for critical resources or uncertain scenarios.
What This Teaches
You now see the full automation spectrum:
- Alert Only — humans investigate and fix (Day 4 monitoring)
- Human Approval — automation asks, humans decide (Lab 5.3)
- Auto-Remediate — automation fixes without asking (this lab)
The right approach depends on the context — and you now have the tools to build all three.
Bridge to Lab 5.6
In the next lab, you will look at anomaly detection — observing your environment for unusual activity that policies alone cannot catch. Before starting, review the Anomaly Detection theory page which explains the difference between rule-based and statistical anomaly detection, and how Azure Sentinel analytics rules convert KQL queries into automated detection.