Author a policy definition JSON with `policyRule.then.effect: DeployIfNotExists` and a `details.deployment` block that contains the ARM template to deploy when the condition is not met.
Assign the policy at the desired scope (subscription or management group) using `az policy assignment create --policy <definition-id> --scope <scope> --assign-identity --location <region>`; the `--assign-identity` flag creates a managed identity for remediation.
Grant the managed identity the required RBAC role (e.g., Contributor) on the target scope so it can deploy the remediation ARM template.
Verify non-compliant resources in the Azure Portal under Policy > Compliance or via `az policy state list --policy-assignment <assignment-id> --filter "complianceState eq 'NonCompliant'"`.
Start a remediation task with `az policy remediation create --name <NAME> --policy-assignment <assignment-id> --resource-discovery-mode ReEvaluateCompliance`; `ReEvaluateCompliance` re-evaluates all resources before selecting targets.
Monitor remediation progress with `az policy remediation show --name <NAME>` until `provisioningState` reaches `Succeeded`.
Known gotchas
`DeployIfNotExists` remediation tasks require the managed identity to have appropriate RBAC permissions at the resource scope; missing permissions cause `AuthorizationFailed` errors that appear in the remediation task details.
Remediation tasks expire and are deleted 60 days after their last modification; export results before they are purged if audit evidence is required.
A single remediation task defaults to `resourceCount: 500` (the maximum number of resources it will remediate) with `parallelDeployments: 10`; for large environments raise `parallelDeployments` (up to the maximum of 30) to speed up remediation.
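The following is an added example, not code from the original page: it builds the DeployIfNotExists definition body that step one describes (a minimal diagnostic-setting template for Key Vault, chosen here as the illustration), lints the `then.details` block for the omissions that make remediation fail or silently report compliance, and builds the remediation request body with the `resourceDiscoveryMode`, `parallelDeployments` and `resourceCount` limits the steps and gotchas mention. The Contributor role GUID is the Azure built-in id (the page's example role); the remediation body field names are assumed to follow the `Microsoft.PolicyInsights/remediations` REST resource that the CLI wraps. Nothing here calls Azure, so it runs offline.

```python
"""Author a DeployIfNotExists (DINE) policy definition, lint it, and build a
remediation request body. Added example; runs offline, no Azure calls."""
import json

# Azure built-in Contributor role definition id (the page's example role; a narrower
# built-in role is preferable wherever one covers the deployment).
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24f"
ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
MAX_PARALLEL_DEPLOYMENTS = 30  # service ceiling for parallelDeployments


def diagnostic_setting_template():
    """ARM template the policy deploys: one diagnostic setting on a Key Vault.
    Resource name and workspace id arrive as template parameters."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"resourceName": {"type": "string"}, "workspaceId": {"type": "string"}},
        "resources": [{
            "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
            "apiVersion": "2021-05-01-preview",
            "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/setByPolicy')]",
            "properties": {
                "workspaceId": "[parameters('workspaceId')]",
                "logs": [{"category": "AuditEvent", "enabled": True}],
            },
        }],
    }


def build_dine_definition(display_name="Deploy Key Vault diagnostics to Log Analytics"):
    """Definition body: if a Key Vault has no diagnostic setting pointing at the
    chosen workspace, deploy one. The existenceCondition is what stops Policy from
    treating *any* diagnostic setting on the vault as compliant."""
    return {"properties": {
        "displayName": display_name,
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {"workspaceId": {"type": "String"}},
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "existenceCondition": {
                        "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                        "equals": "[parameters('workspaceId')]",
                    },
                    # Roles the assignment's managed identity needs for remediation.
                    "roleDefinitionIds": [ROLE_PREFIX + CONTRIBUTOR_ROLE_ID],
                    "deployment": {"properties": {
                        "mode": "incremental",
                        "template": diagnostic_setting_template(),
                        "parameters": {
                            "resourceName": {"value": "[field('name')]"},
                            "workspaceId": {"value": "[parameters('workspaceId')]"},
                        },
                    }},
                },
            },
        },
    }}


def lint_dine_definition(definition):
    """Return the problems that would make remediation fail or silently no-op."""
    problems = []
    then = definition.get("properties", {}).get("policyRule", {}).get("then", {})
    details = then.get("details", {})
    if then.get("effect") != "DeployIfNotExists":
        problems.append("effect is not DeployIfNotExists")
    if "template" not in details.get("deployment", {}).get("properties", {}):
        problems.append("details.deployment.properties.template is missing")
    if not details.get("roleDefinitionIds"):
        problems.append("roleDefinitionIds is empty: no role for the managed identity")
    if "existenceCondition" not in details:
        problems.append("no existenceCondition: any resource of details.type counts as compliant")
    return problems


def build_remediation_body(assignment_id, discovery_mode="ReEvaluateCompliance",
                           parallel_deployments=10, resource_count=500):
    """Request body for a Microsoft.PolicyInsights/remediations resource (assumed
    field names; the az CLI command in the text wraps the same call)."""
    if discovery_mode not in ("ExistingNonCompliant", "ReEvaluateCompliance"):
        raise ValueError(f"unknown resourceDiscoveryMode {discovery_mode!r}")
    if not 1 <= parallel_deployments <= MAX_PARALLEL_DEPLOYMENTS:
        raise ValueError(f"parallelDeployments must be 1..{MAX_PARALLEL_DEPLOYMENTS}")
    return {"properties": {
        "policyAssignmentId": assignment_id,
        "resourceDiscoveryMode": discovery_mode,
        "parallelDeployments": parallel_deployments,
        "resourceCount": resource_count,
    }}


if __name__ == "__main__":
    definition = build_dine_definition()
    print(json.dumps(definition, indent=2))
    print("lint:", lint_dine_definition(definition) or "ok")
    # Placeholder assignment id; substitute the real one from `az policy assignment create`.
    print(json.dumps(build_remediation_body("<assignment-id>", parallel_deployments=30), indent=2))
```

Pipe the printed definition into `az policy definition create --rules` (or save it and pass the file), then follow the assignment and remediation steps above; the lint step is worth running in CI on any hand-edited definition, since a missing `existenceCondition` is the classic way a DINE policy reports everything compliant without ever deploying.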