The correct sequence to enforce a configuration on both new and existing Azure resources using Azure Policy involves three main steps: defining the rule, applying it, and then correcting any existing resources that don't comply.

1. Create an Azure policy definition that uses the deployIfNotExists effect: This is the first step where you define the compliance rule. The deployIfNotExists effect is specifically chosen because it can trigger a template deployment to create or configure a resource to meet a standard. In this case, it would define the rule that an SQL database must have Transparent Data Encryption (TDE) enabled and specify a template to run to enable it if it's found to be missing.
2. Create an Azure policy assignment: A policy definition has no effect until it's assigned to a scope (such as a management group, subscription, or resource group). This assignment applies the rule to all resources within that scope. During this step, a managed identity is also configured, which grants the policy the necessary permissions to run the remediation template.
3. Invoke a remediation task: By default, a policy assignment only applies to newly created or updated resources. To enforce the policy on existing resources (i.e., SQL databases that were created before the policy was assigned), you must create and run a remediation task. This task scans the assigned scope for non-compliant resources and executes the deployIfNotExists action on each one, bringing them into compliance.

Microsoft Learn, Azure Policy Documentation: The tutorial "Enforce template deployments with Azure Policy" outlines this exact sequence. It demonstrates creating a policy with a deployIfNotExists effect, assigning it, and then creating a remediation task to apply the policy to existing resources.

Reference: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage/enforce-template-deployment, specifically the sections "Create the policy definition," "Assign the policy," and "Remediate non-compliant resources."

Microsoft Learn, Azure Policy Documentation: The document "Remediate non-compliant resources with Azure Policy" details how remediation tasks work specifically with deployIfNotExists and Modify effects to bring existing resources into a compliant state after a policy has been assigned.

Reference: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources, see the "How remediation works" section.