Exam AZ-104
Question 97

HOTSPOT -

You have an Azure subscription that contains the hierarchy shown in the following exhibit.

You create an Azure Policy definition named Policy1.

To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1

    Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.

    Note: Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.

    Box 2: ManagementGroup1, Subscription1, RG1, and VM1

    You can exclude a subscope from the assignment.

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
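The scope rule behind both boxes, modelled in Python as an added example (not part of the original question and not Azure tooling). The tenant root group name and subscription ID are placeholders, the parent map is constructed from the names in the answer, and the rule that an exclusion must sit strictly below the assignment scope is taken from the explanation above.

```python
import re

# Constructed hierarchy mirroring the question; all IDs are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NODES = {
    "Tenant Root Group": MG + "tenant-root-placeholder",
    "ManagementGroup1": MG + "ManagementGroup1",
    "Subscription1": SUB,
    "RG1": SUB + "/resourceGroups/RG1",
    "VM1": SUB + "/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/VM1",
}
# Management-group parentage is not visible in an ARM ID, so it is listed explicitly.
PARENT = {"ManagementGroup1": "Tenant Root Group", "Subscription1": "ManagementGroup1",
          "RG1": "Subscription1", "VM1": "RG1"}

LEVELS = [
    ("management group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", r"/subscriptions/[^/]+"),
    ("resource group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
    ("resource", r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+(/[^/]+/[^/]+)+"),
]

def scope_level(arm_id):
    """Return which of the four scope levels an ARM ID is, or None."""
    for level, pattern in LEVELS:
        if re.fullmatch(pattern, arm_id, re.IGNORECASE):
            return level
    return None

def ancestors(name):
    """Names above `name` in the hierarchy, nearest first."""
    chain = []
    while name in PARENT:
        name = PARENT[name]
        chain.append(name)
    return chain

def invalid_exclusions(assigned_to, not_scopes):
    """Exclusions that are not strictly below the assignment scope."""
    return [n for n in not_scopes if assigned_to not in ancestors(n)]

def excludable_somewhere():
    """Nodes that can be an exclusion for at least one possible assignment scope."""
    assignable = [n for n, arm_id in NODES.items() if scope_level(arm_id)]
    return {n for n in NODES if any(a in ancestors(n) for a in assignable)}

if __name__ == "__main__":
    for name, arm_id in NODES.items():
        print(f"{name:18} {scope_level(arm_id)}")
    print(sorted(excludable_somewhere()))
```

Every node classifies as one of the four scope levels, which matches Box 1; only the top of the hierarchy has no ancestor to be excluded from, which matches Box 2.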

Discussion
Ntinsky

Since the discussion added a lot of confusion, because a lot of people in here just drop random facts without any proof, misleading people, I tested it in an Azure lab. In the scope field on the "Basics" tab I was able to select "Tenant Root Group" or "Management Group1" with the optional entries of Subscription and Resource group. So "you can assign policy to Tenant Root Group, ManagementGroup1, Subscription1 and RG1". As for the second answer about the exclusions, I was able to select all the items in the scope EXCEPT the Tenant Root Group. Therefore the correct answer would be "ManagementGroup1, Subscription1, RG11 and VM1". I hope that helps.

codeScalable

Azure policies can be scoped down to individual resources. "Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources." https://learn.microsoft.com/en-us/azure/governance/policy/overview The second answer is correct.

gpCert

Why could you not assign the policy to VM1 (for the first answer)?

AK4U_111

For the exclusions, the Subscription dropdown menu is grayed out, as well as the Resource Group dropdown menu.

Sanaz90

Wrong! Go to a resource like a VM and assign a policy from there to the VM, and you will see the policy assignment is set to resource level and not RG level.

RichardBill

Wrong! You can assign a policy to the Root, Management Group, Subscription and Resource Group BUT NOT A RESOURCE ITSELF! Test it in the Portal! The 2nd part of the answer seems to be correct. You cannot exclude the highest scope that you can assign to. I tried it in the portal as well and it won't save the exclusion Tenant Root Group.

Traian

I believe you are wrong. You can assign a policy to a resource: "An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource." https://docs.microsoft.com/en-us/azure/governance/policy/overview - check assignments. In my opinion the provided answer is correct.

RichardBill

So I checked again and the portal doesn't let you do it! That's what I based my assumption on! But via Azure CLI it says that a resource is a valid scope for assignment: https://docs.microsoft.com/en-us/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create So yeah, I think that you are right and my comment is wrong, but I cannot delete it. But it looks like this is just a portal restriction. Sorry for the confusion!

meeko86

Valid scopes are management group, subscription, resource group, and resource https://learn.microsoft.com/en-us/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create

Grande

Very correct. In general you cannot exclude the parent of a child already covered by the policy, e.g. if the scope was RG1, you cannot exclude Subs1; you can only exclude resources underneath RG1.

northstar88

Tried in portal as well. You cannot select resources as scope.

buzzerboy

I couldn't assign a policy at Tenant Root Management Group. There is no blade for policy.

Batiste2023

It turns out that you can assign an Azure Policy to an individual resource, too: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/scope

76d5e04

Feeling tired of reading discussions. examtopics please quality seems ?

op22233

The given answers are correct. Policy can be applied to all. Remember the kind of policy you can apply to prevent a particular set of types of instance while creating your VM. Then you can exclude all except the Tenant Root Group from a policy.

WeepingMaplte

Answer should be: 1) Tenant Root Group, MG1, Sub1 and RG1 Only 2) MG1, Sub1, RG1 and VM1 only

Gigi0408

was on my exam Dec 15, 2023.

pet3r

Policies can be applied to the resource like VM https://learn.microsoft.com/en-us/azure/governance/policy/concepts/recommended-policies

VinodRK

You can assign Policy1 to Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only You can exclude Policy1 from ManagementGroup1, Subscription1, RG1, and VM1 only

23169fd

given answer is correct.

76d5e04

In the name of discussion, most confusion is created, and it makes me think: is it worth paying $65 to examtopics? I thought examtopics would be good material; so far, out of 90 questions, most of them have not been given an exact answer.

Limobakry

the key in question is only

3c5adce

You can assign policy to: "Tenant Root Group, ManagementGroup1, Subscription1 and RG1 ONLY". You can exclude policy from: "ManagementGroup1, Subscription1, RG1, and VM1 ONLY".

MCLC2021

1/ You can assign Policy1 to: Tenant Root Group, Management Group 1, Subscription 1, RG1, VM1. 2/ You can exclude Policy1 to: Management Group 1, Subscription 1, RG1, VM1. "Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources." https://learn.microsoft.com/en-us/azure/governance/policy/overview "Subscopes can be excluded, if necessary." https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#understand-scope

Amir1909

Assign policy1: 4th answer. Exclude policy1: 4th answer.

SkyZeroZx

1. Tenant Root Group, ManagementGroup1, Subscription1 and RG1 https://learn.microsoft.com/en-us/answers/questions/1086208/assign-policy-to-specific-resource-in-azure 2. ManagementGroup1, Subscription1, RG1, and VM1

TedM2

You cannot exclude the policy from the root management group because doing so would effectively mean that the policy wouldn't be effective ANYWHERE and would therefore be moot & useless.