Exam AZ-104
Question 45

HOTSPOT -

You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: No -

    Virtual networks are not allowed at the root, and the policy is inherited. Deny overrides allow.

    Box 2: Yes -

    Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.

    Box 3: Yes -

    Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.

    Reference:

    https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
    https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions

Discussion
fedztedz

Answer is wrong: it should be NO NO NO. A subscription can be moved but can't be added to 2 groups.

pieronegri

you are right, "move" is the right verb.

tita_tovenaar

not agreed for answer 2. Only virtual networks are mentioned in the policy. Nothing is said about virtual machines. Result: NO - YES - NO

tita_tovenaar

Sorry, my bad. Answer 2 is No. By allowing networks, you deny all the rest.

Durden871

From Udemy: NYN
Explanation
1. The Azure policy (not allowed resource types – Virtual networks) is inherited by Subscription1. So, virtual networks are not allowed to be created in Subscription1.
2. Policy assignments get evaluated top-to-bottom. The most restrictive policy assignment will always win, i.e. a DENY on any level will take precedence over an ALLOW on any other level. So the Azure policy (not allowed resource types – Virtual networks) will be applied to Subscription2. The deny policy is only for virtual networks. This allows creating a virtual machine by leveraging existing VNets.
3. Each management group and subscription can only support one parent. Subscription1 is already part of a management group. We can't add this to another management group, though we can move it.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

alexn76

N Y N. You can create a VM on an existing network.

KrisJin

Who told you there is an existing VNET?

Batiste2023

Who told you there isn't? - Actually, who would make policies like this, if there weren't any VNets available already? (I know, it's a Microsoft scenario, but still...)

ki01

No one in their right mind would make policies like these, but this is not a real-world tenant in a company. This is an exam question to test if you know how allows and denies trickle down through management groups. No need to get philosophical on this.

ggogel

"Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list." See: https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition So the answer to the second question is NO. Only vNets are in the list, so only vNets can be created. Anything else is denied.

Zemar

No - Sub1 > Group21 > Group11 > TenantRoot (Not allowed)
No - Sub2 > Group12 > TenantRoot (Not allowed)
No - Only one management group can be assigned to a subscription (Group21 is already assigned to Sub1)

avidlearner

No - Tenant Root not allowed.
No - Azure Policy is a strict deny system; any deny policy on the top level is not overridden by lower-level allows. Since you are not allowed to create a VNet, you can't create a VM without a VNet.
No - you don't add a subscription which is already assigned to another group.

Ruzhdi

Answer 2: is Yes - ManagementGroup12 is allowed to create VNet as mentioned in the assignment.

dp846

overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition

mlantonis

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
Based on the policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs are only allowed in the ManagementGroup12 scope, but you cannot deploy any other resource.
Box 1: No. Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a member of the Tenant Root Group, and the Tenant Root Group has 'Not allowed resource types' for virtual network.
Box 2: No. You cannot create a VM, because based on the policy you can only create VNETs in Subscription2 (ManagementGroup12).
Box 3: No. You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagementGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.

Harssh

Box 1 and Box 2 are ok; however, I have a doubt: when all management groups here are under the Tenant Root Group management group, which has a policy barring virtual networks, how come ManagementGroup12 can allow virtual network creation in the first place? Don't member management groups inherit policies from the host management group?

Harssh

My question is can a nested management group override policy defined at its parent management group level by creating its own contradictory policy?

SumanSaurabh

Exactly, I have the same question. Can someone help me understand?

joergsi

Your reply for box 2 makes no sense, because the question is: can you create a VM in Sub 2? And you are saying: "Box 2: No: You cannot create a VM, because based on the Policy you can only create VNETs in Subscription2 (ManagementGroup12)." But then the answer needs to be yes based on your argument, correct?

xavigo

If you can *only* create VNETS then it follows you cannot create other things like VMs. What's so hard to grasp?

kilowd

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.

ElDakhli

Perfect comment, thank you :)

dp846

Box 2 : No since overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition

JoskeVr

This was on my exam 25/02/2024! I just want to let people know that these questions are still up to date!

[Removed]

I did the lab and the correct answer is No, No, No. For the second question, even if you have explicitly allowed VNETs on the Management Group, the Tenant Root Group policy will override it. This is interesting as initially I thought that if you specifically allow something under the Tenant Root with this policy, it will override the one coming from above but apparently it's not like that.

Gpsn

N - Subscription 1 is not allowed to create a VNET.
N - Subscription 2 allows only VNET and restricts everything else. Per the policy definition of Allowed Resource Types, "If NOT (listOfResourceTypesAllowed), then deny". So only the specified resources will be allowed, nothing else.
N - A subscription can be associated with only one management group.

jlee425

2. Yes. If there is an existing virtual network in Subscription2, you could use that network to create a VM.

DWILK

I wish MS would be more careful how they phrase things. There's a big difference between move and add

amurp35

NNN - disallowed by explicit deny; explicit allow is implicit deny on all else; cannot be a member of multiple management groups.

23169fd

Given answers are correct.
1. No. The "Not allowed resource types" policy for virtualNetworks is scoped to the Tenant Root Group.
2. Yes. There is no policy that restricts or disallows creating virtual machines in ManagementGroup12 or the Tenant Root Group. The allowed resource types for virtualNetworks doesn't impact the creation of virtual machines.
3. Yes. There are no policies or constraints provided that explicitly prevent moving Subscription1 to ManagementGroup11.

Charumathi

Tenant Root Group (Not Allowed Resource - Virtual N/W)
|
|__Management Group 11
|   |
|   |__Management Group 21
|       (Sub 1)
|
|__Management Group 12 (Sub 2) (Allowed Resource - Virtual N/W)

Answers:
1. You can create a virtual network in Sub1 - No. Reason: Subscription 1 is under the Tenant Root Group, hence we will not be able to create a virtual network.
2. You can create a virtual machine in Sub2 - No. Reason: Subscription 2 is also under the Tenant Root Group, which overrides the allowed resource type in Management Group 12. You will not be able to create a virtual network, and without creating a virtual network we will not be able to create a virtual machine.
3. You can add Sub1 to Management Group 11 - No. Reason: We cannot add a subscription from one group to the other.
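Added example (not from the exam page, and not Microsoft's code): a small Python model of how the two built-in definitions quoted above, "Allowed resource types" and "Not allowed resource types", combine down the hierarchy that mlantonis and Charumathi reconstruct. The scope names and resource type strings are assumptions; the model encodes the rule that a deny at any level of the chain wins and that an allow-list denies every type not on it, so it reproduces the No/No/No reading, and move_subscription shows why Box 3 is a move rather than an add.

```python
from dataclasses import dataclass, field

VNET = "Microsoft.Network/virtualNetworks"
VM = "Microsoft.Compute/virtualMachines"

@dataclass
class Scope:
    """A management group or subscription. Each assignment is a (kind, types)
    pair; kind is 'allowed' or 'notAllowed', the two built-in definitions."""
    name: str
    parent: "Scope | None" = None
    assignments: list = field(default_factory=list)

def scope_chain(scope):
    """Walk from the scope up to the tenant root: every assignment on the way
    applies, because policy is inherited and never overridden below."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    return chain

def evaluate(scope, resource_type):
    """Return (allowed, denials). A single deny anywhere in the chain wins,
    and an 'allowed' list denies every type that is not on it."""
    denials = []
    for s in scope_chain(scope):
        for kind, types in s.assignments:
            if kind == "notAllowed" and resource_type in types:
                denials.append(f"{s.name}: {resource_type} is on the not-allowed list")
            elif kind == "allowed" and resource_type not in types:
                denials.append(f"{s.name}: {resource_type} is not on the allowed list")
    return not denials, denials

def move_subscription(sub, new_parent):
    """A subscription has exactly one parent management group, so it can be
    moved but never added to a second one."""
    sub.parent = new_parent

def build_hierarchy():
    """Constructed hierarchy (assumed names), as reconstructed in the discussion."""
    root = Scope("Tenant Root Group", assignments=[("notAllowed", {VNET})])
    mg11 = Scope("ManagementGroup11", root)
    mg21 = Scope("ManagementGroup21", mg11)
    mg12 = Scope("ManagementGroup12", root, assignments=[("allowed", {VNET})])
    sub1 = Scope("Subscription1", mg21)
    sub2 = Scope("Subscription2", mg12)
    return {s.name: s for s in (root, mg11, mg21, mg12, sub1, sub2)}
```

Running evaluate on Subscription2 for a VM shows the denial coming from ManagementGroup12's own allow-list, not from the root, which is the point the thread keeps circling.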

varinder82

Final Answer : NYN

3c5adce

Going to go with NYN - will report back

varinder82

Final Answer : No No No

tashakori

No No Yes

Wojer

Anything assigned on the root will apply to the entire hierarchy, which includes all management groups, subscriptions, resource groups, and resources within that Azure AD tenant

Japeth

Answer is wrong: it should be NO YES NO. Virtual networks are not allowed to be created in Subscription1.

psscloud

During a VM creation, a VNet and NIC creation are mandatory. Because of the Policy, VM creation would be stopped if a new VNet needs to be created. But if there is any existing VNet available in the resource group already, that can be used to create the VM. In that way, the VM creation shouldn't fail. So, yes, you can create a VM.