Exam AZ-104 topic 2 question 5 discussion

Answer is Wrong : It should Be NO NO NO - subscription should be moved by can't be added to 2 groups.

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. Not allowed resource types (Deny): Prevents a list of resource types from being deployed. Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in ManagementGroup12 scope, but you cannot deploy any other resource. Box 1: No Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’. Box 2: No: You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12). Box 3: No You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.

Answer is no, no and no. If you draw the hierarchy, it will make it easier to visualise. Point one is obviously no (policy tells that straight away). Point 2 is no because there is a sub1 under mgt21 and if you create a sub under mgt11 (one above mgt21), this cannot be done as one sub = one management group at a time. Note that mgt21 is part of mgt11 hence the one sub is already there. Point 3 is no too - why? VM without a VNET is pretty much worthless. I guess you can remove parts of the VM like NIC then what's the point of that? In short, no.

Why not NNY, Moving it to ManagementGroup11 would simply place it at a higher level in the same branch.

Statement-1 You can create a virtual network in Subscription1 Answer: No - Denied at Tenant Root, inherited down. Statement-2 You can create a virtual machine in Subscription2 Answer: No - Blocked by "Allowed resource types" policy that excludes VMs. Statement -3 You can add Subscription1 to ManagementGroup11 Answer: Yes - Permitted with proper RBAC.

To my mind No/Yes/No, cause if Vnet exist you're able to create VM

NYN - 1 - can't create the network 2 - you can create VMs all day long 3 - can't add and have 2 parents; the answer says move but move != add

Nested groups galore! NO, you cannot create a Vnet in Subscription1: Subscription1 is a member of Group21, Group21 is a member of Group11, Group11 is a member of the Tenant Root Group, The Tenant Root group is Not allowed resource types for virtual network. NO, you cannot create a Vnet in Subscription2: Subscription2 is is a member of ManagementGroup12, ManagementGroup12 is a member of the Tenant Root Group, The Tenant Root group is Not allowed resource types for virtual network. NO, you cannot ADD Subscription1 to ManagementGroup11, but you can MOVE subscription1 from ManagementGroup21 to ManagmentGroup11. Subscriptions can only be a member of ONE managementGroup at a time.

Creating a Virtual Machine alone still requires that you create a virtual network Essentially, a virtual machine is a virtual network with 1 PC. Meaning, you cannot create a VM if this action is denied. If however, the VM existed before the policy was created, which is stated nowhere, by the way, that'd be something entirely different. The question doesn't state anything about there being an existing VNet. This means the answer to question 2 should be NO. As for question 3, Subscriptions can be moved, I am not sure what they mean by Add. So this one also isn't quite clear. If by "add" they mean "move", then the answer is Yes. So it should be: NO, NO, YES

This is simple: 1. Virtual Networks are not allowed at the Tenant Root Group for ALL Management Groups. So number 1 is a No. Though virtual network is allowed for one management group, that management group is still under a Tenant root group where vnet is not allowed. 2. You cannot create a virtual Machine without a Virtual Network. Since virtual networks are not allowed, the answer is also No. 3. This is a YES for me. The architecture of a subscription forces it to trust ONLY one Directory at a time. Hence, when the question asks if we can add the subscription to a different mgt group, it was asking if we can "move" it, since architecturally, you can not have a subscription in more than 1 directory at the same time. I admit the question should have been specific in using the word "move" instead of "add". But then, it may also have been part of the question to see if we understand that a subscription can only trust one directory at time.

Box 3: Yes. Move subscriptions Add an existing Subscription to a management group in the portal Log into the Azure portal. Select All services > Management groups. Select the management group you're planning to be the parent. At the top of the page, select Add subscription. Select the subscription in the list with the correct ID. Screenshot of the 'Add subscription' options for selecting an existing subscription to add to a management group. Select "Save". https://docs.microsoft.com/en-us/azure/governance/management-groups/manage

Box1: No -> because VNets are only allowed for MG12. (here the question in principle whether the allowed VNet for MG12 overrides the previous rule that VNets are forbidden on Tenant root level, which will then mean that such a rule forbids totally the creation of new VNets). Box 2: Yes -> because forbidding VNets creation does not automatically forbit VMs creation, we can still create new VNs within the already existing Vnets. Box 3: Yes -> we can move subscriptions from one MG to another, and here we have MG21 under MG11 https://docs.microsoft.com/en-us/learn/modules/create-windows-virtual-machine-in-azure/2-create-a-windows-virtual-machine https://docs.microsoft.com/en-us/azure/governance/management-groups/manage

Adding sub1 isnt the same as moving Sub1

NYN. In general, polices are inherited through a hierarchical structure consisting of Management Groups > Subscriptions > Resource Groups > and Resources. However policies, even more restrictive policies, can be over-ridden at those lower levels. The first answer is No because it inherits the restrictive policy from the root group and there is nothing to over-ride that policy. The second answer is Yes because even though it inherits a restrictive policy from the root group, it explicitly allows VNETs to be created at a lower, more granular, management level. I know the question is asking about VM creation, but you need VNETs to create VMs and there is no policy specifically about allowing or disallowing VM creation. The third answer is No because, as other have said, you cannot have a subscription in 2 management groups. It cannot be added, but it can be moved.

NNN - disallowed by explicit deny; explicit allow is implicit deny on all else; cannot be a member of multiple management groups.

Given answers are correct. 1. No The "Not allowed resource types" policy for virtualNetworks is scoped to the Tenant Root Group. 2. Yes There is no policy that restricts or disallows creating virtual machines in ManagementGroup12 or Tenant Root Group. The allowed resource types for virtualNetworks doesn't impact the creation of virtual machines. 3. Yes There are no policies or constraints provided that explicitly prevent moving Subscription1 to ManagementGroup11.

Tenant Root Group (Not Allowed Resource - Virtual N/W) | |__Management Group 11 | | | |__Management Group 21 | (Sub 1) | |__Management Group 12 (Sub 2) (Allowed Resource - Virtual N/W) Answers, 1. You can create a virtual network in Sub1 - No Reason: Subscription 1 is under Tenant Root Group, hence we will not be able to create Virtual Network 2. You can create a virtual machine in Sub2 - No Reason: Subscription 2 is also under Tenant Root Group with overrides the allow resource type in Management Group 12. You will not be able to create a Virtual network, without creation of virtual network, we will not be able to create a Virtual Machine. 3. You can add Sub1 to Management Group11 - No Reason: We cannot add subscription from one group to the other.