Answer is Wrong : It should Be NO NO NO - subscription should be moved by can't be added to 2 groups.

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. Not allowed resource types (Deny): Prevents a list of resource types from being deployed. Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in ManagementGroup12 scope, but you cannot deploy any other resource. Box 1: No Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’. Box 2: No: You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12). Box 3: No You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.

2. Yes If there is an existing virtual network in Subscription2, you could use that network to create a VM

During a VM creation, a VNet and NIC creation are mandatory. Because of the Policy, VM creation would be stopped if a new VNet needs to be created. But if there is any existing VNet available in the resource group already, that can be used to create the VM. In that way, the VM creation shouldn't fail. So, yes, you can create a VM.

I passed with these questions and many friends passed too, if you want real exam questions, contact me on [email protected]

I wish MS would be more careful how they phrase things. There's a big difference between move and add

There seems to be a lot of confusion about the wording of the last part of this question. In my opinion yes, of course you can add Sub1 to MG11. Nothing is stopping you from adding it, it will just no longer be in MG21. Why is this it being argued that a subscription can't exist in 2 MGs when it will obviously only be in 1 after adding it to another?

I would like to ask can I create virtual network in subscription 2?

NNN 2.- the order of the policy does not matter, the more restrictive policy wins https://www.stefanroth.net/2020/01/17/azure-policy-how-precedence-works/

NNN 1.N The policy is inherited. https://learn.microsoft.com/en-us/azure/governance/policy/overview#assignments 2.N Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition 3.N A subscription will be a direct member of only one management group. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups

This question is explained in the below video with the concept. https://youtu.be/ajrGaguGg90

It's N N Y

If we assume permission inherit from root Add virtual netwok -> No -> \root\ManagementGroup11\ManagementGroup21\Subscription1 -> Not allowed at root level -> Inherite all the following levels Create virtual machine -> No -> \root\ManagementGroup12\Subscription2 Not allowed at root level -> Inherite all the following levels Add Subscription1 to ManagementGroup11 -> Yes -> \root\ManagementGroup11\ManagementGroup21\Subscription1, Not allowed for only virtual networks, but we can add subscription1

Udemy is NO NO NO

In Azure Policy, when you have multiple policies applied to the same resource with conflicting effects (e.g., deny and allow), the effect of the last evaluated policy takes precedence. N-Y-N

NNY is the correct ans

Based on the info here and questions either NYN or NYY 1,2 are fairly straight forward. 3rd depends if it's add or move since can move. So careful on exam day.