Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-104 topic 2 question 5 discussion

Actual exam question from Microsoft's AZ-104
Question #: 5
Topic #: 2
[All AZ-104 Questions]

HOTSPOT -
You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: No -
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.

Box 2: Yes -
Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.

Box 3: Yes -
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-management-groups-and-subscriptions

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
fedztedz
Highly Voted 3 years ago
Answer is Wrong : It should Be NO NO NO - subscription should be moved by can't be added to 2 groups.
upvoted 225 times
Durden871
8 months, 4 weeks ago
From Udemy: NYN Explanation 1. The azure policy (not allowed resource types – Virtual networks) is inherited to Subscription1. So, Virtual networks are not allowed to create in Subscription1. 2. Policy assignments get evaluated top-to-bottom. The most restrictive policy assignment will always win, i.e. a DENY on any level will take precedence over an ALLOW on any other level. So the azure policy (not allowed resource types – Virtual networks) will be applied to Subscription2. The deny policy is only for virtual networks. This allows to create a virtual machine by leveraging existing VNet’s. 3. Each management group and subscription can only support one parent. Subscription1 is already part of a management group. We can’t add this to another management group though we can move. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 34 times
Zemar
8 months, 2 weeks ago
No - Sub1 > Group21 > Group11 > TenantRoot (Not allowed) No - Sub2 > Group12 > TenantRoot (Not allowed) No - Only one management group can be assigned to a subscription (Group21 is already assigned to sub1)
upvoted 8 times
...
avidlearner
4 months ago
No - Tenant Root not allowed No - Azure policy is a Strict Deny system, Any deny policy on top level is not overridden by lower level allows. Since you are not allowed to create a VNet you can't create a VM without a VNet. No- you don't add a subscription group which is already assigned to other .
upvoted 2 times
...
alexn76
8 months, 3 weeks ago
N Y N You can create VM on existing network
upvoted 2 times
ggogel
2 weeks, 4 days ago
"Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list." See: https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition So the answer to the second question is NO. Only vNets are in the list, so only vNets can be created. Anything else is denied.
upvoted 1 times
...
KrisJin
7 months, 1 week ago
Who told you there is an existing VNET?
upvoted 7 times
neolisto
1 month ago
Same question for you. Who told you there is NO existing VNet? We have no info about it (or any other resources) but we have a Q about VM's. VM's COULD be created because it's required an VNet and VNet could already exist, and there is no restriction about VM creation. So potentially you have a chance create VM (cuz it's not prohibited) by using existing VNet.
upvoted 2 times
ki01
3 weeks, 3 days ago
ms exams usually tell what resources are already available, or what will be deployed. if it requires presuming that it just exists out of the nether, then it means it's not there. A VM in azure cannot be created without VNET, meaning that avidlearner is correct
upvoted 1 times
...
...
...
...
...
Ikrom
2 years, 12 months ago
Agree. - NO: Subscription 1: is not allowed to create a VNET. - NO: Subscription 2: Allowed to create a VNET which restricts anything else. - NO: Subscription 1: already in one Management group called 21, so cannot add into another. A Subscription can be assigned to 1 Management Group.
upvoted 136 times
azuremarco2021
2 years, 7 months ago
Im sorry but why is the 2nd false? All that was forbiden at the root level is lifted on Subscription 2
upvoted 4 times
zr79
1 year, 9 months ago
It should not have permission to create a VNet as this was denied in the root directory. rules are inherited downwards from parent to child
upvoted 4 times
zr79
1 year, 9 months ago
But it should have a permission to create a VM
upvoted 3 times
Scoobysnaks86
1 year, 6 months ago
you can't create a vm without a vnet
upvoted 10 times
...
...
...
Jayad
1 year, 8 months ago
It's because of the "Allowed Resources Policy". You can only create resources of the allowed type and the ones which cannot be assigned tags. TR ->MG11 -> MG21 - Sub1 ->MG12 - sub2
upvoted 7 times
...
...
RVE
1 year, 5 months ago
Best explanation
upvoted 3 times
...
...
irosh412
2 years, 6 months ago
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition This clearly states, "Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list." Therefore, only allowed resource type is virtual nerwork. SO the answer for the second question is NO. but third is Yes, because adding subscrition and moving subscription is the same in MS docs. :)
upvoted 27 times
vamshidhara
2 years, 6 months ago
Azure Policy is an explicit deny. So the root management group deny the virtual network resource type to the child management groups/subscriptions/resources groups and ​the policy in the question does not have any thing excluded so it will deny
upvoted 5 times
faz_r_a
1 year, 5 months ago
It is an implicit deny-explicit allow policy. Anything that does not fall into the list of allowed resources for example will be denied. So you explicitly state what you want to allow and Azure AD denies everything else not in included.
upvoted 1 times
...
...
...
dp846
5 months, 1 week ago
overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition
upvoted 1 times
...
...
mlantonis
Highly Voted 2 years, 6 months ago
Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. Not allowed resource types (Deny): Prevents a list of resource types from being deployed. Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in ManagementGroup12 scope, but you cannot deploy any other resource. Box 1: No Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’. Box 2: No: You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12). Box 3: No You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.
upvoted 196 times
RamanAgarwal
2 years, 6 months ago
Policy doesnt restrict you to create a VM anywhere. It restricts you to create VNet only which is overridden at Management12 and it will be inherited by Subscription 2. So you can create Vnet hence VM in subscription 2
upvoted 9 times
...
binhdortmund
5 months ago
best explanation! Thanks
upvoted 1 times
...
dp846
5 months, 1 week ago
Box 2 : No since overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition
upvoted 2 times
...
ElDakhli
11 months, 2 weeks ago
Perfect comment, thank you :)
upvoted 2 times
...
...
jlee425
Most Recent 2 weeks, 6 days ago
2. Yes If there is an existing virtual network in Subscription2, you could use that network to create a VM
upvoted 1 times
...
psscloud
3 weeks, 1 day ago
During a VM creation, a VNet and NIC creation are mandatory. Because of the Policy, VM creation would be stopped if a new VNet needs to be created. But if there is any existing VNet available in the resource group already, that can be used to create the VM. In that way, the VM creation shouldn't fail. So, yes, you can create a VM.
upvoted 1 times
...
mattpaul
1 month, 2 weeks ago
I passed with these questions and many friends passed too, if you want real exam questions, contact me on [email protected]
upvoted 1 times
...
DWILK
1 month, 4 weeks ago
I wish MS would be more careful how they phrase things. There's a big difference between move and add
upvoted 2 times
...
sedex
3 months, 1 week ago
There seems to be a lot of confusion about the wording of the last part of this question. In my opinion yes, of course you can add Sub1 to MG11. Nothing is stopping you from adding it, it will just no longer be in MG21. Why is this it being argued that a subscription can't exist in 2 MGs when it will obviously only be in 1 after adding it to another?
upvoted 3 times
...
FatFatSam
3 months, 3 weeks ago
I would like to ask can I create virtual network in subscription 2?
upvoted 1 times
...
MGJG
3 months, 3 weeks ago
NNN 2.- the order of the policy does not matter, the more restrictive policy wins https://www.stefanroth.net/2020/01/17/azure-policy-how-precedence-works/
upvoted 2 times
...
RickySmith
3 months, 4 weeks ago
NNN 1.N The policy is inherited. https://learn.microsoft.com/en-us/azure/governance/policy/overview#assignments 2.N Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition 3.N A subscription will be a direct member of only one management group. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups
upvoted 2 times
...
kamalpur
4 months, 2 weeks ago
This question is explained in the below video with the concept. https://youtu.be/ajrGaguGg90
upvoted 1 times
avidlearner
4 months ago
that's a wrong explanation. he says you can create a VM , which you can't because you can't create the VNet on sub2. He says answer is NYN, in my logical opinion it's just not what you can do it's whether it's allowed. Answer should be NNN
upvoted 1 times
...
...
Josete1106
4 months, 3 weeks ago
It's N N Y
upvoted 1 times
...
raj24051961
5 months, 2 weeks ago
If we assume permission inherit from root Add virtual netwok -> No -> \root\ManagementGroup11\ManagementGroup21\Subscription1 -> Not allowed at root level -> Inherite all the following levels Create virtual machine -> No -> \root\ManagementGroup12\Subscription2 Not allowed at root level -> Inherite all the following levels Add Subscription1 to ManagementGroup11 -> Yes -> \root\ManagementGroup11\ManagementGroup21\Subscription1, Not allowed for only virtual networks, but we can add subscription1
upvoted 1 times
...
simer
6 months, 1 week ago
Udemy is NO NO NO
upvoted 2 times
...
friendlyvlad
6 months, 1 week ago
In Azure Policy, when you have multiple policies applied to the same resource with conflicting effects (e.g., deny and allow), the effect of the last evaluated policy takes precedence. N-Y-N
upvoted 1 times
avidlearner
4 months ago
Nope, effect of last Deny policy takes precedence. Check this out https://techcommunity.microsoft.com/t5/itops-talk-blog/the-impact-of-conflicting-azure-policies/ba-p/2227063
upvoted 1 times
...
...
Zonci
6 months, 3 weeks ago
NNY is the correct ans
upvoted 2 times
...
RandomNickname
6 months, 3 weeks ago
Based on the info here and questions either NYN or NYY 1,2 are fairly straight forward. 3rd depends if it's add or move since can move. So careful on exam day.
upvoted 1 times
RandomNickname
6 months ago
Changing my second Q from Y to N. Didn't read the Q properly and the URL below is a good expanation. Due to explicit policy restrictions on creating and deny specific resources. https://www.starwindsoftware.com/blog/use-azure-policy-to-allow-only-certain-resource-types-in-resource-groups
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...