Answer is Wrong : It should Be NO NO NO - subscription should be moved by can't be added to 2 groups.

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. Not allowed resource types (Deny): Prevents a list of resource types from being deployed. Based on the Policies, VNETs are not allowed in the Tenant Root Group scope, so you cannot deploy VNETs. Also, VNETs only allowed in ManagementGroup12 scope, but you cannot deploy any other resource. Box 1: No Subscription1 is a member of ManagementGroup21, ManagementGroup21 is a member of ManagementGroup11, ManagementGroup11 is a member of the Tenant Root Group, The Tenant Root group has ‘Not allowed resource types for virtual network’. Box 2: No: You cannot create a VM, because based on the Policy you can only create VNETs in Sybscription2 (ManagementGroup12). Box 3: No You cannot ADD Subscription1 to ManagementGroup11, but you can MOVE Subscription1 from ManagementGroup21 to ManagmentGroup11. Subscriptions can only be a member of ONE ManagementGroup at a time.

No No Yes

This was on my exam 25/02/2024! I just want to let people know that these questions are still up to date!

Anything assigned on the root will apply to the entire hierarchy, which includes all management groups, subscriptions, resource groups, and resources within that Azure AD tenant

Answer is Wrong : It should Be NO YES NO Virtual networks are not allowed to create in Subscription1

I did the lab and the correct answer is No, No, No. For the second question, even if you have explicitly allowed VNETs on the Management Group, the Tenant Root Group policy will override it. This is interesting as initially I thought that if you specifically allow something under the Tenant Root with this policy, it will override the one coming from above but apparently it's not like that.

N - Subscription 1 not allowed to create VNET N - Subscription 2 allows only VNET, restricts everything else. Per policy definition of Allowed Resources Type, "If NOT (listOfResourceTypesAllowed), then deny". So, only specified resources will be allowed, nothing else N - Subscription can be associated with only one Management group

2. Yes If there is an existing virtual network in Subscription2, you could use that network to create a VM

During a VM creation, a VNet and NIC creation are mandatory. Because of the Policy, VM creation would be stopped if a new VNet needs to be created. But if there is any existing VNet available in the resource group already, that can be used to create the VM. In that way, the VM creation shouldn't fail. So, yes, you can create a VM.

I passed with these questions and many friends passed too, if you want real exam questions, contact me on [email protected]

I wish MS would be more careful how they phrase things. There's a big difference between move and add

There seems to be a lot of confusion about the wording of the last part of this question. In my opinion yes, of course you can add Sub1 to MG11. Nothing is stopping you from adding it, it will just no longer be in MG21. Why is this it being argued that a subscription can't exist in 2 MGs when it will obviously only be in 1 after adding it to another?

I would like to ask can I create virtual network in subscription 2?

NNN 2.- the order of the policy does not matter, the more restrictive policy wins https://www.stefanroth.net/2020/01/17/azure-policy-how-precedence-works/

NNN 1.N The policy is inherited. https://learn.microsoft.com/en-us/azure/governance/policy/overview#assignments 2.N Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition 3.N A subscription will be a direct member of only one management group. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups

This question is explained in the below video with the concept. https://youtu.be/ajrGaguGg90