Exam AZ-304 topic 2 question 39 discussion

Actual exam question from Microsoft's AZ-304
Question #: 39
Topic #: 2

HOTSPOT -
You plan to create an Azure environment that will have a root management group and five child management groups. Each child management group will contain five Azure subscriptions. You plan to have between 10 and 30 resource groups in each subscription.
You need to design a solution for the planned environment. The solution must meet the following requirements:
✑ Prevent users who are assigned the Owner role for the subscriptions from deleting the resource groups from their respective subscription.
✑ Ensure that you can update RBAC role assignments across all the subscriptions and resource groups.
✑ Minimize administrative effort.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Azure Blueprints -
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
✑ Role Assignments
✑ Policy Assignments
✑ Azure Resource Manager templates (ARM templates)
✑ Resource Groups
Incorrect:
A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources.
Box 2: Resource locks at the subscription level
To minimize administrative effort, lock at the subscription level.
Note: As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Comments

Jasper666
Highly Voted 4 years ago
Answer should be Azure blueprints in both areas.
upvoted 69 times
d0bermannn
3 years, 10 months ago
agreed, and explanation provided said exactly this (2xbp)
upvoted 4 times
...
Kevmeister
4 years ago
I agree with Jasper666, as per the source: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#locking-modes-and-states It's typically possible for someone with appropriate Azure role-based access control (Azure RBAC) on the subscription, such as the 'Owner' role, to be allowed to alter or delete any resource. This access isn't the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. Trying to use resource locks at subscription level can be removed by owners.
upvoted 18 times
demonite
4 years ago
I agree
upvoted 2 times
...
Suharsh
4 years ago
Agree. The right answer is Azure blueprint.
upvoted 2 times
...
rdemontis
3 years, 6 months ago
Thanks for explanation
upvoted 2 times
...
...
...
RubberenRobbie
Highly Voted 3 years, 12 months ago
Blueprints for both. An owner CAN remove a resource lock. Only a blueprint can deny owners
upvoted 13 times
...
cwilson91
Most Recent 3 years, 1 month ago
On AZ-305 exam - 5.7.22
upvoted 5 times
...
Pupu86
3 years, 2 months ago
Not sure if handling 5 x 5 subscriptions resource locks is considered minimal effort - so that is considered not a right answer to me
upvoted 1 times
...
plmmsg
3 years, 3 months ago
Azure blueprints for both boxes
upvoted 1 times
...
Ali526
3 years, 4 months ago
After owners of ExamTopics (this web site) have found that an overwhelming majority (sometimes 100%) of contributors have agreed upon a different answer than theirs, it may be a good idea to correct their own answer.
upvoted 5 times
itenginerd
3 years, 2 months ago
TBQH, wrestling with the discussion teaches you as much or more than just cycling the questions. At least in my experience.
upvoted 5 times
...
...
BhupalS
3 years, 4 months ago
It's typically possible for someone with appropriate Azure role-based access control (Azure RBAC) on the subscription, such as the 'Owner' role, to be allowed to alter or delete any resource. This access isn't the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. This security measure protects the consistency of the defined blueprint and the environment it was designed to create from accidental or programmatic deletion or alteration. As per requirements, both answers should be Blueprints.
upvoted 1 times
...
Inland
3 years, 7 months ago
www.docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking (refer to notes) and the following option is correct. Box 1: Azure Blueprints Box 2: Resource locks at the subscription level
upvoted 3 times
itenginerd
3 years, 2 months ago
From your cited document: It's typically possible for someone with appropriate Azure role-based access control (Azure RBAC) on the subscription, such as the 'Owner' role, to be allowed to alter or delete any resource. This access isn't the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. The only way to fully prevent someone with Owner rights from later lifting the lock would be to lock it in the Blueprint.
upvoted 1 times
...
...
syu31svc
3 years, 8 months ago
Update RBAC role is Blueprint; no argument on this one https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. Prevent deletion is at Blueprint level
upvoted 1 times
syu31svc
3 years, 8 months ago
I meant Blueprint assignment locking for prevent deletion
upvoted 2 times
...
...
nkv
3 years, 8 months ago
Came in exam on 20-sep-21, I passed, answers are correct. Answer should be Azure blueprints in both areas.
upvoted 5 times
...
souvik123
3 years, 8 months ago
Azure Blueprint for both options.
upvoted 2 times
...
teehex
3 years, 10 months ago
To minimize administrative effort the answer must be Azure Blueprint with setting lock mode. https://docs.microsoft.com/en-us/azure/governance/blueprints/tutorials/protect-new-resources
upvoted 2 times
...
MaheshS
3 years, 11 months ago
Yes it should be Azure blueprints for both
upvoted 1 times
...
DragonsGav
3 years, 11 months ago
Azure Blueprints should be the answer for both questions.
upvoted 1 times
...
mahwish
3 years, 11 months ago
Blueprints for both
upvoted 1 times
...
Rajyahoo
3 years, 11 months ago
Question is "from deleting the resource groups". If you use BluePrint to lock, all artifacts in BP are locked.
upvoted 2 times
jr_luciano
3 years, 4 months ago
Each artifact can have its individual lock. "Resources created by artifacts in a blueprint assignment have four states: Not Locked, Read Only, Cannot Edit / Delete, or Cannot Delete. Each artifact type can be in the Not Locked state." https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#locking-modes-and-states
upvoted 1 times
...
pentium75
3 years, 10 months ago
Can't you specify the lock specifically for "Resource Group" objects in BP?
upvoted 2 times
ChocolateNagaViper
3 years, 4 months ago
Rajyahoo is correct. Setting the Do Not Delete mode through Blueprints will prevent all artifacts and resource groups from being deleted: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking. Since this is more restrictive than required in the question, we can't consider that the correct answer. The shown answer is correct.
upvoted 1 times
jr_luciano
3 years, 4 months ago
Each artifact can have its individual lock. "Resources created by artifacts in a blueprint assignment have four states: Not Locked, Read Only, Cannot Edit / Delete, or Cannot Delete. Each artifact type can be in the Not Locked state." https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#locking-modes-and-states
upvoted 1 times
...
...
...
...