Since the discussion added a lot of confusion cause a lot of people in here just drop random facts without any proof,misleading people, i tested it at an Azure lab. In the scope field at the "Basics" tab i was able to select "Tenant Root Group" or "Management Group1" with the optional entries of Subscription and Resource group So ""you can assign policy to Tenant Root Group,ManagementGroup1,Subscription1 and RG1"" As for the second answer about the exclusions, i was able to select all the items in the scope EXCEPT the Tenant Root Group Therefore the correct answer would be ""ManagementGroup1,Subscription1,RG11 and VM1"" I hope that helps

Wrong! You can assign a policy to the Root, Management Group, Subscription and Ressource Group BUT NOT A RESSOUCE ITSELF! Test it in Portal! 2nd part of answer seems to be correct. You can not Exclude the highest scope that you can assign to. I tried it in portal as well and it wont save the exclusion Tenant Root Group

It turns out that you can assign an Azure Police to an individual resource, too: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/scope

I passed with these questions and many friends passed too, all questions appeared in the real exam a great study resource, contact me on [email protected]

You cannot exclude the policy from the root management group because doing so would effectively mean that the policy wouldn't be effective ANYWHERE and would therefore be moot & useless.

Answer should be as : 1. Tenant Root Group,ManagementGroup1,Subscription1 and RG1 2. ManagementGroup1,Subscription1,RG11 and VM1

Wrong. Answer in this video: https://www.youtube.com/watch?v=CKsTvwTezqA

The answer is most probably correct. Says here you can assign it to a resource. https://learn.microsoft.com/en-us/azure/governance/policy/overview "To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. "

Above answer is incorrect. explained in Part-46 in MS Administrator playlist of on @azurewala Youtube Channel

1. Tenant Root Group, ManagementGroup1, Subscription1 and RG1 https://learn.microsoft.com/en-us/answers/questions/1086208/assign-policy-to-specific-resource-in-azure 2. ManagementGroup1, Subscription1, RG1, and VM1

"An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource." You can assign a policy to a single resource. https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-objects

Given answer look correct to me. #1 You can assign to all, global pol from root to policy on resources, see; https://learn.microsoft.com/en-us/azure/governance/management-groups/overview https://learn.microsoft.com/en-us/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create #2 Exclusions in effect on all except global at root level; https://learn.microsoft.com/en-us/azure/governance/policy/concepts/scope https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

1. Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1 2. ManagementGroup1, Subscription1, RG1, and VM1 First elevate the access of your global admin or else the Root Group cannot be used as scope: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Got this question - Passed the exam today, 1/May/23 - scored 930. I am still digesting the fact that 95% of the questions are from here, though it is tough to believe before you take the exam.

https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal A - On the Assign Policy page, set the Scope by selecting the ellipsis and then selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. B - Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. So based on documentation and my Azure portal lab work: A - You can assign policy to: Root Tenant Group , MGMT Group, Subscriptions and resource group only. (No assignment to resource itself as VM1) B - You can exclude policy: MGMT Group, Subscriptions and resource group and VM1 - you can't exclude the Root mgmt group as needs to be at one level lower then root to make exclusion working.

You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1. You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only.

1. Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1 2. ManagementGroup1, Subscription1, RG1, and VM1 https://learn.microsoft.com/en-us/azure/governance/policy/overview#overview Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope.