Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
Contoso has an Azure AD tenant that contains three business units: Retail, Manufacturing, and Research. Each unit must have separate development and production subscriptions. Corporate IT must enforce a set of Azure Policy definitions across every subscription, collect Activity logs centrally, and grant the GlobalSecurity group read-only access to all resources. Business units must retain autonomy to manage access within their own subscriptions. You need to recommend a management group and RBAC design that meets the requirements with minimal administrative effort. What should you recommend?
Provision a separate Azure AD tenant for each business unit and apply the Azure Policy initiative and GlobalSecurity Reader role at each tenant's root. Forward Activity logs to a Log Analytics workspace in each tenant.
Place all subscriptions directly under the tenant root group and use Azure Blueprints to assign the Azure Policy initiative and GlobalSecurity Reader role individually to every subscription.
Create one management group for each business unit under the tenant root, then create Dev and Prod child management groups within each. Assign the required Azure Policy initiative and the GlobalSecurity Reader role at the tenant root management group.
Create two management groups, Dev and Prod, under the tenant root and place all subscriptions in the appropriate group. Assign the Azure Policy initiative and GlobalSecurity Reader role at each environment management group.
Placing a dedicated management group under the tenant root for each business unit and creating Dev and Prod child management groups inside each one lets you segregate environments while still rolling up to a single organizational hierarchy. Assigning the corporate Azure Policy initiative and the GlobalSecurity Reader role at the tenant root propagates these settings to every descendant management group and subscription, so IT sets them only once. Business-unit administrators can still manage more-granular RBAC on resources inside their own subscriptions because lower-level assignments can add (but not remove) permissions. Designing per-environment management groups under a single branch, using separate tenants, or assigning policy and roles on every individual subscription would all increase administrative overhead or break the requirement for a single corporate policy scope.
Design identity, governance, and monitoring solutions