Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
Contoso Ltd. operates three autonomous subsidiaries (A, B, and C), each running both production and non-production workloads in Microsoft Azure. Corporate security must prevent creation of public IP addresses in any workload. Finance requires the costCenter tag to be automatically added and locked on every production resource, but not on development or test resources. Each subsidiary must be able to manage only its own resources. Governance administration effort should be minimized. Which Azure hierarchy and policy design should you recommend?
Create a single root management group. Under it, add two child management groups named Prod and NonProd. Place each subsidiary's production subscriptions in Prod and its dev/test subscriptions in NonProd. Assign a deny-public-IP Azure Policy at the root and a modify policy that adds the costCenter tag at the Prod management group.
Use a single subscription per subsidiary. Separate production and dev/test workloads with resource groups. Apply the deny-public-IP policy at the subscription scope and enforce the costCenter tag through an Azure Blueprint.
Create one management group for each subsidiary under the root. Inside each management group, separate production and non-production workloads with resource groups and assign both policies at every resource-group scope.
Place all subscriptions in a single management group and apply an initiative at the resource-group level that contains both policies, adding policy exemptions for dev/test resource groups to skip the costCenter tag requirement.
Placing all subscriptions in a single root management group makes it possible to assign organization-wide policy once. Creating two child management groups, one for production and one for non-production, and placing the subsidiaries' subscriptions under the appropriate child group lets you apply environment-specific governance without duplicating assignments. A deny policy that blocks public IP addresses can be assigned at the root so every subscription inherits it automatically. A separate modify policy that adds and locks the costCenter tag can be scoped only to the production management group, ensuring that development and test subscriptions are not affected. Because RBAC is granted at the subscription scope, each subsidiary sees only its own subscriptions, satisfying the isolation requirement. The other options either duplicate policy assignments across many scopes, fail to separate production from non-production at the management-group level, or rely on exemptions/Blueprints that increase administration overhead.
Design identity, governance, and monitoring solutions