Assigning Azure Policy Definitions - Scopes and Solutions

Azure Policy Scopes: Subscriptions, Resource Groups, Management Groups

Question

You are designing a large Azure environment that will contain many subscriptions.

You plan to use Azure Policy as part of a governance solution.

To which three scopes can you assign Azure Policy definitions? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


A. B. C. D. E. F.

ACF

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.

https://docs.microsoft.com/en-us/azure/governance/policy/overview

Sure, I'd be happy to provide a detailed explanation of the answer to your question.

Azure Policy is a service in Azure that allows administrators to create, assign, and manage policies that enforce rules and effects over resources in an Azure subscription. These policies can help to ensure that resources deployed in Azure adhere to organizational standards and best practices.

When designing a large Azure environment that will contain many subscriptions, it is important to understand the different scopes at which Azure Policy can be applied. The three scopes at which Azure Policy definitions can be assigned are:

  1. Subscriptions: A subscription is the logical container for Azure resources. Azure Policy can be assigned at the subscription level, which means that the policy will apply to all resources within that subscription.

  2. Resource groups: Resource groups are containers that hold related resources for an Azure solution. Azure Policy can be assigned at the resource group level, which means that the policy will apply to all resources within that resource group.

  3. Management groups: Management groups are containers that help to manage access, policy, and compliance across multiple subscriptions. Azure Policy can be assigned at the management group level, which means that the policy will apply to all resources within all subscriptions that are members of that management group.

Azure Policy cannot be assigned at the Azure AD administrative unit or tenant level. Azure AD administrative units are containers that can be used to organize and manage Azure AD resources, but they do not have any relation to Azure resources that would require Azure Policy. Azure AD tenants, on the other hand, are the identity and access management foundation for all Azure resources, but they are not a container for Azure resources themselves.

Compute resources, while a scope within Azure, are not a valid scope for assigning Azure Policy definitions. Compute resources include virtual machines, virtual machine scale sets, and other compute resources in Azure, but they do not have the necessary scope to apply Azure Policy.

In summary, the three scopes at which Azure Policy definitions can be assigned are subscriptions, resource groups, and management groups.
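As an added example that is not part of the original answers, the script below builds the ARM scope IDs for the three assignable scopes (management group, subscription, resource group), rejects identifiers that are not Azure Policy scopes, and goes one step beyond the question by checking the placement rule that matters in a multi-subscription design: a custom definition stored at a management group or subscription can only be assigned at that scope or beneath it, while built-in definitions can be assigned anywhere. The management-group hierarchy, subscription IDs and names are constructed for the example.

```python
import re

# ARM scope-ID shapes for the three scopes Azure Policy assignments can target.
_SCOPE_PATTERNS = {
    "managementGroup": re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$"),
    "subscription":    re.compile(r"^/subscriptions/[0-9a-f-]{36}$"),
    "resourceGroup":   re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$"),
}

def scope_kind(scope: str):
    """Classify an ARM scope ID; None means it is not one of the three assignable scopes."""
    for kind, pattern in _SCOPE_PATTERNS.items():
        if pattern.match(scope):
            return kind
    return None

def mg_scope(name: str) -> str:
    return f"/providers/Microsoft.Management/managementGroups/{name}"

def sub_scope(sub_id: str) -> str:
    return f"/subscriptions/{sub_id}"

def rg_scope(sub_id: str, rg: str) -> str:
    return f"{sub_scope(sub_id)}/resourceGroups/{rg}"

def is_within(scope: str, ancestor: str, hierarchy: dict) -> bool:
    """True if `scope` equals `ancestor` or lies beneath it.
    `hierarchy` maps a management-group scope to its child MG/subscription scopes
    (constructed input here; a real run would read it from the Management Groups API)."""
    if scope == ancestor:
        return True
    if scope_kind(scope) == "resourceGroup":          # an RG sits inside its subscription
        scope = scope.split("/resourceGroups/")[0]
        if scope == ancestor:
            return True
    return any(is_within(scope, child, hierarchy) for child in hierarchy.get(ancestor, []))

def can_assign(definition_location, assignment_scope: str, hierarchy: dict) -> bool:
    """definition_location is the MG or subscription scope where a custom definition is
    stored, or None for a built-in definition (stored at tenant level, assignable anywhere)."""
    if scope_kind(assignment_scope) is None:
        return False
    if definition_location is None:
        return True
    return is_within(assignment_scope, definition_location, hierarchy)

# Constructed tenant layout: root MG -> landing-zones MG -> prod subscription,
#                            root MG -> sandbox MG       -> sandbox subscription.
PROD_SUB, SBX_SUB = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
ROOT, LZ, SANDBOX = mg_scope("contoso-root"), mg_scope("landing-zones"), mg_scope("sandbox")
HIERARCHY = {ROOT: [LZ, SANDBOX], LZ: [sub_scope(PROD_SUB)], SANDBOX: [sub_scope(SBX_SUB)]}
```

A definition stored under `landing-zones` can therefore be assigned to the prod subscription or one of its resource groups, but not to the sandbox subscription, and an Azure AD administrative unit or tenant identifier is refused outright.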