Question 53 of 115 from exam AZ-304: Microsoft Azure Architect Design
Question
HOTSPOT -
You plan to create an Azure environment that will have a root management group and five child management groups. Each child management group will contain five Azure subscriptions. You plan to have between 10 and 30 resource groups in each subscription.
You need to design a solution for the planned environment. The solution must meet the following requirements:
Prevent users who are assigned the Owner role for the subscriptions from deleting the resource groups from their respective subscription.
-> Ensure that you can update RBAC role assignments across all the subscriptions and resource groups.
-> Minimize administrative effort.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Explanations
Box 1: Azure Blueprints -
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments -
Policy Assignments -
Azure Resource Manager templates (ARM templates)
Resource Groups -
Incorrect:
A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources.
Box 2: Resource locks at the subscription level
To minimize administrative effort lock at the subscription level.
Note: As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources