Exam AZ-500 topic 4 question 97 discussion

C, Initiative1, Initiative2 Microsoft Defender for Cloud applies security initiatives to the subscriptions. So when you go to Environment Settings of Defender for Cloud you will be able to assign Initiative1 (inheritied from TRG) and 2 to Sub1. MG1 does not have an Subscription so it wont even be an available option in Environment Settings.

B. Policy1 and Initiative1 only

Both policies and initiatives are used in Defender for Cloud, but it's the initiatives that are assigned directly as security policies at the subscription or management group level. You can add individual policy definitions to an initiative, but the initiative itself is what gets assigned.

E. This aligns with the Microsoft Defender for Cloud Security Policy Concept, which explicitly supports using both policies and initiatives at various scopes to define security policies.

only iniciatives to the subscriptions.

I've found two documents that say Initiative only: https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations#create-a-custom-recommendationstandard-legacy https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept#security-standards I can find nothing that says an initiative will only show up as an option in D4C in Management Groups where Defender for Cloud is enabled. I have no idea if the correct answer is C or D because the question is worded so poorly. But it's certain that A, B, and E cannot be right.

C. We can use initiatives with Security Policies with. In this picture MG1 is not cover Sub1 and we can not use Initiative that it has, and we cannot use Policy1. Tenant Root Group has initiative that will be inherited to Sub1, and it can use this as Security Policy in defender for cloud and its own inherited as well. So, the answer will be here C initiative1 and 2.

It's D

https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept

It's C

C, Initiative1, Initiative2 Microsoft Defender for Cloud applies security initiatives to the subscriptions. So when you go to Environment Settings of Defender for Cloud you will be able to assign Initiative1 (inheritied from TRG) and 2 to Sub1. Also tested in the lab this is correct

B is not correct. Microsoft documentation below imply that Policy cannot be added in Defender. Only initiative. Microsoft Defender for Cloud applies security initiatives to the subscriptions. Defender for Cloud offers the following options for working with security initiatives and policies: - View and edit the built-in default initiative - Add your own custom initiatives - Add regulatory compliance standards as initiatives

I think the correct answer will be Initiated2 only. The reason is - An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups (https://learn.microsoft.com/en-us/azure/governance/policy/overview#resources-covered-by-azure-policy) Microsoft Defender for Cloud applies security initiatives to your subscriptions. (https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept) Nowhere in the above links it says initiate can be assigned to Tenant Root Group.

given answer is correct , Policy used as an individual security policy. It can be applied directly to the subscription and Initiative Initiatives are collections of security policies bundled together. While you can apply initiatives at the subscription level, they are typically used to manage and enforce multiple policies across multiple resources, subscriptions, or management groups. since there is no option for p1,in1andin2 B is the only one

Policy cannot be added in Defender. Tested. Only initiative

Defender for Cloud is only on Sub1. From Environment Settings, you can add a custom initiative, you can create a new custom initiative with a custom policy from the same definition scope. Initiative 3 is on MG1: I don't think you can use initiatives from a different scope if it is not inheriting. I believe answer is: Policy1, Initiative1, Initiative2

C is correct, only Initiative1 (for TRG) and Initiative2 (for Sub1) Microsoft Defender for Cloud applies security initiatives to your subscriptions. Sub3 is not correct, as Sub 1 is not under MG1