Exam AZ-304 topic 2 question 18 discussion

Disagree with answer #2. Answer 1: The root management group (correct) Answer 2: The subscriptions Explanation: When creating a blueprint definition, you'll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have Contributor access to. If the location is a management group, the blueprint is available to assign to any child subscription of that management group. Since question #2 clearly mentions the scope of assignments, it should be on the subscription level.

tested . no need to confuse things . I created a blueprint . when creating your asked for the location - I selected the tenant group . I then saved as a draft . then published it with version1.0. the blueprint was in definitions blade and now where else. I then clicked on assign(no another place to "CREATE" assignments ) the first thing I was asked for is SUBSCRIPTION !. so the answer is 1- Root management group 2- Subscriptions

Assigning a blueprint definition to a management group means the assignment object exists at the management group. The deployment of artifacts still targets a subscription. To perform a management group assignment, the Create Or Update REST API must be used and the request body must include a value for properties.scope to define the target subscription. https://learn.microsoft.com/en-us/azure/governance/blueprints/overview Answer 1: The root management group Answer 2: The root management group

Creation can be done at Management Group, but assignment has to be sub level - https://learn.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal#assign-a-blueprint

root management group and subscription

I am testing this at the Azure portal now. I have a few test management groups. When I create a new Blueprint definition and select "definition location" the root management group is greyed out to me. I can only select a child management group. No matter if they have a subscription or not. Later when I try to assign the blueprint, I can only select a Subscription. So based on this experience, the correct answer seems to be: 1) Child level 2) Subscriptions

On exam 31.03.2022

https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/deployment-stages#:~:text=The%20blueprint%20assignment%20object%20is%20created,-A%20user%2C%20group&text=The%20assignment%20object%20exists%20at,of%20managed%20identity%20is%20selected. The blueprint assignment object is created A user, group, or service principal assigns a blueprint to a subscription. The assignment object exists at the subscription level where the blueprint was assigned. Resources created by the deployment aren't done in context of the deploying entity.

Blueprint assignment Each Published Version of a blueprint can be assigned (with a max name length of 90 characters) to an existing management group or subscription. In the portal, the blueprint defaults the Version to the one Published most recently. If there are artifact parameters or blueprint parameters, then the parameters are defined during the assignment process. Note Assigning a blueprint definition to a management group means the assignment object exists at the management group. The deployment of artifacts still targets a subscription. To perform a management group assignment, the Create Or Update REST API must be used and the request body must include a value for properties.scope to define the target subscription. Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-assignment

https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-assignment Assigning a blueprint definition to a management group means the assignment object exists at the management group. The deployment of artifacts still targets a subscription so Root Management is correct for both boxes.

Root management group for both

1) root management group 2) root management group The only option to prevent subscription owners from removing a blueprint assignment is to assign the blueprint to a management group. In this scenario, only Owners of the management group have the permissions needed to remove the blueprint assignment. https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/governance/blueprints/concepts/resource-locking.md#assign-at-management-group

Root Management Group is highest level. If assign to mgmt group, it will be available for assigining subscriptuion in that management group. so answer is corect.Refer microsoft video. https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-definition-locations

Answer is correct. You assign blueprint to subscription not to management group. A blueprint crates resources and resources are in a subscription not in a mgmt groups which is a concept for governance not for hosting resources and bill their consumption

If you can define at the root level surely you can create at the root level for consistency and minimizing definitions

Box 1: Root management group (most agree with it) So the confusion is on Box 2 whether its MG or Subscription. You can create Blueprint Assignment at both MG level (using Rest API) and subscription level. If you create the Assignment at Subscription level, then subscription owners can change/remove the Blueprint assignments thereby the purpose of "to control governance across all subscriptions and RGs" will be defeated. The only option to prevent subscription owners from removing a blueprint assignment is to assign the blueprint to a management group. https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/governance/blueprints/concepts/resource-locking.md

Answer is correct