Exam AZ-104 topic 2 question 57 discussion

Actual exam question from Microsoft's AZ-104
Question #: 57
Topic #: 2

HOTSPOT -
You have an Azure subscription that contains the hierarchy shown in the following exhibit.

You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
Note: Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.

Box 2: ManagementGroup1, Subscription1, RG1, and VM1
You can exclude a subscope from the assignment.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
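The scope rules in the suggested answer, modelled as an added example (not part of the original page or of Microsoft's documentation). It assumes the hierarchy Tenant Root Group > ManagementGroup1 > Subscription1 > RG1 > VM1, because the exhibit is not reproduced here; the subscription GUID, the tenant root id and the assignment name are constructed placeholders, and the `az policy assignment create` command line is built but not run.

```python
# Assumed hierarchy (exhibit not reproduced): Tenant Root Group > ManagementGroup1 >
# Subscription1 > RG1 > VM1. The GUID and tenant-root id are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MG = "/providers/Microsoft.Management/managementGroups/"

SCOPE_IDS = {
    "Tenant Root Group": MG + "TENANT-ROOT-PLACEHOLDER",
    "ManagementGroup1": MG + "ManagementGroup1",
    "Subscription1": SUB,
    "RG1": SUB + "/resourceGroups/RG1",
    "VM1": SUB + "/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/VM1",
}

# child -> parent. Management-group membership is not encoded in a resource ID,
# so the hierarchy has to be given explicitly.
PARENT = {"ManagementGroup1": "Tenant Root Group", "Subscription1": "ManagementGroup1",
          "RG1": "Subscription1", "VM1": "RG1"}

def ancestors(name):
    """Return the scopes above `name`, nearest first."""
    chain = []
    while name in PARENT:
        name = PARENT[name]
        chain.append(name)
    return chain

def valid_exclusions(assigned_at):
    """Scopes that sit strictly below the assignment scope (its subscopes)."""
    return [n for n in SCOPE_IDS if assigned_at in ancestors(n)]

def assignment_argv(assigned_at, excluded=()):
    """Build (not run) an `az policy assignment create` command line."""
    bad = [n for n in excluded if n not in valid_exclusions(assigned_at)]
    if bad:
        raise ValueError(f"not a subscope of {assigned_at}: {bad}")
    # "Policy1-assignment" is a hypothetical assignment name.
    argv = ["az", "policy", "assignment", "create", "--name", "Policy1-assignment",
            "--policy", "Policy1", "--scope", SCOPE_IDS[assigned_at]]
    if excluded:
        argv += ["--not-scopes", *(SCOPE_IDS[n] for n in excluded)]
    return argv

if __name__ == "__main__":
    for scope in SCOPE_IDS:
        print(f"{scope:18} exclusions: {valid_exclusions(scope)}")
    print(" ".join(assignment_argv("RG1", ["VM1"])))
```

Every one of the five names is accepted as an assignment scope, while the Tenant Root Group never appears in an exclusion list because nothing sits above it.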

Comments

Ntinsky
Highly Voted 2 years, 5 months ago
Since the discussion added a lot of confusion, because a lot of people in here just drop random facts without any proof, misleading people, I tested it in an Azure lab. In the scope field on the "Basics" tab I was able to select "Tenant Root Group" or "Management Group1", with the optional entries of Subscription and Resource group. So "you can assign policy to Tenant Root Group, ManagementGroup1, Subscription1 and RG1". As for the second answer about the exclusions, I was able to select all the items in the scope EXCEPT the Tenant Root Group. Therefore the correct answer would be "ManagementGroup1, Subscription1, RG1 and VM1". I hope that helps.
upvoted 267 times
Sanaz90
7 months, 2 weeks ago
Wrong! Go to a resource like a VM and assign a policy from there to the VM, and you will see the policy assignment is set at resource level and not RG level.
upvoted 4 times
junkz
3 months, 3 weeks ago
Huh, I learned something new today with this answer.
upvoted 1 times
witalis
3 months ago
The question pertains to assigning and excluding Azure Policy definitions. Here's the answer: You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only. Azure Policies can be assigned at higher levels of hierarchy like the Tenant Root Group, Management Groups, Subscriptions, and Resource Groups. You can exclude Policy1 from: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1. Azure Policies allow exclusions at any scope under the assignment, including specific resources like VMs.
upvoted 1 times
XristophD
2 years, 3 months ago
Since your answer added a lot of confusion, because you drop random answers: the Azure Portal only allows selecting scopes down to Resource Groups. That is correct. BUT: with Azure CLI or Azure PowerShell, a Policy Assignment can be done at a specific resource. The Azure Portal UI is limited in many ways, so always check the possibilities with Azure CLI or PowerShell before assuming something is not there or doesn't work.
upvoted 20 times
codeScalable
2 years, 2 months ago
Azure policies can be scoped down to individual resources. "Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources." The second answer is correct.
upvoted 12 times
RichardBill
Highly Voted 2 years, 6 months ago
Wrong! You can assign a policy to the Root, Management Group, Subscription and Resource Group BUT NOT A RESOURCE ITSELF! Test it in Portal! 2nd part of answer seems to be correct. You cannot exclude the highest scope that you can assign to. I tried it in portal as well and it won't save the exclusion Tenant Root Group.
upvoted 38 times
Traian
2 years, 6 months ago
I believe you are wrong. You can assign a policy to a resource: "An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource." https://docs.microsoft.com/en-us/azure/governance/policy/overview - check assignments. In my opinion the provided answer is correct.
upvoted 25 times
RichardBill
2 years, 5 months ago
So I checked again and the portal doesn't let you do it! That's what I based my assumption on! But via Azure CLI it says that a resource is a valid scope for assignment: https://docs.microsoft.com/en-us/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create So yeah, I think that you are right and my comment is wrong, but I cannot delete it. But looks like this is just a portal restriction. Sorry for the confusion!
upvoted 37 times
meeko86
2 years, 3 months ago
Valid scopes are management group, subscription, resource group, and resource: https://learn.microsoft.com/en-us/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create
upvoted 6 times
Grande
2 years, 6 months ago
Very correct. In general you cannot exclude the parent of a child already covered by the policy, e.g. if the scope was RG1, you cannot exclude Subs1; you can only exclude resources underneath RG1.
upvoted 1 times
northstar88
2 years, 6 months ago
Tried in portal as well. You cannot select resources as scope.
upvoted 4 times
buzzerboy
2 years, 2 months ago
I couldn't assign a policy at Tenant Root Management Group. There is no blade for policy.
upvoted 2 times
nikiv_896
Most Recent 5 days, 16 hours ago
1/ You can assign Policy1 to: Tenant Root Group, Management Group 1, Subscription 1, RG1, VM1. 2/ You can exclude Policy1 from: Management Group 1, Subscription 1, RG1, VM1. Refer to the link https://learn.microsoft.com/en-us/azure/governance/policy/overview It states this: "Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded"
upvoted 1 times
Jay_D_Lincoln
1 month ago
The answer is correct. You CAN assign a policy at a RESOURCE level using AZURE PORTAL as well. But to do this you have to do it from the resource dashboard or using CLI. Go to VM1 -> Operations -> Policies -> Assign Policy -> Scope -> Subscription1/MG1/RG1/VM1
upvoted 2 times
vrm1358
1 month, 3 weeks ago
2025-Jan Tested in LAB: you can assign policy to Tenant Root Group, ManagementGroup1, Subscription1 and RG1, VM1 allow exclusions
upvoted 3 times
vrm1358
1 month, 3 weeks ago
Sorry, missed Exclusion. 2025-Jan Tested in LAB: you can assign policy to Tenant Root Group, ManagementGroup1, Subscription1 and RG1, VM1 allow exclusions: Management Group1, Subscription1, RG1, VM1
upvoted 5 times
fittech
5 months ago
!! Please be careful not to share incorrect information! According to Microsoft documentation: "policies can be assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources." !!
upvoted 4 times
[Removed]
5 months, 3 weeks ago
WRONG. You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only. You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only.
upvoted 2 times
[Removed]
6 months ago
Wrong. You can assign Policy1 to: Tenant Root Group, ManagementGroup1, and Subscription1 only. You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only.
upvoted 1 times
[Removed]
5 months, 3 weeks ago
Sorry, I misread it. You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only. You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only.
upvoted 1 times
Mshaty
5 months, 3 weeks ago
If you can exclude it, doesn't that mean you can assign the policy to the resource? You can't exclude something that cannot be part of the policy.
upvoted 1 times
[Removed]
5 months, 3 weeks ago
You can't assign a policy for a resource on the portal, you can do it only on CLI or PowerShell, which is not mentioned here, so we have to answer this in general.
upvoted 1 times
pasangawa
6 months ago
Tested on lab, you can assign policy on VM.
upvoted 1 times
pet3r
7 months, 2 weeks ago
Policies can be applied to a resource like a VM: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/recommended-policies
upvoted 1 times
VinodRK
8 months, 1 week ago
You can assign Policy1 to Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only. You can exclude Policy1 from ManagementGroup1, Subscription1, RG1, and VM1 only.
upvoted 1 times
23169fd
8 months, 3 weeks ago
given answer is correct.
upvoted 2 times
76d5e04
9 months ago
Feeling tired of reading discussions. examtopics please quality seems ?
upvoted 3 times
76d5e04
9 months ago
In the name of discussion most confusion is created and makes me think is it worth paying $65 to examtopics. I thought examtopics would be a good material so far out of 90 questions most of them have not been given exact answer
upvoted 3 times
nailedIT
7 months ago
The issue lies on the people and bots using examtopics. I still find it very useful to get access to the questions, but I can never rely exclusively on examtopics answers nor community. Yet, community seems to be sharp on the right answer than examtopics, but is full of bots giving almost random answers without any explanation.
upvoted 2 times
Limobakry
9 months, 3 weeks ago
the key in question is only
upvoted 1 times
3c5adce
9 months, 4 weeks ago
You can Assign policy to: "Tenant Root Group, ManagementGroup1, Subscription1 and RG1 ONLY". You can Exclude policy from: "ManagementGroup1, Subscription1, RG1, and VM1 ONLY".
upvoted 1 times
MCLC2021
10 months ago
1/ You can assign Policy1 to: Tenant Root Group, Management Group 1, Subscription 1, RG1, VM1. 2/ You can exclude Policy1 from: Management Group 1, Subscription 1, RG1, VM1. "Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources." https://learn.microsoft.com/en-us/azure/governance/policy/overview "Subscopes can be excluded, if necessary." https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#understand-scope
upvoted 1 times
Dankho
5 months, 1 week ago
Link doesn't include tenant level.
upvoted 1 times