Hard · 1 mark · Multiple Choice
Domain 1.3: Governance · Domain 1 · Governance · Azure Policy · Management Groups

AZ-305 · Question 10 · Domain 1.3: Governance

A global enterprise has 50 Azure subscriptions organized under a single root Management Group. They have three main business units: North America (NA), Europe (EU), and Asia Pacific (APAC).

Due to strict GDPR compliance, the EU business unit must be absolutely restricted from deploying any resources outside of the 'West Europe' and 'North Europe' Azure regions. The NA and APAC units have no such restrictions.

You need to design a governance solution that enforces this requirement with the least administrative effort. What should you do?

Answer options:

A. Assign an Azure Policy restricting locations to the root Management Group, and create exclusions for NA and APAC subscriptions.

B. Create an 'EU' Management Group under the root. Move EU subscriptions to it. Assign an Azure Policy restricting locations to the 'EU' Management Group.

C. Assign an Azure Policy restricting locations individually to each EU subscription.

D. Configure Azure Role-Based Access Control (RBAC) on the EU subscriptions to deny deployment to non-EU regions.

How to approach this question

Use Management Groups to reflect organizational structure and apply Azure Policy at the appropriate level to minimize overhead.

Full Answer

B. Create an 'EU' Management Group under the root. Move EU subscriptions to it. Assign an Azure Policy restricting locations to the 'EU' Management Group. ✓ Correct
Management Groups allow you to organize subscriptions into a hierarchy for unified governance. By creating an 'EU' Management Group, you can assign the 'Allowed locations' Azure Policy once at that level. All current and future EU subscriptions placed in that group will automatically inherit the restriction, providing the least administrative effort. RBAC cannot restrict resource locations.

Common mistakes

Confusing RBAC with Azure Policy. RBAC is for authorization (who can do what), while Policy is for governance rules (what can be created and where).
