Domain 1.3: Design Governance

You are designing a governance strategy for a large enterprise with 150 Azure subscriptions. The enterprise has the following compliance requirements: - All resources must be deployed in the 'West Europe' or 'North Europe' regions. - Every resource group must have a 'CostCenter' tag. - If a resource is deployed without a 'CostCenter' tag, it should automatically inherit the tag from its parent resource group. - These rules must be applied centrally and automatically to all new and existing subscriptions. Which THREE components should you include in your governance design? (Select THREE)

A company has a critical Azure SQL Database hosting their ERP system. To prevent accidental deletion, an administrator applies a 'CanNotDelete' resource lock to the resource group containing the database. A developer with the 'Owner' RBAC role on the resource group attempts to delete the SQL Database. What will be the outcome, and why?

Your enterprise is adopting the Microsoft Cloud Adoption Framework (CAF) for Azure. You need to design an Azure Landing Zone architecture that provides a scalable, secure, and governed environment for new application workloads. The design must separate platform resources (like ExpressRoute and central firewalls) from application workloads. Which TWO management groups are standard components of the enterprise-scale Landing Zone architecture? (Select TWO)

A development team needs the ability to start and stop Azure Virtual Machines in a specific resource group. They should not be able to create new VMs, delete existing VMs, or modify network settings. You review the built-in Azure RBAC roles and find that none perfectly match these exact requirements. What should you do?

You are designing the Azure resource organization for a large enterprise. The enterprise has three main divisions: Retail, Manufacturing, and Finance. The Finance division requires strict compliance policies (e.g., PCI-DSS) that must not affect the other divisions. The Retail and Manufacturing divisions share common security policies. All divisions must inherit a baseline set of corporate policies (e.g., allowed regions). How should you design the Management Group hierarchy?

Your company is expanding its Azure footprint to Europe. Due to strict GDPR requirements, you must ensure that no Azure resources can be deployed outside of the 'West Europe' and 'North Europe' regions for a specific set of subscriptions. You need to design a governance solution to enforce this requirement. The solution must automatically prevent non-compliant deployments and provide a dashboard showing compliance status. Which TWO components should you include in your design? (Select TWO)

You are designing a resource tagging strategy for your Azure environment. The finance team requires a 'CostCenter' tag on all Resource Groups. Furthermore, they require that all resources deployed within those Resource Groups automatically inherit the 'CostCenter' tag and its value from the parent Resource Group, without requiring developers to manually add the tag during deployment. Which Azure governance feature should you use?

Your organization is adopting an Azure Landing Zone architecture. You need to design a process for 'subscription vending'—rapidly provisioning new Azure subscriptions for application teams. Each new subscription must automatically have standard networking (VNet peering to a hub), security center standard tier enabled, and baseline RBAC roles assigned. Which approach provides the most scalable and repeatable solution?