Domain 1.3: Governance

A global enterprise has 50 Azure subscriptions organized under a single root Management Group. They have three main business units: North America (NA), Europe (EU), and Asia Pacific (APAC). Due to strict GDPR compliance, the EU business unit must be absolutely restricted from deploying any resources outside of the 'West Europe' and 'North Europe' Azure regions. The NA and APAC units have no such restrictions. You need to design a governance solution that enforces this requirement with the least administrative effort. What should you do?

Your organization is implementing a chargeback model using Microsoft Cost Management. The finance department requires that every Azure resource be tagged with a 'CostCenter' tag. If a user attempts to create a resource without this tag, the deployment must be blocked. Furthermore, for existing resources missing the tag, the tag should be automatically added with a value of 'Unassigned'. Which THREE Azure Policy effects should you use to achieve this? (Select THREE)

You have an Azure Storage account containing critical compliance archives. You apply a 'ReadOnly' resource lock to the Storage account at the Azure Resource Manager (ARM) level. What is the effect of this lock on the data within the Storage account?

Your company is adopting Azure and needs to deploy 20 new subscriptions for various project teams. Each subscription must be provisioned with a standard set of role assignments, Azure Policies, and a core virtual network topology. You want to ensure this provisioning process is repeatable, version-controlled, and aligns with the Microsoft Cloud Adoption Framework. Which solution should you recommend?

An organization mandates that every new Azure Virtual Machine must have the Azure Monitor Agent (AMA) installed automatically upon creation to ensure compliance with monitoring standards. If a developer deploys a VM without the agent, the system should automatically install the agent without blocking the VM deployment process. Which Azure Policy effect should you use in your policy definition?

A multinational corporation is designing its Azure landing zone architecture. The company has 5 distinct Business Units (BUs). Requirements: 1. The Central IT team must enforce baseline security policies (e.g., requiring Microsoft Defender) across ALL subscriptions in the company. 2. Each BU must be able to manage its own resources and apply BU-specific policies. 3. Two of the BUs operate in the healthcare sector and must adhere to strict HIPAA compliance policies that do not apply to the other three BUs. You need to design a Management Group hierarchy. Which THREE actions should you include in your design? (Select THREE)

The finance department requires that all Azure resources be tagged with a 'CostCenter' tag for billing allocation. You need to ensure that if a user attempts to create a resource without the 'CostCenter' tag, the resource is created anyway, but the tag is automatically added with a default value of 'Unassigned'. Which Azure Policy effect should you use?

You are the Azure Architect for a company. A critical production Azure SQL Database is hosted in a resource group named `RG-Prod-DB`. To prevent accidental deletion, you apply a `CanNotDelete` resource lock to the `RG-Prod-DB` resource group. A database administrator, who has the 'Owner' RBAC role on the resource group, attempts to delete the Azure SQL Database. What will be the result of this action?

You are designing the resource organization strategy for a large enterprise. You plan to use Azure Management Groups to apply Azure Policy and RBAC across multiple subscriptions. What is the maximum depth of the management group hierarchy that you can design, excluding the Root management group and the subscription level?

Your company has an Azure environment with 10 subscriptions under a single Management Group named 'MG-Corp'. To control costs, the finance team requires that developers can only deploy specific, cost-effective Virtual Machine SKUs (e.g., D-series and B-series) across all subscriptions. If a developer attempts to deploy an expensive GPU-optimized VM (e.g., N-series), the deployment must be blocked immediately. Which governance solution should you implement?

You are implementing a resource tagging strategy for cost allocation. You create an Azure Policy that requires the tag 'CostCenter' on all Resource Groups. You assign this policy with the 'Modify' effect to your main subscription. After assigning the policy, you notice that newly created Resource Groups receive the tag automatically, but existing Resource Groups that were created before the policy assignment do not have the tag. Which TWO actions must you take to ensure existing Resource Groups get the tag? (Select TWO)

You are designing an Azure Landing Zone architecture for a multinational corporation. The company uses a 'Subscription Vending Machine' process to automatically provision new subscriptions for application teams. The security team requires that every new subscription automatically has Microsoft Defender for Cloud enabled, specific Azure Policies assigned, and a standard VNet deployed and peered to the central Hub VNet. Which Azure native approach provides the most scalable and declarative way to achieve this during the subscription creation process?

An enterprise has 100 Azure subscriptions across 5 business units. You need to ensure that all storage accounts created in any subscription are restricted to the 'Standard_GRS' SKU. The solution must automatically apply to any new subscriptions created in the future. What is the most efficient way to design this governance strategy?

Your company requires that all Azure resources be tagged with a 'CostCenter' tag. If a user attempts to create a resource without this tag, the resource creation must be blocked. Furthermore, you need to identify all existing resources that are missing this tag so they can be remediated. Which TWO Azure Policy effects should you use? (Select TWO)

You are designing an Azure Landing Zone for a highly regulated industry. You need to deploy a repeatable environment that includes specific Resource Groups, Role Assignments, Azure Policies, and ARM templates. The deployment must be version-controlled and track the compliance of the deployed environment over time. What should you recommend?

A critical production Azure SQL Database must be protected from accidental deletion by administrators. However, applications must still be able to read and write data to the database. Which feature should you implement?

CASE STUDY: Contoso migrating 500 servers to Azure. RTO 2h, RPO 15m, GDPR compliance, 10Gbps ExpressRoute required. QUESTION: Contoso has 20 subscriptions. You need to enforce ISO 27001 compliance across all subscriptions automatically. What should you use?

You need to ensure that a critical production Resource Group cannot be accidentally deleted by any administrator, even those with the Owner role. What should you apply?

You need to enforce a tagging strategy. If a user creates a resource without a 'CostCenter' tag, the system should automatically add the tag with a default value of 'Unassigned'. Which TWO components are required? (Select TWO)

You are designing a Management Group hierarchy for a global enterprise. What is the Microsoft-recommended primary driver for structuring Management Groups?