Microsoft Azure Architect Design (AZ-304) Practice Test

In a large Azure environment, to which scopes can Azure Policy definitions be assigned?

• A. management groups, subscriptions, Azure Active Directory (Azure AD) tenants
• B. resource groups, compute resources, Azure Active Directory (AD) administrative units
• C. management groups, subscriptions, resource groups
• D. management groups, Azure Active Directory (AD) administrative units, subscriptions

The correct answer is: management groups, subscriptions, Azure Active Directory (Azure AD) tenants

The correct answer provides a clear understanding of the assignment of Azure Policy definitions within an Azure environment. Azure Policy is a service that helps you manage and enforce organizational standards and assess compliance at various levels. The scopes where Azure Policy definitions can be assigned include management groups, subscriptions, and resource groups. Management groups allow resource organization beyond the subscription level, enabling policies to be applied broadly across multiple subscriptions. Subscriptions are key organizational structures in Azure, and applying policies at this level ensures that all resources within the subscription comply with defined rules. Resource groups provide another layer of policy application, allowing for control over the resources shared within a specific project or application context. By including Azure Active Directory (Azure AD) tenants or administrative units in the choice, it may incorrectly suggest areas not applicable for Azure Policy assignments. While Azure AD is crucial for identity management, it does not serve as a scope for policy definitions, focusing instead on resources under Azure’s resource management hierarchy, which does not include user or identity governance components. Thus, the correct answer reflects the viable scopes for implementing governance and compliance through Azure Policy, allowing organizations to maintain control and enforcement of rules effectively.