What Are the Different Scope Levels for Assigning Azure Policies?
Ace your AZ-500 exam by understanding the different levels where Azure Policies can be assigned. Learn how policies are targeted at management groups, subscriptions, and resource groups, and how inheritance works across the Azure hierarchy to enforce compliance on individual resources.
Question
You can configure Azure policies to target the following levels:
A. Management Groups
B. Subscription and Resource Groups
C. Resources
D. All of these
Answer
D. All of these
Explanation
The correct answer is D. Azure Policy assignments are designed to be hierarchical and can be applied at all the listed scopes: management groups, subscriptions, resource groups, and by extension, they are evaluated against individual resources.
Azure policies can be applied to Management Groups, subscriptions, resource groups, and resources.
Azure Policy Hierarchy and Inheritance
Azure Policy operates on a principle of inheritance. When a policy is assigned at a parent scope, it is automatically inherited by all child scopes. This hierarchical structure is fundamental to applying governance at scale across an organization.
Management Groups
This is the highest level in the Azure governance hierarchy, sitting above subscriptions. Assigning a policy at the management group level is the most efficient way to enforce organizational standards across multiple subscriptions. For example, you could create a policy at the root management group to restrict resource creation to specific geographic regions, and this rule would apply to every subscription within your organization.
Subscriptions
A subscription is a common scope for policy assignments. Policies applied at the subscription level are inherited by all resource groups and resources within that subscription. This is useful for applying standards that are specific to a certain environment (e.g., production vs. development) or a business unit. For example, a policy could be assigned to a development subscription to enforce the use of lower-cost VM SKUs.
Resource Groups
Assigning a policy to a resource group provides more granular control. The policy will apply to all resources contained within that specific resource group. This is ideal for project-specific or application-specific governance, such as requiring a specific tag for all resources related to a single application.
Resources
While policy assignments are typically made at the management group, subscription, or resource group level, the policies themselves are ultimately evaluated against individual resources. In this sense, resources are the final target of a policy’s effect. Furthermore, you can create exemptions at the resource scope, which allows a specific resource to bypass a policy inherited from a higher level. This ability to exempt a single resource demonstrates that policies can be configured to target down to the individual resource level.
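The inheritance and exemption behaviour described above, modelled in Python as an added example (it is not from the original page and does not call any Azure API). The subscription ID, management group names, assignment names and the `sub_to_mgs` ancestry map are constructed assumptions, and exemptions are simplified to a (scope, assignment name) pair.

```python
# Added example: models Azure Policy scope inheritance and resource-level exemptions.
# Every ID, name and assignment below is constructed sample data.
MG = "/providers/Microsoft.Management/managementGroups/"

def scope_chain(resource_id, sub_to_mgs):
    """Return every scope a resource inherits from, broadest first.

    sub_to_mgs (assumption) maps a subscription ID to its management group
    ancestry, root first; that ancestry is not encoded in the resource ID.
    """
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an ID starting with /subscriptions/<id>")
    sub = parts[1]
    chain = [MG + mg for mg in sub_to_mgs.get(sub, [])]
    chain.append("/subscriptions/" + sub)
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append(chain[-1] + "/resourceGroups/" + parts[3])
    if len(parts) > 4:
        chain.append("/" + "/".join(parts))  # the individual resource
    return chain

def effective_assignments(resource_id, assignments, exemptions, sub_to_mgs):
    """Names of the assignments that are evaluated against resource_id."""
    # Resource IDs are compared case-insensitively.
    chain = [s.lower() for s in scope_chain(resource_id, sub_to_mgs)]
    # An exemption covers its own scope and everything beneath it.
    exempt = {name for scope, name in exemptions if scope.lower() in chain}
    return [name for scope, name in assignments
            if scope.lower() in chain and name not in exempt]

# Constructed sample hierarchy: root MG -> dev MG -> subscription -> app1-rg -> VMs
SUB = "00000000-0000-0000-0000-000000000001"
SUB_TO_MGS = {SUB: ["contoso-root", "contoso-dev"]}
RG = "/subscriptions/" + SUB + "/resourceGroups/app1-rg"
ASSIGNMENTS = [
    (MG + "contoso-root", "allowed-locations"),       # management group scope
    ("/subscriptions/" + SUB, "allowed-vm-skus"),     # subscription scope
    (RG, "require-app-tag"),                          # resource group scope
    ("/subscriptions/" + SUB + "/resourceGroups/other-rg", "other-rg-only"),
]
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm2"
EXEMPTIONS = [(VM2, "allowed-vm-skus")]               # exemption at resource scope

if __name__ == "__main__":
    for vm in (VM1, VM2):
        print(vm.rsplit("/", 1)[1], effective_assignments(vm, ASSIGNMENTS, EXEMPTIONS, SUB_TO_MGS))
```
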