
Technical Lab: Configure management groups

Questions

Question 1 — Multiple Choice

An organization has the following structure in Azure:

  • Tenant Root Group
    • MG-Production
      • MG-FinanceUS
      • MG-FinanceBR
    • MG-Development

An administrator applies an Azure Policy directly to the MG-Production management group with a Deny effect. What is the expected behavior for subscriptions within MG-FinanceUS?

A) The policy does not apply, as policies only affect subscriptions directly associated with the group where they were defined.

B) The policy applies, as inheritance flows from the parent group to all child groups and descendant subscriptions.

C) The policy applies only if MG-FinanceUS does not have any policy of its own defined.

D) The policy applies, but can be overridden by an Audit effect policy defined in MG-FinanceUS.


Question 2 — Technical Scenario

An administrator attempts to move a subscription from the MG-Legacy management group to MG-Corporate using the following command:

az account management-group subscription add \
--name "MG-Corporate" \
--subscription "sub-id-xyz"

The operation fails with a permission error, even though the administrator has the Contributor role in both management groups. What is the most likely cause of the failure?

A) The command is incorrect; the correct syntax requires the --source-group parameter to specify the source group.

B) The Contributor role does not grant permission to move subscriptions between management groups; this operation requires the Management Group Contributor role or higher on the destination group and Owner on the subscription.

C) Subscriptions can only be moved between management groups through the Azure portal; CLI operations are not supported for this action.

D) The administrator needs to remove the subscription from the MG-Legacy group before adding it to MG-Corporate in a separate operation.


Question 3 — True or False

A management group can contain both other management groups and Azure subscriptions at the same hierarchical level. Therefore, it is possible for a subscription to be a direct member of two distinct management groups simultaneously, as long as both belong to the same tenant.


Question 4 — Technical Scenario

A governance team needs to ensure that no regions outside of Brazil South and East US are used to create resources across all company subscriptions. The company has 47 subscriptions organized under a single corporate root management group called MG-Company. The analyst proposes the following approach:

Manually apply a region restriction policy to each of the 47 subscriptions individually, to avoid having a policy at the root group affect future sandbox subscriptions that will be created outside this group.

What is the main problem with this approach?

A) There is no problem; this is the recommended approach when granular control per subscription is desired.

B) The approach ignores that new subscriptions added to MG-Company will not automatically inherit the policy, requiring recurring manual reconfiguration, while a policy on the management group would cover all descendant subscriptions automatically.

C) Region restriction policies cannot be applied at the subscription level; they must be defined at management groups.

D) The number of subscriptions exceeds the supported limit for manual policy application via portal, making the operation technically unfeasible.


Question 5 — Multiple Choice

Which of the statements below correctly describes a limit or fixed behavior of the management groups hierarchy in Azure?

A) The Tenant Root Group can be deleted and recreated by a Global Administrator if the structure needs to be reorganized from scratch.

B) A tenant supports up to 10,000 management groups, with a maximum depth of six levels below the Tenant Root Group, not counting the subscription level.

C) Free Trial type subscriptions cannot be associated with management groups and always remain directly under the Tenant Root Group.

D) Each management group can contain a maximum of 100 directly associated subscriptions, regardless of the number of child groups.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Explanation:

  • Policy inheritance in management groups flows top-down through the hierarchy. A policy applied to MG-Production is automatically inherited by all child groups (MG-FinanceUS, MG-FinanceBR) and by all subscriptions and resources contained within them.
  • Alternative A describes a behavior that doesn't exist: scope isolation doesn't work this way in management groups.
  • Alternative C confuses inheritance behavior with the concept of precedence. The absence of an own policy is not a condition for inheritance to occur.
  • Alternative D represents a common misconception: an Audit effect policy at a child level does not replace or block a Deny effect policy inherited from the parent. Effects don't cancel each other through hierarchy; the most restrictive effect prevails in the combined evaluation.

Answer Key — Question 2

Answer: B

Explanation:

  • Moving subscriptions between management groups is a privileged operation that requires specific permissions: Microsoft.Management/managementGroups/write on the destination group and Microsoft.Management/managementGroups/subscriptions/write on the subscription. The Management Group Contributor role covers the group; the Owner role covers the subscription.
  • The Contributor role is a data plane role that does not include organizational structure management permissions like subscription movement.
  • Alternative A is false: the az account management-group subscription add command is syntactically correct and doesn't require a --source-group parameter.
  • Alternative C is false: movement operations via CLI are fully supported.
  • Alternative D is false: it's not necessary to remove before adding; the move operation is atomic from Azure's perspective when permissions are correct.

Answer Key — Question 3

Answer: False

Explanation:

  • A subscription in Azure belongs to exactly one management group at a time. There is no multiple or shared association between different management groups, even within the same tenant.
  • This behavior is intentional: the management groups hierarchy is a tree, not a graph. Each node (group or subscription) has a single parent, which ensures that policy and RBAC inheritance is deterministic and unambiguous.
  • The misconception represented by the statement confuses the freedom to move a subscription between groups with the possibility of it belonging to multiple groups simultaneously, which is never the case.

Answer Key — Question 4

Answer: B

Explanation:

  • The main problem is operational and governance scalability: applying policies individually to 47 subscriptions creates a manual process that doesn't scale and is prone to inconsistencies. More importantly, new subscriptions added to the tenant in the future will not automatically inherit the restriction.
  • The concern about sandbox subscriptions is legitimate, but the correct solution is to organize these subscriptions in a separate management group (e.g., MG-Sandbox) and exclude them from the policy scope, not give up on centralized policy.
  • Alternative A ignores maintenance risks and the lack of automatic coverage for new subscriptions.
  • Alternative C is false: location policies can be applied at subscriptions, management groups, and resource group levels.
  • Alternative D is false: there is no technical limit preventing manual policy application to 47 subscriptions via portal or CLI.
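The inheritance rules behind the Question 1, 3 and 4 explanations, as an added Python model that is not part of the lab: each scope has exactly one parent, an assignment reaches every descendant of its scope unless a notScopes exclusion sits on the path, and the most restrictive effect wins. Subscription names and the placement of MG-Sandbox as a child of MG-Company are assumptions made for the example.

```python
from dataclasses import dataclass

# Effect ranking for combined evaluation: an Audit assigned lower in the
# tree never cancels a Deny inherited from above; the strongest prevails.
SEVERITY = {"Audit": 1, "Deny": 2}

@dataclass(eq=False)
class Scope:
    """A management group or subscription: one parent, so a tree, not a graph."""
    name: str
    parent: "Scope | None" = None

    def chain(self):
        # This scope followed by every ancestor up to the Tenant Root Group.
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out

@dataclass(eq=False)
class Assignment:
    scope: Scope
    effect: str
    not_scopes: tuple = ()  # mirrors the assignment's notScopes exclusions

def effective_effect(scope, assignments):
    """Strongest effect reaching `scope` after inheritance and exclusions."""
    chain = scope.chain()
    reaching = [a.effect for a in assignments
                if a.scope in chain                                 # on this branch
                and not any(x in chain for x in a.not_scopes)]      # not carved out
    return max(reaching, key=SEVERITY.get, default=None)

def question1():
    # Deny on MG-Production, Audit on MG-FinanceUS: the subscription still gets Deny.
    root = Scope("Tenant Root Group")
    prod, dev = Scope("MG-Production", root), Scope("MG-Development", root)
    fin_us = Scope("MG-FinanceUS", prod)
    sub_fin, sub_dev = Scope("sub-finance-us", fin_us), Scope("sub-dev", dev)
    policies = [Assignment(prod, "Deny"), Assignment(fin_us, "Audit")]
    return effective_effect(sub_fin, policies), effective_effect(sub_dev, policies)

def question4():
    # One assignment on MG-Company covers the 47 subscriptions and any added later.
    root = Scope("Tenant Root Group")
    company = Scope("MG-Company", root)
    sandbox = Scope("MG-Sandbox", company)          # assumed child of MG-Company
    existing = [Scope(f"sub-{i:02d}", company) for i in range(47)]
    policy = [Assignment(company, "Deny", not_scopes=(sandbox,))]
    new_sub = Scope("sub-new", company)             # created later: still inherits
    sandbox_sub = Scope("sub-sandbox", sandbox)     # carved out by notScopes
    covered = sum(effective_effect(s, policy) == "Deny" for s in existing + [new_sub])
    return covered, effective_effect(sandbox_sub, policy)
```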

Answer Key — Question 5

Answer: B

Explanation:

  • Azure supports up to 10,000 management groups per tenant, with a maximum depth of six levels below the Tenant Root Group (not counting the Root Group itself, nor the subscription level). This is a documented and fixed platform limit.
  • Alternative A is false: the Tenant Root Group cannot be deleted. It is automatically created by Azure and represents the absolute root of the tenant. Its existence is mandatory and permanent.
  • Alternative C is false: subscriptions of any type, including Free Trial, can be associated with management groups, as long as the user has the necessary permissions.
  • Alternative D is false: there is no limit of 100 subscriptions per management group. The actual limit is 10,000 management groups total per tenant, but the number of subscriptions per group is not limited in this fixed way.