
Technical Lab: Manage Subscriptions

Questions

Question 1 — Multiple Choice

An organization has three separate environments (development, staging, and production) and needs to ensure that the costs of each environment are tracked independently, without creating new Azure accounts. The FinOps team requires cost reports by environment and the ability to apply distinct policies to each one.

What is the most appropriate approach to meet these requirements within a single Azure account?

A) Create a separate subscription for each environment and organize them into distinct management groups

B) Use a single subscription with distinct resource groups per environment and apply cost tags

C) Create multiple Microsoft Entra ID tenants, one per environment, and link each one to a subscription

D) Use Azure Cost Management to create "views" per environment within a single subscription without structural separation


Question 2 — Technical Scenario

An administrator needs to ensure that all resources created in a production subscription are deployed only in the brazilsouth and eastus regions. They apply the following Azure Policy to the subscription:

{
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": ["brazilsouth", "eastus"]
      }
    },
    "then": {
      "effect": "deny"
    }
  }
}

After applying it, a developer tries to create a Microsoft.Resources/resourceGroups resource in the westus region and the operation is successful. What is the correct explanation for this behavior?

A) The policy was applied with incorrect scope; it should be at the resource group level, not the subscription

B) The deny effect doesn't apply to resource groups; only audit is supported for this resource type

C) Resource groups have the location field only as convenience metadata, and some policies don't evaluate this resource type without an explicit type condition

D) The policy only takes effect after the next evaluation cycle, which occurs every 24 hours for new assignments


Question 3 — True or False

An Azure Policy with the append effect applied to a subscription prevents the creation of resources that don't meet the defined condition, in the same way as the deny effect.


Question 4 — Technical Scenario

A company acquired another organization and needs to move the acquired company's subscriptions to their own Microsoft Entra ID tenant. The administrator initiates the subscription transfer process between tenants.

Which of the following consequences should be considered as a direct and immediate impact of this operation?

A) All subscription resources are deleted and need to be recreated in the destination tenant

B) Existing role assignments (RBAC) in the subscription are permanently removed and need to be reconfigured

C) Azure policies assigned to the subscription are automatically migrated along with it

D) Resource managed identities are preserved, as they are tied to the resource, not the tenant


Question 5 — Multiple Choice

An architect needs to structure the Azure environment for a holding company with 12 subsidiaries. Each subsidiary should have autonomy to manage their own resources, but the holding needs to apply security and compliance policies centrally across all of them, without having to manually replicate configurations.

Which structure best meets this model?

A) One subscription per subsidiary, without additional hierarchy, with policies applied individually to each subscription

B) A root management group with child management groups per subsidiary, policies applied at the root level and subscriptions grouped by subsidiary

C) A single resource group per subsidiary within a shared subscription, with policies applied per resource group

D) One Microsoft Entra ID tenant per subsidiary, with one subscription per tenant and policies synchronized via Azure Arc


Answer Key and Explanations

Answer Key — Question 1

Answer: A

Subscriptions are the natural boundary for cost isolation, policies, and access control in Azure. When the requirement combines independent cost tracking with applying distinct policies per environment, creating separate subscriptions is the correct approach, as each subscription has its own billing context and accepts independent policy assignments.

Alternative B is the most common mistake: tags and resource groups allow cost filtering, but don't create real policy isolation. A policy applied to the subscription affects all resource groups within it, preventing distinct configurations per environment without complex workarounds.

Alternative C introduces unnecessary identity complexity and doesn't solve the billing or policy problem natively. Alternative D describes a visualization feature, not structuring, and doesn't meet the distinct policies requirement.

Answer Key — Question 2

Answer: C

The location field of a Microsoft.Resources/resourceGroups resource is treated as informative metadata and doesn't follow the same policy evaluation cycle as common resources. The policy defined in the statement doesn't include a condition on the type field, which means it evaluates all resources, but the practical application of the deny effect on resource groups depends on the policy evaluator's internal behavior for this specific type.

The key point is that location policies frequently require the resource type to be explicitly considered or the condition to use field: location combined with type restrictions to reliably cover resource groups.

Alternative A is wrong because applying the policy to the subscription is exactly the correct scope to cover all resources within it. Alternative B is incorrect; the deny effect is supported for resource groups. Alternative D confuses the compliance evaluation cycle (which is periodic) with the real-time application of the deny effect at creation time, which is immediate.
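
A definition that carries the explicit type condition described above, as an added example that is not part of the original lab. It assumes the type string Azure Policy uses for resource groups (Microsoft.Resources/subscriptions/resourceGroups) and mode "All" so that resource groups are evaluated; the parameter name allowedLocations and the display text are illustrative.

```json
{
  "properties": {
    "displayName": "Allowed locations for resource groups (constructed example)",
    "description": "Added illustration: denies resource groups created outside the allowed regions.",
    "mode": "All",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": ["brazilsouth", "eastus"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigned at the subscription alongside the original location rule, this covers the resource group case the scenario exposed, while the original rule continues to cover the resources inside the groups.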

Answer Key — Question 3

Answer: False

The append effect doesn't block resource creation. It adds fields or values to a resource during its creation or update, such as including a mandatory tag or a missing configuration field. The behavior is additive, not restrictive. Only the deny and denyAction effects explicitly prevent operations. Confusing append with deny is a relevant conceptual error, as using append when the goal is to block results in non-compliant resources being created with added fields, which is the opposite of the desired control.
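
The additive behavior described above, as an added example that is not part of the original lab: an append rule that supplies a missing tag instead of rejecting the request. The tag name environment and the value unassigned are constructed for illustration.

```json
{
  "properties": {
    "displayName": "Append environment tag when missing (constructed example)",
    "description": "Added illustration: the request is accepted and the tag is added; nothing is blocked.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "field": "tags['environment']",
        "exists": "false"
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "tags['environment']",
            "value": "unassigned"
          }
        ]
      }
    }
  }
}
```

With the same condition and the then block reduced to "effect": "deny" (no details), the untagged resource would be rejected at creation instead of being created with the tag filled in.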

Answer Key — Question 4

Answer: B

When a subscription is transferred between Microsoft Entra ID tenants, all role assignments (RBAC) are permanently removed. This occurs because role assignments are linked to identities (object IDs) from the source tenant, which don't exist in the destination tenant. The administrator must reconfigure all access after the transfer.

Alternative A is wrong: resources aren't deleted; they continue to exist in the subscription. Alternative C is wrong: policies assigned to the subscription aren't automatically migrated and need to be reapplied. Alternative D is the most dangerous distractor: managed identities are tied to the tenant, not just the resource. When moving the subscription, managed identities are deleted and need to be recreated and reassigned to resources in the new tenant.

Answer Key — Question 5

Answer: B

Management groups were created exactly for this scenario: applying centralized governance across multiple subscriptions without manual replication. Policies and role assignments applied to a parent management group are inherited by all child management groups and subscriptions within it. The hierarchical structure allows the holding to apply controls at the root level while each subsidiary maintains autonomy within their own subscription.

Alternative A is the classic antipattern: it works, but doesn't scale and requires manual maintenance on each subscription. Alternative C doesn't offer real isolation between subsidiaries and mixes resources in a single billing and policy context. Alternative D introduces unnecessary multi-tenant complexity without justified benefit; Azure Arc is aimed at managing resources outside Azure, not for structuring subsidiaries within it.