AZ-305 · Question #376
AZ-305 Question #376: Real Exam Question with Answer & Explanation
This question tests your understanding of Azure Policy definitions versus assignments, and how to scope policies to minimize administrative effort while targeting only specific subscriptions.
Question
Hotspot Question You have six Azure subscriptions in a management group. Each subscription contains two resource groups. Each resource group contains an Azure App Service instance. The App Service instances use app slots. You need to perform the following actions on three of the subscriptions: - Disable public network access for all the app slots. - Assign tags to all the App Service instances. The solution must meet the following requirements: - Ensure that the App Service instances in the remaining subscriptions are unaffected. - Minimize administrative effort. What is the minimum number of Azure Policy definitions and assignments required? To answer, select the appropriate options in the answer area. Answer:
Options
- __typehotspot
- variantdropdown
Explanation
This question tests your understanding of Azure Policy definitions versus assignments, and how to scope policies to minimize administrative effort while targeting only specific subscriptions.
Approach. You need 2 policy definitions: one to disable public network access for app slots, and one to assign tags to App Service instances. These are two distinct actions requiring two separate policy definitions. However, you need 6 policy assignments: each of the 2 policy definitions must be assigned 3 times (once per targeted subscription), because scoping each assignment to a specific subscription ensures the remaining 3 subscriptions are unaffected. Assigning at the management group level would affect all 6 subscriptions, so per-subscription assignment is required. Therefore: Definitions = 2, Assignments = 6.
Concept tested. Azure Policy definitions are reusable blueprints that define what to enforce, while assignments determine WHERE (scope) the policy is applied. A single definition can be assigned multiple times at different scopes. To target only 3 of 6 subscriptions without affecting the rest, you cannot assign at the management group level - you must assign each definition individually at each of the 3 subscriptions, resulting in 3 assignments per definition × 2 definitions = 6 total assignments. Combining both actions into one initiative/definition is not possible since they address different resource types (app slots vs App Service instances), confirming 2 definitions are the minimum.
Reference. https://learn.microsoft.com/en-us/azure/governance/policy/overview
Topics
Community Discussion
No community discussion yet for this question.