
Azure management groups allow administrators to organize multiple subscriptions and apply governance policies such as Azure Policy and RBAC across a hierarchy. Policies assigned at a higher-level management group are inherited by all child management groups and subscriptions beneath it. When two or more policies conflict, Deny policies always override Allow policies as per Microsoft’s official documentation (Microsoft Learn: Azure Policy Overview – Inheritance and Enforcement Logic).
In this question:
Because Subscription2 resides under ManagementGroup12, it inherits the allowed policy. Subscription1, however, resides under ManagementGroup21, which is a child of ManagementGroup11; both of those management groups fall under the Tenant Root Group, so Subscription1 inherits the deny rule.
✅ Conclusion:
Subscription1 → Denied (inherits “Not allowed resource types: virtualNetworks”)
Subscription2 → Allowed (inherits “Allowed resource types: virtualNetworks”)
Creating Resources
In Subscription1, you cannot create a virtual network due to the deny policy from the Tenant Root Group.
In Subscription2, you can create a virtual machine, as no deny policy prevents it.
Moving Subscriptions
According to Azure governance hierarchy rules, subscriptions can be moved between management groups if the user has proper RBAC permissions (Owner or User Access Administrator). There are no policy restrictions preventing Subscription1 from being moved from ManagementGroup21 to ManagementGroup11, as this is within the same management group hierarchy.
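The inheritance and move behaviour described above, as an added model (not code from the original answer and not an Azure SDK): scope names are the ones in the question, the deny assignment sits at the Tenant Root Group as stated above, and the allowed-list assignment is deliberately left out of the model as a simplification.

```python
# Added example: a minimal model of Azure Policy inheritance down a
# management-group hierarchy. Assignments are cumulative along the ancestor
# chain, so a deny inherited from above cannot be undone by a child scope.
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    parent: "Scope | None" = None
    # resource types denied by assignments made directly at this scope
    denied_types: set[str] = field(default_factory=set)


def ancestry(scope: Scope) -> list[Scope]:
    """Return the scope followed by every ancestor up to the Tenant Root Group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    return chain


def effective_denies(scope: Scope) -> set[str]:
    """Union of deny assignments at the scope and at every ancestor."""
    denied: set[str] = set()
    for s in ancestry(scope):
        denied |= s.denied_types
    return denied


def can_create(scope: Scope, resource_type: str) -> bool:
    """Creation succeeds only if no effective assignment denies the type."""
    return resource_type not in effective_denies(scope)


def move_subscription(sub: Scope, target_mg: Scope) -> None:
    """Moving re-parents the subscription; its effective policies change with it."""
    sub.parent = target_mg


# Hierarchy as described in the answer (constructed from the question's names).
root = Scope("Tenant Root Group", denied_types={"Microsoft.Network/virtualNetworks"})
mg11 = Scope("ManagementGroup11", root)
mg21 = Scope("ManagementGroup21", mg11)
mg12 = Scope("ManagementGroup12", root)
sub1 = Scope("Subscription1", mg21)
sub2 = Scope("Subscription2", mg12)

if __name__ == "__main__":
    print(can_create(sub1, "Microsoft.Network/virtualNetworks"))   # False
    print(can_create(sub2, "Microsoft.Compute/virtualMachines"))    # True
    move_subscription(sub1, mg11)                                   # still under the root deny
    print(can_create(sub1, "Microsoft.Network/virtualNetworks"))   # False
```

The last step shows why moving Subscription1 to ManagementGroup11 changes nothing about the virtual network deny: both the old and new parent sit beneath the Tenant Root Group, so the inherited assignment still applies.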
Final Verified Answer (as per Microsoft Azure Administrator Documentation):
| Statement | Answer |
|---|---|
| You can create a virtual network in Subscription1 | ❌ No |
| You can create a virtual machine in Subscription2 | ✅ Yes |
| You can move Subscription1 to ManagementGroup11 | ✅ Yes |
Official Microsoft Azure Reference (Document Extract Summary):
“Azure Policy effects are inherited by all child resources. A ‘deny’ effect from a parent management group overrides any ‘allow’ effects from descendant scopes. Policies at higher scopes take precedence in conflicts.”
“Subscriptions can be moved between management groups within the same hierarchy when permissions are sufficient.”
(Source: Microsoft Learn — Azure Policy Overview, Management Groups Overview, and RBAC Permissions for Governance Management)