An operations team must apply three related policies to all subscriptions in a department: require a cost-center tag, allow only approved locations, and block certain VM SKUs. They want to assign and track these rules as one unit. What should they create?

A single Azure Policy definition containing all three rules.

A single policy definition is not the usual way to package multiple independent rules. A policy initiative is the proper construct for grouping related policies.

A management group with no policy assignments.

A management group is a scope container, not a packaged set of compliance rules. It can hold the assignment, but it is not the object that groups the policies themselves.

An RBAC custom role with deny permissions.

RBAC roles do not enforce configuration compliance in the way policies do, and they are not used to combine multiple policy checks into one assignable package.

What does this AZ-104 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: An Azure Policy initiative. — An Azure Policy initiative is the right answer because it bundles multiple policy definitions into a single assignable unit. The team can then apply the initiative to the departmental scope and track compliance centrally, instead of managing three separate assignments. This is especially useful when one governance package includes tagging, allowed locations, and SKU restrictions together. Why others are wrong: A single policy definition is not the normal way to combine unrelated compliance controls. A management group can be a scope, but it does not itself package policies. RBAC custom roles are for permissions, not compliance enforcement, so they cannot replace an initiative for this requirement.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.