A company has a management group hierarchy: Root > Europe > Production. They assign a policy at the Root level that denies creation of resources without a tag. Later, they assign a different policy at the Europe level. What is the effective effect on the Production subscription?
Policies assigned at different levels in the management group hierarchy all apply to child subscriptions.
Why this answer
Azure Policy is inherited by default from higher-level management groups down to subscriptions. When a policy is assigned at the Root management group, it applies to all child management groups and subscriptions, including the Production subscription. Assigning an additional policy at the Europe management group does not remove or override the Root-level policy; instead, both policies are evaluated and enforced, with the most restrictive effect taking precedence.
Therefore, the Production subscription is subject to both policies.
Exam trap
The trap here is that candidates often confuse Azure Policy inheritance with role-based access control (RBAC) inheritance, where a lower-level assignment can override a higher-level one, but Azure Policy is cumulative and does not support override behavior.
How to eliminate wrong answers
Option A is wrong because it assumes that a policy at a lower level (Europe) replaces higher-level policies, but Azure Policy inheritance is additive, not exclusive. Option B is wrong because it ignores the fact that the Europe-level policy is also inherited by the Production subscription, so both policies apply. Option D is wrong because Azure Policy does not support overriding; policies are cumulative, and if there is a conflict, the most restrictive effect (e.g., 'Deny' overrides 'Audit') is applied, but both policies remain in effect.