A company has a root management group that contains all Azure subscriptions. A centralized governance team needs to create and assign Azure Policy definitions and initiatives (policy sets) that apply to all subscriptions. Which built-in role should be assigned to the governance team at the root management group scope to grant the minimum required permissions?
Policy Contributor is designed specifically for managing Azure Policy resources. It allows creating, updating, and deleting policy definitions, initiatives, and assignments. At the root management group scope, this role enables policy governance across all subscriptions without granting broader management capabilities.
Why this answer
The Policy Contributor built-in role grants the minimum required permissions to create and assign Azure Policy definitions and initiatives, including the ability to read policy assignments and manage policy resources, without granting full write access to all resources. Assigning this role at the root management group scope ensures the governance team can apply policies across all subscriptions while adhering to the principle of least privilege.
Exam trap
The trap here is that candidates often confuse the Contributor role (which can manage resources but not policies) with the Policy Contributor role, or assume that Owner is required because policy assignments affect all resources. Azure provides a dedicated built-in role specifically for policy management, so neither of the broader roles is needed, and choosing one of them violates least privilege.
How to eliminate wrong answers
Option A is wrong because the Owner role grants full administrative access to all resources, including the ability to delete or modify any resource, which far exceeds the minimum permissions needed for policy management and violates least privilege. Option B is wrong because the Contributor role allows creating and managing all types of Azure resources but does not include the specific permissions required to create or assign Azure Policy definitions and initiatives, such as Microsoft.Authorization/policyAssignments/write.
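To make the least-privilege argument concrete, the following is an added Python model (not from the original page) of how Azure RBAC decides an operation: it is permitted when some Actions entry matches and no NotActions entry does. The role permission lists are constructed, simplified subsets of the built-in definitions (the policy role is listed in Azure as Resource Policy Contributor), and PROBE_OPS is an assumed probe set used only to compare how much each role hands out.

```python
import fnmatch

# Constructed, simplified subsets of the Azure built-in role definitions
# (assumption: only the entries relevant to this question; the real roles,
# Contributor especially, list more NotActions).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write"],
    },
    "Policy Contributor": {
        "Actions": ["*/read",
                    "Microsoft.Authorization/policyAssignments/*",
                    "Microsoft.Authorization/policyDefinitions/*",
                    "Microsoft.Authorization/policySetDefinitions/*",
                    "Microsoft.PolicyInsights/*"],
        "NotActions": [],
    },
}

# What the governance team must be able to do.
REQUIRED_OPS = ["Microsoft.Authorization/policyDefinitions/write",
                "Microsoft.Authorization/policySetDefinitions/write",
                "Microsoft.Authorization/policyAssignments/write"]

# Constructed probe set: measures how much else a role grants beyond the requirement.
PROBE_OPS = REQUIRED_OPS + ["Microsoft.Resources/subscriptions/read",
                            "Microsoft.Authorization/roleAssignments/write",
                            "Microsoft.Compute/virtualMachines/delete",
                            "Microsoft.Storage/storageAccounts/write"]

def _matches(pattern, operation):
    # RBAC action strings are case-insensitive and '*' spans '/' separators.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role_name, operation):
    """Effective permission: an Actions entry matches and no NotActions entry does."""
    role = ROLES[role_name]
    return (any(_matches(p, operation) for p in role["Actions"])
            and not any(_matches(p, operation) for p in role["NotActions"]))

def least_privilege_role(required_ops):
    """Of the roles granting every required op, return the one granting the fewest probe ops."""
    candidates = [r for r in ROLES if all(role_allows(r, op) for op in required_ops)]
    return min(candidates, key=lambda r: sum(role_allows(r, op) for op in PROBE_OPS))
```

Contributor fails the requirement because its Actions wildcard is cancelled by the Microsoft.Authorization/*/Write NotAction, while Owner passes but grants every probe; the narrowly scoped policy role is the only candidate that satisfies the requirement without the extra reach.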