Describe Azure management and governance

A company has multiple Azure subscriptions for different departments. They want to enforce consistent policies across all subscriptions regarding allowed virtual machine sizes and require compliance reporting. Which Azure feature should they use?

A company uses Azure and wants to ensure that their IT team receives alerts when virtual machines are deallocated unexpectedly. Which Azure service should they use to create a rule that triggers an action when a VM is deallocated?

A company needs to track and optimize costs across multiple Azure subscriptions. They want to allocate budgets and receive notifications when spending exceeds forecasted amounts. Which Azure tool should they use?

A global company wants to organize its Azure resources by department and project. They need to enforce cost allocation and apply governance policies consistently across all subscriptions. Which two Azure features should they use together? (Select two.)

A company wants to ensure that all new Azure resources in a subscription are automatically tagged with a 'Department' tag. Which Azure service should they use to enforce this requirement?

A company has multiple Azure subscriptions for different departments. They want to receive budget alerts when spending in any subscription exceeds 80% of the allocated amount. Which Azure feature enables them to set up these alerts?

A company wants to ensure that whenever a new Azure subscription is created, it automatically inherits a set of baseline policies, role assignments, and resource groups. Which Azure tool should they use to package and deploy these governance components consistently?

A company uses Azure Resource Manager templates to deploy and manage infrastructure. They need to ensure that resources are deployed in a consistent, repeatable manner across environments. Which two benefits does using ARM templates provide? (Choose two.)

A company wants to deploy a standardized environment that includes Azure Policy assignments, RBAC roles, and resource group templates. They need to version these components and apply them to multiple subscriptions. Which Azure service should they use?

A company has multiple Azure subscriptions. The finance team needs to analyze spending trends and create budgets to prevent cost overruns. Which Azure tool should they use to visualize historical spending and set budget alerts?

A company uses Azure Policy to enforce that all virtual machines must be from an approved list of SKUs. They want to ensure that any non-compliant VMs that already exist are automatically remediated by changing the VM size to a compliant SKU. Which policy effect should they use?

A company has a critical Azure resource group that contains production resources. They want to ensure that no one can accidentally delete or modify the resources in this group, even if they have Contributor permissions. Which Azure feature should they use?

A company wants to receive notifications when Azure services in their region experience an outage or planned maintenance that might affect their resources. Which Azure service should they set up alerts for?

A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?

A company has multiple Azure subscriptions. The IT team wants to apply common policies and role assignments across all subscriptions automatically when a new subscription is created. Which Azure service should they use?

A company wants to track resource usage across departments and projects. They have multiple Azure subscriptions. They need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?

A company has a policy that requires all storage accounts to have secure transfer enabled. They want to automatically audit all existing storage accounts and enforce the setting on new ones. They also want to automatically fix non-compliant new storage accounts. Which Azure Policy effect combination should they use?

A company uses Azure Resource Manager templates to deploy infrastructure. They need to manage secrets such as database connection strings and passwords securely. Which Azure service should they use to store and retrieve these secrets during deployment?

A company manages multiple Azure subscriptions for different business units. They want to define a standard set of policies, such as allowed VM SKUs and required resource tags, and ensure these policies are always applied whenever a new subscription is created. Which Azure feature should they use to enforce governance at this level?

A company uses Azure Policy to require that all storage accounts must have blob soft delete enabled. They also want to automatically create a remediation task that fixes any existing non-compliant storage accounts. Which policy effect should they include in the policy definition to achieve automatic remediation?

A company has a policy that all Azure resources deployed to production subscriptions must be tagged with a 'CostCenter' tag. They want to automatically prevent the creation of any resource that does not include this tag. Which Azure Policy effect should they use in their policy definition?

A company wants to analyze historical spending data across all Azure subscriptions and set proactive budget alerts to prevent cost overruns. They also need to identify spending trends by resource type. Which Azure tool should they use to meet all these requirements?

A company has an Azure policy requirement that all new resources in a specific resource group must have a 'Department' tag. If a resource is created without this tag, the tag should be automatically added with a default value of 'Finance'. Which Azure Policy effect should be used?

A company has multiple Azure subscriptions for different departments. The IT team wants to apply a common set of policies (e.g., allowed VM sizes) and assign the same role-based access control (RBAC) permissions across all subscriptions automatically. Which Azure feature should they use?

A company wants to track spending across different projects. They have multiple Azure subscriptions and need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?

A company has multiple Azure subscriptions for different departments. The IT team wants to ensure that all resources in a specific subscription are only deployed in the 'West Europe' region. Which Azure feature should they use to enforce this restriction?

A company wants to track costs by department across multiple Azure subscriptions. They have tagged resources with 'Department' tags. However, some resources are missing tags. They want to see a report of costs grouped by department, including untagged resources. Which Azure tool should they use?

A company wants to enforce a naming convention for all Azure resources. For example, all resources must start with 'Contoso-'. They want to automatically audit and deny creation of resources that do not follow the naming convention. Which Azure Policy effect should they use?

A company uses Azure Blueprints to define a repeatable set of Azure resources and policies for new subscriptions. They want to ensure that when a new subscription is created, a specific role assignment is automatically applied. What should they include in the blueprint definition?

A company has a policy that all Azure resources must have an 'Owner' tag. They want to automatically add the 'Owner' tag with a value 'Default' to any resource created without it. Which Azure Policy effect should they use?

A company wants to view a consolidated list of all Azure resources across multiple subscriptions and query them using Kusto Query Language (KQL). Which Azure tool should they use?

A company has a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically audit and deny the creation of any resource that does not include this tag. Which Azure Policy effect should they use?

A company uses Azure Policy to require encryption on storage accounts. They want to automatically deploy an encryption extension to any new storage account that does not have it enabled, without manual intervention. Which policy effect should they use?

A company wants to set monthly spending limits for each department and receive alert emails when spending reaches 80% of the budget. Which Azure tool should they use?

An IT administrator needs to query all Azure resources across multiple subscriptions to find all virtual machines that were created in the last 30 days. They want to use a powerful query language. Which Azure service should they use?

A company needs to enforce compliance by deploying a standard set of Azure resources, policies, and RBAC assignments for each new development subscription. They want to define this environment as a repeatable package. Which Azure service should they use?

A company has multiple Azure subscriptions for different development teams. They need to define a repeatable environment that includes a set of Azure policies, role assignments, and resource templates that must be applied to any new subscription created for a project. Which Azure service should they use?

A company's finance team needs to track Azure costs by project. Each resource is tagged with a 'Project' tag, but some resources were created without tags. The finance team wants to generate a report that shows costs grouped by project and also identifies untagged resources. Which Azure tool should they use?

A company wants to enforce that all Azure storage accounts must have encryption enabled. If a storage account is created without encryption, the policy should automatically enable encryption without manual intervention. Which Azure Policy effect should they use?

A company has a management group hierarchy: Root (tenant root group) > Contoso > Sales, Marketing. They want to assign an Azure policy that applies to all subscriptions under the Sales and Marketing management groups only. The policy must not affect any other subscriptions in the hierarchy. Where should they assign the policy?

A company needs to find all virtual machines that have the tag 'Environment:Production' and were created more than 6 months ago. They want to run a complex query across all subscriptions in their tenant. Which Azure tool should they use?

A company wants to ensure that all Azure resources are created within a specific set of approved regions. They want to automatically block any resource creation that is not in an approved region. Which Azure Policy effect should they use?

A company has multiple departments, each with its own Azure subscription. They want to apply the same set of policies and role assignments to all subscriptions under the Sales department. They also plan to create more subscriptions for Sales in the future. Which Azure construct should they use?

A company uses Azure Blueprints to define a standard environment for all new development subscriptions. The blueprint includes a set of Azure policies, role assignments, and resource templates. However, after applying the blueprint, some resources are created that do not comply with the policies. The company wants to be notified of these non-compliant resources without blocking their creation. Which Azure Policy effect should be used in the blueprint?

A company wants to query all Azure resources across multiple subscriptions to find all storage accounts without encryption enabled. They need to use a powerful query language to filter and join data. Which Azure tool should they use?

A company has an Azure Policy assigned to all subscriptions that denies creation of any resource without a 'CostCenter' tag. During an emergency, a team needs to create a resource without the tag. They want a temporary exception without changing the policy. What should they create?

A company has multiple Azure subscriptions for different projects. They want to apply the same set of Azure policies and role assignments to all subscriptions under a specific department, and they plan to add more subscriptions in the future. Which Azure construct should they use?

A company wants to organize their Azure subscriptions into a hierarchy for policy and cost management. They have multiple departments, each with multiple subscriptions. What should they create first to establish this structure?

A company uses Azure Policy to enforce encryption on storage accounts. They discover some existing storage accounts are non-compliant. They want to automatically enable encryption on these accounts without manual intervention. Which combination of policy effects should they use?

A company needs to ensure that all Azure resources have a mandatory 'CostCenter' tag. If a resource is created without this tag, the resource creation should be blocked. Which Azure Policy effect should they use?

A company wants to track and manage costs across multiple Azure subscriptions. They have created a hierarchy of management groups: Root -> Department A -> Project 1, Project 2. They want to see the total cost for Department A across all its projects. Which Azure tool should they use?

A company wants to ensure that all Azure resources are tagged with metadata such as 'Environment' and 'Department'. They have created an Azure Policy that appends the required tags and their values when a resource is created. However, they notice that some resources created before the policy assignment are missing tags. They want to automatically add those tags without manual effort. What should they do?

A company wants to enforce a set of security policies across all their Azure subscriptions. They have created several individual policy definitions. Which Azure construct should they use to group these policies together and assign them as a single package?

A company needs to grant a group of users the ability to restart and start/stop virtual machines, but not to create or delete them. They want to assign this permission at the resource group level. What should they do?

A company has a management group hierarchy: Root > Europe > Production. They assign a policy at the Root level that denies creation of resources without a tag. Later, they assign a different policy at the Europe level. What is the effective effect on the Production subscription?

A company uses Azure Blueprints to define a standard environment. They publish a new version of the blueprint with an updated role assignment. All existing subscriptions that were created from an older version need to receive the new role assignment. What should they do?

A company wants to monitor the performance of their Azure VMs and receive alerts when CPU usage exceeds 90%. Which Azure service should they use?

A company wants to organize their Azure subscriptions into a hierarchy to manage access policies and cost across different departments. They have three departments: Sales, Marketing, IT. What should they create first?

A company has multiple Azure subscriptions for different projects. They want to apply a common set of policies and role assignments to all subscriptions under the 'Research' department. They also plan to add more subscriptions for Research in the future. What should they use?

A company has a management group hierarchy: Root → UK → Production. They assign a policy at the Root level that allows only certain VM sizes. Later, they assign another policy at the UK level that denies all resources. What is the effective effect on the Production subscription?

A company wants to enforce a naming convention on all Azure resources by automatically adding a tag with the environment name (e.g., 'Env-Prod' or 'Env-Dev') when a resource is created. They do not want to block resource creation if the tag is missing. Which Azure Policy effect should they use?

A company has created an Azure Blueprint to define a standard environment with role assignments and policies. They have published multiple versions. They want all existing subscriptions that were created from an older version to automatically receive the updates from the latest version. What should they do?

A company wants to ensure that all new Azure storage accounts have a specific encryption setting enabled. They also want to automatically remediate any existing non-compliant storage accounts without manual effort. Which Azure Policy effect should they use?

A company has multiple Azure subscriptions for different departments. They want to track and analyze costs, and allocate costs to each department based on tags applied to resources. Which Azure tool should they use?

A company needs to grant a specific user the ability to restart virtual machines in a specific resource group, but not to create, delete, or modify them in any other way. The built-in 'Virtual Machine Contributor' role grants too many permissions. What is the most appropriate solution?

A company has multiple subscriptions. They want to apply a policy that denies creation of resources without a specific tag at the top-level management group. Later, they need to allow a specific subscription to create resources without that tag. What should they do?

A company wants to ensure that all resources in their Azure environment are created with mandatory tags for cost tracking. They have already assigned a policy to append tags, but existing resources are still missing tags. They want to automatically add the tags to existing resources without manual intervention. What should they do?

A company wants to enforce that all storage accounts use the 'Standard' performance tier and block creation of any 'Premium' storage accounts. Which Azure Policy effect could achieve this?

A company uses Azure Blueprints to define a standard environment with policies, role assignments, and resource groups. They publish a new version of the blueprint that adds a new role assignment. However, existing subscriptions created from older versions do not have this new role assignment. What must they do to apply the update to existing subscriptions?

A company wants to ensure a specific resource group cannot be deleted, but they also need to be able to delete it temporarily during maintenance windows. Which approach allows the most granular control?

A company wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically apply the tag to new resources, and also to existing resources that are missing it. Which Azure service should they use?

A company has multiple Azure subscriptions organized under a management group hierarchy. They need to assign the 'Contributor' role to a security team for all subscriptions under the 'Production' management group. They also want new subscriptions added later to automatically inherit this role assignment. What should they do?

A company wants to ensure that no one can create virtual machines without approval from the IT department. They want to block all VM creation attempts and notify the requester that they need to request access. Which Azure Policy effect should they use?

A company wants to track and analyze Azure costs across multiple departments. They have tagged resources with 'Department' tags. Which tool should they use to view cost breakdowns by department?

A company has multiple Azure subscriptions. They need to enforce a rule that only specific virtual machine sizes (e.g., Standard_D2s_v3) can be used across all subscriptions. They also want this rule to automatically apply to any future subscriptions created. Which Azure service should they use?

A company wants to receive proactive recommendations to reduce Azure costs, improve security, and increase reliability. They want a single dashboard that provides best practices for their deployed resources. Which Azure service should they use?

A multinational company has multiple Azure subscriptions managed by different teams. The compliance team requires that all new virtual machines deployed in any subscription must have a specific tag (e.g., 'CostCenter') and must be deployed in approved regions only. They also want to automatically enforce these requirements without manual intervention. Which Azure service should the compliance team use to achieve this?

A company has multiple Azure subscriptions that are managed by different departments. The governance team needs to ensure that every new subscription follows a standardized set of compliance requirements, including specific Azure Policy definitions, a predefined role assignment for a central security group, and a base set of network resources. The solution must be reusable and allow the governance team to update the requirements centrally, with changes automatically applied to all subscriptions that use the same definition. Which Azure service should the governance team use?

A company has deployed hundreds of virtual machines in Azure across multiple subscriptions. The governance team wants to generate a compliance report that identifies which VMs are using approved VM sizes and which are not, according to a corporate policy. The team must not block the deployment of non-compliant VMs; they only want to track compliance. Which Azure Policy effect should they use in the policy definition?

A company has a critical Azure Storage account that stores immutable backups. The IT administrator wants to ensure that no one can delete or modify this storage account, even administrators with Contributor or Owner roles. The company still needs to allow read access to the data within the storage account. Which Azure governance feature should the administrator implement?

A company has a policy that all Azure Storage accounts must have diagnostic settings enabled to send logs and metrics to a specific Log Analytics workspace. The governance team wants to automatically configure these diagnostic settings when a new storage account is created, without blocking the initial creation. The solution must not require manual intervention. Which Azure Policy effect should the team use in their policy definition?

A company uses Azure for its production workloads. The security team wants to receive proactive, personalized recommendations to improve the security of their Azure resources, such as enabling Microsoft Defender for Cloud on subscriptions that do not have it enabled. Which Azure service provides these security recommendations?

A company runs multiple projects in Azure, each project is placed in a separate resource group. The finance team wants to set a monthly spending limit of $10,000 per project and receive automated email alerts when a project's spending reaches 80% of the limit and again when it exceeds the limit. The solution must use native Azure capabilities and be configurable per resource group. Which Azure service should the finance team use?

A healthcare organization needs to enforce a set of compliance requirements (e.g., enable encryption on all storage accounts, restrict public network access to SQL databases, and enforce a specific TLS version) across all Azure subscriptions. The organization has defined these requirements as individual Azure Policy definitions. The governance team wants to assign all these policies together as a single unit to a management group, ensuring that any new subscription created under that group automatically receives all the policies. Which Azure object should the governance team create first?

A company is adopting a landing zone approach in Azure. The governance team wants to automatically provision a standardized environment for each new Azure subscription. The environment must include: a predefined set of Azure Policy assignments (e.g., enforce resource tagging), specific RBAC role assignments for a central operations team, and a baseline resource group containing a storage account with a specific configuration. The team wants to package all these components into a single, versioned object that can be assigned to a management group and updated over time as requirements change. Which Azure governance service should the team use?

A company has a policy that all Azure resources must have a tag named 'CostCenter'. The governance team wants to automatically add the tag with a default value 'IT' to any new resource that is created without it. The team wants the tag to be applied during resource creation, not just report non-compliance. The solution must also support remediation for existing non-compliant resources if needed later. Which Azure Policy effect should the team use in their policy definition?

A company has three departments: Sales, Marketing, and IT. Each department has its own Azure subscription. The IT department manages all networking and security policies across all subscriptions. The Sales and Marketing departments should be able to create and manage their own resources but cannot modify networking or security policies. The IT department wants to apply a consistent set of policies (e.g., enforce tagging, restrict VM SKUs) across all subscriptions without needing to assign policies to each subscription individually. Additionally, the IT department wants to delegate administration of a specific custom role to a junior administrator who can assign that role to users within the Sales subscription only. Which combination of Azure governance features should the IT department use?

A company manages a production Azure subscription that contains critical resources. The security team wants to prevent any user, including users with the Owner role, from accidentally deleting the entire subscription or any resource within it. The team still wants authorized users to be able to modify settings and create new resources. Which Azure feature should the team use?

A company has a resource group named 'RG-Prod' that contains critical virtual machines (VMs), virtual networks, and a SQL database. The infrastructure team needs to grant a group of developers the ability to start, stop, and restart only the VMs in RG-Prod. The developers must not be able to create new VMs, delete existing VMs, modify the virtual networks, or access the database. The company wants to follow the principle of least privilege. Which Azure role-based access control (RBAC) approach should the company use?

A company uses a single Azure subscription for its development and production workloads. The finance team wants to set a monthly spending limit for the entire subscription and receive an email alert when the costs are projected to exceed 80% of that limit. The company does not want any resources to be automatically stopped or deleted when the limit is reached. Which Azure feature should the finance team configure?

A company has multiple Azure subscriptions used by different departments. The governance team has created several Azure Policy definitions to enforce tagging rules, restrict allowed VM SKUs, and require HTTPS for storage accounts. The team wants to assign these policies as a single, manageable unit to a management group so that they can track overall compliance across all subscriptions in that group from one dashboard. The compliance summary should show how many resources are compliant against all the combined policies. Which Azure feature should the team use?

A company is adopting Azure and wants to ensure that every new subscription automatically includes a standard set of governance artifacts: two custom Azure Policy definitions (one for allowed locations, one for resource tagging), a custom Role-Based Access Control (RBAC) assignment for the security team, and an initial resource group with an Azure Resource Manager (ARM) template that sets up a network topology. The company wants to version these artifacts and update them over time, ensuring that new subscriptions always use the latest approved version. Which Azure service should the company use to package and deploy this standardized environment?

A company uses Azure Policy to enforce governance. They want to prevent users from creating virtual machines of the Standard_DS3_v2 SKU in their subscription, and they also want to log any attempt to create such a VM (whether successful or not) for audit purposes. What is the minimum number of Azure Policy assignments required to meet both requirements?

A company has an Azure subscription used by multiple development teams. The security team wants to ensure that every virtual network (VNet) created in the subscription automatically has a specific network security group (NSG) associated with its default subnet. The NSG rules are defined by the security team, and developers should not have to perform any extra steps after creating a VNet. Which Azure Policy effect should the security team use in the policy definition?

A company has a resource group named 'RG-Prod' that contains critical virtual machines, a SQL database, and a storage account. The infrastructure team needs to ensure that no one can accidentally delete this resource group or any of its resources. However, users must still be able to create, update, and delete individual resources within the group as needed for normal operations. Which type of Azure Resource Lock should the team apply to 'RG-Prod'?

A company uses Azure Management Groups to organize subscriptions. The hierarchy is: Root Management Group -> Contoso Management Group -> Sales (management group) and R&D (management group). Under Sales there are two subscriptions: Sales-Prod and Sales-Dev. Under R&D there is one subscription: R&D-Prod. The governance team assigns an Azure Policy definition that denies the creation of resources in the East US region. They assign this policy to the Contoso Management Group, but they add an exclusion for the Sales-Dev subscription. A developer in the Sales-Dev subscription attempts to create a virtual machine in the East US region. What will happen?

A company wants to proactively monitor and control its Azure spending. The finance team has set a monthly budget of $10,000 for the 'Marketing' subscription. They want to receive an email notification when the actual spending reaches 80% of the budget and another notification when it reaches 100%. Additionally, if the spending ever exceeds $12,000 in a month, they want to automatically trigger a runbook that scales down non-critical resources. Which Azure feature should the finance team use to achieve all these requirements?

A company uses Azure Policy to enforce governance on their subscriptions. They want to ensure that every newly created Azure resource automatically receives two tags: 'Owner' and 'CostCenter'. If a user or an automated process creates a resource without specifying these tags, the policy should add the missing tags with default values of 'Unassigned' without blocking the resource creation. Which Azure Policy effect should be used in the policy definitions?

A financial services company must deploy a standardized environment for a new customer-facing application. The environment must include a specific set of Azure resources (such as virtual networks, databases, and App Service plans), pre-configured role assignments for the compliance team, and a collection of Azure Policy definitions that enforce encryption and tagging rules. The company needs to package all these components into a single, versioned artifact that can be consistently deployed across multiple subscriptions and regions, with the ability to track changes and updates. Which Azure service should the company use to achieve this?

A company has an Azure Policy assigned at the root management group that denies the creation of resources without a 'Department' tag. The IT team needs to deploy a temporary set of resources in a specific resource group under a child management group. These resources will not have the required tag. The team must not alter the original policy definition or the policy assignment. What should the team create to allow this deployment?

A company uses Azure Blueprints to enforce a standard landing zone for all development subscriptions. The blueprint includes a virtual network, subnets, and network security groups. After the blueprint is assigned to a subscription, a development team manually adds a new subnet to the virtual network. The company plans to update the blueprint to add a new network security group rule. When the updated blueprint is published and the assignment is updated, what will happen to the manually added subnet?

A company has deployed a production Azure SQL Database that is used by a critical line-of-business application. The database administrators need to be able to change the database schema and scaling settings. However, the operations team must ensure that no one can accidentally delete the database or its server. The company does not want to implement a complex backup strategy for this prevention; they want a simple control that can be applied at the resource level without affecting other management operations. What should the operations team configure to meet these requirements?

A company runs several Azure virtual machines and an Azure SQL Database in a single subscription. The operations team needs a single, personalized dashboard that displays the current health status of these specific resources, as well as any upcoming planned maintenance events from Microsoft that might affect them. The team wants to see all this information in one place without having to navigate multiple tools. Which Azure service should the operations team use to meet these requirements?

A company uses Azure to host multiple virtual machines and virtual networks. The network team is responsible for configuring and maintaining virtual networks, subnets, and network security groups. The company wants to ensure that the network team can manage these network resources but cannot modify or delete virtual machines. Which Azure built-in role should the company assign to the network team?

A company uses Azure Policy to govern its Azure environment. The governance team wants to enforce that all virtual machines (VMs) deployed in the production subscription use only approved operating system images from a specific Azure Compute Gallery. However, during a transition period, the team does not want to block the creation of VMs that use non-approved images; instead, they need to identify and report on any non-compliant VMs. They also want to track compliance over time. Which Azure Policy effect should the governance team use in the policy definition to meet these requirements?

A company's security team needs to audit all virtual machines (VMs) that have a public IP address directly attached, across more than 50 Azure subscriptions organized under several management groups. The team wants to run a single query to get a list of these VMs along with the subscription and resource group details. The solution must provide fast results without the need to write custom scripts or iterate through each subscription individually. Which Azure service should the team use?

A company has 30 Azure subscriptions organized under a single management group. The governance team wants to enforce that all resource groups must have a specific tag 'CostCenter' with a valid value. They create an Azure Policy definition with the 'Deny' effect and assign it to the root management group. However, the development team complains that they have a sandbox subscription where they need to create resource groups without the 'CostCenter' tag for testing. The governance team still wants the policy to apply to all other subscriptions but exempt the sandbox subscription. Which solution should the governance team use?

A company has multiple Azure subscriptions, each managed by different development teams. The central governance team wants to ensure that every subscription adheres to the same security baselines, including specific Azure Policy definitions, RBAC role assignments, and a standard resource group structure. The team needs a single, versioned package that brings these components together and can be consistently deployed across all subscriptions. Which Azure service should the governance team use to meet these requirements?

A company stores critical financial records in an Azure Storage account. The operations team needs to ensure that the storage account cannot be deleted by any user, including administrators with Contributor permissions. However, authorized users must still be able to add and modify blobs. The solution should not affect the ability to update the account's configuration. Which Azure feature should the company implement?

A company has 15 Azure subscriptions organized under multiple management groups. The security team has defined a standard set of 8 Azure Policy definitions that must be applied to every subscription. These definitions enforce required tags, deny creation of public IPs, require encryption for storage accounts, and restrict VM SKUs. The team wants to assign these policies as a single entity to simplify management and ensure consistent compliance. What should the team create and assign?

A company has 10 Azure subscriptions used by different departments. The finance team wants to receive automated, prioritized recommendations to reduce cloud costs. Specifically, they want suggestions for identifying idle virtual machines and rightsizing underutilized resources across all subscriptions. Which Azure service should the finance team use to get these recommendations?

A company uses multiple Azure subscriptions for development and production. The finance team wants to set a monthly budget of $1,000 for a specific dev subscription. When the actual cost reaches 80% of the budget, the team wants to receive an email alert. If the cost exceeds 100%, they want to automatically stop a specific virtual machine in that subscription to prevent overspending. Which Azure feature should the team use to automate the stopping of the VM when the budget is exceeded?

A company manages hundreds of Azure SQL databases across multiple subscriptions. The compliance team requires that every Azure SQL database has diagnostic settings enabled to send logs to a central Log Analytics workspace. The team wants a solution that automatically configures diagnostic settings for any new Azure SQL database when it is created, without requiring manual intervention or additional scripting. Which Azure governance feature should the team use?

A company has a regulatory requirement that all Azure resources must be deployed only in the West Europe region. The governance team needs to automatically prevent any user or application from creating resources in any other region. The team must also ensure that this restriction is applied to all existing and future subscriptions within the tenant. Which Azure service should the governance team use?

A company has a root management group that contains all Azure subscriptions. A centralized governance team needs to create and assign Azure Policy definitions and set initiatives that apply to all subscriptions. Which built-in role should be assigned to the governance team at the root management group scope to grant the minimum required permissions?

A company has a governance requirement that every Azure virtual machine must have a tag named 'CostCenter' with the value 'Unassigned'. If a user creates a VM without the tag, or with a different value for that tag, the tag should be automatically corrected to 'Unassigned' immediately upon resource creation. The IT team is writing an Azure Policy definition to enforce this. Which Policy effect should they use?

A global company creates a new Azure subscription for each major project. To ensure compliance and consistency, the governance team needs a single, versioned, auditable package that, when assigned to a subscription, automatically deploys a standard set of Azure Policy assignments, role assignments, a resource group structure, and a pre-configured virtual network. The solution must allow these packages to be updated centrally and have changes tracked for auditing. Which Azure service should the governance team use?

A company manages its production workloads in a dedicated Azure subscription under the root management group. The infrastructure team recently created a critical resource group named 'rg-prod-core' that contains networking resources. To prevent accidental deletion of this entire resource group, the team needs a mechanism that blocks delete operations on 'rg-prod-core' while still allowing changes to resources within it. The solution must not affect any other resource groups in the subscription. Which Azure feature should the team apply to 'rg-prod-core'?

A company's finance team uses Azure Cost Management + Billing to monitor cloud spending. They want to configure a rule that sends an email notification to the finance team's distribution list when the monthly cost for resources tagged with Department=Marketing exceeds $10,000. Which Azure Cost Management feature should they configure?

A company has a root management group containing three subscriptions: Production, Development, and Sandbox. The governance team assigns an Azure Policy initiative to the root management group that enforces tagging requirements. The Sandbox subscription is used for experimental testing and needs to be temporarily excluded from the tagging requirements while the team evaluates a new tagging schema. The team must ensure the policy assignment remains active in Production and Development but does not affect resources in Sandbox. Which Azure Policy feature should the team use?

A company operates a hybrid IT environment with virtual machines running on-premises and in Amazon Web Services (AWS). The company also has a growing number of resources in Microsoft Azure. To simplify management, the company wants to use a single Azure service to apply Azure Policy definitions and enable unified inventory and tagging across all virtual machines, regardless of their location. Which Azure service should the company use?

A multinational company has a strict data residency requirement: all Azure virtual machines must be deployed only in the East US or West Europe Azure regions. The IT governance team wants to enforce this rule automatically so that any attempt to create a virtual machine in any other region is blocked immediately at the time of deployment. Users must receive a clear error message if they try to create a VM in a disallowed region. Which Azure feature should the governance team configure to meet this requirement?

A company has an Azure subscription used by several development teams. The governance team wants to identify any virtual machines that are not tagged with a mandatory 'CostCenter' tag. The team does not want to block the creation of untagged VMs; they only want to report on non-compliant resources in Azure Policy's compliance dashboard. Which Azure Policy effect should they use in their policy definition?

A company has an Azure Policy assignment that denies the creation of any virtual machine (VM) that does not have a mandatory 'CostCenter' tag. A development team needs to deploy a temporary test VM without the required tag for a short-term experiment. The governance team wants to allow this specific exception while recording the reason for the exception, ensuring the policy is still enforced for all other resources. The exception must also automatically expire after 30 days. Which Azure Policy feature should the governance team use?

A company has an Azure subscription that contains production resources. The IT manager is concerned that a user who has the Contributor role might accidentally delete the entire subscription. The company wants a solution that prevents anyone from deleting the subscription, even users with the Owner role, while still allowing modifications to the resources inside the subscription. What should the administrator configure?

A company has an Azure subscription with 200 virtual machines. The compliance team requires that all virtual machines have diagnostic settings enabled to send metrics and logs to a central Log Analytics workspace. The team wants Azure to automatically configure these diagnostic settings on any VM that currently lacks them, without manual intervention. Which Azure Policy effect should the team use in the policy definition?

A company requires that all resources deployed in a production Azure subscription must include a 'Department' tag. Resources without this tag must be automatically prevented from being created. Which Azure service should the company use to enforce this requirement?

A multinational corporation wants to deploy a standard set of Azure resources—including virtual networks, virtual machines, and SQL databases—to multiple departments. Each deployment must automatically include assigned Azure Policy definitions to enforce security rules, role-based access control (RBAC) assignments for the operations team, and a predefined naming convention. The solution must provide a single, repeatable package that can be versioned and updated centrally. Which Azure service should the company use?

A large enterprise has multiple Azure subscriptions for different business units. The governance team wants to apply a set of Azure Policy initiatives, such as allowed locations and required tags, to all subscriptions in the organization. They also want to set up role-based access control for the compliance team at the root level so that they can monitor compliance across all subscriptions. Which Azure feature should they use to achieve this?

A company has deployed a critical production application in an Azure resource group. The security team wants to prevent accidental deletion or modification of any resources within that resource group. They have already configured Azure RBAC roles to grant only necessary permissions to the operations team. However, they need an additional protection that even users with Owner permissions cannot delete the resource group or its resources without a two-step process to remove the protection. Which Azure feature should the company implement?

A company runs a development subscription in Azure. The finance team wants to set a monthly spending limit of $5,000 for this subscription and receive email alerts when spending reaches 80% and 100% of that limit. The team must also be able to review historical spending trends. Which Azure tool should the finance team use to configure these alerts and track spending?

A company operates a fleet of on-premises servers running legacy applications. Due to strict regulatory compliance requirements, these servers cannot be migrated to Azure. However, the IT team wants to centrally manage these servers using Azure tools, including applying Azure Policy to enforce configuration standards and using Azure Monitor for log collection and performance monitoring. The team needs to treat these on-premises servers as Azure resources without moving them. Which Azure service should the company use?

A company uses Azure Policy to enforce that all virtual machines must have the Azure Monitor agent extension installed. The policy is assigned to a subscription and uses the 'DeployIfNotExists' effect, which automatically installs the agent on new VMs. However, the security team notices that several existing VMs are non-compliant because they were provisioned before the policy was assigned. The team wants to automatically make these existing VMs compliant without manual intervention. What should the team do?

A company uses Azure Policy to enforce governance rules across its Azure subscriptions. The security team wants to ensure that all virtual machines deployed in a subscription must be of an approved size from a predefined list. If a user attempts to deploy a virtual machine with a size not on the list, the deployment must be immediately blocked. Which Azure Policy effect should the company use in the policy definition?

A company has multiple Azure subscriptions for different departments. The governance team needs to ensure that every new subscription is automatically provisioned with a consistent set of resources, including a predefined network topology, mandatory Azure Policy assignments (e.g., allowed locations), and specific role-based access control (RBAC) assignments for the security team. The solution must be repeatable, version-controlled, and allow the team to update the defined artifacts and apply updates to existing subscriptions. Which Azure service should the team use to define and deploy this collection of governance artifacts?

A company needs to deploy a consistent set of Azure resources (a virtual network, two subnets, and a network security group) into multiple environments: dev, test, and prod. The IT operations team wants to define these resources in a declarative file that can be deployed repeatedly and reliably to different resource groups. The team also wants to version control the file and have the ability to update all environments by redeploying the same file. Which Azure feature should the team use?

A company uses Azure Policy to enforce resource tagging. The governance team creates a policy that requires all resources in a subscription to have a 'CostCenter' tag. However, the team does not want to block resource creation if the tag is missing. Instead, they want the policy to automatically add the tag with a default value of 'Unassigned' to any new resource that is created without the tag. Which Azure Policy effect should the team configure in the policy definition?

A large enterprise has multiple Azure subscriptions for different departments. The central IT team wants to enforce a policy that restricts the Azure regions where resources can be deployed. The policy must automatically apply to all existing subscriptions and to any new subscriptions created in the future, without requiring manual assignment to each subscription individually. Which Azure feature should the central IT team use to achieve this hierarchical governance?

A company has a critical Azure resource group that contains all production virtual machines and databases. The IT security administrator wants to ensure that no user, including members of the 'Owner' role, can accidentally or intentionally delete this resource group. The solution must not prevent modification of resources inside the resource group. The administrator needs to apply a governance control at the resource group level. What should the administrator do?

A company has an Azure subscription that contains hundreds of virtual machines (VMs) across multiple resource groups. The security team needs to enforce two governance rules: 1) All VMs must use managed disks. 2) All VMs must be deployed only in the East US region. The team wants to assign a single governance artifact that combines both rules so that the compliance state is evaluated as a group. The solution must not require assigning each rule individually. Which Azure feature should the team use to define and assign this combined set of rules?

A company has a single Azure subscription that contains multiple resource groups for different departments. The security team needs to ensure that only members of the 'VM Operators' Azure Active Directory group can create virtual machines in the subscription. All other users, including subscription Owners, must be blocked from creating virtual machines. Which Azure feature should the security team use to enforce this requirement?

A multinational company has multiple Azure subscriptions for different business units. The central governance team wants to define a standardized environment that must be automatically applied to every new subscription. The standard must include a set of Azure Policy definitions (e.g., allowed regions), a specific Azure RBAC role assignment (e.g., a contributor access for a central security group), and a preconfigured resource group with a virtual network. The team wants to package all these components together so that they can be deployed consistently and updated centrally. Which Azure service should the team use?

A company has an Azure subscription that hosts multiple virtual machines, databases, and storage accounts. The finance team wants to receive an automated email notification when the forecasted monthly spending for the subscription exceeds $10,000. The team needs to use a native Azure feature that can track actual and forecasted costs and trigger alerts based on a monetary threshold. The solution must not require custom scripts or third-party tools. Which Azure feature should the team configure?

A company uses Azure for multiple projects. The IT governance team wants to ensure that every new Azure resource within a subscription is automatically assigned a 'CostCenter' tag based on the resource group it is created in. The team does not want to rely on users manually applying the tag. They need a built-in Azure solution that enforces this rule without custom scripts. Which Azure feature should they use?

A company has multiple Azure subscriptions used by different departments. The security team wants to enforce a requirement that all Azure Storage accounts in every subscription must be encrypted at rest using customer-managed keys (CMK). The solution must automatically evaluate existing and new storage accounts for compliance, and it must be able to automatically remediate non-compliant resources by enabling CMK encryption. The team wants to use a single, centralized Azure feature that can be assigned once and apply to all subscriptions. Which Azure feature should they use?

A company has a production resource group that contains several Azure virtual machines and a SQL database. The company wants to ensure that no user can accidentally delete these resources, but authorized administrators must still be able to modify the configuration and update the resources. The company needs a straightforward governance feature that can be applied directly to the resource group and can be removed only by an authorized user with the Owner role. Which Azure feature should the company use?

A company has deployed multiple Azure virtual machines for a production workload. The IT administrator wants a centralized list of prioritized recommendations to improve the security, high availability, and cost efficiency of the virtual machines. The administrator also wants to be able to view the potential impact of implementing each recommendation. Which Azure service should the administrator use?

A company has a team of support engineers who need to be able to restart Azure virtual machines when they become unresponsive. The support engineers must not be able to modify the VM configuration, delete the VMs, or access VM data. The company wants to use the principle of least privilege. No built-in Azure role meets these exact requirements. What should the company do?

A company is adopting Azure and needs to deploy a standardized environment that includes a resource group, a virtual network with specific IP address ranges, and a set of Azure Policy definitions to restrict allowed deployment locations. The environment will be deployed to multiple subscriptions used by different departments. The company requires a repeatable, versioned package that defines the resources, policies, and role assignments as a single item. The solution must allow updates to be managed and enforced over time. Which Azure feature should the company use?

A company uses multiple Azure subscriptions for different departments. The finance team wants to monitor spending across all subscriptions and receive automated email alerts when a subscription's actual spending reaches 80% of its monthly budget. The team does not want to write custom scripts or use external tools. Which Azure feature should they use?

A large enterprise manages hundreds of Azure subscriptions. The compliance team needs to run an on-demand report that shows all virtual machines with their current power state (running or deallocated), operating system, and VM size, filtering by specific resource groups or subscriptions. The team wants to use a native Azure tool that allows querying Azure resources at scale using a Kusto Query Language (KQL) syntax. Which Azure service should they use?

A large enterprise manages hundreds of Azure subscriptions. The central governance team wants to ensure that every resource deployed across all subscriptions always has two required tags: 'Department' and 'CostCenter'. If a resource is created without these tags, the governance policy must automatically add the missing tags with placeholder values (e.g., 'Department: Unknown') and generate a compliance report. The team does not want to rely on user training or manual audits. Which Azure service should the team use to meet these requirements?

A large enterprise manages Azure subscriptions for three business units: Sales, Research & Development, and Information Technology. Each business unit has its own Azure subscription. The central governance team needs to ensure that a specific set of Azure Policy definitions (e.g., restricting allowed regions to 'East US' only) is applied to all current and future subscriptions belonging to these three business units. The team wants to minimize administrative overhead and ensure that any new subscription created for a business unit automatically inherits the same policies. Which Azure feature should the team use to achieve this goal?

A company runs a critical line-of-business application on Azure virtual machines. The operations team needs to receive proactive notifications about any upcoming planned maintenance events that could affect their virtual machines, as well as real-time alerts when a service incident occurs in the Azure region where the application is deployed. The team wants a native Azure solution that provides a personalized view of all service health events relevant to their subscriptions, including historical incident reports. Which Azure service should the operations team use?

A company has a policy that every Azure virtual machine must have the Azure Monitor Agent installed and configured to send metrics to a central Log Analytics workspace. To enforce this requirement without relying on manual user action, the governance team wants to automatically deploy the agent to any existing or new VM that is missing it. They also need to generate a compliance report showing any VMs where the installation failed. Which Azure Policy effect should the team use to meet these requirements?

A company wants to enforce a governance policy that only allows virtual machines of the SKU 'Standard_DS2_v2' to be deployed in their Azure subscription. If a user attempts to create a virtual machine with a different SKU (e.g., 'Standard_D2s_v3'), the deployment must be immediately rejected with an error, and the resource must not be created. Which Azure Policy effect should the team use to implement this requirement?

A large enterprise manages multiple Azure subscriptions for different business units. The central governance team wants to deploy a consistent landing zone across all subscriptions. The landing zone must include pre-defined Azure Policy definitions (e.g., allowed locations, allowed VM SKUs), standard RBAC role assignments (e.g., Owner, Contributor for specific security groups), and a predefined resource group structure (e.g., 'Networking', 'Security', 'Workloads'). The team wants a single, versioned artifact that can be assigned to any subscription to apply all these configurations together, with the ability to update the artifact and have changes propagate to existing assignments. Which Azure service should the team use?

A company has a policy that all Azure resources must have a 'CostCenter' tag. The governance team wants to identify any resources that are missing the tag without preventing their creation. They need a compliance report generated automatically showing all non-compliant resources. Which Azure Policy effect should they use?

A company has an Azure subscription with hundreds of existing virtual machines. The governance team wants to enforce a policy that every virtual machine must have a tag named 'CostCenter' with a valid value. The team wants to automatically add the 'CostCenter' tag with a default value of 'Undefined' to any existing or new virtual machine that is missing the tag. They do not want to block the creation of virtual machines that are missing the tag, but they do want the tag to be added automatically within a few minutes of detection. Which Azure Policy effect should the team use?

A company has 10 Azure subscriptions organized under two management groups: Production and Non-Production. The governance team needs to enforce a policy that all Azure resources must be deployed only in the East US or West US Azure regions. The policy must apply to every subscription under both management groups, including any new subscriptions added in the future, without requiring separate assignments per subscription. Which Azure feature should the team use to achieve this with the least administrative effort?

A company has a critical resource group named 'Prod-Databases' that contains Azure SQL databases and virtual machines used by a production order-processing system. The database administrator wants to prevent any user, including administrators, from accidentally deleting or modifying resources in this resource group. The operations team needs a safeguard that requires an explicit action to be taken before any changes become possible, without affecting the ability to manage resources in other resource groups. Which Azure feature should the team implement?

A company's finance team wants to proactively monitor Azure spending and receive automated email notifications when costs reach 80% of a predefined monthly limit. They want to avoid manual cost tracking and set up alerts without custom scripting. Which Azure feature should they use?

A company manages 50 Azure subscriptions that contain thousands of resources. The DevOps team needs to identify all virtual machines that are tagged with 'Environment: Production' across all subscriptions. They need a single query that returns the VM name, resource group, and location for every such VM. The team does not want to write PowerShell commands or loop through each subscription manually. Which Azure service should they use?

A company has a management group hierarchy with a root management group that contains all subscriptions. The governance team assigns a built-in Azure Policy initiative 'Allowed Locations' to the root management group with the 'Deny' effect, restricting resource deployment to East US and West US only. After six months, a new regulatory requirement forces the marketing department's subscription (placed under the root) to deploy resources in North Europe for a specific pilot project. The governance team must allow this exception without changing the original policy assignment and without allowing any other subscription to deploy to North Europe. What should the governance team do?

A multinational corporation must ensure that every new Azure subscription automatically conforms to corporate security and compliance baselines. The team wants to deploy a predefined set of Azure resources (e.g., a central logging storage account, a network security group configuration) and apply a standard set of Azure Policy definitions (e.g., restricting allowed VM sizes, enforcing encryption) to any new subscription. They want to manage these as a single, versioned package that can be updated and re-assigned to existing subscriptions. Which Azure service should they use?

A retail company has 50 on-premises servers in multiple branch offices that run legacy applications that cannot be migrated to Azure. The company wants to govern these servers using the same Azure Policy and tagging standards that they use for their Azure virtual machines. They also want to view these servers alongside Azure resources in the Azure portal. Which Azure service should they deploy to extend Azure management capabilities to these on-premises servers?

A company uses Azure for multiple workloads. The finance team wants to identify virtual machines that are consistently underutilized (average CPU usage below 5%) so they can reduce costs by resizing or shutting down those VMs. They want a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations. Which Azure service should they use?

A company has a root management group that contains two child management groups: Production and Development. Each child management group contains several subscriptions. The security team assigns a built-in Azure Policy definition with the 'Deny' effect to the Production management group to enforce encryption on all storage accounts. Later, the Development team requests that storage accounts in their subscriptions must not be encrypted because they host temporary test data that needs to be quickly deleted and recreated. The security team must allow this exception for Development only, without changing the policy for Production. What should the security team do?

A company has a policy that every Azure resource must have a 'CostCenter' tag assigned at creation time. The governance team wants to automatically prevent any resource creation if the tag is missing, without requiring manual review after deployment. Which Azure feature should they use to enforce this requirement?

A company has several Azure subscriptions that contain hundreds of virtual machines. A new corporate standard requires that all VMs must use Azure managed disks instead of unmanaged disks. The governance team needs to automatically identify existing VMs with unmanaged disks and convert them to managed disks without requiring manual intervention for each VM. The team also wants to ensure that any new VMs created in the future automatically use managed disks. Which Azure feature should they use to meet both requirements?

A company has an Azure subscription with multiple resource groups. The governance team wants to ensure that every new resource created in the subscription automatically receives a 'Department' tag with a default value of 'Finance' if the creator did not specify one. The team wants the tag to be applied without blocking the creation of the resource. Which Azure feature should they use?

A multinational company has 10 Azure subscriptions, each managed by a different department. The central governance team wants to deploy a standardized environment that includes a specific network topology (virtual network, subnets, and network security groups), a set of Azure Policy definitions to enforce tagging and encryption, and a role assignment granting the 'Reader' role to a central security team in every subscription. The team must be able to update this standard definition in one place, and any changes should automatically apply to all existing deployments that were created from the definition. Which Azure service should they use?

A company has a critical production resource group that contains several virtual machines and an Azure SQL Database. The IT manager wants to prevent anyone from accidentally deleting the resource group or any of its resources. However, authorized administrators must still be able to add, update, or delete individual resources within the group (except deletion of the group itself). Which Azure feature should the manager apply to the resource group?

A company has multiple Azure subscriptions, each belonging to a different department. The finance department wants to set spending limits per subscription and receive automated email notifications whenever actual spending reaches 80% of the allocated budget. Which Azure feature should they configure?

A company's security policy requires that all Azure Storage accounts must enforce a minimum TLS version of 1.2. The governance team needs to continuously audit all existing storage accounts for compliance with this requirement, and also ensure that any new storage account that does not meet the TLS version requirement is automatically flagged as non-compliant in the Azure portal compliance dashboard. The team does not want to block the creation of non-compliant resources; they only need to report them. Which Azure feature should they use?

A company has a single Azure subscription that contains resource groups for several business units. The company's compliance team wants to enforce a rule: no virtual network (VNet) can be deployed in any resource group unless the VNet is in a specific allowed region (West Europe). The rule must also block the creation of VNets in disallowed regions, but the team must be able to selectively exempt certain resource groups (e.g., for disaster recovery testing) without altering the underlying rule definition. Which Azure feature should the compliance team implement?

A multinational company uses Azure management groups to organize its subscriptions. The company has a root management group (tenant root group) containing three child management groups: 'Finance', 'HR', and 'IT'. Each child management group contains multiple subscriptions. The global governance team needs to enforce an Azure Policy that restricts all resource deployments across every subscription in the organization to only the 'West US' and 'East US' regions. The policy must automatically apply to any new subscriptions that are created under any management group in the future. The team wants to assign the policy once and have it affect all current and future subscriptions with minimal administrative overhead. At which Azure scope should the team assign the policy?

A company has a production Azure subscription used by multiple teams. The governance team wants to enforce a rule that only virtual machines (VMs) of specific SKU sizes (e.g., Standard_D2s_v3 and Standard_D4s_v3) can be deployed. If a team attempts to deploy a VM of a different SKU size, the deployment must be blocked immediately and the user must see an error message explaining the restriction. Which Azure feature should the governance team use?

A company manages multiple Azure subscriptions for development, testing, and production environments. The governance team needs to ensure that every new subscription automatically includes a consistent baseline consisting of Azure Policy definitions, role assignments, and a predefined resource group structure. The team wants to package these governance components into a single deployable artifact that can be applied to any subscription with minimal manual effort. Which Azure feature should the team use?

A company uses Azure Policy to enforce governance rules across its subscriptions. The governance team wants to ensure that every resource in the 'Production' subscription has a tag named 'Environment' with the value 'Production'. If a resource is created without this tag, or with a different value, the tag must be automatically corrected to 'Production' without blocking the creation of the resource. Which Azure Policy effect should the team configure?

A company has an Azure tenant with a management group hierarchy. The 'Production' management group contains five subscriptions used by the operations team. The IT security team wants to grant the 'Network Contributor' role to a group of network administrators for all subscriptions under the 'Production' management group. The role assignment must automatically apply to any new subscription added under the 'Production' management group in the future. The network administrators already exist as a security group in Azure AD. What is the most efficient way to achieve this?

A company stores critical configuration data in an Azure Storage account. The IT administrator wants to prevent accidental deletion of this storage account. However, the administrator must still be able to read and update the data within the storage account. The company uses Azure Role-Based Access Control (RBAC) to manage permissions. Which Azure governance feature should the administrator implement to achieve this goal?