A company has three departments: Sales, Marketing, and IT. Each department has its own Azure subscription. The IT department manages all networking and security policies across all subscriptions. The Sales and Marketing departments should be able to create and manage their own resources but cannot modify networking or security policies. The IT department wants to apply a consistent set of policies (e.g., enforce tagging, restrict VM SKUs) across all subscriptions without needing to assign policies to each subscription individually. Additionally, the IT department wants to delegate administration of a specific custom role to a junior administrator who can assign that role to users within the Sales subscription only. Which combination of Azure governance features should the IT department use?

Create a management group for each department, assign Azure Policy initiatives at each management group, and use Azure Blueprints to manage role assignments.

Creating separate management groups per department does not reduce the number of policy assignments; each group would need its own assignment. Azure Blueprints can include role assignments, but they are not the primary mechanism for cross-subscription policy inheritance or delegation.

Use Azure Resource Manager templates to deploy policies and role assignments to each subscription, and use Azure Active Directory administrative units to manage delegation.

ARM templates can deploy resources, but they do not provide a hierarchical governance structure to automatically apply policies to multiple subscriptions. Administrative units are for managing users and groups in Azure AD, not for Azure RBAC delegation at subscription scope.

Assign Azure Policy initiatives to each subscription individually, and create a custom role that is scoped to the management group.

Assigning policies to each subscription individually duplicates effort and does not leverage Azure's hierarchical management capabilities. Scoping a custom role to the management group would grant permissions across all subscriptions, which is broader than the requirement of restricting delegation to the Sales subscription only.

What does this AZ-900 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Create a management group containing all three subscriptions, assign Azure Policy initiatives at the management group, and use Azure RBAC with a custom role scoped to the Sales subscription. — Management groups provide a hierarchical structure that allows you to apply Azure Policy initiatives at a scope that covers multiple subscriptions. By placing all three subscriptions under a single management group, the IT department can assign the required policies once and they will automatically apply to every subscription in the group. For the delegation task, Azure RBAC allows you to create a custom role and assign it at the Sales subscription scope, giving the junior administrator the permission to assign that role only within that subscription. Option B is less efficient because it requires separate policy assignments per management group. Option C uses ARM templates and Azure Active Directory administrative units, which are not designed for cross-subscription policy inheritance or Azure RBAC delegation in this context. Option D requires per-subscription policy assignment, which is not the most efficient approach, and scoping the custom role to the management group would grant permissions across all subscriptions, which is not the requirement.

What should I do if I get this AZ-900 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.