The answer to No 28 of “Timed Mode Set 3 – AZ-104 Azure Administrator”

[Bostonasian]

Answer to “You can create a virtual machine in TD-Subscription2” – No 28 of “Timed Mode Set 3 – AZ-104 Azure Administrator” doesn’t sound right.

TD-Subscription2 is the child to the management group TD-Management-Group20 which has “Allowed resource Types=Virtual Networks”. So this means that you can create a virtual network in this subscription. And this also means that it allows to create virtual machines, no?
Please have a look. This doesn’t sound right.

[Gerome-TutorialsDojo]

Hi Bostonasian,

Thanks for sharing your thoughts on this item.

Take note that there is also a policy “Not allowed resource types” and the scope is Tenant Root Group. Since the TD-Management-Group20 is under that root group, the policy would also take effect on the management groups.

When you assign a policy to the tenant root group, the policy would also be applied to the subscription and management group. For example, if there is a Deny policy at the tenant root group then the policy will be applied to the hierarchy of management groups and subscriptions. Remember that a Deny policy always overrides an Allow policy.

Therefore, you can’t create a virtual machine in TD-Subscription2 if a virtual network can’t also be created. That is why the answer to the statement is No.

Regards,
Gerome @ Tutorials Dojo