
Azure AZ-305 Drill: Enterprise Governance - Azure Policy Scoping in Large Environments

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AZ-305 Expert Architect exam, many candidates struggle with Azure Policy governance scope and assignment levels. In large enterprises managing dozens or hundreds of subscriptions, this decision often hinges on balancing centralized management with delegated control and compliance requirements. Let’s drill into a simulated governance scenario.

The Scenario

Tailspin Manufacturing, a global enterprise specializing in industrial equipment, is modernizing their Azure governance model. They have a large environment with multiple subscriptions grouped into management groups to align with their organizational hierarchy. Tailspin plans to use Azure Policy to enforce compliance and security standards across their cloud estates, which also include hybrid resources managed through Azure Arc.

Key Requirements

Design a scalable governance solution where Azure Policy definitions can be assigned to ensure consistent compliance across various scopes, from broad organizational levels down to resource groups, enabling Tailspin to meet enterprise governance mandates and support delegated administration.

The Options

  • A) Azure Active Directory Administrative Units
  • B) Azure Active Directory Tenant
  • C) Subscription
  • D) Compute Resources
  • E) Resource Group
  • F) Management Group

Correct Answer

C) Subscription
E) Resource Group
F) Management Group


The Architect’s Analysis

Correct Answer: Options C, E, and F

Step-by-Step Winning Logic

Azure Policy is designed to enforce organizational standards via policy assignments at three key Azure scopes:

  • Management Groups: Used to govern large collections of subscriptions aligned by business unit or geography. This supports enterprise-wide policy enforcement, essential for operational excellence and security compliance at scale (CAF Governance discipline).

  • Subscriptions: The core billing and security boundary within Azure. Assigning policies here allows tailored controls per environment (prod, dev), supporting reliability and cost optimization.

  • Resource Groups: Enable granular policy control on subsets of resources, allowing delegated and specialized governance for different application teams or projects and supporting operational agility.

This aligns with Microsoft’s Well-Architected Framework pillars, particularly Operational Excellence and Security, ensuring consistent governance while minimizing administrative overhead.

The Traps (Distractor Analysis)

  • A) Azure AD Administrative Units: These manage user/group permissions inside Azure AD, not resource governance. They cannot be policy assignment scopes.
  • B) Azure AD Tenant: Policy assignments do not target the tenant itself. Although the tenant encompasses all management groups and subscriptions, an assignment must be scoped to one of the enforceable levels (management group, subscription or resource group).
  • D) Compute Resources: Individual compute instances or resources cannot be assigned policies directly; policies apply at resource group or higher scopes only.

The Architect Blueprint

Mermaid Diagram illustrating Azure Policy assignment scopes across a large enterprise:

    graph TD
        Org([Azure AD Tenant]) --> MG1[Management Group - North America]
        Org --> MG2[Management Group - Europe]
        MG1 --> Sub1[Subscription - Prod]
        MG1 --> Sub2[Subscription - Dev]
        Sub1 --> RG1[Resource Group - App1]
        Sub1 --> RG2[Resource Group - App2]
        RG1 --> R1[Virtual Machine]
        style MG1 fill:#0078D4,stroke:#333,color:#fff
        style Sub1 fill:#5C2D91,stroke:#333,color:#fff
        style RG1 fill:#2D7D9A,stroke:#333,color:#fff

Diagram Note: Azure Policy can be assigned at Management Group, Subscription, and Resource Group levels to enforce governance hierarchically across Tailspin Manufacturing’s cloud estate.
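As an added example (not code from the article or from Microsoft), the following Python models the hierarchy in the diagram above and the three assignable scope levels from the Step-by-Step Winning Logic: it classifies ARM scope strings, applies the article's rule that only management group, subscription and resource group scopes accept assignments, and resolves which assignments a given resource inherits up the chain. Management group names, subscription ids and assignment names are constructed, not Tailspin's.

```python
import re
# Constructed hierarchy modelled on the blueprint diagram; names and ids are assumed, not Tailspin's.
MG_PARENT = {"north-america": "tenant-root-group", "europe": "tenant-root-group"}
SUB_PARENT = {"11111111-1111-1111-1111-111111111111": "north-america",   # Subscription - Prod
              "22222222-2222-2222-2222-222222222222": "north-america"}   # Subscription - Dev
# Constructed assignments (name -> scope); the last one is the "compute resource" trap.
ASSIGNMENTS = {
    "require-costcenter-tag": "/providers/Microsoft.Management/managementGroups/north-america",
    "allowed-locations-prod": "/subscriptions/11111111-1111-1111-1111-111111111111",
    "deny-public-ip-app1": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app1",
    "vm-level-attempt": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app1"
                        "/providers/Microsoft.Compute/virtualMachines/vm01",
}

MG_RE = re.compile(r"^/providers/microsoft\.management/managementgroups/([^/]+)$")
SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$")
RG_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/resourcegroups/([^/]+)$")

def scope_level(scope: str) -> str:
    """Classify an ARM scope string (ARM compares scopes case-insensitively)."""
    s = scope.lower()
    if MG_RE.match(s):
        return "managementGroup"
    if SUB_RE.match(s):
        return "subscription"
    if RG_RE.match(s):
        return "resourceGroup"
    if "/providers/" in s and RG_RE.match(s.split("/providers/")[0]):
        return "resource"
    return "unknown"
def is_assignable(scope: str) -> bool:
    """The exam rule: only management group, subscription and resource group scopes take assignments."""
    return scope_level(scope) in {"managementGroup", "subscription", "resourceGroup"}
def governing_scopes(resource_scope: str) -> list:
    """Scopes whose assignments a resource inherits, nearest first, up to the root management group."""
    m = RG_RE.match(resource_scope.lower().split("/providers/")[0])
    if not m:
        raise ValueError("expected a resource inside a resource group")
    sub_id, rg = m.groups()
    chain = [f"/subscriptions/{sub_id}/resourcegroups/{rg}", f"/subscriptions/{sub_id}"]
    mg = SUB_PARENT.get(sub_id)
    while mg:  # walk the management group chain until there is no parent
        chain.append(f"/providers/microsoft.management/managementgroups/{mg}")
        mg = MG_PARENT.get(mg)
    return chain
def effective_assignments(resource_scope: str, assignments: dict) -> list:
    """Assignment names that reach the resource, nearest scope first; non-assignable scopes are dropped."""
    return [name for s in governing_scopes(resource_scope)
            for name, scope in assignments.items() if is_assignable(scope) and scope.lower() == s]
```

Calling effective_assignments on the App1 virtual machine returns the resource group, subscription and North America assignments in that order, while a resource in the Dev subscription inherits only the management group assignment.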

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Azure AD Administrative Units | Low | None | Useful for user/group AD permissions management | Not a valid scope for Azure Policy assignment |
| B) Azure AD Tenant | Medium | None | Covers entire tenant | Cannot assign Azure Policies directly at this scope |
| C) Subscription | Medium | None | Primary resource container for policy enforcement; aligns with billing | Requires policy propagation through nested resources |
| D) Compute Resources | High | N/A | N/A | Policies cannot be assigned at individual resource level |
| E) Resource Group | Low | None | Granular enforcement, delegated governance | Complexity increases with many resource groups |
| F) Management Group | High | None | Enterprise-wide consistent governance across subscriptions | Requires management group hierarchy configured properly |

Real-World Practitioner Insight

Exam Rule

For the AZ-305 exam, always remember: Azure Policy assignments occur only at Resource Group, Subscription, or Management Group scopes — never at individual resources or Azure AD administrative scopes.

Real World

In practice, large enterprises like Tailspin adopt Azure Management Groups to model corporate hierarchy, enabling uniform policy enforcement at the top, reducing administrative drift and supporting hybrid cloud governance with Azure Arc resources scoped under the same policy model.
