Question 16 - Microsoft Azure AZ-500 Real Exam Questions [March 2026 Update]

Q: 16

From Azure Security Center, you need to deploy SecPol1. What should you do first?

Options

Discussion

Quinn F. Mar 18, 2026 7:40 am

B . You gotta set the management group first, otherwise you can't assign SecPol1 to anything meaningful. Seen this step called out in a bunch of official guides and labs, pretty sure it's the right starting point.

SteadyArchitect8556 Mar 7, 2026 8:09 am

Does anyone know if the question says there's already a management group? If so, would C (create an initiative) be next or are we missing something else in the requirements?

Olivia Mar 6, 2026 5:20 pm

C/B? Tempting to pick C since initiatives bundle policies, but you can't assign anything without a management group first. B feels right, seen similar on practice but open if I'm missing a twist.

Nathan P. Mar 18, 2026 1:18 pm

C here. Initiative brings policies together, so I'd pick that before thinking about the scope. Not totally sure though.

Jamie N. Mar 5, 2026 9:19 pm

I thought C at first since initiatives bundle policies, but now not so sure. C

SkepticalConsultant3062 Mar 11, 2026 2:52 am

Had something like this in a mock. You always need to define the scope first, so creating an Azure Management group (B) makes the most sense here. Without that, there's nothing for your security policy to attach to at org level. Pretty sure B is correct but open to other thoughts if I missed a nuance.

Nora G. Mar 3, 2026 2:23 am

B imo. You need the management group in place to define where SecPol1 goes. Option C is tempting but without a scope set first, you can't deploy. Seen similar setup in previous practice sets.

Leo Mar 4, 2026 2:31 pm

B for this one.

Riley Y. Mar 6, 2026 8:29 pm

B tbh. Before you assign a security policy in Security Center, you need a management group so you have something to target at the right scope. Just setting up the policy before that wouldn't work as expected. Not 100% sure but that's how it's been in similar questions. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

Azure Security Center (now part of Microsoft Defender for Cloud) leverages Azure Policy to enforce security configurations. To deploy a security policy, you must first define the scope of its assignment. While policies can be assigned to individual subscriptions, the best practice for managing policies across an organization is to use management groups. Creating a management group allows you to apply policies, access controls, and compliance settings to a collection of subscriptions efficiently. Therefore, the foundational step, especially for a structured deployment of a new policy like "SecPol1," is to create the management group that will serve as the target scope for the policy assignment.

Why Incorrect

A. Enable Azure Defender: Azure Defender (now Microsoft Defender for Cloud plans) provides advanced threat protection. Basic security policy management is available in the free tier and does not require enabling paid plans first.

C. Create an initiative: An initiative (or policy set) is a definition of a collection of policies. While you might need to create a custom initiative, you cannot assign or "deploy" it without first having a scope (like a management group or subscription) to assign it to.

D. Configure continuous export: Continuous export is a feature for streaming security alerts and recommendations to external tools like a SIEM. It is unrelated to deploying or assigning security policies.

References

1. Microsoft Learn

"Organize your resources with Azure management groups": "If your organization has many subscriptions

you may need a way to efficiently manage access

policies

and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions... You can apply governance conditions like policies... at the management group level." This document establishes that management groups are the primary tool for organizing subscriptions to apply policies.

2. Microsoft Learn

"What is Azure Policy?": Under the "Assignment" section

it states

"An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to a resource group." This confirms that a scope

such as a management group

is a prerequisite for policy assignment (deployment).

3. Microsoft Learn

"Security policy and compliance": "Defender for Cloud uses Azure Policy to set policies and to check for compliance... To apply a security policy to a group of resources

you can assign the policy to a management group

a subscription

or a resource group." This highlights that the assignment process

which is the deployment of the policy

requires a target scope

and management groups are a primary option for this.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE