AZ-900 Practice Test

AZ-900 Practice Test

 โ–ถ

AZ-900 Azure Management and Governance

Domain 3 Overview: Management and Governance

Azure Management and Governance is the largest domain on the AZ-900 exam, accounting for 30โ€“35% of all questions. This domain tests your understanding of how Azure helps organizations control costs, enforce compliance, and maintain visibility across cloud resources.

Domain 3 is organized around three pillars:

Because this domain makes up roughly one-third of the exam, even a basic conceptual understanding of each tool can meaningfully improve your score. You are not expected to configure these services โ€” only to understand what they do and when you would use them.

Before diving in, make sure you have already reviewed core Azure services and the broader AZ-900 study guide, since governance concepts build on foundational cloud knowledge.

dollar-sign Cost Management Tools
shield Governance Features
activity Monitoring Tools

Cost Management Tools in Detail

Pricing Calculator vs. TCO Calculator

The Azure Pricing Calculator is used before you deploy. You select Azure products, configure their expected usage (region, tier, hours per month), and receive a cost estimate. It is ideal for planning new workloads or comparing service tiers.

The Total Cost of Ownership (TCO) Calculator serves a different purpose: it helps you justify migration by comparing your current on-premises infrastructure costs against equivalent Azure costs over time. You input your existing servers, storage, networking, and labor costs, and the tool projects multi-year savings. On the exam, remember: Pricing Calculator = estimate Azure costs; TCO Calculator = compare cloud vs. on-prem.

Azure Cost Management

Once resources are running, Azure Cost Management (sometimes called Microsoft Cost Management) provides dashboards, budgets, and alerts to track actual spending. You can set budget thresholds that trigger email alerts when costs approach or exceed defined limits, and use cost-analysis views to break down spending by service, resource group, or time period.

Tags

Tags are name-value pairs you attach to Azure resources (e.g., Department: Finance or Environment: Production). Tags do not affect resource behavior, but they make it easy to filter cost reports and allocate charges to specific teams or projects. Tags are applied at the resource or resource-group level.

Governance Features in Detail

Azure Policy vs. Resource Locks

Azure Policy lets you define rules โ€” called policy definitions โ€” that Azure enforces across your subscriptions and resource groups. A policy might require all resources to have a specific tag, restrict deployment to certain regions, or mandate a minimum VM SKU. Policies can audit (report non-compliant resources) or deny (block non-compliant deployments). You can bundle multiple policies into an initiative (also called a policy set).

Resource Locks operate differently: they prevent changes or deletions regardless of the user's permissions. A CanNotDelete lock allows reads and modifications but blocks deletion. A ReadOnly lock prevents all writes โ€” even authorized administrators cannot modify the resource without first removing the lock. Locks are applied at the resource, resource-group, or subscription level and cascade downward.

Key distinction for the exam: Azure Policy enforces what can be deployed or configured; Resource Locks protect existing resources from modification or deletion.

Microsoft Purview

Microsoft Purview is a unified data-governance platform. It discovers data across Azure, on-premises, and multi-cloud environments, classifies it (e.g., identifying personal data or financial records), and tracks data lineage. Purview supports compliance requirements such as GDPR by giving organizations a map of where sensitive data lives and how it flows.

Azure Blueprints

Azure Blueprints package together role assignments, policy assignments, ARM templates, and resource groups into a single reusable definition. When you deploy a blueprint to a subscription, Azure creates all the components consistently and maintains a tracked relationship between the blueprint and what was deployed โ€” making it easy to audit or update governed environments. Blueprints are designed for repeatable, compliant environment setup at scale.

Monitoring Tools in Detail

Azure Advisor

Azure Advisor analyzes your Azure usage and configurations and provides personalized, actionable recommendations across five categories: Cost, Security, Reliability (formerly High Availability), Operational Excellence, and Performance. Advisor is proactive โ€” it surfaces potential improvements before problems occur. For example, it might recommend resizing an underutilized VM or enabling soft delete on a storage account.

Azure Monitor

Azure Monitor is the central platform for collecting, analyzing, and acting on telemetry from Azure and on-premises environments. It ingests metrics (numerical time-series data like CPU usage) and logs (structured or unstructured event records). Key sub-features include Log Analytics (query logs with KQL), Application Insights (application performance monitoring), and Alerts (notifications triggered by metric thresholds or log conditions). Azure Monitor is reactive โ€” it tells you what is happening or has happened.

Azure Service Health

Azure Service Health communicates the health of the Azure platform itself โ€” not your individual resources. It has three components: Azure Status (global outage map), Service Health (personalized alerts for the regions and services you use), and Resource Health (health of your specific resources). If an Azure data center has an outage affecting your region, Service Health is where you learn about it and receive updates.

For a complete picture of exam topics, see the complete AZ-900 guide and review all domains in the Microsoft Certified Azure Fundamentals overview.

Exam Tips: What Each Tool Does โ€” Conceptually
  • Pricing Calculator = estimate costs for new Azure deployments (pre-deployment).
  • TCO Calculator = compare on-premises costs against Azure (migration justification).
  • Azure Cost Management = monitor and alert on live spending (post-deployment).
  • Tags = label resources for cost allocation and filtering โ€” no effect on behavior.
  • Azure Policy = enforce what can/cannot be deployed or configured across your organization.
  • Resource Locks = protect existing resources from deletion (CanNotDelete) or any change (ReadOnly).
  • Microsoft Purview = discover, classify, and govern data across cloud and on-premises sources.
  • Azure Blueprints = package and deploy governed environments repeatably at scale.
  • Azure Advisor = proactive, personalized best-practice recommendations (Cost, Security, Reliability, Ops, Performance).
  • Azure Monitor = reactive telemetry platform โ€” metrics, logs, alerts, Application Insights.
  • Azure Service Health = Azure platform health โ€” outages, planned maintenance, and resource-level health.
Explain the difference between the Pricing Calculator and the TCO Calculator.
Describe what Azure Cost Management does and how budget alerts work.
Explain how resource tags are used for cost allocation.
Distinguish between Azure Policy (rule enforcement) and Resource Locks (change protection).
Know the two lock types: CanNotDelete and ReadOnly.
Describe what Microsoft Purview does and why organizations use it.
Explain the five recommendation categories in Azure Advisor.
Differentiate Azure Monitor (telemetry platform) from Azure Service Health (platform health).
Start Practice Test

What is the difference between the Azure Pricing Calculator and the TCO Calculator?

The Pricing Calculator estimates the cost of specific Azure services you plan to deploy โ€” you select products and configure usage to get a monthly cost estimate. The TCO Calculator is used for migration planning: you input your current on-premises infrastructure (servers, storage, networking, labor) and it projects how much you could save by moving to Azure over time. Use the Pricing Calculator to plan Azure workloads; use the TCO Calculator to justify a migration to stakeholders.

What does Azure Policy do and how is it different from Resource Locks?

Azure Policy defines and enforces rules across your Azure environment โ€” for example, requiring all resources to have specific tags, restricting deployments to certain regions, or mandating particular VM sizes. Policies can audit non-compliant resources or actively block non-compliant deployments. Resource Locks, by contrast, protect resources that already exist: a CanNotDelete lock prevents deletion even by administrators, and a ReadOnly lock prevents any modifications. Policy controls what gets deployed; Locks protect what is already there.

What is Microsoft Purview and when would an organization use it?

Microsoft Purview is a unified data-governance platform that discovers, classifies, and tracks data across Azure, on-premises, and multi-cloud environments. Organizations use it to maintain visibility over where sensitive data (such as personal information or financial records) lives, understand how data flows through systems, and demonstrate compliance with regulations like GDPR. For the AZ-900 exam, think of Purview as the tool that gives you a map of your organization's data landscape.

What are the five recommendation categories in Azure Advisor?

Azure Advisor provides personalized recommendations across five categories: Cost (identify underutilized resources and reduce spending), Security (address security vulnerabilities and misconfigurations), Reliability (improve availability and business continuity), Operational Excellence (improve efficiency and deployments), and Performance (increase the speed and responsiveness of your applications). Advisor analyzes your existing Azure usage and surfaces actionable suggestions โ€” you do not need to configure it, just review and act on its recommendations.

How does Azure Monitor differ from Azure Service Health?

Azure Monitor collects and analyzes telemetry from your own resources โ€” CPU metrics, application logs, response times, error rates โ€” and lets you create alerts when thresholds are breached. It is focused on the health and performance of what you have deployed. Azure Service Health, on the other hand, communicates the health of the Azure platform itself: it reports on outages, planned maintenance, and service advisories for the regions and services you use. If your VM is slow, check Azure Monitor. If an Azure data center has an incident, check Azure Service Health.

What is the purpose of Azure Blueprints?

Azure Blueprints allow you to package a set of Azure components โ€” including role assignments, Azure Policy assignments, ARM templates, and resource groups โ€” into a single reusable definition. When you apply a blueprint to a subscription, Azure deploys all the components consistently and maintains a tracked relationship between the blueprint version and what was deployed. This makes it easy to stand up compliant, governed environments repeatedly across multiple subscriptions. Blueprints are especially useful in large organizations that need to enforce standards across many teams.
โ–ถ Start Quiz