Domain 3: Describe Azure Management and Governance (30-35%)

Domain 3 of the AZ-900 Microsoft Azure Fundamentals exam covers cost management, governance, compliance, resource deployment, and monitoring. This domain represents 30-35% of the exam -- roughly 12-21 questions out of approximately 40-60 total. A score of 700 or greater on a 1000-point scale is required to pass. The exam objectives were last updated January 14, 2026. (AZ-900 Study Guide)

The domain breaks into four exam objective groups:

  1. Describe cost management in Azure
  2. Describe features and tools in Azure for governance and compliance
  3. Describe features and tools for managing and deploying Azure resources
  4. Describe monitoring tools in Azure

3.1 Describe Cost Management in Azure

Factors That Affect Costs in Azure

Azure pricing depends on several factors. Understanding these is critical because the exam regularly tests whether you can identify what drives costs up or down. (Microsoft Learn: Describe factors that can affect costs in Azure)

| Factor | How It Affects Cost |
| --- | --- |
| Resource type | Each Azure service has its own pricing model and meters. A VM is billed for compute hours, disk storage, and networking separately. A storage account is billed by capacity, transactions, and redundancy tier. Different SKUs within the same resource type have different prices. |
| Consumption | Azure uses a pay-as-you-go (PAYG) model by default -- you pay only for what you consume. Reserved Instances (1- or 3-year commitments) offer up to 72% savings over PAYG. Spot VMs use unused Azure capacity at up to 90% discount but can be evicted at any time. |
| Maintenance | Deprovisioning associated resources matters. If you delete a VM but forget to delete its disk, public IP, and NIC, you keep paying for those orphaned resources. |
| Geography (Region) | Power, labor, taxes, and fees vary by region. Deploying in US East is typically cheaper than deploying in Brazil South. Data transfer costs also differ by region -- transferring data within the same region is cheaper than cross-region transfers. |
| Network traffic (Bandwidth) | Inbound data transfers (ingress) to Azure are generally free. Outbound data transfers (egress) are billed based on Billing Zones -- geographical groupings of Azure regions used for bandwidth pricing. |
| Subscription type | Some subscription types include usage allowances. Free Trial subscriptions include a credit. Enterprise Agreements (EA) offer volume-based discounts for multi-year commitments. |
| Azure Marketplace | Third-party solutions purchased through Azure Marketplace have their own pricing set by the vendor, billed through your Azure account. You pay both for the Azure infrastructure and the third-party software license. |

Cost reduction strategies the exam may reference:

| Strategy | Savings | Commitment |
| --- | --- | --- |
| Reserved Instances | Up to 72% off PAYG | 1 or 3 years |
| Azure Savings Plans | Automatic discounts across eligible compute | Fixed hourly spend for 1 or 3 years |
| Spot VMs | Up to 90% off PAYG | None -- VMs can be evicted with short notice |
| Azure Hybrid Benefit | Up to 40% off VM costs | Requires existing Windows Server or SQL Server licenses |
| Dev/Test pricing | Reduced rates for non-production workloads | Requires Visual Studio subscription |

Exam trap: The exam may ask what happens if you delete a VM. Deleting the VM does NOT automatically delete its associated disks, NICs, or public IPs. Those resources continue to incur charges until explicitly deleted.
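
A check for the leftovers described above, as an added example (not code from the original guide or from Microsoft): it scans an inventory for disks, NICs and public IPs that nothing references any more. The inventory is constructed, and its field names are assumed to match the JSON printed by `az disk list`, `az network nic list` and `az network public-ip list`.

```python
# Constructed inventory. The field names (managedBy, virtualMachine,
# privateEndpoint, ipConfiguration, natGateway) are assumed to match the
# Azure CLI's JSON output; verify them against your CLI version.
PROVIDERS = "/subscriptions/sub1/resourceGroups/prod-rg/providers"
DB01 = PROVIDERS + "/Microsoft.Compute/virtualMachines/db01"

INVENTORY = {
    "disks": [
        {"name": "web01-osdisk", "resourceGroup": "prod-rg",
         "managedBy": None, "tags": {"Owner": "TeamAlpha"}},
        {"name": "db01-osdisk", "resourceGroup": "prod-rg",
         "managedBy": DB01, "tags": {}},
    ],
    "nics": [
        {"name": "web01-nic", "resourceGroup": "prod-rg",
         "virtualMachine": None, "privateEndpoint": None, "tags": {}},
        {"name": "db01-nic", "resourceGroup": "prod-rg",
         "virtualMachine": {"id": DB01}, "privateEndpoint": None, "tags": {}},
        {"name": "kv-pe-nic", "resourceGroup": "prod-rg",
         "virtualMachine": None,
         "privateEndpoint": {"id": PROVIDERS + "/Microsoft.Network/privateEndpoints/kv-pe"},
         "tags": {}},
    ],
    "publicIps": [
        {"name": "web01-pip", "resourceGroup": "prod-rg",
         "ipConfiguration": None, "natGateway": None, "tags": None},
        {"name": "nat-pip", "resourceGroup": "prod-rg",
         "ipConfiguration": None,
         "natGateway": {"id": PROVIDERS + "/Microsoft.Network/natGateways/egress"},
         "tags": {}},
    ],
}

# For each resource kind: the fields that, when all are empty, mean the
# resource is no longer attached to anything but is still billed.
ATTACHMENT_FIELDS = {
    "disks": ("managedBy",),
    "nics": ("virtualMachine", "privateEndpoint"),
    "publicIps": ("ipConfiguration", "natGateway"),
}


def find_orphans(inventory):
    """Return unattached disks, NICs and public IPs, sorted by kind and name."""
    orphans = []
    for kind, fields in ATTACHMENT_FIELDS.items():
        for res in inventory.get(kind, []):
            if any(res.get(f) for f in fields):
                continue  # still referenced by a VM, private endpoint or gateway
            tags = res.get("tags") or {}  # tags may be null when none are set
            orphans.append({
                "kind": kind,
                "resourceGroup": res["resourceGroup"],
                "name": res["name"],
                # The Owner tag tells you whom to ask before deleting.
                "owner": tags.get("Owner", "untagged"),
            })
    return sorted(orphans, key=lambda o: (o["kind"], o["name"]))


if __name__ == "__main__":
    for o in find_orphans(INVENTORY):
        print(f'{o["kind"]:<10} {o["resourceGroup"]}/{o["name"]} owner={o["owner"]}')
```

An unattached public IP is also an address that still routes to your subscription, so the same report is worth reviewing for exposure as well as cost.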

Pricing Calculator

The Azure Pricing Calculator is a free, browser-based tool that estimates costs for Azure services before you deploy anything. It does not require an Azure subscription. (Microsoft Learn: Explore the pricing calculator)

How it works:

  1. Select products from the product picker (browse by category or search)
  2. Configure each product: region, tier, instance type, expected usage hours, storage capacity, redundancy options
  3. The calculator generates an estimated monthly cost
  4. Export the estimate as PDF or Excel, or save a shareable link

Key inputs the calculator uses:

  • Region
  • Tier (Free, Basic, Standard, Premium)
  • Instance size and series
  • Operating system
  • Billing option (PAYG, Reserved, Spot)
  • Expected hours of operation
  • Storage type, capacity, and redundancy

If you sign in, the calculator shows your negotiated or discounted prices (e.g., EA pricing) rather than retail rates.

Exam trap: The Pricing Calculator estimates costs for new Azure deployments. It does NOT show your current spending -- that is Cost Management's job.

Total Cost of Ownership (TCO) Calculator

The Azure TCO Calculator compares the cost of running workloads on-premises versus in Azure. It is designed for organizations evaluating whether cloud migration makes financial sense. (Microsoft Learn: Describe cost management in Azure)

Three-step process:

  1. Define workloads: Enter your on-premises infrastructure -- servers (OS, cores, RAM, virtualization), databases (type, cores), storage (capacity, type), networking (outbound bandwidth)
  2. Adjust assumptions: Fine-tune hidden costs -- electricity price per kWh, IT labor costs, real estate, cooling, hardware maintenance cycles, whether to apply Azure Hybrid Benefit, whether to replicate storage across regions
  3. View report: Get a side-by-side comparison over 1-5 years broken down by compute, datacenter, networking, storage, and IT labor

| Calculator | Purpose | Requires Azure Account? |
| --- | --- | --- |
| Pricing Calculator | Estimate Azure costs for specific services you plan to deploy | No |
| TCO Calculator | Compare on-premises costs vs. Azure costs for migration decisions | No |

Exam trap: The TCO Calculator is for comparing on-premises vs. Azure. The Pricing Calculator is for estimating Azure service costs. The exam will test whether you know which to use in which scenario.

Cost Management Capabilities

Microsoft Cost Management is a built-in Azure tool for monitoring, analyzing, and optimizing cloud spending. It is free to use with your Azure subscription.

Core features:

| Feature | What It Does |
| --- | --- |
| Cost analysis | Visualize and explore spending with charts, filters, and groupings. View costs by resource, resource group, subscription, tag, service, or location. Supports daily, monthly, and custom date ranges. |
| Budgets | Set spending limits for subscriptions or resource groups. Azure does NOT automatically stop resources when a budget is exceeded -- budgets generate alerts only. |
| Cost alerts | Three types of alerts: Budget alerts (triggered when spending reaches a threshold you define, e.g., 80% or 100% of budget), Credit alerts (triggered when Azure Prepayment/monetary commitment credits are consumed -- at 90% and 100%), Department spending quota alerts (triggered when department spending reaches a configured threshold). |
| Cost anomaly alerts | Automatically detect unusual spending spikes and notify you. |
| Recommendations | Identifies cost-saving opportunities such as shutting down underutilized VMs, right-sizing resources, and switching to Reserved Instances. These overlap with Azure Advisor cost recommendations. |

Exam trap: Budgets do NOT stop or shut down resources. They only generate alerts. This is a frequently tested distinction.

Purpose of Tags

Tags are name-value pairs applied to Azure resources, resource groups, and subscriptions for organization and cost tracking.

Key facts about tags:

  • A tag consists of a name and a value (e.g., Environment: Production, CostCenter: IT, Owner: jsmith)
  • Each resource, resource group, or subscription can have up to 50 tag name-value pairs
  • Tags are NOT inherited by default -- tags applied to a resource group do NOT automatically flow down to the resources within it
  • You can use Azure Policy to enforce tag inheritance (e.g., "Inherit a tag from the resource group if missing")
  • Cost Management supports tag inheritance as an opt-in setting that applies resource group and subscription tags to child resource usage records for cost analysis
  • Tags are not required by default, but Azure Policy can enforce mandatory tagging (e.g., deny resource creation if a CostCenter tag is missing)

Common uses for tags:

| Use Case | Example Tag |
| --- | --- |
| Cost tracking | CostCenter: Finance |
| Environment identification | Environment: Production |
| Owner identification | Owner: TeamAlpha |
| Compliance / regulation | DataClassification: Confidential |
| Automation | AutoShutdown: 6PM |
| Workload grouping | Project: MigrationPhase2 |

Exam trap: Tags are NOT inherited. If you tag a resource group, the resources inside it do NOT automatically get that tag. You need Azure Policy to enforce inheritance. This is one of the most commonly tested facts in Domain 3.


3.2 Describe Features and Tools for Governance and Compliance

Microsoft Purview

Microsoft Purview is a unified data governance, risk, and compliance platform. It provides a single view across on-premises, multi-cloud, and SaaS data. (Microsoft Learn: Describe features and tools in Azure for governance and compliance)

Two main solution areas:

| Solution Area | What It Covers |
| --- | --- |
| Risk and Compliance (integrates with Microsoft 365) | Data Loss Prevention (DLP), information protection, insider risk management, compliance manager, eDiscovery, audit, records management |
| Unified Data Governance | Data catalog, data discovery, data classification, data lineage tracking across on-premises, multi-cloud, and SaaS data sources |

Key capabilities for AZ-900:

  • Data Catalog: A searchable inventory of data assets across the organization. Enables data discovery so teams can find and understand available data.
  • Data Classification: Automatically identifies and categorizes sensitive data (credit card numbers, social security numbers, etc.) using built-in or custom classifiers.
  • Data Lineage: Tracks how data moves and transforms across systems, showing data flow from source to destination.
  • Compliance Manager: Provides a compliance score and pre-built assessments for industry regulations (GDPR, HIPAA, ISO 27001). Includes recommended improvement actions.
  • Data Loss Prevention (DLP): Policies that prevent sensitive data from being shared inappropriately across email, Teams, SharePoint, and endpoints.

Exam trap: Microsoft Purview is NOT a backup service. It does not back up or restore data. It governs, classifies, and protects data. If the exam asks what tool provides data backup, Purview is the wrong answer.

Azure Policy

Azure Policy enforces organizational standards and assesses compliance at scale. It evaluates resources by comparing their properties against business rules defined in JSON format.

How Azure Policy works:

  1. Create a policy definition -- a JSON rule describing what to evaluate and what action to take (e.g., "deny VMs not in allowed regions")
  2. Assign the policy to a scope -- management group, subscription, resource group, or individual resource
  3. Azure evaluates resources against the policy during creation, updates, and on a regular 24-hour compliance cycle
  4. View compliance through the compliance dashboard showing per-resource, per-policy results

Policy effects (what happens when a resource is non-compliant):

| Effect | Behavior |
| --- | --- |
| Audit | Logs a warning but allows the resource (good for testing before enforcement) |
| Deny | Blocks creation or modification of non-compliant resources |
| Modify | Adds, updates, or removes properties on a resource during creation or update (e.g., add a required tag) |
| DeployIfNotExists | Deploys a related resource if it does not exist (e.g., deploy diagnostic settings) |
| AuditIfNotExists | Audits if a related resource does not exist |
| Append | Adds additional fields to a resource during creation or update |
| Disabled | Turns off the policy without deleting it |

Initiatives (Policy Sets):

An initiative is a collection of policy definitions grouped toward a single goal. For example, the "Enable Monitoring in Microsoft Defender for Cloud" initiative bundles multiple monitoring policies together. Initiatives simplify management -- you assign one initiative instead of dozens of individual policies. Adding a new policy to an initiative automatically includes it in all existing assignments. (Azure Policy Overview)

Built-in policies -- Azure provides hundreds of ready-to-use policy definitions:

  • Allowed Locations (Deny resources outside specified regions)
  • Allowed Resource Types / Not Allowed Resource Types
  • Allowed Virtual Machine SKUs
  • Require a tag on resources
  • Inherit a tag from the resource group

Azure Policy vs. Azure RBAC -- a critical distinction:

| Aspect | Azure Policy | Azure RBAC |
| --- | --- | --- |
| What it controls | Resource properties and state (what a resource looks like) | User actions and permissions (what a user can do) |
| Scope | Evaluates all resources regardless of who made the change | Controls who can perform specific operations |
| Example | "All VMs must be in East US" (denies any VM outside East US, no matter who creates it) | "Only the Network team can create virtual networks" |
| Default behavior | Explicit deny -- blocks non-compliant resources | Allow all -- access must be explicitly granted |

Azure Policy and RBAC work together: RBAC controls who can perform actions, while Policy controls what the resulting resource state must look like. Even if RBAC grants you permission to create a VM, Policy can still deny it if it violates a rule.

Exam trap: Azure Policy is NOT RBAC. Policy evaluates resource state. RBAC evaluates user permissions. The exam frequently presents scenarios asking whether Policy or RBAC is the correct solution. If the question is about restricting what resources look like (location, size, tags), the answer is Azure Policy. If the question is about restricting who can do what, the answer is RBAC.
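
How the two checks combine, as an added example (a simplified model, not Azure's implementation and not code from the original guide): a small evaluator for the `if`/`then` part of a policy rule, run after an RBAC check. The rules, the role table and the helper names are constructed, and only a few condition keywords (`field`, `equals`, `in`, `notIn`, `exists`, `allOf`, `anyOf`, `not`) are handled.

```python
import re

# Constructed rules in the "if"/"then" shape of a policy definition's rule.
RULES = {
    "allowed-locations": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "location", "notIn": ["eastus"]},
        ]},
        "then": {"effect": "deny"},
    },
    "require-costcenter-tag": {
        "if": {"field": "tags['CostCenter']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

# Hypothetical, simplified stand-in for RBAC: role name -> permitted actions.
ROLE_ACTIONS = {
    "Contributor": {"Microsoft.Compute/virtualMachines/write"},
    "Reader": set(),
}

TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")


def field_value(resource, field):
    """Resolve a field alias such as "location" or "tags['CostCenter']"."""
    m = TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def norm(value):
    # This model compares strings case-insensitively.
    return value.lower() if isinstance(value, str) else value


def matches(cond, resource):
    """True when the resource satisfies the condition (rule then applies)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return value == norm(cond["equals"])
    if "in" in cond:
        return value in [norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return value not in [norm(x) for x in cond["notIn"]]
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return (value is not None) == want
    raise ValueError(f"unsupported condition: {cond}")


def decide(role, action, resource, rules=RULES):
    """Return (allowed, findings): RBAC gates the caller, Policy gates the resource."""
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, [f"rbac: {role} lacks {action}"]
    allowed, findings = True, []
    for name, rule in rules.items():
        if matches(rule["if"], resource):
            effect = rule["then"]["effect"].lower()
            findings.append(f"policy {name}: {effect}")
            if effect == "deny":  # audit only records the finding
                allowed = False
    return allowed, findings


if __name__ == "__main__":
    write = "Microsoft.Compute/virtualMachines/write"
    vm = {"type": "Microsoft.Compute/virtualMachines",
          "location": "brazilsouth", "tags": {}}
    print(decide("Contributor", write, vm))  # permitted by RBAC, denied by Policy
    print(decide("Reader", write, vm))       # stopped by RBAC before Policy runs
```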

Resource Locks

Resource locks prevent accidental deletion or modification of Azure resources. Locks override user permissions -- even an Owner cannot delete a resource with a Delete lock without first removing the lock.

Two lock types:

| Lock Type | Portal Name | CLI Name | Effect |
| --- | --- | --- | --- |
| Delete | Delete | CanNotDelete | Users can read and modify the resource but cannot delete it |
| Read-only | Read-only | ReadOnly | Users can read the resource but cannot modify or delete it. Equivalent to granting all users the Reader role on that resource. |

Lock inheritance:

  • Locks applied at a parent scope (subscription or resource group) are inherited by all child resources
  • Resources added later also inherit the parent lock
  • The most restrictive lock in the inheritance chain takes precedence
  • If a resource group has a Delete lock, you cannot delete ANY resource in that group, even if individual resources have no lock

Who can manage locks:

Only users with Microsoft.Authorization/locks/* permissions can create or delete locks. Of the built-in roles, only Owner and User Access Administrator have these permissions. (Azure Resource Locks)

Locks apply to control plane operations only:

Locks protect resources from management operations (control plane: https://management.azure.com). They do NOT restrict data plane operations. A ReadOnly lock on a storage account prevents changing the account configuration, but users can still read and write blob data. A ReadOnly lock on a SQL Database logical server prevents deletion or configuration changes, but users can still query and modify data within the databases.

Exam trap: A ReadOnly lock on a storage account prevents users from listing account access keys (because that is a POST operation on the control plane). This can break applications that rely on key-based access. This is a frequently asked gotcha.

Exam trap: Locks apply regardless of RBAC permissions. Even an Owner cannot delete a locked resource without first removing the lock. The lock must be explicitly removed before the protected action can be performed.
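
The inheritance and control-plane rules above, worked through in a small model (added example; not Azure's implementation and not code from the original guide). The scope IDs, lock table and change plan are constructed, and operations are classified only by plane and HTTP method.

```python
# Higher number = more restrictive; None means no lock applies.
RESTRICTIVENESS = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}

# Constructed scopes: one resource group with two resources inside it.
RG = "/subscriptions/sub1/resourceGroups/prod-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/applogs"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# Locks as assigned: a Delete lock on the group, a ReadOnly lock on the account.
LOCKS = {RG: "CanNotDelete", STORAGE: "ReadOnly"}


def effective_lock(resource_id, locks):
    """Most restrictive lock on the resource or on any parent scope."""
    rid = resource_id.lower().rstrip("/")
    level = None
    for scope, lock in locks.items():
        s = scope.lower().rstrip("/")
        # A lock applies to its own scope and to everything beneath it.
        if rid == s or rid.startswith(s + "/"):
            if RESTRICTIVENESS[lock] > RESTRICTIVENESS[level]:
                level = lock
    return level


def lock_allows(resource_id, plane, method, locks):
    """Would the locks let this operation through?

    There is no role argument on purpose: the lock check is the same for
    an Owner as for anyone else.
    """
    if plane == "data":
        return True  # locks only cover management (control plane) requests
    level = effective_lock(resource_id, locks)
    method = method.upper()
    if level == "ReadOnly":
        return method == "GET"  # POST actions such as listing keys are blocked
    if level == "CanNotDelete":
        return method != "DELETE"
    return True


# Constructed change plan: (label, resource, plane, HTTP method).
PLAN = [
    ("resize VM", VM, "control", "PUT"),
    ("delete VM", VM, "control", "DELETE"),
    ("read storage account settings", STORAGE, "control", "GET"),
    ("change storage redundancy", STORAGE, "control", "PATCH"),
    ("list storage account keys", STORAGE, "control", "POST"),
    ("upload blob", STORAGE, "data", "PUT"),
]


def blocked_steps(plan, locks):
    """Labels of the planned operations that a lock would reject."""
    return [label for label, rid, plane, method in plan
            if not lock_allows(rid, plane, method, locks)]


if __name__ == "__main__":
    for label in blocked_steps(PLAN, LOCKS):
        print("blocked by lock:", label)
```

Running a planned change through a check like this before applying a ReadOnly lock shows which automation, such as key-based storage access, would stop working.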


3.3 Describe Features and Tools for Managing and Deploying Azure Resources

Azure Portal

The Azure portal is a web-based, graphical user interface for managing Azure resources. (Microsoft Learn: Describe features and tools for managing and deploying Azure resources)

Key characteristics:

  • Browser-based -- accessible from any modern browser, no installation needed
  • Provides a GUI for creating, configuring, and monitoring resources
  • Customizable dashboards for organizing frequently used resources
  • Always available -- resilient across Azure datacenters with no downtime for maintenance
  • Best for: one-off tasks, visual exploration, learning Azure

Azure Cloud Shell

Azure Cloud Shell is a browser-based, authenticated shell environment for managing Azure resources. It is accessible from the Azure portal (via the >_ icon), from shell.azure.com, or from the Azure mobile app.

Key characteristics:

| Feature | Detail |
| --- | --- |
| Shell options | Choose between Bash (with Azure CLI pre-installed) and PowerShell (with Azure PowerShell pre-installed). You can switch between them at any time. |
| Authentication | Automatically authenticates with your Azure account -- no manual az login required |
| Persistent storage | Optionally mounts an Azure file share to persist files across sessions. Without storage, Cloud Shell runs as an ephemeral session where files are lost when the window closes. |
| Session timeout | Sessions time out after 20 minutes of inactivity |
| Pre-installed tools | Azure CLI, Azure PowerShell, Terraform, Ansible, kubectl, git, and many more |
| Runs on Azure Linux | The underlying OS is Azure Linux (Microsoft's Linux distribution for cloud workloads) |
| Cost | Cloud Shell itself is free, but the storage account used for persistence incurs a small charge |

Azure CLI vs. Azure PowerShell

Both tools manage Azure resources from the command line. The choice is largely one of preference and existing skill set.

| Feature | Azure CLI | Azure PowerShell |
| --- | --- | --- |
| Syntax | Bash-style (az vm create ...) | Cmdlet-style (New-AzVM ...) |
| Platform | Cross-platform (Windows, macOS, Linux) | Cross-platform (Windows, macOS, Linux) |
| Best for | Linux admins, Bash users | Windows admins, PowerShell users |
| Output format | JSON by default (can switch to table, TSV, YAML) | PowerShell objects |
| Installable | Yes (standalone installer) | Yes (PowerShell module Az) |
| Available in Cloud Shell | Yes | Yes |

Both tools can accomplish the same Azure management tasks. The exam does not test syntax -- it tests whether you understand what these tools are and when you would use them.

Exam trap: Both Azure CLI and Azure PowerShell are cross-platform. Azure CLI is NOT Linux-only, and Azure PowerShell is NOT Windows-only. Both run on Windows, macOS, and Linux.

Azure Arc

Azure Arc extends Azure management and governance to resources outside of Azure -- on-premises servers, multi-cloud environments, and edge locations.

What Azure Arc can manage:

| Resource Type | What Arc Does |
| --- | --- |
| Servers | Manage Windows and Linux physical servers and VMs hosted outside Azure. Install Azure VM extensions, apply Azure Policy, collect logs with Azure Monitor. |
| Kubernetes clusters | Attach and configure Kubernetes clusters running anywhere (on-premises, AWS, GCP, etc.) with multiple supported distributions |
| SQL Server | Extend Azure services to SQL Server instances hosted outside Azure |
| Azure data services | Run Azure SQL Managed Instance and Azure Arc-enabled PostgreSQL on any Kubernetes environment |
| VMware vSphere / SCVMM | Manage on-premises VMs through Azure for lifecycle operations (create, resize, delete, start, stop) |

Key benefits:

  • Manage all resources in a single pane of glass (Azure portal)
  • Apply Azure Policy to non-Azure resources for consistent governance
  • Use Azure RBAC for access control on Arc-enabled resources
  • Use Azure Monitor for centralized monitoring across hybrid environments
  • Apply Azure tags for organization and cost tracking
  • Use GitOps for Kubernetes configuration management

Pricing: Azure Arc control plane features are free -- resource organization, RBAC, tags, search through Resource Graph. You only pay for Azure services you enable on Arc resources (e.g., Azure Monitor, Defender for Cloud). (Azure Arc Overview)

Exam trap: Azure Arc does NOT move or migrate resources to Azure. It projects them into Azure Resource Manager so they can be managed using Azure tools. The resources stay where they are (on-premises, in AWS, etc.) but become visible and manageable from Azure.

Infrastructure as Code (IaC)

Infrastructure as Code means managing and provisioning infrastructure through machine-readable definition files rather than manual processes.

Two approaches:

| Approach | Description | Example Tools |
| --- | --- | --- |
| Declarative | You describe the desired end state. The tool figures out how to achieve it. | ARM templates, Bicep, Terraform |
| Imperative | You write step-by-step commands to execute. The tool does exactly what you tell it. | Azure CLI scripts, Azure PowerShell scripts |

Key IaC benefits:

  • Idempotent: Deploy the same template multiple times and get the same result. If a resource already exists in the desired state, no changes are made.
  • Repeatable: The same template deploys consistently across environments (dev, test, prod).
  • Version-controlled: Templates stored in source control provide audit trails and rollback capability.
  • Consistent: Eliminates configuration drift caused by manual changes.

Azure Resource Manager (ARM)

Azure Resource Manager (ARM) is the deployment and management service for Azure. It is the control plane that processes ALL requests -- whether you use the portal, CLI, PowerShell, SDKs, or REST API, the request goes through ARM.

What ARM provides:

  • Consistent management layer: Every tool (portal, CLI, PowerShell, SDKs) sends requests through the same ARM API. Results are consistent regardless of tool used.
  • Resource group management: Deploy, manage, and delete resources as a group
  • Dependency management: ARM deploys resources in the correct order based on declared dependencies
  • Access control: RBAC is built into ARM for fine-grained access management
  • Tagging: Organize resources logically
  • Billing clarity: View costs grouped by tags

ARM Templates

ARM templates are JSON files that define Azure infrastructure using declarative syntax.

Template structure:

{
  "$schema": "https://schema.management.azure.com/...",
  "contentVersion": "1.0.0.0",
  "parameters": { },
  "variables": { },
  "resources": [ ],
  "outputs": { }
}

| Section | Purpose | Limit |
| --- | --- | --- |
| $schema | Location of the JSON schema file that describes the template version | Required |
| contentVersion | Version of the template (e.g., "1.0.0.0") | Required |
| parameters | Values provided at deployment time to customize the deployment (region, VM size, etc.) | Max 256 parameters |
| variables | Values constructed within the template to simplify complex expressions | Max 256 variables |
| resources | The Azure resources to deploy or update | Required |
| outputs | Values returned after deployment (e.g., public IP address, connection string) | Max 64 outputs |

Key characteristics:

  • Declarative: You state what you want, not how to create it
  • Idempotent: Deploying the same template again produces the same result without duplicating resources
  • Orchestrated: ARM handles dependency ordering and deploys independent resources in parallel
  • Modular: Templates can be linked or nested for reuse
  • Validated: ARM validates the template before deployment begins

Bicep

Bicep is a domain-specific language (DSL) that simplifies writing ARM templates. Bicep files are transpiled (converted) into standard ARM template JSON during deployment.

Bicep vs. ARM template JSON:

| Aspect | ARM Template (JSON) | Bicep |
| --- | --- | --- |
| Syntax | Verbose JSON | Concise, readable DSL |
| Learning curve | Higher -- JSON nesting is complex | Lower -- cleaner syntax |
| Output | Native deployment format | Transpiled to ARM JSON |
| Modularity | Linked/nested templates | Native module support |
| Tooling | JSON editors | VS Code extension with IntelliSense |

Bicep is functionally equivalent to ARM templates -- anything you can do in JSON you can do in Bicep, and vice versa. Bicep is a convenience layer, not a replacement.

Exam trap: Bicep is listed in the official January 2026 AZ-900 skills-measured document alongside ARM templates. Know that Bicep is a DSL that transpiles to ARM template JSON and provides simpler syntax for the same deployments.


3.4 Describe Monitoring Tools in Azure

Azure Advisor

Azure Advisor is a free, personalized recommendation engine that analyzes your Azure resources and provides actionable best-practice recommendations. (Microsoft Learn: Describe the purpose of Azure Advisor)

Five recommendation categories:

| Category | What It Recommends |
| --- | --- |
| Reliability | Improve continuity of business-critical applications. Examples: enable VM backups, add resources to availability zones, configure redundancy. |
| Security | Detect threats and vulnerabilities. Examples: enable encryption, close open management ports, apply network security groups. (Security recommendations are provided by Microsoft Defender for Cloud.) |
| Performance | Improve application speed. Examples: resize underperforming VMs, use caching, optimize SQL query performance. |
| Operational Excellence | Improve process efficiency and deployment practices. Examples: configure service health alerts, adopt best practices for resource naming, apply resource tags. |
| Cost | Reduce spending without sacrificing performance. Examples: shut down underutilized VMs, right-size resources, purchase Reserved Instances, delete unused resources. |

Key facts:

  • Recommendations are personalized to your deployed resources
  • Accessible from the Azure portal (search "Advisor")
  • Recommendations include a direct link to take action
  • You can filter recommendations by subscription, resource group, or category
  • Advisor is free -- no additional cost

Exam trap: Azure Advisor provides recommendations. It does NOT automatically apply changes. You must review and act on recommendations manually (or set up automation). Advisor is also NOT the same as Azure Monitor -- Advisor gives best-practice recommendations while Monitor collects telemetry data.

Azure Service Health

Azure Service Health provides a personalized view of the health of Azure services and regions you use. It combines three separate services into one experience. (Microsoft Learn: Describe Azure Service Health)

Three components:

| Component | Scope | What It Shows |
| --- | --- | --- |
| Azure Status | Global -- all Azure regions and services | Broad view of Azure service health worldwide. Shows widespread outages. Available at status.azure.com. |
| Service Health | Your subscriptions -- services and regions you actually use | Personalized view of outages, planned maintenance, and health/security advisories that affect YOUR resources. Supports configurable alerts. |
| Resource Health | Individual resources | Diagnoses whether a specific resource (e.g., a particular VM) is healthy or experiencing a problem. Shows current and historical health status. |

Service Health event types:

| Event Type | Description |
| --- | --- |
| Service issues | Active problems in Azure that affect your resources right now (outages, degraded performance) |
| Planned maintenance | Upcoming scheduled maintenance that may affect your resources. Advance notice so you can plan. |
| Health advisories | Changes in Azure services that require your attention (e.g., a feature being deprecated, an action required on your part) |
| Security advisories | Security-related notifications or vulnerabilities that affect your Azure services |

Key facts:

  • Service Health can send alerts via email, SMS, webhook, or push notification
  • You can create Service Health alerts to be notified of issues affecting your services
  • Provides root cause analysis (RCA) reports after incidents are resolved
  • Service Health is free -- no additional cost

Exam trap: Azure Status (status.azure.com) shows the big picture for ALL of Azure globally. Service Health in the portal is personalized to YOUR subscriptions and resources. The exam tests whether you know the difference. If the question asks about a broad Azure-wide outage page, the answer is Azure Status. If it asks about notifications specific to your deployed resources, the answer is Service Health.

Azure Monitor

Azure Monitor is the comprehensive monitoring platform for collecting, analyzing, and acting on telemetry from Azure and non-Azure resources. (Microsoft Learn: Describe Azure Monitor)

What Azure Monitor collects:

| Data Type | Description | Examples |
| --- | --- | --- |
| Metrics | Numerical values collected at regular intervals describing resource performance | CPU percentage, available memory, disk IOPS, network bytes in/out |
| Logs | Text-based records of events and traces | Activity logs (who did what), diagnostic logs (resource-level events), application logs |

Key components of Azure Monitor:

| Component | What It Does |
| --- | --- |
| Log Analytics workspace | Central repository where log data is stored. You query logs using Kusto Query Language (KQL). Multiple resources across subscriptions can send data to the same workspace. |
| Azure Monitor alerts | Notify you when specific conditions are met. Alert rules define the condition (metric threshold, log query result, activity log event) and the action (email, SMS, webhook, run an Azure Function, trigger an IT service management tool). |
| Application Insights | An Application Performance Management (APM) service for monitoring live web applications. Supports .NET, Java, Node.js, Python, and more. Auto-detects performance anomalies, tracks request rates, response times, failure rates, and dependencies. Can be configured with an SDK in your application code or with a codeless agent. |

Application Insights monitors:

  • Request rates, response times, and failure rates
  • Dependency tracking (calls to databases, REST APIs, external services)
  • Page views and load performance (for web apps)
  • User and session counts
  • Performance counters (CPU, memory, network)
  • Exception tracking and diagnostics
  • Custom events and metrics you define in your code

Azure Monitor data flow:

  1. Resources generate metrics and logs
  2. Data is sent to Azure Monitor (metrics database and/or Log Analytics workspace)
  3. You analyze data using metrics explorer, Log Analytics (KQL queries), or workbooks
  4. Alerts trigger notifications or automated actions based on conditions you define
  5. Dashboards and visualizations display real-time and historical data

Exam trap: Azure Monitor is the umbrella platform. Log Analytics and Application Insights are features within Azure Monitor, not separate services. The exam may test whether you understand this hierarchy.

Exam trap: Azure Monitor collects data. Azure Advisor provides recommendations. These are different tools with different purposes. Monitor tells you what IS happening. Advisor tells you what you SHOULD do.


Quick Reference: Tool Comparison

The exam frequently tests whether you can pick the correct tool for a given scenario. Use this table to distinguish between overlapping tools.

| Scenario | Correct Tool |
| --- | --- |
| Estimate cost of deploying new VMs to Azure | Pricing Calculator |
| Compare on-premises datacenter costs vs. Azure | TCO Calculator |
| View current Azure spending and set budget alerts | Cost Management |
| Get recommendations to reduce Azure spending | Azure Advisor (Cost category) |
| Enforce a rule that all VMs must be in East US | Azure Policy |
| Restrict who can create virtual networks | Azure RBAC |
| Prevent accidental deletion of a production database | Resource Lock (Delete lock) |
| Manage on-premises servers from Azure portal | Azure Arc |
| Deploy 50 identical VMs with consistent configuration | ARM template (or Bicep) |
| Check if Azure is experiencing a global outage | Azure Status (status.azure.com) |
| Get notified of planned maintenance affecting your VMs | Service Health |
| Investigate why a specific VM is running slowly | Azure Monitor (metrics/logs) |
| Monitor web app response times and failure rates | Application Insights |
| Find and classify sensitive data across your organization | Microsoft Purview |

Common Exam Traps Summary

| Trap | Correct Answer |
| --- | --- |
| Tags are inherited from resource groups to resources | False -- tags are NOT inherited by default. Use Azure Policy to enforce inheritance. |
| Budgets automatically stop resources when exceeded | False -- budgets only generate alerts. |
| Deleting a VM deletes all associated resources | False -- disks, NICs, and public IPs must be deleted separately. |
| Azure Policy and RBAC do the same thing | False -- Policy controls resource state; RBAC controls user permissions. |
| Resource locks can be overridden by Owners | False -- locks must be explicitly removed first, even by Owners. |
| Azure CLI only works on Linux | False -- Azure CLI is cross-platform (Windows, macOS, Linux). |
| Azure Arc migrates resources to Azure | False -- Arc projects resources into ARM for management; resources stay where they are. |
| Microsoft Purview provides data backup | False -- Purview provides data governance, classification, and compliance. |
| Azure Advisor automatically fixes issues | False -- Advisor provides recommendations; you must act on them. |
| ReadOnly locks protect data in a storage account | False -- locks only affect control plane operations, not data plane. |
