
Azure Monitor Questions: Metrics, Logs and Alerts

Azure Monitor is the umbrella service for all Azure observability. The AZ-104 exam tests which component to use for which monitoring scenario.


Azure Monitor questions on the AZ-104 exam test whether you can choose the right monitoring component for a given scenario. The confusion usually comes from the overlapping terminology — metrics vs logs, alerts vs action groups, Application Insights vs Log Analytics.

Azure Monitor: The Umbrella

Azure Monitor is not a single tool — it is a platform that includes:

  • Metrics — Numerical time-series data about resource performance
  • Logs — Text-based event data stored in Log Analytics workspaces
  • Alerts — Notifications triggered when conditions are met
  • Insights — Curated monitoring views for specific services (VM Insights, Container Insights, Application Insights)

Metrics

Metrics are lightweight numerical values collected at regular intervals (typically every minute). Examples:

  • CPU percentage on a VM
  • Number of requests to a web app
  • Storage account transactions
  • Database DTU consumption

Metrics are stored for 93 days by default. They are ideal for real-time dashboards and performance trending.

Use metrics when: you need to see current or recent performance numbers, set up auto-scaling triggers, or create performance dashboards.

Logs

Logs are text-based records of events. They are stored in a Log Analytics workspace and queried using the Kusto Query Language (KQL).

Log sources include:

  • Azure Activity Log (subscription-level operations: who created what, when)
  • Resource diagnostic logs (enabled via Diagnostic settings on each resource)
  • VM agent logs (collected via Log Analytics agent or Azure Monitor agent)
  • Custom logs from applications

Logs are retained for 31 days by default in a Log Analytics workspace (configurable up to 2 years, or archive to Storage).

Use logs when: you need to investigate past events, answer "who did what when" questions, or correlate events across multiple resources.

Exam scenario: "An administrator wants to see who deleted a storage account last week." — Query the Azure Activity Log via Log Analytics.
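
The scenario above worked through as an added example (not part of the original guide): a Python filter over constructed rows that use the column names of the `AzureActivity` table in a Log Analytics workspace, with the equivalent KQL in the docstring. The callers, IP addresses and resource IDs are made up for illustration.

```python
from datetime import datetime, timedelta, timezone

DELETE_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"
OK_STATUS = {"success", "succeeded"}  # newer and legacy status spellings
SUB = "/subscriptions/SUB-ID/resourcegroups/rg-app/providers/"  # placeholder prefix

def row(ts, op, status, caller, ip, rid):
    """Build one record using AzureActivity column names."""
    return {"TimeGenerated": ts, "OperationNameValue": op, "ActivityStatusValue": status,
            "Caller": caller, "CallerIpAddress": ip, "_ResourceId": SUB + rid}

# Constructed sample rows (hypothetical callers, IPs and resources), not real data.
SAMPLE_ROWS = [
    row("2024-05-06T09:14:02Z", DELETE_OP, "Start", "alice@contoso.example",
        "203.0.113.10", "microsoft.storage/storageaccounts/stlogs01"),
    row("2024-05-06T09:14:05Z", DELETE_OP, "Success", "alice@contoso.example",
        "203.0.113.10", "microsoft.storage/storageaccounts/stlogs01"),
    row("2024-05-08T17:40:11Z", DELETE_OP, "Failure", "bob@contoso.example",
        "198.51.100.7", "microsoft.storage/storageaccounts/stbackup02"),
    row("2024-04-20T08:00:00Z", DELETE_OP, "Success", "carol@contoso.example",
        "192.0.2.44", "microsoft.storage/storageaccounts/stold03"),
    row("2024-05-09T11:02:30Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success",
        "dave@contoso.example", "203.0.113.99", "microsoft.compute/virtualmachines/vm01"),
]

def who_deleted_storage(rows, now, days=7):
    """Completed storage-account deletions in the last `days` days.

    Equivalent KQL against the workspace:
      AzureActivity
      | where TimeGenerated > ago(7d)
      | where OperationNameValue =~ "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"
      | where ActivityStatusValue in~ ("Success", "Succeeded")
      | project TimeGenerated, Caller, CallerIpAddress, _ResourceId
    """
    cutoff = now - timedelta(days=days)
    hits = []
    for r in rows:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        if (ts > cutoff and r["OperationNameValue"].upper() == DELETE_OP
                and r["ActivityStatusValue"].lower() in OK_STATUS):
            hits.append((r["TimeGenerated"], r["Caller"], r["CallerIpAddress"], r["_ResourceId"]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in who_deleted_storage(SAMPLE_ROWS, datetime(2024, 5, 10, tzinfo=timezone.utc)):
        print(*hit)
```

The `AzureActivity` table only has rows when the subscription's Activity Log is routed to the workspace through a diagnostic setting. Filtering on the completed status matters because one deletion produces both a start and a completion record.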

Alerts

An alert rule monitors a metric or log and triggers an action when a threshold is breached.

Components:

  • Alert rule — Defines the condition (CPU > 90% for 5 minutes)
  • Action group — What happens when the alert fires (send email, SMS, call webhook, trigger Azure Function, run a Logic App or an Automation runbook)
  • Alert state — New, Acknowledged, Closed

Exam trap: the alert rule and the action group are separate resources. You can reuse the same action group across multiple alert rules. A question asking "how do you ensure the same team is notified for alerts from both a VM and a storage account" — create one action group and attach it to both alert rules.

Diagnostic Settings

Most Azure resources do not send logs anywhere by default. You must enable Diagnostic settings to route logs to:

  • A Log Analytics workspace (for querying and alerting)
  • An Azure Storage account (for archival and cost-effective long-term retention)
  • An Event Hub (for streaming to third-party SIEM tools)

Exam scenario: "An administrator needs to send Azure SQL Database query logs to a SIEM." — Enable Diagnostic settings on the SQL database and route to Event Hub.

Application Insights

Application Insights is an application performance monitoring (APM) service built on top of Azure Monitor. It collects:

  • Request rates, response times, failure rates
  • Dependency calls (external services)
  • Custom events and metrics from the application
  • User behaviour (page views, session counts)

Exam distinction: Application Insights monitors your application code and user experience. Azure Monitor Metrics monitor the infrastructure beneath it (VM CPU, memory). Both feed into the same Azure Monitor platform.

Activity Log vs Diagnostic Logs

| Log Type | What It Records | Who Enables It |
|---|---|---|
| Activity Log | Subscription-level operations (create, delete, modify resources) | Always on by default |
| Diagnostic Logs | Resource-specific detail (query logs, access logs, metrics) | Must be enabled via Diagnostic settings |


Log Analytics Workspace — The Central Logging Hub

A Log Analytics workspace is where all log data in Azure Monitor is stored and queried. Metrics flow separately (to the metrics store), but logs — including resource logs, activity logs, and agent-collected data — all land in Log Analytics.

Key facts the exam tests:

KQL (Kusto Query Language) is the query language. You don't need to write KQL for AZ-104, but you need to know that logs are queried with KQL and that the language supports joining, filtering, aggregating, and charting.

Data retention: 30 days of interactive retention are included free. You can extend up to 2 years (extended retention at lower cost) or archive to a Storage Account for even longer. The exam tests: "How long are logs retained in a Log Analytics workspace by default?" → 30 days.

Multiple sources in one workspace: a single Log Analytics workspace can receive logs from VMs across multiple subscriptions and regions. The exam pattern for centralised logging: "A company has 5 Azure subscriptions and wants to centralise all logs in one location for querying and alerting." → Create one Log Analytics workspace, configure diagnostic settings on all resources to send logs to it.

Portal path: Monitor → Log Analytics workspaces → Create (or search directly for "Log Analytics workspaces").

To query: Log Analytics workspace → Logs → enter KQL query.

Application Insights — The Application Performance Monitoring Layer

Application Insights is Azure Monitor's application performance monitoring (APM) service. It sits on top of Azure Monitor infrastructure but is focused on application-layer telemetry, not infrastructure metrics.

What it collects automatically (with the SDK or auto-instrumentation):

  • HTTP request rates, response times, failure rates
  • Dependency calls (SQL, HTTP calls to external services)
  • Exceptions and stack traces
  • Page views and user session data (for browser-side monitoring)
  • Custom events and metrics your code emits

Application Insights is the correct answer for scenarios about application monitoring. If a question mentions "monitor API response times," "track exception rates," "identify slow database queries from the application's perspective," or "measure user behaviour in a web app" — the answer is Application Insights.

Azure Monitor metrics and Log Analytics are for infrastructure: CPU, memory, disk, network at the VM/service level. The exam specifically tests this boundary.

Exam trap: "A company wants to monitor the performance of their Azure VMs." → Azure Monitor metrics. "A company wants to monitor the performance of their web application hosted on Azure App Service." → Application Insights.

Action Groups — What Happens When an Alert Fires

An action group defines the set of actions to take when an alert fires. Actions include: email, SMS, voice call, push notification to the Azure mobile app, Azure Function (run custom code), Logic App, webhook (call any HTTPS endpoint), ITSM connector, Automation Runbook.

Action groups are reusable — the same action group can be referenced by multiple alert rules. This is the key exam point. If you have 20 alert rules that all need to notify the same on-call team, you create one action group and reference it from all 20 rules. Changing the notification list means updating one action group instead of 20 alert rules.

Exam pattern: "A company has 15 alert rules and needs all of them to notify the NOC team via email and page via SMS. What is the most efficient approach?" → Create one action group with email and SMS actions, reference it from all 15 alert rules.

Action groups are created in the portal at: Monitor → Alerts → Action groups → Create. They can also be created during alert rule creation.

Diagnostic Settings — Where Logs Go

Diagnostic settings control where a resource sends its platform logs (resource logs, activity logs) and metrics. Without a diagnostic setting, that data stays inside the resource and is not accessible for analysis or archiving.

Three destination types and the exam scenario for each:

Log Analytics workspace — For querying, alerting, and dashboarding. Use when you need to run KQL queries against the data, create alert rules based on log content, or correlate logs across multiple resources.

Storage Account — For long-term archiving. Data lands as JSON blobs. You can't query it directly from Storage — it's for compliance archiving where you need the data to be retained for years but rarely accessed. Exam clue: "long-term archive," "retain logs for 7 years for compliance."

Event Hub — For streaming logs in real time to external systems. Common use: SIEM integration (Splunk, Microsoft Sentinel via Event Hub connector). Exam clue: "real-time security information and event management," "stream logs to a third-party SIEM."

A single diagnostic setting can send to all three destinations simultaneously. The exam tests: "A company needs logs available for querying and alerting, archived for 5 years, and streamed to their SIEM. How many diagnostic settings are needed?" → One diagnostic setting with all three destinations.
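
A coverage check for the three-destination rule above, as an added example (not from the original guide): it reads constructed diagnostic-setting records whose field names follow the Azure Monitor diagnostic settings resource (`workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`) and reports which required destinations each resource is missing. Resource names and IDs are hypothetical, and the check assumes only log categories matter, not metrics.

```python
# Destination -> property that is populated on a diagnostic setting when the
# destination is configured (field names as in the diagnostic settings resource).
DEST_FIELDS = {
    "log_analytics": "workspaceId",
    "storage": "storageAccountId",
    "event_hub": "eventHubAuthorizationRuleId",
}
ALL_LOGS = [{"categoryGroup": "allLogs", "enabled": True}]

# Constructed inventory (hypothetical resources and IDs): resource -> its settings.
SAMPLE_INVENTORY = {
    "sqldb-orders": [  # one setting, three destinations
        {"name": "all-in-one", "logs": ALL_LOGS, "workspaceId": "/example/law-central",
         "storageAccountId": "/example/starchive",
         "eventHubAuthorizationRuleId": "/example/eh-siem-rule"},
    ],
    "kv-secrets": [  # destinations split over two settings, no SIEM stream
        {"name": "to-law", "logs": ALL_LOGS, "workspaceId": "/example/law-central"},
        {"name": "to-archive", "logs": ALL_LOGS, "storageAccountId": "/example/starchive"},
    ],
    "appgw-edge": [  # destination set, but every log category is disabled
        {"name": "stale", "logs": [{"categoryGroup": "allLogs", "enabled": False}],
         "eventHubAuthorizationRuleId": "/example/eh-siem-rule"},
    ],
    "appsvc-web": [],  # no diagnostic setting at all
}

def destinations(setting):
    """Destinations a setting actually feeds; empty if no log category is enabled."""
    if not any(entry.get("enabled") for entry in setting.get("logs", [])):
        return set()
    return {dest for dest, field in DEST_FIELDS.items() if setting.get(field)}

def missing_destinations(inventory, required=frozenset(DEST_FIELDS)):
    """Map each resource to the required destinations none of its settings cover."""
    report = {}
    for resource, settings in inventory.items():
        covered = set().union(*(destinations(s) for s in settings))
        report[resource] = sorted(required - covered)
    return report

if __name__ == "__main__":
    for resource, gaps in missing_destinations(SAMPLE_INVENTORY).items():
        print(resource, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

A resource with a destination configured but no enabled log category is reported the same as one with no setting, since nothing reaches the workspace, archive or SIEM in either case.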

Azure Advisor — The Proactive Recommendation Service

Azure Advisor is frequently confused with Azure Monitor because both surface information about your Azure resources. The distinction:

Azure Monitor — Collects and analyzes telemetry (metrics, logs) from resources. You define what to watch and what constitutes an alert condition. Reactive.

Azure Advisor — Analyzes your Azure usage and configuration and provides proactive recommendations across five categories: Cost, Performance, Security, Reliability (formerly High Availability), and Operational Excellence. Advisor identifies underutilised VMs for right-sizing, flags unprotected resources, recommends enabling soft delete, etc.

Exam pattern: "A company wants to identify virtual machines that are underutilised so they can be right-sized to reduce costs." → Azure Advisor (not Azure Monitor, not Azure Cost Management specifically, not Log Analytics).

Azure Advisor recommendations are pulled from analysis of your actual usage data over the past 7 days. No configuration is needed — it's on by default.

Monitor Workbooks — The Visualisation Layer

Azure Monitor Workbooks are interactive, parameterised reports that combine metrics charts, log query results, text, and links into a single visual document. They're more flexible than dashboard tiles and support user input (dropdowns, date pickers) to filter the view dynamically.

Workbooks support:

  • KQL queries against Log Analytics
  • Azure Resource Graph queries
  • Metrics charts
  • Conditional formatting, grid views, charts
  • Parameter-driven filtering (select a subscription or VM from a dropdown, all visuals update)

The exam tests Workbooks for the scenario: "A company needs an interactive dashboard that shows both metrics and log query results for a specific application, allowing users to filter by time range and resource group." → Workbooks. (Azure dashboards support metrics tiles but not KQL log results in the same interactive view.)

Portal path: Monitor → Workbooks → New (or use a gallery template as a starting point).
