Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsAZ-900DomainsDescribe Azure management and governance
AZ-900Free — No Signup

Describe Azure management and governance

Azure Management and Governance covers the tools and practices for organizing, securing, and controlling Azure resources, including Azure Policy, RBAC, resource locks, tags, cost management, and the Cloud Adoption Framework.

328questions

Start practicing

Describe Azure management and governance — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

AZ-900 Domains

Describe cloud conceptsDescribe Azure architecture and servicesDescribe Azure management and governance

Domain overview

About the Describe Azure management and governance domain

Azure Management and Governance is the domain that covers how to organize, secure, and control your Azure resources at scale. Think of it as the 'operating system' for your cloud environment—it includes tools for managing multiple subscriptions, applying policies to enforce compliance, tracking costs, and ensuring your cloud stays secure and well-organized. For example, you might use Azure Policy to automatically block the creation of virtual machines in certain regions, or Azure Cost Management to set budgets and get alerts when spending exceeds a threshold.

This domain is crucial because without proper governance, cloud environments can quickly become chaotic, expensive, and insecure. In real-world IT, a company might have hundreds of subscriptions and thousands of resources; governance tools help administrators maintain control, meet regulatory requirements, and optimize costs. On the AZ-900 exam, this domain tests your understanding of these management and governance services, not their deep technical implementation.

You'll need to know what each service does, when to use it, and how they relate to each other. Common topics include Azure Blueprints, Azure Policy, Role-Based Access Control (RBAC), resource locks, tags, Azure Cost Management, and the Microsoft Cloud Adoption Framework. To study effectively, focus on the purpose and use cases of each service rather than memorizing steps.

Use Microsoft's free documentation and the Azure portal to explore these tools in a trial subscription. Create a resource group, apply a policy, set up a budget, and assign roles—this hands-on practice will solidify your understanding and help you answer scenario-based questions on the exam.

Exam objectives

What Describe Azure management and governance tests on AZ-900

  1. 1

    Azure Policy – creating and assigning policies to enforce compliance rules

  2. 2

    Role-Based Access Control (RBAC) – assigning roles like Owner, Contributor, Reader to users/groups

  3. 3

    Resource locks – preventing accidental deletion or modification of resources

  4. 4

    Tags – organizing resources with metadata for cost tracking and management

  5. 5

    Azure Cost Management – setting budgets, analyzing costs, and using pricing calculator

  6. 6

    Azure Blueprints – packaging policies, RBAC, and resource groups for repeatable deployments

Watch out — common Describe Azure management and governance traps

  • !

    Confusing Azure Policy with Azure RBAC: Policy enforces rules on resources (e.g., 'must have a tag'), while RBAC controls who can access resources

  • !

    Thinking resource locks prevent all changes: Read-only lock prevents modification but not deletion; Delete lock prevents deletion but allows modification

  • !

    Assuming tags are inherited by default: Tags are not automatically inherited from resource groups to resources; you must apply them explicitly or use Azure Policy to enforce inheritance

Practice Describe Azure management and governance questions

10Q20Q30Q50Q

AZ-900 Describe Azure management and governance questions (showing 300 of 328)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company has multiple Azure subscriptions for different departments. They want to enforce consistent policies across all subscriptions regarding allowed virtual machine sizes and require compliance reporting. Which Azure feature should they use?

2

A company uses Azure and wants to ensure that their IT team receives alerts when virtual machines are deallocated unexpectedly. Which Azure service should they use to create a rule that triggers an action when a VM is deallocated?

3

A company needs to track and optimize costs across multiple Azure subscriptions. They want to allocate budgets and receive notifications when spending exceeds forecasted amounts. Which Azure tool should they use?

4

A global company wants to organize its Azure resources by department and project. They need to enforce cost allocation and apply governance policies consistently across all subscriptions. Which two Azure features should they use together? (Select two.)

5

A company wants to ensure that all new Azure resources in a subscription are automatically tagged with a 'Department' tag. Which Azure service should they use to enforce this requirement?

6

A company has multiple Azure subscriptions for different departments. They want to receive budget alerts when spending in any subscription exceeds 80% of the allocated amount. Which Azure feature enables them to set up these alerts?

7

A company wants to ensure that whenever a new Azure subscription is created, it automatically inherits a set of baseline policies, role assignments, and resource groups. Which Azure tool should they use to package and deploy these governance components consistently?

8

A company uses Azure Resource Manager templates to deploy and manage infrastructure. They need to ensure that resources are deployed in a consistent, repeatable manner across environments. Which two benefits does using ARM templates provide? (Choose two.)

9

A company wants to deploy a standardized environment that includes Azure Policy assignments, RBAC roles, and resource group templates. They need to version these components and apply them to multiple subscriptions. Which Azure service should they use?

10

A company has multiple Azure subscriptions. The finance team needs to analyze spending trends and create budgets to prevent cost overruns. Which Azure tool should they use to visualize historical spending and set budget alerts?

11

A company uses Azure Policy to enforce that all virtual machines must be from an approved list of SKUs. They want to ensure that any non-compliant VMs that already exist are automatically remediated by changing the VM size to a compliant SKU. Which policy effect should they use?

12

A company has a critical Azure resource group that contains production resources. They want to ensure that no one can accidentally delete or modify the resources in this group, even if they have Contributor permissions. Which Azure feature should they use?

13

A company wants to receive notifications when Azure services in their region experience an outage or planned maintenance that might affect their resources. Which Azure service should they set up alerts for?

14

A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?

15

A company has multiple Azure subscriptions. The IT team wants to apply common policies and role assignments across all subscriptions automatically when a new subscription is created. Which Azure service should they use?

16

A company wants to track resource usage across departments and projects. They have multiple Azure subscriptions. They need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?

17

A company has a policy that requires all storage accounts to have secure transfer enabled. They want to automatically audit all existing storage accounts and enforce the setting on new ones. They also want to automatically fix non-compliant new storage accounts. Which Azure Policy effect combination should they use?

18

A company uses Azure Resource Manager templates to deploy infrastructure. They need to manage secrets such as database connection strings and passwords securely. Which Azure service should they use to store and retrieve these secrets during deployment?

19

A company manages multiple Azure subscriptions for different business units. They want to define a standard set of policies, such as allowed VM SKUs and required resource tags, and ensure these policies are always applied whenever a new subscription is created. Which Azure feature should they use to enforce governance at this level?

20

A company uses Azure Policy to require that all storage accounts must have blob soft delete enabled. They also want to automatically create a remediation task that fixes any existing non-compliant storage accounts. Which policy effect should they include in the policy definition to achieve automatic remediation?

21

A company has a policy that all Azure resources deployed to production subscriptions must be tagged with a 'CostCenter' tag. They want to automatically prevent the creation of any resource that does not include this tag. Which Azure Policy effect should they use in their policy definition?

22

A company wants to analyze historical spending data across all Azure subscriptions and set proactive budget alerts to prevent cost overruns. They also need to identify spending trends by resource type. Which Azure tool should they use to meet all these requirements?

23

A company has an Azure policy requirement that all new resources in a specific resource group must have a 'Department' tag. If a resource is created without this tag, the tag should be automatically added with a default value of 'Finance'. Which Azure Policy effect should be used?

24

A company has multiple Azure subscriptions for different departments. The IT team wants to apply a common set of policies (e.g., allowed VM sizes) and assign the same role-based access control (RBAC) permissions across all subscriptions automatically. Which Azure feature should they use?

25

A company wants to track spending across different projects. They have multiple Azure subscriptions and need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?

26

A company has multiple Azure subscriptions for different departments. The IT team wants to ensure that all resources in a specific subscription are only deployed in the 'West Europe' region. Which Azure feature should they use to enforce this restriction?

27

A company wants to track costs by department across multiple Azure subscriptions. They have tagged resources with 'Department' tags. However, some resources are missing tags. They want to see a report of costs grouped by department, including untagged resources. Which Azure tool should they use?

28

A company wants to enforce a naming convention for all Azure resources. For example, all resources must start with 'Contoso-'. They want to automatically audit and deny creation of resources that do not follow the naming convention. Which Azure Policy effect should they use?

29

A company uses Azure Blueprints to define a repeatable set of Azure resources and policies for new subscriptions. They want to ensure that when a new subscription is created, a specific role assignment is automatically applied. What should they include in the blueprint definition?

30

A company has a policy that all Azure resources must have an 'Owner' tag. They want to automatically add the 'Owner' tag with a value 'Default' to any resource created without it. Which Azure Policy effect should they use?

31

A company wants to view a consolidated list of all Azure resources across multiple subscriptions and query them using Kusto Query Language (KQL). Which Azure tool should they use?

32

A company has a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically audit and deny the creation of any resource that does not include this tag. Which Azure Policy effect should they use?

33

A company uses Azure Policy to require encryption on storage accounts. They want to automatically deploy an encryption extension to any new storage account that does not have it enabled, without manual intervention. Which policy effect should they use?

34

A company wants to set monthly spending limits for each department and receive alert emails when spending reaches 80% of the budget. Which Azure tool should they use?

35

An IT administrator needs to query all Azure resources across multiple subscriptions to find all virtual machines that were created in the last 30 days. They want to use a powerful query language. Which Azure service should they use?

36

A company needs to enforce compliance by deploying a standard set of Azure resources, policies, and RBAC assignments for each new development subscription. They want to define this environment as a repeatable package. Which Azure service should they use?

37

A company has multiple Azure subscriptions for different development teams. They need to define a repeatable environment that includes a set of Azure policies, role assignments, and resource templates that must be applied to any new subscription created for a project. Which Azure service should they use?

38

A company's finance team needs to track Azure costs by project. Each resource is tagged with a 'Project' tag, but some resources were created without tags. The finance team wants to generate a report that shows costs grouped by project and also identifies untagged resources. Which Azure tool should they use?

39

A company wants to enforce that all Azure storage accounts must have encryption enabled. If a storage account is created without encryption, the policy should automatically enable encryption without manual intervention. Which Azure Policy effect should they use?

40

A company has a management group hierarchy: Root (tenant root group) > Contoso > Sales, Marketing. They want to assign an Azure policy that applies to all subscriptions under the Sales and Marketing management groups only. The policy must not affect any other subscriptions in the hierarchy. Where should they assign the policy?

41

A company needs to find all virtual machines that have the tag 'Environment:Production' and were created more than 6 months ago. They want to run a complex query across all subscriptions in their tenant. Which Azure tool should they use?

42

A company wants to ensure that all Azure resources are created within a specific set of approved regions. They want to automatically block any resource creation that is not in an approved region. Which Azure Policy effect should they use?

43

A company has multiple departments, each with its own Azure subscription. They want to apply the same set of policies and role assignments to all subscriptions under the Sales department. They also plan to create more subscriptions for Sales in the future. Which Azure construct should they use?

44

A company uses Azure Blueprints to define a standard environment for all new development subscriptions. The blueprint includes a set of Azure policies, role assignments, and resource templates. However, after applying the blueprint, some resources are created that do not comply with the policies. The company wants to be notified of these non-compliant resources without blocking their creation. Which Azure Policy effect should be used in the blueprint?

45

A company wants to query all Azure resources across multiple subscriptions to find all storage accounts without encryption enabled. They need to use a powerful query language to filter and join data. Which Azure tool should they use?

46

A company has an Azure Policy assigned to all subscriptions that denies creation of any resource without a 'CostCenter' tag. During an emergency, a team needs to create a resource without the tag. They want a temporary exception without changing the policy. What should they create?

47

A company has multiple Azure subscriptions for different projects. They want to apply the same set of Azure policies and role assignments to all subscriptions under a specific department, and they plan to add more subscriptions in the future. Which Azure construct should they use?

48

A company wants to organize their Azure subscriptions into a hierarchy for policy and cost management. They have multiple departments, each with multiple subscriptions. What should they create first to establish this structure?

49

A company uses Azure Policy to enforce encryption on storage accounts. They discover some existing storage accounts are non-compliant. They want to automatically enable encryption on these accounts without manual intervention. Which combination of policy effects should they use?

50

A company needs to ensure that all Azure resources have a mandatory 'CostCenter' tag. If a resource is created without this tag, the resource creation should be blocked. Which Azure Policy effect should they use?

51

A company wants to track and manage costs across multiple Azure subscriptions. They have created a hierarchy of management groups: Root -> Department A -> Project 1, Project 2. They want to see the total cost for Department A across all its projects. Which Azure tool should they use?

52

A company wants to ensure that all Azure resources are tagged with metadata such as 'Environment' and 'Department'. They have created an Azure Policy that appends the required tags and their values when a resource is created. However, they notice that some resources created before the policy assignment are missing tags. They want to automatically add those tags without manual effort. What should they do?

53

A company wants to enforce a set of security policies across all their Azure subscriptions. They have created several individual policy definitions. Which Azure construct should they use to group these policies together and assign them as a single package?

54

A company needs to grant a group of users the ability to restart and start/stop virtual machines, but not to create or delete them. They want to assign this permission at the resource group level. What should they do?

55

A company has a management group hierarchy: Root > Europe > Production. They assign a policy at the Root level that denies creation of resources without a tag. Later, they assign a different policy at the Europe level. What is the effective effect on the Production subscription?

56

A company uses Azure Blueprints to define a standard environment. They publish a new version of the blueprint with an updated role assignment. All existing subscriptions that were created from an older version need to receive the new role assignment. What should they do?

57

A company wants to monitor the performance of their Azure VMs and receive alerts when CPU usage exceeds 90%. Which Azure service should they use?

58

A company wants to organize their Azure subscriptions into a hierarchy to manage access policies and cost across different departments. They have three departments: Sales, Marketing, IT. What should they create first?

59

A company has multiple Azure subscriptions for different projects. They want to apply a common set of policies and role assignments to all subscriptions under the 'Research' department. They also plan to add more subscriptions for Research in the future. What should they use?

60

A company has a management group hierarchy: Root → UK → Production. They assign a policy at the Root level that allows only certain VM sizes. Later, they assign another policy at the UK level that denies all resources. What is the effective effect on the Production subscription?

61

A company wants to enforce a naming convention on all Azure resources by automatically adding a tag with the environment name (e.g., 'Env-Prod' or 'Env-Dev') when a resource is created. They do not want to block resource creation if the tag is missing. Which Azure Policy effect should they use?

62

A company has created an Azure Blueprint to define a standard environment with role assignments and policies. They have published multiple versions. They want all existing subscriptions that were created from an older version to automatically receive the updates from the latest version. What should they do?

63

A company wants to ensure that all new Azure storage accounts have a specific encryption setting enabled. They also want to automatically remediate any existing non-compliant storage accounts without manual effort. Which Azure Policy effect should they use?

64

A company has multiple Azure subscriptions for different departments. They want to track and analyze costs, and allocate costs to each department based on tags applied to resources. Which Azure tool should they use?

65

A company needs to grant a specific user the ability to restart virtual machines in a specific resource group, but not to create, delete, or modify them in any other way. The built-in 'Virtual Machine Contributor' role grants too many permissions. What is the most appropriate solution?

66

A company has multiple subscriptions. They want to apply a policy that denies creation of resources without a specific tag at the top-level management group. Later, they need to allow a specific subscription to create resources without that tag. What should they do?

67

A company wants to ensure that all resources in their Azure environment are created with mandatory tags for cost tracking. They have already assigned a policy to append tags, but existing resources are still missing tags. They want to automatically add the tags to existing resources without manual intervention. What should they do?

68

A company wants to enforce that all storage accounts use the 'Standard' performance tier and block creation of any 'Premium' storage accounts. Which Azure Policy effect could achieve this?

69

A company uses Azure Blueprints to define a standard environment with policies, role assignments, and resource groups. They publish a new version of the blueprint that adds a new role assignment. However, existing subscriptions created from older versions do not have this new role assignment. What must they do to apply the update to existing subscriptions?

70

A company wants to ensure a specific resource group cannot be deleted, but they also need to be able to delete it temporarily during maintenance windows. Which approach allows the most granular control?

71

A company wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. They want to automatically apply the tag to new resources, and also to existing resources that are missing it. Which Azure service should they use?

72

A company has multiple Azure subscriptions organized under a management group hierarchy. They need to assign the 'Contributor' role to a security team for all subscriptions under the 'Production' management group. They also want new subscriptions added later to automatically inherit this role assignment. What should they do?

73

A company wants to ensure that no one can create virtual machines without approval from the IT department. They want to block all VM creation attempts and notify the requester that they need to request access. Which Azure Policy effect should they use?

74

A company wants to track and analyze Azure costs across multiple departments. They have tagged resources with 'Department' tags. Which tool should they use to view cost breakdowns by department?

75

A company has multiple Azure subscriptions. They need to enforce a rule that only specific virtual machine sizes (e.g., Standard_D2s_v3) can be used across all subscriptions. They also want this rule to automatically apply to any future subscriptions created. Which Azure service should they use?

76

A company wants to receive proactive recommendations to reduce Azure costs, improve security, and increase reliability. They want a single dashboard that provides best practices for their deployed resources. Which Azure service should they use?

77

A multinational company has multiple Azure subscriptions managed by different teams. The compliance team requires that all new virtual machines deployed in any subscription must have a specific tag (e.g., 'CostCenter') and must be deployed in approved regions only. They also want to automatically enforce these requirements without manual intervention. Which Azure service should the compliance team use to achieve this?

78

A company has multiple Azure subscriptions that are managed by different departments. The governance team needs to ensure that every new subscription follows a standardized set of compliance requirements, including specific Azure Policy definitions, a predefined role assignment for a central security group, and a base set of network resources. The solution must be reusable and allow the governance team to update the requirements centrally, with changes automatically applied to all subscriptions that use the same definition. Which Azure service should the governance team use?

79

A company has deployed hundreds of virtual machines in Azure across multiple subscriptions. The governance team wants to generate a compliance report that identifies which VMs are using approved VM sizes and which are not, according to a corporate policy. The team must not block the deployment of non-compliant VMs; they only want to track compliance. Which Azure Policy effect should they use in the policy definition?

80

A company has a critical Azure Storage account that stores immutable backups. The IT administrator wants to ensure that no one can delete or modify this storage account, even administrators with Contributor or Owner roles. The company still needs to allow read access to the data within the storage account. Which Azure governance feature should the administrator implement?

81

A company has a policy that all Azure Storage accounts must have diagnostic settings enabled to send logs and metrics to a specific Log Analytics workspace. The governance team wants to automatically configure these diagnostic settings when a new storage account is created, without blocking the initial creation. The solution must not require manual intervention. Which Azure Policy effect should the team use in their policy definition?

82

A company uses Azure for its production workloads. The security team wants to receive proactive, personalized recommendations to improve the security of their Azure resources, such as enabling Microsoft Defender for Cloud on subscriptions that do not have it enabled. Which Azure service provides these security recommendations?

83

A company runs multiple projects in Azure, each project is placed in a separate resource group. The finance team wants to set a monthly spending limit of $10,000 per project and receive automated email alerts when a project's spending reaches 80% of the limit and again when it exceeds the limit. The solution must use native Azure capabilities and be configurable per resource group. Which Azure service should the finance team use?

84

A healthcare organization needs to enforce a set of compliance requirements (e.g., enable encryption on all storage accounts, restrict public network access to SQL databases, and enforce a specific TLS version) across all Azure subscriptions. The organization has defined these requirements as individual Azure Policy definitions. The governance team wants to assign all these policies together as a single unit to a management group, ensuring that any new subscription created under that group automatically receives all the policies. Which Azure object should the governance team create first?

85

A company is adopting a landing zone approach in Azure. The governance team wants to automatically provision a standardized environment for each new Azure subscription. The environment must include: a predefined set of Azure Policy assignments (e.g., enforce resource tagging), specific RBAC role assignments for a central operations team, and a baseline resource group containing a storage account with a specific configuration. The team wants to package all these components into a single, versioned object that can be assigned to a management group and updated over time as requirements change. Which Azure governance service should the team use?

86

A company has a policy that all Azure resources must have a tag named 'CostCenter'. The governance team wants to automatically add the tag with a default value 'IT' to any new resource that is created without it. The team wants the tag to be applied during resource creation, not just report non-compliance. The solution must also support remediation for existing non-compliant resources if needed later. Which Azure Policy effect should the team use in their policy definition?

87

A company has three departments: Sales, Marketing, and IT. Each department has its own Azure subscription. The IT department manages all networking and security policies across all subscriptions. The Sales and Marketing departments should be able to create and manage their own resources but cannot modify networking or security policies. The IT department wants to apply a consistent set of policies (e.g., enforce tagging, restrict VM SKUs) across all subscriptions without needing to assign policies to each subscription individually. Additionally, the IT department wants to delegate administration of a specific custom role to a junior administrator who can assign that role to users within the Sales subscription only. Which combination of Azure governance features should the IT department use?

88

A company manages a production Azure subscription that contains critical resources. The security team wants to prevent any user, including users with the Owner role, from accidentally deleting the entire subscription or any resource within it. The team still wants authorized users to be able to modify settings and create new resources. Which Azure feature should the team use?

89

A company has a resource group named 'RG-Prod' that contains critical virtual machines (VMs), virtual networks, and a SQL database. The infrastructure team needs to grant a group of developers the ability to start, stop, and restart only the VMs in RG-Prod. The developers must not be able to create new VMs, delete existing VMs, modify the virtual networks, or access the database. The company wants to follow the principle of least privilege. Which Azure role-based access control (RBAC) approach should the company use?

90

A company uses a single Azure subscription for its development and production workloads. The finance team wants to set a monthly spending limit for the entire subscription and receive an email alert when the costs are projected to exceed 80% of that limit. The company does not want any resources to be automatically stopped or deleted when the limit is reached. Which Azure feature should the finance team configure?

91

A company has multiple Azure subscriptions used by different departments. The governance team has created several Azure Policy definitions to enforce tagging rules, restrict allowed VM SKUs, and require HTTPS for storage accounts. The team wants to assign these policies as a single, manageable unit to a management group so that they can track overall compliance across all subscriptions in that group from one dashboard. The compliance summary should show how many resources are compliant against all the combined policies. Which Azure feature should the team use?

92

A company is adopting Azure and wants to ensure that every new subscription automatically includes a standard set of governance artifacts: two custom Azure Policy definitions (one for allowed locations, one for resource tagging), a custom Role-Based Access Control (RBAC) assignment for the security team, and an initial resource group with an Azure Resource Manager (ARM) template that sets up a network topology. The company wants to version these artifacts and update them over time, ensuring that new subscriptions always use the latest approved version. Which Azure service should the company use to package and deploy this standardized environment?

93

A company uses Azure Policy to enforce governance. They want to prevent users from creating virtual machines of the Standard_DS3_v2 SKU in their subscription, and they also want to log any attempt to create such a VM (whether successful or not) for audit purposes. What is the minimum number of Azure Policy assignments required to meet both requirements?

94

A company has an Azure subscription used by multiple development teams. The security team wants to ensure that every virtual network (VNet) created in the subscription automatically has a specific network security group (NSG) associated with its default subnet. The NSG rules are defined by the security team, and developers should not have to perform any extra steps after creating a VNet. Which Azure Policy effect should the security team use in the policy definition?

95

A company has a resource group named 'RG-Prod' that contains critical virtual machines, a SQL database, and a storage account. The infrastructure team needs to ensure that no one can accidentally delete this resource group or any of its resources. However, users must still be able to create, update, and delete individual resources within the group as needed for normal operations. Which type of Azure Resource Lock should the team apply to 'RG-Prod'?

96

A company uses Azure Management Groups to organize subscriptions. The hierarchy is: Root Management Group -> Contoso Management Group -> Sales (management group) and R&D (management group). Under Sales there are two subscriptions: Sales-Prod and Sales-Dev. Under R&D there is one subscription: R&D-Prod. The governance team assigns an Azure Policy definition that denies the creation of resources in the East US region. They assign this policy to the Contoso Management Group, but they add an exclusion for the Sales-Dev subscription. A developer in the Sales-Dev subscription attempts to create a virtual machine in the East US region. What will happen?

97

A company wants to proactively monitor and control its Azure spending. The finance team has set a monthly budget of $10,000 for the 'Marketing' subscription. They want to receive an email notification when the actual spending reaches 80% of the budget and another notification when it reaches 100%. Additionally, if the spending ever exceeds $12,000 in a month, they want to automatically trigger a runbook that scales down non-critical resources. Which Azure feature should the finance team use to achieve all these requirements?

98

A company uses Azure Policy to enforce governance on their subscriptions. They want to ensure that every newly created Azure resource automatically receives two tags: 'Owner' and 'CostCenter'. If a user or an automated process creates a resource without specifying these tags, the policy should add the missing tags with default values of 'Unassigned' without blocking the resource creation. Which Azure Policy effect should be used in the policy definitions?

99

A financial services company must deploy a standardized environment for a new customer-facing application. The environment must include a specific set of Azure resources (such as virtual networks, databases, and App Service plans), pre-configured role assignments for the compliance team, and a collection of Azure Policy definitions that enforce encryption and tagging rules. The company needs to package all these components into a single, versioned artifact that can be consistently deployed across multiple subscriptions and regions, with the ability to track changes and updates. Which Azure service should the company use to achieve this?

100

A company has an Azure Policy assigned at the root management group that denies the creation of resources without a 'Department' tag. The IT team needs to deploy a temporary set of resources in a specific resource group under a child management group. These resources will not have the required tag. The team must not alter the original policy definition or the policy assignment. What should the team create to allow this deployment?

101

A company uses Azure Blueprints to enforce a standard landing zone for all development subscriptions. The blueprint includes a virtual network, subnets, and network security groups. After the blueprint is assigned to a subscription, a development team manually adds a new subnet to the virtual network. The company plans to update the blueprint to add a new network security group rule. When the updated blueprint is published and the assignment is updated, what will happen to the manually added subnet?

102

A company has deployed a production Azure SQL Database that is used by a critical line-of-business application. The database administrators need to be able to change the database schema and scaling settings. However, the operations team must ensure that no one can accidentally delete the database or its server. The company does not want to implement a complex backup strategy for this prevention; they want a simple control that can be applied at the resource level without affecting other management operations. What should the operations team configure to meet these requirements?

103

A company runs several Azure virtual machines and an Azure SQL Database in a single subscription. The operations team needs a single, personalized dashboard that displays the current health status of these specific resources, as well as any upcoming planned maintenance events from Microsoft that might affect them. The team wants to see all this information in one place without having to navigate multiple tools. Which Azure service should the operations team use to meet these requirements?

104

A company uses Azure to host multiple virtual machines and virtual networks. The network team is responsible for configuring and maintaining virtual networks, subnets, and network security groups. The company wants to ensure that the network team can manage these network resources but cannot modify or delete virtual machines. Which Azure built-in role should the company assign to the network team?

105

A company uses Azure Policy to govern its Azure environment. The governance team wants to enforce that all virtual machines (VMs) deployed in the production subscription use only approved operating system images from a specific Azure Compute Gallery. However, during a transition period, the team does not want to block the creation of VMs that use non-approved images; instead, they need to identify and report on any non-compliant VMs. They also want to track compliance over time. Which Azure Policy effect should the governance team use in the policy definition to meet these requirements?

106

A company's security team needs to audit all virtual machines (VMs) that have a public IP address directly attached, across more than 50 Azure subscriptions organized under several management groups. The team wants to run a single query to get a list of these VMs along with the subscription and resource group details. The solution must provide fast results without the need to write custom scripts or iterate through each subscription individually. Which Azure service should the team use?

107

A company has 30 Azure subscriptions organized under a single management group. The governance team wants to enforce that all resource groups must have a specific tag 'CostCenter' with a valid value. They create an Azure Policy definition with the 'Deny' effect and assign it to the root management group. However, the development team complains that they have a sandbox subscription where they need to create resource groups without the 'CostCenter' tag for testing. The governance team still wants the policy to apply to all other subscriptions but exempt the sandbox subscription. Which solution should the governance team use?

108

A company has multiple Azure subscriptions, each managed by different development teams. The central governance team wants to ensure that every subscription adheres to the same security baselines, including specific Azure Policy definitions, RBAC role assignments, and a standard resource group structure. The team needs a single, versioned package that brings these components together and can be consistently deployed across all subscriptions. Which Azure service should the governance team use to meet these requirements?

109

A company stores critical financial records in an Azure Storage account. The operations team needs to ensure that the storage account cannot be deleted by any user, including administrators with Contributor permissions. However, authorized users must still be able to add and modify blobs. The solution should not affect the ability to update the account's configuration. Which Azure feature should the company implement?

110

A company has 15 Azure subscriptions organized under multiple management groups. The security team has defined a standard set of 8 Azure Policy definitions that must be applied to every subscription. These definitions enforce required tags, deny creation of public IPs, require encryption for storage accounts, and restrict VM SKUs. The team wants to assign these policies as a single entity to simplify management and ensure consistent compliance. What should the team create and assign?

111

A company has 10 Azure subscriptions used by different departments. The finance team wants to receive automated, prioritized recommendations to reduce cloud costs. Specifically, they want suggestions for identifying idle virtual machines and rightsizing underutilized resources across all subscriptions. Which Azure service should the finance team use to get these recommendations?

112

A company uses multiple Azure subscriptions for development and production. The finance team wants to set a monthly budget of $1,000 for a specific dev subscription. When the actual cost reaches 80% of the budget, the team wants to receive an email alert. If the cost exceeds 100%, they want to automatically stop a specific virtual machine in that subscription to prevent overspending. Which Azure feature should the team use to automate the stopping of the VM when the budget is exceeded?

113

A company manages hundreds of Azure SQL databases across multiple subscriptions. The compliance team requires that every Azure SQL database has diagnostic settings enabled to send logs to a central Log Analytics workspace. The team wants a solution that automatically configures diagnostic settings for any new Azure SQL database when it is created, without requiring manual intervention or additional scripting. Which Azure governance feature should the team use?

114

A company has a regulatory requirement that all Azure resources must be deployed only in the West Europe region. The governance team needs to automatically prevent any user or application from creating resources in any other region. The team must also ensure that this restriction is applied to all existing and future subscriptions within the tenant. Which Azure service should the governance team use?

115

A company has a root management group that contains all Azure subscriptions. A centralized governance team needs to create and assign Azure Policy definitions and set initiatives that apply to all subscriptions. Which built-in role should be assigned to the governance team at the root management group scope to grant the minimum required permissions?

116

A company has a governance requirement that every Azure virtual machine must have a tag named 'CostCenter' with the value 'Unassigned'. If a user creates a VM without the tag, or with a different value for that tag, the tag should be automatically corrected to 'Unassigned' immediately upon resource creation. The IT team is writing an Azure Policy definition to enforce this. Which Policy effect should they use?

117

A global company creates a new Azure subscription for each major project. To ensure compliance and consistency, the governance team needs a single, versioned, auditable package that, when assigned to a subscription, automatically deploys a standard set of Azure Policy assignments, role assignments, a resource group structure, and a pre-configured virtual network. The solution must allow these packages to be updated centrally and have changes tracked for auditing. Which Azure service should the governance team use?

118

A company manages its production workloads in a dedicated Azure subscription under the root management group. The infrastructure team recently created a critical resource group named 'rg-prod-core' that contains networking resources. To prevent accidental deletion of this entire resource group, the team needs a mechanism that blocks delete operations on 'rg-prod-core' while still allowing changes to resources within it. The solution must not affect any other resource groups in the subscription. Which Azure feature should the team apply to 'rg-prod-core'?

119

A company's finance team uses Azure Cost Management + Billing to monitor cloud spending. They want to configure a rule that sends an email notification to the finance team's distribution list when the monthly cost for resources tagged with Department=Marketing exceeds $10,000. Which Azure Cost Management feature should they configure?

120

A company has a root management group containing three subscriptions: Production, Development, and Sandbox. The governance team assigns an Azure Policy initiative to the root management group that enforces tagging requirements. The Sandbox subscription is used for experimental testing and needs to be temporarily excluded from the tagging requirements while the team evaluates a new tagging schema. The team must ensure the policy assignment remains active in Production and Development but does not affect resources in Sandbox. Which Azure Policy feature should the team use?

121

A company operates a hybrid IT environment with virtual machines running on-premises and in Amazon Web Services (AWS). The company also has a growing number of resources in Microsoft Azure. To simplify management, the company wants to use a single Azure service to apply Azure Policy definitions and enable unified inventory and tagging across all virtual machines, regardless of their location. Which Azure service should the company use?

122

A multinational company has a strict data residency requirement: all Azure virtual machines must be deployed only in the East US or West Europe Azure regions. The IT governance team wants to enforce this rule automatically so that any attempt to create a virtual machine in any other region is blocked immediately at the time of deployment. Users must receive a clear error message if they try to create a VM in a disallowed region. Which Azure feature should the governance team configure to meet this requirement?

123

A company has an Azure subscription used by several development teams. The governance team wants to identify any virtual machines that are not tagged with a mandatory 'CostCenter' tag. The team does not want to block the creation of untagged VMs; they only want to report on non-compliant resources in Azure Policy's compliance dashboard. Which Azure Policy effect should they use in their policy definition?

124

A company has an Azure Policy assignment that denies the creation of any virtual machine (VM) that does not have a mandatory 'CostCenter' tag. A development team needs to deploy a temporary test VM without the required tag for a short-term experiment. The governance team wants to allow this specific exception while recording the reason for the exception, ensuring the policy is still enforced for all other resources. The exception must also automatically expire after 30 days. Which Azure Policy feature should the governance team use?

125

A company has an Azure subscription that contains production resources. The IT manager is concerned that a user who has the Contributor role might accidentally delete the entire subscription. The company wants a solution that prevents anyone from deleting the subscription, even users with the Owner role, while still allowing modifications to the resources inside the subscription. What should the administrator configure?

126

A company has an Azure subscription with 200 virtual machines. The compliance team requires that all virtual machines have diagnostic settings enabled to send metrics and logs to a central Log Analytics workspace. The team wants Azure to automatically configure these diagnostic settings on any VM that currently lacks them, without manual intervention. Which Azure Policy effect should the team use in the policy definition?

127

A company requires that all resources deployed in a production Azure subscription must include a 'Department' tag. Resources without this tag must be automatically prevented from being created. Which Azure service should the company use to enforce this requirement?

128

A multinational corporation wants to deploy a standard set of Azure resources—including virtual networks, virtual machines, and SQL databases—to multiple departments. Each deployment must automatically include assigned Azure Policy definitions to enforce security rules, role-based access control (RBAC) assignments for the operations team, and a predefined naming convention. The solution must provide a single, repeatable package that can be versioned and updated centrally. Which Azure service should the company use?

129

A large enterprise has multiple Azure subscriptions for different business units. The governance team wants to apply a set of Azure Policy initiatives, such as allowed locations and required tags, to all subscriptions in the organization. They also want to set up role-based access control for the compliance team at the root level so that they can monitor compliance across all subscriptions. Which Azure feature should they use to achieve this?

130

A company has deployed a critical production application in an Azure resource group. The security team wants to prevent accidental deletion or modification of any resources within that resource group. They have already configured Azure RBAC roles to grant only necessary permissions to the operations team. However, they need an additional protection that even users with Owner permissions cannot delete the resource group or its resources without a two-step process to remove the protection. Which Azure feature should the company implement?

131

A company runs a development subscription in Azure. The finance team wants to set a monthly spending limit of $5,000 for this subscription and receive email alerts when spending reaches 80% and 100% of that limit. The team must also be able to review historical spending trends. Which Azure tool should the finance team use to configure these alerts and track spending?

132

A company operates a fleet of on-premises servers running legacy applications. Due to strict regulatory compliance requirements, these servers cannot be migrated to Azure. However, the IT team wants to centrally manage these servers using Azure tools, including applying Azure Policy to enforce configuration standards and using Azure Monitor for log collection and performance monitoring. The team needs to treat these on-premises servers as Azure resources without moving them. Which Azure service should the company use?

133

A company uses Azure Policy to enforce that all virtual machines must have the Azure Monitor agent extension installed. The policy is assigned to a subscription and uses the 'DeployIfNotExists' effect, which automatically installs the agent on new VMs. However, the security team notices that several existing VMs are non-compliant because they were provisioned before the policy was assigned. The team wants to automatically make these existing VMs compliant without manual intervention. What should the team do?

134

A company uses Azure Policy to enforce governance rules across its Azure subscriptions. The security team wants to ensure that all virtual machines deployed in a subscription must be of an approved size from a predefined list. If a user attempts to deploy a virtual machine with a size not on the list, the deployment must be immediately blocked. Which Azure Policy effect should the company use in the policy definition?

135

A company has multiple Azure subscriptions for different departments. The governance team needs to ensure that every new subscription is automatically provisioned with a consistent set of resources, including a predefined network topology, mandatory Azure Policy assignments (e.g., allowed locations), and specific role-based access control (RBAC) assignments for the security team. The solution must be repeatable, version-controlled, and allow the team to update the defined artifacts and apply updates to existing subscriptions. Which Azure service should the team use to define and deploy this collection of governance artifacts?

136

A company needs to deploy a consistent set of Azure resources (a virtual network, two subnets, and a network security group) into multiple environments: dev, test, and prod. The IT operations team wants to define these resources in a declarative file that can be deployed repeatedly and reliably to different resource groups. The team also wants to version control the file and have the ability to update all environments by redeploying the same file. Which Azure feature should the team use?

137

A company uses Azure Policy to enforce resource tagging. The governance team creates a policy that requires all resources in a subscription to have a 'CostCenter' tag. However, the team does not want to block resource creation if the tag is missing. Instead, they want the policy to automatically add the tag with a default value of 'Unassigned' to any new resource that is created without the tag. Which Azure Policy effect should the team configure in the policy definition?

138

A large enterprise has multiple Azure subscriptions for different departments. The central IT team wants to enforce a policy that restricts the Azure regions where resources can be deployed. The policy must automatically apply to all existing subscriptions and to any new subscriptions created in the future, without requiring manual assignment to each subscription individually. Which Azure feature should the central IT team use to achieve this hierarchical governance?

139

A company has a critical Azure resource group that contains all production virtual machines and databases. The IT security administrator wants to ensure that no user, including members of the 'Owner' role, can accidentally or intentionally delete this resource group. The solution must not prevent modification of resources inside the resource group. The administrator needs to apply a governance control at the resource group level. What should the administrator do?

140

A company has an Azure subscription that contains hundreds of virtual machines (VMs) across multiple resource groups. The security team needs to enforce two governance rules: 1) All VMs must use managed disks. 2) All VMs must be deployed only in the East US region. The team wants to assign a single governance artifact that combines both rules so that the compliance state is evaluated as a group. The solution must not require assigning each rule individually. Which Azure feature should the team use to define and assign this combined set of rules?

141

A company has a single Azure subscription that contains multiple resource groups for different departments. The security team needs to ensure that only members of the 'VM Operators' Azure Active Directory group can create virtual machines in the subscription. All other users, including subscription Owners, must be blocked from creating virtual machines. Which Azure feature should the security team use to enforce this requirement?

142

A multinational company has multiple Azure subscriptions for different business units. The central governance team wants to define a standardized environment that must be automatically applied to every new subscription. The standard must include a set of Azure Policy definitions (e.g., allowed regions), a specific Azure RBAC role assignment (e.g., a contributor access for a central security group), and a preconfigured resource group with a virtual network. The team wants to package all these components together so that they can be deployed consistently and updated centrally. Which Azure service should the team use?

143

A company has an Azure subscription that hosts multiple virtual machines, databases, and storage accounts. The finance team wants to receive an automated email notification when the forecasted monthly spending for the subscription exceeds $10,000. The team needs to use a native Azure feature that can track actual and forecasted costs and trigger alerts based on a monetary threshold. The solution must not require custom scripts or third-party tools. Which Azure feature should the team configure?

144

A company uses Azure for multiple projects. The IT governance team wants to ensure that every new Azure resource within a subscription is automatically assigned a 'CostCenter' tag based on the resource group it is created in. The team does not want to rely on users manually applying the tag. They need a built-in Azure solution that enforces this rule without custom scripts. Which Azure feature should they use?

145

A company has multiple Azure subscriptions used by different departments. The security team wants to enforce a requirement that all Azure Storage accounts in every subscription must be encrypted at rest using customer-managed keys (CMK). The solution must automatically evaluate existing and new storage accounts for compliance, and it must be able to automatically remediate non-compliant resources by enabling CMK encryption. The team wants to use a single, centralized Azure feature that can be assigned once and apply to all subscriptions. Which Azure feature should they use?

146

A company has a production resource group that contains several Azure virtual machines and a SQL database. The company wants to ensure that no user can accidentally delete these resources, but authorized administrators must still be able to modify the configuration and update the resources. The company needs a straightforward governance feature that can be applied directly to the resource group and can be removed only by an authorized user with the Owner role. Which Azure feature should the company use?

147

A company has deployed multiple Azure virtual machines for a production workload. The IT administrator wants a centralized list of prioritized recommendations to improve the security, high availability, and cost efficiency of the virtual machines. The administrator also wants to be able to view the potential impact of implementing each recommendation. Which Azure service should the administrator use?

148

A company has a team of support engineers who need to be able to restart Azure virtual machines when they become unresponsive. The support engineers must not be able to modify the VM configuration, delete the VMs, or access VM data. The company wants to use the principle of least privilege. No built-in Azure role meets these exact requirements. What should the company do?

149

A company is adopting Azure and needs to deploy a standardized environment that includes a resource group, a virtual network with specific IP address ranges, and a set of Azure Policy definitions to restrict allowed deployment locations. The environment will be deployed to multiple subscriptions used by different departments. The company requires a repeatable, versioned package that defines the resources, policies, and role assignments as a single item. The solution must allow updates to be managed and enforced over time. Which Azure feature should the company use?

150

A company uses multiple Azure subscriptions for different departments. The finance team wants to monitor spending across all subscriptions and receive automated email alerts when a subscription's actual spending reaches 80% of its monthly budget. The team does not want to write custom scripts or use external tools. Which Azure feature should they use?

151

A large enterprise manages hundreds of Azure subscriptions. The compliance team needs to run an on-demand report that shows all virtual machines with their current power state (running or deallocated), operating system, and VM size, filtering by specific resource groups or subscriptions. The team wants to use a native Azure tool that allows querying Azure resources at scale using a Kusto Query Language (KQL) syntax. Which Azure service should they use?

152

A large enterprise manages hundreds of Azure subscriptions. The central governance team wants to ensure that every resource deployed across all subscriptions always has two required tags: 'Department' and 'CostCenter'. If a resource is created without these tags, the governance policy must automatically add the missing tags with placeholder values (e.g., 'Department: Unknown') and generate a compliance report. The team does not want to rely on user training or manual audits. Which Azure service should the team use to meet these requirements?

153

A large enterprise manages Azure subscriptions for three business units: Sales, Research & Development, and Information Technology. Each business unit has its own Azure subscription. The central governance team needs to ensure that a specific set of Azure Policy definitions (e.g., restricting allowed regions to 'East US' only) is applied to all current and future subscriptions belonging to these three business units. The team wants to minimize administrative overhead and ensure that any new subscription created for a business unit automatically inherits the same policies. Which Azure feature should the team use to achieve this goal?

154

A company runs a critical line-of-business application on Azure virtual machines. The operations team needs to receive proactive notifications about any upcoming planned maintenance events that could affect their virtual machines, as well as real-time alerts when a service incident occurs in the Azure region where the application is deployed. The team wants a native Azure solution that provides a personalized view of all service health events relevant to their subscriptions, including historical incident reports. Which Azure service should the operations team use?

155

A company has a policy that every Azure virtual machine must have the Azure Monitor Agent installed and configured to send metrics to a central Log Analytics workspace. To enforce this requirement without relying on manual user action, the governance team wants to automatically deploy the agent to any existing or new VM that is missing it. They also need to generate a compliance report showing any VMs where the installation failed. Which Azure Policy effect should the team use to meet these requirements?

156

A company wants to enforce a governance policy that only allows virtual machines of the SKU 'Standard_DS2_v2' to be deployed in their Azure subscription. If a user attempts to create a virtual machine with a different SKU (e.g., 'Standard_D2s_v3'), the deployment must be immediately rejected with an error, and the resource must not be created. Which Azure Policy effect should the team use to implement this requirement?

157

A large enterprise manages multiple Azure subscriptions for different business units. The central governance team wants to deploy a consistent landing zone across all subscriptions. The landing zone must include pre-defined Azure Policy definitions (e.g., allowed locations, allowed VM SKUs), standard RBAC role assignments (e.g., Owner, Contributor for specific security groups), and a predefined resource group structure (e.g., 'Networking', 'Security', 'Workloads'). The team wants a single, versioned artifact that can be assigned to any subscription to apply all these configurations together, with the ability to update the artifact and have changes propagate to existing assignments. Which Azure service should the team use?

158

A company has a policy that all Azure resources must have a 'CostCenter' tag. The governance team wants to identify any resources that are missing the tag without preventing their creation. They need a compliance report generated automatically showing all non-compliant resources. Which Azure Policy effect should they use?

159

A company has an Azure subscription with hundreds of existing virtual machines. The governance team wants to enforce a policy that every virtual machine must have a tag named 'CostCenter' with a valid value. The team wants to automatically add the 'CostCenter' tag with a default value of 'Undefined' to any existing or new virtual machine that is missing the tag. They do not want to block the creation of virtual machines that are missing the tag, but they do want the tag to be added automatically within a few minutes of detection. Which Azure Policy effect should the team use?

160

A company has 10 Azure subscriptions organized under two management groups: Production and Non-Production. The governance team needs to enforce a policy that all Azure resources must be deployed only in the East US or West US Azure regions. The policy must apply to every subscription under both management groups, including any new subscriptions added in the future, without requiring separate assignments per subscription. Which Azure feature should the team use to achieve this with the least administrative effort?

161

A company has a critical resource group named 'Prod-Databases' that contains Azure SQL databases and virtual machines used by a production order-processing system. The database administrator wants to prevent any user, including administrators, from accidentally deleting or modifying resources in this resource group. The operations team needs a safeguard that requires an explicit action to be taken before any changes become possible, without affecting the ability to manage resources in other resource groups. Which Azure feature should the team implement?

162

A company's finance team wants to proactively monitor Azure spending and receive automated email notifications when costs reach 80% of a predefined monthly limit. They want to avoid manual cost tracking and set up alerts without custom scripting. Which Azure feature should they use?

163

A company manages 50 Azure subscriptions that contain thousands of resources. The DevOps team needs to identify all virtual machines that are tagged with 'Environment: Production' across all subscriptions. They need a single query that returns the VM name, resource group, and location for every such VM. The team does not want to write PowerShell commands or loop through each subscription manually. Which Azure service should they use?

164

A company has a management group hierarchy with a root management group that contains all subscriptions. The governance team assigns a built-in Azure Policy initiative 'Allowed Locations' to the root management group with the 'Deny' effect, restricting resource deployment to East US and West US only. After six months, a new regulatory requirement forces the marketing department's subscription (placed under the root) to deploy resources in North Europe for a specific pilot project. The governance team must allow this exception without changing the original policy assignment and without allowing any other subscription to deploy to North Europe. What should the governance team do?

165

A multinational corporation must ensure that every new Azure subscription automatically conforms to corporate security and compliance baselines. The team wants to deploy a predefined set of Azure resources (e.g., a central logging storage account, a network security group configuration) and apply a standard set of Azure Policy definitions (e.g., restricting allowed VM sizes, enforcing encryption) to any new subscription. They want to manage these as a single, versioned package that can be updated and re-assigned to existing subscriptions. Which Azure service should they use?

166

A retail company has 50 on-premises servers in multiple branch offices that run legacy applications that cannot be migrated to Azure. The company wants to govern these servers using the same Azure Policy and tagging standards that they use for their Azure virtual machines. They also want to view these servers alongside Azure resources in the Azure portal. Which Azure service should they deploy to extend Azure management capabilities to these on-premises servers?

167

A company uses Azure for multiple workloads. The finance team wants to identify virtual machines that are consistently underutilized (average CPU usage below 5%) so they can reduce costs by resizing or shutting down those VMs. They want a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations. Which Azure service should they use?

168

A company has a root management group that contains two child management groups: Production and Development. Each child management group contains several subscriptions. The security team assigns a built-in Azure Policy definition with the 'Deny' effect to the Production management group to enforce encryption on all storage accounts. Later, the Development team requests that storage accounts in their subscriptions must not be encrypted because they host temporary test data that needs to be quickly deleted and recreated. The security team must allow this exception for Development only, without changing the policy for Production. What should the security team do?

169

A company has a policy that every Azure resource must have a 'CostCenter' tag assigned at creation time. The governance team wants to automatically prevent any resource creation if the tag is missing, without requiring manual review after deployment. Which Azure feature should they use to enforce this requirement?

170

A company has several Azure subscriptions that contain hundreds of virtual machines. A new corporate standard requires that all VMs must use Azure managed disks instead of unmanaged disks. The governance team needs to automatically identify existing VMs with unmanaged disks and convert them to managed disks without requiring manual intervention for each VM. The team also wants to ensure that any new VMs created in the future automatically use managed disks. Which Azure feature should they use to meet both requirements?

171

A company has an Azure subscription with multiple resource groups. The governance team wants to ensure that every new resource created in the subscription automatically receives a 'Department' tag with a default value of 'Finance' if the creator did not specify one. The team wants the tag to be applied without blocking the creation of the resource. Which Azure feature should they use?

172

A multinational company has 10 Azure subscriptions, each managed by a different department. The central governance team wants to deploy a standardized environment that includes a specific network topology (virtual network, subnets, and network security groups), a set of Azure Policy definitions to enforce tagging and encryption, and a role assignment granting the 'Reader' role to a central security team in every subscription. The team must be able to update this standard definition in one place, and any changes should automatically apply to all existing deployments that were created from the definition. Which Azure service should they use?

173

A company has a critical production resource group that contains several virtual machines and an Azure SQL Database. The IT manager wants to prevent anyone from accidentally deleting the resource group or any of its resources. However, authorized administrators must still be able to add, update, or delete individual resources within the group (except deletion of the group itself). Which Azure feature should the manager apply to the resource group?

174

A company has multiple Azure subscriptions, each belonging to a different department. The finance department wants to set spending limits per subscription and receive automated email notifications whenever actual spending reaches 80% of the allocated budget. Which Azure feature should they configure?

175

A company's security policy requires that all Azure Storage accounts must enforce a minimum TLS version of 1.2. The governance team needs to continuously audit all existing storage accounts for compliance with this requirement, and also ensure that any new storage account that does not meet the TLS version requirement is automatically flagged as non-compliant in the Azure portal compliance dashboard. The team does not want to block the creation of non-compliant resources; they only need to report them. Which Azure feature should they use?

176

A company has a single Azure subscription that contains resource groups for several business units. The company's compliance team wants to enforce a rule: no virtual network (VNet) can be deployed in any resource group unless the VNet is in a specific allowed region (West Europe). The rule must also block the creation of VNets in disallowed regions, but the team must be able to selectively exempt certain resource groups (e.g., for disaster recovery testing) without altering the underlying rule definition. Which Azure feature should the compliance team implement?

177

A multinational company uses Azure management groups to organize its subscriptions. The company has a root management group (tenant root group) containing three child management groups: 'Finance', 'HR', and 'IT'. Each child management group contains multiple subscriptions. The global governance team needs to enforce an Azure Policy that restricts all resource deployments across every subscription in the organization to only the 'West US' and 'East US' regions. The policy must automatically apply to any new subscriptions that are created under any management group in the future. The team wants to assign the policy once and have it affect all current and future subscriptions with minimal administrative overhead. At which Azure scope should the team assign the policy?

178

A company has a production Azure subscription used by multiple teams. The governance team wants to enforce a rule that only virtual machines (VMs) of specific SKU sizes (e.g., Standard_D2s_v3 and Standard_D4s_v3) can be deployed. If a team attempts to deploy a VM of a different SKU size, the deployment must be blocked immediately and the user must see an error message explaining the restriction. Which Azure feature should the governance team use?

179

A company manages multiple Azure subscriptions for development, testing, and production environments. The governance team needs to ensure that every new subscription automatically includes a consistent baseline consisting of Azure Policy definitions, role assignments, and a predefined resource group structure. The team wants to package these governance components into a single deployable artifact that can be applied to any subscription with minimal manual effort. Which Azure feature should the team use?

180

A company uses Azure Policy to enforce governance rules across its subscriptions. The governance team wants to ensure that every resource in the 'Production' subscription has a tag named 'Environment' with the value 'Production'. If a resource is created without this tag, or with a different value, the tag must be automatically corrected to 'Production' without blocking the creation of the resource. Which Azure Policy effect should the team configure?

181

A company has an Azure tenant with a management group hierarchy. The 'Production' management group contains five subscriptions used by the operations team. The IT security team wants to grant the 'Network Contributor' role to a group of network administrators for all subscriptions under the 'Production' management group. The role assignment must automatically apply to any new subscription added under the 'Production' management group in the future. The network administrators already exist as a security group in Azure AD. What is the most efficient way to achieve this?

182

A company stores critical configuration data in an Azure Storage account. The IT administrator wants to prevent accidental deletion of this storage account. However, the administrator must still be able to read and update the data within the storage account. The company uses Azure Role-Based Access Control (RBAC) to manage permissions. Which Azure governance feature should the administrator implement to achieve this goal?

183

Which Azure tool provides personalized recommendations to improve the security, performance, cost, and reliability of your Azure resources?

184

Which Azure feature allows you to organize resources into logical groups for billing, management, and access control purposes?

185

Which Azure service provides a way to enforce organizational standards and assess compliance at scale across Azure resources?

186

What does an Azure Service Level Agreement (SLA) define?

187

Which Azure feature allows you to prevent accidental deletion or modification of critical Azure resources?

188

Which Azure service monitors the health of Azure services and infrastructure in your region, and provides notifications about planned maintenance?

189

What is the purpose of Azure tags?

190

Which Azure cost management feature allows you to analyze historical spending and forecast future costs?

191

Which Azure feature helps organizations maintain compliance by managing and auditing privileged access to Azure resources using just-in-time access?

192

Which Azure governance feature allows you to create a repeatable, deployable package of Azure resources, role assignments, and policies for new subscriptions?

193

Which Azure feature provides a unified compliance score and consolidated view of your organization's compliance posture across different regulatory standards?

194

What is the purpose of Azure Management Groups?

195

A company wants to estimate the cost of a new Azure solution before deploying it. Which tool should they use?

196

What is the purpose of the Azure Total Cost of Ownership (TCO) Calculator?

197

Which Azure service provides centralized log collection, querying, and analysis from multiple Azure resources and services?

198

Which Azure RBAC role allows a user to manage all Azure resources but cannot grant access to others?

199

What is Azure Active Directory Conditional Access?

200

Which Azure monitoring capability sends automated alerts when resource metrics exceed defined thresholds?

201

Which Azure service allows customers to extend Azure management and governance to non-Azure resources, including on-premises servers and other cloud providers?

202

A company needs to ensure that all Azure resources in a subscription are created only in specific approved regions. Which Azure feature should they implement?

203

Which Azure service provides a cloud-native SIEM (Security Information and Event Management) solution for detecting and responding to threats?

204

What is the primary purpose of Azure subscriptions?

205

Which Azure tool helps identify compliance issues by continuously evaluating your resource configurations against defined policies?

206

What is the Microsoft Trust Center?

207

What is the purpose of Azure Active Directory B2C?

208

Which Azure compliance feature allows organizations to understand which standards and regulations Azure services comply with?

209

What is Azure Role-Based Access Control (RBAC)?

210

Which Azure feature provides continuous application performance monitoring with automatic anomaly detection?

211

A company needs to ensure that no resources in any subscription can be created without a specific cost center tag. Which Azure feature accomplishes this?

212

Which Azure feature allows organizations to apply the same governance at a hierarchy of subscriptions and resource groups?

213

What does 'compliance' mean in the context of Azure?

214

Which tool allows you to automate the creation and management of Azure resources using declarative JSON or Bicep templates?

215

Which Azure governance tool provides a way to audit all changes made to resources in your Azure subscription?

216

Which Azure identity feature ensures that users must provide an additional form of verification beyond their password when signing in?

217

What is a Service Principal in Azure Active Directory?

218

Which Azure feature enables you to create policy definitions, RBAC role assignments, and ARM templates as a single package and track their deployment relationship?

219

What is a key difference between Azure Public regions and Azure Government regions?

220

Which Azure cost optimization practice involves analyzing resource usage and removing or resizing underutilized resources?

221

Which Azure feature automatically identifies cost savings opportunities like orphaned resources and idle VMs?

222

Which Azure service helps you manage and automate the deployment of virtual machines at scale across development, testing, and production environments?

223

What is the purpose of Azure AD Identity Protection?

224

What is Azure DDoS Protection Standard?

225

Which Azure service enables automated configuration management and desired state enforcement for Windows and Linux VMs?

226

What is the minimum Azure support plan that provides 24/7 access to technical support via phone and email?

227

Which Azure feature enables you to create custom roles with specific permissions when built-in RBAC roles do not meet your requirements?

228

Which Azure feature ensures that users accessing sensitive applications must be on compliant corporate devices?

229

What is the purpose of the Azure portal?

230

Which Azure cost management practice helps identify which teams or projects are consuming Azure resources through cost allocation?

231

What happens when an Azure subscription reaches its spending limit?

232

Which Azure tool provides a unified command-line experience for managing Azure resources across Windows, macOS, and Linux?

233

Which Azure feature provides a way to define and enforce allowed resource configurations, like permitted VM sizes or storage redundancy types?

234

Which Azure feature allows you to save money on Azure SQL Database and Azure SQL Managed Instance using existing on-premises SQL Server licenses?

235

What are the two types of Azure Resource Locks?

236

Which Azure feature allows an organization to identify resources that do not comply with defined policies and automatically trigger remediation?

237

Which Azure security feature prevents accidental deletion of a critical production resource group?

238

What is the purpose of Azure Cost Management budgets?

239

Which Azure portal feature enables you to create a customized view of the most important resources and metrics at a glance?

240

What is the purpose of Azure Marketplace?

241

What does the Azure SLA guarantee for a single Virtual Machine with Premium SSD disk?

242

Which Azure feature allows organizations to track spending trends and get spending forecasts for the next 30 days?

243

Which Azure feature provides an overview of the overall security posture across your Azure subscriptions with a secure score?

244

What does the Azure Pricing Calculator help you do?

245

Which Azure compliance tool helps financial services organizations meet GDPR requirements for data subject requests?

246

Which Azure support plan provides a dedicated Technical Account Manager and a 15-minute response time for critical business impact issues?

247

What is Azure Cost Management's 'cost allocation' feature used for?

248

Which Azure tool provides an interactive, browser-based command-line experience that is authenticated and pre-configured for Azure management?

249

What does the Azure SLA for a storage account guarantee?

250

What is the purpose of Azure Policy initiatives (policy sets)?

251

Which Azure feature automatically moves blob data between access tiers based on defined rules to optimize storage costs?

252

Which Azure service helps organizations understand their compliance status against regulatory standards like ISO 27001, PCI DSS, and NIST?

253

What is the Azure portal?

254

Which Azure tool helps you compare the 5-year cost of running an on-premises datacenter versus migrating those workloads to Azure?

255

Which aspect of Azure governance ensures that resources are protected from accidental or unauthorized deletion regardless of RBAC role?

256

Which Azure feature enables governance teams to define standard, repeatable Azure environments for new projects?

257

Which Azure feature allows you to set a maximum amount that can be spent on Azure services within a billing period?

258

What is Microsoft's definition of 'cloud computing' as used in the context of Azure?

259

What is the purpose of Azure Resource Graph?

260

Which Azure governance feature enables organizations to enforce that all virtual machines be tagged with a specific 'Owner' tag before deployment?

261

Which Azure service enables organizations to identify and classify sensitive data (like credit card numbers and passport numbers) stored in Azure?

262

What is the Azure Well-Architected Framework?

263

Which Azure feature automatically identifies and informs you of Azure service issues that may be affecting your resources in your region?

264

Which Azure feature provides a way to audit and track access to sensitive resources using detailed logs?

265

An organization wants to ensure that no one can create Azure resources outside of approved geographic locations across all of their subscriptions. What is the most scalable way to enforce this?

266

Which Azure support option provides technical support through community forums and documentation only?

267

Which Azure governance concept ensures that access to resources is granted only to users who need it for their job function?

268

Which Azure tool helps organizations evaluate and quantify the potential impact of Azure service disruptions on their operations?

269

Which Azure feature enables organizations to review and recertify privileged role assignments on a scheduled basis?

270

Which Azure portal blade allows you to view all resources across your subscriptions in a single place?

271

What is the primary benefit of Azure Management Groups in a large enterprise with hundreds of subscriptions?

272

What is the purpose of Azure's 'Secure Score' in Microsoft Defender for Cloud?

273

What does the Azure 'Reliability' pillar of the Well-Architected Framework focus on?

274

Which Azure feature creates an audit trail showing who performed what actions on Azure resources and when?

275

Which Azure feature can be used to prevent Azure resources in a subscription from being moved to a different resource group?

276

Which Azure service provides a centralized console for monitoring the health, performance, and security of your entire Azure environment?

277

What is the purpose of Azure's 'Cost Management + Billing' service?

278

Which Azure portal feature enables you to manage multiple Azure cloud environments (Azure Commercial, Azure Government, Azure China) from a single location?

279

What is Azure Policy's 'audit' effect used for?

280

Which Azure service provides recommendations for improving the security posture of your Azure SQL databases?

281

Which Azure feature reduces costs by allowing customers to use existing on-premises Windows Server licenses in Azure?

282

Which Azure service generates automatic recommendations for right-sizing, reserved instance purchasing, and idle resource cleanup?

283

A company needs to ensure that Azure resources are deployed with specific settings enforced without the ability for any user to change them. Which approach achieves this?

284

Which Azure concept represents the hierarchical organization of management groups, subscriptions, resource groups, and resources?

285

Which Azure feature automatically turns off virtual machines at a scheduled time daily to reduce development costs?

286

Which Azure feature enables centralized governance for multiple Azure AD tenants in a managed service provider (MSP) scenario?

287

An administrator wants to ensure that all Azure resources in a subscription have a 'CostCenter' tag applied. Which Azure service enforces this requirement?

288

An organization wants to review the compliance status of all resources across multiple subscriptions against a set of regulatory standards. Which Azure tool provides this consolidated view?

289

Which feature of Azure subscriptions allows an organization to separate billing and access management for different departments?

290

Which Azure tool provides personalized recommendations to optimize Azure resources for cost, security, reliability, performance, and operational excellence?

291

Which Azure feature allows administrators to set a maximum spending limit to prevent unexpected charges on a subscription?

292

A global organization wants to apply a consistent set of Azure policies and RBAC roles across all new subscriptions automatically as they are created. Which Azure capability enables this?

293

Which Azure feature allows you to define and enforce naming conventions for Azure resources?

294

An IT administrator needs to manage Azure resources via command line across both Windows and Linux systems. Which tools support this?

295

What is the purpose of Azure Service Health?

296

Which Azure service provides a unified security management system that strengthens the security posture of data centers and cloud workloads?

297

An administrator needs to grant a user the ability to manage virtual machines in a specific resource group but NOT allow them to modify networking or storage. Which approach is BEST?

298

What is the purpose of Azure Resource Manager (ARM)?

299

A company needs to store database connection strings and API keys securely, ensuring only authorized applications can access them. Which Azure service is designed for this?

300

Which Azure pricing option offers the GREATEST discount compared to pay-as-you-go pricing for a stable, predictable workload that will run continuously for one year?

Practice all 300 Describe Azure management and governance questions

Other AZ-900 exam domains

Describe cloud conceptsDescribe Azure architecture and services

Frequently asked questions

What does the Describe Azure management and governance domain cover on the AZ-900 exam?

Azure Management and Governance covers the tools and practices for organizing, securing, and controlling Azure resources, including Azure Policy, RBAC, resource locks, tags, cost management, and the Cloud Adoption Framework.

How many Describe Azure management and governance questions are in the AZ-900 question bank?

The Courseiva AZ-900 question bank contains 300 questions in the Describe Azure management and governance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Describe Azure management and governance for AZ-900?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Describe Azure management and governance questions for AZ-900?

Yes — the session launcher on this page draws questions exclusively from the Describe Azure management and governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your AZ-900 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

AZ-104SC-900AI-900DP-900