Azure Management and Governance is the domain that covers how to organize, secure, and control your Azure resources at scale. Think of it as the 'operating system' for your cloud environment—it includes tools for managing multiple subscriptions, applying policies to enforce compliance, tracking costs, and ensuring your cloud stays secure and well-organized. For example, you might use Azure Policy to automatically block the creation of virtual machines in certain regions, or Azure Cost Management to set budgets and get alerts when spending exceeds a threshold. This domain is crucial because without proper governance, cloud environments can quickly become chaotic, expensive, and insecure. In real-world IT, a company might have hundreds of subscriptions and thousands of resources; governance tools help administrators maintain control, meet regulatory requirements, and optimize costs. On the AZ-900 exam, this domain tests your understanding of these management and governance services, not their deep technical implementation. You'll need to know what each service does, when to use it, and how they relate to each other. Common topics include Azure Blueprints, Azure Policy, Role-Based Access Control (RBAC), resource locks, tags, Azure Cost Management, and the Microsoft Cloud Adoption Framework. To study effectively, focus on the purpose and use cases of each service rather than memorizing steps. Use Microsoft's free documentation and the Azure portal to explore these tools in a trial subscription. Create a resource group, apply a policy, set up a budget, and assign roles—this hands-on practice will solidify your understanding and help you answer scenario-based questions on the exam.
AZ-900 Describe Azure management and governance — Key Topics
Azure Management and Governance covers the tools and practices for organizing, securing, and controlling Azure resources, including Azure Policy, RBAC, resource locks, tags, cost management, and the Cloud Adoption Framework.
Azure Policy – creating and assigning policies to enforce compliance rules
Role-Based Access Control (RBAC) – assigning roles like Owner, Contributor, Reader to users/groups
Resource locks – preventing accidental deletion or modification of resources
Tags – organizing resources with metadata for cost tracking and management
Azure Cost Management – setting budgets, analyzing costs, and using pricing calculator
Azure Blueprints – packaging policies, RBAC, and resource groups for repeatable deployments
Common exam traps
Where candidates lose marks on Describe Azure management and governance
⚠Confusing Azure Policy with Azure RBAC: Policy enforces rules on resources (e.g., 'must have a tag'), while RBAC controls who can access resources
⚠Thinking resource locks prevent all changes: Read-only lock prevents modification but not deletion; Delete lock prevents deletion but allows modification
⚠Assuming tags are inherited by default: Tags are not automatically inherited from resource groups to resources; you must apply them explicitly or use Azure Policy to enforce inheritance
AZ-900 Describe Azure management and governance — Practice Questions
A company has multiple Azure subscriptions for different departments. They want to enforce consistent policies across all subscriptions regarding allowed virtual machine sizes and require compliance reporting. Which Azure feature should they use?
A company uses Azure and wants to ensure that their IT team receives alerts when virtual machines are deallocated unexpectedly. Which Azure service should they use to create a rule that triggers an action when a VM is deallocated?
A company needs to track and optimize costs across multiple Azure subscriptions. They want to allocate budgets and receive notifications when spending exceeds forecasted amounts. Which Azure tool should they use?
A global company wants to organize its Azure resources by department and project. They need to enforce cost allocation and apply governance policies consistently across all subscriptions. Which two Azure features should they use together? (Select two.)
A company wants to ensure that all new Azure resources in a subscription are automatically tagged with a 'Department' tag. Which Azure service should they use to enforce this requirement?
A company has multiple Azure subscriptions for different departments. They want to receive budget alerts when spending in any subscription exceeds 80% of the allocated amount. Which Azure feature enables them to set up these alerts?
A company wants to ensure that whenever a new Azure subscription is created, it automatically inherits a set of baseline policies, role assignments, and resource groups. Which Azure tool should they use to package and deploy these governance components consistently?
A company uses Azure Resource Manager templates to deploy and manage infrastructure. They need to ensure that resources are deployed in a consistent, repeatable manner across environments. Which two benefits does using ARM templates provide? (Choose two.)
A company wants to deploy a standardized environment that includes Azure Policy assignments, RBAC roles, and resource group templates. They need to version these components and apply them to multiple subscriptions. Which Azure service should they use?
A company has multiple Azure subscriptions. The finance team needs to analyze spending trends and create budgets to prevent cost overruns. Which Azure tool should they use to visualize historical spending and set budget alerts?
A company uses Azure Policy to enforce that all virtual machines must be from an approved list of SKUs. They want to ensure that any non-compliant VMs that already exist are automatically remediated by changing the VM size to a compliant SKU. Which policy effect should they use?
A company has a critical Azure resource group that contains production resources. They want to ensure that no one can accidentally delete or modify the resources in this group, even if they have Contributor permissions. Which Azure feature should they use?
A company wants to receive notifications when Azure services in their region experience an outage or planned maintenance that might affect their resources. Which Azure service should they set up alerts for?
A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?
A company has multiple Azure subscriptions. The IT team wants to apply common policies and role assignments across all subscriptions automatically when a new subscription is created. Which Azure service should they use?
A company wants to track resource usage across departments and projects. They have multiple Azure subscriptions. They need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?
A company has a policy that requires all storage accounts to have secure transfer enabled. They want to automatically audit all existing storage accounts and enforce the setting on new ones. They also want to automatically fix non-compliant new storage accounts. Which Azure Policy effect combination should they use?
A company uses Azure Resource Manager templates to deploy infrastructure. They need to manage secrets such as database connection strings and passwords securely. Which Azure service should they use to store and retrieve these secrets during deployment?
A company manages multiple Azure subscriptions for different business units. They want to define a standard set of policies, such as allowed VM SKUs and required resource tags, and ensure these policies are always applied whenever a new subscription is created. Which Azure feature should they use to enforce governance at this level?
A company uses Azure Policy to require that all storage accounts must have blob soft delete enabled. They also want to automatically create a remediation task that fixes any existing non-compliant storage accounts. Which policy effect should they include in the policy definition to achieve automatic remediation?
A company has a policy that all Azure resources deployed to production subscriptions must be tagged with a 'CostCenter' tag. They want to automatically prevent the creation of any resource that does not include this tag. Which Azure Policy effect should they use in their policy definition?
A company wants to analyze historical spending data across all Azure subscriptions and set proactive budget alerts to prevent cost overruns. They also need to identify spending trends by resource type. Which Azure tool should they use to meet all these requirements?
A company has an Azure policy requirement that all new resources in a specific resource group must have a 'Department' tag. If a resource is created without this tag, the tag should be automatically added with a default value of 'Finance'. Which Azure Policy effect should be used?
A company has multiple Azure subscriptions for different departments. The IT team wants to apply a common set of policies (e.g., allowed VM sizes) and assign the same role-based access control (RBAC) permissions across all subscriptions automatically. Which Azure feature should they use?
A company wants to track spending across different projects. They have multiple Azure subscriptions and need to assign costs to specific departments based on resource usage. Which Azure feature enables them to view and analyze costs by resource tags?
A company has multiple Azure subscriptions for different departments. The IT team wants to ensure that all resources in a specific subscription are only deployed in the 'West Europe' region. Which Azure feature should they use to enforce this restriction?
A company wants to track costs by department across multiple Azure subscriptions. They have tagged resources with 'Department' tags. However, some resources are missing tags. They want to see a report of costs grouped by department, including untagged resources. Which Azure tool should they use?
A company wants to enforce a naming convention for all Azure resources. For example, all resources must start with 'Contoso-'. They want to automatically audit and deny creation of resources that do not follow the naming convention. Which Azure Policy effect should they use?
A company uses Azure Blueprints to define a repeatable set of Azure resources and policies for new subscriptions. They want to ensure that when a new subscription is created, a specific role assignment is automatically applied. What should they include in the blueprint definition?
A company has a policy that all Azure resources must have an 'Owner' tag. They want to automatically add the 'Owner' tag with a value 'Default' to any resource created without it. Which Azure Policy effect should they use?
More Describe Azure management and governance questions available in the full practice test.