AZ-900 · topic practice

Azure Governance practice questions

Practise Microsoft Azure Fundamentals AZ-900 Azure Governance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Azure Governance

What the exam tests

What to know about Azure Governance

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Azure Governance exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Azure Governance questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full Governance explanation →

A company uses Azure Policy to enforce governance. They want to prevent users from creating virtual machines of the Standard_DS3_v2 SKU in their subscription, and they also want to log any attempt to create such a VM (whether successful or not) for audit purposes. What is the minimum number of Azure Policy assignments required to meet both requirements?

Question 2mediummultiple choice
Read the full Governance explanation →

A company wants to view a consolidated list of all Azure resources across multiple subscriptions and query them using Kusto Query Language (KQL). Which Azure tool should they use?

Question 3mediummultiple choice
Read the full Governance explanation →

A global company creates a new Azure subscription for each major project. To ensure compliance and consistency, the governance team needs a single, versioned, auditable package that, when assigned to a subscription, automatically deploys a standard set of Azure Policy assignments, role assignments, a resource group structure, and a pre-configured virtual network. The solution must allow these packages to be updated centrally and have changes tracked for auditing. Which Azure service should the governance team use?

Question 4easymultiple choice
Read the full Governance explanation →

A company wants to segregate their Azure resources into logical groups based on department and environment. They also want to apply access control and management at these group levels. Which Azure construct should they use?

Question 5mediummultiple choice
Read the full NAT/PAT explanation →

A multinational company has a strict data residency requirement: all Azure virtual machines must be deployed only in the East US or West Europe Azure regions. The IT governance team wants to enforce this rule automatically so that any attempt to create a virtual machine in any other region is blocked immediately at the time of deployment. Users must receive a clear error message if they try to create a VM in a disallowed region. Which Azure feature should the governance team configure to meet this requirement?

Question 6mediummultiple choice
Read the full NAT/PAT explanation →

A multinational company uses Azure management groups to organize its subscriptions. The company has a root management group (tenant root group) containing three child management groups: 'Finance', 'HR', and 'IT'. Each child management group contains multiple subscriptions. The global governance team needs to enforce an Azure Policy that restricts all resource deployments across every subscription in the organization to only the 'West US' and 'East US' regions. The policy must automatically apply to any new subscriptions that are created under any management group in the future. The team wants to assign the policy once and have it affect all current and future subscriptions with minimal administrative overhead. At which Azure scope should the team assign the policy?

A global company wants to organize its Azure resources by department and project. They need to enforce cost allocation and apply governance policies consistently across all subscriptions. Which two Azure features should they use together? (Select two.)

Question 8mediummultiple choice
Read the full NAT/PAT explanation →

A multinational company has 10 Azure subscriptions, each managed by a different department. The central governance team wants to deploy a standardized environment that includes a specific network topology (virtual network, subnets, and network security groups), a set of Azure Policy definitions to enforce tagging and encryption, and a role assignment granting the 'Reader' role to a central security team in every subscription. The team must be able to update this standard definition in one place, and any changes should automatically apply to all existing deployments that were created from the definition. Which Azure service should they use?

Question 9mediummultiple choice
Read the full Governance explanation →

A company has multiple Azure subscriptions for different projects. They want to apply the same set of Azure policies and role assignments to all subscriptions under a specific department, and they plan to add more subscriptions in the future. Which Azure construct should they use?

Question 10easymultiple choice
Read the full Governance explanation →

A company wants to organize their Azure subscriptions into a hierarchy to manage access policies and cost across different departments. They have three departments: Sales, Marketing, IT. What should they create first?

Question 11mediummultiple choice
Read the full Governance explanation →

A company stores critical configuration data in an Azure Storage account. The IT administrator wants to prevent accidental deletion of this storage account. However, the administrator must still be able to read and update the data within the storage account. The company uses Azure Role-Based Access Control (RBAC) to manage permissions. Which Azure governance feature should the administrator implement to achieve this goal?

Question 12mediummultiple choice
Read the full Governance explanation →

What is the purpose of Azure Management Groups?

Question 13mediummultiple choice
Read the full Governance explanation →

Which Azure governance feature allows you to create a repeatable, deployable package of Azure resources, role assignments, and policies for new subscriptions?

Question 14easymultiple choice
Read the full Governance explanation →

What does an Azure Service Level Agreement (SLA) define?

Question 15mediummultiple choice
Read the full Governance explanation →

A company has a policy that all Azure Storage accounts must have diagnostic settings enabled to send logs and metrics to a specific Log Analytics workspace. The governance team wants to automatically configure these diagnostic settings when a new storage account is created, without blocking the initial creation. The solution must not require manual intervention. Which Azure Policy effect should the team use in their policy definition?

Question 16mediummultiple choice
Read the full Governance explanation →

A company has a governance requirement that every Azure virtual machine must have a tag named 'CostCenter' with the value 'Unassigned'. If a user creates a VM without the tag, or with a different value for that tag, the tag should be automatically corrected to 'Unassigned' immediately upon resource creation. The IT team is writing an Azure Policy definition to enforce this. Which Policy effect should they use?

Question 17mediummultiple choice
Read the full Governance explanation →

A company has an Azure Policy assignment that denies the creation of any virtual machine (VM) that does not have a mandatory 'CostCenter' tag. A development team needs to deploy a temporary test VM without the required tag for a short-term experiment. The governance team wants to allow this specific exception while recording the reason for the exception, ensuring the policy is still enforced for all other resources. The exception must also automatically expire after 30 days. Which Azure Policy feature should the governance team use?

Question 18mediummultiple choice
Read the full Governance explanation →

A company has multiple Azure subscriptions for different development teams. They need to define a repeatable environment that includes a set of Azure policies, role assignments, and resource templates that must be applied to any new subscription created for a project. Which Azure service should they use?

Question 19mediummultiple choice
Read the full Governance explanation →

A company has a management group hierarchy with a root management group that contains all subscriptions. The governance team assigns a built-in Azure Policy initiative 'Allowed Locations' to the root management group with the 'Deny' effect, restricting resource deployment to East US and West US only. After six months, a new regulatory requirement forces the marketing department's subscription (placed under the root) to deploy resources in North Europe for a specific pilot project. The governance team must allow this exception without changing the original policy assignment and without allowing any other subscription to deploy to North Europe. What should the governance team do?

Question 20mediummultiple choice
Read the full Governance explanation →

A company has 30 Azure subscriptions organized under a single management group. The governance team wants to enforce that all resource groups must have a specific tag 'CostCenter' with a valid value. They create an Azure Policy definition with the 'Deny' effect and assign it to the root management group. However, the development team complains that they have a sandbox subscription where they need to create resource groups without the 'CostCenter' tag for testing. The governance team still wants the policy to apply to all other subscriptions but exempt the sandbox subscription. Which solution should the governance team use?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Azure Governance sessions

Start a Azure Governance only practice session

Every question in these sessions is drawn from the Azure Governance domain — nothing else.

Related practice questions

Related AZ-900 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-900 exam test about Azure Governance?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Azure Governance questions in a focused session?
Yes — the session launcher on this page draws every question from the Azure Governance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-900 topics?
Use the topic links above to move to related areas, or go back to the AZ-900 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-900 exam covers. They are not copied from any real exam or dump site.