Chapter 20 of 21
Domain Review: Azure Management, Governance, and Monitoring Practice
Lock in your understanding of cost management, governance, and monitoring with scenario-based drills that mirror how AZ-900 frames these topics.
Big Picture: Management, Governance, and Monitoring on AZ-900
Why This Domain Matters
This domain tests whether you can choose the right Azure feature for cost, access, compliance, and monitoring scenarios, not whether you can code or design complex architectures.
Key Tool Families
You must recognize Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), and Azure Resource Manager templates, plus know when to use RBAC, Azure Policy, and resource locks.
Monitoring Focus
Conceptually distinguish Azure Monitor, Azure Service Health, alerts, Log Analytics, and Application Insights so you can pick the right one in short scenario questions.
Exam Skills to Build
Focus on tool selection, understanding scopes (subscription, resource group, resource), and avoiding traps like confusing RBAC with Azure Policy or Monitor with Service Health.
Azure Management Tools: Canonical List and Usage
The Canonical List
Azure management tools on AZ-900: Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), Azure Resource Manager templates. Memorize this exact list.
Azure Portal
Web-based graphical UI for dashboards and wizards. Best for quick, one-off tasks, exploration, and admins who prefer point-and-click operations.
PowerShell vs CLI
Azure PowerShell uses PowerShell cmdlets (great for Windows admins). Azure CLI uses `az` commands and is cross-platform for Windows, macOS, and Linux.
ARM Templates
Azure Resource Manager templates are JSON, declarative infrastructure as code. Best for consistent, repeatable deployments across environments.
Tool Selection Traps
If the question says "declarative" or "infrastructure as code", think ARM templates. If it says "non-technical user", think Azure portal instead of CLI or PowerShell.
Cost Management: Pricing Calculator and Azure Cost Management
Two Core Cost Tools
Know the difference: Azure pricing calculator (pre-deployment estimates) vs Azure Cost Management and Billing (post-deployment analysis and control).
Pricing Calculator Use
Use the pricing calculator to estimate monthly cost of planned services, compare SKUs or regions, and build a budget proposal before you deploy.
Cost Management Use
Use Azure Cost Management and Billing to see actual usage, view costs by subscription, resource group, or tag, and set budgets and alerts.
Tags and Chargeback
Apply tags like Department=Finance or Environment=Test to resources so you can group and filter costs for chargeback or showback in Cost Management.
Exam Keyword Mapping
"Estimate" or "plan costs" → pricing calculator. "Analyze current spend" or "budget alerts" → Azure Cost Management and Billing.
Cost Scenarios: Practice Choosing the Right Tool
Scenario 1: Planning a New Deployment
Need a rough monthly cost for planned VMs, database, and load balancer before approval? Use the Azure pricing calculator to estimate, since nothing is deployed yet.
Scenario 2: Department Budgets
CFO wants past three months of spend by department and alerts when budgets are exceeded. Use Azure Cost Management and Billing with tags and budgets.
Scenario 3: Comparing VM Sizes
You compare 2 vCPU vs 4 vCPU VM prices in the same region. This is SKU comparison before deployment, so use the Azure pricing calculator.
Scenario 4: Sudden Cost Spike
Costs jumped and you must find which resource group and service are responsible. Use Azure Cost Management and Billing to analyze actual spend.
Heuristic
Ask: Is this planning or analyzing actual usage? Planning → pricing calculator. Analyzing actuals → Azure Cost Management and Billing.
Governance: RBAC, Azure Policy, and Resource Locks
Three Governance Tools
Governance questions usually involve role-based access control (RBAC), Azure Policy, and resource locks. Each solves a different type of problem.
RBAC: Who Can Do What
RBAC manages who can perform which actions on which resources, using roles assigned to users, groups, or service principals.
Azure Policy: Are Resources Compliant
Azure Policy enforces rules like allowed regions, required tags, or approved SKUs so resources stay aligned with standards and SLAs.
Resource Locks: Prevent Changes
Resource locks prevent accidental deletion or modification. CanNotDelete stops deletes; ReadOnly stops both changes and deletes.
Quick Mapping
Permissions issue → RBAC. Configuration/compliance rule → Azure Policy. Protect from deletion or edits → resource lock.
Governance Thought Drills: RBAC vs Policy vs Locks
Decide which governance tool fits each scenario. Think through your answer, then compare it with the explanation.
Scenario A
You need to ensure that only the networking team can modify virtual networks, but the application team can still modify VMs in the same resource group.
- Best fit: RBAC.
- Reasoning: This is about who can modify which resource types. Use RBAC roles scoped appropriately (e.g., Network Contributor on VNets only).
Scenario B
Your company has a rule that all resources must be created in the "North Europe" or "West Europe" regions to meet data residency requirements.
- Best fit: Azure Policy.
- Reasoning: You are enforcing a configuration rule about allowed regions for resources.
Scenario C
You want to prevent accidental deletion of a production SQL database, even if an admin has Contributor permissions.
- Best fit: Resource lock (CanNotDelete).
- Reasoning: This is about blocking deletion, regardless of RBAC permissions.
Scenario D
Auditors require that all resources have a "CostCenter" tag so spending can be tracked correctly.
- Best fit: Azure Policy.
- Reasoning: You are enforcing a tagging rule on resources.
Scenario E
A junior admin should be able to view production resources but must not be able to change or delete anything.
- Best fit: RBAC (Reader role).
- Reasoning: This is purely about read-only access for a user, not about resource configuration.
Pattern to memorize: People → RBAC, Rules → Policy, Protection from deletion → Locks.
Monitoring: Azure Monitor, Logs, Metrics, and Alerts
Azure Monitor as Umbrella
Azure Monitor is the main service that collects and analyzes telemetry from Azure resources and applications so you can understand performance and detect issues.
Metrics vs Logs
Metrics are numeric time-series like CPU percentage. Logs are detailed event data, good for queries, auditing, and root-cause analysis.
Log Analytics and App Insights
Log Analytics workspaces store and query logs. Application Insights provides application performance monitoring under Azure Monitor.
Alerts
Azure Monitor alerts fire when metric or log conditions are met, notifying admins via email, SMS, or integrations so they can respond.
Exam Scenario Mapping
High CPU alert → metric alert. Investigate failures or sign-ins → logs/Log Analytics. Web app performance and failures → Application Insights.
Service Health vs Monitor: Knowing When Things Are Broken
Two Perspectives
Azure Monitor watches your resources and apps. Azure Service Health reports on Azure platform and region issues that affect those resources.
Service Health Components
Azure Status shows global service health, Service Health shows issues affecting your subscriptions, and Resource Health shows status of individual resources.
When to Use Service Health
Use Service Health to see if an outage or maintenance in a region or Azure service is impacting your resources, and to get incident history.
When to Use Monitor
Use Azure Monitor to track performance metrics, logs, and alerts for your VMs, databases, and applications.
Exam Trap Pattern
If the scenario mentions Microsoft outages or planned maintenance notifications, choose Azure Service Health, not Azure Monitor.
Quick Check: Cost and Governance
Answer this exam-style question and then review the explanation.
Your company wants to ensure that all new resources in a subscription are created only in the "North Europe" or "West Europe" regions. Which Azure feature should you use?
- A) Role-based access control (RBAC)
- B) Azure Policy
- C) Resource locks
- D) Azure Cost Management and Billing
Answer: B) Azure Policy
This is a configuration rule about allowed regions for resources, which is exactly what Azure Policy is for. RBAC controls who can perform actions, resource locks prevent deletion or modification, and Azure Cost Management and Billing analyzes and controls spending.
Quick Check: Monitoring and Management Tools
Test your ability to pick the correct monitoring or management tool.
An admin needs to be notified if Microsoft schedules planned maintenance that may impact their virtual machines in a specific region. Which service should they configure alerts in?
- A) Azure Monitor metrics
- B) Azure Service Health
- C) Azure Cost Management and Billing
- D) Azure Command-Line Interface (CLI)
Answer: B) Azure Service Health
Planned maintenance and outages on the Azure platform are surfaced through Azure Service Health. You can configure Service Health alerts to notify you when incidents or maintenance events affect your resources.
Key Term Flashcards: Governance and Monitoring
Use these flashcards to reinforce core definitions and distinctions.
- Azure management tools (canonical list)
  - Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), Azure Resource Manager templates.
- Role-based access control (RBAC)
  - Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
  - Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Resource lock types
  - Two main types: CanNotDelete (cannot delete but can read/modify) and ReadOnly (can only read; no changes or deletes).
- Azure pricing calculator vs Azure Cost Management and Billing
  - Pricing calculator: estimates future costs before deployment. Azure Cost Management and Billing: analyzes and controls actual spending after deployment, supports budgets and cost analysis.
- Azure Monitor
  - Azure Monitor is the platform service that collects and analyzes telemetry (metrics and logs) from Azure resources and applications, enabling dashboards, alerts, and insights.
- Azure Service Health
  - Azure Service Health provides personalized alerts and guidance when Azure service and region issues, planned maintenance, or health advisories affect your resources.
- Metrics vs logs
  - Metrics are numeric values collected at regular intervals (e.g., CPU%). Logs are detailed event records and messages for auditing and troubleshooting.
- Application Insights (concept)
  - Application Insights, under Azure Monitor, provides application performance monitoring such as request rates, response times, failures, and user behavior.
- When to choose Azure portal
  - Use Azure portal for interactive, graphical management, quick one-off tasks, visualization, and when non-scripting admins need to manage resources.
Common Exam Traps and How to Avoid Them
RBAC vs Policy
Who can do what → RBAC. How resources must be configured (regions, tags, SKUs) → Azure Policy. Do not mix these up on the exam.
Monitor vs Service Health
Resource performance and telemetry → Azure Monitor. Azure-wide outages and maintenance events → Azure Service Health.
Cost Tools Traps
Future cost estimates → pricing calculator. Actual spend analysis and budgets → Azure Cost Management and Billing.
Locks vs Permissions
Use resource locks to block deletion or modification even if RBAC allows it. Use RBAC to grant or restrict actions in the first place.
Management Tool Mapping
ARM templates = declarative IaC, PowerShell = Windows scripting, CLI = cross-platform scripting, portal = graphical interface and dashboards.
Key Terms
- Tags
  - Key-value pairs applied to Azure resources to organize and categorize them, often used for cost tracking, automation, and governance.
- Azure Status
  - Part of Azure Service Health that shows the global health of Azure services and regions.
- Azure portal
  - The web-based graphical user interface for managing Azure resources, providing dashboards, blades, and wizards.
- Azure Monitor
  - The platform service that collects metrics and logs from Azure resources and applications, enabling dashboards, alerts, and insights.
- Resource lock
  - A setting applied to Azure resources or resource groups to prevent accidental deletion or modification, with CanNotDelete and ReadOnly options.
- Resource Health
  - Part of Azure Service Health that shows the current and historical health of individual Azure resources.
- Azure PowerShell
  - A set of PowerShell cmdlets for managing Azure resources from the command line or scripts, often used by Windows administrators.
- Application Insights
  - An Azure Monitor feature that provides application performance monitoring, including request rates, response times, failures, and usage analytics.
- Azure Service Health
  - Service that provides personalized alerts and information about Azure service and region issues, planned maintenance, and health advisories affecting your resources.
- Log Analytics workspace
  - An Azure Monitor component that stores log data and allows querying and analysis using Kusto Query Language (KQL).
- Azure pricing calculator
  - An online tool for estimating the cost of planned Azure services before deployment by selecting SKUs, regions, and quantities.
- Budgets (Cost Management)
  - Limits set in Azure Cost Management and Billing to track and get alerted when spending approaches or exceeds specified thresholds.
- Azure Resource Manager templates
  - JSON-based, declarative templates used to define and deploy Azure infrastructure as code in a consistent, repeatable way.
- Azure Cost Management and Billing
  - Azure service for tracking, analyzing, and optimizing cloud spending, including budgets, alerts, and cost analysis by subscription, resource group, or tag.
- Azure Command-Line Interface (CLI)
  - A cross-platform command-line tool (using `az` commands) for creating and managing Azure resources on Windows, macOS, and Linux.