Domain 3 of 3

Azure Management & Governance

Domain · 33.4% of the AZ-900 exam

This domain is 'running Azure well after you've built it': four management disciplines

Assuming you can already name Azure's core services, by the end of this domain you will be able to spot which operational discipline any question belongs to. Domain 3 of AZ-900 is the largest slice of the exam and shifts focus from what Azure offers to how you operate it day to day. It groups into four disciplines, each answering a different operational question. Cost Management controls spend: what will this cost, and what is it actually costing. Governance & Compliance enforces standards: what configurations are allowed and what must never be deleted. Resource Management Tools covers how you deploy and manage resources, from the point-and-click portal to declarative ARM templates. Monitoring Tools covers how you observe health: best-practice advice, Azure-platform status, and live telemetry. A question usually tests exactly one of these four, so the first move is to name which discipline it belongs to.

Estimate cost before you deploy, then track and control it after: two distinct tool sets

AZ-900 draws a hard line between planning and operating spend. Before anything exists, the Pricing Calculator estimates the cost of a planned configuration so you can compare SKUs, tiers, and regions on paper. After resources are running, Microsoft Cost Management analyzes real spend, sets budgets, and fires cost alerts. The exam reliably rewards 'calculator = estimate before; Cost Management = monitor and control after.' The standalone TCO Calculator that once built the on-premises-versus-Azure migration business case has been retired; Microsoft now routes that on-prem-vs-Azure cost/ROI comparison through the Azure Migrate business case feature, though AZ-900 may still test the TCO concept.

Governance enforces standards on resources; it is not the same as RBAC

The governance trio keeps an estate consistent as it grows, and each piece guards a different thing. Azure Policy enforces what resource configurations are allowed (permitted regions or SKUs, required tags) and reports compliance at scale, but it never grants or denies a user's permissions. Resource locks protect critical resources from accidental change and override RBAC, so even a Subscription Owner is blocked by a CanNotDelete lock until it is removed. Microsoft Purview governs the data estate (discovery, classification, and lineage across on-premises, multicloud, and SaaS) which is broader than the resource governance Policy and locks provide. The recurring exam trap is treating Policy as access control: who-can-do-what is always RBAC.

Every management tool routes through Azure Resource Manager: pick the tool by the task

The Azure portal, Azure CLI, Azure PowerShell, the SDKs, ARM/Bicep templates, and the REST API are all front ends to one control plane, the single management layer every request passes through: Azure Resource Manager (ARM). ARM authenticates and authorizes every create/read/update/delete request, so the result is identical regardless of which tool issued it. Choose interactive (portal, Cloud Shell) for one-off and exploratory work; choose declarative Infrastructure as Code (ARM templates or Bicep) when you need repeatable, version-controlled, idempotent deployments (re-applying the same definition always yields the same result) that eliminate configuration drift. Azure Arc extends this same control plane to non-Azure resources (on-premises servers, multicloud machines, Kubernetes) so Policy, RBAC, tags, and Monitor apply across the whole estate from one place.

Three monitoring tools answer three different questions

AZ-900 expects you to keep Azure Advisor, Azure Service Health, and Azure Monitor straight by the question each one answers. Advisor gives free, personalized best-practice recommendations on your configuration across reliability, security, cost, operational excellence, and performance. Service Health tells you whether Azure itself is having an issue (outage, planned maintenance, or advisory) scoped to the subscriptions and regions you actually use (distinct from the global public Azure Status page). Azure Monitor observes how your own resources and applications behave through metrics and logs, with Log Analytics for querying, alerts for proactive notification or automation, and Application Insights for application performance. Almost every monitoring item is really asking you to pick the right one of these three.

The four management disciplines: what each controls and the question it answers

DisciplineKey toolsWhat it controlsQuestion it answers
Cost ManagementPricing Calculator, Microsoft Cost Management, tagsSpend: estimated before and tracked after deploymentWhat will this cost, and what is it actually costing?
Governance & ComplianceAzure Policy, resource locks, Microsoft PurviewStandards: resource configuration, deletion protection, data governanceWhat configurations are allowed, and what must never be deleted?
Resource ManagementAzure portal, Cloud Shell (CLI/PowerShell), ARM templates/Bicep, Azure ArcDeployment and management of resources via Azure Resource ManagerHow do I create and manage resources, including non-Azure ones?
MonitoringAzure Advisor, Azure Service Health, Azure Monitor (Log Analytics, alerts, App Insights)Health: best-practice advice, platform status, and live telemetryHow do I optimize, is Azure healthy, and how are my resources behaving?

Subtopics in this domain