
Domain 3: Describe Azure Management and Governance


Microsoft Azure Fundamentals (AZ-900) — Domain 3: Describe Azure Management and Governance

Exam Code: AZ-900  |  Level: Foundational
Domain Weight: 30–35%  |  Total Domains: 3  |  Passing Score: 700/1000


Table of Contents

  1. Cost Management in Azure
  2. Governance and Compliance
  3. Managing and Deploying Azure Resources
  4. Monitoring Tools in Azure
  5. Exam Tips & Quick Reference

1. Cost Management in Azure

Cost management is a core governance concern for every organization on Azure. Without proper controls, cloud spending can grow unpredictably. Azure provides multiple tools to estimate, monitor, analyze, and optimize cloud costs. This is one of the most practical and exam-heavy topics in Domain 3.

1.1 Factors That Affect Azure Costs

Understanding what drives Azure costs is essential before you can manage them. Azure uses a consumption-based model — you pay for what you use — but several variables influence the final bill.

Resource Type

Different Azure services have different pricing structures. A VM is billed per hour; Blob Storage is billed per GB stored; Azure Functions is billed per execution and execution duration. Pricing varies by:

  • The tier or SKU of the resource (e.g., Premium SSD vs Standard HDD)
  • The configuration (e.g., 2 vCPUs vs 64 vCPUs on a VM)
  • The specific service (e.g., Azure SQL is priced differently from Cosmos DB)

Geographic Region

Pricing for the same Azure service varies by region. This happens because of differences in:

  • Electricity and datacenter operations cost per region
  • Local tax and regulatory requirements
  • Supply and demand for infrastructure in that region

Exam Tip: East US is generally one of the cheapest Azure regions for most services. West Europe tends to cost more. Region selection is a genuine cost optimization lever.

Ingress and Egress (Data Transfer)

Azure follows an asymmetric data transfer pricing model:

| Data Transfer | Cost |
|---|---|
| Inbound (Ingress) to Azure | Free |
| Outbound (Egress) from Azure to Internet | Charged (tiered by GB, varies by region) |
| Between Azure regions | Charged |
| Within the same region | Free (between resources in same VNet) |
| Between Availability Zones (same region) | Charged (per GB) |

Key Concept: You pay to get data out of Azure — not to get data in. This is a universal cloud pricing principle. Large-scale data egress (e.g., streaming, analytics exports) can significantly affect total cost.

Consumption vs Reserved vs Spot Pricing

| Model | Description | Typical Savings |
|---|---|---|
| Pay-As-You-Go | Default; billed per second of use | Baseline |
| Reserved Instances | 1- or 3-year commitment to a VM type/region | Up to 72% |
| Azure Savings Plans | Flexible commitment to hourly spend; more flexibility than RI | Up to 65% |
| Azure Spot VMs | Use unused Azure capacity; can be evicted with 30-second notice | Up to 90% |
| Azure Hybrid Benefit | Use existing Windows Server / SQL Server licenses on Azure | Up to 40% |
| Dev/Test Pricing | Discounted rates for non-production environments | ~55% on Windows VMs |

Azure Marketplace

Some third-party software deployed from Azure Marketplace carries software licensing fees on top of Azure infrastructure costs. For example, deploying a vendor's security appliance from Marketplace bills both the VM compute cost and the vendor's software license fee.


1.2 Azure Pricing Calculator

The Azure Pricing Calculator is a free, web-based tool that lets you build hypothetical Azure configurations and estimate their monthly cost before deploying anything.

URL: https://azure.microsoft.com/pricing/calculator/

How to use it:

  1. Select the Azure services you plan to use (e.g., 1 × D4s_v5 VM in East US)
  2. Configure each service (region, tier, usage hours, storage amount, etc.)
  3. The calculator shows a monthly cost estimate broken down by service
  4. Save and share estimates with stakeholders

Key features:

| Feature | Description |
|---|---|
| Product catalog | Browse all Azure services and add them to your estimate |
| Region selector | Compare costs across different Azure regions |
| Licensing options | Toggle between Pay-As-You-Go, Reserved, and Azure Hybrid Benefit |
| Export | Download the estimate as an Excel file |
| Shareable link | Send the estimate URL to colleagues |

Exam Tip: The Pricing Calculator gives estimates, not actual costs. It is for planning and budgeting — not for seeing what you've already been charged. For actual billing, use the Microsoft Cost Management tool.


1.3 Azure Total Cost of Ownership Calculator

The Azure TCO (Total Cost of Ownership) Calculator compares the cost of running workloads on-premises versus on Azure — used to build the business case for cloud migration.

URL: https://azure.microsoft.com/pricing/tco/calculator/

How it works:

  1. Define workloads: Enter your current on-premises infrastructure (servers, databases, storage, networking)
  2. Adjust assumptions: Modify cost assumptions (electricity price, IT labor rate, hardware refresh cycle, software licenses)
  3. View the report: The TCO Calculator shows a side-by-side comparison of on-premises vs Azure costs over 1–5 years

What the TCO Calculator accounts for:

  • Server hardware purchase and refresh cycles
  • Datacenter facility costs (rent, power, cooling)
  • IT labor costs (server administration, maintenance)
  • Software licensing (OS, middleware)
  • Networking hardware

Key Concept: The TCO Calculator exists to justify cloud migration financially. Its target audience is executives and finance teams — not engineers. Exam questions often test whether you can distinguish the TCO Calculator (compare on-prem vs cloud) from the Pricing Calculator (estimate Azure costs).

| Calculator | Purpose | When to Use |
|---|---|---|
| Pricing Calculator | Estimate Azure costs before deploying | Planning new Azure workloads |
| TCO Calculator | Compare on-premises vs Azure costs | Building business case for migration |
| Cost Management | View and analyze actual Azure spend | After resources are deployed |

1.4 Microsoft Cost Management Tool

Microsoft Cost Management (formerly Azure Cost Management + Billing) is the built-in Azure tool for monitoring, analyzing, and optimizing actual Azure spending after resources are deployed.

Key capabilities:

| Capability | Description |
|---|---|
| Cost Analysis | Visualize costs over time; filter by subscription, resource group, service, tag, or location |
| Budgets | Set spending limits and receive alerts when thresholds are approached or exceeded |
| Alerts | Automated notifications when costs hit a % of the budget |
| Recommendations | Integrated with Azure Advisor to surface cost savings opportunities |
| Cost allocation | Use tags to allocate costs to departments, teams, or projects |
| Invoice and billing | View invoices, download CSV billing data |
| Multi-cloud | Monitor AWS costs alongside Azure costs |

Budgets and Alerts workflow:

Set Budget (e.g., $10,000/month for subscription)
    │
    ▼
Cost Management tracks actual spend in real time
    │
    ▼
Alert threshold reached (e.g., 80% = $8,000 spent)
    │
    ▼
Email / Action Group triggered
    │
    ▼
Team investigates and adjusts resources

Key Concept: Budgets in Azure Cost Management do NOT automatically stop resources when the limit is hit — they only alert you. Stopping resources requires manual action or automation (e.g., an Azure Automation runbook triggered by the alert).

Tags for Cost Allocation:

Tags are key-value pairs attached to Azure resources. They are the primary mechanism for cost allocation and chargeback across teams, projects, or environments.

Example tags:
  Environment = Production
  Department  = Finance
  Project     = ERP-Upgrade
  Owner       = [email protected]
  CostCenter  = CC-4521

With proper tagging, Cost Management can filter and group costs by any tag — enabling department-level billing reports.

Exam Tip: Tags are optional and not inherited by child resources automatically (unlike RBAC and policies from Management Groups). You must apply tags explicitly to each resource or configure a policy to enforce tagging.


1.5 Azure Cost Optimization Strategies

A complete cost optimization strategy combines multiple levers:

  • Right-sizing: Analyze VM metrics and downsize over-provisioned VMs (Azure Advisor recommendations)
  • Reserved Instances: Commit to 1 or 3 years for predictable workloads (up to 72% savings)
  • Spot VMs: Use for batch jobs, testing, and fault-tolerant workloads that tolerate interruption
  • Auto-shutdown: Schedule VMs to shut down outside business hours (e.g., dev/test VMs off on nights and weekends)
  • Blob lifecycle management: Automatically tier or delete old blobs based on age
  • Delete unused resources: Identify orphaned disks, unused public IPs, empty resource groups
  • Azure Hybrid Benefit: Apply existing on-premises Windows Server and SQL Server licenses
  • Budgets and alerts: Proactively catch overspending before it becomes a large invoice
  • Azure Savings Plans: Flexible commitment to an hourly spend across any VM family or region

2. Governance and Compliance

Governance is the framework of rules, processes, and tools that ensure Azure resources are used in a controlled, compliant, and consistent manner. Without governance, organizations face audit failures, security risks, and uncontrolled cloud sprawl.

2.1 Microsoft Purview

Microsoft Purview is a unified data governance and compliance service that helps organizations discover, classify, protect, and manage their data — both on-premises and in the cloud.

Key Concept: Microsoft Purview was formerly two separate products: Azure Purview (data governance) and the Microsoft 365 Compliance Center (compliance and data protection). They have been unified into a single platform.

Microsoft Purview — Core Areas:

| Area | What It Does |
|---|---|
| Data Map | Discovers and maps data assets across Azure, on-premises, AWS, and Microsoft 365 |
| Data Catalog | A searchable inventory of data assets; enables data discovery across the organization |
| Data Insights | Reports on data classification, sensitivity labels, and compliance status |
| Information Protection | Classifies and labels sensitive data (e.g., PII, financial data); applies encryption and access policies |
| Data Lifecycle Management | Automates retention and deletion of records to meet regulatory requirements |
| Compliance Manager | Tracks compliance against standards like GDPR, ISO 27001, HIPAA, and SOC 2 |
| Audit | Captures and searches audit logs of user and admin activities across Microsoft 365 and Azure |
| eDiscovery | Identifies, holds, and exports data for legal investigations |

Exam Tip: When a scenario asks about "discovering and classifying data across the organization" or "managing compliance with GDPR," the answer is Microsoft Purview.


2.2 Azure Policy

Azure Policy is a governance service that creates, assigns, and manages rules (policies) that enforce or audit specific configurations across Azure resources. It ensures resources remain compliant with organizational standards and regulatory requirements.

Key Concept: Azure Policy defines what is allowed — it can prevent non-compliant resources from being created (Deny effect) or flag existing non-compliant resources without preventing them (Audit effect).

Azure Policy Effects:

| Effect | What Happens |
|---|---|
| Deny | Blocks the creation or modification of a non-compliant resource |
| Audit | Allows the resource to be created but marks it as non-compliant in the compliance report |
| Append | Adds additional fields to a resource (e.g., add a required tag) |
| DeployIfNotExists | Deploys a required companion resource if it doesn't exist (e.g., deploy a monitoring agent) |
| Modify | Adds, updates, or removes tags and properties on resources |
| Disabled | Policy is defined but not enforced (useful for testing) |

Policy example — Enforce tagging:

{
  "if": {
    "field": "tags['Environment']",
    "exists": "false"
  },
  "then": {
    "effect": "Deny"
  }
}

This policy denies the creation of any resource that does not have an Environment tag.

Policy Initiatives (Policy Sets):

A Policy Initiative (also called a Policy Set) is a collection of multiple policy definitions grouped together to achieve a broader goal. For example, the built-in initiative "Enable Azure Monitor for VMs" contains several policies that together ensure VMs have monitoring agents installed and configured.

Policy Assignment Scope:

Policies can be assigned at:

  • Management Group level (applies to all subscriptions within it)
  • Subscription level (applies to all resource groups in it)
  • Resource Group level (applies to all resources in it)

Azure Policy — How It Works:

Resource Create/Modify Request
        │
        ▼
  Azure Resource Manager
        │
        ▼
  Policy Engine Evaluation
  ┌─────────────────────────────┐
  │  Does resource comply with  │
  │  all assigned policies?     │
  └─────────────────────────────┘
        │                    │
       YES                   NO
        │                    │
        ▼                    ▼
  Resource Created     Deny Effect → Request Blocked
                       Audit Effect → Resource Created, marked non-compliant

Exam Tip: Azure Policy is a preventive and detective control — not an identity control. RBAC controls who can do things; Azure Policy controls what configurations are allowed. They are complementary, not substitutes.
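
The evaluation flow above, worked through as an added example (a simplified Python model written for these notes, not Azure's policy engine or any Microsoft code): it applies the tagging rule shown earlier under Deny and Audit assignments at resource group and subscription scope. The assignment names, resource names and subscription ID are constructed, and only a small subset of the policy language is modelled.

```python
"""Simplified model of Azure Policy evaluation (illustrative, not Azure's engine)."""
import re

# Rule from the notes: matches any resource that has no Environment tag.
MISSING_ENVIRONMENT = {"field": "tags['Environment']", "exists": "false"}
# Same shape of rule for a second tag (constructed for this example).
MISSING_COSTCENTER = {"field": "tags['CostCenter']", "exists": "false"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed assignments: Deny on one resource group, Audit on the whole
# subscription, plus a Disabled rule that must never take effect.
ASSIGNMENTS = [
    {"name": "deny-missing-environment", "scope": f"{SUB}/resourceGroups/rg-prod",
     "if": MISSING_ENVIRONMENT, "effect": "Deny"},
    {"name": "audit-missing-costcenter", "scope": SUB,
     "if": MISSING_COSTCENTER, "effect": "Audit"},
    {"name": "draft-location-rule", "scope": SUB,
     "if": {"not": {"field": "location", "in": ["eastus"]}}, "effect": "Disabled"},
]


def field_value(resource, field):
    """Resolve a policy field: tags['Name'] or a top-level property."""
    tag = re.fullmatch(r"tags\['(.+)'\]", field)
    if tag:
        # Tag names are compared case-insensitively in this model.
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(tag.group(1).lower())
    return resource.get(field)


def matches(resource, cond):
    """Evaluate an 'if' block: allOf / anyOf / not, and exists / equals / in."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id, scope):
    """An assignment applies to its scope and everything beneath it."""
    rid, scope = resource_id.lower(), scope.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")


def evaluate(resource, assignments):
    """Decide one create/modify request against all assignments."""
    hits = [a for a in assignments
            if a["effect"].lower() != "disabled"
            and in_scope(resource["id"], a["scope"])
            and matches(resource, a["if"])]
    denied_by = [a["name"] for a in hits if a["effect"].lower() == "deny"]
    # Deny is evaluated before Audit: a blocked request creates nothing to flag.
    audited = [] if denied_by else [a["name"] for a in hits if a["effect"].lower() == "audit"]
    return {"allowed": not denied_by, "denied_by": denied_by, "non_compliant": audited}


def request(group, name, tags=None, location="eastus"):
    """Build a constructed storage-account request in the given resource group."""
    rid = f"{SUB}/resourceGroups/{group}/providers/Microsoft.Storage/storageAccounts/{name}"
    return {"id": rid, "location": location, "tags": tags}


REQUESTS = {
    "prod-untagged": request("rg-prod", "stprod01"),
    "prod-tagged": request("rg-prod", "stprod02",
                           {"environment": "Production", "CostCenter": "CC-4521"}),
    "dev-untagged": request("rg-dev", "stdev01", location="westeurope"),
    # Name shares a prefix with rg-prod but is a different scope.
    "lookalike-group": request("rg-prod2", "stprod03"),
}

if __name__ == "__main__":
    for label, res in REQUESTS.items():
        print(label, evaluate(res, ASSIGNMENTS))
```

The `lookalike-group` request is the case worth noting: scope matching has to respect the path boundary, otherwise a rule assigned to `rg-prod` would silently apply to `rg-prod2`.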


2.3 Resource Locks

Resource Locks protect critical Azure resources from accidental deletion or modification. Even if a user has Owner-level RBAC permissions, a lock will prevent the protected action.

Two types of Resource Locks:

| Lock Type | Prevents | Allows |
|---|---|---|
| Delete | Deletion of the resource | Reading and modifying the resource |
| ReadOnly | Both deletion AND modification | Reading the resource only (like Reader RBAC role) |

Key Concept: Resource Locks override RBAC permissions. An Owner with a Delete lock on a resource group cannot delete that resource group until the lock is removed first. This is by design — locks protect against human error.

Inheritance: Locks set at a higher scope (e.g., resource group) are inherited by all resources within that scope. A Delete lock on a resource group prevents deletion of any resource in that group.

Who can manage locks:

  • The Owner and User Access Administrator built-in roles can create and delete locks
  • The Contributor role cannot manage locks (this is a commonly tested distinction)

Lock Hierarchy — Lock at resource group level:

Resource Group [DELETE LOCK]
  ├── VM-Production      ◄── Cannot be deleted
  ├── SQL-Database       ◄── Cannot be deleted
  └── StorageAccount-01  ◄── Cannot be deleted

To delete the VM: First remove the lock → Then delete the VM

Exam Tip: Resource locks prevent accidental operations by authorized users. They are not a substitute for RBAC (which prevents unauthorized access). The correct answer for "prevent even administrators from accidentally deleting a critical database" is a Delete Lock.
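
Lock inheritance (this section) and the lack of tag inheritance (section 1.4) behave in opposite ways, which the following added example checks over an exported inventory. It is written for these notes, not taken from any Azure tooling. The sample data is constructed and assumed to be shaped like the JSON printed by `az resource list`, `az group list` and `az lock list`, where the Delete lock appears with the level value `CanNotDelete`.

```python
"""Audit lock coverage (inherited) and tag coverage (not inherited)."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
PROD = f"{SUB}/resourceGroups/rg-prod"
SQL_ID = f"{PROD}/providers/Microsoft.Sql/servers/sql-prod"

# Constructed sample inventory.
GROUPS = [
    {"name": "rg-prod", "tags": {"Environment": "Production", "CostCenter": "CC-4521"}},
    {"name": "rg-dev", "tags": None},
]
RESOURCES = [
    {"id": f"{PROD}/providers/Microsoft.Compute/virtualMachines/VM-Production",
     "tags": {"Environment": "Production"}},
    {"id": SQL_ID, "tags": None},
    {"id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev01",
     "tags": {"Environment": "Dev", "CostCenter": "CC-4521"}},
]
LOCKS = [
    # Lock on the resource group: inherited by everything inside it.
    {"id": f"{PROD}/providers/Microsoft.Authorization/locks/no-delete",
     "level": "CanNotDelete"},
    # Lock on a single resource.
    {"id": f"{SQL_ID}/providers/Microsoft.Authorization/locks/freeze",
     "level": "ReadOnly"},
]

LOCK_MARKER = "/providers/microsoft.authorization/locks/"


def lock_scope(lock):
    """Scope a lock protects: its ID with the trailing locks/<name> part removed."""
    lock_id = lock["id"].lower()
    return lock_id[: lock_id.rindex(LOCK_MARKER)]


def covering_locks(resource_id, locks):
    """Locks set on the resource itself or on any scope above it."""
    rid = resource_id.lower()
    return [l for l in locks
            if rid == lock_scope(l) or rid.startswith(lock_scope(l) + "/")]


def resource_group_of(resource_id):
    """Extract the resource group name from a resource ID."""
    parts = resource_id.split("/")
    return parts[[p.lower() for p in parts].index("resourcegroups") + 1].lower()


def audit(resources, groups, locks, required_tags):
    """One report row per resource: lock protection and missing tags."""
    group_tags = {g["name"].lower(): {k.lower() for k in (g.get("tags") or {})}
                  for g in groups}
    report = []
    for res in resources:
        own = {k.lower() for k in (res.get("tags") or {})}
        # Only the resource's own tags count; the group's tags are not inherited.
        missing = [t for t in required_tags if t.lower() not in own]
        on_group = group_tags.get(resource_group_of(res["id"]), set())
        covering = covering_locks(res["id"], locks)
        report.append({
            "name": res["id"].rsplit("/", 1)[-1],
            # Both lock levels block deletion, so any covering lock protects.
            "delete_protected": bool(covering),
            "lock_levels": sorted({l["level"] for l in covering}),
            "missing_tags": missing,
            # Tags that exist on the group only: candidates for a tagging policy.
            "only_on_group": [t for t in missing if t.lower() in on_group],
        })
    return report


if __name__ == "__main__":
    for row in audit(RESOURCES, GROUPS, LOCKS, ["Environment", "CostCenter"]):
        print(row)
```

Rows with a non-empty `only_on_group` are the ones a cost report grouped by tag would miss even though the resource group looks correctly tagged.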


2.4 Microsoft Defender for Cloud (Compliance View)

Microsoft Defender for Cloud (covered technically in Domain 2) also serves a key governance and compliance function in Domain 3 through its Regulatory Compliance Dashboard.

The Regulatory Compliance section of Defender for Cloud:

  • Maps your Azure configurations against industry standards and frameworks
  • Supported frameworks: NIST SP 800-53, ISO 27001, PCI-DSS, HIPAA, SOC 2, CIS Benchmarks, GDPR, Australian ISM, and many more
  • Shows a compliance score per framework
  • Identifies specific controls that are failing and links to remediation steps

Note: Defender for Cloud's compliance assessment is automated — it continuously scans your environment and updates the compliance dashboard in near real-time. No manual questionnaires required.


3. Managing and Deploying Azure Resources

Azure resources can be managed through multiple interfaces. Choosing the right tool depends on whether you need a graphical interface, scripting/automation, infrastructure-as-code, or multi-cloud management.

3.1 Azure Portal

The Azure Portal is a web-based, graphical interface for managing all Azure resources. It is the primary tool for users who prefer visual interaction.

URL: https://portal.azure.com

Key capabilities:

  • Create, view, modify, and delete any Azure resource
  • Build custom dashboards with pinned charts, metrics, and resource tiles
  • Navigate the resource hierarchy (Management Groups → Subscriptions → Resource Groups → Resources)
  • Access Cost Management, Azure Monitor, and all governance tools
  • Integrated Cloud Shell for command-line access within the browser

Characteristics:

  • No automation capability (cannot be scripted or scheduled)
  • Best for one-off tasks, exploration, and learning
  • Accessible from any modern browser
  • Role-based UI — users only see what their RBAC roles permit

Note: The Azure Portal is not recommended for large-scale repetitive deployments — use CLI, PowerShell, or ARM Templates for automation.


3.2 Azure Cloud Shell, CLI, and PowerShell

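Azure provides two command-line interfaces for scripting and automation, Azure CLI and Azure PowerShell. Both are also available in Azure Cloud Shell, a browser-based shell that needs no local installation: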

Azure Cloud Shell

Azure Cloud Shell is a browser-based, authenticated, interactive shell that runs directly in the Azure Portal or at https://shell.azure.com. It requires no local installation.

  • Supports both Bash (Azure CLI) and PowerShell interfaces
  • Automatically authenticated using your Azure account
  • Comes pre-installed with Azure CLI, Azure PowerShell, kubectl, Terraform, and more
  • Persists a small amount of storage (5 GB) for scripts and files across sessions
  • Free to use (standard Cloud Shell) — requires an Azure Storage account for file persistence

Azure CLI

Azure CLI is a cross-platform command-line tool for managing Azure resources using Bash syntax. Available on Windows, macOS, and Linux.

# Login to Azure
az login

# List all resource groups in a subscription
az group list --output table

# Create a Resource Group
az group create --name MyResourceGroup --location eastus

# Create a Virtual Machine
az vm create \
  --resource-group MyResourceGroup \
  --name MyVM \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys

# Start / Stop a VM
az vm start --resource-group MyResourceGroup --name MyVM
az vm deallocate --resource-group MyResourceGroup --name MyVM

Azure PowerShell

Azure PowerShell is a module for managing Azure resources using PowerShell syntax (cmdlets). Preferred by Windows administrators familiar with PowerShell scripting.

# Login to Azure
Connect-AzAccount

# List all Resource Groups
Get-AzResourceGroup | Format-Table

# Create a Resource Group
New-AzResourceGroup -Name "MyResourceGroup" -Location "EastUS"

# Create a VM
New-AzVM -ResourceGroupName "MyResourceGroup" -Name "MyVM" -Location "EastUS"

# Stop and deallocate a VM
Stop-AzVM -ResourceGroupName "MyResourceGroup" -Name "MyVM" -Force

Exam Tip: Both CLI and PowerShell can accomplish the same Azure management tasks — the choice is purely preference (Bash vs PowerShell). Both support scripting, automation, and integration with CI/CD pipelines. The exam does NOT ask you to choose one over the other based on capability.


3.3 Azure Arc

Azure Arc extends Azure management capabilities to resources outside of Azure — including on-premises servers, Kubernetes clusters, and databases running in other clouds (AWS, GCP).

Key Concept: Azure Arc brings non-Azure resources into the Azure control plane. Once Arc-enabled, these external resources appear in the Azure Portal, can be tagged, monitored with Azure Monitor, governed by Azure Policy, and secured with Defender for Cloud — as if they were native Azure resources.

What Azure Arc supports:

| Resource Type | What Arc Enables |
|---|---|
| Servers (Windows/Linux) | Manage on-premises or multi-cloud VMs from Azure Portal |
| Kubernetes clusters | Deploy and manage Kubernetes configurations from Azure (GitOps) |
| SQL Server | Manage on-premises SQL Server with Azure services (Defender, backups) |
| Azure data services | Run Azure SQL Managed Instance and PostgreSQL on-premises |

Use cases for Azure Arc:

  • Unified management of a hybrid environment (on-premises + Azure + AWS)
  • Apply Azure Policy to on-premises servers for consistent compliance
  • Use Azure Monitor to collect logs and metrics from on-premises machines
  • Multi-cloud governance — manage AWS EC2 instances from Azure Portal

Without Arc:                      With Azure Arc:
  Azure Portal  ──► Azure only    Azure Portal ──► Azure Resources
  On-prem tools ──► On-prem       Azure Portal ──► On-Premises Servers
  AWS Console   ──► AWS           Azure Portal ──► AWS / GCP VMs
                                  (Unified single pane of glass)

3.4 Azure Resource Manager and ARM Templates

Azure Resource Manager (ARM) is the management layer that processes all Azure resource requests — whether they come from the Portal, CLI, PowerShell, REST API, or third-party tools. ARM authenticates and authorizes every request, then routes it to the appropriate Azure service.

All management channels:
  Azure Portal
  Azure CLI          ──►  Azure Resource Manager  ──►  Azure Services
  Azure PowerShell               (ARM)                 (VMs, Storage,
  REST API                                              SQL, etc.)
  ARM Templates
  Bicep / Terraform

ARM Templates are JSON files that declaratively define the Azure infrastructure you want to deploy. Instead of running commands step-by-step (imperative), you describe the desired end state and ARM deploys it (declarative).

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[concat('st', uniqueString(resourceGroup().id))]"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2"
    }
  ]
}

Benefits of ARM Templates (Infrastructure as Code):

| Benefit | Description |
|---|---|
| Declarative | Define what you want; ARM figures out how to deploy it |
| Idempotent | Deploy the same template multiple times; only changes are applied |
| Repeatable | Deploy identical environments (dev, test, prod) from the same template |
| Version-controlled | Store templates in Git for history, collaboration, and rollback |
| Modular | Link templates together; reuse template components |
| Previewing changes | Use what-if to see what will change before deploying |

Exam Tip: ARM Templates are Infrastructure as Code (IaC) — they enable repeatable, consistent deployments and eliminate configuration drift. Terraform is a third-party IaC tool that also works with Azure via the AzureRM provider.


3.5 Azure Bicep

Azure Bicep is a domain-specific language (DSL) that provides a cleaner, more concise syntax for deploying Azure resources — compiling down to ARM JSON under the hood. It was created by Microsoft as a simpler alternative to writing raw ARM JSON.

Bicep vs ARM JSON — Same resource, different syntax:

ARM Template (JSON):

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "mystorageaccount",
  "location": "eastus",
  "sku": { "name": "Standard_LRS" },
  "kind": "StorageV2"
}

Equivalent Bicep:

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'mystorageaccount'
  location: 'eastus'
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

Why Bicep over ARM JSON:

  • Much less verbose — typically 30–50% fewer lines
  • Better IDE support (VS Code extension with IntelliSense)
  • Supports modules natively for reusability
  • Transpiles to valid ARM JSON — no new API or deployment mechanism
  • First-class support from Microsoft (new features land in Bicep before ARM JSON)

Note: Bicep and ARM Templates are functionally equivalent from Azure's perspective. Both compile to the same ARM REST API calls. The exam may ask about Bicep as the "Azure-native IaC language" alternative to ARM JSON.


4. Monitoring Tools in Azure

Azure provides a suite of monitoring tools that give visibility into the health, performance, security, and cost of Azure resources. Proactive monitoring is essential for maintaining reliability and optimizing operations.

4.1 Azure Advisor

Azure Advisor is a personalized cloud consultant that analyzes your Azure resource configuration and usage telemetry, then provides actionable, prioritized recommendations to improve your deployments.

Key Concept: Azure Advisor is a free recommendations service. It doesn't monitor in real-time — it analyzes existing configurations and usage patterns and surfaces opportunities for improvement.

Azure Advisor — Five Recommendation Categories:

| Category | Focus | Example Recommendation |
|---|---|---|
| Cost | Reduce Azure spend | "Resize or shut down underutilized VMs" |
| Security | Improve security posture | "Enable MFA for accounts with Owner role" |
| Reliability | Increase availability | "Add a second VM instance for higher availability" |
| Operational Excellence | Streamline operations | "Apply resource tags for better organization" |
| Performance | Improve speed and responsiveness | "Upgrade to Premium SSD for lower latency" |

Key Advisor features:

  • Recommendations are scored (High, Medium, Low impact)
  • Recommendations can be dismissed or postponed with a reason
  • Integrates with Cost Management to show potential cost savings in dollars/month
  • Available at no additional charge — part of your Azure subscription

Exam Tip: Azure Advisor is the answer to: "Which tool provides personalized recommendations to improve cost, security, reliability, performance, and operations?" It is advisory only — it does not automatically implement changes.


4.2 Azure Service Health

Azure Service Health provides personalized information about the health of Azure services in the regions you use. It combines three data sources:

| Component | What It Shows |
|---|---|
| Azure Status | Global Azure service outages visible at status.azure.com — affects all customers |
| Service Health | Personalized view of outages, planned maintenance, and advisories for your subscriptions and regions |
| Resource Health | Status of your specific resources (e.g., is your VM in East US healthy right now?) |

Service Health event types:

| Event Type | Description |
|---|---|
| Service Issues | Active Azure platform problems affecting your services right now |
| Planned Maintenance | Scheduled Azure maintenance that may temporarily affect your resources |
| Health Advisories | Notices of changes requiring your action (e.g., service deprecations, required upgrades) |
| Security Advisories | Security-related notices that may affect your Azure resources |

Service Health Alerts:

You can configure Service Health Alerts to receive notifications (email, SMS, webhook, Logic App trigger) when:

  • An outage occurs in a service/region you care about
  • Planned maintenance is scheduled for your resources
  • Microsoft publishes an advisory affecting your subscription

Azure Service Health Alert Flow:

  Azure Platform Event (outage / maintenance)
            │
            ▼
  Service Health detects it for your subscriptions
            │
            ▼
  Alert Rule triggers (matches your configured service + region)
            │
            ▼
  Action Group executes:
    ├── Send Email to ops team
    ├── Send SMS to on-call engineer
    ├── Post to Teams/Slack webhook
    └── Trigger Azure Automation runbook

Exam Tip: Azure Service Health is for Microsoft platform-level issues affecting Azure itself. Azure Monitor is for issues within your own deployed resources and applications. These are two different scopes.


4.3 Azure Monitor

Azure Monitor is the comprehensive monitoring platform for Azure — collecting, analyzing, and acting on telemetry data from Azure resources, on-premises environments, and other clouds.

Key Concept: Azure Monitor is the platform — all Azure monitoring services feed into it. Log Analytics, Application Insights, and Azure Alerts are components within Azure Monitor.

Azure Monitor — Core Data Types:

| Data Type | Description | Examples |
|---|---|---|
| Metrics | Numerical time-series data, collected at regular intervals | CPU %, memory %, disk I/O, request count |
| Logs | Text-based event records, queried with Kusto Query Language (KQL) | Application errors, audit logs, security events |
| Traces | Distributed tracing data for application performance across services | End-to-end request traces in microservices |

Azure Monitor — Architecture:

Data Sources (What Monitor Collects From):
  Azure Resources (VMs, Storage, SQL)
  Azure Platform (Activity Log, Resource Logs)
  Guest OS (Windows/Linux metrics via agents)
  Applications (via Application Insights SDK)
  Custom Sources (REST API, Logic Apps)
        │
        ▼
  Azure Monitor
  ┌────────────────────────────────────────┐
  │  Metrics Store    │   Log Analytics    │
  │  (time-series)    │   Workspace (KQL)  │
  └────────────────────────────────────────┘
        │
        ▼
  Analysis & Visualization:
    Metrics Explorer | Workbooks | Dashboards | Power BI
        │
        ▼
  Actions (Alerting):
    Alert Rules → Action Groups → Email, SMS, Webhook, ITSM, Azure Functions

Azure Monitor Alerts:

Alerts notify teams when specific conditions are met in your monitored resources:

  • Metric Alerts: Triggered when a metric crosses a threshold (e.g., CPU > 90% for 5 minutes)
  • Log Alerts: Triggered when a KQL query over logs returns results (e.g., error count > 10 in 1 hour)
  • Activity Log Alerts: Triggered when specific Azure management operations occur (e.g., a VM is deleted)

Action Groups:

An Action Group is a reusable set of notification and automation actions that can be attached to multiple alert rules.

| Action Type | What It Does |
|---|---|
| Email/SMS/Push | Notify team members directly |
| Webhook | Send HTTP POST to an external system (e.g., Slack, PagerDuty) |
| Azure Function | Execute a serverless function (e.g., auto-remediation) |
| Logic App | Trigger a complex workflow (e.g., create a ServiceNow ticket) |
| Automation Runbook | Execute a PowerShell or Python runbook (e.g., restart a service) |
| ITSM | Create incidents in connected IT Service Management tools |

4.4 Log Analytics and Application Insights

Log Analytics

Azure Log Analytics is the log storage and query engine within Azure Monitor. All log data from Azure resources, VMs, and applications flows into a Log Analytics Workspace and is queried using Kusto Query Language (KQL).

Example KQL Queries:

// Find all errors in the last 24 hours
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Level == "Error"
| summarize Count = count() by Resource
| order by Count desc

// VM CPU usage average by hour
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AvgCPU = avg(CounterValue) by bin(TimeGenerated, 1h), Computer
| render timechart

Note: KQL is not required knowledge for AZ-900, but knowing that Log Analytics uses KQL for queries and stores logs in a workspace is testable.

Application Insights

Application Insights is an Application Performance Monitoring (APM) service within Azure Monitor, designed for developers. It monitors live applications and automatically detects performance anomalies.

What Application Insights monitors:

| Feature | Description |
|---|---|
| Request rates, response times, failure rates | How well is the app performing end-to-end? |
| Dependency tracking | Calls to external services (SQL, REST APIs, Redis) — where is the bottleneck? |
| Exceptions and stack traces | What errors are occurring in production? |
| User analytics | How many users, sessions, page views, and where they're coming from |
| Live Metrics Stream | Real-time performance data with sub-second latency |
| Availability Tests | Ping tests from Azure locations worldwide to verify your app is reachable |
| Smart Detection | AI-powered anomaly detection that alerts on unusual patterns |

Application Insights is integrated via a SDK in your application code, or via an agent for zero-code instrumentation on Azure App Service, VMs, and AKS.

Exam Tip: Application Insights is for application-level monitoring (code, dependencies, user behavior). Azure Monitor metrics/logs are for infrastructure-level monitoring (CPU, disk, network). Both feed into the same Azure Monitor platform.


5. Exam Tips & Quick Reference

Scenario-to-Answer Mapping

| Scenario Keyword / Requirement | Correct Answer |
| --- | --- |
| "Estimate the monthly cost of a new Azure solution before deploying" | Azure Pricing Calculator |
| "Build a business case showing cost savings of moving to Azure from on-premises" | Azure TCO Calculator |
| "View and analyze actual Azure spending after deployment" | Microsoft Cost Management |
| "Set a spending limit and get alerts when approaching it" | Budget + Alerts in Cost Management |
| "Allocate Azure costs to different departments or projects" | Tags + Cost Management |
| "Discover, classify, and govern data across the organization" | Microsoft Purview |
| "Ensure all VMs deployed in Azure have a specific tag" | Azure Policy (Deny or Append effect) |
| "Check if resources comply with GDPR or ISO 27001" | Microsoft Purview / Defender for Cloud Compliance |
| "Prevent even Owners from deleting a critical database" | Resource Lock (Delete) |
| "Make a resource read-only, no modifications allowed" | Resource Lock (ReadOnly) |
| "Manage Azure resources from a browser without installing anything" | Azure Portal or Azure Cloud Shell |
| "Script and automate Azure deployments using Bash" | Azure CLI |
| "Script and automate Azure deployments using PowerShell syntax" | Azure PowerShell |
| "Deploy the same infrastructure consistently across dev, test, and prod" | ARM Templates or Bicep (IaC) |
| "Manage on-premises servers from the Azure Portal" | Azure Arc |
| "Get personalized recommendations to reduce costs and improve security" | Azure Advisor |
| "Check if an Azure region is having an outage right now" | Azure Service Health |
| "Monitor the health of my specific resources (my VM, my SQL DB)" | Azure Resource Health (part of Service Health) |
| "Set an alert when CPU on a VM exceeds 90%" | Azure Monitor — Metric Alert |
| "Collect and query log data from Azure resources using KQL" | Log Analytics (Azure Monitor) |
| "Monitor application performance, track errors, and trace requests" | Application Insights |
| "Receive notifications when Microsoft performs planned maintenance" | Azure Service Health Alerts |
| "Apply Azure Policy to all subscriptions across the organization" | Management Groups + Azure Policy |
| "Simplest alternative to ARM JSON for IaC on Azure" | Azure Bicep |

Common Traps

  • Pricing Calculator vs TCO Calculator: The Pricing Calculator estimates Azure costs for workloads you plan to run in Azure. The TCO Calculator compares Azure costs against your current on-premises costs. They have completely different purposes; the exam tests this distinction with scenario questions.
  • Budgets don't stop resources: Azure Budgets alert you when spending reaches a threshold — they do NOT automatically shut down or restrict resources. Stopping resources requires automation (Azure Automation Runbooks triggered by the alert Action Group).
  • Tags are not inherited: Tags applied to a resource group do NOT automatically propagate to resources inside it. Use Azure Policy to enforce mandatory tagging or auto-apply tags to child resources.
  • Resource Locks can be set by Contributors? No. Only Owner and User Access Administrator can manage (create or delete) Resource Locks. Contributor cannot manage locks — this is commonly confused because Contributors have broad resource management rights.
  • Azure Policy vs RBAC — different purposes: RBAC controls who can perform actions. Azure Policy controls what configurations are allowed regardless of who is performing the action. An Owner role doesn't bypass an Azure Policy Deny — these operate at different layers.
  • Azure Advisor vs Azure Monitor: Advisor gives recommendations based on analysis of your configuration and usage (advisory, not real-time). Monitor collects real-time metrics and logs and triggers alerts based on live data. Advisor is proactive; Monitor is reactive.
  • Azure Service Health vs Azure Monitor: Service Health reports on the health of the Azure platform itself (is Azure having an outage?). Azure Monitor reports on the health of your deployed resources (is your VM running?). Very commonly confused on the exam.
  • ARM vs Bicep — not competing platforms: Bicep is a simpler language that compiles to ARM JSON. They both deploy through the same Azure Resource Manager. Choosing Bicep doesn't exclude ARM — it IS ARM under the hood.
  • Azure Arc is not a migration tool: Arc doesn't move resources to Azure. It extends Azure management to existing on-premises or multi-cloud resources. The resources stay where they are; you just manage them through Azure.
  • ReadOnly lock still allows reads: A ReadOnly Resource Lock prevents modifications and deletions — but allows reading the resource. Some operations that look like reads (like listing storage account keys) are actually POST operations and will be blocked by ReadOnly.
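
The layering behind several of the traps above (RBAC, Azure Policy, Resource Locks), as an added example that is not part of the original notes: a simplified Python model of the three independent checks a management request must pass. The role definitions are abridged from the built-in roles, and all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Abridged (actions, notActions) of four built-in roles; simplified for this model.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/write",
                            "Microsoft.Authorization/*/delete"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
    "Reader": (["*/read"], []),
}

def _matches(patterns, action):
    # Action strings are compared case-insensitively; "*" is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def rbac_allows(role, action):
    """RBAC layer: WHO may perform the action."""
    actions, not_actions = ROLES[role]
    return _matches(actions, action) and not _matches(not_actions, action)

def policy_denies(required_tag, http_method, tags):
    """Policy layer (Deny effect): reject a create/update that lacks the tag."""
    return (required_tag is not None and http_method in ("PUT", "PATCH")
            and required_tag not in tags)

def lock_blocks(lock, http_method):
    """Lock layer: ReadOnly permits only GET; CanNotDelete blocks only DELETE."""
    if lock == "ReadOnly":
        return http_method != "GET"
    if lock == "CanNotDelete":
        return http_method == "DELETE"
    return False

def evaluate(role, action, http_method, lock=None, required_tag=None, tags=()):
    """Return every layer that blocks the request; an empty list means allowed."""
    blocked = []
    if not rbac_allows(role, action):
        blocked.append("rbac")
    if policy_denies(required_tag, http_method, tags):
        blocked.append("policy")
    if lock_blocks(lock, http_method):
        blocked.append("lock")
    return blocked

if __name__ == "__main__":
    list_keys = "Microsoft.Storage/storageAccounts/listKeys/action"
    print(evaluate("Owner", list_keys, "POST", lock="ReadOnly"))
    print(evaluate("Contributor", "Microsoft.Authorization/locks/write", "PUT"))
```

Because `evaluate` reports every blocking layer rather than the first one, it makes no claim about the order in which Azure Resource Manager applies these checks.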

Key Terms — Domain 3

| Term | One-Line Definition |
| --- | --- |
| Azure Pricing Calculator | Web tool to estimate monthly Azure costs for planned workloads before deployment. |
| TCO Calculator | Web tool to compare on-premises infrastructure costs against equivalent Azure costs. |
| Microsoft Cost Management | Built-in Azure service for monitoring, analyzing, and optimizing actual cloud spend. |
| Budget (Cost Management) | A configured spending limit with alert thresholds; does NOT automatically stop resources. |
| Tags | Key-value metadata applied to resources for cost allocation, governance, and organization. |
| Microsoft Purview | Unified data governance platform for discovering, classifying, and protecting data assets. |
| Azure Policy | Service that creates rules to enforce or audit Azure resource configurations for compliance. |
| Policy Initiative | A collection of Azure Policies grouped together to achieve a broader compliance goal. |
| Resource Lock | A protection layer that prevents accidental deletion (Delete) or modification (ReadOnly) of resources. |
| Azure Portal | Browser-based GUI for managing Azure resources; supports all Azure services visually. |
| Azure Cloud Shell | Browser-based, pre-authenticated shell supporting both Azure CLI and PowerShell. |
| Azure CLI | Cross-platform command-line tool using Bash syntax for automating Azure management. |
| Azure PowerShell | PowerShell module for managing Azure resources using cmdlet syntax. |
| Azure Arc | Extends Azure management (Monitor, Policy, Defender) to on-premises and multi-cloud resources. |
| ARM | Azure Resource Manager — the management layer that processes all Azure resource API requests. |
| ARM Templates | JSON-based declarative IaC files for deploying Azure infrastructure consistently and repeatably. |
| Bicep | Azure-native DSL that compiles to ARM JSON; cleaner alternative to raw ARM template JSON. |
| Infrastructure as Code (IaC) | Defining and managing infrastructure through code (ARM, Bicep, Terraform) for repeatability. |
| Azure Advisor | Free service that analyzes Azure usage and provides personalized best-practice recommendations. |
| Azure Service Health | Dashboard showing Azure platform health, planned maintenance, and service outages by region. |
| Azure Resource Health | Shows the health status of your specific Azure resources (VM, SQL DB, etc.). |
| Azure Monitor | Comprehensive monitoring platform collecting metrics and logs from Azure and hybrid resources. |
| Log Analytics | Log storage and KQL query engine within Azure Monitor for analyzing log data. |
| Application Insights | APM service within Azure Monitor for monitoring application performance and behavior. |
| Action Group | Reusable set of notification and automation actions triggered by Azure Monitor alerts. |
| Metric Alert | Azure Monitor alert triggered when a resource metric crosses a defined threshold. |
| KQL | Kusto Query Language — the query language used to analyze data in Log Analytics. |

End of Domain 3 — You have completed all three domains of the AZ-900 study guide.

