Azure AZ-900 Fundamentals Management and Governance
AI-Generated Content
Mastering management and governance is the cornerstone of operating effectively and securely in Microsoft Azure. For the AZ-900 exam, you must move beyond simply creating resources and understand how to control, secure, optimize, and monitor your cloud environment. This knowledge is critical for ensuring cost-efficiency, compliance, and operational health, directly impacting the business value of your cloud investments.
Core Management Tools and Interfaces
Your primary dashboard for interacting with Azure is the Azure Portal, a web-based, graphical user interface. It provides a unified console to build, manage, and monitor everything from simple web apps to complex cloud deployments. The portal is excellent for visual exploration and one-off tasks. For automation and repeatable operations, you need scripting tools.
Azure PowerShell and the Azure Command-Line Interface (CLI) are command-line tools for managing Azure resources. Azure PowerShell uses cmdlets (like New-AzVM) and is built on .NET, making it powerful for Windows-centric administrators. The Azure CLI uses commands (like az vm create) and is cross-platform, often preferred for its consistency across Windows, macOS, and Linux. Both tools allow you to script complex deployments, a practice known as Infrastructure as Code (IaC).
Azure Cloud Shell is an interactive, browser-accessible shell that provides the choice of either Bash (with Azure CLI) or PowerShell, pre-installed and authenticated. It persists your files across sessions via an Azure Files mount, making it the perfect tool for quick, authenticated command-line work from any device without local installation. For the exam, know that Cloud Shell is a managed service accessed via the portal or shell.azure.com.
Foundational Governance Controls
Governance in Azure is about establishing guardrails and processes. Azure Policy is a core service for creating, assigning, and managing policy definitions that enforce rules over your resources. These policies can deny deployments that don’t meet standards, audit existing resources for compliance, or even remediate non-compliant resources automatically. For example, a policy could enforce that only certain VM SKUs are deployable or that all storage accounts must use encryption.
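To make the deny-versus-audit distinction concrete, here is an added example (my own code, not Microsoft's policy engine) that reads two policy definitions written in the JSON shape Azure Policy uses and applies a small subset of its condition operators (allOf, anyOf, not, equals, in, exists) to sample resources. The SKU list, the costCenter tag name and the resources are constructed for the example; the alias `Microsoft.Compute/virtualMachines/sku.name` is the one the built-in "Allowed virtual machine size SKUs" policy uses.

```python
"""Constructed mini-evaluator for Azure Policy rule logic (added example).

Not Microsoft's engine: it only models how a definition's "if" block is
matched against a resource and what the "then" effect then means.
"""

# Deny any VM whose size is not in the assigned parameter list.
ALLOWED_VM_SKUS = {
    "displayName": "Allowed VM SKUs (example)",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                         "in": "[parameters('allowedSKUs')]"}},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Flag (but do not block) any resource that has no costCenter tag.
REQUIRE_COST_TAG = {
    "displayName": "Require costCenter tag (example)",
    "policyRule": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

# An assignment pairs a definition with its parameter values (constructed).
ASSIGNMENTS = [
    (ALLOWED_VM_SKUS, {"allowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}),
    (REQUIRE_COST_TAG, {}),
]


def _resolve(value, params):
    """Resolve the "[parameters('name')]" template expression to its value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _field(resource, name):
    """Read a field or alias from the flattened resource representation."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[len("tags['"):-len("']")])
    return resource.get(name)


def matches(condition, resource, params):
    """True when the policy's 'if' condition is satisfied by the resource."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return value == _resolve(condition["equals"], params)
    if "in" in condition:
        return value in _resolve(condition["in"], params)
    if "exists" in condition:
        wanted = str(condition["exists"]).lower() == "true"
        return (value is not None) == wanted
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource, params):
    """Return the effect to apply when the 'if' block matches, else None."""
    rule = policy["policyRule"]
    if matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None


def assess(assignments, resource):
    """Run every assignment: deny blocks the request, audit only records a finding."""
    denied, findings = [], []
    for policy, params in assignments:
        effect = evaluate(policy, resource, params)
        if effect == "deny":
            denied.append(policy["displayName"])
        elif effect == "audit":
            findings.append(policy["displayName"])
    return {"allowed": not denied, "denied_by": denied, "audit_findings": findings}


# Constructed resources, flattened to the aliases the rules reference.
COMPLIANT_VM = {
    "type": "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3",
    "tags": {"costCenter": "1234"},
}
GPU_VM = {**COMPLIANT_VM, "Microsoft.Compute/virtualMachines/sku.name": "Standard_NC6"}
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "tags": {}}

if __name__ == "__main__":
    for name, res in [("compliant VM", COMPLIANT_VM), ("GPU VM", GPU_VM),
                      ("untagged storage", UNTAGGED_STORAGE)]:
        print(name, "->", assess(ASSIGNMENTS, res))
```

The GPU VM is blocked outright by the deny policy, while the untagged storage account deploys but shows up as an audit finding; that is exactly the difference between preventing drift and merely measuring it.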
A common exam pitfall is confusing Azure Policy with Azure Blueprints. While Policy enforces rules, Blueprints are a packaging tool for repeatable deployments of entire environments. A Blueprint can bundle together resource groups, ARM templates, Policy assignments, and even Role-Based Access Control (RBAC) assignments. You version and publish a blueprint, then assign it to a subscription to consistently deploy a governed environment, like a standardized "development sandbox" or "PCI-compliant application."
Role-Based Access Control (RBAC) is Azure's authorization system for managing who has access to what. You grant access by assigning RBAC roles (like "Virtual Machine Contributor" or "Storage Blob Data Reader") to users, groups, or service principals at a specific scope (management group, subscription, resource group, or resource). The principle of least privilege is key: grant only the permissions necessary to perform a job. Remember, RBAC manages permissions to manage Azure resources, not necessarily to access data within them (e.g., it controls who can delete a database, not who can query the data inside).
For protecting critical resources from accidental deletion or configuration changes, you use resource locks. A Delete lock (CanNotDelete) prevents deletion, while a ReadOnly lock prevents any modifications. Locks are applied at the resource or resource group level and override all user permissions, making them a powerful last line of defense.
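The two ideas in the RBAC and lock paragraphs above (an assignment applies to everything beneath its scope, and a lock vetoes the locked operation even for an Owner) are easy to state and easy to misjudge on the exam, so here is an added model of both (my own code, not Azure's authorization engine). Role definitions are cut down to a few action patterns in the style of the real role JSON; the subscription id, resource names and principal names are constructed.

```python
"""Constructed model of RBAC scope inheritance and resource locks (added example).

Not Azure's authorization engine: a simplified decision that first asks
whether any role assignment at or above the target grants the action, and
then whether an inherited lock blocks it anyway.
"""
import fnmatch
from dataclasses import dataclass

# Constructed scope ids in Azure's resource-id format.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_FIN = SUB + "/resourceGroups/rg-finance"
VM_WEB = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-web"
ST_FIN = RG_FIN + "/providers/Microsoft.Storage/storageAccounts/stfinance"

# Abbreviated role definitions: just the "actions" patterns.
ROLES = {
    "Owner": ["*"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*"],
    "Reader": ["*/read"],
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class Lock:
    scope: str
    level: str  # "CanNotDelete" or "ReadOnly"


def in_scope(scope, target):
    """A scope covers itself and every resource id nested beneath it."""
    return target == scope or target.startswith(scope.rstrip("/") + "/")


def rbac_allows(assignments, principal, action, target):
    """True when some assignment at or above the target grants the action."""
    for a in assignments:
        if a.principal != principal or not in_scope(a.scope, target):
            continue
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in ROLES[a.role]):
            return True
    return False


def lock_blocks(locks, action, target):
    """Return the lock that stops this action, if any (locks inherit downward)."""
    for lock in locks:
        if not in_scope(lock.scope, target):
            continue
        if lock.level == "ReadOnly" and not action.endswith("/read"):
            return lock  # simplified: anything but a read counts as a modification
        if lock.level == "CanNotDelete" and action.endswith("/delete"):
            return lock
    return None


def authorize(assignments, locks, principal, action, target):
    """RBAC decides who may act; a lock then vetoes the action regardless of role."""
    if not rbac_allows(assignments, principal, action, target):
        return "denied:rbac"
    lock = lock_blocks(locks, action, target)
    if lock is not None:
        return f"denied:lock:{lock.level}"
    return "allowed"


def reachable(assignments, principal, resources):
    """Resources covered by any of the principal's assignments (a blast-radius check)."""
    return [r for r in resources
            if any(a.principal == principal and in_scope(a.scope, r) for a in assignments)]


# Constructed assignments: alice is Owner of the whole subscription (over-broad),
# bob is VM Contributor scoped to one resource group (least privilege).
ASSIGNMENTS = [
    Assignment("alice", "Owner", SUB),
    Assignment("bob", "Virtual Machine Contributor", RG_APP),
]
LOCKS = [Lock(VM_WEB, "CanNotDelete")]
RESOURCES = [VM_WEB, ST_FIN]

if __name__ == "__main__":
    print(authorize(ASSIGNMENTS, LOCKS, "bob",
                    "Microsoft.Compute/virtualMachines/restart/action", VM_WEB))
    print(authorize(ASSIGNMENTS, LOCKS, "alice",
                    "Microsoft.Compute/virtualMachines/delete", VM_WEB))
    print(reachable(ASSIGNMENTS, "alice", RESOURCES), reachable(ASSIGNMENTS, "bob", RESOURCES))
```

Running it shows bob restarting the web VM but unable to touch the finance storage account, alice's Owner role reaching every resource in the subscription, and the CanNotDelete lock stopping even alice from deleting the VM. The `reachable` helper is the kind of check worth running before accepting a high-scope assignment.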
Cost Management and Optimization Tools
Controlling cloud spend is a top priority. Azure Cost Management + Billing is the suite of tools for analyzing costs, creating budgets, setting alerts, and optimizing spending. You can view costs broken down by resource, resource group, service, or tag, and forecast future spend. Setting up budgets with alerts is a critical first step to avoid bill shock.
Before deploying, you should estimate costs using the Azure pricing calculator. This tool lets you configure virtual machines, databases, and other services to see their estimated monthly cost. For broader migration planning, the Total Cost of Ownership (TCO) calculator helps compare the costs of running your on-premises infrastructure versus running it on Azure, factoring in hardware, electricity, and datacenter costs.
Azure Advisor is your personalized, automated cloud consultant. It analyzes your resource configuration and usage telemetry to provide actionable recommendations across five categories: Cost, Security, Reliability, Performance, and Operational Excellence. For cost, it might identify underutilized virtual machines you can right-size or shut down. It provides the "what," "why," and "how-to-fix" for each recommendation, making it an essential tool for continuous optimization.
Service Agreements, Lifecycle, and Monitoring
A Service-Level Agreement (SLA) is Microsoft's formal commitment to uptime and connectivity for an Azure service. You must understand how SLAs are expressed. For example, a 99.9% ("three nines") SLA means a service can be down for up to 43.8 minutes per month. SLAs often include financial credits for downtime, not liability for losses. Composite SLAs are calculated by multiplying the SLAs of individual dependent services, resulting in a lower overall availability. If a web app depends on a VM (99.9%) and a database (99.99%), its composite SLA is 99.9% * 99.99% = ~99.89%.
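The SLA arithmetic above is worth carrying through in code, so here is an added worked example (not from the page). The one assumption is the period length: an average month of 365.25 / 12 days, i.e. 43,830 minutes, which reproduces the 43.8 minutes quoted for 99.9%. The last function goes beyond the text: it gives the availability of independent redundant copies of a component, which is the other half of composite-SLA reasoning.

```python
"""Worked SLA arithmetic (added example, not from the page)."""

# Assumption: an average month of 365.25 / 12 days, which is 43,830 minutes.
MINUTES_PER_MONTH = 365.25 / 12 * 24 * 60


def max_downtime_minutes(sla_percent, period_minutes=MINUTES_PER_MONTH):
    """Allowed downtime in the period for a given availability percentage."""
    return period_minutes * (1 - sla_percent / 100)


def composite_sla(*sla_percents):
    """Serial dependencies: the solution is up only when every component is up."""
    availability = 1.0
    for pct in sla_percents:
        availability *= pct / 100
    return availability * 100


def redundant_sla(sla_percent, copies=2):
    """Independent parallel copies: down only when every copy is down at once."""
    return (1 - (1 - sla_percent / 100) ** copies) * 100


def solution_sla(components):
    """Composite availability and monthly downtime for {name: sla_percent}."""
    composite = composite_sla(*components.values())
    return {
        "composite_percent": round(composite, 4),
        "max_downtime_minutes": round(max_downtime_minutes(composite), 1),
    }


if __name__ == "__main__":
    # The page's example: a web app on a VM (99.9%) that depends on a database (99.99%).
    print(round(max_downtime_minutes(99.9), 1), "minutes/month at 99.9%")
    print(solution_sla({"web VM": 99.9, "database": 99.99}))
    print(round(redundant_sla(99.9, copies=2), 4), "% for two independent 99.9% VMs")
```

Two points fall out of the numbers: the composite figure is always below the weakest component, and that small-looking drop from 99.9% to 99.89% is about four and a half extra minutes of permitted downtime a month.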
Azure services follow a public lifecycle policy (Modern, Classic, or Retirement). The Modern Policy provides a predictable timeline: when a feature goes GA (General Availability), it enters a minimum support period. Twelve months before retirement, a retirement notification is given, followed by a 12-month retirement period where the service is still supported. You are responsible for migrating off a service before its retirement date.
Azure Monitor is the comprehensive solution for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. It aggregates two fundamental types of data: Metrics, which are numerical values (like CPU percentage) collected at regular intervals, and Logs, which are rich, textual records of events (like a VM being restarted) queried using the Kusto Query Language (KQL). You use Alert rules in Azure Monitor to notify you proactively when a metric threshold is crossed or a particular log event occurs, enabling you to respond to issues before users are affected.
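An alert rule in Azure Monitor is more than a threshold: a metric alert also has an aggregation type and a lookback window, and a log alert counts matching events in a window. The added example below (my own code, not Azure Monitor's) applies both kinds of rule to constructed per-minute CPU samples and constructed activity-log-style records, and shows why the choice of aggregation decides whether a single spike pages anyone.

```python
"""Constructed model of Azure Monitor alert-rule evaluation (added example)."""
from statistics import mean

# Aggregation types and operators as a metric alert rule names them.
AGGREGATIONS = {"Average": mean, "Maximum": max, "Minimum": min, "Total": sum}
OPERATORS = {
    "GreaterThan": lambda v, t: v > t,
    "GreaterThanOrEqual": lambda v, t: v >= t,
    "LessThan": lambda v, t: v < t,
}


def evaluate_metric_alert(samples, window_minutes, aggregation, operator, threshold):
    """Return the minutes at which a static-threshold metric rule would fire.

    samples: list of (minute, value). At each minute t that has a full lookback
    window, the values in (t - window, t] are aggregated and compared.
    """
    aggregate = AGGREGATIONS[aggregation]
    compare = OPERATORS[operator]
    fired = []
    for t, _ in samples:
        if t < window_minutes:  # wait for a full window before evaluating
            continue
        window = [v for m, v in samples if t - window_minutes < m <= t]
        if compare(aggregate(window), threshold):
            fired.append(t)
    return fired


def evaluate_log_alert(records, window_minutes, operation, min_count):
    """Return the minutes at which a count-based log rule would fire.

    records: list of (minute, operation, status). Fires when at least min_count
    records for the operation fall inside (t - window, t].
    """
    fired = []
    for t in sorted({m for m, _, _ in records}):
        hits = [r for r in records if t - window_minutes < r[0] <= t and r[1] == operation]
        if len(hits) >= min_count:
            fired.append(t)
    return fired


# Constructed CPU percentage samples: one short spike at minute 4, then a
# sustained high load from minute 7 to 11.
CPU_PERCENT = [(1, 20), (2, 25), (3, 30), (4, 95), (5, 30), (6, 25),
               (7, 85), (8, 90), (9, 92), (10, 88), (11, 91), (12, 30)]

# Constructed activity-log-style records: a burst of VM restarts at the end.
RESTART = "Microsoft.Compute/virtualMachines/restart/action"
ACTIVITY_LOG = [
    (3, RESTART, "Succeeded"),
    (4, RESTART, "Succeeded"),
    (9, "Microsoft.Compute/virtualMachines/write", "Succeeded"),
    (10, RESTART, "Succeeded"),
    (11, RESTART, "Succeeded"),
    (12, RESTART, "Succeeded"),
]

if __name__ == "__main__":
    print("Average > 80 over 5 min fires at:",
          evaluate_metric_alert(CPU_PERCENT, 5, "Average", "GreaterThan", 80))
    print("Maximum > 80 over 5 min fires at:",
          evaluate_metric_alert(CPU_PERCENT, 5, "Maximum", "GreaterThan", 80))
    print("3+ restarts in 5 min fires at:",
          evaluate_log_alert(ACTIVITY_LOG, 5, RESTART, 3))
```

With a 5-minute average the rule fires once, at minute 11, when the load has genuinely been high for most of the window; with a 5-minute maximum the single spike at minute 4 keeps the rule firing from minute 5 through 12. The log rule fires only at minute 12, once three restarts have landed inside one window, which is the shape of rule you want for "a particular log event occurs" rather than alerting on every event.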
Common Pitfalls
- Confusing Governance Tools: Mixing up Azure Policy and Blueprints is a frequent exam trap. Remember: Policy = enforcement of rules (like "no G-series VMs"). Blueprint = packaging of environments (like "deploy a full app with its policies and roles"). Blueprints use Policies; they are not the same thing.
- Misunderstanding RBAC Scope: A role assignment at the subscription level applies to all resources within that subscription. A common mistake is assigning broad roles (like "Owner") at a high scope when a more restrictive role at a resource group scope would suffice, violating the principle of least privilege.
- Overlooking Composite SLAs: Candidates often recall a single service's SLA but fail to calculate the composite SLA for a solution with multiple dependencies. If an exam question asks for the potential uptime of an application with multiple Azure components, you likely need to multiply their individual SLAs.
- Ignoring Azure Advisor: It's easy to think of cost management only in terms of the pricing calculator and budgets. For the exam, you must know that Azure Advisor provides personalized, actionable cost recommendations based on your actual usage, such as identifying idle VMs, which is a step beyond mere estimation and budgeting.
Summary
- Management Tools: Use the Azure Portal for GUI tasks, Azure PowerShell or Azure CLI for scripting and automation, and Azure Cloud Shell for a browser-based, authenticated command-line experience.
- Governance Core: Enforce standards with Azure Policy, package complete environments with Azure Blueprints, control access with Role-Based Access Control (RBAC), and prevent accidents with resource locks.
- Cost Control: Estimate with the Pricing and TCO Calculators, track and analyze with Azure Cost Management + Billing, and get personalized optimization tips from Azure Advisor.
- Operational Fundamentals: Understand Service-Level Agreements (SLAs) for uptime commitments and financial remedies, follow the service lifecycle policy for retirement planning, and use Azure Monitor for comprehensive metrics, logs, and alerting.
- Exam Strategy: Focus on the purpose and key differentiators between similar services (Policy vs. Blueprints), always apply the principle of least privilege for RBAC, and remember to calculate composite SLAs for multi-service solutions.