Cost And Governance Can Decide A Borderline AZ-900 Score
The current Microsoft Learn AZ-900 study guide lists skills measured as of January 14, 2026 and weights Azure management and governance at 30-35% of the exam. That is nearly as large as the architecture and services domain. Candidates often treat it as easy billing vocabulary, then miss scenario questions about pricing estimates, actual cost analysis, tags, RBAC, Azure Policy, resource locks, Advisor, Service Health, Azure Monitor, and deployment tools.
One freshness warning: some competitor pages still put Azure Blueprints, Trust Center, or compliance-product trivia near the center of AZ-900 governance. The current Microsoft outline names Microsoft Purview, Azure Policy, resource locks, portal, Cloud Shell, Azure Arc, infrastructure as code, ARM templates, Advisor, Service Health, and Azure Monitor. Do not let stale or adjacent security-cert content crowd out the official AZ-900 targets.
The Four Cost Jobs AZ-900 Tests
Azure cost questions usually ask one of four jobs: estimate before deployment, compare migration economics, analyze actual spend, or optimize existing resources.
The Azure Pricing Calculator estimates the cost of proposed Azure resources before you deploy them. Use it when a scenario says a team wants to model VM size, storage, bandwidth, region, or support cost before building. The Azure TCO Calculator compares current on-premises costs with an Azure migration scenario. Use it when the question mentions datacenter hardware, software licensing, electricity, facilities, labor, and a migration business case.
Microsoft Cost Management is for actual cloud spend after resources exist. It supports cost analysis, budgets, alerts, exports, anomaly detection, recommendations, and reporting across Microsoft Cloud costs. Azure Advisor gives best-practice recommendations across cost, security, reliability, operational excellence, and performance.
| Reader job | Azure tool | AZ-900 wording clue |
|---|---|---|
| Estimate a planned Azure solution | Pricing Calculator | Before deployment, estimate a VM, storage, bandwidth, or support plan. |
| Compare on-premises cost to Azure | TCO Calculator | Migration business case, datacenter cost, 3-5 year savings. |
| Analyze current spending | Cost Management | Actual usage, invoices, budgets, alerts, cost analysis, exports. |
| Improve existing resources | Azure Advisor | Recommendations, right-size, reserved capacity, best practices. |
Cost Factors: What Actually Changes The Bill
AZ-900 does not ask you to calculate a production bill by hand. It asks whether you understand what affects cost. Region can affect price. Resource type and SKU affect price. Usage volume affects price through compute hours, storage GB, transactions, data transfer, and premium features. Support plan level can affect cost. Reservations and savings plans can lower predictable compute costs. Shutting down unused resources prevents waste. Azure Hybrid Benefit can reduce cost when eligible licenses apply.
Tags are not a discount. Tags are metadata labels such as costCenter, environment, owner, or project. Their cost value is allocation and reporting: teams can group costs by department, workload, or owner. A common wrong answer is to choose tags when the question asks to prevent deployment in the wrong region. Tags organize. Azure Policy enforces.
Budgets and alerts matter because they connect cost management to governance. A budget does not stop all spending by itself. It helps notify stakeholders or trigger workflows when actual or forecasted cost crosses thresholds. If the question asks to be notified before costs exceed a monthly target, budget alerts are stronger than manually checking invoices.
Governance Starts With Scope
Governance tools make more sense when you attach them to scope. Management groups organize multiple subscriptions. Subscriptions are billing, quota, and access boundaries. Resource groups hold resources with a shared lifecycle. Resources are the deployed items. Many governance assignments can be scoped high and inherited downward.
Azure RBAC controls who can do what at which scope. If a question asks whether a user can read a storage account, start a VM, manage a resource group, or assign permissions, think RBAC. Built-in roles such as Owner, Contributor, Reader, and User Access Administrator are classic AZ-900 vocabulary.
Azure Policy controls whether resource states meet organizational standards. If a scenario says only approved regions, required tags, denied public IP addresses, or audit resources missing diagnostic settings, think Policy. Policy evaluates the resource state, not just the user's identity.
Resource locks protect resources from accidental deletion or modification. A CanNotDelete lock allows reads and updates but blocks deletion. A ReadOnly lock makes the resource read-only. Locks are not a substitute for RBAC or Policy; they are last-mile protection against accidental change.
RBAC, Policy, Locks, And Tags: The Fastest Distinctions
Use this rule: RBAC asks who can act. Policy asks whether the resulting resource is compliant. Locks ask whether a resource can be changed or deleted. Tags ask how resources should be labeled, grouped, reported, or automated.
A user with Contributor access might be allowed to create a VM, but Azure Policy can still deny the VM if it is in an unapproved region. A production database might have correct RBAC and still get a CanNotDelete lock to prevent accidental removal. A cost report might group spend by tag even though the tag did not reduce the bill.
| Scenario clue | Best answer | Why |
|---|---|---|
| Give a user read-only access to a resource group | RBAC | Permission assignment to an identity at a scope. |
| Require every resource to have a costCenter tag | Azure Policy | Enforces or audits a resource standard. |
| Stop deletion of a production resource | Resource lock | Protects against accidental deletion. |
| Group monthly costs by department | Tags | Metadata for allocation and reporting. |
| Apply governance across many subscriptions | Management group | Higher-level scope for inherited assignments. |
Monitoring, Health, Advisor, And Deployment Tools
AZ-900 management and governance also includes administration and monitoring. Azure portal is the browser UI. Azure Cloud Shell gives browser-based CLI and PowerShell. Infrastructure as code means repeatable deployments described in files. ARM templates and Bicep are Azure-native IaC options. Azure Arc extends Azure management to resources outside Azure, such as on-premises servers and other clouds.
Azure Monitor collects and analyzes telemetry. Log Analytics stores and queries logs. Azure Monitor alerts notify when conditions are met. Application Insights monitors application performance and availability. Azure Service Health tells you about Azure service incidents, planned maintenance, and health advisories that may affect your resources. Resource Health focuses on the health of individual resources. Azure Advisor provides recommendations across cost, security, reliability, operational excellence, and performance.
The wording usually decides the answer. Azure outage affecting my region points to Service Health. CPU metric crossed a threshold points to Azure Monitor alert. Application request failures and response time points to Application Insights. Recommendations to improve cost or reliability points to Advisor. Querying logs points to Log Analytics.
Purview, Defender For Cloud, And Compliance Language
Microsoft Purview is the data governance, risk, and compliance family. For AZ-900, the key purpose is data governance: discovering, classifying, protecting, and governing data. Microsoft Defender for Cloud is cloud security posture management and workload protection. If a question asks about secure configuration recommendations across cloud resources, Defender for Cloud is more likely. If it asks about data cataloging, classification, lineage, or governance over the data estate, Purview is more likely.
Do not turn AZ-900 into SC-900 or AZ-104. You are not expected to configure advanced compliance workflows. You should know the service purpose and the scenario cue. A good readiness test is whether you can explain RBAC, Policy, locks, tags, Cost Management, Advisor, Monitor, Service Health, Purview, Defender for Cloud, ARM templates, Cloud Shell, and Azure Arc without looking up definitions.
Cost And Governance Scenario Drills
Use short scenario drills to test whether you know the distinction instead of only the definition.
Scenario one: a finance manager wants to estimate the monthly cost of a proposed VM, storage account, and bandwidth before anything is deployed. The best answer is Pricing Calculator, not Cost Management, because there is no actual spend yet. If the same manager asks whether moving an on-premises datacenter to Azure will save money over several years, the better answer becomes TCO Calculator.
Scenario two: a platform team wants developers to deploy resources only in approved regions and include a costCenter tag. RBAC alone is not enough because the developer might be allowed to create resources. Azure Policy is the governance tool that can audit or deny noncompliant resource states. Tags help report costs afterward; they do not enforce the rule by themselves unless a policy requires them.
Scenario three: an application team reports degraded response time. Azure Service Health is useful if the problem is an Azure service incident affecting your region. Azure Monitor and Application Insights are stronger when the issue is your own metrics, logs, dependencies, or application performance. Advisor is not an incident console; it gives recommendations you can act on before or after operational issues.
A Two-Day Review Plan
Day one is cost. Make a table with Pricing Calculator, TCO Calculator, Cost Management, budgets, alerts, Advisor, reservations, savings plans, Azure Hybrid Benefit, and tags. For each, write before deployment, migration comparison, actual spend, optimization, or allocation. Then do 25 practice questions and mark every miss where two cost tools sounded plausible.
Official Sources Checked
- Microsoft Learn AZ-900 study guide: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-900
- Azure Pricing Calculator: https://azure.microsoft.com/en-us/pricing/calculator/
- Azure TCO Calculator: https://azure.microsoft.com/en-us/pricing/tco/calculator/
- Microsoft Cost Management: https://learn.microsoft.com/en-us/azure/cost-management-billing/
- Azure RBAC: https://learn.microsoft.com/en-us/azure/role-based-access-control/
- Azure Policy: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Resource Manager locks: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
- Azure Monitor: https://learn.microsoft.com/en-us/azure/azure-monitor/overview
- Azure Service Health: https://learn.microsoft.com/en-us/azure/service-health/overview
- Azure Advisor: https://learn.microsoft.com/en-us/azure/advisor/advisor-overview
Buy on Amazon
Take courses on Udemy
Learning path on Pluralsight