Session 3 — Management, Governance & Monitoring (30-35% of exam)
AZ-900 exam domain: Describe Azure management and governance — 30–35%. Session 3 covers cost management, governance tools, deployment options, and monitoring. Expect 9–12 questions from this content.
Six factors that influence Azure costs
# | Factor | How it affects cost
1 | Resource type | Each resource has its own set of meters tracking usage. VMs are metered on compute hours; storage on GB stored and operations performed.
2 | Consumption | Pay-as-you-go: more usage = higher bill. Reserved Capacity: commit to fixed usage for 1-3 years for discounts up to 72%. Best for stable, predictable workloads.
3 | Geography / region | Regional electricity costs, labor, taxes, and fees vary. Deploying in a high-cost region (Switzerland) costs more than a lower-cost region (East US).
4 | Network traffic | Inbound data to Azure is generally free. Outbound data (egress) is charged based on billing zones. Data within the same region is typically free or very low cost.
5 | Billing zones | World divided into zones for bandwidth pricing. Zone 1 (US, Europe) lowest rates. Zone 2 (Asia Pacific) higher. Zone 3 (South America, Middle East, Africa) highest.
6 | Subscription type | Free trial: 12 months of popular services free + 30-day credit + 25+ always-free services. Enterprise Agreement, PAYG, and CSP subscriptions have different pricing terms and quotas.
Key savings strategies: Reserved Capacity (up to 72% off for 1-3 year commitments), Azure Hybrid Benefit (bring your own Windows/SQL licenses), shut down idle VMs, right-size over-provisioned resources, deploy in lower-cost regions for non-latency-sensitive workloads.
Three cost tools — which to use when
Tool | Use it when | What it does
Pricing Calculator | BEFORE deployment — planning and estimation | Estimates approximate monthly cost of Azure services. Configure service parameters and see real-time cost updates. Export to Excel. Free and public. Shows 1-year/3-year reservation savings. Note: estimates only, not guaranteed billing.
Cost Management | AFTER deployment — monitoring and control | Tracks actual spending. Set budgets (spending limits with alerts). Cost Analysis provides visual breakdowns by billing cycle, region, resource group, tag. Configurable email/webhook alerts when spending approaches thresholds.
TCO Calculator | MIGRATION DECISION — business case | Compares on-premises infrastructure costs vs Azure. Helps build the business case for cloud migration by quantifying potential savings.
Resource tags
What tags are
Name-value metadata pairs applied to Azure resources. Example: Name="Department" / Value="Marketing". Each resource can have multiple tags.
Tags are NOT inherited
Critical exam point. Tags do NOT flow down the hierarchy. A tag on a resource group does NOT automatically appear on resources inside it. Each resource must be tagged explicitly, or Azure Policy must enforce automatic tagging on resource creation.
Uses
Cost tracking (filter Cost Analysis by tag to see project-level spending), governance (identify compliance-audit targets), operations (mark dev/test/prod), automation (scripts targeting specific tagged resources).
Microsoft Purview
Unified family of data governance, risk, and compliance solutions covering your entire data estate — not just Azure. Combines Azure Purview and Microsoft 365 compliance into a single platform.
What it governs
Azure storage services, Power BI, SQL databases, on-premises data sources, Amazon S3, SaaS applications — the entire data estate across multi-cloud, on-premises, and SaaS.
Key capabilities
Data discovery and cataloging (unified map of all data assets), sensitive data classification and protection (PII, financial, health data), compliance management (GDPR, HIPAA), access policies across the entire data estate.
Service Trust Portal
Public Microsoft website providing transparency about how Microsoft protects customer data in its cloud services.
What it contains
Third-party audit reports (SOC 1/2/3, ISO 27001, PCI DSS, FedRAMP), technical compliance documentation, compliance guides for specific regulations. Evidence organizations need for regulatory audits.
Access
Basic browsing is public. Accessing specific audit reports requires sign-in and accepting a non-disclosure agreement. My Library feature lets authenticated users save documents and receive update notifications.
Azure Policy
Enforces rules about how Azure resources are configured — ensuring all resources in your environment comply with corporate standards and regulatory obligations automatically.
What policies do
Define rules resources must comply with: "all VMs must be in West Europe region," "all storage accounts must use HTTPS only," "all resources must have a Cost Center tag." Continuously evaluated against existing and new resources.
Enforcement effects
Audit (flag but allow), Deny (prevent creation of non-compliant resources), Modify (automatically add/change configurations), Deploy if not exists (add required resources automatically).
Initiatives
A collection of related policies assigned as a single unit. Instead of assigning 20 individual security policies, create one initiative containing all 20 and assign once. Microsoft provides built-in initiatives for PCI-DSS, HIPAA, CIS Benchmarks.
Inheritance
Policies assigned at management group level are inherited by all subscriptions, resource groups, and resources beneath. Set once at the top, governs the entire estate.
Exam trap: Azure Policy controls what can be created and how it must be configured. Resource Locks control whether existing resources can be modified or deleted. Different tools, different purposes.
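To make the rule shapes above concrete, here is an added example (not Microsoft's policy engine and not code from the exam materials) that writes the three quoted rules in the Azure Policy policyRule if/then JSON shape and evaluates them against a constructed resource. The evaluator, the initiative name and the sample resource are assumptions of this example.

```python
"""Simplified model of Azure Policy evaluation (added example, not Microsoft's
engine). Definitions use the real policyRule if/then JSON shape; the
evaluator and the sample resource are constructed for this page."""

# The three rules the page quotes: allowed region, HTTPS-only storage,
# and a required Cost Center tag. Grouped as one initiative (constructed name).
ALLOWED_LOCATIONS = {"name": "allowed-locations", "policyRule": {
    "if": {"field": "location", "notIn": ["westeurope"]},
    "then": {"effect": "deny"}}}
STORAGE_HTTPS_ONLY = {"name": "storage-https-only", "policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "supportsHttpsTrafficOnly", "equals": False}]},
    "then": {"effect": "deny"}}}
REQUIRE_COST_CENTER_TAG = {"name": "require-costcenter-tag", "policyRule": {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "audit"}}}
SECURITY_BASELINE = [ALLOWED_LOCATIONS, STORAGE_HTTPS_ONLY,
                     REQUIRE_COST_CENTER_TAG]


def _field(resource, name):
    """Resolve tags['X'] and plain property names against a resource dict."""
    if name.startswith("tags['"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def matches(condition, resource):
    """Return True when the policy condition applies to the resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:
        return (value is not None) == (condition["exists"] == "true")
    raise ValueError("unsupported condition: %r" % condition)


def evaluate(initiative, resource):
    """Return {policy name: effect} for every policy whose condition matches."""
    return {p["name"]: p["policyRule"]["then"]["effect"]
            for p in initiative if matches(p["policyRule"]["if"], resource)}


def is_allowed(initiative, resource):
    """Only a deny effect blocks the request; audit merely flags it."""
    return "deny" not in evaluate(initiative, resource).values()


# Constructed sample: storage account in the wrong region, HTTP allowed, untagged.
SAMPLE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
          "supportsHttpsTrafficOnly": False, "tags": {}}
```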
Resource locks
Prevent accidental deletion or modification of critical resources. Override RBAC — even Owners cannot delete or modify a locked resource without first removing the lock.

Delete lock

Read ✓   Modify ✓   Delete ✗

Authorized users can read and modify but cannot delete. Use to protect resources you actively maintain from accidental removal.

Read-only lock

Read ✓   Modify ✗   Delete ✗

The most restrictive lock. Users can only read the resource. Use for critical infrastructure that must remain exactly as configured.

Inheritance
Locks ARE inherited (unlike tags). A Delete lock on a resource group applies to ALL resources within — you cannot delete any individual resource without first removing the group-level lock.
Who can remove locks
Requires Microsoft.Authorization/locks/* permission — included in Owner and User Access Administrator roles. Contributor does NOT have this permission. A Contributor cannot delete a locked resource even if they have delete permission on it.
Azure Policy vs resource locks — comparison
Dimension | Azure Policy | Resource Locks
Purpose | Enforce resource configuration standards | Prevent modification or deletion of existing resources
Inherited? | Yes — downward through hierarchy | Yes — downward through hierarchy
Can be bypassed? | No — deny effect is absolute | Only by removing the lock (Owner/User Access Administrator)
Contributor can override? | No | No — Contributor cannot manage locks
Azure management interfaces
Tool | Type | Best for
Azure Portal | Web-based GUI | Visual exploration, one-time resource creation, monitoring. Always available — replicated across data centers worldwide. Continuously updated with no maintenance windows.
Azure Cloud Shell | Browser-based shell | CLI/PowerShell without local installation. Auto-authenticated from portal session. Supports both PowerShell and Bash (Azure CLI). Persistent 5 GB file storage between sessions.
Azure PowerShell | Shell (verb-noun cmdlets) | Windows administrators, .NET developers, Windows automation backgrounds.
Azure CLI | Shell (Bash-style commands) | Linux/macOS administrators, Unix shell scripting backgrounds.
Exam tip: For AZ-900 you do NOT need to write or memorize any commands. Know what each tool is and that PowerShell and CLI both call the same Azure Resource Manager API — same capabilities, different syntax.
Azure Arc
Extends Azure management capabilities beyond Azure cloud — allowing you to manage on-premises servers, servers in other clouds (AWS, GCP), Kubernetes clusters, and databases as if they were native Azure resources.
The problem it solves
Organizations running hybrid or multi-cloud environments manage resources across multiple disconnected management interfaces. Azure Arc creates a single unified management experience in Azure regardless of where physical resources run.
What you gain
Apply Azure Policy to on-premises servers. Use Azure RBAC on non-Azure resources. Monitor in Azure Monitor. Apply Defender for Cloud assessments to non-Azure infrastructure. Manage everything through the Azure Portal, CLI, or PowerShell.
How it works
Install the Azure Connected Machine agent on on-premises or non-Azure servers. The agent projects those servers as Azure resources into Azure Resource Manager so they appear in the Azure Portal.
Azure Resource Manager (ARM)
The deployment and management layer for all of Azure. Every action — clicking the Portal, running CLI, calling the REST API — is processed through ARM. It is the single control plane for all Azure resources.
How it works
Any request from any tool goes to ARM. ARM authenticates the identity, checks RBAC authorization, then forwards the request to the appropriate Azure service. Since all tools go through the same ARM layer, every tool has identical capabilities and results are consistent.
Why it matters
Governance (access control, policies, locks are enforced at ARM — no back-door bypass), auditability (every action logged in the Activity Log), consistency (Portal + CLI + PowerShell all produce identical results).
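As an added example serving both the resource locks section above and the ARM request flow described here (a constructed model, not Azure's authorization code): a request is checked against the caller's role first and then against locks inherited from every parent scope, so a Contributor with delete permission is still blocked by a CanNotDelete lock on the resource group, and only a role holding Microsoft.Authorization/locks/* can remove that lock. The role permission sets, the scope paths and the check order are simplifying assumptions.

```python
"""Model of how a resource request is checked against RBAC and resource locks
(added example; constructed roles, scope paths and check order, not Azure's
own authorization code). A lock at a parent scope applies to everything beneath."""

# Simplified built-in roles: "locks" stands for Microsoft.Authorization/locks/*.
ROLES = {
    "Owner": {"read", "write", "delete", "locks"},
    "User Access Administrator": {"read", "locks"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}
# The two Azure lock levels and the actions each one blocks.
LOCK_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete"}}


def scopes_above(scope):
    """Yield the scope and each ancestor: resource, resource group,
    subscription. Scopes are '/'-separated paths in this model."""
    parts = scope.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])


def authorize(role, action, scope, locks):
    """Return (allowed, reason). `locks` maps a scope to its lock level.
    RBAC is checked first; a lock anywhere up the hierarchy then overrides it."""
    if action not in ROLES[role]:
        return False, "rbac: %s lacks %s" % (role, action)
    for s in scopes_above(scope):
        level = locks.get(s)
        if level and action in LOCK_BLOCKS[level]:
            return False, "%s lock at %s" % (level, s)
    return True, "allowed"


def remove_lock(role, scope, locks):
    """Removing a lock is itself a privileged action: Contributor cannot."""
    if "locks" not in ROLES[role]:
        return False
    locks.pop(scope, None)
    return True


# Constructed scenario: a Delete lock on the production resource group.
PROD_LOCKS = {"/sub-prod/rg-prod": "CanNotDelete"}
DB = "/sub-prod/rg-prod/sqldb-orders"
```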
Infrastructure as Code (IaC) & ARM templates
What IaC is
Managing infrastructure through code files (templates) rather than manual processes. Describe the desired end state; the system creates or modifies resources to match. Enables consistency, repeatability, version control, and peer review of infrastructure changes.
ARM templates (JSON)
JSON files that declaratively define Azure resources. Validated before execution — errors are caught before any resource is created. Independent resources are created in parallel (dramatically faster than sequential). Templates can be downloaded from existing deployments for future reuse.
Bicep
Simpler domain-specific language that compiles to ARM JSON. Cleaner syntax: a deployment that takes 2 slides of JSON needs about half as much code in Bicep. Automatic dependency detection (no need to declare dependsOn). Direct parameter references without verbose functions. Microsoft's recommendation for new IaC work.
Three monitoring tools — which to use when
Tool | Use it when | Scope | Login required?
Azure Advisor | You want proactive optimization recommendations for existing resources | Your deployed resources | Yes
Azure Status page | You want to check for a widespread global Azure outage | ALL Azure services, ALL regions | No (public)
Service Health | You want to know if outages or maintenance affect YOUR specific services and regions | Your subscriptions' services only | Yes
Resource Health | You want to know if a specific resource instance is healthy right now | Individual resource instances | Yes
Azure Monitor | You want to collect metrics/logs, set custom alerts, and automate responses | Azure, on-premises, multi-cloud | Yes
Azure Advisor — 5 recommendation categories

Reliability

Enable VM availability sets, configure geo-redundant storage, add health probes to load balancers, ensure VMs have backup policies.

Security

Enable MFA on privileged accounts, encrypt VM disks, apply NSG rules, update OS patches. Sourced from Defender for Cloud.

Performance

Upgrade to premium SSD, use proximity placement groups, enable read replicas for heavily queried databases.

Cost

Shut down idle VMs (less than 5% CPU), right-size over-provisioned VMs, purchase reserved instances, delete unattached managed disks.

Operational Excellence

Use Azure Resource Graph for inventory, set resource tags, use deployment templates for reproducibility.

Access

Available in Azure Portal, via REST API, and via configurable notifications (email/webhook) when new recommendations appear.

Azure Monitor
What it monitors
Azure resources (natively), on-premises servers (via Azure Monitor Agent), and other cloud resources (AWS, GCP VMs). Unified monitoring across hybrid and multi-cloud.
Metrics
Numerical time-series data — CPU, memory, network, disk, request counts, error rates. Collected at high frequency (often 1-minute intervals). Retained 93 days by default.
Alerts
Metric alerts: trigger when a numerical value crosses a threshold (e.g. CPU exceeds 80%). Log alerts: trigger when a query returns matching results (e.g. 10+ failed logins in 5 minutes). Both can trigger Action Groups.
Action groups
Reusable collections of notification methods and automated actions triggered when an alert fires: email, SMS, webhook, Azure Automation runbook, support ticket creation. Same action group can be linked to multiple alerts across Azure Monitor, Service Health, and Azure Advisor.
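An added example (not Azure Monitor's own evaluation engine) modelling the log alert quoted above: a sliding 5-minute window over constructed sign-in records, firing when a user reaches 10 failures and fanning out to every notification method in the action group. The record shape, the user names and the action group are constructed for this page.

```python
"""Model of an Azure Monitor log alert: run a threshold 'query' over a
5-minute window and hand matches to an action group. Added example with
constructed sign-in records; not Azure Monitor's own evaluation engine."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a sign-in log: (time, user, result).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOGS = (
    [(T0 + timedelta(seconds=20 * i), "alice", "Failure") for i in range(12)]
    + [(T0 + timedelta(minutes=i), "bob", "Failure") for i in range(4)]
    + [(T0 + timedelta(minutes=2), "carol", "Success")]
)

# Constructed action group: one reusable set of notification methods.
ACTION_GROUP = {"name": "soc-oncall", "actions": ["email", "sms", "webhook"]}


def failed_logins(logs, window=timedelta(minutes=5), threshold=10):
    """The 'query': count failures per user inside any sliding window of
    `window` length and return the users who reach the threshold."""
    by_user = defaultdict(list)
    for ts, user, result in logs:
        if result == "Failure":
            by_user[user].append(ts)
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(count, hits.get(user, 0))
    return hits


def evaluate_alert(logs, action_group=ACTION_GROUP):
    """A log alert fires only when the query returns rows; return the
    notifications the linked action group would then send."""
    hits = failed_logins(logs)
    if not hits:
        return []
    return [{"action": a, "users": sorted(hits)} for a in action_group["actions"]]
```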
Key terms — flash reference
Reserved Capacity
Commit to fixed resource usage for 1-3 years for discounts up to 72%. Best for stable workloads.
Pricing Calculator
Free public tool for estimating costs BEFORE deployment. Estimates only — not guaranteed billing.
Cost Management
Monitor and control costs AFTER deployment. Budgets, cost alerts, Cost Analysis.
Resource tags
Name-value metadata. NOT inherited. Used for cost tracking, governance, and automation.
Microsoft Purview
Unified data governance across entire data estate (Azure, multi-cloud, on-premises, SaaS).
Azure Policy
Enforces resource configuration rules. Inherited. Cannot be bypassed by any user permission. Initiatives group related policies.
Delete lock
Prevents deletion but allows modification. Inherited. Overrides RBAC.
Read-only lock
Prevents both modification and deletion. Inherited. Contributor cannot remove locks.
Service Trust Portal
Public site with third-party audit reports and compliance documentation for Microsoft cloud services.
Azure Arc
Extends Azure management to on-premises and multi-cloud resources. Projects non-Azure resources into ARM.
ARM
Single management layer all Azure tools route through. Authentication, authorization, and request routing.
Bicep
Simpler DSL alternative to JSON ARM templates. Compiles to ARM JSON. Microsoft recommended for new IaC work.
Azure Advisor
Proactive recommendations across 5 categories: Reliability, Security, Performance, Cost, Operational Excellence.
Service Health
Personalized view of Azure health for YOUR services and regions. Configurable alerts for outages and maintenance.
Azure Monitor
Comprehensive monitoring platform — metrics, logs, alerts, action groups. Covers Azure, on-premises, multi-cloud.
A company wants to prevent developers from deploying resources outside approved regions. Even Owners should not bypass this. What to configure?
Azure Policy with Allowed Locations (Deny effect). When set to Deny and assigned at the subscription level, it prevents any resource creation in unapproved regions regardless of RBAC role — even Owners cannot bypass a Policy deny effect.
A critical production database was accidentally deleted by an authorized Contributor. How could this have been prevented?
A Delete resource lock. A Delete lock prevents any user — regardless of RBAC role — from deleting the resource without first explicitly removing the lock. Note: Contributor cannot remove locks (needs Owner or User Access Administrator). Going forward, apply Delete locks to all critical production resources.
Your company receives an alert that Azure is experiencing an outage. You want to know specifically if YOUR deployed resources are affected. Which Service Health component?
Service Health (not Azure Status). Azure Status shows global health of ALL Azure services across ALL regions — no personalization. Service Health is authenticated and knows exactly which services and regions you use, filtering information to show only the impact on your specific deployments. For individual resource impact, check Resource Health.
What are the key differences between Azure Policy and resource locks?
Azure Policy controls what resources can be created and how they must be configured. It prevents non-compliant resources from being created in the first place, and continuously monitors existing resources for compliance. It can be set to Audit (flag), Deny (block), Modify (auto-fix), or Deploy (add required resources). Azure Policy cannot be bypassed by any user permission — a Deny policy prevents even Owners from creating non-compliant resources.
Resource Locks protect existing resources from accidental modification or deletion. They override RBAC — even an Owner cannot delete a locked resource without first removing the lock. However, locks can be removed by users with the Microsoft.Authorization/locks/* permission (Owner and User Access Administrator only — Contributor cannot).
Both are inherited through the management hierarchy, but they serve fundamentally different purposes: Policy = configuration governance for new and existing resources; Locks = protection of specific existing resources.
What is the difference between Pricing Calculator, Cost Management, and TCO Calculator?
These three tools serve different purposes at different stages.
The Pricing Calculator is used BEFORE deployment for planning and estimation. You add services, configure their parameters, and get an estimated monthly cost. It shows the impact of 1-year and 3-year reservations. It is public and free but provides estimates only — not guaranteed billing amounts.
Cost Management is used AFTER deployment to monitor and control actual spending. It tracks real charges, enables you to set budgets with alerts that fire when spending approaches limits, and provides Cost Analysis for visual spending breakdowns by region, resource type, tag, and billing cycle.
The TCO (Total Cost of Ownership) Calculator is used as a MIGRATION DECISION tool — it compares your current on-premises infrastructure costs against the estimated cost of running equivalent workloads in Azure, helping build a business case for migration.