AZ-104 Objective 1.3: Manage Azure Subscriptions and Governance
AZ-104 Exam Focus: This objective covers Azure governance, which is essential for maintaining control, compliance, and cost management across Azure environments. Understanding Azure Policy, resource locks, tags, resource groups, subscriptions, cost management, and management groups is crucial for Azure administrators. Master these concepts for both exam success and real-world Azure governance.
Understanding Azure Governance
Azure governance provides the framework for maintaining control, compliance, and cost management across your Azure environment. It encompasses policies, resource organization, access control, and monitoring to ensure your cloud resources align with organizational requirements. Governance works closely with RBAC access control to ensure proper security and compliance across your Azure resources.
Governance Components:
- Azure Policy: Enforce compliance and governance rules
- Resource Locks: Prevent accidental deletion or modification
- Tags: Organize and track resources for cost and management
- Resource Groups: Logical containers for related resources
- Subscriptions: Billing and access control boundaries
- Management Groups: Hierarchical organization of subscriptions
- Cost Management: Monitor and optimize spending
Implement and Manage Azure Policy
Understanding Azure Policy
Azure Policy is a service that enables you to create, assign, and manage policies that enforce different rules and effects over your resources. These policies ensure compliance with corporate standards and service level agreements.
Policy Components
Policy Definition:
- Policy Rule: JSON definition of the policy logic
- Parameters: Configurable values for policy flexibility
- Effect: What happens when policy is evaluated (Audit, Deny, Modify, etc.)
- Conditions: When the policy applies
Policy Effects:
- Audit: Logs non-compliant resources but doesn't prevent creation
- Deny: Prevents resource creation or modification
- Modify: Adds or updates properties during resource creation
- DeployIfNotExists: Deploys resources if they don't exist
- AuditIfNotExists: Audits if required resources don't exist
Creating and Managing Policies
Azure Portal Method
Step-by-Step Process:
- Navigate to Policy: Go to Azure Portal → Policy
- Create Policy Definition: Click "Definitions" → "Policy definition"
- Define Policy: Enter name, description, and policy rule JSON
- Assign Policy: Go to "Assignments" → "Assign policy"
- Select Scope: Choose management group, subscription, or resource group
- Configure Parameters: Set any required parameters
- Review and Create: Review assignment and create
PowerShell Method
Policy Management Commands:
# Connect to Azure
Connect-AzAccount

# Create policy definition: deny any resource that is created without an Environment tag
# (tags['<name>'] is the documented bracket syntax for tag fields)
$policyDefinition = @{
    Name        = "RequireTag"
    DisplayName = "Require Tag"
    Description = "Requires a specific tag"
    Policy      = @'
{
  "if": {
    "not": {
      "field": "tags['Environment']",
      "exists": true
    }
  },
  "then": {
    "effect": "deny"
  }
}
'@
}
New-AzPolicyDefinition @policyDefinition

# Assign policy at subscription scope (replace {subscription-id})
$policyAssignment = @{
    Name             = "RequireTagAssignment"
    PolicyDefinition = Get-AzPolicyDefinition -Name "RequireTag"
    Scope            = "/subscriptions/{subscription-id}"
}
New-AzPolicyAssignment @policyAssignment

# Get policy compliance for the assignment
Get-AzPolicyState -PolicyAssignmentName "RequireTagAssignment"
Built-in Policy Examples
Common Built-in Policies:
- Allowed locations: Restrict resource deployment to specific regions
- Allowed virtual machine SKUs: Control VM sizes
- Require tag and its value: Enforce tagging requirements
- Storage account should use a virtual network service endpoint: Security compliance
- SQL servers should have vulnerability assessment configured: Security compliance
- Audit VMs that do not use managed disks: Best practice enforcement
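The following is an added example, not code from the original page: it assigns the built-in "Allowed locations" policy at subscription scope with a parameter value and then lists the resources that already violate it. The subscription ID placeholder, the two regions, and the assignment name are assumptions; the built-in definition's parameter name listOfAllowedLocations is the one the built-in exposes.

```powershell
# Added example (not from the original page): assign the built-in "Allowed locations"
# policy and list non-compliant resources.
# Assumed values: subscription ID placeholder, allowed regions, assignment name.
$subscriptionId = "{subscription-id}"          # placeholder: replace with your subscription ID
$scope          = "/subscriptions/$subscriptionId"
$allowedRegions = @("eastus", "westus")        # constructed sample value

# Built-in definitions are read-only and maintained by Microsoft, so only the assignment is created.
# Older Az.Resources versions expose the display name under .Properties, newer ones at top level,
# so check both.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.DisplayName, $_.Properties.DisplayName) -contains "Allowed locations" }
if (-not $definition) { throw "Built-in 'Allowed locations' definition not found" }

# Pass the parameter value as a hashtable; the built-in parameter is 'listOfAllowedLocations'
New-AzPolicyAssignment -Name "AllowedLocationsAssignment" `
    -DisplayName "Restrict deployments to approved regions" `
    -PolicyDefinition $definition `
    -Scope $scope `
    -PolicyParameterObject @{ listOfAllowedLocations = $allowedRegions }

# A Deny effect stops new non-compliant deployments, but resources that already exist are not
# removed; they are reported as NonCompliant instead. Evaluation runs on a schedule, so an
# empty result immediately after assignment is expected.
Get-AzPolicyState -PolicyAssignmentName "AllowedLocationsAssignment" `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, ComplianceState |
    Format-Table -AutoSize
```

The same pattern applies to the other built-ins in the list above: look the definition up by display name, supply its parameters through -PolicyParameterObject, and read compliance back with Get-AzPolicyState.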
Configure Resource Locks
Understanding Resource Locks
Resource locks prevent accidental deletion or modification of critical Azure resources. Locks are applied at the resource or resource group level and can be inherited by child resources.
Lock Types
CanNotDelete Lock:
- Purpose: Prevents resource deletion
- Effect: Resource can be read and modified but not deleted
- Use Case: Critical production resources
ReadOnly Lock:
- Purpose: Prevents any modifications
- Effect: Resource can only be read
- Use Case: Compliance or audit requirements
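Because a CanNotDelete lock on a resource group protects everything in it, a practical governance check is to find production resource groups that have no lock at all. The script below is an added example, not code from the original page; it assumes production groups carry the tag Environment=Production, and the lock name and note are made up.

```powershell
# Added example (not from the original page): report resource groups tagged
# Environment=Production that no CanNotDelete or ReadOnly lock protects, then add one.
# Assumptions: the tag name/value convention and the lock name "prod-do-not-delete".
function Get-UnlockedProductionGroup {
    $prodGroups = Get-AzResourceGroup |
        Where-Object { $_.Tags -and $_.Tags["Environment"] -eq "Production" }

    foreach ($rg in $prodGroups) {
        # -AtScope returns locks at this scope or above; a subscription-level lock is
        # inherited by the group, so it counts as protection too
        $locks = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope
        $protected = $locks | Where-Object { $_.Properties.level -in @("CanNotDelete", "ReadOnly") }
        if (-not $protected) {
            [pscustomobject]@{
                ResourceGroup = $rg.ResourceGroupName
                Location      = $rg.Location
                LocksFound    = @($locks).Count
            }
        }
    }
}

$unprotected = Get-UnlockedProductionGroup
$unprotected | Format-Table -AutoSize

# Remediate: CanNotDelete keeps the resources editable but blocks deletion.
# A lock does not protect itself: a principal with Microsoft.Authorization/locks/* permission
# (for example Owner) can remove it, so locks complement RBAC rather than replace it.
foreach ($rg in $unprotected) {
    New-AzResourceLock -LockName "prod-do-not-delete" `
        -LockLevel CanNotDelete `
        -ResourceGroupName $rg.ResourceGroup `
        -LockNotes "Production environment - do not delete" `
        -Force
}
```

Run the function on its own first to review the list; the remediation loop only acts on groups it returned.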
Managing Resource Locks
Azure Portal Method
Step-by-Step Process:
- Navigate to Resource: Go to the resource or resource group
- Access Locks: Click "Locks" in the left navigation
- Add Lock: Click "Add" to create a new lock
- Configure Lock: Enter name, lock type, and notes
- Save Lock: Click "OK" to apply the lock
PowerShell Method
Lock Management Commands:
# Create CanNotDelete lock on resource group
New-AzResourceLock -LockName "ProductionLock" `
    -LockLevel CanNotDelete `
    -ResourceGroupName "ProductionRG" `
    -LockNotes "Production environment - do not delete"

# Create ReadOnly lock on an individual resource
New-AzResourceLock -LockName "ReadOnlyLock" `
    -LockLevel ReadOnly `
    -ResourceName "MyStorageAccount" `
    -ResourceType "Microsoft.Storage/storageAccounts" `
    -ResourceGroupName "MyRG"

# Get all locks
Get-AzResourceLock

# Remove lock
Remove-AzResourceLock -LockName "ProductionLock" -ResourceGroupName "ProductionRG"
Apply and Manage Tags on Resources
Understanding Azure Tags
Tags are name-value pairs that help you organize and track Azure resources. They provide metadata for cost management, resource organization, and governance.
Tag Benefits
Key Benefits:
- Cost Management: Group resources for billing and cost analysis
- Resource Organization: Categorize resources by purpose, owner, environment
- Governance: Enforce tagging policies and standards
- Automation: Use tags in automation scripts and policies
- Reporting: Generate reports based on tag values
Tag Management Strategies
Common Tag Categories
Recommended Tags:
- Environment: dev, test, staging, prod
- Owner: Team or individual responsible
- Project: Project or application name
- CostCenter: Financial tracking
- Department: Organizational unit
- CreatedDate: Resource creation date
- BackupRequired: Backup policy indicator
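A tagging standard is only useful if it is checked. The script below is an added example, not code from the original page: it reports every resource in a resource group that lacks one of a required tag set, then merges placeholder values in so the gap is visible in cost reports. The required tag names, the resource group name, and the default values are assumptions.

```powershell
# Added example (not from the original page): audit a resource group against a required tag
# set and merge defaults into resources that are missing tags.
# Assumptions: required tag names, resource group "MyRG", and the default values.
$requiredTags      = @("Environment", "Owner", "CostCenter")
$resourceGroupName = "MyRG"

function Get-TagGap {
    param([string[]]$Required, [string]$ResourceGroupName)
    foreach ($r in Get-AzResource -ResourceGroupName $ResourceGroupName) {
        # Azure tag names are case-insensitive; PowerShell's -notin is case-insensitive too
        $present = if ($r.Tags) { @($r.Tags.Keys) } else { @() }
        $absent  = @($Required | Where-Object { $_ -notin $present })
        if ($absent.Count -gt 0) {
            [pscustomobject]@{
                Name        = $r.Name
                Type        = $r.ResourceType
                ResourceId  = $r.ResourceId
                MissingTags = $absent
            }
        }
    }
}

$gaps = Get-TagGap -Required $requiredTags -ResourceGroupName $resourceGroupName
$gaps | Select-Object Name, Type, @{ Name = "MissingTags"; Expression = { $_.MissingTags -join ", " } } |
    Format-Table -AutoSize

# Remediate with Update-AzTag -Operation Merge: adds only the listed tags and keeps every tag
# already on the resource (Replace would drop them).
$defaults = @{ Environment = "unclassified"; Owner = "unassigned"; CostCenter = "0000" }
foreach ($gap in $gaps) {
    $toAdd = @{}
    foreach ($tag in $gap.MissingTags) { $toAdd[$tag] = $defaults[$tag] }
    Update-AzTag -ResourceId $gap.ResourceId -Tag $toAdd -Operation Merge
}
```

Placeholder values such as "unassigned" are deliberate: they make untagged resources stand out in cost analysis grouped by Owner, which is usually the point at which the real owner is found.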
PowerShell Tag Management
Tag Operations:
# Add tags to resource group
$tags = @{
    Environment = "Production"
    Owner       = "IT Team"
    Project     = "WebApp"
    CostCenter  = "12345"
}
Set-AzResourceGroup -Name "MyRG" -Tag $tags

# Add tags to individual resource (merge into its existing tags; a key that already exists is overwritten)
$resource = Get-AzResource -ResourceName "MyVM" -ResourceGroupName "MyRG"
$resourceTags = if ($resource.Tags) { $resource.Tags } else { @{} }
$resourceTags["BackupRequired"] = "Yes"
$resourceTags["CreatedDate"]    = (Get-Date).ToString("yyyy-MM-dd")
Set-AzResource -ResourceId $resource.ResourceId -Tag $resourceTags -Force

# Bulk tag resources. Assign keys individually: hashtable "+=" throws when a resource
# already carries one of the keys being added.
$resources = Get-AzResource -ResourceGroupName "MyRG"
foreach ($resource in $resources) {
    $resourceTags = if ($resource.Tags) { $resource.Tags } else { @{} }
    $resourceTags["Environment"] = "Production"
    $resourceTags["Owner"]       = "IT Team"
    Set-AzResource -ResourceId $resource.ResourceId -Tag $resourceTags -Force
}

# Get resources by tag
Get-AzResource -TagName "Environment" -TagValue "Production"
Manage Resource Groups
Resource Group Best Practices
Resource groups are logical containers that hold related resources for an Azure solution. Proper resource group management is essential for organization, access control, and lifecycle management.
Resource Group Design Principles
Design Guidelines:
- Lifecycle Alignment: Group resources with same lifecycle
- Access Control: Use resource groups for RBAC assignments
- Billing: Group resources for cost tracking
- Deployment: Use resource groups for ARM template deployments
- Naming Convention: Consistent naming for easy identification
Resource Group Management
PowerShell Resource Group Operations
Management Commands:
# Create resource group
New-AzResourceGroup -Name "MyResourceGroup" -Location "East US"

# Get resource groups
Get-AzResourceGroup

# Get resources in resource group
Get-AzResource -ResourceGroupName "MyResourceGroup"

# Move resources between resource groups
$resource = Get-AzResource -ResourceName "MyVM" -ResourceGroupName "SourceRG"
Move-AzResource -DestinationResourceGroupName "DestinationRG" -ResourceId $resource.ResourceId

# Delete resource group (-Force suppresses the confirmation prompt; omit it to be asked first)
Remove-AzResourceGroup -Name "MyResourceGroup" -Force

# Export resource group template
Export-AzResourceGroup -ResourceGroupName "MyResourceGroup" -Path "template.json"
Manage Subscriptions
Subscription Management
Azure subscriptions are billing and access control boundaries. Proper subscription management is crucial for cost control, security, and governance.
Subscription Types
Subscription Categories:
- Free Account: Limited services for learning and testing
- Pay-as-you-go: Pay for what you use
- Enterprise Agreement: Volume licensing for large organizations
- Student: Educational discounts for students
- Sponsorship: Microsoft-sponsored subscriptions
Subscription Administration
PowerShell Subscription Management
Administration Commands:
# Get all subscriptions
Get-AzSubscription

# Set default subscription
Set-AzContext -SubscriptionId "subscription-id"

# Get subscription details
Get-AzSubscription -SubscriptionId "subscription-id"

# Get subscription usage (last 30 days)
Get-AzConsumptionUsageDetail -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

# Get subscription billing invoices
Get-AzBillingInvoice -MaxCount 10
Manage Costs by Using Alerts, Budgets, and Azure Advisor
Cost Management Overview
Azure Cost Management provides tools to monitor, analyze, and optimize cloud spending. It includes budgets, alerts, and recommendations to help control costs.
Cost Management Components
Key Features:
- Cost Analysis: Visualize and analyze spending patterns
- Budgets: Set spending limits and track progress
- Alerts: Notifications when spending thresholds are reached
- Azure Advisor: Recommendations for cost optimization
- Reserved Instances: Cost savings for predictable workloads
Setting Up Budgets and Alerts
Azure Portal Method
Budget Creation Process:
- Navigate to Cost Management: Go to Azure Portal → Cost Management + Billing
- Create Budget: Click "Budgets" → "Add"
- Configure Budget: Set scope, amount, and time period
- Set Alerts: Configure alert thresholds (50%, 80%, 100%)
- Add Recipients: Specify email addresses for notifications
- Save Budget: Create the budget and alerts
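The portal steps above have a PowerShell equivalent in the Az.Billing module. The block below is an added example, not code from the original page: it creates a monthly subscription-scope budget with one alert at 80% of the amount and reads it back. The budget name, amount, recipient address, and notification key are assumed sample values.

```powershell
# Added example (not from the original page): create a monthly cost budget with an 80% alert.
# Assumptions: budget name, amount, recipient e-mail, and the notification key.
# Budgets must start on the first day of a month, so normalise the start date.
$startDate = (Get-Date -Day 1).Date
$endDate   = $startDate.AddYears(1)

New-AzConsumptionBudget -Name "prod-monthly-budget" `
    -Amount 5000 `
    -Category Cost `
    -TimeGrain Monthly `
    -StartDate $startDate `
    -EndDate $endDate `
    -ContactEmail "finops@example.com" `
    -NotificationKey "Actual80Percent" `
    -NotificationEnabled `
    -NotificationThreshold 80

# Verify the budget, its current spend, and the notification attached to it
Get-AzConsumptionBudget -Name "prod-monthly-budget" |
    Select-Object Name, Amount, TimeGrain, CurrentSpend, Notification
```

Each threshold in the portal wizard (50%, 80%, 100%) is a separate notification identified by its own key; the block creates one of them. Use -ResourceGroupName to scope a budget to a single resource group instead of the whole subscription. A budget alert is a notification only: it does not stop deployments, which is why the page pairs budgets with policy and Advisor recommendations.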
PowerShell Cost Management
Cost Management Commands:
# Get cost analysis (last 30 days of usage detail, retrieved once and reused below)
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
$usage = Get-AzConsumptionUsageDetail -StartDate $start -EndDate $end
$usage

# Get cost by resource group: sum PretaxCost within each group of the usage already retrieved
$usage |
    Group-Object ResourceGroup |
    Select-Object Name, @{ Name = "TotalCost"; Expression = { ($_.Group | Measure-Object -Property PretaxCost -Sum).Sum } } |
    Sort-Object TotalCost -Descending

# Get Azure Advisor recommendations
Get-AzAdvisorRecommendation

# Get cost recommendations
Get-AzAdvisorRecommendation | Where-Object { $_.Category -eq "Cost" }
Azure Advisor Recommendations
Common Cost Recommendations:
- Right-size VMs: Optimize VM sizes for actual usage
- Reserved Instances: Purchase reserved capacity for predictable workloads
- Unused Resources: Identify and remove unused resources
- Storage Optimization: Optimize storage tiers and redundancy
- Database Optimization: Right-size database resources
Configure Management Groups
Understanding Management Groups
Management groups provide a level of scope above subscriptions. They help organize subscriptions and apply governance policies across multiple subscriptions.
Management Group Benefits
Key Benefits:
- Hierarchical Organization: Organize subscriptions in a tree structure
- Policy Inheritance: Apply policies to multiple subscriptions
- Access Control: Manage access across subscriptions
- Billing: Consolidated billing and cost management
- Governance: Centralized governance and compliance
Management Group Structure
Design Principles
Structure Guidelines:
- Root Management Group: Top-level container for all subscriptions
- Environment-based: Separate groups for production, development, testing
- Department-based: Organize by business units or departments
- Geographic: Separate groups for different regions
- Project-based: Group subscriptions by projects or applications
Management Group Configuration
PowerShell Management
Management Commands:
# Create management group
New-AzManagementGroup -GroupName "Production" -DisplayName "Production Environment"

# Get management groups
Get-AzManagementGroup

# Add subscription to management group
New-AzManagementGroupSubscription -GroupName "Production" -SubscriptionId "subscription-id"

# Remove subscription from management group
Remove-AzManagementGroupSubscription -GroupName "Production" -SubscriptionId "subscription-id"

# Get management group hierarchy. -Expand and -Recurse require a group name;
# the root management group's name is the tenant ID.
$rootGroupName = (Get-AzContext).Tenant.Id
Get-AzManagementGroup -GroupName $rootGroupName -Expand -Recurse

# Delete management group
Remove-AzManagementGroup -GroupName "Production"
Advanced Governance Scenarios
Scenario 1: Multi-Environment Governance
Situation: Organization needs to enforce different policies for development, testing, and production environments.
Solution: Create management groups for each environment, apply environment-specific policies, implement resource locks for production, and set up cost budgets per environment.
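The structure guidelines and Scenario 1 describe the same design: an environment-based tree with policies assigned at the group level so every subscription below inherits them. The block below is an added example, not code from the original page; it builds that tree under the tenant root, places a subscription in the production group, and assigns a built-in audit policy at that group. The group names, display names, assignment name, and subscription ID placeholder are assumptions.

```powershell
# Added example (not from the original page): environment-based management group tree
# with a policy assigned at the Production group so subscriptions under it inherit it.
# Assumptions: group names/display names, assignment name, subscription ID placeholder.
$tenantId = (Get-AzContext).Tenant.Id      # the root management group's name is the tenant ID
$rootId   = "/providers/Microsoft.Management/managementGroups/$tenantId"

$envs    = New-AzManagementGroup -GroupName "mg-environments" -DisplayName "Environments"    -ParentId $rootId
$prod    = New-AzManagementGroup -GroupName "mg-prod"         -DisplayName "Production"      -ParentId $envs.Id
$nonprod = New-AzManagementGroup -GroupName "mg-nonprod"      -DisplayName "Non-production"  -ParentId $envs.Id

# A subscription belongs to exactly one management group; this call moves it into Production
New-AzManagementGroupSubscription -GroupName "mg-prod" -SubscriptionId "{subscription-id}"   # placeholder

# Assign the built-in "Audit VMs that do not use managed disks" policy at the Production group.
# Older Az.Resources versions expose the display name under .Properties, newer ones at top level.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.DisplayName, $_.Properties.DisplayName) -contains "Audit VMs that do not use managed disks" }
if (-not $definition) { throw "Built-in definition not found" }
New-AzPolicyAssignment -Name "audit-managed-disks-prod" -PolicyDefinition $definition -Scope $prod.Id

# Show the tree below Environments
Get-AzManagementGroup -GroupName "mg-environments" -Expand -Recurse |
    Select-Object -ExpandProperty Children

# Assignments that apply to the subscription include the one made at mg-prod, because
# Get-AzPolicyAssignment -Scope returns assignments inherited from ancestor scopes as well
Get-AzPolicyAssignment -Scope "/subscriptions/{subscription-id}" | Select-Object Name
```

A newly created management group can take a short while to become usable as a policy scope, so in an automated pipeline a retry around New-AzPolicyAssignment is worth having. Locks and budgets from the earlier sections are then applied per subscription or resource group inside each environment group, completing the Scenario 1 design.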
Scenario 2: Cost Optimization
Situation: Organization wants to control costs and optimize spending across multiple subscriptions.
Solution: Implement comprehensive tagging strategy, set up budgets and alerts, use Azure Advisor recommendations, and implement policies to enforce cost controls.
Scenario 3: Compliance and Security
Situation: Organization needs to meet regulatory compliance requirements and maintain security standards.
Solution: Implement compliance policies, apply resource locks to critical resources, enforce tagging for audit trails, and use management groups for centralized governance.
Best Practices and Recommendations
Governance Best Practices
✅ Recommended Practices:
- Start with Management Groups: Establish hierarchy before implementing policies
- Use Built-in Policies: Leverage Microsoft's built-in policies before creating custom ones
- Implement Tagging Strategy: Consistent tagging across all resources
- Set Up Cost Monitoring: Budgets and alerts for all environments
- Apply Resource Locks: Protect critical production resources
- Regular Reviews: Periodic review of policies and compliance
- Documentation: Document governance decisions and policies
Common Pitfalls to Avoid
⚠️ Common Mistakes:
- Over-restrictive Policies: Policies that block legitimate operations
- Inconsistent Tagging: No standardized tagging strategy
- Missing Cost Controls: No budgets or spending alerts
- Poor Resource Group Design: Resources with different lifecycles in same group
- Inadequate Locks: Not protecting critical resources
- Complex Management Group Structure: Overly complicated hierarchy
Exam Preparation Tips
Key Concepts to Remember
- Azure Policy: Audit, Deny, Modify effects and policy assignments
- Resource Locks: CanNotDelete and ReadOnly lock types
- Tags: Name-value pairs for organization and cost management
- Resource Groups: Lifecycle alignment and access control
- Subscriptions: Billing and access control boundaries
- Cost Management: Budgets, alerts, and Azure Advisor
- Management Groups: Hierarchical organization and policy inheritance
Practice Questions
Sample Exam Questions:
- What is the difference between Audit and Deny policy effects?
- Which PowerShell cmdlet is used to create a resource lock?
- How do you apply tags to multiple resources using PowerShell?
- What is the purpose of management groups in Azure?
- How do you set up cost budgets and alerts?
- What are the benefits of using resource groups?
- How do you move resources between resource groups?
- What is the difference between CanNotDelete and ReadOnly locks?
- How do you get Azure Advisor cost recommendations?
- What is the maximum depth of management group hierarchy?
AZ-104 Success Tip: Azure governance is essential for maintaining control and compliance in cloud environments. Focus on understanding Azure Policy effects and assignments, resource lock types, tagging strategies, resource group design principles, subscription management, cost management tools, and management group hierarchy. Practice with PowerShell commands for all governance operations and understand how these components work together to provide comprehensive cloud governance.
Related Topics
Continue your Azure administration learning journey with these related topics:
- Manage Microsoft Entra ID Users and Groups - Set up the identities that governance policies will apply to
- Manage Access to Azure Resources - Control access alongside governance policies
- Automate Deployment with ARM Templates and Bicep - Deploy resources that comply with governance policies
- Monitor Resources in Azure - Monitor compliance with governance policies
- Configure and Manage Storage Accounts - Apply governance policies to storage resources
- Configure and Manage Virtual Networks - Implement governance for network resources
- Implement Backup and Recovery - Ensure backup policies comply with governance requirements