You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Gauge your current knowledge
Gauge your current knowledge
In Azure, Azure Policy is used to enforce governance rules on resources. It helps ensure that all resources comply with organizational standards by checking for specific configurations during creation or updates. Policies run constantly to catch out-of-compliance resources and can automatically remediate some issues.
You can choose from built-in policy definitions or create custom policies tailored to your needs. Built-in definitions cover common scenarios such as allowed locations, VM sizes, and storage types. Custom policies let you define complex rules using JSON, matching on properties like tags, resource types, or naming conventions.
Policy assignments link a policy definition or initiative to a scope, such as a management group, subscription, or resource group. Initiatives are collections of policies that simplify management and reporting. Assignments inherit down the hierarchy, making it easy to apply consistent rules across many resources.
Resource locks protect Azure resources from accidental changes or deletions. There are two primary lock types: CanNotDelete and ReadOnly. CanNotDelete prevents deletion but still allows updates, while ReadOnly blocks both deletion and modification.
Locks are applied at different scopes, including subscriptions, resource groups, or individual resources. When a lock is in place, users—even with the correct RBAC permissions—cannot perform forbidden actions. This extra layer of protection is ideal for critical resources like production databases or networking components.
If you need to update or delete a locked resource, you must first remove the lock. Azure Portal, CLI, PowerShell, or ARM templates can manage locks. Always document why locks exist so teams understand their purpose and avoid unnecessary troubleshooting.
Tags are name-value pairs that help classify and organize Azure resources. They enable cost tracking, environment identification, and resource grouping beyond the structural hierarchy. Tags make it easier to report on resource usage and allocate budgets accurately.
You can apply tags through the Azure Portal, Azure CLI, PowerShell, or ARM templates during or after resource creation. Common tags include:
Best practices suggest defining a tagging strategy and enforcing it with Azure Policy. This ensures that required tags are present on all resources and minimizes inconsistencies. Well-defined tags improve visibility and simplify automation.
A resource group is a container that holds related Azure resources for a project or workload. It provides a scope for management operations such as deployment, role assignments, and policy enforcement. All resources in a group share the same lifecycle, so deleting the group removes every resource it contains.
When creating resource groups, consider:
You can move resources between groups or subscriptions if needed. However, some resource types have limitations on movement. Regular review of resource groups helps keep the environment tidy and cost-effective.
An Azure subscription is a billing and usage boundary for resources. It defines how resources are charged and provides a scope for RBAC and policies. Each subscription has its own set of limits and quotas for services like VMs, storage, and network resources.
Subscriptions are tied to an Azure Active Directory tenant, allowing you to control who can access and manage resources. You can link multiple subscriptions under a single tenant and organize them with management groups. This structure simplifies permissions and policy application at scale.
Common subscription tasks include creating new subscriptions for separate environments, transferring ownership, and disabling or deleting unused subscriptions. Monitoring usage patterns can help prevent unexpected charges and ensure resources are under the correct subscription.
Azure provides tools to keep spending in check. Budgets let you set spending thresholds, and cost alerts notify you when you approach or exceed these limits. Alerts can trigger email notifications, logic apps, or webhooks to automate cost control actions.
The Azure Advisor service analyzes your environment and offers recommendations to optimize costs, performance, and reliability. For cost savings, Advisor suggests actions like:
Monitoring regularly and acting on these recommendations helps prevent wasteful spending. Combining budgets, alerts, and Advisor insights provides a proactive approach to financial governance.
Management groups provide a hierarchy above subscriptions for applying policies and RBAC at scale. The root management group contains all others and cannot be deleted. Under it, you can create additional groups based on organizational structure, geography, or project type.
Applying policies or role assignments at a management group level automatically inherits down to child groups and subscriptions. This ensures consistent governance and reduces repetitive work. You can also exclude specific subscriptions or groups if needed.
Azure allows up to six levels of management groups, offering flexibility without overcomplicating the hierarchy. Planning your structure upfront is crucial to maintaining clarity and avoiding policy conflicts as the organization grows.
In this section, we explored key governance tools in Azure that help maintain control over resources and spending. We covered how Azure Policy enforces rules, resource locks safeguard critical assets, and tags improve organization and cost tracking. Additionally, we learned about structuring environments with resource groups, subscriptions, and management groups to apply consistent controls.
Cost management features like budgets, alerts, and Azure Advisor recommendations support financial oversight and optimization. Together, these capabilities form a comprehensive governance framework that ensures resources are compliant, secure, and cost-effective in Azure.