Manage Policy, Tags, Locks, and Cost Control for AZ-104
Learn how Azure Policy, tags, locks, management groups, subscriptions, and cost controls fit together for AZ-104 governance scenarios.
Governance questions on AZ-104 are usually about control choice, not product recognition. You need to know whether the situation calls for Azure Policy, a lock, a tag strategy, a different scope boundary, or a cost-management tool.
The control-plane split to remember
Resource groups organize resources. Subscriptions provide billing and broad administrative boundaries. Management groups sit above subscriptions when governance must span multiple subscriptions. Azure Policy evaluates configuration state. Tags add metadata. Locks protect resources from change or deletion. Budgets, cost alerts, and Azure Advisor help you detect spend problems before they become a finance surprise.
What the exam is really asking
Microsoft’s current outline includes policy implementation, resource locks, tags, resource groups, subscriptions, management groups, and costs by using alerts, budgets, and Advisor recommendations. Those objectives all point at one skill: can you choose the smallest governance control that solves the problem without overengineering it?
Common traps
Candidates often use Policy when they really need RBAC, or use locks when they really need Policy. Another frequent miss is assuming tags enforce behavior. Tags classify. Policy enforces. Locks protect. Cost tools surface usage and trend signals, but they do not fix architecture mistakes by themselves.
Lab moves worth practicing
- create a policy assignment at resource group scope
- apply tags consistently and inspect tag inheritance or remediation paths
- add a
CanNotDeletelock and observe the operational impact - create one budget or cost alert and review Advisor recommendations
Control chooser
| Need | Use | Reason |
|---|---|---|
| Restrict allowed regions, SKUs, or required tags | Azure Policy | Policy evaluates and enforces configuration rules |
| Prevent deletion of a production resource | Resource lock | A CanNotDelete lock directly blocks delete operations |
| Classify resources for billing or ownership views | Tags | Tags describe resources but do not enforce behavior by themselves |
| Govern several subscriptions together | Management group | It creates the higher scope boundary |
| Detect overspend early | Budgets, alerts, and Advisor | These tools surface financial signals and optimization guidance |
Quiz
With this chapter complete, move into Storage or use the cheat sheet for a quick governance recap.