Learn how Azure Policy, tags, locks, management groups, subscriptions, and cost controls fit together for AZ-104 governance scenarios.
Governance questions on AZ-104 are usually about control choice, not product recognition. You need to know whether the situation calls for Azure Policy, a lock, a tag strategy, a different scope boundary, or a cost-management tool.
Resource groups organize resources. Subscriptions provide billing and broad administrative boundaries. Management groups sit above subscriptions when governance must span multiple subscriptions. Azure Policy evaluates configuration state. Tags add metadata. Locks protect resources from change or deletion. Budgets, cost alerts, and Azure Advisor help you detect spend problems before they become a finance surprise.
Microsoft’s current outline includes policy implementation, resource locks, tags, resource groups, subscriptions, management groups, and cost management by using alerts, budgets, and Advisor recommendations. Those objectives all point at one skill: can you choose the smallest governance control that solves the problem without overengineering it?
Candidates often use Policy when they really need RBAC, or use locks when they really need Policy. Another frequent miss is assuming tags enforce behavior. Tags classify. Policy enforces. Locks protect. Cost tools surface usage and trend signals, but they do not fix architecture mistakes by themselves.

CanNotDelete lock and observe the operational impact

| Need | Use | Reason |
|---|---|---|
| Restrict allowed regions, SKUs, or required tags | Azure Policy | Policy evaluates and enforces configuration rules |
| Prevent deletion of a production resource | Resource lock | A CanNotDelete lock directly blocks delete operations |
| Classify resources for billing or ownership views | Tags | Tags describe resources but do not enforce behavior by themselves |
| Govern several subscriptions together | Management group | It creates the higher scope boundary |
| Detect overspend early | Budgets, alerts, and Advisor | These tools surface financial signals and optimization guidance |

This is a compact version of the control stack AZ-104 wants you to separate mentally.

```bash
# <sub> and <policy-definition-id> are placeholders; the quotes keep the shell
# from treating < and > as redirection if a command is run before substituting them.

# Assign a built-in policy at subscription scope
az policy assignment create \
  --name allowed-locations \
  --scope "/subscriptions/<sub>" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/<policy-definition-id>"

# Tag a resource for ownership and cost visibility
az tag create \
  --resource-id "/subscriptions/<sub>/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web-01" \
  --tags Environment=Prod Owner=Platform CostCenter=1001

# Prevent accidental deletion
az lock create \
  --name protect-web01 \
  --lock-type CanNotDelete \
  --resource-group app-rg \
  --resource-name web-01 \
  --resource-type Microsoft.Compute/virtualMachines
```

The point is not memorizing every flag. The point is seeing that policy, tags, and locks solve three different governance problems even when they are applied to the same resource.

| Scope boundary | Best use | Common exam mistake |
|---|---|---|
| Resource group | Group resources with a shared lifecycle or app boundary | Treating it as a billing-wide governance scope |
| Subscription | Create a broader administrative and billing boundary | Using it when only one workload needs the control |
| Management group | Apply governance across multiple subscriptions | Forgetting it exists and repeating the same control manually |

This matters because the governance objective explicitly includes resource groups, subscriptions, and management groups. Microsoft is testing whether you know where the control belongs before you choose the control itself.
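
The scope inheritance described above, modeled as an added Python example (not from the original page, and a simplification rather than Azure's evaluation engine): a deny policy assigned at a management group reaches every subscription below it, a `CanNotDelete` lock on a resource group is inherited by its resources, and tags block nothing. The names `corp`, `sub-prod`, `sub-dev`, `dev-rg` and `scratch-vm` are constructed; `app-rg` and `web-01` come from the CLI example.

```python
from dataclasses import dataclass, field

@dataclass
class Scope:
    """One node in the hierarchy: management group > subscription > resource group > resource."""
    name: str
    kind: str
    parent: "Scope | None" = None
    tags: dict = field(default_factory=dict)            # metadata only
    locks: list = field(default_factory=list)           # e.g. ["CanNotDelete"]
    required_tags: list = field(default_factory=list)   # stand-in for a deny policy assigned here

def chain(scope):
    """Return the scope and all of its ancestors, nearest first."""
    out = []
    while scope is not None:
        out.append(scope)
        scope = scope.parent
    return out

def can_delete(resource):
    """Locks are inherited: a CanNotDelete lock anywhere in the chain blocks the delete."""
    for s in chain(resource):
        if "CanNotDelete" in s.locks:
            return False, f"CanNotDelete lock on {s.kind} {s.name}"
    return True, "no lock in scope chain"

def can_create(parent, tags):
    """Policy assignments are inherited: every ancestor's deny rule is evaluated."""
    for s in chain(parent):
        missing = [t for t in s.required_tags if t not in tags]
        if missing:
            return False, f"policy at {s.kind} {s.name} denies, missing tags: {missing}"
    return True, "compliant"

# Constructed hierarchy (all names except app-rg and web-01 are hypothetical).
corp = Scope("corp", "management group", required_tags=["CostCenter"])
sub_prod = Scope("sub-prod", "subscription", parent=corp)
sub_dev = Scope("sub-dev", "subscription", parent=corp)
app_rg = Scope("app-rg", "resource group", parent=sub_prod, locks=["CanNotDelete"])
dev_rg = Scope("dev-rg", "resource group", parent=sub_dev)
web01 = Scope("web-01", "resource", parent=app_rg,
              tags={"Environment": "Prod", "Owner": "Platform", "CostCenter": "1001"})
scratch = Scope("scratch-vm", "resource", parent=dev_rg, tags={"DoNotDelete": "true"})

if __name__ == "__main__":
    print(can_delete(web01))                          # lock inherited from app-rg
    print(can_delete(scratch))                        # a tag does not protect anything
    print(can_create(dev_rg, {"Owner": "Platform"}))  # management-group policy reaches sub-dev
    print(can_create(dev_rg, {"CostCenter": "1001"}))
```
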
With this chapter complete, move into Storage or use the cheat sheet for a quick governance recap.