- What Domain 3 Actually Covers
- Why 30-35% Changes Everything About How You Study
- Cost Management and Governance: The Budget and Policy Layer
- Azure Governance Tools You Must Know Cold
- Monitoring, Compliance, and Resource Management
- How Domain 3 Questions Are Actually Written
- Fitting Domain 3 Into Your Prep Schedule
- Frequently Asked Questions
- Domain 3 carries 30-35% of the AZ-900 exam weight, making it nearly equal in importance to Domain 1.
- Cost Management tools-Pricing Calculator, TCO Calculator, and Cost Management-are extremely high-frequency exam topics.
- Azure Policy, management groups, resource locks, and blueprints are distinct tools with distinct purposes; know the differences.
- The AZ-900 exam requires a 700/1000 scaled score to pass and contains 40-60 questions in 45 minutes of exam time.
What Domain 3 Actually Covers
Domain 3-Describe Azure management and governance-accounts for 30-35% of your AZ-900 exam score. That means roughly one in three questions will test your understanding of how organizations control costs, enforce compliance, monitor resources, and manage Azure at scale. For many candidates who've spent the bulk of their prep time on cloud concepts or architecture, this domain arrives as an unpleasant surprise on exam day.
Before diving in, it helps to see where Domain 3 sits relative to the full exam. As detailed in the AZ-900 Exam Domains 2026: Complete Guide to All 3 Content Areas, Domain 2 carries the heaviest weight at 35-40%, Domain 1 covers cloud concepts at 25-30%, and Domain 3 sits at 30-35%-solidly the second-heaviest section. Neglecting it is one of the most common reasons candidates fall short of the 700-point passing threshold.
At its core, Domain 3 breaks into three interconnected pillars:
- Cost management and pricing - Understanding Azure's pricing models, cost estimation tools, and strategies to control spending
- Governance and compliance - Using Azure Policy, management groups, resource locks, and related tools to enforce organizational rules
- Monitoring and managing resources - Azure Monitor, Service Health, Azure Advisor, and cloud management interfaces
If you've already worked through AZ-900 Domain 2: Describe Azure architecture and services (35-40%) - Complete Study Guide 2026, you'll recognize that Domain 3 is less about what Azure services do and more about how organizations govern, observe, and pay for those services. The perspective shifts from architecture to administration.
Why 30-35% Changes Everything About How You Study
Candidates often make the mistake of treating Domain 3 as a lighter, "soft" section because it doesn't involve technical service architecture. In reality, the governance and pricing material demands precise recall. The difference between a Pricing Calculator and a TCO Calculator, or between a resource lock and an Azure Policy assignment, is exactly the kind of nuance the exam tests.
The good news: Domain 3 is highly learnable. Unlike Domain 2, which requires understanding dozens of individual Azure services, Domain 3 has a smaller, well-defined set of tools. The challenge is understanding what each tool does, who uses it, and when to choose it over an alternative-which is precisely where exam questions live.
For a broader perspective on the exam's difficulty curve and where most candidates lose points, see How Hard Is the AZ-900 Exam? Complete Difficulty Guide 2026.
Cost Management and Governance: The Budget and Policy Layer
Azure Pricing Models
The exam expects you to understand that Azure pricing is consumption-based by default-you pay for what you use. But it goes deeper than that. You need to know the trade-offs between:
Azure Pricing Model Variations
Candidates must distinguish between consumption-based and fixed pricing structures, and understand when each applies.
- Pay-as-you-go - No upfront commitment; highest per-unit cost but maximum flexibility
- Reserved Instances - 1-year or 3-year commitments to specific VM sizes in exchange for significant discounts
- Spot pricing - Access to unused Azure capacity at steep discounts, with the caveat that workloads can be interrupted
- Azure Hybrid Benefit - Allows customers with existing Windows Server or SQL Server licenses to apply those licenses to Azure workloads, reducing costs
The Two Cost Estimation Tools (and Why They Are Not Interchangeable)
This is one of the highest-yield distinctions in the entire domain. The exam will test whether you know which tool serves which purpose:
| Tool | Primary Purpose | Typical User | Output |
|---|---|---|---|
| Azure Pricing Calculator | Estimate the cost of specific Azure services before deploying | Solution architects, developers planning new workloads | Monthly cost estimate based on selected services and configuration |
| Total Cost of Ownership (TCO) Calculator | Compare the cost of running on-premises infrastructure vs. Azure | IT leaders, finance teams evaluating cloud migration | Side-by-side cost comparison showing potential savings over time |
| Azure Cost Management + Billing | Monitor, analyze, and optimize actual spending on live Azure resources | Cloud finance teams, FinOps practitioners | Real-time dashboards, cost alerts, budget enforcement |
The TCO Calculator is a pre-migration business case tool. The Pricing Calculator is a planning tool for estimating Azure-native costs. Cost Management + Billing is a post-deployment operational tool. Mix these up and exam questions will catch you.
Factors That Affect Azure Costs
The exam also tests conceptual understanding of what drives Azure bills. Key factors include resource type, consumption volume, geographic region (prices vary by region), licensing, and data transfer costs-particularly egress (data leaving Azure to the internet or between regions). Network ingress is generally free; egress is not.
Azure Governance Tools You Must Know Cold
The Governance Hierarchy
Azure's governance model is hierarchical. Understanding how management groups, subscriptions, resource groups, and individual resources relate to one another is foundational for this domain.
Azure Management Hierarchy (Top to Bottom)
Policies and access controls applied at higher levels inherit downward through this structure.
- Management Groups - Containers for multiple subscriptions; used by large enterprises to apply governance at scale
- Subscriptions - Billing and administrative boundary; all resources belong to a subscription
- Resource Groups - Logical containers for related resources; resources in a group share a lifecycle
- Resources - Individual Azure services (VMs, storage accounts, databases, etc.)
Azure Policy
Azure Policy enforces organizational rules by evaluating resources against defined conditions. If a resource violates a policy, it can be flagged, prevented from being created, or automatically remediated. A key concept: policies can be grouped into initiatives (also called policy sets) to apply multiple related rules at once. The exam may ask you to identify which tool enforces compliance rules-the answer is Azure Policy, not RBAC, not resource locks.
Role-Based Access Control (RBAC)
RBAC governs who can do what in Azure. It's identity-based authorization. Roles are assigned to users, groups, or service principals at a specific scope (management group, subscription, resource group, or resource). Know the three built-in roles at a conceptual level: Owner (full access including managing access), Contributor (full access minus managing access), and Reader (view only). RBAC controls actions; it doesn't enforce resource configuration compliance-that's Azure Policy's job.
Resource Locks
Resource locks prevent accidental deletion or modification of critical Azure resources. There are exactly two lock types the exam cares about:
- Delete lock - Users can read and modify the resource but cannot delete it
- ReadOnly lock - Users can read the resource but cannot modify or delete it (similar to giving everyone Reader RBAC)
Locks override RBAC. Even an Owner cannot delete a resource protected by a Delete lock without first removing the lock. This is a favorite exam trick.
Microsoft Purview and the Trust Center
Microsoft Purview is Azure's unified data governance solution-it helps organizations discover, classify, and manage data across hybrid and multi-cloud environments. The Microsoft Trust Center is a public-facing resource where organizations can learn about Microsoft's privacy, security, and compliance commitments. The Service Trust Portal provides audit reports, compliance guides, and other documentation relevant to regulated industries. Know the distinction: Trust Center is the public information hub; Purview is the active governance tool you deploy.
Key Takeaway
RBAC answers "who can access this?" - Azure Policy answers "does this resource comply with our rules?" - Resource Locks answer "can this resource be accidentally changed or deleted?" These three tools often appear in the same exam scenario; pick the one that matches the stated problem.
Monitoring, Compliance, and Resource Management
Azure Monitor
Azure Monitor is the central observability platform for Azure. It collects metrics (numerical performance data) and logs (event-based records) from resources and provides alerting, dashboarding, and integration with third-party tools. Key sub-components you'll encounter on the exam:
- Log Analytics - Workspace where log data is stored and queried using Kusto Query Language (KQL)
- Application Insights - Application performance monitoring for live web applications
- Azure Monitor Alerts - Notify teams or trigger automated actions when metrics cross thresholds
Azure Service Health
Service Health is distinct from Azure Monitor. It communicates the status of Azure services and regions, including planned maintenance, service outages, and health advisories. It's the tool to reference when you want to know if Azure itself is experiencing an issue affecting your resources-not whether your application is performing well.
Azure Advisor
Azure Advisor analyzes your deployed resources and provides personalized recommendations across five categories: Cost, Security, Reliability, Operational Excellence, and Performance. It's a passive recommendation engine-it advises but doesn't enforce. The exam often presents Advisor as the correct answer when a scenario involves getting actionable suggestions to reduce costs or improve security posture on existing resources.
Management Interfaces
The AZ-900 exam expects awareness of how administrators interact with Azure:
| Interface | What It Is | Best For |
|---|---|---|
| Azure Portal | Web-based graphical interface at portal.azure.com | Visual management, one-off tasks, exploration |
| Azure CLI | Cross-platform command-line interface | Scripting, automation on Linux/macOS/Windows |
| Azure PowerShell | PowerShell module for Azure management | Automation in Windows/PowerShell environments |
| Azure Cloud Shell | Browser-based shell supporting both CLI and PowerShell | Quick scripting without local installation |
| Azure Arc | Extends Azure management to on-premises and multi-cloud resources | Hybrid and multi-cloud governance at scale |
| Azure Resource Manager (ARM) | Deployment and management layer underlying all Azure interactions | Template-based deployments, consistent resource management |
How Domain 3 Questions Are Actually Written
Microsoft's AZ-900 questions for Domain 3 typically follow a scenario-answer pattern. You'll see a business situation-a company needs to prevent team members from deleting production resources, a finance director wants to estimate savings from migrating servers to Azure, a compliance officer needs to ensure all VMs have a specific tag-and then you choose the Azure tool that addresses that situation.
Common traps in Domain 3 questions:
- Confusing the Pricing Calculator (estimate Azure costs before deployment) with the TCO Calculator (compare on-premises vs. Azure costs)
- Selecting RBAC when the scenario calls for Azure Policy, or vice versa
- Confusing Azure Advisor (recommendations) with Azure Policy (enforcement)
- Missing that resource locks override RBAC permissions
- Mistaking Service Health (Azure platform status) for Azure Monitor (your resource metrics)
Remember: the AZ-900 is a 45-minute exam with 65 minutes of total seat time. Microsoft does not pre-announce exact item types, but interactive components are possible. There is no penalty for guessing, so never leave a question blank. Working through AZ-900 practice tests that replicate the scenario-based format is one of the most effective ways to sharpen this pattern recognition.
For a full breakdown of question types and what the exam experience actually looks like, see Best AZ-900 Practice Questions 2026: What to Expect on the Exam.
Fitting Domain 3 Into Your Prep Schedule
Given the domain weighting, a rational study allocation looks like this:
Domain 1 - Cloud Concepts (25-30%)
- Cloud service models (IaaS, PaaS, SaaS), shared responsibility, cloud deployment models
- Lighter coverage; get the concepts solid before moving forward
Domain 2 - Azure Architecture and Services (35-40%)
- Compute, networking, storage, identity, and security services
- Highest-weight domain; deserves the most dedicated time
- Reference: Domain 2 Complete Study Guide
Domain 3 - Management and Governance (30-35%)
- Days 1-2: Cost management tools (Pricing Calculator, TCO Calculator, Cost Management + Billing, pricing models)
- Days 3-4: Governance tools (RBAC, Azure Policy, management groups, resource locks, Purview)
- Day 5: Monitoring (Azure Monitor, Service Health, Advisor) and management interfaces
- Days 6-7: Full practice exam sets focused on Domain 3 scenarios on az900exam.com
Full Exam Simulation and Review
- Timed full-length practice exams simulating 45-minute constraints
- Target weak domains based on practice test results; Domain 3 confusion points are usually governance tool distinctions
- Schedule through Pearson VUE once consistently scoring above 750 on practice sets
For a complete study plan with resource recommendations, the AZ-900 Study Guide 2026: How to Pass on Your First Attempt covers the full five-week approach in detail, including which Microsoft Learn paths align with which domains.
One practical note for Domain 3 specifically: because the exam is a closed-book proctored assessment with no access to Microsoft Learn, you cannot look up the difference between Azure Policy and RBAC mid-exam. Everything in this domain needs to be internalized, not just familiar. Build your study sessions around recall practice-cover the concept name, try to explain what it does and when you'd use it, then check your answer. This active recall approach is especially effective for the tool-differentiation content that dominates Domain 3.
Wondering about the career impact of passing? The AZ-900 Salary Guide 2026: Complete Earnings Analysis explores how this certification fits into broader career trajectories, and the Is the AZ-900 Certification Worth It? Complete ROI Analysis 2026 examines the return on a $99 exam investment in concrete terms.
Frequently Asked Questions
Domain 3-Describe Azure management and governance-accounts for 30-35% of the AZ-900 exam. With the exam containing 40-60 questions, you can expect roughly 12 to 21 questions directly from this domain. It is the second-heaviest domain after Domain 2 (35-40%).
RBAC (Role-Based Access Control) governs who can perform actions on Azure resources-it controls identity and permissions. Azure Policy governs whether resources comply with organizational rules-it controls resource configuration and can block non-compliant resources from being created regardless of the user's RBAC role. They work together but solve different problems.
The Azure Pricing Calculator estimates the cost of specific Azure services you're planning to deploy-it's a pre-deployment planning tool. The Total Cost of Ownership (TCO) Calculator compares the cost of running workloads on-premises versus in Azure, generating a business case for cloud migration. They serve completely different audiences and purposes.
No. Microsoft Fundamentals certifications, including the AZ-900, do not expire and renewal does not apply. Once you pass, the credential remains valid on your Microsoft Learn transcript permanently. This is one of the unique advantages of Fundamentals-level certifications compared to Microsoft's role-based or specialty certifications, which require annual renewal.
No. Microsoft explicitly states that Microsoft Learn access is not available during Fundamentals exams. The exam is a fully proctored, closed-resource assessment. You must know all Domain 3 content-pricing tools, governance concepts, monitoring services-from memory. There is no penalty for guessing, so always answer every question even if you're uncertain.