Management Groups
Management groups are containers that sit above subscriptions, enabling centralized governance across multiple subscriptions. Policies and Azure RBAC assignments made at a management group scope cascade by inheritance to all child subscriptions, resource groups, and resources.
Key limits and facts:
- A single Microsoft Entra tenant supports up to 10,000 management groups
- A management group tree supports up to six levels of depth (not counting the root level or the subscription level)
- Each management group or subscription can have only one parent
- All management groups and subscriptions fold up into the single tenant root management group
- The root management group cannot be moved or deleted
- New subscriptions are placed under the root management group by default
- The root management group's ID equals the Microsoft Entra tenant ID
Azure Policy
Azure Policy is an Azure service that enforces organizational standards and evaluates resources for compliance. A policy definition contains the rule and the effect to apply; policies are assigned to a scope (management group, subscription, or resource group). An initiative is a policy set that groups multiple policy definitions together for a single assignment, simplifying policy management at scale.
Resource Locks
Resource locks are governance controls that prevent accidental deletion or modification of Azure resources, overriding any user's RBAC permissions: even Owners cannot delete a locked resource without first removing the lock.
| Lock Type | Portal Name | Read | Modify | Delete |
|---|---|---|---|---|
| CanNotDelete | Delete | Yes | Yes | No |
| ReadOnly | Read-only | Yes | No | No |
ReadOnly is the more restrictive lock — equivalent to applying the Reader role to all users. Locks are inherited by all resources within the locked scope (subscription → resource group → resource).
Tags
Tags are name-value pairs (e.g., Environment: Production) applied to Azure resources for organization, billing, and policy enforcement. Tags are NOT inherited by default; a tag on a resource group does not automatically apply to resources within it. Each resource can have up to 50 tags. Use Azure Policy to enforce tag inheritance. Tags enable cost allocation and filtering in Azure Cost Management.
Resource Groups
A resource group is a logical container for Azure resources that share the same lifecycle. All resources in a resource group are deleted when the resource group is deleted. A resource group is associated with a single Azure region for metadata storage, but the resources inside it can span multiple regions.
Resources can be moved between resource groups and subscriptions (with some restrictions).
Subscriptions and Cost Management
Azure Cost Management is Azure's built-in tool to monitor, allocate, and optimize cloud spending via budgets, alerts, and cost analysis.
- Budgets: Set spending thresholds (monthly, quarterly, annually) and trigger alerts when actual or forecast spending reaches a defined percentage. Budget alerts can email stakeholders or trigger an Action Group.
- Azure Advisor: Provides personalized cost optimization recommendations (e.g., resize/deallocate underutilized VMs, purchase reserved instances).
Azure Policy Effects (Evaluation Order)
| Effect | Behavior | Enforces at creation? |
|---|---|---|
| Disabled | Policy rule is not evaluated | No |
| Append | Adds fields (e.g., tags) to a resource request | Modifies request |
| Modify | Adds, replaces, or removes properties/tags on resources | Modifies request |
| Deny | Blocks the resource request; returns HTTP 403 | Yes — prevents creation |
| Audit | Allows creation but marks non-compliant resources in logs | No — observational |
| AuditIfNotExists | Audits if a related (child/extension) resource does not exist | No — observational |
| DeployIfNotExists | Deploys a related resource if it does not exist | No — triggers remediation |
Must Memorize
DeployIfNotExists and Modify require a managed identity on the policy assignment to perform write operations on resources. Without it, these effects cannot take action.
Exam Tip
The recommended starting point is Audit to understand the impact before switching to Deny. This lets you see what would be blocked before blocking it.
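To make the effects table and the Audit-before-Deny tip concrete, here is an added example (not part of the original notes, and not Azure's policy engine): a small Python model that evaluates rules written in the same shape as a policy definition's "policyRule" block against a constructed resource request. The rule, the VM request and the tag name are all constructed for illustration.

```python
from copy import deepcopy

# Simplified model of Azure Policy effect evaluation (constructed, not Azure's engine).
def condition_matches(cond, resource):
    """Evaluate one 'if' condition: field plus exists/equals, as built-in tag policies use."""
    field = cond["field"]
    if field.startswith("tags["):             # tags['Name'] -> look inside the tags dict
        value = resource.get("tags", {}).get(field[6:-2])
    else:
        value = resource.get(field)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(assignment, request):
    """Return (http_status, compliant, resource_as_stored) for a create request,
    following the order on the page: disabled, append, deny, audit."""
    rule = assignment["policyRule"]
    effect = rule["then"]["effect"].lower()
    # Modify and DeployIfNotExists write to resources, so the assignment must
    # carry a managed identity; without one the effect cannot act at all.
    if effect in ("modify", "deployifnotexists") and not assignment.get("identity"):
        raise PermissionError(f"{effect} needs a managed identity on the assignment")
    resource = deepcopy(request)
    if effect == "disabled" or not condition_matches(rule["if"], resource):
        return 201, True, resource
    if effect == "append":                   # add the missing tag to the request
        for d in rule["then"]["details"]:
            resource.setdefault("tags", {})[d["field"][6:-2]] = d["value"]
        return 201, True, resource
    if effect == "deny":
        return 403, False, None              # request blocked, nothing is created
    if effect == "audit":
        return 201, False, resource          # created, but flagged non-compliant
    raise ValueError(f"effect {effect} is not modelled here")

# Constructed rule in the shape of a built-in "require a tag" definition.
REQUIRE_ENV = {"if": {"field": "tags['Environment']", "exists": "false"},
               "then": {"effect": "deny"}}
UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "tags": {}}

def rollout(request):
    """Run the rule as Audit first, then as Deny: Audit shows what Deny would block."""
    audit_rule = {"if": REQUIRE_ENV["if"], "then": {"effect": "audit"}}
    audited = evaluate({"policyRule": audit_rule}, request)
    denied = evaluate({"policyRule": REQUIRE_ENV}, request)
    return audited[:2], denied[:2]            # ((201, False), (403, False)) for an untagged VM
```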
Lock Type Comparison
Exam Trap
ReadOnly lock prevents both modification AND deletion. CanNotDelete allows reads and modifications but only blocks deletion. ReadOnly is more restrictive than CanNotDelete.
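The lock behaviour described in the Resource Locks section and in this exam trap, as an added example that is not part of the original notes and not Azure's authorization engine: a Python model of lock inheritance down the subscription, resource group and resource scopes, with RBAC checked first and the lock overriding it. The subscription, resource group, VM and lock names are constructed.

```python
# Model of how Azure resource locks combine across scopes (constructed for this
# page, not Azure's authorization engine). Locks are inherited down the chain
# subscription -> resource group -> resource and apply regardless of RBAC role.

# Actions each lock type blocks; ReadOnly is the more restrictive of the two.
BLOCKED_BY_LOCK = {"CanNotDelete": {"delete"}, "ReadOnly": {"modify", "delete"}}
WRITE_ROLES = {"Owner", "Contributor"}       # roles whose RBAC allows modify/delete

def scope_chain(resource_id):
    """Return the subscription, resource group and resource scopes of an ARM ID."""
    parts = resource_id.strip("/").split("/")
    return ["/" + "/".join(parts[:end]) for end in sorted({2, 4, len(parts)}) if end <= len(parts)]

def effective_locks(locks, resource_id):
    """Locks applied at the resource itself or inherited from any ancestor scope."""
    chain = set(scope_chain(resource_id))
    return [lock for lock in locks if lock["scope"] in chain]

def authorize(locks, resource_id, action, role):
    """Return (allowed, reason). RBAC is checked first; a lock then overrides it,
    so even an Owner must remove the lock before deleting."""
    if action in ("modify", "delete") and role not in WRITE_ROLES:
        return False, f"{role} lacks RBAC permission to {action}"
    for lock in effective_locks(locks, resource_id):
        if action in BLOCKED_BY_LOCK[lock["level"]]:
            return False, f"{action} blocked by {lock['level']} lock '{lock['name']}' at {lock['scope']}"
    return True, "allowed"

# Constructed sample: one CanNotDelete lock on the resource group, inherited by its VM.
SAMPLE_LOCKS = [{"scope": "/subscriptions/sub-1/resourceGroups/rg-prod",
                 "name": "no-delete", "level": "CanNotDelete"}]
SAMPLE_VM = ("/subscriptions/sub-1/resourceGroups/rg-prod"
             "/providers/Microsoft.Compute/virtualMachines/vm1")

def delete_as_owner(locks=SAMPLE_LOCKS, resource_id=SAMPLE_VM):
    """Owner attempts a delete: blocked while a lock applies, allowed once removed."""
    before = authorize(locks, resource_id, "delete", "Owner")
    inherited = effective_locks(locks, resource_id)
    unlocked = [lock for lock in locks if lock not in inherited]
    after = authorize(unlocked, resource_id, "delete", "Owner")
    return before[0], after[0]                # (False, True)
```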
Management Group Depth
Must Memorize
Management group hierarchy supports up to six levels of depth, NOT counting the root management group or subscription level. The common wrong answer on the exam is "10 levels."
Budget Alerts — What They Do and Don't Do
Exam Trap
Budget alerts notify stakeholders (email or Action Group) — they do NOT automatically stop, restrict, or lock resources unless an automation action (e.g., runbook) is explicitly configured in the Action Group.
Tag Inheritance
Tags are not inherited by default. A tag on a resource group does NOT automatically apply to resources within it. Use Azure Policy (e.g., the built-in "Inherit a tag from the resource group" initiative) to propagate tags.
Create and Assign an Azure Policy
- Azure portal → Policy → Definitions → browse or search for a built-in policy
- Click the policy → Assign policy
- Set the Scope (management group, subscription, or resource group)
- Configure Parameters (if any) and set the Effect override if parameterized
- Click Review + create → Create
- Check compliance at Policy → Compliance
Configure a Resource Lock
- Azure portal → navigate to the Resource, Resource Group, or Subscription
- Click Settings → Locks in the left menu
- Click + Add, enter a Lock name
- Select Lock type: Delete (CanNotDelete) or Read-only (ReadOnly)
- Click OK
Apply Tags to a Resource Group
- Azure portal → Resource groups → select the resource group
- Click Tags in the left menu (or in the Overview blade header)
- Enter tag Name and Value pairs (e.g., Environment/Production)
- Click Apply
Create a Budget with Alert
- Azure portal → Cost Management + Billing → Cost Management → Budgets
- Click + Add, set Scope (subscription or resource group)
- Enter Budget name, Reset period, Creation date, Expiration date, and Budget amount
- Click Next: Alerts → set Alert conditions (% of budget or absolute amount)
- Add Alert recipients (email) or link an Action group for automated response
- Click Create
View Azure Advisor Cost Recommendations
- Azure portal → Advisor → Cost tab
- Review recommendations (e.g., "Shut down or resize underutilized virtual machines")
- Click a recommendation to see affected resources and potential savings
- Click Implement or dismiss the recommendation
Create a Management Group
- Azure portal → Management groups → + Create
- Enter Management group ID (immutable after creation) and Display name
- Click Submit
- Move subscriptions or child management groups into the new group using drag-and-drop or the Move option
AZ-104 Exam Focus
Exam Trap
"A resource owner can delete a locked resource if they have Owner role." → Resource locks override RBAC permissions. Even an Owner must remove the lock first, then delete the resource.
Exam Trap
"ReadOnly lock prevents deletion only." → ReadOnly lock prevents both modification and deletion. CanNotDelete allows reads and modifications but blocks deletion only.
Exam Trap
"Tags on a resource group automatically apply to all resources inside it." → Tags are not inherited by default. You must use Azure Policy to propagate tags.
Exam Trap
"Azure Policy Deny effect marks resources as non-compliant but allows them to be created." → Deny blocks the request entirely and returns HTTP 403. Only Audit allows creation while marking as non-compliant.
Exam Trap
"DeployIfNotExists requires no special permissions on the policy assignment." → DeployIfNotExists (and Modify) require a managed identity on the policy assignment with sufficient permissions to create or update the target resources.
Exam Trap
"Management group hierarchy supports up to 10 levels of depth." → The limit is six levels of depth, not counting the root management group or subscription level.
Exam Trap
"A budget alert automatically stops resources when the threshold is exceeded." → Budget alerts notify stakeholders (email or Action Group); they do not automatically stop or restrict resources unless an automation action is explicitly configured.
Q: How many levels of depth does an Azure management group hierarchy support (excluding root and subscription levels)?
Q: Which Azure Policy effect blocks resource creation and returns HTTP 403?
Q: What must be done before a resource Owner can delete a resource with a CanNotDelete lock?
Q: What is the difference between CanNotDelete and ReadOnly locks?
Q: Do tags on a resource group automatically apply to resources inside it?
Q: Which Azure Policy effects require a managed identity on the policy assignment?