Azure Virtual Machine Scale Set Duration and Cool Down Explained

Reading Time: 7 minutes

When configuring an Azure Virtual Machine Scale Set (VMSS), there is an option to configure auto scaling rules. Auto scaling is the process of dynamically allocating resources to match performance requirements. As the volume of work grows, an application may need additional resources to maintain the desired performance levels and satisfy service level agreements (SLAs). As demand reduces and the additional resources are no longer needed, they can be automatically removed to minimise costs.

As part of the auto scale configuration inside a Azure Virtual Machine Scale Set, we can set a duration and a cool down period. In this post, I will focus on explaining the differences between both options based on a couple of scenarios.

Want to learn more about scaling in Azure?
If you wish to learn more about Azure VM Scale Sets, visit the following Microsoft Learn link, Azure Virtual Machine Scale Sets Overview.

In addition to Azure VM Scale Sets, you can also configure scaling rules for a number of other Azure services such as Azure App Service Plans. When configuring scaling rules for Azure App Service Plans, you can also set up auto scaling based on metrics such as CPU usage, memory usage, HTTP queue length and more. Basically, the App Service Plan includes a built in VM Scale Set.

For auto scaling best practices and to learn more about the different services in Azure which include built in scaling, visit the following Microsoft Learn link Autoscaling guidance – Best practices for cloud applications.

Note: it is important that you plan and configure your scaling rules correctly to avoid performance issues, unnecessary scaling and costs due to an incorrect configuration. The metrics used in this post are for demo purposes only.

Duration in Azure VM Scale Set

Duration is the time the VM Scale Set will look back at metrics before making a decision to scale.

For example, in the scaling rule below, I have configured

  • If CPU Percentage = greater than 85%
  • for a DURATION of 10 minutes
  • Increase the Instance/VM (Virtual Machine) count by 1

So for this condition to trigger, CPU must be continuously greater than 85% for a duration of 10 minutes. The VM Scale Set will look back at CPU utilisation for the past 10 minutes and if CPU was constantly greater than 85%, it would add another instance/VM.

Below is a screenshot of an Azure VM Scale Set rule. I have used a green arrow to highlight the DURATION field.

Cool down in Azure VM Scale Set

The cool down period comes into effect after a scale-in (remove VM instance) or a scale-out (Add VM instance) event is triggered. For example, if I set a COOL DOWN period of 10 minutes, this instructs the scale set to not scale again for another 10 minutes. You’re simply asking the scale set to take a break within the cool down period to allow the VM Scale Set to stabilise and check whether the additional VM instance has made a difference to the CPU utilisation.

I have used a blue arrow to highlight the COOL DOWN field in the image below.

Let’s take a look at what the above scale rule configuration looks like on a diagram.

In the diagram below we start with 1 VM in our scale set.

1. At 3pm CPU for VM1 goes above the threshold of 85%, and constantly remains above the threshold for a duration of 10 minutes (until 3.10pm).

2. At 3.10pm the scale set looks back at the last 10 minutes from 3.10pm and 3.00pm, and because the duration of CPU was constantly above 85%, the scale set adds another VM, totaling two VM’s in our scale set.

3. At 3.10pm, the cool down period also kicks in and no further scaling operations take place. However, the cool down down period does not pause time or stop the collection of metrics under the hood. As you can see from the diagram above, adding another VM at 3.10pm makes a difference to the CPU as it normalises between 50% and 60% utilisation, but the metrics will still be analysed and collected. The cool down period is only requesting for the VM scale set to pause temporarily and to not add (Scale-out) or remove (Scale-in) any further VM’s in the configured cool down time of 10 minutes.

4. The addition of one additional VM has stabilized the VM Scale Set and operations resume as normal. CPU is averaging between 50% to 60%.

5. At 3.40pm, CPU utilisation increases and is above 85% for a duration of 10 minutes. At 3.50pm, the VM Scale Set looks back at the duration of 10 minutes and makes a decision to add another VM.

That’s how duration and cool down periods perform. I hope this helped you understand the differences.

Now that we understand the differences between duration and cooldown in an Azure VM Scale Set (VMSS), let’s move onto another scenario.

What if after the second VM was added, CPU did not stablise and constantly remained over 85%. Would the VM Scale Set add another VM straight after the cooldown period, or would it wait another duration of 10 minutes before making a decision to add another VM?

Firstly, if you come across a scenario where after the VMSS adds an additional VM, and it does not make a difference, for example CPU had not dropped below 85%, you should consider investigating and possibly reconfiguring your VM Scale Set rule.

However, because we’re learning, we want to know what would happen in this scenario, right? Ok, another diagram below to explain.

To test this scenario, I deployed a new Virtual Machine Scale Set and configured a VM Scale Set rule as follows,

  • If CPU Percentage = greater than 0.1% (Yes, a silly number, but it’s for testing purposes only!)
  • for a DURATION of 10 minutes
  • Increase the VM (Virtual Machine) count by 1
  • COOL DOWN period of 10 minutes

The diagram above shows that I start with 1 Virtual Machine at 3pm. Because of the silly CPU threshold of 0.1% the condition is met instantly and the VM Scale Set looks back at the last 10 minutes (duration) from 3pm and 3.10pm and adds another VM Instance. A cooldown of 10 minutes is triggered to pause any further scaling operations whilst the VM scale set is stablising. However, as you can see from the diagram above, metrics are still being monitored and recorded under the hood. The additional VM has not made a difference as CPU utilisation is still greater than 0.1%.

At 3.20pm, the cooldown period of 10 minutes has expired.

But what happens now?

CPU has constantly been greater than 0.1% throughout the cooldown period and the additional VM has not made a difference. What would happen after the cool down period?

Is another scale operation triggered and a third VM/Instance is added shortly after the COOL DOWN period at point A 3.20PM shown in the diagram below? or does the VM scale set analyse metrics for another 10 minutes of DURATION before adding another VM at point B 3.30pm below?

Another VM is added after the cooldown period at around 3.20pm. The VM Scale Set takes into account the last 10 minutes and metrics included in the cooldown period. Remember, the cooldown period only temporarily pauses scaling operations, but under the hood the time and metrics are still being analysed and recorded.

Below are the scaling logs from my testing,

Let’s zoom in and focus on the time stamp column showing the times the VM Scale Set added a new VM/Instance. Image below.

According to the time stamps above,

  • at 9.07am a VM Scale operation was triggered to add another VM/Instance. Why? Because CPU was greater than 0.1% for a DURATION of 10 minutes. The VM Scale set looked back at the duration from approx 8.57am – 9.07am.

  • when the scale-out triggered, a COOL DOWN period of 10 minutes was also initiated to allow the deployment of the new VM and CPU to stabilise.

  • the 10 minute COOL DOWN period ended at around 9.17am. However, another scale operation was initiated after the COOL DOWN period ended. The VM Scale set did not wait for another 10 minute duration.

  • because I had a CPU threshold of 0.1% set, the VM Scale Set never stablised and was continuously scaling by adding another VM after the cooldown period of 10 minutes.

    What do we learn from this? When the VM Scale Set looks back at the duration, it will include the cool down time and metrics to make a decision if another scale operation is required.

Note: don’t forget to configure a scale-in rule so the scale set can scale-in (remove VM’s) as CPU levels reduce in less busy times. The VM scale set will only add VM’s (Scale-out) but won’t know how to remove VM’s when no longer needed (Scale-In). In my demo, having a CPU threshold of 0.1% would never allow the VM scale set to scale in. Plan and configure your VM Scale Sets as per your requirement.

and that’s it for now. I hope you found this post useful. Any feedback, please free to comment below.

See you at the next post.

Azure Route Tables Explained

Reading Time: 16 minutes

In this post, I discuss the differences between Azure default routes and user defined routes (UDR), including the configuration options available when creating a user defined route.

When we create Virtual Networks in Azure, the Azure platform automatically creates a route table for each subnet located inside a Virtual Network. To simplify, a route table is like a set of instructions. For example, a Virtual Machine asks the route table for directions. “Hello Route table, how do I get to this destination?”. The route table provides the Virtual Machine with the next hop, such as, if you wish to get to this destination, this is how you get there.

The default route table automatically created by Azure includes a number of default system routes. These system routes can not be modified or deleted, however, you can override the routes by creating custom routes, also known as User Defined Routes (UDR’s). These are routes created by the user, as in you, and can be modified and deleted as needed. I’ll cover UDR’s later in this post.

Note: This post is intended to provide a basic understanding of route tables. It is important to carefully plan your routing in your production environment, as incorrect routing configuration could lead to major issues.

How to view the Azure system default routes

One of the ways to view the default routes automatically created by Azure is as follows,

1. Locate a Virtual Machine in the Azure Portal
2. From the left pane, under settings, click Networking.

3. Click the network interface located under the IP configuration drop down menu as shown below.

4. From the left pane, scroll down and click Effective Routes, located under the Help section.

Allow a few seconds for the route table to load. We’ll study the default routes in the next section.

What is visible inside the Route Table

We see a number of active default routes, I have taken a small snippet and displayed it below.

The routes in the diagram are as follows.

Source: Default
These are default routes created by Azure and can not be modified or deleted.

State: Active
The state of the route. In the image above, active, meaning the route is enabled.

Address Prefixes: and Next Hop of Virtual Network
The address space used for my Virtual Network is That’s the IP address name space I configured when I created the Virtual Network. When I configured this address space, Azure automatically created a default route. You may have heard or read that resources inside an Azure VNET (Virtual Network) including resources in different subnets within a VNET can communicate with each other by default. This is the default route which allows that communication to happen.

For example, the below image displays one Virtual Network named VNET1. The VNET (Virtual Network) includes Subnet1 and Subnet 2. Each Subnet includes one Virtual Machine (VM1 and VM2). By default VM1 and VM2 can communicate with each other inside VNET1. If we were to deploy additional Virtual Machines to Subnet1 or Subnet2, all VM’s would be able to communicate with each other. This is the default behavior made possible by this default route.

Address Prefixes: and Next Hop of Internet
When we build a new Virtual Machine (VM) in Azure, did you know that the Virtual Machine has outbound internet connectivity enabled by default? Meaning that I could logon to that Virtual Machine and browse the internet such as and other websites. How? This is the default route which allows outbound Internet. This is like a catch all route, so if a route is not already located in the route table, Azure will route traffic for any address not specified by an address range within a Virtual Network to the Internet. In simple terms, “if a route does not exist, send it to Internet via”. However, there is one important exception to note, if the destination is for one of Azure’s services, Azure routes the traffic directly to the service over Azure’s private backbone network, rather than routing the traffic to the Internet.

You may be thinking, “resources have outbound internet connectivity by default. Is this secure?”. If you have had this thought, it’s good to know that you have security in mind, and you’re right, this is not secure by default. However, this default behavior is due to change in September 2025. Check out the following post for details, Default outbound access for VMs in Azure will be retired September 2025.

Next Hop: None
Traffic destined to these address prefixes is dropped, it goes no where and will not leave the subnet. For example, when I created my VNET, I used an address space of and we can see a default route for that in the route table above. I did not configure any other IP address name spaces such as or or, therefore Azure creates a default route to drop this traffic. Why? because I am not using these private IP ranges. However, if at a later date, I do decide to use one of these IP ranges in my VNET, Azure will automatically amend the next hop of none, to Virtual Networking. So none refers to not allowing traffic destined for that address prefix out of the subnet.

So that is an overview of the default routes, however, there is something to keep in mind. As you enable additional services such as VNET Peering and Virtual Network Gateway to name a couple, Azure will continue to create default system routes. For example, If I was to peer two Virtual Networks, VNET1 to VNET2. Let’s say VNET1 is located in the region UK South and VNET2 in region UK West. I have a requirement to connect the Virtual Networks together to allow resources in VNET1 to communicate with resources in VNET2. Peering would allow me to connect the Virtual Networks and the Azure platform will create a new default route automatically to allow resources to communicate with each other between the Virtual Networks. Below is a route which is created by Azure after I peer to another VNET configured with an IP address name space of This address space belongs to the VNET I established a peer with meaning resources in VNET1 know how to get to resources in the peered Virtual Network of VNET2.

What if we want to override a default route or create additional routes?

We know that the default routes can not be deleted or modified. However, we can create custom routes also known as a User Defined Route (UDR) to override the default routes.

When we create custom/user defined routes, they are combined with the default system routes. However, if there are conflicting route assignments, user defined routes override the default routes. For example, we have a default system route of with next hop to the Internet. This means traffic from a server is allowed to access the internet outbound. We decide to override this route because we want to route our traffic to a Firewall instead of being allowed unrestricted access to the Internet. We could create a custom route of with a next hop of Virtual Appliance, and specify a firewall IP address. We now have a conflict because we have two routes with One route to the Internet and one to a Firewall. In this case the default system route would change from active to invalid, and the custom route sending traffic to the firewall will take priority and display a status of active. As show in the image below.

We will discuss custom/user defined routes including next hop choices in the next sections.

Azure Custom/User Defined Routes Explained

As explained earlier in this post, we can create custom/user defined routes to override the default system routes or create new routes in addition to the default routes. Let’s dig a little deeper.

Let’s say in our scenario we deploy a simple hub spoke topology as shown in the diagram below.

We know that by default VM1 and VM2 are allowed outbound internet connectivity. Can you remember which default route allows this routing to take place? Remember the default system route with next hop of Internet? That’s the one. We also know that Virtual Machines in a VNET can communicate by default, so in VNET1 shown in the image above, VM1 and VM2 both residing in different subnets can communicate with each other. Can you remember which default system route allows this communication to happen within a Virtual Network? We discussed this further up in this post. I’ll let you go and check. 🙂

Creating a custom route table to route traffic to a Firewall
What if there was a requirement to override the default system route of allowing Virtual Machines to route out to the Internet using the default route of and next hop Internet. As an example, let’s say in the diagram below, we wanted to route traffic for VM1 located in VNET1 to a firewall deployed in HubVNet. How would we do this? We would go into the Azure Portal, create a route table and add a custom/user defined route. We’ll cover how to do this in the next section below.

Note: you could also use other methods to deploy resources in Azure such as Powershell, CLI, ARM Templates, Azure Bicep or third party tools such as Terraform. I am focusing on deploying via the Azure Portal in this post.

Let’s go through the process of creating a route table and custom routes.

1. In the Azure Portal, search for Route tables

2. Click Route tables to create a new one
3. Input the details as required. I have inputted a few details below for demo purposes.

Propagate gateway routes: If you plan to associate the route table to a subnet in a virtual network that’s connected to your on premises network through a Virtual Network Gateway, and you don’t want to propagate your on premises routes to the network interfaces in the subnet, set Virtual Network Gateway route propagation to No.

When you disable route propagation, the system doesn’t add routes to the route table of all subnets with your Virtual Network Gateway routes. This process applies to both static routes and BGP (Border Gateway Protocol) routes. Connectivity with VPN connections is achieved using custom routes with a next hop type of Virtual Network Gateway. Route propagation shouldn’t be disabled on the GatewaySubnet. The gateway will not function with this setting disabled. If you set Propagate gateway routes to NO and associate the route table to the spoke subnets, the VMs in those subnets do not get the Virtual Network Gateway routes.

4. Click Review + Create
5. Once created, open the newly created Route Table. It will be an empty table without any routes.
6. Let’s create a User Defined Route. From the left pane, click Routes

7. Click the +Add button

8. We have a few options as shown in the image below.

In the next section we will go through these user defined route configuration options.

Azure User Defined Route configuration options explained

Route name: give the route a suitable name.

Destination Type:

We have two options available in the drop down as shown above. We have,

IP Addresses (Address prefixes)
Here you type the destination IP address range. Where is the resource such as the Virtual Machine wanting to go? For example, in the image below, resources in VNET1/Subnet1 are required to communicate with resources located in VNET2/SubnetA. We would specify the address space of VNET2/SubnetA as, along with some additional configuration we cover later in this post. For now let’s focus on the text highlighted red in the diagram below, destination

Why do we need to create a route for VM1 to communicate with VM3 through HubVNET?
VNET peering is non-transitive by default, which means that traffic from VNET1 won’t be able to reach a resource in VNET2 through a VNET in the middle. As shown in the diagram below.

Another example which may help to understand non-transitive. We have three letters A B C. Non-transitive in this example would mean that A and B can talk to each other. B and C can talk to each other. However if A wanted to talk to C or C wanted to talk to A, they could not go through B to reach each other. The same applies with VNET peering. We would need to create a user defined/custom route for this communicate between VNET1 and VNET2 to be possible as per the diagram below.

Service Tag:
From the destination type drop down, we have another option of Service Tag. A service tag includes a group of IP addresses from an Azure service. Microsoft manages the addresses included in the service tag and automatically updates the service tag as addresses change. Therefore, minimising the complexity of frequent updates to user defined routes and reducing the number of routes you need to create. In simple terms, a service tag is a group of IP addresses managed by Microsoft. If new IP’s are added or decommissioned, Microsoft manage this process so we don’t have to. If there was a requirement for you to route traffic to an Azure Service, you wouldn’t need to specify the IP ranges for that service as you could use a built in managed service tag which already includes all the required IP addresses.

Next hop type
The next hop type determines the type of device that traffic is forwarded to when it matches the address prefix/destination type of the route. For example, if the resource wants to reach a specific Virtual Machine in another Virtual Network, how does it get there? Firstly the destination is matched and then the traffic is forwarded to the next hop type such as a Firewall.

Let’s go through the options in the Next hop type drop down list.

Next hop: Virtual Network Gateway

You’ll notice that when you click Virtual Network Gateway, the option to type a Next hop address is greyed out. This is by design. Going off topic slightly but still related, when we configure peering between Virtual networks, there are configuration options available which we must configure if we require for the VNETs to use an Azure Virtual Network Gateway. I won’t be going into details on VNET peering, but I have created a post explaining VNET peering configuration at the following link Azure Virtual Network Peering Options Explained.

Back to next hop of Virtual Network Gateway, to allow for this to work we need to configure two settings.

1. Configure VNET peering options as documented in the link I shared above.
2. Create a User Defined Route

But why use Virtual Network Gateway as a next hop? you may need to route traffic from a VNET to on premises through a Virtual Network Gateway. You may already be aware that one of the use cases of a Virtual Network Gateway is to connect your Azure environment to on-premises. Or you could use a Virtual Network Gateway to forward traffic from one VNET to another in a hub spoke topology. Example, a Virtual machine in VNET1 needs to communicate with a Virtual Machine in VNET 2 via a VNETHub. A Gateway located in the VNETHub could be used as a forwarder to route traffic from VNET1 to VNET2.

Next hop: Internet

Next hop of Internet is one we came across earlier. There was a default route of with a next hop of Internet.  If you don’t override this route, Azure routes all traffic destined to IP addresses not included in the address prefix of any other route, to the Internet. You may wish to route the traffic to Network Virtual Appliance such as a Firewall or an inspection/logging appliance.

However, if needed, you can specify Internet as a next hop when you want to explicitly route traffic destined to an address prefix directly out to the Internet, or if you want traffic destined for Azure services with public IP addresses kept within the Azure backbone network. As explained earlier in this post, if traffic is destined for Azure services with public IP addresses, that traffic is kept within the Azure private backbone network and does not route out to the Internet.

Next hop: Virtual Appliance
A virtual appliance is a Virtual Machine that typically runs a network application, such as a firewall. You can use a next hop of Virtual Appliance also known as a Network Virtual Appliance (NVA) to route traffic to an Azure Firewall, Cisco Firewall, Palo Alto Firewall, Traffic Inspection Appliance, and more. Azure supports a number of third party appliances available from the Azure Market Place. You can also access the market place from the Azure portal at

For example, as per the image below, we have a route table associated with VNET1/Subnet1 with a destination of which belongs to VNET2. We have a HubVNet between both Virtual Networks. We know that VNET peering is non-transitive so we associate a route table to VNET1/Subnet1 instructing resources that if there is a requirement to communicate with resources in VNET2/SubnetA, the next hop is a virtual appliance. The virtual appliance in this case is an Azure Firewall located in HubVNet.

Next hop: None

Specify none when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination. None also represents a black hole. Packets forwarded to a black hole will not be forwarded at all. You will also notice a number of default routes with a next hop of none. This is because Azure creates system default routes for reserved address prefixes with None as the next hop type. If you decide to add another address prefix in your Virtual Network in future, Azure will amend the default route from none to Virtual Network. In the image below the option to specify a next hop address is greyed out as we’re dropping the traffic, it’s going no where, so we don’t need to specify an address.

Next hop: Virtual Network

We came across next hop of Virtual Network earlier. Can you remember where? It was a default system route created automatically which allows resources to communicate with each other inside a Virtual Network. We also have the option available when creating a User Defined Route with the Next hop address greyed out, as shown in the image below.

A question you may have, if there is already a system route which allows resources to communicate inside a Virtual Network, why would you want to create a user defined route with next hop of Virtual Network?

The default route we visited earlier allows all traffic within the IP address name space of to communicate with each other. Azure automatically added this route for all subnets within the VNET, so if I created three subnets in my VNET, all subnets will include a default route with next hop to Virtual Network of For example, I have the subnets below configured in VNET1,


According to the default route shown in the image below, all resources inside the three Subnets above can communicate with each other within VNET1. This means that traffic sent to any address between and would be routed within the Virtual Network. If I created additional Subnets in future, they would automatically be allowed to communicate with resources in Subnet1, Subnet2 and Subnet3.

But this does not answer why we would want to create a user defined route with next hop of Virtual Network. Let’s move onto a scenario with a possible use case.


1. We have a requirement to force all traffic from to a Network Virtual Appliance (NVA) for inspection and logging purposes. We must override the default route of next hop of Virtual Network. The virtual appliance is located in the same VNET, but in a different subnet. You may be thinking, we could add a route as follows, destination with next hop of the IP address of the Virtual appliance.

Correct, but let’s add a little twist to this scenario,

2. Traffic destined for addresses between and ( remains within SubnetA, rather than being routed to the virtual appliance, because there is no requirement for inspecting or logging the traffic. So the aim here is that if machines within SubnetA communicate with each other within the subnet, there is no requirement to route this traffic to a Virtual Appliance.

The diagram below sums up the above scenario. Traffic from SubnetC needs to be routed to the NVA located in SubnetB for packet inspection/logging. Traffic between VM1 and VM2 inside SubnetA is not routed to the NVA, however, if VM1 or VM2 need to communicate outside of SubnetA, such as communicating with VM3 or VM4 in SubnetC, then that traffic needs to be routed to the NVA first.

How would you accomplish this?

First, we create a User Defined Route with a destination of and next hop of virtual appliance as shown in the image below. This route would override the default system route of with next hop of Virtual Network.

Below is an image showing what the routes would look like once we apply the route table to SubnetA. As you can see the default route has become invalid and all traffic for now routes through an Network Virtual Appliance which has an IP address of

This routes all traffic inside the Virtual network to a Network Virtual appliance.

However, we have one more requirement. We don’t require traffic communicating inside Subnet A (between Virtual Machines) to be routed to the NVA. But, according to the route we created earlier, all traffic from all subnets will be routed to the NVA.

To resolve scenario 2, we create another route as shown in the image below. The image shows a User Defined Route with destination of (SubnetA) and next hop Virtual Network.

This is what the route table looks like now,

We now have two active routes. Traffic for the address prefix is routed to the Virtual Appliance. Traffic for the address prefix (SubnetA) keeps traffic within the Subnet.

So which user defined route will apply first as both meet the criteria? It’s the one with the longer prefix, in this case CIDR notation has a longer prefix and takes priority when traffic is destined for IP’s in the range of – which belongs to SubnetA.

When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: One route specifies the address prefix, while the other route specifies the address prefix. Azure directs traffic destined for to the next hop type specified in the route with the address prefix. This process occurs because is a longer prefix than, even though falls within both address prefixes.

So what if there was an IP of Azure directs traffic destined for to the next hop type specified in the route with the address prefix. This process occurs because isn’t included in the address prefix, making the route with the address prefix the longest matching prefix.

If you wish to learn more about longest prefix matching, the following article explains the process in detail. Longest Prefix Match Routing (I am not affiliated with this company).

How to associate a route table to a subnet
Once you have created a route table with your user defined routes, you can attach a route table to a subnet. A route table can be associated to zero or more subnets. Route tables aren’t associated to Virtual Networks. You must associate a route table to each subnet you want the route table associated to.

To associate a route table with a subnet,

1. Search and click Route tables

2. Click the route table you want to associate to a subnet

3. From the left pane, under Settings, click subnets.

4. Click Associate

5. Locate the Subnet and and click OK

and that’s it. I hope you found the post useful.

See you at the next one

Differences between Azure Policy Exclusions, Exemptions and Overrides

Reading Time: 6 minutes

In this blog post I will describe the differences between Azure Policy exclusions, exemptions and overrides.

If you missed out on my previous post on Azure policy inheritance you can find the article at the following link Azure Policy Inheritance explained

Let’s get started and understand the differences and use cases for each.

Azure Policy Exclusions
Azure Policy allows organisations to enforce rules and compliance across resources in Azure. Compliance status is visible within the Azure Policy overview page which provides a single pane of glass view of resources which are compliant or non-compliant in their environments. However, there are requirements where organisations may not want Azure Policy to scan all resources. One of the features of Azure Policy is the ability to exclude certain resources from an Azure policy assignment. This is known as Azure Policy Exclusions. Let’s continue to a couple of examples below where we could use Azure Policy Exclusions.

Your organisation has a policy that audits all storage accounts to ensure the replication for disaster recovery purposes is set to geo-redundant replication.

However, there is one subscription that contains storage accounts used for development and testing purposes that do not need to be scanned by this policy. In this case, you can create a policy assignment that applies to all subscriptions, and exclude the subscription containing the development and testing storage accounts. This way, the policy will apply to all storage accounts except for those in the excluded subscription. Furthermore, those storage accounts from the excluded subscription will not appear on the Azure Policy overview page as non-compliant.

Another Example
Your organisation has a policy that requires all virtual machines to be deployed in a specific region for compliance reasons. However, there is one resource group that contains virtual machines used for disaster recovery purposes that need to be deployed in a different region. In this case, you can create a policy assignment that applies to all subscriptions and resource groups, and exclude the resource group containing the disaster recovery virtual machines. This way, the policy will apply to all virtual machines except for those in the excluded resource group.

Where is the exclude option?

When assigning an initiative/definition the option to exclude appears below the field named scope as shown in the image below.

Let’s move on to Azure Policy Exemptions in the next section below.

Azure Policy Exemptions
The Azure Policy exemptions feature is used to exempt a resource hierarchy or resources from being evaluated. Resources that are exempt are not evaluated because there may be a time bound waiver with an expiration date applied by an engineer. A benefit of exemptions is that they are audited, including the reason why an engineer created an exemption, the name of the engineer, and time the exemption was created. All exemptions can be tracked in the Azure Policy portal. Let’s continue to a use case of an exemption below.

Let’s say we are applying the built-in definition “Storage accounts should disable public network access” with an effect set to audit. We find that the compliance assessment shows that a storage account named “imransstorageaccount” is found to be non-compliant, but it must have public network access enabled for business purposes. How do we get around this non-compliant resource? We can create an exemption and type a reason why “imransstorageaccount” was exempted. Once the exemption is created, “imransstorageaccount” will be shown as exempt in compliance view in Azure Policy.

Note: It is important to regularly review your exemptions to ensure that all eligible items are appropriately exempted and to promptly remove any that no longer qualify for exemption.

Where is the exemption option?
1. Access Azure Policy and click Assignments under the section Authoring. As shown in the image below.

2. Click the ellipsis icon (the three dots) by the policy assignment you wish to exclude and click create exemption,

3. Once the exemption window launches you can select an exemption category of Waiver, for example if you are due to delete/decommission the resource. The second option is mitigated, where you may have resolved the non-compliance issue via a different method. Providing a reason why a resource is exempted allows for the reason to be audited.

You can also apply an exemption expiration date.

The policy exemption isn’t deleted when the expiry date is reached. The object is preserved for record keeping, but the exemption is no longer honored and Azure Policy will scan the resource again and mark it as compliant or non-compliant.

Exemption history can be viewed by clicking Exemptions located under the section Authoring. As shown in the image below.

So what is the difference between Azure Policy exclusions and exemptions?

1. Exemptions can be time bound, for example, exempt for 1 month and then start scanning and reporting on the compliant status again.
2. Exemptions are audited so it is possible to check why a policy was temporary or permanently exempt.
3. Exemptions are configured after the resource has been scanned and appears as non-compliant. We can then create an exemption for the non-compliant resource if required.
4. Azure Policy Exclusions are different. When we create an exclusion, Policy does not scan the excluded scope or mark it as compliant or non-compliant because it is ignored. Exclusions can not be configured to be temporary/time bound with an expiration date.

Azure Policy Overrides (In preview at the time of writing)
Overrides is a feature which offers a capability different to exclusions and exemptions. The overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition and in turn reducing the management overhead. Let me give you examples of use cases below.

You have assigned an initiative which includes/groups together a number of single definitions. Let’s say that one or more of the definitions inside your initiative has an effect of audit, however you wish to change the policy effect to deny. Azure policy override allows you to override the effect from audit to deny so that you don’t have to recreate azure polices or change the effect parameter within the policy template/JSON code. I could simply override an existing effect of deny to audit by editing the existing assigned policy and adding an override of change effect from audit to deny. I can add and remove overrides when needed.

Another example
I have a policy initiative named Security that includes several policy definitions, such as RestrictVMSize and RequireSQLDatabaseAuditing. The default effect of these policy definitions is audit. However, I now want to change the effect of these policy definitions to deny without modifying the underlying policy definitions or amending the parameter effect in the policy definitions template.

To achieve this, I can use Azure Policy overrides to change the effect of the policy definitions to deny. I can create an override for each policy definition and set the effect to deny. If needed, I can remove the override at a later date which will revert the effect back to the original effect of audit without me having to change the JSON file.

Where is the override option?
An override can be applied to a policy at the time of policy assignment or by editing an existing assignment.

1. Click Assignments under the section Authoring.

2. By the assignment name, click the ellipsis icon (…) and click edit assignment.

3. Click the advanced tab

4. Click Add override

5. Click override value and change the effect.

6. In my case, I have a policy which does not allow resources to be deployed to any region apart from UK South. My policy effect is currently set to deny. For demo purposes, I am going to add an override with an effect of audit. Click Add to apply the override and then click review and save.

Now the policy will not deny when resources are built outside of the UK South region but audit only and mark them as non-compliant. I can remove or edit the override when needed. Note an override was added to this policy for demo purposes only. Plan your overrides accordingly.

That’s it. I hope you found the post useful

See you at the next one

Azure Policy Inheritance explained

Reading Time: 7 minutes

In this blog post I will explain how Azure Policy inheritance works using different scenarios/demos. If you are not aware of what Azure Policy is, click the following Microsoft Learn link to learn more, Overview of Azure Policy.

When we assign Azure Policies in our Azure environments we have the option to scope a policy at different levels including Management Groups, Subscriptions and Resource Groups as shown in the image below. The diagram below shows that we can apply Azure Policies at three levels, Management Groups, Subscriptions and Resource Groups.

Like RBAC (Role Based Access Control) permissions, policies also inherit from top down in the Azure Hierarchy. So if I scoped/assigned a policy at the Management Group level, that policy would inherit down to subscription, resource group and the three resources in my diagram, Virtual Machine 1 (VM1), Virtual Machine 2 (VM2) and Virtual Machine 3 (VM3). I have used virtual machines in my example, but this could be any type of Azure resource.

If I was to assign a policy at the Management Group scope allowing engineers in my organisation to deploy Virtual Machines to the Azure UK South region only, that policy would inherit down to the subscription and resource group. Therefore, my engineers would not be able to deploy Virtual Machines to any other region apart from the UK South region in the existing subscription and resources group, and any new subscriptions or resource groups deployed under my Management group in future as the policy would automatically apply.

Let’s go through a few commonly asked questions,

Question 1:
If you apply a policy to the Management group which only allows resources to be deployed in the UK South Region, and that policy is inherited by subscription and resource group, what would we expect to happen if I deployed a new Virtual Machine called VM4 to a different region such as as East US into the resource group?

The deployment would be prevented by the policy and the engineer would not be allowed to deploy to the East US region because the policy scoped to the management group is being enforced. As shown in the image below. I have tried deploying VM4 to the East US region and been denied due to the policy applied at the Management Group level which has inherited all the way down, by design.

Question 2:
In the example above, you tried deploying to resource group named ResourceGroup1 and the policy denied you from trying to build a new VM4 in region East US. What if you create a new resource group name ResourceGroup2 and try deploying VM4 to East US or any other region inside the newly created resource group?

It will be denied, why? because the policy applied to the Management Group applies to all new resource groups under that Management Group. The new resource group ResourceGroup2 inherits the policy from above. Again, the below image shows the policy preventing VM4 from being deployed in East US in a new resource group named ResourceGroup2.

Question 3:
What about the resources (VM1, VM2 and VM3) which were deployed and already exist in Resource Group1 as shown in the diagram below. What would happen if VM1 was located in UK South and VM2 and VM3 were located outside of the UK South region, before you applied the policy? what would happen to existing resources that are already there?

If the three resources, in my case three existing virtual machines VM2 and VM3 were deployed outside of the UK South region and VM1 was deployed in UK South region, then Azure Policy would display VM1 as compliant for being deployed in UK South, and the other two VM2 and VM3 as non-compliant. The Azure policy overview page would report this.

Question 4:
What would happen if you created another policy and assigned at the resource group level, but the new policy assigned to the resource group allowed deployment to East US region only, so denying UK South? You now have one policy applied to the Management Group which allows deployments to UK South region only (inherited down), and a new policy assigned to the resource group which only allows deployments to East US. Which one policy would win? as show in the image below.

I leave the existing policy assigned to the management group, allowing resources to be deployed in UK South only. I have created a new policy and assigned to the resource group which only allows resources to be deployed to East US region. We now have conflicting policies.

The images below show that I have applied a policy to ResourceGroup1, allowing resources to be deployed inside that resource group but to East US region only.

What was the result?

1. Was I able to deploy a new virtual machine called VM4 in ResourceGroup1 in the UK South Region? No, denied as per the image below.

2. Was I able to deploy a new virtual machine called VM4 in ResourceGroup1 in the East US region? No, denied as per the image below.

Are you confused? 🙂

Are you thinking, I thought that adding a policy to ResourceGroup1 directly would override the Policy assigned to the Management Group level and allow me to build resources in East US region?

Or maybe you are thinking the opposite, that the policy assigned at the management group level would still take precedence/priority and allow a resource to be deployed to UK South but not East US.

Or maybe you’re thinking that it would be possible to build resources in ResourceGroup1 in both UK South and East US regions.

Or may be you knew what the result was going to be, in this case, I am not allowed to deploy to any of the regions.

Or you were thinking something else. In that case, please do drop a comment towards the end of this post to let us know.

Why was I not allowed to deploy to any of the regions
This is because both polices are applying together and a deny takes precedence/priority. In this case, both policies are denying. The policy at the management level denies/restricts deployments to East US as it only allows deployments to UK South. The policy at the resource group level denies/restricts deployments to UK South region as it only allows deployments to East US. The most restrictive/deny policy will take effect, in this case both of them are restricting/denying deployments, therefore both policies apply and deny access. As per the diagram below,

Question 5
What would happen if you apply two policies but the same configuration to both Management Group and resource group. So allow deployments to UK South only scoped to the Management Group and allow deployments to UK South region only at the resource group? as per the image below.

You would be allowed to deploy to the UK South region as both policies are allowing at Management Group and Resource Group. In my case I removed the parameter of EAST US region at resource group level and added UK South. You may need to wait up to 30 minutes before new changes take effect.

The result, there was no error/warning when I selected UK South, as shown in the image below.

Question 6
Could you exclude policies from being applied to certain resources? For example, VM1, VM2, VM3 which already exist in a resource group, or if I want to apply a policy but I want to exclude certain resources from the policy. Is this possible?

Yes, you can exclude a subscription, resource group or specific resources so a Azure policy does not apply. There is an exclusions option.

There are also other options available such as exemptions and overrides. For more information on Azure Policy Exclusions, Exemptions , visit my post Differences between Azure Policy Exclusions, Exemptions and Overrides

Question 7
The built in ‘allowed locations’ policy you used is denying you to deploy resources in the regions not specified in the Policy. Is there a deny setting somewhere that you have to enable?

The policy I used already is configured to deny, known as an effect. We can check this by accessing the JSON (Java Script Object Notation) code which is what the policy is using under the hood.

1. Go to Azure Policy
2. Click Assignments from the left pane under the section Authoring
3. Click the three dots … as shown in the image below

4. Click view definition (This will display the JSON code used under the hood, it is how the policy is compiled)
5. Scroll down to “effect”:

You can’t change the effect of a default/built in policy, the option to edit or delete built in policies/initiatives are greyed out. However, you can duplicate an existing definition, give it a new name and amend as required.

A list of effects and explanations which can be used in Azure policies are documented at the following Microsoft Learn page, Understand how effects work – Azure Policy

I hope you found the post useful.

See you at the next post.

Taking a Microsoft Exam from home

Reading Time: 13 minutes

I always booked and took my Microsoft exams from a test centre until the Covid Pandemic halted most of the world. That’s when I discovered that there was also an option to take the exam online from home and since then I have always preferred this option. Taking the exam from the comfort of your own home. It sounds convenient right? It is, but there are a few important points that you should be aware of.

In this post I will post the process of booking an online exam and what you need to watch out for if you don’t want to be warned/disqualified by the moderator. I will share real life stories from my own experience taking exams from home and also from people who have shared their stories with me.

Exam booking process

For the purpose of this post, let’s assume that I am booking to take the AZ-204 Developing Solutions for Microsoft Azure exam from home.

  1. Visit the AZ-204 certification page at Exam AZ-204: Developing Solutions for Microsoft Azure – Certifications. For other exams you could type the exam code into search, for example AZ-104 or AZ-700 and click the certification page.

  2. Scroll down until you reach the schedule exam section. Click the drop down to select your country and click the orange button labelled Schedule exam, as per the image below.

3. Sign in. I use my personal

Why use your personal and not work email address? Because you may leave your existing employer at a later date and the certifications you pass would be linked to your employer provided email address. To avoid the hassle, I always use my personal email address.

4. Ensure your profile details are correct and click next

5. If you are entitled to any exam discounts, they will appear here. For example if you’re a MCT (Microsoft Technical Trainer) you receive 75% discount on the exam. If you’re a Microsoft Employee, a 100% discount is available.

You may be thinking, how does one become a Microsoft Technical Trainer? Click the following link to find out more, How to become a Microsoft Technical Trainer.

There is also an option to check for another discount. For example, If you have attended a Microsoft course or a different Microsoft online event you may be entitled to a 50% exam discount, enter your email address in the field labelled check for another discount. This would be the email address you used to register for the course or online event. Click the button, check discounts to find out if there are any discounts available to you.

When ready, click Next

6. Click Schedule with Pearson VUE

7. Click the option Online with OnVUE to take the exam from home.

There is also the option to take the exam from your nearest test centre if you prefer not to take the exam from home.

8. You’ll find a few tips/checks that you should perform or will require prior to taking the exam, let’s go through each one.

Your computer

It is important that you test your laptop/desktop to ensure it passes the system test. This test will check your device microphone, speakers and webcam. It will then allow you to download a test exam simulation to ensure the exam software will load on your device. Ensure that you perform another test prior to taking the exam on the scheduled day and you use the same device.

Individuals have experienced issues with sitting the exam from company laptops due to being locked down which can block the exam from launching. It is important you test your device.

Click Run system test which will take you through the required checks.

If you wish to check whether your device or operating systems meets the minimum requirements for the exam, click minimum technical requirements.

9. Your testing space

  • Select an empty desk where you will place your laptop or desktop only
  • You can only have a single monitor so if you have several monitors on your desk, you won’t be allowed to use them and they should not be visible on the desk.
  • Remove all objects from the desk apart from your mobile phone. Your mobile phone needs to be placed at arms length on the table so it can be reached in the event of an emergency. For example, the moderator is unable to get in touch with you through your laptop or there has been a power cut.
  • Ensure that no one is in the room. You must be alone
  • Ensure that no one talks to you or calls your name whilst you’re taking the exam
  • The exam will be recorded and the moderator will be watching you for the duration of the exam. Ensure you don’t leave the view of your web cam and do not look around suspiciously
  • If you have a habit of whispering questions to yourself as you read, don’t. It is not allowed and you will be warned by the moderator.
  • Do not place your hand over your mouth, for example, if you have a habit of placing your hand on your chin whilst concentrating, don’t. You will be told off and if you continue, you could be disqualified and the exam will end.
  • If possible, use a personal computer rather than an employer issued computer, as the company provided device may have additional security settings that can interfere with the exam.
  • Ensure your internet connection is reliable. Pearson VUE recommend a wired internet connection and to disconnect from VPN. However, I have taken many exams from home via a wireless connection without issues.
  • Ensure the area where you are taking the exam is well lit. The moderator won’t allow you to take the exam from a dark room with no lights.

True stories:
– An individual was disqualified because his dog was continuously barking. Ensure the room you are in is quiet.

– I have come across people who take the exam from the bathroom. I personally would not do this, however there are people who prefer taking exams from the bathroom. You could be in there for 3 hours so ensure you have a spare bathroom or else you may upset family members if they require access to the bathroom! Will a moderator allow you to take your exam from the bathroom? Yes and no. I have come across people complaining that they were allowed to take the exam from the bathroom and then when taking another exam in future, were told it was not allowed by the moderator.

– Individuals have been asked to remove posters from the wall so if you have posters on the wall or a whiteboard with text, you may be asked to remove those by the moderator.

– I was once warned by the moderator because I was whispering/reading the question to myself. I have learnt from that mistake since and not read questions back to myself whilst in an exam.

10. Your photo ID

On the day of the exam, you will require photo ID. One of the following will do, such as a Passport, Driver’s license, Identification card (national or local), Non-US Military ID (including spouse and dependents) or a Registration card (green card, permanent residence, visa). For an up to date list, click the admission & ID policies link as shown in the image below. I will discuss how you will need to present/upload the photo ID later in this post.

11. What to expect

The short video link available under the What to expect section shown in the image below will guide you through what to expect if you were to visit a test centre to take the exam and additional video demonstrating what to expect when taking the exam online from home.

12. Click the next button

13. Select your preferred language for the exam

If the exam is not available in your native language and you need to take it in a different language, you may request additional time to read and answer the questions. If you take the exam with Pearson VUE, you can use the English as a Second Language (ESL) form.

14. Read and accept the provided agreements and click next

15. Read and agree to online exam and Microsoft Policies. Tick the boxes to accept if you agree. There are a few to accept/tick as you scroll down the page. The information is useful as it provides a reminder of what you need to know and do before the exam.

16. When ready, click the agree button. Visible as you scroll to the bottom of the page

17. What language do you prefer the proctor/moderator speaks. English or Japanese. The moderator will be doing very little or no talking at all. Click Next

18. Confirm your time zone. My time zone is UK (automatically detected) so I will accept and click Yes, that’s right!

19. Select a date and time. Click Explore more times for a list of different times if available.

An advantage of taking the exam from home is that you have access to different times 7 days a week. I prefer to take the exam when everyone in the house has gone to bed, or early morning.

20. When you have decided on the time you wish to take the exam, click Book this appointment

21. Review the information to ensure you are happy. Such as have you selected the correct exam, date, time and so on.

Important: Ensure that your name matches the identification (ID) that is presented at the test center or when you take the exam from home, or you will not be permitted to take your exam.

22. When ready, click Proceed to Checkout to make payment unless you were entitled to a 100% discount earlier, you will be able to complete the process without payment.

That’s it. The exam is booked!

What next, prepare for the exam.

If you have never taken a Microsoft exam before and want to know what to expect. Here is a Microsoft provided exam sandbox demo

Exam day is here

23. You have approached the date of the exam. What does the process look like when checking in for an online exam from home.

Recommended prior to check in

  • Power up your device, close down any apps, such as messaging apps, Microsoft Teams, Skype and so on.
  • Ensure the device is not scheduled to reboot, for example, after windows updates installation
  • Perform a system test to ensure your microphone, speaker, webcam and the test exam software launches. A link to test will be available to you in your email from Pearson VUE. You will be given the opportunity to test your system when you go through the check in process below. I prefer to test my device before so I have enough time to troubleshoot and resolve any issues.

    Check-in process
  • You will be able to check into the exam 30 minutes before the exam start time, no earlier. A link to check in will be available to you via an email or you can login to the Pearson VUE website. For example, if the exam is scheduled for 11.15am, you will be able to check in at 10.45am. Ensure you check in at the start time.
  • As part of the check in process, you will have the opportunity to test your system again, to ensure your microphone, speakers and web cam work. Also, you will be prompted to end any applications/processes running on the system which may prevent the exam software to launch. You will need to close down.
  • You will need to upload your photo (a selfie). On screen you will be presented with a few options to retrieve the upload link, such as scanning a QR code from your mobile, accessing a provided website address or requesting a text with the link to your phone. I usually request for a text message to my phone. Open the provided link and upload your selfie.
  • Take a picture of your photo ID and click upload using the same link provided by Pearson VUE.
  • Next, you will be asked to upload four photos of your surrounding area where you will be sitting to take the exam. A photo of what is in front of your laptop, the back, the left and the right of your laptop. You will upload each photo one at a time.
  • The information uploaded will be verified and the session will start to record. Do not leave your laptop from this point.
  • A moderator will come online at the exam start date, in this case 11.15am and may introduce themselves, a quick hello and ask that you are ready for the exam. The moderator may ask you to show them your surroundings by moving your webcam around the room. Note that in some cases, the moderator does not speak and the exam software will launch. There may also be times when the moderator does not activate the exam at the specified time. I have experienced an exam where the exam launched 15 minutes late, so hang in there and be patient. You may also experience times where the exam starts straight after the check in process, for example, if the exam was scheduled 11.15am and you had uploaded your photos by 11am, the moderator could start the exam at 11am which I prefer instead of waiting. If you’re concerned, use the live chat to contact the moderator but do not leave your laptop.

24. When the exam starts, you will be asked to agree to a few terms and conditions and the exam software will launch on your device in full screen. You should be able to see yourself via the webcam towards the top of the page and a record icon to show that the session is being recorded.

Note: if the exam software does not launch, use the live chat facility to let the moderator know. I once experienced this issue and was waiting for 20-30 minutes after the start time wondering why the exam had not loaded until I used the live chat to contact the moderator. I was to asked to exit the exam and rejoin as the exam software had failed to launch for some reason. The second attempt worked.

Ensure that,

  • you do not leave the laptop and remain in view of the web cam
  • you do not speak to anyone
  • no one walks past or speaks to you
  • there is no background noise
  • you do not whisper questions to yourself
  • you do not cover your mouth
  • you do not look around suspiciously

Reminder: If you have never taken a Microsoft exam before and want to know what to expect. Here is a Microsoft provided exam sandbox demo


A few announcements you may not be aware of if you have not sat a Microsoft exam for some time.

  • Microsoft Learn accessible in the exam (excluding fundamentals exams) announced 22nd August 2023

    You have the option to launch the Microsoft Learn website in the exam so you can double check if you can’t recall the correct answer. A Microsoft Learn icon will be visible in your exam which can be launched into a split screen. More info at the following link Introducing a new resource for all role-based Microsoft Certification exam

    Note: If you do use the Microsoft Learn option be careful when closing it down after use. Do not accidentally exit from the complete exam. If you do come cross this situation where you exit from the whole exam in error, enter the exam again and contact the moderator/proctor.

  • Exam expiration and renewals – announced 15th December 2020

    Exams previously expired after 2 years and you would need to take the exam again to renew for a further two years. The renewal process would involve the same process as in being moderated with the same rules, as if you were taking the exam for the first time. As of December 2020, the exam expiry date was changed from 2 years to 1 year, however the exam can be renewed via the Microsoft Learn website. The renewal is free, a shorter exam, not moderated, no need to clear your desk and is open book. If you fail the exam you can retake the exam as long as you don’t let it expire, so ensure that you don’t renew the exam with a few days spare until expiration. I renew the exams ASAP or at least 2 months before the expiration date. For example, if I receive an email from Microsoft informing me that my exam is due to expire in 6 months and I renew/pass the exam at that point with 6 months remaining until expiration, Microsoft will add the 6 months to my renewal, meaning the next renewal would be in 1 year and 6 months. More info at Microsoft Certification Renewal

  • Free official Microsoft test questions
    Microsoft have launched free practice test questions for a number of certifications. A list of the available practice assessments are available at the following link, Practice Assessments for Microsoft Certifications. There were 39 available at the time of writing and Microsoft continue to add more for other certifications.

  • Microsoft Applied Skills Credentialsannounced October 2023 (Currently Free)
    A new verifiable credential that validates that you have the targeted skills needed to implement critical projects aligned to business goals and objectives. These are free open book Microsoft verified credentials which are currently free and target a specific skill set, for example, securing Azure storage or Azure networking. These are 100% lab/task based where you are presented with a lab machine in which you will be asked to perform a number of tasks in 2 hours. Upon completion, your assessment will be marked within 60 seconds and you will be presented with a verified certificate which you can share with your network on LinkedIn. At the time of writing this post there were 14 Applied Skills assessments available at Browse Credentials | Microsoft Learn

    Announcement page at: Announcing Microsoft Applied Skills, the new credentials to verify in-demand technical skills

  • What is the Microsoft exam retake policy?
    If you don’t pass the exam the first time, you must wait 24 hours before retaking it.

    You may not take a given exam more than five (5) times within a 12 month period from the first attempt. If you failed the exam 5 times, you’ll be eligible to retake it again 12 months from the date of your first attempt.

    You must pay to retake the exam (if applicable)

    I would recommend you visit the following Microsoft link for up to date information on exam policies, exam policies and FAQs

I hope you found this post useful. If you have any questions please feel free to post them below.

All the best in your learning journey.