AZ-900 Azure Fundamentals: Your First Cloud and AI Certification

AZ-900 validates that you can speak the language of cloud and Azure. On the exam, that means you can explain the benefits of cloud computing (elasticity, scalability, reliability, agility), distinguish service types (IaaS vs PaaS vs SaaS), and identify cloud models (public, private, hybrid) and key concepts like shared responsibility. It also checks that you recognize core Azure building blocks: regions/region pairs, availability zones, subscriptions, resource groups, and the idea that Azure services are organized and governed.

Who is it for? This is intentionally broad: students, business stakeholders, sales/marketing, project managers, and aspiring technical roles. If you’re technical, your advantage is speed—your risk is overthinking. AZ-900 rarely rewards “architect-level nuance.” Instead, it rewards selecting the most direct match to the concept being tested, such as identifying when PaaS reduces management overhead, or when governance tools like Azure Policy enforce standards.

Common trap: assuming you need to know exact feature parity between similar services. For example, the exam typically tests “what category of service is this?” or “what problem does it solve?” rather than deep configuration steps. Another trap is mixing up responsibilities: in SaaS you manage far less than in IaaS; in all models, Microsoft secures the cloud infrastructure, while you secure your data, identities, and configurations.

• Core exam outcomes you’re building toward: cloud concepts; Azure architecture/services (compute, networking, storage, identity/security, AI-capable services at fundamentals); and management/governance (cost tools, policy, compliance, resource organization).
• Study mindset: aim for clear definitions plus quick scenario mapping (“Given this need, which service type or control fits?”).

Exam Tip: When two answers both seem true, pick the one that best aligns to the exam’s level: broad purpose and primary benefit, not edge-case behavior.

Registration is straightforward but policy mistakes can derail your attempt. Schedule through Microsoft’s certification dashboard, then choose an authorized delivery provider. You’ll select either an online proctored exam (from home/office) or a test center. Both are valid; pick the format that best reduces risk for you.

For test centers, the environment is controlled and usually less stressful if you don’t have a quiet space. For online proctoring, you need a stable internet connection, a compatible system, and a clear desk/room that meets rules. Expect identity checks: your name must match your government-issued ID, and you may be asked to show the room, your wrists/ears, and remove extra devices.

Policy-related traps are common for first-timers: arriving late, having a mismatch between registration name and ID, using prohibited items (notes, second monitors), or having interruptions (people walking in, phone vibrations). Online sessions can be revoked for reasons that feel minor, so plan carefully.

• Online delivery: test your system early, use a wired connection if possible, and fully close background apps that may trigger flags.
• Test center delivery: verify location, parking, arrival time, and what lockers are provided.
• ID requirements: bring the correct ID(s) and ensure your profile name matches exactly.

Exam Tip: If you choose online proctoring, do a “room rehearsal” the day before: clear your desk, remove papers, unplug extra monitors, and confirm your camera angle. Many candidates lose time (or the attempt) due to avoidable compliance issues.

AZ-900 uses a scaled scoring model. You will receive a score report that indicates pass/fail and often breaks performance into objective areas. Don’t fixate on raw percentages because the exam is not simply “X questions correct = pass.” Different question sets may vary in difficulty, and scaled scoring normalizes results.

Your practical takeaway is to manage risk: build breadth before depth. Since the objectives span cloud concepts, core Azure services, identity/security/AI-capable services at a fundamentals level, and management/governance, neglecting one domain can sink you even if you’re strong elsewhere. Use your results to identify weak areas and focus remediation where it matters most.

Plan your retake strategy proactively. If you don’t pass, your next attempt should not be “do more random practice.” Instead: (1) map missed topics to objectives, (2) re-learn from authoritative content (Microsoft Learn), (3) rebuild recall using flashcards and brief notes, and (4) re-test with timed sets to address pacing and distractor elimination. The goal is to convert uncertainty into fast recognition.

Also understand that “confidence” can be misleading: many AZ-900 questions are written so that two choices are partly correct, but only one is the best answer. Retake preparation should therefore include learning how Microsoft frames “best fit” answers at the fundamentals level.

Exam Tip: Use your score report as a diagnostic, not a judgment. A small deficit in one area often indicates missing vocabulary (e.g., governance tools, pricing concepts, or security principles) rather than needing hands-on labs.

Microsoft Learn should be your primary source because it aligns directly to the exam’s intent and terminology. Your job is to turn Learn modules into an objective-mapped checklist. Start by listing the major domains and subtopics (cloud concepts; Azure architecture/services including compute, networking, storage, identity/security/AI; and management/governance). Then map each Learn module you complete to one or more objectives, marking your confidence level (high/medium/low).

Build two plans: a 2-week sprint and a 4-week steady plan. In the 2-week plan, prioritize coverage and daily review: you want to see every objective at least once, then reinforce weak points with targeted repetition. In the 4-week plan, you can add more spaced repetition cycles and a deeper pass through tricky governance and identity/security content.

• 2-week plan (high intensity): Days 1–4 cloud concepts and core services; Days 5–8 architecture/services including identity/security/AI-capable fundamentals; Days 9–11 management/governance and cost tools; Days 12–14 full review, timed practice, and remediation by objective.
• 4-week plan (lower intensity): Week 1 cloud concepts; Week 2 core Azure services; Week 3 identity/security/AI-capable services + governance; Week 4 consolidation, remediation, and timed practice.

Include a baseline diagnostic early in your plan. Do not treat it as a grade. The point is to discover which objective areas you misread or don’t recognize quickly. Then, update your Learn mapping to emphasize those weak areas in your next study cycle.

Exam Tip: When reviewing Learn, extract “decision rules” into your notes (e.g., “Policy enforces; RBAC authorizes; Blueprints/initiatives organize at scale; consumption-based pricing aligns to OPEX”). Decision rules are what the exam rewards.

AZ-900 commonly uses multiple-choice questions (single answer and multiple answers), matching/drag-and-drop, and short scenario sets (often called caselets). Your performance depends as much on reading discipline as on knowledge. Each format has predictable traps.

For MCQ, the main trap is “true but not best.” Microsoft often provides two plausible services: one that works and one that is purpose-built for the requirement. Anchor on keywords: “managed,” “serverless,” “global,” “identity,” “governance,” “cost,” “compliance,” and “high availability.” Another trap is mixing scope: management groups vs subscriptions vs resource groups—be clear which level is being asked.

For drag-and-drop/matching, the trap is partial mapping. The items are designed so every option looks reusable. Slow down, map one item at a time, and re-check for duplicates. Expect pairings like cloud service model definitions, responsibility boundaries, or governance tool purposes.

For caselets, time management matters. Don’t memorize every detail; instead, identify constraints and requirements. Ask: What is the user trying to achieve—reduce management overhead, increase resilience, control access, or manage cost? Then pick the Azure concept that directly answers that.

• Reading technique: underline mental keywords, and restate the question in your own words before looking at options.
• Elimination: remove options that are correct in general but irrelevant to the stated requirement or scope.

Exam Tip: In caselets, don’t “solve the whole architecture.” The exam is usually testing one objective at a time—such as selecting a governance control, a service type, or a cloud benefit.

Your workflow should convert reading into recall, and recall into speed. Start with compact notes: one page per domain, focusing on definitions, “best for” statements, and common confusions (IaaS vs PaaS; RBAC vs Policy; regions vs availability zones; subscription vs resource group). Then convert those notes into flashcards that test recognition, not essay responses.

Use spaced repetition to avoid the common AZ-900 failure mode: understanding content during study but forgetting details under time pressure. A simple schedule works: review new flashcards the same day, again in 2 days, again in 5–7 days, and again in 14 days. Each review should be fast; if a card is hard, it stays in the frequent-review pile.

Integrate diagnostics without turning them into constant exam simulation. Early on, use diagnostics to identify weak objectives; later, use timed practice to develop pacing and distractor elimination. Track misses by objective category and by mistake type: “didn’t know,” “misread,” or “overthought.” Overthinking is especially common for experienced IT candidates who bring real-world complexity into a fundamentals question.

• Daily routine (15–45 minutes): Learn module + 10–20 flashcards + 5-minute recap notes.
• Weekly routine: objective-mapped review, focusing on your bottom two areas from diagnostics.
• Pre-exam routine: light review of decision rules, rest, and environment prep (especially for online proctoring).

Exam Tip: Your notes should sound like answer choices. If your flashcard prompt is “What is Azure Policy?” your response should match the exam’s framing: “a service to create, assign, and manage policies to enforce rules and assess compliance of resources.” This alignment reduces hesitation on test day.

Cloud computing is the delivery of computing services (compute, storage, networking, databases, analytics, AI services, and more) over the internet with rapid provisioning and pay-as-you-go pricing. For AZ-900, focus on what makes cloud “cloud”: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Questions often describe these traits without naming them directly.

The shared responsibility model is a favorite exam objective because it separates what the cloud provider manages from what the customer must still secure and configure. In general, the provider is responsible for “security of the cloud” (physical datacenters, physical network, physical hosts). The customer is responsible for “security in the cloud” (identities, data, access policies, and configuration). The exact boundary shifts based on service type: IaaS gives you more control (and more responsibility), while SaaS gives you the least control (and least responsibility).

• Always customer: data classification, user access, MFA decisions, and what you upload/store.
• Usually provider: physical security, power/cooling, hardware lifecycle, core platform availability.
• Varies by service type: OS patching, runtime updates, and middleware configuration.

Common trap: Thinking the cloud provider automatically secures your data. The provider secures the underlying infrastructure, but you still must configure access properly (for example, who can read a storage account, how keys are rotated, and whether public access is allowed).

Exam Tip: If the scenario mentions “we don’t want to manage patching” or “reduce administrative overhead,” lean toward PaaS/SaaS. If it mentions “must install custom OS software” or “need full control of the OS,” lean toward IaaS.

Cloud models describe where cloud resources run and who owns/operates the environment. The AZ-900 exam tests that you can identify the best model for a scenario rather than memorize definitions in isolation.

Public cloud (like Azure) is owned and operated by a cloud provider and delivered over the internet to multiple customers using shared infrastructure with isolation. This is the default choice for speed, scalability, and reduced capital expense. It fits scenarios like a startup needing global reach quickly or a team needing to experiment with AI services without building datacenters.

Private cloud is used by a single organization. It may be hosted on-premises or by a third party, but the key is dedicated use. It fits scenarios with strict control requirements, legacy workloads, or specialized compliance needs—though many compliance frameworks can also be met in public cloud when configured properly.

Hybrid cloud combines public and private environments with data and application portability. A classic scenario is “keep sensitive data on-premises but use cloud compute for burst capacity” or “gradually migrate while maintaining existing systems.”

Multi-cloud uses multiple public cloud providers. It may be driven by vendor risk management, regional availability needs, or product feature differences. Multi-cloud is not the same as hybrid: hybrid includes private + public; multi-cloud is multiple publics.

Common trap: Selecting multi-cloud when the scenario only describes “some on-premises and some Azure.” That is hybrid, not multi-cloud.

Exam Tip: Watch for keywords: “on-premises + cloud together” implies hybrid; “two different public providers” implies multi-cloud; “fully provider-hosted” implies public; “single-tenant dedicated” implies private.

Service types describe what level of the technology stack you manage. AZ-900 questions often present a requirement like “developers need a database without managing patching” or “we must install a custom agent,” and you must pick IaaS, PaaS, or SaaS accordingly.

IaaS (Infrastructure as a Service) provides virtualized compute, storage, and networking. You manage the OS, updates, and installed software, plus configuration and data. Typical examples include virtual machines and virtual networks. Choose IaaS when you need OS control, lift-and-shift migrations, or specialized software requirements.

PaaS (Platform as a Service) provides managed runtime environments and platform components. You focus on your application and data while the provider handles much of the underlying maintenance (OS, platform patching, scaling features depending on the service). Typical examples include managed web app hosting and managed databases.

SaaS (Software as a Service) is a complete application delivered over the internet. You manage users and data within the app, but you do not manage the platform or OS. Typical examples include email, collaboration tools, and CRM.

• IaaS: maximum control, maximum responsibility.
• PaaS: balanced control, reduced ops burden.
• SaaS: minimal control, minimal ops burden.

Common trap: Confusing “hosted in the cloud” with PaaS. A virtual machine running your web server is still IaaS because you manage the OS and patches.

Exam Tip: When a question emphasizes “developers deploy code” and “provider manages the platform,” that’s PaaS. When it emphasizes “end users access an application,” that’s SaaS.

Cloud benefits are heavily tested, especially the subtle differences between similar terms. You need to map business outcomes (less downtime, faster releases, handling peak demand) to the correct concept.

High availability (HA) means minimizing downtime through redundancy and resilient design. In Azure terms, think of designing across multiple fault domains or using services with built-in replication. HA is about keeping services running despite failures.

Scalability is the ability to increase capacity to meet demand. Vertical scaling (scale up) increases resources on a single node (more CPU/RAM). Horizontal scaling (scale out) adds more instances. Many cloud-native designs prefer scale out for resilience.

Elasticity is the ability to automatically scale resources up or down based on demand—especially important when demand is unpredictable or seasonal. A common scenario is an e-commerce site during holiday spikes: elasticity prevents overbuying infrastructure for peak days.

Agility is the speed at which you can provision and experiment. Cloud enables rapid environment creation, faster testing, and shorter time-to-market because you aren’t waiting on hardware procurement.

Common trap: Treating scalability and elasticity as identical. Scalability is the capability to grow; elasticity emphasizes automatic and often rapid adjustment, including scaling back down to save costs.

Exam Tip: If the scenario mentions “seasonal spikes” or “unpredictable traffic,” choose elasticity. If it mentions “need to handle growth over time,” choose scalability. If it mentions “minimize downtime,” choose high availability. If it mentions “deploy faster,” choose agility.

AZ-900 frequently checks whether you understand why cloud changes budgeting. The key comparison is CapEx (capital expenditure) vs OpEx (operational expenditure).

CapEx is upfront spending on physical infrastructure—servers, datacenter space, and networking gear. It’s typically large, planned in advance, and depreciated over time. CapEx aligns with on-premises purchases where you must size for peak demand, often resulting in underutilized hardware.

OpEx is ongoing spending for services you consume—monthly bills based on usage. Public cloud primarily shifts costs to OpEx. This supports faster experimentation: you can start small and expand as value is proven.

Consumption-based pricing means you pay for what you use (compute time, storage consumed, requests, outbound data, etc.). This is where the economics meet exam scenarios: unpredictable demand benefits from elasticity and usage-based billing; steady workloads may require cost optimization and reserved capacity strategies (conceptually—detailed pricing mechanics are beyond fundamentals).

Common trap: Assuming “pay-as-you-go” always costs less. Cloud can cost more if resources are left running, overprovisioned, or poorly governed. The exam often expects you to recognize that governance and right-sizing matter.

Exam Tip: When a scenario emphasizes avoiding upfront purchases or “turn it off when not in use,” that points to OpEx and consumption-based pricing. When it emphasizes “large initial investment” or “depreciation,” that’s CapEx.

Cloud management concepts show up as “Which design best meets an uptime requirement?” or “What does an SLA tell you?” At AZ-900 level, you must understand definitions and decision implications rather than implementation details.

SLAs (Service Level Agreements) define expected availability and the terms under which credits may apply if the provider fails to meet the commitment. Higher availability targets usually require more redundancy and may influence architecture choices. An SLA is not a guarantee of zero downtime and it does not replace your responsibility to design resilient apps.

Fault tolerance is the ability of a solution to continue operating when components fail. In the cloud, this is often achieved through redundancy across zones/regions, load balancing, and using managed services designed for resilience. Fault tolerance is a design goal; it’s not a single feature you “turn on” everywhere.

Disaster recovery (DR) focuses on restoring service after a major outage (region failure, large-scale incident, or catastrophic on-premises event). At fundamentals level, know the difference between availability (stay up) and DR (recover). DR planning is often described through recovery objectives: RTO (how fast to restore) and RPO (how much data loss is acceptable). Lower RTO/RPO typically increases cost and complexity.

Common trap: Confusing backups with DR. Backups help restore data; DR is a broader plan to restore the service, dependencies, and operations within required timeframes.

Exam Tip: If a question focuses on “uptime during failures,” think fault tolerance/high availability. If it focuses on “recover after an outage,” think DR, RTO, and RPO. If it asks “what does the provider promise,” that’s SLA.

Section 3.1: Azure geography: regions, region pairs, and sovereign clouds

Azure geography starts with the idea that Microsoft runs datacenters around the world and groups them into regions. A region is a set of datacenters deployed within a latency-defined area and connected with a dedicated regional low-latency network. On the exam, when you see “deploy close to users,” “reduce latency,” or “meet data residency requirements,” you’re usually choosing an Azure region.

Regions are grouped into geographies (for example, Europe, Asia Pacific, United States). Geographies help with data residency and compliance needs, and the exam may use them to hint at regulatory boundaries. Another tested term is region pair: each region is paired with another region in the same geography (where possible) to support disaster recovery and platform resiliency patterns. Microsoft uses region pairs to prioritize one region out of each pair for updates during broad-impact events and to support certain replication behaviors for services.

Exam Tip: If the scenario says “disaster recovery to another location” and mentions “same geography” or “paired region,” think region pairs, not availability zones. Zones are inside one region; pairs are across regions.

Finally, know sovereign clouds. These are special Azure environments designed to meet specific compliance, data sovereignty, and government requirements. Examples include Azure Government and Azure operated in China (via a separate operator). The exam commonly tests that sovereign clouds are separate from the public Azure cloud and may have different services, endpoints, and compliance controls.

• Region = where workloads run; impacts latency and residency.
• Geography = compliance/data residency grouping of regions.
• Region pair = resiliency relationship across two regions in a geography.
• Sovereign cloud = specialized cloud with separate compliance boundaries.

Common trap: Confusing “multi-region” with “multi-zone.” If the prompt says “within a region,” do not choose region pairing; choose availability zones or sets (next section).

Section 3.2: Availability concepts: availability zones and sets

Availability on AZ-900 is about recognizing fault domains and designing for uptime at a fundamentals level. Azure provides two commonly tested constructs: availability zones and availability sets. Both aim to reduce downtime from failures, but they apply in different ways and are not interchangeable in exam language.

Availability zones are physically separate locations within an Azure region. Each zone has independent power, cooling, and networking. If a service or VM is deployed across multiple zones, you can withstand the loss of one zone and continue operating (assuming the architecture is designed to do so). When the question says “protect against datacenter failure within a region,” “zone-redundant,” or “separate physical locations,” choose availability zones.

Availability sets are a logical grouping for VMs that spreads them across fault domains (separate racks/power/network) and update domains (groups that are rebooted together during planned maintenance). Availability sets help reduce the impact of hardware failures and maintenance events, but they don’t provide the same physical separation guarantees as zones. If the question emphasizes “planned maintenance,” “update domain,” or “multiple VMs in the same datacenter,” that points to availability sets.

Exam Tip: Look for the failure type. “Entire datacenter outage” strongly suggests zones. “Rack failure” or “planned maintenance reboots” suggests availability sets.

• Zones = stronger isolation, separate facilities within one region.
• Availability sets = VM distribution across fault/update domains; classic IaaS resiliency construct.

Common trap: Answering “region pair” when the question says “within a region.” Region pairs are for cross-region resiliency; zones and sets are intra-region options.

Section 3.3: Azure resources and resource groups: lifecycle and boundaries

Once you know where Azure runs and how to keep it available, the next exam focus is how Azure is organized. In Azure, a resource is an individual service instance—like a virtual machine, storage account, virtual network, or database. Resources live inside resource groups, which are containers for managing related resources as a unit.

A resource group is primarily a management boundary, not a network boundary. You use it to apply role-based access control (RBAC), policies, and tags; deploy resources together; and delete related resources together. The exam often tests lifecycle: if you delete a resource group, you delete the resources in it. This makes resource groups convenient for environments like dev/test where you want a clean teardown.

However, resources in a resource group do not have to be in the same region—though there are practical and governance reasons to align them. The resource group itself has a location (for metadata), but resources can be deployed to different regions as needed.

Exam Tip: If the scenario asks “manage access and policies for a set of resources” or “delete everything in one action,” the best answer is usually resource group. If it asks about billing, that’s typically at the subscription/account scope, not the resource group.

• Resource = deployable service instance.
• Resource group = container for lifecycle, RBAC, policy, and organization.
• Tags = metadata labels (e.g., CostCenter=123) used for organization and cost reporting.

Common trap: Thinking a resource group enforces network isolation. Network isolation comes from virtual networks, subnets, NSGs, and firewalls—resource groups are about management and governance.

Section 3.4: Management groups, subscriptions, and hierarchy use-cases

AZ-900 expects you to understand the Azure management hierarchy and what each level is used for. The standard hierarchy is: management groups → subscriptions → resource groups → resources. Each level is a scope where governance can be applied and inherited downward.

A subscription is both a billing container and an access control boundary. Many exam questions revolve around “separate billing” or “isolate teams” or “limit access.” Creating additional subscriptions is a common way to separate departments, environments (prod vs. dev), or projects. Subscriptions also have limits/quotas, so another practical reason to use multiple subscriptions is to separate workload scale and quota consumption.

Management groups sit above subscriptions and are designed for organizations with multiple subscriptions. They let you apply Azure Policy and RBAC at a higher level and have those settings inherited by all child subscriptions. When the prompt mentions “apply policy to all subscriptions” or “central governance across the company,” management groups are the correct tool.

Exam Tip: Watch for inheritance language. “Apply to all” and “organize multiple subscriptions” points to management groups. “Separate billing/access boundary” points to subscriptions. “Deploy/manage related items together” points to resource groups.

• Use-case: management group = enterprise governance across many subscriptions.
• Use-case: subscription = billing separation, access boundary, quotas.
• Use-case: resource group = lifecycle grouping and delegated administration.

Common trap: Choosing resource groups to separate billing. Resource groups help with cost reporting (especially with tags), but subscription is the primary billing container for charges and invoices.

Section 3.5: Azure accounts, billing scopes, and pricing basics

To answer billing questions confidently, separate identity concepts (“who signs in”) from commerce concepts (“who pays”). An Azure account is typically an identity (often a Microsoft Entra ID user) used to sign in and manage resources. Billing, however, is organized using billing scopes that depend on the type of customer agreement (for example, Microsoft Customer Agreement or Enterprise Agreement). The exam stays high-level: know that charges roll up through billing constructs and are commonly associated with subscriptions.

At fundamentals level, pricing is driven by a few predictable factors: the service type (compute, storage, networking), the region (prices vary), the consumption amount (hours, requests, GB stored), and options like reservations or licensing benefits. Even without deep calculations, you should recognize keywords such as:

• CapEx vs. OpEx: cloud shifts spending to operational expenditure (pay-as-you-go).
• Pay-as-you-go: pay only for what you use; easy to scale up/down.
• Reservations: commit to 1 or 3 years for discounted pricing on certain resources.
• Azure Hybrid Benefit: use eligible on-prem licenses to reduce Azure costs.

Exam Tip: When the question is about “predictable workloads” and “reduce cost,” reservations are often the best match. When it’s about “existing Windows Server/SQL licenses,” think Azure Hybrid Benefit.

Common trap: Assuming “free account” or “trial” means no billing concepts apply. Even in trials, Azure still meters usage; the difference is who pays and whether credits cover the charges.

Section 3.6: Azure support plans and service lifecycle considerations

Support and service lifecycle appear on AZ-900 as recognition questions: identify which support plan provides certain response times, and understand how Azure communicates service changes. At a fundamentals level, focus on what support is for: technical help, guidance, and response targets—distinct from availability SLAs (which are service-specific).

Azure offers multiple support plans (for example, Basic, Developer, Standard, Professional Direct). Basic is included and covers billing/subscription issues and access to documentation/community resources; paid plans add technical support with faster response times and additional features. The exam typically tests that paid support plans provide technical assistance and that higher tiers generally mean faster responses and more advisory help.

Service lifecycle awareness means knowing that Azure services can be in phases such as preview and general availability (GA). Preview features may have limited support and are not always covered by full SLAs. On the exam, if the scenario emphasizes “production workload requiring SLA” or “mission-critical,” GA services are safer choices than preview offerings.

Exam Tip: Don’t confuse “support plan” with “SLA.” Support plans determine how quickly Microsoft responds to you; SLAs describe service uptime commitments and are tied to the service and architecture (often requiring redundancy).

• Support plan = help and response times.
• SLA = uptime commitment; often improved by zones/sets/replication.
• Preview vs. GA = maturity and production readiness signals.

Common trap: Picking “Basic support” when the question explicitly asks for technical support. Basic is important, but it’s not positioned as the primary technical troubleshooting tier compared to paid plans.

Section 4.1: Compute: VMs, scale sets, App Service, Functions, containers

Compute questions on AZ-900 test your ability to map a workload to the right hosting model. Start by asking: Do I need full OS control (IaaS), or do I want a managed platform (PaaS/serverless)? If the prompt mentions “lift-and-shift,” “custom OS settings,” “legacy software,” or “RDP/SSH,” think Azure Virtual Machines (VMs). VMs provide maximum control, but you manage patching, scaling strategy, and much of the availability design.

If the scenario is “many identical VMs” with automatic scaling, look for Virtual Machine Scale Sets. Scale sets are still IaaS VMs, but they add orchestration for deploying and scaling a fleet—common in stateless web tiers or compute clusters.

For web apps and APIs where you don’t want to manage the OS, Azure App Service is the common “PaaS web hosting” answer. It supports deployment slots, autoscale, and built-in integration patterns without VM administration. When the prompt says “host a web app” or “deploy an API quickly” and doesn’t demand OS access, App Service is a strong default.

When the prompt emphasizes “event-driven,” “run code on demand,” “pay per execution,” or “serverless,” that points to Azure Functions. Functions are ideal for timers, queue-triggered processing, and lightweight APIs. A common trap is choosing Functions for a steady, always-on workload with predictable high utilization; the exam may be hinting that App Service is a better fit for continuously running web apps.

• Containers (e.g., Azure Container Instances or Kubernetes offerings) appear when the scenario mentions “containerized,” “Docker,” portability, or microservices packaging. Containers sit between VMs and PaaS: you package the app and its dependencies, and the platform handles much of the host management.
• How to identify correct answers: “Full control” → VM; “many identical VMs + autoscale” → scale sets; “web app PaaS” → App Service; “serverless event-driven” → Functions; “Docker/container” → container services.

Exam Tip: AZ-900 loves the “least management” option. If two answers can work, the expected choice is usually the more managed service (App Service over VM, Functions over a dedicated server) unless the question explicitly requires OS-level access.

Section 4.2: Virtual networking: VNets, subnets, peering, VPN, ExpressRoute

Networking fundamentals are frequently tested through vocabulary: Virtual Networks (VNets) are the private address spaces you build in Azure, and subnets partition that space for isolation and routing control. If a question mentions “isolate tiers” (web/app/data) or “separate workloads,” subnets are the typical building block.

VNet peering connects two VNets so resources can communicate over the Azure backbone. It’s commonly the best answer when the requirement is “connect two Azure virtual networks privately” without mentioning on-premises. A classic trap is picking VPN for “VNet-to-VNet” connectivity when the prompt is clearly Azure-to-Azure; peering is simpler and is designed specifically for that scenario.

When you must connect an on-premises network to Azure over the public internet with encryption, that’s a VPN Gateway scenario (site-to-site VPN). If the prompt says “encrypted tunnel,” “public internet,” or “cost-effective hybrid connectivity,” VPN is likely correct.

ExpressRoute is the premium hybrid connectivity choice: a private, dedicated connection from on-premises to Microsoft’s network (not the public internet). Look for cues like “private connection,” “high bandwidth,” “low latency,” “regulatory requirements,” or “consistent performance.”

• How to identify correct answers: Azure internal network → VNet/subnet; Azure-to-Azure → peering; on-prem to Azure over internet → VPN Gateway; dedicated private circuit → ExpressRoute.

Exam Tip: If the question uses the word “private” in the context of on-prem connectivity, it’s often steering you to ExpressRoute. If it emphasizes “encrypted over the internet,” steer back to VPN Gateway.

Section 4.3: Network services: load balancer, Application Gateway, DNS, CDN

This section is a top source of AZ-900 confusion because multiple services “distribute traffic,” but at different layers. Azure Load Balancer is primarily a Layer 4 (TCP/UDP) service. If the prompt mentions “distribute network traffic,” “high availability,” or “balance traffic to VMs” without referencing HTTP features, Load Balancer is a likely answer.

Azure Application Gateway is Layer 7 (HTTP/HTTPS) and includes web-aware features such as routing based on URL/path, cookie-based affinity, and integration with a Web Application Firewall (WAF) option. If the question mentions “web traffic,” “SSL termination,” “WAF,” “path-based routing,” or “host multiple websites behind one endpoint,” Application Gateway is typically correct.

Azure DNS hosts DNS domains and records. It is not a content cache and it does not “speed up” downloads by itself; it resolves names to IP addresses. A common trap is selecting DNS when the requirement is performance improvement for static content—DNS helps find the endpoint, but CDN accelerates delivery.

Azure Content Delivery Network (CDN) caches content at edge locations to reduce latency for users distributed geographically. Look for phrases like “static content,” “images/videos,” “global users,” “reduce latency,” or “edge caching.”

• How to identify correct answers: L4 balancing for VMs → Load Balancer; HTTP-aware routing/WAF → Application Gateway; name resolution → DNS; global caching/edge performance → CDN.

Exam Tip: When you see “WAF,” do not pick Load Balancer. When you see “cache at edge,” do not pick DNS. Keywords often determine the layer and therefore the correct service.

Section 4.4: Storage: blob, files, queues, disks; redundancy options overview

Storage questions typically test whether you can match the data shape and access pattern to the right service. Azure Blob Storage is for unstructured objects—documents, images, backups, logs, and large binary files. If the prompt says “object storage,” “store images,” “store backups,” or “unstructured,” choose Blob.

Azure Files provides managed file shares (SMB/NFS) that can be mounted by multiple clients. If the requirement mentions a “shared drive,” “lift-and-shift file server,” or “mount a file share from multiple VMs,” Azure Files is the typical answer. Don’t confuse it with disks: a file share is multi-client; a disk is usually attached to a VM.

Azure Queue Storage is for simple messaging/decoupling between components. If the scenario says “queue messages,” “buffer requests,” or “asynchronous processing,” Queue Storage is a strong fit at the fundamentals level.

Azure Managed Disks are block storage for VMs. If the question mentions “OS disk,” “data disk,” or “storage for a VM,” it’s pointing to disks rather than blob/files.

Redundancy is a frequent “overview” test topic. You don’t need to memorize every detail, but you should recognize the idea: options range from local redundancy (copies within a datacenter) to zone redundancy (across availability zones) to geo-redundancy (across regions). The exam often frames this as “higher durability and availability” versus “lower cost.”

• How to identify correct answers: objects/unstructured → Blob; shared file system → Files; messaging buffer → Queues; VM block storage → Disks; higher resiliency → zone/geo redundancy (at higher cost).

Exam Tip: Watch for the word “mount.” If users or VMs need to mount a share, it’s Azure Files. If the disk is tied to one VM’s storage needs, it’s Managed Disks.

Section 4.5: Databases: Azure SQL, Cosmos DB basics, managed vs self-managed

AZ-900 database items are less about query syntax and more about selecting a managed database service. Azure SQL Database is a managed relational database (PaaS). If the prompt says “relational,” “SQL,” “managed,” “automatic updates,” or “minimize administration,” Azure SQL Database is usually the correct direction. In contrast, “SQL Server on an Azure VM” is self-managed: you control the OS and SQL instance, but you also handle more maintenance. The exam uses this to test “managed vs self-managed” understanding.

Azure Cosmos DB appears when the scenario requires globally distributed data, flexible schema, or very low-latency reads and writes across regions. At a fundamentals level, know that Cosmos DB is a managed NoSQL database designed for scale and global distribution. If the prompt mentions “globally distributed,” “multi-region,” “NoSQL,” “planet-scale,” or “low latency worldwide,” Cosmos DB becomes the likely answer.

Common traps include picking Cosmos DB just because the word “big” appears. “Big data” analytics is not automatically Cosmos DB; the key differentiators are distribution, low-latency at scale, and NoSQL patterns. Likewise, if the data is clearly relational and the question emphasizes SQL features, Azure SQL is more appropriate than Cosmos DB.

• How to identify correct answers: managed relational → Azure SQL Database; global distribution/NoSQL → Cosmos DB; maximum control/legacy dependencies → database on a VM.

Exam Tip: If the requirement says “managed database” or “reduce administrative overhead,” eliminate VM-hosted database options first. AZ-900 wants you to recognize the PaaS benefit.

Section 4.6: Azure AI and analytics fundamentals: Azure AI services, Azure Machine Learning, basic use-cases

Even in a fundamentals exam, Azure increasingly expects you to recognize AI-capable services and when to use them. Azure AI services (often discussed as prebuilt AI APIs) align with scenarios where you want to add vision, speech, language, or decision capabilities without building a model from scratch. If the prompt says “extract text,” “recognize speech,” “translate,” “analyze sentiment,” or “classify images” and it sounds like calling an API, that’s typically Azure AI services.

Azure Machine Learning is for building, training, and deploying ML models with a managed workspace and lifecycle tooling. Choose it when the question hints at data scientists, training models, experiment tracking, or deploying a custom model endpoint. The trap is selecting Azure Machine Learning for simple “use an AI feature” requirements where a prebuilt AI service is sufficient.

Analytics basics show up as “make sense of data” requirements. At AZ-900 level, the key is to recognize when the problem is about running reports/dashboards, processing large volumes of data, or adding intelligence to an app. You are not expected to design a full data platform, but you should be able to map “custom model” versus “prebuilt API,” and understand that managed services reduce operational burden.

• Mini-review decision trees (quick mental mapping): If you need code on demand → Functions; web app hosting → App Service; OS control → VMs. If you need Azure-to-Azure private connectivity → peering; on-prem private circuit → ExpressRoute; encrypted internet tunnel → VPN. If you need object storage → Blob; shared mounted storage → Files; VM storage → Disks; buffered messages → Queues. If you need prebuilt AI capability → Azure AI services; train your own model → Azure Machine Learning.

Exam Tip: “Build and train” points to Azure Machine Learning; “add OCR/translation/speech quickly” points to Azure AI services. Do not overcomplicate these—AZ-900 rewards picking the simplest managed service that meets the requirement.

Section 5.1: Identity: Microsoft Entra ID basics, authentication vs authorization

In Azure, identity is the foundation of secure access. For AZ-900, Microsoft Entra ID (formerly Azure Active Directory) is the identity provider you should associate with users, groups, and applications. The exam expects you to understand what Entra ID does at a high level: it stores and manages identities, supports sign-in, enables Single Sign-On (SSO), and integrates with security controls like Multi-Factor Authentication (MFA) and Conditional Access.

Two terms are commonly tested and frequently confused: authentication and authorization. Authentication answers “Who are you?” (proving identity via password, MFA, certificates, etc.). Authorization answers “What are you allowed to do?” (permissions granted after identity is verified). Most wrong answers happen when candidates swap these terms, so practice spotting them in scenario wording.

• Authentication: Sign-in process; validates credentials; may include MFA and Conditional Access checks.
• Authorization: Permission evaluation; typically enforced through RBAC at a scope (subscription/resource group/resource).

Zero Trust principles often appear as conceptual prompts: “verify explicitly,” “use least privilege,” and “assume breach.” In Azure terms, that translates into requiring strong authentication (MFA/Conditional Access), granting minimal permissions (RBAC), and continuously evaluating posture (Defender for Cloud/monitoring).

Exam Tip: When you see “MFA,” “SSO,” “sign-in,” or “identity provider,” think Microsoft Entra ID and authentication. When you see “permissions,” “roles,” “can create/delete,” think authorization (usually RBAC). A common trap is choosing “Azure Policy” for permission problems—Policy controls resource properties, not user access.

Section 5.2: Access control: RBAC roles, scope, and least privilege

Azure Role-Based Access Control (RBAC) is the primary model for authorization in Azure. AZ-900 questions often test whether you can pick the correct built-in role and understand scope. Roles are sets of permissions; assignments bind a role to a security principal (user, group, service principal, or managed identity) at a given scope.

Know the three classic built-in roles and what they imply:

• Owner: Full access to resources plus the ability to manage access (assign roles).
• Contributor: Can create and manage resources but cannot grant access to others.
• Reader: View-only access.

Scope is another frequent exam lever. RBAC assignments can be applied at the management group, subscription, resource group, or resource level. Permissions inherit downward: a role assigned at the subscription applies to all resource groups and resources in that subscription unless overridden by more specific assignments.

Least privilege is both a security best practice and a consistent exam theme: grant only the permissions needed, at the narrowest practical scope, and prefer assigning roles to groups rather than individuals to simplify management. If a scenario says “a team should manage only resources in one resource group,” the most defensible choice is a role assignment at the resource group scope rather than at the subscription.

Exam Tip: If the requirement includes “must be able to assign permissions,” the role must include access management—typically Owner (or User Access Administrator, which you may see in some items). A common trap is choosing Contributor when the scenario requires granting others access; Contributor cannot manage RBAC assignments.

Section 5.3: Governance: Azure Policy, initiatives, and resource locks

Governance is about enforcing organizational standards and reducing risk at scale. The exam repeatedly distinguishes between controls that govern deployments and configurations (Azure Policy) and controls that govern access (RBAC). Azure Policy evaluates resources against rules and can block non-compliant deployments or audit them for reporting.

At a fundamentals level, remember what Policy does and does not do. Policy can require specific settings (for example, “only allow certain regions,” “require a tag,” “enforce SKUs,” “deny public IP creation”), and it can audit existing resources for compliance. Policy does not grant user permissions; it governs resource properties and allowed states.

• Policy definition: A single rule (deny, audit, append, deploy if not exists).
• Initiative: A collection of policy definitions grouped to achieve a broader goal (often aligned to compliance frameworks).
• Assignment: The act of applying a policy/initiative to a scope (management group/subscription/resource group).

Resource locks are another governance tool and are highly testable because the wording is straightforward. Locks prevent accidental changes even by users who otherwise have permissions. Two lock types are commonly referenced: CanNotDelete (prevents deletion) and ReadOnly (prevents changes). Locks are not a substitute for RBAC, but they are a strong “safety catch” for critical resources.

Exam Tip: If the scenario says “prevent deletion,” “protect from accidental removal,” or “ensure no one deletes the resource group,” choose a lock (CanNotDelete). If the scenario says “only allow resources that meet a standard,” choose Azure Policy. A common trap is picking locks to enforce standards—locks do not validate SKU, region, or tags.

Section 5.4: Compliance and security posture: Defender for Cloud and basic concepts

AZ-900 expects you to recognize the services that help you understand and improve security posture and compliance status. Microsoft Defender for Cloud is Azure’s cloud security posture management (CSPM) and workload protection platform. In exam scenarios, it appears as the place you go for security recommendations, hardening guidance, and a centralized view of security status across subscriptions.

Two tested ideas: (1) secure score (a measurement of posture based on implemented recommendations) and (2) recommendations (actions to reduce risk, such as enabling MFA, turning on encryption, closing management ports, or enabling endpoint protection on VMs). Defender for Cloud can also surface regulatory compliance dashboards that map controls to standards, helping you report compliance progress.

Keep your conceptual boundaries clear. Defender for Cloud helps you assess and improve security; it does not replace identity (Entra ID), authorization (RBAC), or governance enforcement (Azure Policy). In many real environments, Policy and Defender work together: Policy enforces baseline configurations, and Defender highlights gaps and prioritizes fixes.

Exam Tip: If the question mentions “recommendations,” “security posture,” “secure score,” or “regulatory compliance dashboard,” the correct tool is typically Defender for Cloud. A common trap is selecting “Azure Monitor” for security recommendations—Monitor collects telemetry; Defender interprets security posture and suggests improvements.

Section 5.5: Cost management: pricing calculator, TCO, budgets, tags, cost analysis

Cost control is a core Domain 3 skill: the exam wants you to identify which tool supports planning vs tracking vs enforcing accountability. Start with the two planning tools. The Azure pricing calculator estimates the expected monthly cost of Azure services based on selected SKUs, regions, and usage assumptions. The Total Cost of Ownership (TCO) calculator compares on-premises costs to Azure costs to support migration business cases.

Once you are running workloads, Cost Management features help you track and manage spend. Cost analysis lets you explore actual costs over time, by subscription, resource group, service, or tag. Budgets let you set thresholds and trigger alerts when spending approaches or exceeds limits. Budgets do not automatically stop resources; they notify (and can integrate with automation externally), so beware of wording that implies automatic shutdown.

Tags are a practical, testable concept for cost allocation and organization. You can apply key-value tags (for example, Department=Finance, Environment=Prod) to resources and then use them to group costs and charge back/show back. Tags are not security boundaries; they are metadata. Candidates often over-assign governance power to tags—on the exam, they primarily support reporting and organization.

Exam Tip: If the prompt says “estimate costs before deployment,” pick the pricing calculator. If it says “compare on-prem vs cloud,” pick TCO. If it says “alert when spending reaches X,” pick budgets. If it says “break down costs by department,” pick tags + cost analysis. Common trap: choosing budgets to “cap” costs automatically—budgets alert; they don’t enforce a hard stop by default.

Section 5.6: Management tools: Azure portal, CLI, PowerShell, ARM/Bicep basics, Azure Monitor concepts

Azure provides multiple management surfaces, and AZ-900 tests when each is appropriate. The Azure portal is the browser-based GUI, ideal for learning, quick configuration, and visual exploration. The Azure CLI and Azure PowerShell are command-line tools used for scripting, automation, and repeatable operations. The exam often frames CLI/PowerShell as better for automation and repeatability than manual portal clicks.

Infrastructure as Code (IaC) is another key theme. Azure Resource Manager (ARM) is the underlying deployment and management layer, and ARM templates describe resources declaratively in JSON. Bicep is a higher-level, more readable language that compiles to ARM templates. For fundamentals, focus on the “why”: consistent deployments, version control, repeatability, and reduced configuration drift.

Monitoring concepts are tested at a recognition level. Azure Monitor is the umbrella service for collecting and analyzing telemetry. Expect to differentiate metrics (numerical time-series, near real-time, good for performance and alerts) from logs (detailed event data, queried for analysis and troubleshooting). Alerts can be created from metrics and logs to notify operators or trigger actions.

Exam Tip: If the scenario emphasizes “repeatable deployments,” “standardized environments,” or “deploy the same configuration consistently,” select ARM/Bicep. If it emphasizes “monitor performance” or “create alerts,” select Azure Monitor. A common trap is picking Policy for monitoring requirements—Policy evaluates compliance with rules; it does not provide performance telemetry or log analytics.

Section 6.1: Mock exam instructions, timing strategy, and scoring approach

Your first job is to simulate the exam environment. That means: single sitting, no notes, no pausing, and no “just checking one thing.” AZ-900 is designed to test recognition and decision-making more than deep configuration, so your performance depends heavily on reading precision and disciplined pacing.

Timing strategy: aim for a steady pace where you spend less time on straightforward definition items and reserve thinking time for items that compare services or governance tools. If you encounter a question that forces you to debate two plausible answers, make a best choice using elimination and move on. Then, capture it for review. Exam Tip: Your score improves more from preventing avoidable mistakes (misreading “capex vs opex,” confusing “Policy vs RBAC,” mixing “regions vs availability zones”) than from spending extra minutes on one hard item.

Scoring approach: track three categories during your mock review—Correct/Confident, Correct/Guessed, Incorrect. “Correct/Guessed” is a weak area; treat it like incorrect until you can explain why each wrong option is wrong. Also score by objective domain: (1) Cloud concepts, (2) Azure architecture and services, (3) Management and governance, plus AI-capable services at fundamentals level. Exam Tip: If one domain repeatedly yields guessed answers, your next study session should be objective-based, not question-based—re-read the definitions and compare similar terms side by side.

• Run Mock Exam Part 1 (Set A) without interruption.
• Take a 10–15 minute break.
• Run Mock Exam Part 2 (Set B) in one sitting.
• Do review only after both sets are complete to keep the simulation honest.

This structure mirrors the real exam experience: sustained focus, quick recovery from uncertain items, and consistent decision-making under time pressure.

Section 6.2: Mock exam set A: cloud concepts + core architecture

Mock Exam Set A should concentrate on two high-yield objective areas: (1) cloud concepts and (2) core Azure architecture. The exam expects crisp definitions and correct matching of terms to scenarios. In your review, focus on whether you can identify the “keyword trigger” in the prompt that points to the right concept.

Cloud concepts that are frequently tested include: shared responsibility model, consumption-based pricing, scalability vs elasticity, high availability vs fault tolerance, and the differences between CapEx and OpEx. Common trap: questions that sound like “cloud is cheaper” when the correct answer is actually “cloud shifts spending from CapEx to OpEx” or “pay-as-you-go improves cost transparency.” Exam Tip: When you see words like “unpredictable demand,” think elasticity; when you see “grow steadily,” think scalability.

Core architecture topics include regions, region pairs, availability zones, data residency, subscriptions, management groups, resource groups, and Azure Resource Manager (ARM). The exam often checks whether you understand scope and hierarchy. A classic trap is mixing up what a resource group does (a logical container for resources) with what a subscription does (billing boundary + quota/limits + access control boundary). Another trap is assuming “availability zones” exist in every region; the safer phrasing is that some Azure regions support availability zones.

Also expect “core services awareness” at a fundamentals level: knowing that Azure Virtual Network is the networking foundation, that Azure Storage is durable storage with multiple redundancy options, and that compute can be IaaS (VMs) or PaaS (App Service). Exam Tip: If the prompt emphasizes “no server management,” steer toward PaaS/SaaS options; if it emphasizes “full control of OS,” that’s an IaaS signal.

In Set A, your goal is not to memorize product marketing lines, but to align the scenario keyword with the correct model/service type/architecture term—and to eliminate distractors that are true statements but not the best answer for the asked requirement.

Section 6.3: Mock exam set B: Azure services + management and governance

Mock Exam Set B should emphasize Azure services (compute, networking, storage, identity, security) plus management and governance (cost, policy, compliance). This is where AZ-900 frequently uses “compare and choose” wording—your job is to identify the primary requirement and map it to the right tool.

Services: expect baseline recognition of Azure compute (Virtual Machines, App Service, Containers), networking (Virtual Network, VPN Gateway, ExpressRoute, DNS), and storage (Blob, Disk, Files, access tiers). Traps commonly appear when two services both “connect networks” but differ by context: VPN Gateway is encrypted over the public internet; ExpressRoute is private connectivity through a provider. Another trap is storage type confusion: “shared file access over SMB” points to Azure Files; “unstructured object storage” points to Blob. Exam Tip: If the prompt mentions “mount a drive” for multiple machines, Azure Files is usually the target; if it mentions “static content” or “images,” Blob is often best.

Identity and security: be ready for Azure Active Directory (Microsoft Entra ID) basics, MFA, Conditional Access, and the difference between authentication (who you are) and authorization (what you can do). RBAC is authorization at Azure resource scope; Azure Policy enforces standards by evaluating resources against rules. A frequent exam trap is swapping these: RBAC does not enforce “must have tags” rules; Policy does. Exam Tip: When the requirement is “prevent deployment unless compliant,” think Policy. When the requirement is “allow user X to manage Y,” think RBAC.

Management and governance: know cost management tools at a conceptual level—budgets, alerts, total cost of ownership (TCO) concepts, and the difference between Azure Advisor (recommendations) and Cost Management (spend tracking and budgeting). Compliance topics often include the Microsoft Trust Center, service trust documentation, and the idea of compliance offerings (not “guarantees”).

AI-capable services at fundamentals level: the exam may ask what Azure AI services do broadly (vision, language, speech) or where Azure Machine Learning fits (model training/management platform). Don’t overthink implementation details. The exam is checking whether you select the service category that matches the workload: “extract text from images” aligns to vision/OCR capabilities; “sentiment analysis” aligns to language. Exam Tip: If an option is a “platform to build and manage ML models,” that’s Azure Machine Learning; if it’s “prebuilt APIs for tasks,” that’s Azure AI services.

Section 6.4: Answer review method: objective mapping and error patterns

This section is your Weak Spot Analysis engine. Reviewing answers is where most learning occurs—if you do it methodically. Start by mapping every missed or guessed item to an exam objective domain and a specific concept pair (for example: “Policy vs RBAC,” “region vs availability zone,” “IaaS vs PaaS,” “VPN vs ExpressRoute”). This turns random misses into a targeted study plan.

Use a three-pass review method:

• Pass 1 (Why correct): Write one sentence explaining why the chosen answer meets the requirement in the prompt.
• Pass 2 (Why wrong options are wrong): For each distractor, write a short reason it fails the prompt (too much management, wrong scope, wrong service type, wrong connectivity model, etc.).
• Pass 3 (Trigger words): Identify the exact phrase that should have guided you (e.g., “enforce,” “budget,” “private connection,” “no OS management,” “data residency”).

Common error patterns on AZ-900 are predictable. Misread errors include missing “most cost-effective” or “minimize administrative effort.” Concept confusion errors include mixing governance tools (Policy, RBAC, Blueprints—note that some older materials emphasize Blueprints; the exam trend is toward Policy/Initiatives) and mixing availability constructs (zones vs region pairs). Process errors include changing an answer from correct to incorrect after second-guessing without new information.

Exam Tip: Track “second-guess flips.” If you frequently change answers, impose a rule: only change if you can point to a specific requirement in the question that your original choice fails. Otherwise, keep the first answer.

After review, create a mini remediation list of 5–10 items. Each item should be phrased as a contrast statement (e.g., “RBAC assigns permissions; Policy enforces rules”) and practiced until recall is instant.

Section 6.5: High-frequency exam objectives: rapid recall sheet

This Final Rapid Review is a recall sheet of concepts that appear repeatedly on AZ-900. The exam is not looking for deep engineering detail; it is looking for accurate identification, correct comparisons, and appropriate tool selection. Use the list below as your last 24–48 hour drill. If you hesitate on an item, that’s a signal to revisit the definition and one practical example.

• Cloud models: Public vs private vs hybrid; hybrid often appears with “regulatory/data residency” or “existing datacenter integration.”
• Service types: IaaS (more control/more management) vs PaaS (less management) vs SaaS (consume application).
• Economics: CapEx vs OpEx; consumption-based pricing; scaling to match demand.
• Reliability terms: High availability vs disaster recovery; availability zones vs regions; region pairs support resilience strategies.
• Hierarchy and scope: Management groups > subscriptions > resource groups > resources.
• Governance tools: RBAC = permissions; Azure Policy = enforce/deny/audit; Cost Management = track/budget; Advisor = recommendations.
• Networking: VNet basics; VPN over internet vs ExpressRoute private; NSG filters traffic.
• Storage: Blob (objects) vs Files (SMB) vs Disk (VM disks); redundancy is a durability/availability concept.
• Identity/security: MFA, Conditional Access concepts; shared responsibility model boundaries.
• AI fundamentals: Azure AI services = prebuilt APIs; Azure Machine Learning = build/train/manage ML lifecycle.

Exam Tip: When two options both sound “Azure-ish,” anchor on the requirement verb. “Enforce,” “deny,” “audit” align to Policy; “recommend” aligns to Advisor; “track spend” aligns to Cost Management; “assign permissions” aligns to RBAC.

Drill this sheet aloud. AZ-900 is fast-paced, and instant recall reduces cognitive load so you can focus on the question’s nuance.

Section 6.6: Exam day readiness: environment checks, pacing, and retake plan

Your Exam Day Checklist should remove surprises. Whether you test online or in a center, plan for a stable environment and a consistent pacing strategy. For online proctoring, validate your system requirements early (camera, microphone, network stability), and ensure your testing space is clear of notes and additional screens. For test centers, arrive early enough to handle check-in without rushing.

Pacing plan: start with a calm first pass. Your goal in the first segment is accuracy on the easy-definition items and steady momentum. For any item that becomes a time sink, commit to a best answer by elimination and move forward. Exam Tip: Eliminate options that violate the requirement type: if the requirement is governance enforcement, a monitoring tool is unlikely to be correct; if the requirement is “no server management,” an IaaS VM is unlikely to be correct.

Mindset and error control: read the last line of the question twice. Many AZ-900 items hinge on “best,” “most cost-effective,” “minimize administrative effort,” or “provide the highest availability.” These words determine which correct-sounding option is actually correct. Also watch for scope language: “subscription,” “resource group,” “tenant,” and “management group” are not interchangeable.

Retake plan (just in case): if you do not pass, do not restart from scratch. Use your objective-mapped Weak Spot Analysis from Section 6.4. Remediate the top two objective areas first, then re-run a full mock under timed conditions. Exam Tip: A focused retake strategy is usually: fix terminology confusions, then fix governance-tool selection, then fix architecture hierarchy/scope questions—those areas yield the fastest score gains.

Finish strong: the exam rewards clarity. If you can define the key terms, recognize the service category, and choose the governance tool that matches the verb in the requirement, you are exam-ready.