AZ-900 in 5 Days: Azure Cloud Essentials for AI Beginners

AZ-900 is organized around three big domains. Think of these as your navigation map for the next five days: (1) cloud concepts, (2) Azure architecture and services, and (3) Azure management and governance. Microsoft updates weightings over time, but the theme stays stable: define cloud models, identify Azure’s core constructs, and explain how Azure is managed, secured, and paid for.

Describe cloud concepts covers shared responsibility, public/private/hybrid cloud, and service models (IaaS/PaaS/SaaS). The exam loves precise definitions. A common trap is mixing responsibility boundaries: in SaaS, Microsoft manages the application; you still manage users, data classification, and access. In IaaS, you manage the OS and above, while Microsoft manages the physical hardware and hypervisor.

Azure architecture and services

Management and governanceExam Tip: When a prompt says “enforce” or “deny noncompliant deployments,” your best mental trigger is Azure Policy, not RBAC.

AZ-900 is not a lab exam; it’s a timed, objective-based test delivered in a typical Microsoft certification interface. You should be prepared for several question styles: single-answer multiple choice (MCQ), multiple response (“select all that apply”), matching (pair terms with definitions), and short case-style prompts where a mini-scenario is followed by a question about the best service or concept.

For MCQ, your job is often to identify the one option that is most definitionally correct. Many wrong answers are “almost true” but violate a boundary. Example patterns: a choice might describe a feature of availability sets when the question asked about availability zones, or it might describe CapEx vs OpEx incorrectly. Train yourself to look for the noun the question is really targeting (SLA, region, subscription, RBAC, policy, TCO) and match it to the cleanest definition.

For multiple response, do not assume there are always two correct answers—there may be one, two, three, or more depending on the interface. Read each option independently and mark only what you would defend with a definition. Exam Tip: In multiple response, avoid “bundle thinking” (e.g., selecting a group of options because they sound related). Instead, validate each option against the question’s verb: “identify,” “ensure,” “reduce costs,” “increase reliability,” or “control access.”

Matching items test vocabulary. These are high-yield if you build a term bank: shared responsibility, defense-in-depth, zero trust, SLA, preview vs GA, and core constructs (resource, resource group, subscription, management group). Case-style prompts frequently try to distract you with irrelevant details; underline the requirement (cost, reliability, identity, governance) and answer to that requirement only.

Registration is straightforward, but policy missteps cause the most preventable failures: late check-in, invalid ID, or a noncompliant testing environment. You typically register through Microsoft’s certification dashboard and schedule via Pearson VUE. Choose between an online proctored exam (at home/office) or a test center appointment.

Online proctoring is convenient but strict. You’ll need a quiet room, stable internet, and a clear desk. Expect to show your workspace via webcam and comply with rules like no phones, no notes, and no additional monitors. Your name in your Microsoft profile should match your government-issued ID exactly. If you anticipate interruptions (shared living space, unreliable network), a test center can be the safer option.

Test center

Know the essentials: acceptable ID types, rescheduling/cancellation windows, and what constitutes a policy violation. Exam Tip: Treat online proctoring like a “zero tolerance” environment—no glancing off-screen, no reading aloud, no leaving the camera view. If you think you’ll naturally do any of these when stressed, book a test center.

Microsoft exams use a scaled scoring model. You do not need to know the exact raw number of questions correct; you need to exceed the passing threshold on the scaled score. Different questions can carry different weights, and some items may be unscored (used for future exam calibration). This is why “I felt good on most questions” does not always equal a pass—and why you should avoid spending too long on any single item.

Approach scoring strategically: aim for consistent competence across all three domains rather than perfection in one. Fundamentals exams often include “definition checks” that are quick wins if you’ve practiced recall. Exam Tip: If you’re stuck between two answers, choose the option that matches the requirement word-for-word and aligns with official terminology. Exams reward the Microsoft definition, not community slang.

Time management matters more than people expect. If the interface allows review, flag uncertain questions and move on, then return with remaining time. Many candidates lose points by over-investing early and rushing later, where easier questions appear.

For retakes, plan a diagnostic approach rather than repeating the same study. After an attempt, use the score report to identify weak domains (e.g., governance vs architecture). Build a targeted 48–72 hour remediation sprint: revisit definitions, redo missed concept areas with active recall, and tighten your elimination strategy. The fastest improvement usually comes from fixing terminology confusion (e.g., Policy vs RBAC, regions vs zones, CapEx vs OpEx) rather than “studying harder.”

As an AI beginner, your risk is trying to “learn Azure” as a giant platform instead of preparing for an objectives-based exam. Your five-day plan should be lab-light: you will use minimal hands-on exposure to make concepts concrete, but most gains come from active recall and targeted correction of misunderstandings.

Use timeboxing: schedule two focused blocks per day (for example, 60–90 minutes each) and a short review block (15–20 minutes). In each block, study one objective cluster (e.g., cloud models) and then immediately close your materials and write or say the definitions from memory. This is active recall—the single highest-yield method for fundamentals exams.

Maintain an error log. Each time you miss or hesitate on a concept, record: (1) the concept, (2) what you thought, (3) what’s correct, and (4) the “trigger phrase” that should cue the right answer next time. Example: Trigger phrase “enforce standards during deployment” → Azure Policy. Exam Tip: Your error log is more valuable than extra reading. Re-reading feels productive but often doesn’t change your exam behavior.

For lab-light learning, do tiny, purposeful actions: locate where subscriptions appear in the portal, find resource groups, and observe how a resource has properties like region and pricing tier. Avoid building complex deployments; AZ-900 rarely rewards step-by-step configuration knowledge. Your goal is recognition: “What is this service category?” and “What problem does it solve?”

Microsoft Learn is your primary source of truth because it uses Microsoft’s own terminology and aligns closely to the exam objectives. Your job is to convert Learn modules into a measurable tracking system. Start by listing the exam objectives as a checklist: cloud concepts (shared responsibility, service models, benefits), pricing/SLA/lifecycle planning, architecture primitives (regions, subscriptions, resources), core services (compute/network/storage), identity and security basics, and management/governance (cost management, monitoring, compliance).

Then map each Learn module to one or more objectives. After each module, perform a quick “objective proof” step: can you explain the objective in two or three sentences without notes? If not, mark that objective as “yellow” and schedule it for spaced repetition on Day 3 and Day 5.

Spaced repetition for AZ-900 can be simple: review yesterday’s error log for 10 minutes before starting new content, and re-test yourself on older definitions every other day. Keep a single-page “definition sheet” that you rewrite from memory daily—shared responsibility boundaries, IaaS/PaaS/SaaS, SLA meaning, region vs zone, and governance tools (RBAC, Policy, Blueprints conceptually, tags, cost management, monitor). Exam Tip: If a term appears in multiple modules (e.g., Azure Policy), it’s a signal that the exam expects you to distinguish it from similar tools under time pressure.

Finally, use objective mapping to build your five-day arc: Day 1 cloud concepts and economics; Day 2 architecture primitives and core services; Day 3 identity/security and governance fundamentals; Day 4 integrated review with error-log drilling; Day 5 final pass, terminology tightening, and exam readiness checks (registration, ID, environment). This keeps your effort aligned to what is tested, not what is merely interesting.

Cloud computing is the on-demand delivery of compute, storage, networking, and higher-level services over the internet with pay-as-you-go pricing and rapid provisioning. In exam terms, cloud is not “someone else’s computer” (a common oversimplification); it’s a consumption-based model with elastic capacity, managed services, and shared responsibility boundaries.

AZ-900 frequently connects cloud definitions to financial models: CapEx (capital expenditure) vs OpEx (operational expenditure). CapEx is upfront spending—buying servers, racks, networking gear, and licensing, then depreciating the asset over time. OpEx is ongoing spending—paying for what you use, monthly or hourly, and treating it as an operating cost. Public cloud strongly aligns with OpEx because you avoid large up-front hardware purchases and can scale spend with usage.

Exam Tip: If a scenario emphasizes “avoid large upfront costs,” “pay only for what you use,” or “quickly provision without buying hardware,” the answer is almost always tied to OpEx and cloud consumption.

Common exam trap: assuming cloud is always cheaper. The exam expects you to know cloud can optimize costs but doesn’t guarantee lower cost if you overprovision, leave resources running, or choose the wrong tier. Identify whether the question is testing the pricing model (OpEx) vs the deployment location (public/private/hybrid).

• CapEx keywords: upfront purchase, depreciation, fixed capacity, datacenter build-out.
• OpEx keywords: pay-as-you-go, variable spend, consumption-based, operational expense.

For AI workloads, OpEx is especially relevant: model training or batch inference can be bursty. Cloud lets you run expensive compute only when needed, rather than owning peak capacity year-round.

The shared responsibility model explains which security and operational tasks are handled by the cloud provider versus the customer. AZ-900 tests this constantly, often indirectly. The core idea: the more managed the service, the more Microsoft is responsible for; the more you control (like virtual machines), the more you are responsible for.

Microsoft is always responsible for security of the cloud: physical datacenters, hardware, core networking, and the foundational platform. You are always responsible for security in the cloud: your data, identities, access rules, and configuration choices. The boundary shifts by service model: IaaS places more duties on you (OS patching, configuration), while PaaS/SaaS shifts those duties to Microsoft.

Exam Tip: When you see “who is responsible for patching the operating system,” first determine if the resource is a VM (IaaS) or a managed service (PaaS). OS patching on a VM is typically the customer’s responsibility.

Security implications that show up on AZ-900 include identity and access management (IAM), data protection, and configuration management. Even if Microsoft manages infrastructure, misconfigurations (public storage access, overly broad permissions, exposed keys) are still your risk. The exam likes “least privilege” thinking: grant only needed access, then monitor.

Common trap: assuming compliance is fully “handled by Azure.” Azure provides compliant services and tools, but you must implement controls (policies, access restrictions, data handling) to meet your organization’s requirements. Another trap is treating encryption as purely provider responsibility; you choose whether to enable encryption options, manage keys, and control access.

Service models describe how much you manage versus the provider. AZ-900 questions often present a workload and ask which model fits. Use the “control vs convenience” lens: more control usually means more management.

IaaS (Infrastructure as a Service): You rent virtualized compute, storage, and networking. You manage the OS, runtime, patches, and most configuration. Typical beginner examples: deploying a virtual machine to run a custom application, lifting-and-shifting an on-prem server, or needing admin-level control for specialized software.

PaaS (Platform as a Service): You deploy apps without managing servers. The provider manages OS, patching, and much of the platform. You manage your application code and data. Beginner examples include hosting an API without worrying about server maintenance, or using managed databases. For AI beginners, PaaS is common for hosting inference endpoints where you want faster deployment and less operational overhead.

SaaS (Software as a Service): Fully managed software delivered over the internet. You manage users and data settings, not the application or platform. Examples include email, CRM systems, or collaboration suites.

Exam Tip: Look for verbs in the scenario: “install,” “configure OS,” “RDP/SSH,” and “full control” usually point to IaaS. “Deploy code,” “managed runtime,” “built-in scaling” points to PaaS. “Use the app” points to SaaS.

Common distractor pattern: a scenario that requires custom OS control but mentions “managed.” Don’t be fooled—if you must install drivers, change kernel settings, or control the OS, it’s IaaS. Another trap: equating PaaS with “no responsibility.” You still own application security, identities, and data governance.

Deployment models describe where cloud resources run and who owns the environment. The exam expects you to differentiate public, private, and hybrid cloud, and to recognize why an organization might choose each.

Public cloud: Services provided over the internet and shared across multiple customers with strong logical isolation. Azure is a public cloud. Public cloud is typically fastest to adopt and aligns strongly with OpEx.

Private cloud: Cloud-like environment dedicated to one organization. It can be on-premises or hosted by a third party. Organizations choose private cloud when they need strict control, specialized compliance, or must keep workloads in a dedicated environment.

Hybrid cloud: A combination of public cloud and private/on-prem environments connected to share data and applications. This is extremely common in real life and on the exam: gradual migration, latency-sensitive systems on-prem, regulatory constraints, or disaster recovery designs are frequent reasons.

Multicloud: Using services from more than one public cloud provider (e.g., Azure plus another provider). Multicloud can reduce vendor dependency or satisfy regional/service needs, but increases complexity in governance, identity, and monitoring.

Exam Tip: If the scenario says “some data must remain on-premises” or “integrate with existing datacenter,” choose hybrid. If it says “avoid vendor lock-in” or “use best-of-breed from multiple providers,” think multicloud—but remember multicloud is not required for high availability by itself.

Common trap: confusing hybrid with multicloud. Hybrid is about mixing on-prem/private with public cloud. Multicloud is about multiple public clouds. Another trap: thinking “private cloud” automatically means “more secure.” Security depends on controls and configuration; private cloud changes ownership and isolation, not the need for good security practices.

Cloud benefits are a high-frequency AZ-900 topic. The exam tests whether you can match the benefit to the scenario language. Learn to separate similar terms.

Scalability is the ability to increase or decrease resources to meet demand. It can be vertical (bigger machine) or horizontal (more instances). Elasticity is a form of scalability emphasizing automatic, rapid scaling—often in response to real-time load changes.

Reliability includes high availability and fault tolerance—designing so the service continues operating despite failures. High availability aims to minimize downtime; fault tolerance aims to keep operating even when components fail. In cloud conversations, these relate to redundancy and resilient architecture.

Predictability typically shows up in two ways: predictable performance (consistent service when designed correctly) and predictable costs (using tools, budgets, and right-sizing). The cloud provides cost transparency and metering, but you must apply governance to avoid surprises.

Governance is about enforcing standards and controlling resources—think policies, tagging, access control, and cost controls. Governance matters for AI because data access, key management, and resource sprawl can quickly become risks.

Exam Tip: If the scenario uses phrases like “automatically add/remove resources based on demand,” that’s elasticity. If it says “handle increased demand by adding capacity,” that’s scalability. If it says “continue operating if a datacenter component fails,” think reliability/fault tolerance.

Common trap: selecting “high availability” when the scenario is really about performance during spikes (scalability/elasticity). Another trap: selecting “governance” when the scenario is about cost predictability; governance tools support cost control, but the benefit being tested may be “predictable costs” rather than governance itself.

This section prepares you for how AZ-900 asks cloud concept questions without turning the chapter into a quiz. The exam commonly uses short business prompts and then offers answer choices that differ by one keyword (IaaS vs PaaS, scalability vs elasticity, hybrid vs multicloud). Your job is to identify which objective is being tested.

Scenario prompt patterns to recognize:

• Management burden: Mentions patching, OS access, installing software, or needing administrative control. This is usually testing service model (IaaS vs PaaS).
• Location constraints: Mentions “must stay on-prem,” “legacy integration,” “data residency,” or “gradual migration.” This usually tests deployment model (hybrid/private/public).
• Demand variability: Mentions seasonal traffic, unpredictable load, batch jobs, or “scale automatically.” This tests scalability vs elasticity and cloud benefits.
• Security ownership: Mentions who handles updates, who controls data, or who is responsible for access. This tests shared responsibility.

Distractor patterns: A frequent distractor is a “more advanced” sounding option that doesn’t match the requirement. For example, choosing multicloud when the prompt only needs hybrid connectivity, or choosing fault tolerance when the prompt is simply asking for reduced downtime (high availability). Another distractor is mixing finance and technology: a question about OpEx may include tempting words about “faster provisioning,” but the key requirement is cost structure.

Exam Tip: Underline the constraint in your mind (control, location, cost, or uptime). Then eliminate options that do not address that single constraint. AZ-900 rewards precise matching more than deep engineering detail.

Final trap to avoid: over-assuming Azure-specific services in this domain. “Cloud concepts” questions often remain provider-agnostic; answer from principles (responsibility boundary, deployment model, benefit) rather than naming a product unless the question explicitly asks for it.

Azure’s global infrastructure is organized into geographies, regions, and region pairs. The exam expects you to know the purpose of each, not to memorize every region name. A region is a set of datacenters within a latency-defined perimeter. A geography is a broader boundary (often aligned to a country/market) used for data residency and compliance needs. If a question mentions legal requirements like “data must remain within the country/market,” your first thought should be geography/region selection.

Region pairs matter for resiliency and platform behavior. Each Azure region has a paired region in the same geography. Microsoft uses region pairs to prioritize recovery and to reduce the likelihood of simultaneous disruptions affecting both regions. Certain services use region pairs for replication options and for planning disaster recovery (DR). The test often checks whether you understand that region pairs are about cross-region resiliency, whereas availability zones (next section) are about resiliency within a region.

Common trap: confusing “global” with “multi-region.” Some services are global (for example, DNS) but your deployed resources still live in a region. If the scenario asks where a VM runs, the answer is always “in a region,” even if the service is managed via global endpoints.

Exam Tip: When you see “disaster recovery,” “regional outage,” or “business continuity across datacenters,” consider region pairs or multi-region design. When you see “data residency” or “compliance boundary,” think geography/region selection first.

Availability zones (AZs) are physically separate locations within an Azure region, each with independent power, cooling, and networking. AZs are designed to protect against datacenter-level failures while keeping low latency (because they’re inside the same region). AZ-900 expects you to describe what zones are and what they’re for, not to implement them.

High availability (HA) questions typically describe needing uptime even if “one datacenter goes down.” That phrase is your hint that you need zone redundancy. Azure services may be zonal (pinned to a specific zone) or zone-redundant (replicated across zones). Many services offer zone-aware options, but not every service is available in every region with zones. So the correct exam reasoning is: choose a region that supports availability zones, then choose a zone-redundant deployment option when available.

Common trap: selecting “region pair” for a requirement that is clearly intra-region. Region pairing helps with regional outages, but it does not automatically make a single-region deployment highly available. If the prompt says “must remain in one region” yet needs protection from a datacenter failure, availability zones are the best fit.

• Use zones for: datacenter outage protection within a region, low latency HA.
• Use multiple regions / region pair for: regional outage protection, broader DR.

Exam Tip: Pay attention to phrases like “within the same region,” “same country,” or “minimal latency.” Those cues typically push you toward availability zones over multi-region designs.

Azure organizes and governs assets using a clear hierarchy: Management Group (MG) > Subscription > Resource Group (RG) > Resource. AZ-900 tests whether you can choose the correct level for governance, billing, access control, and lifecycle management. Think of this as “where do I apply rules and where do I pay?”

Management groups are for organizing multiple subscriptions under a single governance umbrella. If a scenario mentions a large enterprise with many subscriptions and a need to apply policies consistently, management groups are the target scope. Subscriptions are primarily a billing and boundary unit (also used for quotas/limits). If the question mentions “separate billing,” “separate environments,” or “separate limits,” subscription is a strong answer.

Resource groups are logical containers for resources that share the same lifecycle. This is a frequent exam point: resources in an RG can be deployed, managed, and deleted together. However, RGs are not for “network proximity” and they do not force all resources to be in the same region. Many resources are regional, but the RG itself is a management construct (metadata). A classic trap is assuming the RG’s location controls resource location.

Finally, resources are the actual instances (VMs, storage accounts, VNets, databases, etc.). RBAC and Azure Policy can be applied at multiple scopes; the exam often asks which scope is most efficient to meet a requirement. If you must enforce a rule everywhere, use MG or subscription; if only for a project, use RG.

Exam Tip: For “apply governance across many teams/subscriptions,” choose management group. For “billing boundary,” choose subscription. For “group by app lifecycle,” choose resource group. Avoid the trap of using RG as a “region container.”

Compute questions in AZ-900 usually test whether you can match a workload requirement to the right compute model: virtual machines, containers, or serverless. You are not expected to size instances or write deployment templates, but you are expected to understand trade-offs like management effort, portability, scaling style, and billing patterns.

Virtual Machines (VMs) provide full OS control and are a go-to answer for “lift-and-shift,” custom software, or when you need to install agents and control the operating system. The trap is assuming VMs are always best because they are familiar. If the prompt emphasizes fast start, lightweight packaging, and consistent runtime, look at containers.

Containers (for example, on Azure Kubernetes Service or container instances) package an app and its dependencies with less overhead than a VM. They are well-suited for microservices and portable deployments. AZ-900 often checks that you know containers share the host OS kernel, making them lighter than VMs, but not a replacement for scenarios needing full OS isolation.

Serverless (for example, Azure Functions) is designed for event-driven execution where you focus on code, not infrastructure. It’s a strong match for bursts, triggers, and intermittent workloads. The common exam misstep is equating serverless with “no servers exist.” Servers exist, but Azure manages them; you manage code and configuration.

Exam Tip: If the requirement says “run code when a file is uploaded,” “pay only when it runs,” or “event-driven,” think serverless. If it says “migrate an existing server,” think VM. If it says “package and deploy consistently across environments,” think containers.

Networking fundamentals are tested through simple connectivity and naming scenarios. The core building block is the Azure Virtual Network (VNet), which provides private IP space segmentation, subnets, and a boundary for many networking controls. If you need private communication between Azure resources, VNets (and subnet design) are usually in the answer set.

To connect on-premises to Azure, you’ll typically choose between VPN Gateway and ExpressRoute. VPN uses the public internet with encryption; ExpressRoute provides private connectivity through a connectivity provider and is typically associated with more consistent performance and higher reliability. The exam does not require you to know exact throughput tiers, but it does expect you to pick ExpressRoute when the scenario emphasizes “private connection,” “dedicated,” or “no internet.”

DNS fundamentals show up as well: DNS maps names to IP addresses. Azure provides DNS hosting options, and name resolution is essential for apps and services to find each other. A frequent trap is overcomplicating DNS when the question is simply asking what DNS is used for (name resolution), not how to configure records.

• VNet: private networking in Azure (subnets, segmentation).
• VPN Gateway: encrypted tunnel over the public internet.
• ExpressRoute: private, dedicated connectivity (no public internet path).
• DNS: translates names to IP addresses for service discovery.

Exam Tip: If the question says “secure connection over the internet,” pick VPN. If it says “private connectivity with predictable performance,” pick ExpressRoute. If it says “private network boundary in Azure,” pick VNet.

Azure storage fundamentals are centered on the storage account, which is the container for many storage services and settings (like redundancy and access). AZ-900 expects you to recognize the main storage types and when each is appropriate: Blob, Files, Disk, and Queue. You should also be able to interpret basic scenarios and select the best fit.

Blob storage is object storage for unstructured data: images, videos, backups, logs, and datasets commonly used in AI workflows. If the scenario mentions storing large amounts of unstructured data, blob is usually correct. File storage provides managed file shares (SMB/NFS options in many cases) and is commonly chosen for “shared drive” or “lift-and-shift file share” wording.

Disk storage is block storage typically attached to VMs (OS disks and data disks). If the question mentions “attach storage to a VM” or “persistent disk for a VM,” disk is the right concept. Queue storage supports messaging patterns—decoupling components with simple message queues. If you see “buffer,” “decouple,” or “asynchronous processing,” queues are a strong match.

Common trap: selecting Blob for a traditional file share requirement. Blob is not an SMB file share; Azure Files is the usual answer when the prompt says “mount,” “shared folder,” or “SMB.” Another trap is using Queue when the requirement is long-term data retention; queues are for messaging, not archival storage.

Exam Tip: Match the storage type to the data shape: objects → Blob, shared files → Files, VM-attached blocks → Disks, messages between components → Queues. When two answers seem plausible, look for keywords like “mount,” “attach,” or “asynchronous.”

Section 4.1: Microsoft Entra ID basics and identity in Azure

Identity is the entry point to Azure. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud-based identity and access management service. In exam terms: Entra ID is where users, groups, and app identities are defined and where sign-in is validated for Microsoft cloud services (Azure, Microsoft 365, and thousands of SaaS apps). When you see “sign-in,” “single sign-on (SSO),” “MFA,” or “conditional access,” your mental pointer should go to Entra ID.

AZ-900 frequently tests the distinction between authentication and authorization. Authentication answers: “Who are you?” Authorization answers: “What are you allowed to do?” Entra ID participates in both, but don’t conflate them. Authentication is the act of verifying identity (password, certificate, MFA, device-based signals). Authorization is granting permissions to resources—often implemented through Azure role-based access control (RBAC), covered next.

Entra ID also supports identities beyond end users: applications and services can authenticate using service principals and managed identities. For fundamentals, you don’t need implementation steps, but you should recognize the benefit: managed identities reduce secret management because Azure can issue tokens to an Azure resource securely.

• Keyword mapping: “Users logging in” → Entra ID; “MFA/Conditional Access” → Entra ID; “permissions to a resource” → RBAC; “app-to-Azure authentication without secrets” → Managed identities.
• Common trap: confusing Entra ID with Active Directory Domain Services (AD DS). AD DS is traditional on-prem domain services; Entra ID is cloud identity. Azure AD DS is a managed domain service for domain join/LDAP/Kerberos scenarios—not the same thing as Entra ID.

Exam Tip: If a question describes SSO to cloud apps, user sign-in, or identity protection, it is almost never a “networking” service answer. It’s Entra ID (identity), not VNets (connectivity).

Section 4.2: Access management: RBAC concepts and least privilege

Once identity is confirmed, Azure must decide what actions the identity can perform. Azure role-based access control (RBAC) is the primary authorization system for Azure resources. RBAC answers “who can do what at which scope.” The exam expects you to know the RBAC building blocks: security principal (user/group/service principal/managed identity), role definition (a set of allowed actions), scope (management group, subscription, resource group, or resource), and role assignment (linking principal + role + scope).

Scope is a frequent testing angle. Permissions “inherit” down the hierarchy: a role assigned at a subscription applies to all resource groups/resources under it. This is great for consistency, but it’s also where over-permissioning happens. AZ-900 emphasizes least privilege: grant only the permissions required, at the narrowest scope that meets the need. If the question says “allow a team to manage only a specific resource group,” that implies assigning roles at the resource group scope rather than the subscription.

Know the intent of common built-in roles: Owner (full access including permission management), Contributor (manage resources but cannot grant access), and Reader (view only). Many exam distractors attempt to push you toward Owner when Contributor is safer and aligns with least privilege.

• Common trap: mixing up RBAC (Azure resource permissions) with Entra roles (directory-level admin roles). If the scenario is about Azure resources like VMs, storage accounts, or VNets, it’s usually RBAC.
• How to identify correct answers: look for the scope requirement (resource vs resource group vs subscription) and the action (view, manage, delegate access).

Exam Tip: If the question mentions “manage access,” you likely need an RBAC role that includes permission assignment capability (often Owner or User Access Administrator). If it does not mention delegating permissions, Contributor is a common correct answer over Owner.

Section 4.3: Security tooling overview: Defender for Cloud and baseline security posture

AZ-900 focuses on understanding the security “layer cake” in Azure: identity controls (Entra ID, RBAC), network controls (firewalls, NSGs, private connectivity), and continuous posture management. Microsoft Defender for Cloud is Azure’s core service for security posture management and threat protection across workloads. The exam often frames this as “improve security recommendations,” “assess security configuration,” or “protect workloads” at a high level.

Defender for Cloud provides secure score, policy-driven recommendations, and can enable enhanced protections for specific resource types. Do not confuse it with Microsoft Sentinel (a SIEM/SOAR). Sentinel is for security event collection, correlation, and incident response; Defender for Cloud is for posture and workload protection recommendations and alerts.

Connectivity and protection concepts show up here too: Azure uses defense-in-depth. Expect to recognize baseline concepts like network segmentation (VNets/subnets), filtering (Network Security Groups), perimeter protection (Azure Firewall), and private access patterns (Private Link). Fundamentals questions rarely demand the exact configuration but will expect you to know what each control is generally for.

• Common trap: assuming “the cloud provider secures everything.” The shared responsibility model still requires you to secure identities, configure access, patch OS on IaaS VMs, and secure data.
• Identify the tool: “recommendations/secure score” → Defender for Cloud; “collect and correlate security logs across many sources” → Sentinel; “govern and enforce standards” → Azure Policy (related to posture).

Exam Tip: If a question asks how to “get security recommendations” or “assess security posture” across Azure resources, Defender for Cloud is the highest-probability answer in AZ-900.

Section 4.4: Application and integration services overview (App Service, Functions, Logic Apps concepts)

This section is where many AI beginners benefit: most AI solutions are delivered as applications and APIs, and AZ-900 wants you to recognize the managed services that host them. Start with the mental model: App Service for hosted web apps and APIs (PaaS), Azure Functions for event-driven serverless code, and Logic Apps for workflow automation and integration using connectors.

App Service is ideal when the scenario says “host a web application,” “REST API,” “minimal infrastructure management,” or “built-in scaling.” Functions is likely when you see “run code on demand,” “triggered by an event,” “short-lived,” or “serverless.” Logic Apps shows up when the scenario says “workflow,” “orchestration,” “connect to SaaS,” “no-code/low-code,” or “automate approvals and notifications.”

Integration often includes messaging patterns even at fundamentals: decoupling components improves reliability. While deep messaging services (Service Bus, Event Grid) may appear elsewhere, the exam often wants you to choose a service that reduces operational burden and matches the trigger/workflow story.

• Common trap: picking VMs for everything. If the question implies you want the platform to handle patching and runtime management, App Service/Functions/Logic Apps usually beat IaaS VMs.
• Selection cues: “API hosting” → App Service; “event trigger” → Functions; “workflow with connectors” → Logic Apps.

Exam Tip: In AZ-900, the word “serverless” is a strong signal. If you see “serverless compute,” default to Azure Functions unless the scenario is specifically workflow-oriented (then Logic Apps).

Section 4.5: Data services overview (Azure SQL, Cosmos DB concepts) and storage selection cues

AZ-900 expects you to categorize data services, not design schemas. Two flagship database services commonly tested are Azure SQL and Azure Cosmos DB. Azure SQL (Azure SQL Database/Managed Instance) is a managed relational database for SQL workloads—think structured data, relational constraints, and T-SQL compatibility. Cosmos DB is a globally distributed NoSQL database designed for low latency and elastic scaling, often used for high-throughput apps, IoT, or user-facing systems requiring global distribution.

Questions frequently revolve around “relational vs non-relational” language. If you see “tables, rows, joins, SQL,” that leans Azure SQL. If you see “schema-less, JSON documents, key-value, graph, global distribution,” that leans Cosmos DB. Another common cue is “planet-scale” or “multi-region replication,” which is closely associated with Cosmos DB’s design goals.

Storage selection cues also appear at fundamentals: Blob storage for unstructured objects (images, audio, model artifacts), Files for SMB-compatible file shares, Disks for VM block storage, and Queues/Tables for simple messaging or NoSQL key-value patterns (depending on the specific storage option described). For AI beginners, remember that datasets and model outputs are often blobs; relational metadata often fits Azure SQL.

• Common trap: assuming Cosmos DB is “just Azure SQL but faster.” It is a different model (NoSQL) and is chosen for distribution/scale patterns more than for relational features.
• How to identify correct answers: match the data structure words (“joins” vs “documents”), and match the availability/performance story (global low-latency vs traditional relational reporting).

Exam Tip: If the question emphasizes “global distribution” and “low latency worldwide,” Cosmos DB is a frequent correct answer, even when multiple databases could technically store the data.

Section 4.6: AI-related services overview for beginners (Azure AI services categories, not deep implementation)

AZ-900 includes only a light overview of AI offerings, but it does test whether you can recognize the main categories and describe them at a high level. For beginners, organize Azure AI into three buckets: prebuilt AI services, AI development platforms, and search/knowledge experiences. Prebuilt services (often branded under Azure AI Services) provide ready-to-use capabilities such as vision, speech, language, and document processing—useful when a scenario asks for “add OCR,” “transcribe audio,” or “detect objects” without building a model from scratch.

For model-building and end-to-end ML operations, the platform story is Azure Machine Learning (workspace-based environment for training, deployment, and MLOps concepts). The exam may not require MLOps depth, but it may ask you to choose the service intended for building/training models versus calling an API.

For “find information in large content,” “index documents,” or “search over enterprise content,” look toward Azure AI Search as the search and retrieval layer (often paired with AI enrichment). Even if generative AI is mentioned broadly, AZ-900 aims at recognizing service categories rather than implementation specifics.

Responsible AI and security considerations matter at fundamentals: know that Azure emphasizes responsible use principles (fairness, reliability/safety, privacy/security, inclusiveness, transparency, accountability). On exam questions, this can appear as “consider privacy,” “avoid bias,” or “ensure human oversight.”

• Common trap: choosing Azure Machine Learning when the scenario says “use a prebuilt API” for vision/speech/language. Conversely, choosing a prebuilt service when the scenario says “train a custom model.”
• How to identify correct answers: “prebuilt capability via API” → Azure AI Services; “train/deploy models” → Azure Machine Learning; “index and search content” → Azure AI Search.

Exam Tip: If the question includes “no ML expertise required” or “pretrained model,” pick the prebuilt AI services category over a training platform.

Section 5.1: Azure management tools and when to use each (Portal/CLI/PowerShell/Cloud Shell)

AZ-900 expects you to identify Azure’s primary management surfaces and select the right one for a given situation. The Azure portal is the browser-based GUI; it’s excellent for discovery, learning, and one-off tasks where visual feedback helps (viewing resource properties, setting up simple policies, checking health alerts). The Azure CLI is command-line oriented and cross-platform; it’s commonly used in automation, scripts, and CI/CD scenarios. Azure PowerShell is the PowerShell module set for Azure; it’s favored in Windows-centric environments and for admins who already script with PowerShell objects and pipelines.

Cloud Shell is not a separate tool family as much as a hosted environment that gives you a ready-to-use shell (Bash with Azure CLI or PowerShell) in the browser, already authenticated to your tenant. Cloud Shell is especially useful for exams because it often appears as the “no local setup” option: you can run CLI/PowerShell commands without installing anything. It also includes common utilities and can mount an Azure Files share for persistence.

• Portal: interactive, visual; great for learning and configuration checks.
• CLI: lightweight, cross-platform; strong for repeatable commands and automation.
• PowerShell: object-based scripting; strong for admin automation in PowerShell ecosystems.
• Cloud Shell: quick access to CLI/PowerShell in-browser; avoids local installation.

Exam Tip: When a scenario says “admin needs to manage Azure from a web browser without installing tools,” the expected answer is usually Azure Cloud Shell, not “Azure CLI” alone.

Common trap: confusing Cloud Shell with the Azure portal. Cloud Shell is launched from the portal, but it is a shell environment that runs commands. Another trap: assuming PowerShell only works on Windows—modern PowerShell is cross-platform, but AZ-900 questions typically focus on the administration style (PowerShell scripting) rather than OS support.

Section 5.2: Resource organization and governance patterns (naming, tagging, RG strategy)

Governance starts with organization. On AZ-900, you must describe how Azure resources are grouped and identified so that cost, access, and compliance can be managed consistently. The most practical unit is the resource group (RG): a logical container for related resources. Many governance actions—like applying role assignments, tags, and policies—are commonly done at the RG or subscription scope.

A common pattern is to group by lifecycle and ownership: put resources that should be deployed, updated, and deleted together in the same RG. For example, an AI proof-of-concept might have a resource group that contains the compute, storage, and an Azure AI service instance for that POC; when the POC ends, deleting the RG cleans up the whole set. Alternatively, shared services (networking, log workspaces) often live in separate RGs to avoid accidental deletion.

Naming conventions and tagging are not just “nice to have”—they show up indirectly in exam questions about cost tracking and governance. A naming convention helps humans quickly identify the resource purpose and environment (dev/test/prod). Tags are key-value metadata used for reporting and management; they don’t enforce behavior, but they improve visibility and allow cost allocation (for example, tag by CostCenter, AppName, Environment, Owner).

• Naming: supports clarity and reduces misconfiguration in large environments.
• Tagging: enables cost allocation, filtering, and operational ownership.
• RG strategy: align with lifecycle, ownership, and blast radius for changes/deletion.

Exam Tip: If the question is about “tracking costs by department” or “showback/chargeback,” tags are often the fastest path. If the question is about “apply settings to many resources,” think scope (management group/subscription/RG) plus policy—not tags.

Common trap: thinking tags “secure” resources or “prevent” actions. Tags are metadata only. They help organize and report; enforcement is done with Azure Policy and access controls (RBAC).

Section 5.3: Azure Policy basics, initiatives, and compliance thinking

Azure Policy is the governance feature that evaluates resources against rules. On AZ-900, the key idea is enforcement and compliance at scale. Policies can audit resources (report non-compliance) or deny non-compliant deployments (prevent creation/update that violates the rule). You will see questions where an organization needs to ensure standards like “only deploy in approved regions,” “require specific tags,” or “disallow public IPs.” These are classic Azure Policy cases.

An initiative (also called a policy set) groups multiple policies into a single assignment. If you want a consistent baseline across many subscriptions—such as a security standard—an initiative is easier to assign and manage than dozens of individual policies. Exam questions may describe “a collection of policies” or “a standard applied across the org”; that wording is pointing you to initiatives.

Compliance thinking: Azure Policy provides compliance results (compliant/non-compliant resources) and can trigger remediation for certain policies using managed tasks. For AZ-900, focus on the idea that policy helps you prevent drift and maintain guardrails, rather than manual review. Also be clear on scope: policies can be assigned at management group, subscription, resource group, or resource scope.

Exam Tip: If the requirement is “ensure all new resources meet the standard,” choose a policy with Deny. If the requirement is “identify existing resources that violate the standard,” choose Audit (or compliance reporting). Look for verbs: “prevent” vs “report.”

Common trap: mixing up Azure Policy with RBAC. RBAC answers “who can do what.” Policy answers “what is allowed to be deployed/configured.” Another trap: using resource locks to enforce standards—locks prevent deletion or modification, but they don’t validate configuration rules like location, SKU, or required tags.

Section 5.4: Cost management fundamentals (pricing factors, budgets, alerts, tags, calculators)

Cost questions on AZ-900 are less about doing math and more about recognizing the drivers of spend and the tools used to estimate and control it. Pricing factors commonly tested include: resource type and SKU (performance tier), usage/consumption (time running, transactions), region (prices vary), data transfer (especially egress), and licensing (where applicable). For AI-related workloads, the trap is forgetting that data egress and always-on compute can dominate costs even when the “AI service” seems inexpensive.

For estimation, Microsoft provides calculators such as a pricing calculator (to estimate Azure services) and a TCO calculator (to compare on-premises costs to Azure). The exam frequently frames this as “before migrating, estimate cost” (use calculators) vs “after deployment, track and optimize spend” (use Cost Management).

In Azure Cost Management, budgets let you set a spending threshold for a scope (subscription or resource group) and configure alerts when actual or forecasted spend reaches a percentage. Budgets do not automatically shut down resources by themselves; they are primarily for visibility and alerting (automation can be added, but AZ-900 usually focuses on the alerting concept). Tags help allocate costs to teams/apps/environments so that reports can break down spend meaningfully.

• Pricing factors: SKU, usage, region, data transfer, and licensing.
• Budgets: thresholds + alerts for actual/forecasted spend.
• Tags: cost allocation (CostCenter/Project/Env) and reporting filters.
• Calculators: Pricing Calculator (estimate Azure) and TCO (compare vs on-prem).

Exam Tip: If the scenario says “notify when spending approaches $X,” that is a budget with alerts. If it says “estimate monthly cost before deploying,” that is the Pricing Calculator. If it says “compare current datacenter to Azure,” that is TCO Calculator.

Common trap: selecting tags as a control mechanism to “limit” spend. Tags do not cap spending; budgets and alerts help you detect and act, but they are not the same as hard enforcement.

Section 5.5: Monitoring and operations (Azure Monitor, alerts, Log Analytics concept, Service Health)

AZ-900 tests that you can describe the basic monitoring stack and distinguish between “what’s happening in my resources” and “what’s happening in Azure itself.” Azure Monitor is the umbrella service for collecting and acting on telemetry: metrics (numeric time-series like CPU percentage), logs (records/events), and alerts (notifications/actions triggered by metric or log conditions). You do not need deep query language skills for AZ-900, but you should know that logs are commonly centralized in a Log Analytics workspace for analysis and correlation.

Alerts are a common exam focus: they can be created from metrics (fast, near real-time) or logs (richer context). The scenario wording matters: “CPU > 80% for 5 minutes” strongly implies a metric alert; “error pattern found in application logs” implies a log alert. Azure Monitor also integrates with dashboards and can route notifications via action groups.

Service Health is different: it provides visibility into Azure platform issues. If there’s an outage affecting a region or a specific Azure service, Service Health is where you check incidents, planned maintenance, and health advisories. This is frequently tested because it’s the correct answer when “your resources are fine, but the platform is having problems.”

Exam Tip: If a question asks “where to see Azure outages that may impact your subscription,” choose Azure Service Health. If it asks “monitor performance and create alerts for a VM/app,” choose Azure Monitor.

Common trap: confusing “monitoring” with “governance.” Monitoring detects and notifies; governance prevents and standardizes. Also avoid the trap of assuming Service Health monitors your application code—Service Health is about the Azure platform and service incidents, not your app’s internal errors.

Section 5.6: Exam-style practice: governance scenarios, cost/reliability cues, and quick elimination techniques

On AZ-900, management and governance items often present short scenarios with a single “best fit” service. Your advantage comes from cue recognition and elimination. First, identify whether the question is about how to manage (tool choice), how to control (policy/locks), how to pay/track (cost management), or how to observe (monitoring/health). Then match to the smallest correct feature.

Governance cues: words like “must,” “only,” “require,” “deny,” and “standard” point to Azure Policy/initiatives. If the requirement is “apply multiple rules as a package,” that’s an initiative. If the requirement is “prevent accidental deletion/modification,” that’s a resource lock (ReadOnly or Delete). A common elimination technique is to remove answers that only provide visibility (tags, reports) when the requirement is enforcement.

Cost cues: “forecast,” “threshold,” “notify,” “budget,” “cost breakdown by department,” and “estimate before purchase.” Budgets and alerts address thresholds; tags address allocation; calculators address estimation. Reliability cues: “Azure-wide incident,” “region outage,” “planned maintenance,” which map to Service Health; whereas “resource performance,” “collect metrics/logs,” and “create alert rules” map to Azure Monitor and Log Analytics concepts.

Exam Tip: When two answers both sound plausible, prefer the one that directly satisfies the verb in the requirement: estimate (calculator), track (Cost Management reports + tags), enforce (Policy), prevent deletion (locks), detect platform incident (Service Health), alert on resource condition (Azure Monitor).

Common trap patterns to watch: (1) picking RBAC when the question is actually about configuration standards (Policy), (2) picking tags when the question is about prevention, and (3) picking Azure Monitor when the question is explicitly about a Microsoft-side outage (Service Health). The fastest path to points is recognizing these mismatches and eliminating them.

The AZ-900 exam environment rewards calm pacing. Your mock exam should mirror that: complete two parts back-to-back (or in the same day), using a timer and a strict “one pass + one review” approach. On pass one, answer every item you can within a short decision window, and mark uncertain ones for review. On pass two, return only to marked items and make final choices. This prevents the common trap of spending too long early, then rushing through easier points later.

Time management strategy for fundamentals exams: allocate time by question difficulty rather than by topic. Most AZ-900 items are short conceptual prompts with 2–4 plausible choices. If you can’t justify an answer in under a minute, mark it and move on. Your review pass is where you resolve ambiguity with elimination.

Exam Tip: When you see “best” or “most cost-effective,” translate it to “which option matches the requirement with the fewest extra features.” Distractors often add unnecessary capabilities (and cost) that are not asked for.

Common pacing traps: (1) rereading the same question repeatedly (usually a sign you need to extract the requirement keywords), (2) chasing unfamiliar acronyms (AZ-900 rarely requires obscure terms), and (3) changing correct answers during review without new evidence. Only change an answer if you can articulate a concrete reason tied to the prompt’s requirement.

Mock Exam Part 1 is designed to cover all official domains in a balanced way, with an emphasis on cloud concepts and Azure architecture basics. As you work, actively label each item in your head: “cloud concept,” “core architecture,” “service category,” “security/identity,” or “management/governance.” This mental tagging trains you to match the question to the correct objective area quickly—exactly what the real exam tests.

In this part, you should expect frequent comparisons and boundary questions, such as who manages what in shared responsibility, or what changes between IaaS, PaaS, and SaaS. The exam loves edge cases: for example, many learners over-assign responsibility to Microsoft in IaaS (you still manage OS, patches, and most configurations). Another common trap is confusing availability and durability—availability is uptime (SLA), durability is likelihood your data remains intact.

Exam Tip: When a prompt mentions “global,” “low latency,” or “disaster recovery,” check whether the best match is a region pair, availability zones, or a multi-region design. Zone = within a region; region pair = two regions in the same geography; multi-region = broader design choice.

Also watch for “fundamentals-level service matching.” If a question asks for “object storage,” the answer is typically Azure Blob Storage; if it asks for “managed file shares,” Azure Files; if it asks for “disk for VMs,” Azure Disk Storage. For networking, train your reflexes: VNet is the private network boundary, VPN Gateway/ExpressRoute connect on-prem, and NSGs filter traffic at subnet/NIC scope. Your goal isn’t memorization—your goal is correct category mapping.

Mock Exam Part 2 shifts the weight toward identity, access, security, governance, pricing, SLAs, and monitoring—areas where AZ-900 distractors are subtle. The exam often tests whether you can distinguish tools that “sound alike” but serve different purposes: Microsoft Entra ID (Azure AD) for identity, Azure Policy for enforcing rules, Azure RBAC for authorization, and Azure Monitor for collecting telemetry (metrics/logs/alerts).

Pricing and lifecycle planning frequently appear as scenario-like prompts: you’ll be asked which factor affects cost (region, egress, reserved instances, storage tier), how SLAs behave in composite systems (multiple components reduce overall SLA), and what improves reliability (availability zones, load balancing, replication). A classic trick is to offer “more monitoring” as a reliability fix—monitoring helps detect issues, but it doesn’t inherently increase availability unless paired with resilient design.

Exam Tip: If the requirement is “control or prevent,” think governance (Policy, Blueprints/landing zones, management groups). If the requirement is “see or measure,” think monitoring (Azure Monitor, Log Analytics, alerts). If the requirement is “who can do what,” think RBAC. If the requirement is “prove compliance,” think compliance tools and reports.

For AI beginners, AZ-900 includes high-level awareness of AI-related Azure services. The exam does not expect model training detail; it expects service identification and responsible use awareness. If the prompt mentions “prebuilt vision/speech/language APIs,” think Azure AI Services. If it mentions “building, training, and deploying models,” think Azure Machine Learning. Distractors will sometimes include general compute services (VMs) when the question is clearly about managed AI capabilities.

Your score only matters if you extract lessons from each miss. Use a structured answer review framework for every marked or incorrect item: (1) restate the requirement in one sentence, (2) identify the domain/objective being tested, (3) justify the correct option using a definition or feature-purpose statement, and (4) explain why each wrong option fails the requirement. This “why wrong” step is where your future points come from—because distractors on AZ-900 are engineered around near-misses.

Apply elimination systematically. First remove options that are the wrong category (e.g., monitoring tool offered when governance is needed). Next remove options that solve a different problem (e.g., encryption at rest proposed when the requirement is access control). Finally, choose between the remaining options by matching scope: subscription vs. resource group vs. resource; region vs. zone; identity vs. authorization.

Exam Tip: Build a personal “confusion pair list” during review: RBAC vs. Policy, NSG vs. Azure Firewall, availability zones vs. region pairs, CapEx vs. OpEx, TCO vs. pricing calculator, Azure Advisor vs. Azure Monitor. The exam repeatedly tests these pairs.

When you review pricing/SLA questions, write out the causal logic. Example patterns: “More services in series = lower end-to-end SLA,” “Reserved instances reduce cost for predictable usage,” “Outbound data transfer can be a cost driver,” and “Higher redundancy tiers cost more but increase availability/durability.” Your objective is to be able to defend the right choice without “I’ve seen this before.”

After both mock parts and your answer review, categorize your misses under the official AZ-900 domain names. This prevents random re-study and ensures your time targets the objectives Microsoft grades. Create a simple remediation table with three columns: Domain, Symptom (what you did wrong), Fix (what you will drill). Then run a short, focused loop for each weak domain.

Describe cloud concepts: shared responsibility, cloud models, and cloud benefits. If you missed these, drill boundary statements (“In IaaS, customer manages OS and apps”) and model tradeoffs (elasticity, scalability, OpEx). Trap: confusing SaaS responsibilities—customers still manage data, users, and access.

Describe cloud concepts: pricing, SLAs, and lifecycle planning for reliability. If you missed these, practice mapping “requirement keywords” to design choices: uptime needs → zones/replication; cost predictability → reservations; budgeting → Azure Cost Management. Trap: thinking SLAs apply automatically to your whole solution; they apply per service and architecture matters.

Describe Azure architecture and services: core architectural components. If you missed these, drill hierarchy: management groups → subscriptions → resource groups → resources. Trap: thinking a resource can belong to multiple resource groups (it can’t).

Compute, networking, and storage fundamentals. If you missed these, re-map common workloads to services (VMs vs. App Service vs. Containers) and storage types (Blob/Files/Disks). Trap: choosing a “more powerful” service when a simpler managed service fits the requirement.

Identity, access, security, and AI-related services overview. If you missed these, drill: Entra ID for identity, RBAC for permissions, MFA/Conditional Access for stronger auth, Defender for Cloud for security posture, and AI Services vs. Azure ML. Trap: mixing authentication (who you are) with authorization (what you can do).

Management and governance: cost, monitoring, compliance. If you missed these, drill distinctions: Policy (enforce), Monitor (observe), Advisor (recommend), Cost Management (track/optimize), compliance offerings (standards and reports). Trap: selecting monitoring tools to “prevent” misconfigurations.

Use a written checklist for exam day to remove avoidable stress. Confirm your testing mode (online proctored vs. test center) and follow the strictest interpretation of allowed items. For online proctoring, ensure a clean desk, stable internet, and a quiet room; expect to show your workspace and comply with rules about phones, papers, extra monitors, and interruptions. For test centers, arrive early with valid ID and store personal items as required.

Pacing plan: commit to a steady first pass, marking uncertain questions without spiraling. If you notice fatigue, reset with a brief posture/breathing reset and continue—AZ-900 punishes overthinking more than it punishes not knowing one niche fact. On review, only revisit marked items; do not “second-guess sweep” the entire exam unless you have extra time and a clear reason.

Exam Tip: Before you click “End,” run a quick mental scan for the most common trap categories: governance vs. monitoring tools, RBAC vs. Policy, zones vs. region pairs, and service-type matching (Blob/Files/Disks; VNet/VPN/ExpressRoute; VM/App Service/Containers).

Final 30-minute review: focus on must-know comparisons and key terms rather than reading long notes. Recite definitions aloud: shared responsibility, CapEx vs. OpEx, SLA vs. SLO conceptually, region vs. availability zone, subscription vs. resource group, authentication vs. authorization, and the purpose statements for Azure Policy, RBAC, Azure Monitor, and Cost Management. Your confidence builder is clarity: if you can define it and state its purpose, you can beat the distractors.