AZ-900 Practice Test Bank: 200+ Questions

Section 1.1: AZ-900 exam overview, provider background, and certification value

AZ-900 is Microsoft’s foundational certification exam for Azure. It is intended for beginners, business stakeholders, students, career changers, and technical professionals who need a validated baseline understanding of cloud concepts and Azure services. The exam does not assume prior experience managing Azure resources in production, but it does expect you to recognize service categories, understand cloud value propositions, and identify the correct Azure concepts in common business and technical scenarios.

Microsoft positions this exam as a fundamentals credential, which means the focus is breadth over depth. You should be able to explain what cloud computing is, distinguish public, private, and hybrid cloud models, understand benefits such as high availability and scalability, and identify major Azure components like regions, subscriptions, virtual machines, storage, Entra ID, and governance tools. A common beginner trap is underestimating the exam because it is “fundamentals.” In reality, the wording can be precise, and answer choices often include related but incorrect Azure services.

The certification has value beyond passing a single test. It establishes baseline cloud literacy, supports entry into more advanced Azure certifications, and can strengthen resumes for help desk, support, analyst, sales engineering, project coordination, and early-career cloud roles. It is also useful for non-technical professionals who work with Azure-based solutions and need to communicate accurately with architects, administrators, and security teams.

Exam Tip: Expect Microsoft to test whether you know the purpose of a service, not whether you can configure it. If you know what problem a service solves and which category it belongs to, you are already aligning well with AZ-900 expectations.

When evaluating certification value, remember that AZ-900 is often used by employers as evidence of terminology fluency and conceptual readiness. It does not prove operational expertise, but it does show that you can speak the language of Azure and understand the fundamental decision points that appear in real organizations. That is why this exam matters as both a learning milestone and a career signal.

Section 1.2: Skills measured and official exam domains by name

Your study plan should begin with the official domain names because the exam is structured around them. For AZ-900, candidates should expect objectives aligned to the following areas: Describe cloud concepts, Describe Azure architecture and services, and Describe Azure management and governance. Depending on Microsoft’s periodic refreshes, weighting may shift, but these domain names remain the best organizing framework for note-taking and practice review.

Describe cloud concepts covers foundational material such as shared responsibility, cloud models, and cloud pricing ideas. This is where Microsoft checks whether you understand why organizations adopt cloud services and how responsibilities differ between IaaS, PaaS, and SaaS. The classic exam trap here is confusing “benefits of cloud” with “features of a specific Azure service.” Stay at the concept level unless the question clearly asks about Azure products.

Describe Azure architecture and services is the broadest domain for many learners. It includes architectural components such as regions, availability zones, region pairs, subscriptions, management groups, and resource groups. It also includes core service categories like compute, networking, storage, and databases. The exam often tests whether you can distinguish category boundaries. For example, know the difference between a compute offering and a storage offering, or between logical organization constructs and physical infrastructure concepts.

Describe Azure management and governance focuses on identity, access, security, compliance, policy, resource management, and cost management. This domain can be deceptively tricky because many services sound similar. You should know the purpose of Microsoft Entra ID, role-based access control, Azure Policy, resource locks, Microsoft Defender for Cloud, and cost tools at a fundamentals level. The exam is not asking for deep implementation steps, but it does expect accurate selection of the right governance or security concept.

Exam Tip: Build a one-page domain map. Under each official domain, list key terms, what they do, and one sentence about how Microsoft is likely to test them. This makes practice-bank review much more effective because every question can be tied back to a measurable objective.

Always remember that the exam is designed to reward objective alignment. If a question mentions billing hierarchy, think subscriptions and management structures. If it mentions identity and sign-in, think Entra ID. If it mentions rules that enforce standards, think policy and governance. Mapping wording to domain intent is one of the fastest ways to improve your score.

Section 1.3: Registration process, identification rules, and exam delivery options

Registering for AZ-900 is straightforward, but exam candidates lose unnecessary time and money when they ignore logistics. Typically, you schedule through Microsoft’s certification portal and select an authorized exam delivery option. You may be able to choose an in-person test center or an online proctored exam, depending on availability and local policy. Before booking, verify current requirements directly on Microsoft’s official certification pages because testing rules, rescheduling windows, and regional policies can change.

For in-person delivery, the main concerns are arrival time, approved identification, and comfort with the testing environment. For online delivery, you must also prepare your room, computer, internet connection, webcam, microphone, and desk setup according to proctoring rules. Candidates are often surprised by how strict remote testing can be. Items on your desk, multiple monitors, unstable network connections, or failure to complete system checks can delay or cancel the exam experience.

Identification rules matter. Your registered name should exactly match your government-issued identification where required by the provider. Even small mismatches can create check-in issues. If your profile, middle name, or surname formatting is inconsistent, resolve it before exam day. Do not assume a testing center or online proctor will “make an exception.”

Exam Tip: Treat registration as part of exam preparation. Schedule early enough to create a deadline, but leave time for review and unexpected life events. If testing online, run the system check several days before the exam and again on exam day.

Choose the delivery option that best supports your performance. Some learners prefer a quiet test center because it reduces technical uncertainty. Others prefer home testing because it removes travel stress. Be honest about your environment. If your home internet is unreliable or you cannot guarantee a clean, interruption-free room, a test center may be the better strategic choice. Logistics are not separate from performance; they directly affect your focus and confidence.

Section 1.4: Scoring model, passing expectations, and question format overview

AZ-900 uses a scaled scoring model, and the commonly cited passing benchmark is 700 on a scale of 100 to 1000. Candidates should understand two important points. First, scaled scoring does not mean every question is worth the same amount. Second, your goal is not perfection. Your goal is to demonstrate sufficient understanding across the measured domains. That means weak performance in one area can hurt you, especially if it is a heavily weighted section, so broad preparation is safer than trying to specialize.

The exam may include different question styles, such as standard single-choice items, multiple-choice items, and scenario-based prompts. Some questions test simple recognition, while others test application. In scenario wording, the trap is often extra information. Beginners sometimes overread and assume the exam requires advanced design knowledge. Usually, the best answer is still the one that matches the specific concept or service described by the scenario.

Time management is part of the skill set. Even if the exam is not known for extreme time pressure, you should still pace yourself. Do not spend too long trying to force certainty on one difficult item. If a question is unclear, eliminate obviously wrong choices, select the best remaining option, and move on. Fundamentals exams often punish hesitation more than complexity.

Exam Tip: Read every answer choice fully before selecting. Microsoft frequently places one answer that sounds generally Azure-related and another that precisely matches the tested concept. The precise match is usually correct.

When reviewing score expectations, remember that you do not need to know every detail of every service SKU or technical implementation step. You do need to avoid preventable misses caused by confusing similar terms, rushing past qualifiers like “most appropriate” or “best describes,” and failing to distinguish broad cloud principles from Azure-specific products. Practice should train your reasoning, not just your memory.

Section 1.5: How to study effectively using practice banks and answer reviews

Practice banks are most effective when used as a diagnostic tool, not as a memorization shortcut. The goal is not to remember answer positions. The goal is to build pattern recognition for official exam objectives. Start by studying the domain outline, then use practice questions to test recall and decision-making. After each session, review every explanation, including for questions you answered correctly. A correct guess does not equal mastery, and a lucky result can hide weak understanding.

A beginner-friendly study routine often works best in cycles. First, learn a topic in plain language. Second, answer a targeted set of practice questions. Third, review explanations and identify why distractors were wrong. Fourth, summarize the lesson in your own notes. This process is far more effective than repeatedly taking full-length tests without analysis. If you keep missing questions about subscriptions, resource groups, or governance tools, stop and revisit the concept before attempting more volume.

Answer reviews should be active. Ask yourself whether the mistake came from vocabulary confusion, concept confusion, or careless reading. For example, did you mix up Azure Policy and RBAC because both relate to control? Did you confuse high availability with scalability because both sound like cloud benefits? These error patterns matter. Strong candidates improve fastest when they categorize mistakes and then fix the root cause.

Exam Tip: Keep an “error log” with three columns: topic, why I missed it, and the corrected rule. Before the exam, review this log instead of rereading everything. It is one of the fastest ways to sharpen weak areas.

Use timed practice gradually. Begin untimed to build understanding, then shift to timed mixed sets so you can practice context switching between cloud concepts, architecture, identity, security, and cost questions. That mixed practice better reflects the real exam experience. The more comfortable you become with changing topics quickly, the less likely you are to lose points from mental fatigue or domain switching on test day.

Section 1.6: Common beginner mistakes and exam-day readiness strategy

The most common beginner mistake is studying Azure as if AZ-900 were an administrator exam. Candidates often spend too much time on deployment steps, portal navigation details, or advanced architecture patterns and too little time on service purpose, cloud principles, governance, and cost terminology. Another frequent error is learning isolated definitions without understanding contrasts. The exam often tests pairs or groups of related ideas: resource group versus subscription, authentication versus authorization, CAPEX versus OPEX, availability zone versus region, or Azure Policy versus resource locks.

Another trap is reading too quickly. Fundamentals questions may appear simple, but wording matters. Phrases like “best solution,” “primary benefit,” or “what does this service provide” are clues about scope. If the prompt asks for identity, a governance or monitoring tool is wrong even if it is useful in real life. If the prompt asks for a cloud model, an Azure service name is probably wrong. Learn to classify the question before evaluating answers.

On exam day, use a repeatable readiness checklist. Sleep adequately, confirm your appointment time, prepare identification, and avoid last-minute cramming that increases anxiety. If testing online, clear your desk, close applications, and complete check-in early. If testing at a center, arrive with extra time so you can settle mentally before starting. Confidence comes from routine.

Exam Tip: In your final review window, focus on distinctions and high-yield fundamentals: cloud models, shared responsibility, Azure architectural components, core service categories, identity and governance tools, and pricing principles. Do not try to learn a large new topic the night before.

Your exam-day strategy should be simple: read carefully, identify the domain being tested, eliminate distractors, choose the answer that most directly fits the objective, and keep moving. AZ-900 rewards calm, structured thinking. If you prepare with intention and review mistakes honestly, this exam becomes very manageable and serves as a strong launch point for deeper Azure learning.

Section 2.1: Describe cloud concepts - what cloud computing means

Cloud computing means delivering IT resources and services over the internet instead of relying only on local hardware or traditional on-premises infrastructure. For the AZ-900 exam, you should think of cloud computing as an operational and financial model, not just a hosting location. Organizations can provision servers, storage, networking, databases, and software when needed, often in minutes rather than weeks or months. This faster access to resources is one of the main reasons cloud adoption appears so often in exam questions.

The exam usually tests cloud computing through value propositions. These include lower upfront costs, faster deployment, global access, flexible scaling, and reduced maintenance effort. If a scenario mentions that a company wants to launch quickly, avoid purchasing physical servers, or support changing demand, the question is likely targeting a cloud benefit. Cloud providers such as Microsoft make resources available as standardized services, and customers consume those services as needed.

Another exam objective hidden inside this topic is shared responsibility. Although this chapter focuses on cloud principles and models, you should already be aware that cloud does not eliminate all customer responsibilities. The provider always manages some parts of the environment, but the customer still manages some elements depending on whether the solution is IaaS, PaaS, or SaaS. Questions may describe cloud computing as a way to reduce management overhead, but never assume it means zero responsibility.

Exam Tip: If a question asks for the best description of cloud computing, choose the answer that emphasizes on-demand delivery of computing resources over the internet with flexible consumption. Avoid answers that describe only virtualization, only remote access, or only data center hosting.

Common traps include confusing cloud computing with colocation or outsourcing. A company can outsource infrastructure management without using true cloud characteristics such as self-service, elasticity, and measured usage. Likewise, simply hosting applications in another company’s facility does not automatically make the solution cloud. On the exam, look for signals such as rapid provisioning, scalable resources, and pay-for-use pricing. Those signals strongly indicate a cloud-based approach rather than a traditional hosting arrangement.

Section 2.2: Consumption-based model, agility, elasticity, and scalability

The consumption-based model is one of the most important AZ-900 concepts because it explains why cloud services are financially attractive. Instead of buying infrastructure upfront as a capital expense, organizations can consume resources as needed and pay based on usage. This shifts spending toward operational expense. For example, a company can run more virtual machines during a busy period and fewer afterward, paying according to actual use rather than maximum projected demand.

Agility refers to the ability to provision and adjust resources quickly. In exam language, agility supports faster innovation, quicker deployment, and better responsiveness to business needs. If a scenario says a team needs to deploy a test environment today instead of waiting weeks for hardware procurement, agility is the key benefit. Cloud platforms enable this through self-service portals, automation, and standardized services.

Scalability and elasticity are related but not identical. Scalability is the ability to increase or decrease capacity to meet workload requirements. This can happen vertically, such as increasing CPU or memory on a system, or horizontally, such as adding more instances. Elasticity goes further: it is the ability to scale automatically or dynamically in response to demand. If the question stresses sudden spikes, automatic adjustment, or matching resources to real-time demand, elasticity is the better term.

Exam Tip: When you see wording like “rapidly increase resources during peak usage and reduce them afterward,” the exam is often pointing to elasticity. When the wording is broader, such as “increase capacity as business grows,” scalability is often the better answer.

Common exam traps include selecting cost savings as the only benefit of the consumption model. While cloud can reduce waste, its deeper value is flexibility. Organizations do not need to overprovision for rare peak demand. Another trap is assuming scalability means infinite performance. Cloud resources still have limits, but the model makes capacity adjustments much easier than in traditional environments.

To identify the correct answer, isolate the business problem first. Is the challenge unpredictable demand? That suggests elasticity. Is it faster deployment of new resources? That suggests agility. Is it paying only for what is consumed instead of maintaining unused capacity? That points to the consumption-based model. The exam rewards precise matching of terms to the scenario, so avoid choosing broad but less exact answers.

Section 2.3: High availability, fault tolerance, disaster recovery, and reliability

AZ-900 expects you to understand foundational reliability terms because they are core to cloud value. Reliability is the overall ability of a system to perform as expected over time. In cloud scenarios, reliability is often supported by redundancy, automated monitoring, and geographically distributed infrastructure. If a question asks why organizations trust critical workloads to the cloud, reliability is usually one of the major reasons.

High availability means designing services to remain operational with minimal downtime, usually by reducing single points of failure. A highly available application may use multiple servers, zones, or regions so that if one component fails, the service continues. Fault tolerance is related but stronger. It means a system can continue operating even when a component fails, often without interruption. Not every highly available system is fully fault tolerant, and that distinction can matter on the exam if answer choices are very close.

Disaster recovery focuses on restoring service after a major event such as a regional outage, natural disaster, or significant system failure. Disaster recovery is about recovering operations and data within acceptable recovery time and recovery point objectives, even though AZ-900 usually keeps this at a conceptual level. If the scenario involves a catastrophic event and restoring business operations, think disaster recovery rather than ordinary high availability.

Exam Tip: If the failure described is routine or localized, such as a server or rack failure, think high availability or fault tolerance. If the failure is large scale and the goal is restoring service after the event, think disaster recovery.

A frequent exam trap is selecting backup when the question is really about availability. Backups help recover data, but they do not automatically keep an application running during an outage. Another trap is treating redundancy and reliability as identical. Redundancy is a design technique; reliability is the outcome. Questions may describe duplicated resources across multiple locations. That design improves reliability, but the test may ask for the resulting benefit, not the mechanism.

When choosing an answer, look at the effect the organization needs. “Minimize downtime” suggests high availability. “Continue operating despite component failure” suggests fault tolerance. “Recover after a major outage” suggests disaster recovery. “Deliver consistent service over time” suggests reliability. These distinctions are exam favorites because the terms sound similar but are not interchangeable.

Section 2.4: Public cloud, private cloud, and hybrid cloud comparisons

The AZ-900 exam frequently asks you to compare deployment models. Public cloud refers to services offered over the internet by a cloud provider and shared across multiple customers, while each customer’s data and resources remain logically isolated. Public cloud is attractive because it offers high scalability, global reach, rapid deployment, and minimal infrastructure management by the customer. If a company wants to avoid building and maintaining its own hardware, public cloud is often the most direct answer.

Private cloud refers to cloud resources used exclusively by one organization. It may be hosted on-premises or by a third party, but the environment is dedicated rather than broadly shared. Private cloud can offer more control and may align with specific compliance, customization, or legacy integration needs. However, it often requires more management effort and may not provide the same level of elasticity or cost efficiency as public cloud.

Hybrid cloud combines public cloud and private infrastructure, allowing data and applications to move between them when appropriate. This is the correct choice when an organization must keep some systems on-premises but also wants cloud benefits for other workloads. Hybrid is one of the most commonly tested models because many real organizations transition gradually rather than moving everything at once.

Exam Tip: If a question includes regulatory limits, data residency concerns, legacy systems that must remain on-premises, or phased migration requirements, hybrid cloud is often the strongest answer.

Common traps include assuming private cloud automatically means more secure. Security depends on implementation and controls, not simply the deployment model. Another trap is choosing hybrid just because a company has both cloud and on-premises technology today. The key is integration and combined operation, not merely coexistence. If the scenario emphasizes a dedicated environment for one organization, that points to private cloud. If it emphasizes provider-managed internet-delivered services with no exclusive hardware requirement, that points to public cloud.

To identify the right answer, first ask who owns or shares the environment, then ask where workloads must run, and finally ask whether the organization needs to connect cloud and on-premises resources in a unified way. The exam typically rewards the model that best meets control, flexibility, and compliance needs without adding unnecessary complexity.

Section 2.5: Infrastructure as a Service, Platform as a Service, and Software as a Service

Service models are among the highest-yield AZ-900 topics. Infrastructure as a Service, or IaaS, provides fundamental computing resources such as virtual machines, storage, and networking. The customer still manages operating systems, applications, and data, while the provider manages the physical infrastructure. IaaS is the best fit when a company needs maximum control over the environment but still wants cloud flexibility. Exam scenarios that mention custom operating system configuration or lift-and-shift migration often point to IaaS.

Platform as a Service, or PaaS, provides a managed platform for building, deploying, and running applications. The provider manages the underlying infrastructure and operating environment, while the customer focuses on application code and data. If the scenario says developers want to deploy an application without managing servers, patches, or runtime infrastructure, PaaS is usually correct. This model is a frequent exam favorite because it highlights reduced administrative overhead.

Software as a Service, or SaaS, delivers complete software applications over the internet. Users simply access the application, often through a browser or client app, while the provider manages almost everything behind the scenes. Business software such as email, collaboration tools, and customer relationship management commonly falls into this category. If the scenario is about consuming a ready-to-use application rather than building or hosting one, SaaS is the best answer.

Exam Tip: Think of the models in terms of control versus convenience. IaaS gives the most customer control and the most management responsibility. SaaS gives the least control over the underlying platform and the least management burden. PaaS sits in the middle.

A common trap is choosing IaaS simply because cloud servers are involved somewhere in the background. If the customer does not manage the virtual machines or operating systems, it is probably PaaS or SaaS. Another trap is confusing PaaS with SaaS. PaaS is for developers building or deploying applications; SaaS is for end users consuming finished software.

To identify the correct answer on the exam, look for who manages what. If the organization manages the OS, choose IaaS. If the organization manages application logic but not the platform, choose PaaS. If the organization just uses the software, choose SaaS. Questions often include distractors that are technically possible but not the best fit, so choose the most managed option that still satisfies the requirement.

Section 2.6: Exam-style practice set on core cloud concepts and model selection

This section focuses on how AZ-900 tests cloud concepts rather than presenting direct quiz items. Microsoft often frames foundational topics in short business scenarios and asks you to identify the cloud benefit, deployment model, or service model that best matches the need. Your task is not to design a full architecture. Instead, you must extract the one requirement the exam writer wants you to notice.

Start by classifying the scenario. If it talks about reducing upfront purchases or paying only when resources are used, that signals the consumption-based model. If it emphasizes rapid deployment and responsiveness, think agility. If it describes changing demand and matching capacity dynamically, decide whether the wording fits scalability or elasticity. For resilience scenarios, separate normal operational continuity from large-scale recovery. This alone eliminates many wrong answers.

Next, determine whether the question is asking about a deployment model or a service model. Deployment model questions compare public, private, and hybrid cloud based on where and how resources are used. Service model questions compare IaaS, PaaS, and SaaS based on who manages the application stack. Mixing these categories is a classic exam mistake. Public cloud versus private cloud is not the same type of choice as IaaS versus PaaS.

Exam Tip: Before reading the options, mentally label the scenario: benefit, reliability term, deployment model, or service model. This prevents distractors from pulling you into the wrong category.

Another strong technique is to look for trigger phrases. “Must remain on-premises” suggests private or hybrid. “Delivered as a complete application” suggests SaaS. “Developers deploy code without managing servers” suggests PaaS. “Need control of the operating system” suggests IaaS. “Automatically adjusts to traffic spikes” suggests elasticity. These phrases are common because AZ-900 emphasizes conceptual recognition.

Common traps include choosing an answer that is true in general but not the best answer for the specific requirement. For example, many workloads can run in either public or hybrid cloud, but if the scenario clearly requires part of the environment to stay on-premises, hybrid is better. Likewise, both IaaS and PaaS can host applications, but if the goal is to avoid managing operating systems, PaaS is more precise.

As you review practice questions in the test bank, train yourself to explain why each incorrect answer is wrong. That skill is essential for exam readiness. AZ-900 rewards clear distinctions, not vague familiarity. If you can consistently map the requirement to the exact cloud concept or model being tested, you will handle this objective area with confidence.

Section 3.1: OpEx versus CapEx, pricing benefits, and financial flexibility

One of the most tested cloud concepts in AZ-900 is the difference between capital expenditure (CapEx) and operational expenditure (OpEx). CapEx refers to upfront spending on physical infrastructure such as servers, networking equipment, datacenter facilities, and storage systems. Traditionally, organizations had to predict demand, buy hardware in advance, and maintain excess capacity for future growth or unexpected spikes. That creates financial risk because the business pays before it fully knows whether that capacity will be used.

OpEx, by contrast, aligns much more closely with the cloud model. Instead of purchasing and owning infrastructure, the organization consumes services and pays as it uses them. This provides financial flexibility because costs can increase or decrease with actual demand. From an exam perspective, the key idea is not merely “monthly billing.” The tested concept is that cloud services reduce large upfront costs and shift spending toward usage-based or recurring operating costs.

AZ-900 questions also connect OpEx to pricing benefits such as pay-as-you-go consumption, economies of scale, and the ability to stop paying for resources when they are no longer needed. If a company launches a temporary marketing campaign, cloud services can support short-term demand without requiring permanent capital purchases. If business activity declines, the organization can reduce services and spending. This elasticity is a major economic advantage of cloud computing.

• CapEx: high upfront investment, longer planning cycles, ownership of hardware
• OpEx: ongoing service consumption, pay for what you use, easier adjustment to demand
• Cloud pricing benefit: reduced need to overprovision for peak capacity
• Financial flexibility: easier experimentation, faster deployment, lower entry barriers

A common exam trap is assuming the cloud always means lower total cost in every scenario. The exam usually expects you to identify flexibility, scalability, and reduced upfront investment, not to make an absolute claim that cloud is always cheapest. Another trap is mixing cost savings with agility. They are related, but they are not identical. If a question emphasizes rapid scaling or quick deployment, agility may be the main point. If it emphasizes avoiding large hardware purchases, the focus is CapEx versus OpEx.

Exam Tip: If the scenario mentions avoiding initial infrastructure purchases, preserving cash, or paying only for current usage, think OpEx and cloud financial flexibility first. If it mentions owning servers and depreciating assets over time, think CapEx.

The exam also expects you to understand operational advantages tied to cloud economics. These include faster provisioning, global reach, improved resource utilization, and reduced need to maintain idle capacity. In introductory questions, the best answer is often the one that highlights flexibility rather than a technically advanced pricing mechanism.

Section 3.2: Shared responsibility model and cloud security ownership basics

The shared responsibility model is a cornerstone cloud concept and appears frequently because it helps explain what the cloud provider secures and what the customer must still manage. In Azure, Microsoft is always responsible for the security of the cloud, meaning the physical datacenters, underlying hardware, host infrastructure, and foundational service operations. Customers remain responsible for security in the cloud to varying degrees depending on the service model in use.

The exam often tests this by comparing IaaS, PaaS, and SaaS. In Infrastructure as a Service, the customer has more responsibility, including operating systems, applications, data, identities, and many network controls. In Platform as a Service, Microsoft manages more of the underlying platform, but the customer still owns data, access, configuration, and application-level security considerations. In Software as a Service, Microsoft manages even more of the stack, but the customer still remains responsible for data governance, user access, and correct usage of the service.

At AZ-900 level, you should be comfortable recognizing broad ownership boundaries rather than memorizing every detailed matrix row. Questions may ask who is responsible for physical security, patching an operating system in a virtual machine, or securing user identities. Physical security belongs to Microsoft. Guest operating system patching in customer-managed virtual machines typically belongs to the customer. Identity and access decisions remain strongly customer-oriented across cloud models.

Another exam angle is understanding that moving to the cloud does not eliminate customer security duties. Many candidates incorrectly assume that because Azure is secure, all compliance and security obligations shift to Microsoft. That is a trap. Customers still decide who gets access, how data is classified, whether multifactor authentication is used, and how resources are configured.

• Microsoft secures the physical infrastructure and foundational platform components
• Customers secure identities, data, endpoints, and many configuration choices
• IaaS means more customer responsibility than PaaS or SaaS
• Shared responsibility changes by service type, but never disappears for the customer

Exam Tip: If the question mentions physical datacenter security, power, cooling, or host infrastructure, the answer points to Microsoft. If it mentions user permissions, information protection, or resource configuration, the answer usually points to the customer.

A common trap is overthinking hybrid scenarios. For AZ-900, stay with the basic principle: the provider secures the cloud foundation, and the customer remains accountable for what they deploy, access, and store. This section also supports later governance topics because security ownership and administrative scope are closely related on the exam.

Section 3.3: Describe Azure architecture and services - regions and region pairs

Azure’s global infrastructure is built around geographies and regions, and the AZ-900 exam expects you to understand these terms clearly. A region is a set of one or more datacenters deployed within a specific geographic area and connected through a low-latency network. Organizations choose regions based on factors such as service availability, data residency considerations, latency requirements, and business continuity planning.

Exam questions may describe a company wanting resources close to users in Europe or needing to address data residency expectations in a certain market. In such cases, the tested concept is usually region selection or geography awareness. A geography is a market area that typically contains two or more regions and helps preserve data residency and compliance boundaries. Not every question will require deep geography knowledge, but you should know that regions sit within larger geographic structures.

Region pairs are another important introductory concept. Azure pairs many regions within the same geography, creating a relationship that supports certain recovery and platform update strategies. Microsoft often emphasizes that region pairs can help with disaster recovery planning and prioritized recovery in broad outage scenarios. You do not need to memorize every pair for AZ-900, but you should understand the purpose of the concept and why it matters for resiliency and continuity.

A common trap is confusing region pairs with availability zones. Region pairs involve two separate regions. Availability zones are separate physical locations within a single region. If a question asks for protection from a region-wide failure, region pair concepts become more relevant. If the question asks for redundancy within a single region, availability zones are the better fit.

• Region: one or more datacenters in a specific area
• Geography: a broader market boundary containing multiple regions
• Region pair: paired regions used to support resiliency and recovery considerations
• Selection factors: compliance, latency, service availability, business continuity

Exam Tip: Watch for wording such as “within the same region” versus “in another region.” That wording usually tells you whether the exam is testing availability zones or region pairs.

From a practical study standpoint, learn how to identify the main business reason in the scenario. If the issue is local performance, think region proximity. If the issue is regulatory boundaries, think geography and data residency. If the issue is large-scale recovery strategy, think region pairs. The exam rewards clean conceptual alignment more than memorization of infrastructure maps.

Section 3.4: Availability zones, datacenters, and resiliency design basics

Availability zones are physically separate locations within an Azure region. Each zone has independent power, cooling, and networking, which allows workloads designed across multiple zones to tolerate certain local failures without losing regional presence. At the AZ-900 level, you do not need advanced architecture patterns, but you do need to know why availability zones exist and how they differ from regions and datacenters.

Start with the hierarchy. Datacenters are the physical facilities that house infrastructure. A region contains one or more datacenters. In supported regions, availability zones represent separate physical locations inside that region. This distinction matters because exam questions often place these three terms together. If the question asks about the most basic physical site, the answer is datacenter. If it asks about a deployment boundary in one city or area, it is likely a region. If it asks about higher resiliency inside that same region, availability zones are the key concept.

Questions in this area commonly test resiliency design basics. If a workload is distributed across availability zones, it gains protection against failures affecting one zone. This can improve availability and fault tolerance. However, availability zones are not the same as a full cross-region disaster recovery design. They increase resilience inside a region, while cross-region strategies address larger outages that affect an entire region.

A common trap is choosing availability zones when the scenario actually requires geographic separation. Another trap is assuming every Azure region supports availability zones. The exam may hint that support varies, so avoid making universal assumptions beyond the core concept.

• Datacenter: physical facility
• Region: collection of datacenters in one area
• Availability zone: separate physical location within a region
• Use case: improve resiliency and availability for zonal or zone-redundant workloads

Exam Tip: If the question says “independent power, cooling, and networking within a region,” it is almost certainly describing availability zones.

For exam strategy, connect architecture terms to failure scope. Local facility issue points toward datacenter or zone design. Single-region high availability points toward availability zones. Broader disaster recovery beyond one region points toward region pairs or multi-region strategy. Keeping the failure scope in mind helps you choose the best answer quickly and avoid distractors that sound technically impressive but solve the wrong problem.

Section 3.5: Resources, resource groups, subscriptions, and management groups

This is one of the highest-value architecture topics for AZ-900 because it tests your ability to distinguish Azure’s logical organization and governance boundaries. A resource is an individual manageable item in Azure, such as a virtual machine, storage account, virtual network, or database. Resources are placed into resource groups, which act as logical containers for resources that share a lifecycle, management need, or deployment pattern.

Resource groups are often misunderstood. They are not primarily billing boundaries and they are not above subscriptions. They exist within a subscription and help organize resources for deployment, management, automation, and access control. A resource group can contain different types of resources, and many exam questions test whether you know that resources can be managed together at the resource group scope. However, candidates should be careful not to assume every resource must always share the same lifecycle just because they are in the same group; the exam usually focuses on basic organizational purpose.

A subscription is a key Azure boundary for billing, access control, and service limits. Many organizations use multiple subscriptions to separate departments, environments, projects, or cost centers. If an exam scenario emphasizes invoicing, spending separation, or account-level access segmentation, subscription is a strong answer candidate.

Management groups sit above subscriptions and allow centralized governance across multiple subscriptions. This is especially important when applying policies or compliance standards consistently in large organizations. If the question asks how to organize several subscriptions under one administrative hierarchy, management groups are the right concept. Resource groups cannot contain subscriptions, and subscriptions cannot be nested inside resource groups. That structural confusion appears frequently in distractor answers.

• Resource: an Azure service instance or manageable item
• Resource group: logical container for resources within a subscription
• Subscription: billing and access boundary containing resource groups and resources
• Management group: governance layer above subscriptions

Exam Tip: Read for the governing scope. One application’s components often suggest a resource group. One department’s bill often suggests a subscription. Many subscriptions under centralized policy suggest a management group.

Common traps include selecting resource group when billing is the issue, or choosing subscription when the question is about applying governance across many subscriptions. The exam wants you to map the need to the correct administrative level. If you visualize the hierarchy as management groups at the top, subscriptions in the middle, and resource groups underneath, many questions become straightforward.

Section 3.6: Exam-style practice set on cloud concepts and core Azure architecture

This chapter’s mixed practice mindset should mirror how AZ-900 presents content: not as isolated definitions, but as short business or technical scenarios requiring you to identify the best concept. When reviewing your practice results, do not only ask whether you got an item right. Ask why the wrong options were wrong. That habit is one of the fastest ways to improve performance on foundational certification exams.

In cloud economics questions, identify whether the scenario emphasizes lower upfront cost, elasticity, or reduced ownership of infrastructure. In security ownership questions, determine whether the prompt refers to physical infrastructure, platform management, or customer-controlled identities and data. In Azure architecture questions, identify the relevant scope: global location, in-region resiliency, billing boundary, or governance hierarchy.

For single-choice items, the best answer is usually the one that matches the core scope exactly. For multiple-choice items, beware of partially true statements. AZ-900 often includes answer choices that are generally plausible but do not fit the specific requirement. For scenario-based items, underline mentally what the organization is trying to achieve: resilience within one region, disaster recovery across regions, organizing resources for deployment, or applying policy across subscriptions.

One effective study method is to build a comparison table from this chapter. Put CapEx and OpEx side by side. Put region, geography, region pair, datacenter, and availability zone side by side. Put resource, resource group, subscription, and management group side by side. The exam frequently measures your ability to distinguish related concepts quickly.

• Look for clue words: upfront cost, physical security, same region, multiple subscriptions, billing, governance
• Eliminate distractors by scope mismatch
• Do not choose advanced solutions when a foundational concept answers the question directly
• Review every wrong answer until you can explain the distinction in one sentence

Exam Tip: If two answer choices both sound correct, ask which one is more fundamental to the exact requirement stated. AZ-900 usually rewards the simplest accurate cloud or Azure concept, not the most feature-rich service.

As you prepare for mock exams, use this chapter to strengthen pattern recognition. Many questions can be solved by spotting whether the problem is financial, operational, physical, logical, or governance-related. That exam-style reasoning is what turns memorized facts into dependable score improvements.

Section 4.1: Describe Azure architecture and services - compute services overview

Azure compute services answer one central question: how should a workload run in the cloud? For AZ-900, you should know the major compute choices at a high level and understand the tradeoff between control and management. The more control you want over the operating system and environment, the more responsibility you take on. The more managed the service is, the less infrastructure work you perform.

The exam commonly groups Azure compute into four broad categories: virtual machines, containers, platform-managed web and application hosting, and serverless computing. Azure Virtual Machines provide the most traditional infrastructure model and are ideal when an organization needs full OS control, custom software installation, or support for legacy applications. Containers package applications and dependencies together for portability and consistency. Azure App Service provides a managed platform for hosting web apps and APIs without managing underlying servers. Serverless offerings such as Azure Functions execute code in response to events and typically charge based on execution or consumption patterns.

A common exam trap is assuming that the newest or most cloud-native option is always the best answer. That is not how AZ-900 frames decisions. If a company must migrate an application that depends on a specific operating system configuration, a virtual machine may be the correct answer even if App Service sounds simpler. Likewise, if the requirement highlights rapid deployment, scalability, and reduced infrastructure management for a web application, App Service may be the better fit than virtual machines.

Exam Tip: When you see phrases like “lift and shift,” “full control,” or “custom OS configuration,” think virtual machines first. When you see “managed web hosting,” “deploy code,” or “host web apps and APIs,” think App Service. When you see “event-driven” or “run code without managing servers,” think serverless.

The exam is testing whether you can distinguish service models, not administer them. Focus on the defining purpose of each option and be careful not to overcomplicate the scenario. If the question asks for a service to host a website quickly with minimal infrastructure management, choosing virtual machines is usually too heavy. If the question asks for support of a legacy application with specific OS dependencies, choosing a highly abstracted service may be too limited.

Section 4.2: Virtual machines, containers, App Service, and serverless options

Virtual machines are Infrastructure as a Service and are one of the easiest services to recognize on the AZ-900 exam. They provide virtualized computing with full control over the guest operating system. You choose the image, size, storage, and networking, and you are responsible for much of the maintenance within the VM. This makes them useful for legacy apps, custom line-of-business software, development environments, and workloads that need direct OS access.

Containers package an application and its dependencies into a consistent unit that can run across environments. For AZ-900, understand the concept more than the orchestration details. Azure supports containers through services such as Azure Container Instances and Azure Kubernetes Service. Container Instances are good for quickly running containers without managing virtual machines. AKS is used for orchestrating containerized applications at scale. The exam may use container language to signal portability, microservices, or rapid deployment.

Azure App Service is a Platform as a Service offering for hosting web apps, REST APIs, and mobile back ends. It abstracts away much of the infrastructure so developers can focus on code. This makes it a favorite exam answer when the scenario emphasizes managed hosting, autoscaling, easy deployment, or integration with development workflows. It is especially attractive when there is no stated need for OS administration.

Serverless options, especially Azure Functions, are designed for event-driven code execution. Instead of provisioning servers, you write code that runs when triggered by events such as HTTP requests, timers, or messages. On the exam, serverless is often associated with intermittent workloads, automatic scaling, and paying for actual execution rather than reserved capacity. That said, do not confuse all PaaS with serverless. App Service is managed, but Azure Functions is the stronger match when the requirement is event-driven execution.

Exam Tip: A classic distractor is between App Service and Functions. If the scenario is “host a website or API,” lean App Service. If the scenario is “run code when an event occurs,” lean Azure Functions. Another common distractor is between VMs and containers. If the need is application portability and lightweight packaging, think containers. If the need is a full server environment, think VMs.

Remember that AZ-900 asks for the best fit. Many workloads could technically run on multiple services, but the exam rewards the service that most directly aligns with the stated requirement and management preference.

Section 4.3: Virtual networks, VPN Gateway, ExpressRoute, DNS, and load balancing

Networking questions on AZ-900 usually test whether you understand the role of each core service in connectivity and traffic flow. Azure Virtual Network, or VNet, is the foundational networking service that allows Azure resources to communicate securely with each other, the internet, and on-premises networks. If the exam asks about isolating resources, defining private IP ranges, or creating a logical network in Azure, VNet is the key concept.

VPN Gateway provides encrypted connectivity between Azure and another network over the public internet. This is often the right answer for hybrid scenarios that require secure communication but do not justify a dedicated private circuit. ExpressRoute, by contrast, provides private connectivity between on-premises infrastructure and Microsoft cloud services without traversing the public internet in the same way. ExpressRoute is usually associated with higher reliability, lower latency expectations, and enterprise-grade private connections.

Azure DNS hosts DNS domains and provides name resolution using Azure infrastructure. The exam may present this simply as a service for managing DNS records. Do not confuse DNS with load balancing. DNS resolves names to IP addresses; it does not itself distribute traffic across instances in the way a load balancer does.

Load balancing concepts can appear in broad form on AZ-900. You should know that Azure provides services to distribute incoming traffic across multiple resources to improve availability and performance. At this level, the exam is less about deep feature comparison and more about recognizing the purpose: spreading traffic and improving resilience.

Exam Tip: Watch for the wording “private dedicated connection” versus “secure connection over the internet.” The first points to ExpressRoute; the second points to VPN Gateway. Another trap is treating VNet as though it is only for internet-facing resources. A VNet is primarily about logically organizing and securing network communication in Azure.

When selecting the correct answer, identify the problem category first. Need a logical private network? VNet. Need hybrid encrypted tunnel over the internet? VPN Gateway. Need private enterprise circuit? ExpressRoute. Need domain name hosting and resolution? Azure DNS. Need traffic distribution? Load balancing service. That sequence helps you eliminate distractors quickly under exam pressure.

Section 4.4: Storage accounts, blob, file, queue, table, and redundancy options

Azure storage is a heavily tested foundational area because it combines service recognition with practical scenario matching. A storage account is the top-level Azure resource that provides access to storage services. For AZ-900, know the common storage types inside or associated with Azure Storage: Blob storage, Azure Files, Queue storage, and Table storage. The exam frequently asks you to match the data type or access pattern to the correct service.

Blob storage is used for massive amounts of unstructured object data such as images, videos, backups, and documents. If a question mentions object storage, unstructured content, or large-scale static data, Blob storage is usually the best fit. Azure Files provides managed file shares that can be accessed using standard file-sharing protocols. If the scenario calls for shared file access across systems or replacing a traditional file server, Azure Files is the likely answer.

Queue storage is used for storing messages so that application components can communicate asynchronously. If the requirement involves decoupling parts of an application or handling messages reliably between services, Queue storage is the strong match. Table storage is a NoSQL key-attribute store for structured, non-relational data. Candidates sometimes confuse it with relational databases because of the word “table,” but it is not a relational database service.

Redundancy options are also important. Azure offers several replication choices to improve durability and availability. At the AZ-900 level, you should recognize the basic idea that data can be replicated locally within a single datacenter or region, across zones, or to a secondary geographic region. The exam may use labels such as locally redundant storage, zone-redundant storage, and geo-redundant storage to test whether you understand increasing resilience and geographic protection.

Exam Tip: Do not let names mislead you. “Table” storage is not the default answer for relational data, and “Files” is not for hosting website objects at internet scale. Focus on the access model: object, file share, message queue, or NoSQL key-attribute data.

Another common trap is choosing the most complex redundancy option automatically. The exam may ask for the option that keeps multiple copies within a single datacenter versus across zones or regions. Read carefully and match the resilience requirement exactly rather than assuming more redundancy is always what the question asks for.

Section 4.5: Relational and non-relational databases including Azure SQL and Cosmos DB

Database questions on AZ-900 focus on the distinction between relational and non-relational services and the use cases that define them. Relational databases store structured data in tables with predefined schemas and support SQL queries, joins, and transactional consistency. In Azure, Azure SQL Database is the flagship managed relational database service you are most likely to see on the exam.

Azure SQL Database is a Platform as a Service offering based on the SQL Server engine, but managed by Azure. It is the best fit when a scenario requires a relational database, SQL-based querying, structured schema, and reduced administrative overhead compared with managing SQL Server on virtual machines. If the requirement is specifically to migrate an existing SQL Server workload with minimal app changes, Azure SQL Database may be a better exam answer than a VM-hosted SQL Server when the scenario emphasizes managed service benefits.

Non-relational databases are designed for flexible schemas, high scale, and specialized access patterns. Azure Cosmos DB is the major non-relational database service emphasized in AZ-900. It is globally distributed, supports low-latency access, and is commonly associated with applications that need elastic scalability and worldwide responsiveness. When the scenario mentions globally distributed applications, multi-region data access, or NoSQL design, Azure Cosmos DB is a strong signal.

A classic exam trap is confusing Blob or Table storage with Cosmos DB simply because all can store non-relational data. Cosmos DB is a full database service built for globally distributed, high-performance, low-latency applications. Storage services are not interchangeable with it just because they hold data. Likewise, candidates may over-select SQL because they recognize it first, even when the scenario clearly describes schema flexibility and global distribution.

Exam Tip: If you see “structured relational data,” “SQL queries,” or “managed relational database,” think Azure SQL Database. If you see “globally distributed,” “NoSQL,” “millisecond latency,” or “planet-scale application,” think Azure Cosmos DB.

The exam does not usually require deep knowledge of database engines, indexing, or consistency tuning. It tests whether you understand the business and architectural fit. Pick the service that aligns with the data model and scale pattern described, and avoid answering based on familiarity alone.

Section 4.6: Exam-style practice set on selecting the right Azure service

This final section brings the chapter together by focusing on how to reason through service-selection items in AZ-900 style. The exam often gives you a short business requirement and several plausible services. The winning strategy is to identify the core requirement category first, then eliminate options that solve a different problem. This sounds simple, but many incorrect answers happen because candidates choose a service they recognize rather than the one the requirement actually calls for.

Start with these mental filters. If the scenario is about running applications, ask what level of control is required: full OS control, managed web hosting, containerized deployment, or event-driven execution. If the scenario is about connectivity, ask whether it needs private network isolation, secure hybrid access over the internet, dedicated private connectivity, name resolution, or traffic distribution. If the scenario is about data, ask whether the need is object storage, file sharing, message queuing, NoSQL storage, relational SQL, or globally distributed NoSQL database access.

One major exam trap is selecting based on broad possibility rather than best fit. For example, yes, a website can run on a VM, but if the question stresses minimal infrastructure management, App Service is usually better. Yes, data can be stored in many places, but if the need is globally distributed NoSQL with low latency, Cosmos DB is the stronger match than general storage services. Yes, you can connect networks in multiple ways, but if the requirement specifies a private dedicated connection, ExpressRoute is more appropriate than VPN Gateway.

Exam Tip: Pay attention to adjectives. Words like “managed,” “legacy,” “event-driven,” “shared,” “globally distributed,” “private,” and “dedicated” often determine the answer. They are not filler; they are clues.

Also remember that AZ-900 may include single-choice, multiple-choice, and scenario-style items. In multiple-choice formats, more than one service may appear partially correct. Only select options that satisfy the exact requirement. Read every option carefully, and do not assume that familiar services are automatically included. The most successful candidates slow down just enough to classify the requirement before jumping to the answer.

By the end of this chapter, your goal is not only to recognize Azure service names, but to understand the practical decision logic behind them. That reasoning skill is what consistently improves scores across practice exams and the real certification test.

Section 5.1: Describe Azure management and governance - Microsoft Entra ID and authentication basics

Microsoft Entra ID, formerly Azure Active Directory, is Microsoft’s cloud-based identity and access management service. For AZ-900, you should know that it helps users sign in to applications and services, supports identity for cloud and hybrid environments, and provides a foundation for security and governance in Azure. When exam questions mention users signing in to Azure, Microsoft 365, SaaS applications, or using single sign-on, Microsoft Entra ID is usually the relevant service.

Authentication is the process of verifying identity. In plain terms, it answers the question, “Who are you?” Common authentication methods include passwords, multifactor authentication, passwordless methods, and federation. The AZ-900 exam often tests whether you can distinguish authentication from later access decisions. If a user successfully signs in, that means authentication has occurred. It does not automatically mean that user has permission to perform all actions.

Single sign-on, or SSO, allows users to sign in once and access multiple applications without repeatedly entering credentials. This improves user experience and can strengthen security when combined with centralized identity management. Multifactor authentication, or MFA, requires two or more verification factors, such as something you know and something you have. This is one of the simplest ways to reduce the risk of unauthorized access due to stolen passwords.

You should also recognize Conditional Access at a high level. Conditional Access applies identity-driven controls based on signals such as user, device, location, or risk. Although AZ-900 does not require advanced policy design knowledge, it may ask which feature can require MFA under certain conditions or limit access based on context. That points to Conditional Access, not basic RBAC and not Azure Policy.

Exam Tip: If the scenario is about sign-in, identity verification, MFA, SSO, or user directory services, think Microsoft Entra ID. If the scenario is about controlling what a signed-in user is allowed to do inside Azure resources, shift your thinking toward authorization and RBAC.

A common trap is confusing Microsoft Entra ID with a traditional on-premises Active Directory Domain Services deployment. On the exam, remember that Microsoft Entra ID is a cloud identity service, while classic domain services are associated with Windows Server domain join, Group Policy, and on-premises domain controllers. Another trap is assuming identity equals governance. Identity supports governance, but governance in Azure also includes policies, locks, organizational structure, cost controls, and compliance tools.

From an exam objective perspective, Microsoft is testing whether you understand identity as a management foundation. Azure administration begins with knowing who is requesting access. That is why identity concepts appear early in governance and security questions. If a scenario emphasizes secure access to cloud applications across many users and locations, Microsoft Entra ID is frequently the best answer.

Section 5.2: Authorization, role-based access control, and Zero Trust principles

Authorization determines what an authenticated identity is allowed to do. This is different from authentication, which proves who the identity is. In Azure, the primary mechanism for authorization is Azure role-based access control, or Azure RBAC. RBAC lets you assign roles to users, groups, service principals, or managed identities at different scopes, including management group, subscription, resource group, or resource level.

For AZ-900, you should know common built-in roles such as Owner, Contributor, and Reader. Owner has full access including the ability to delegate access to others. Contributor can create and manage resources but cannot assign roles. Reader can view resources but cannot make changes. Exam questions often test these differences. If a person must manage resources but not control access assignments, Contributor is usually the best answer. If the person only needs visibility, Reader is more appropriate than Contributor.

The exam also expects you to understand least privilege. This principle means giving identities only the permissions they need to perform their tasks, no more. Least privilege is central to Azure governance and to Zero Trust security thinking. Zero Trust assumes no user, device, or workload should be trusted automatically, even if it is inside a network boundary. Instead, organizations verify explicitly, use least-privileged access, and assume breach when designing controls.

Zero Trust is not a single product. It is a security strategy. On the exam, when a question asks about minimizing implicit trust, continuously validating access, or limiting permissions, Zero Trust is the concept being tested. Be careful not to confuse it with a specific service such as a firewall or a policy engine. RBAC can support Zero Trust, but RBAC itself is not the same thing as the broader model.

Exam Tip: If the question asks how to grant access to manage Azure resources, choose RBAC. If it asks how to enforce organizational rules on resource properties or deployment conditions, choose Azure Policy. Permissions and policy compliance are related, but they solve different problems.

A classic exam trap is a scenario that says a user can sign in but cannot create a virtual machine. That is not an authentication failure. It is an authorization issue, likely solved through RBAC. Another trap is assuming RBAC can block a resource from being created in a nonapproved region because of organizational standards. That is a policy problem, not a permissions problem.

Microsoft is testing your ability to match the correct control to the correct need. Authorization is about actions. Zero Trust is about strategic access design. RBAC is the operational mechanism you will most often see in Azure questions about who can read, create, update, or delete resources at a given scope.

Section 5.3: Azure Policy, resource locks, tags, and governance at scale

Azure Policy helps enforce organizational standards and assess compliance across resources. It can evaluate existing resources and control future deployments based on defined rules. For example, an organization may want to allow only certain regions, require specific tags, permit only approved resource SKUs, or deny the creation of resources that do not meet standards. On the AZ-900 exam, Azure Policy is usually the best answer when the question involves compliance, enforcement, or standardization across many resources.

Resource locks are different. Locks protect resources from accidental changes. The two main lock types are CanNotDelete and ReadOnly. A CanNotDelete lock prevents deletion but still allows authorized changes other than deletion. A ReadOnly lock prevents modifications and deletion. Questions often compare locks and policies, so remember the distinction: Policy governs what should be deployed or compliant; locks protect existing resources from accidental administrative actions.

Tags are metadata labels applied to Azure resources. They are useful for organizing resources by department, environment, application, owner, or cost center. Tags can support cost tracking and reporting, but tags do not enforce permissions by themselves. On the exam, if the requirement is to categorize resources for reporting or chargeback, tags are a strong answer. If the requirement is to force resources to include a tag, Azure Policy is likely involved, because Policy can require tags.

Governance at scale often involves management groups and subscriptions. Management groups allow administrators to organize multiple subscriptions and apply governance consistently above the subscription level. This is useful for large enterprises that need broad policy or access assignment coverage. If a question asks how to apply a policy across many subscriptions, a management group is often the best scope.

Exam Tip: Ask yourself what the organization is trying to accomplish: enforce standards, prevent accidental deletion, or categorize resources. Enforce standards equals Azure Policy. Prevent accidental deletion equals locks. Categorize and report equals tags. This quick mental sorting method helps with tricky options.

Common traps include believing tags can stop noncompliant deployments or that RBAC can enforce required metadata. Tags alone do neither. Another trap is assuming a lock overrides every kind of access. A lock protects the resource from certain management actions, but it is not the same as removing all permissions. The exam may also test whether you know that policies can audit, deny, or enforce settings, making them a key compliance tool.

From the exam objective perspective, this section belongs squarely within governance and compliance support. Microsoft wants you to understand how organizations keep Azure environments orderly, consistent, and aligned with internal rules. When you see wording such as standards, compliance, required configuration, allowed locations, or required tags, Azure Policy should immediately come to mind.

Section 5.4: Cost Management, pricing tools, budgets, and the Azure calculator

Cost control is a major part of Azure management and governance. AZ-900 commonly tests whether you know the difference between estimating cost before deployment and monitoring or controlling cost after resources are running. The Azure pricing calculator is used to estimate expected costs for planned services. You can model services, sizes, regions, and usage assumptions to create a forecast before deployment. If a question asks how to estimate the monthly cost of a planned solution, the calculator is the best fit.

Azure Cost Management is used after or during deployment to analyze spending, identify cost trends, review resource costs, and optimize cloud consumption. It provides visibility into actual usage and costs. Budgets can be created to help track spending against a threshold. Alerts can notify stakeholders as spending approaches or exceeds budget targets. This makes budgets a governance control for financial accountability, though they do not by themselves stop resource consumption unless paired with additional automation.

You should also recognize the Total Cost of Ownership, or TCO, calculator. Its purpose is to compare estimated on-premises infrastructure costs with Azure costs. If the exam asks about building a business case for migration by comparing current datacenter spending with projected Azure spending, that points to the TCO calculator rather than the pricing calculator.

Pricing in Azure can also be influenced by factors such as resource type, consumption, region, performance tier, and licensing model. The AZ-900 exam may refer broadly to the consumption-based model, where organizations pay for what they use. However, do not assume every cost-related answer is simply “pay-as-you-go.” Microsoft often wants you to identify the specific tool used for estimation, optimization, or monitoring.

Exam Tip: Pricing calculator equals estimate before deployment. Cost Management equals track and analyze actual spending. Budgets equal spending thresholds and alerts. TCO calculator equals compare on-premises costs with Azure migration scenarios.

A very common trap is confusing budgets with hard spending caps. Budgets alert and report; they are not automatically the same as enforcing service shutdown. Another trap is selecting the pricing calculator when the scenario asks about reviewing current subscription costs. Once workloads are running, Cost Management is the more accurate choice.

Microsoft includes these topics because governance is not only about security and compliance; it is also about financial discipline. Organizations need to understand expected cost, monitor actual cost, and align cloud consumption with business value. A test-ready learner can quickly identify whether the scenario is planning-focused, operations-focused, or financial-comparison-focused.

Section 5.5: Service Level Agreements, lifecycle concepts, and support plan options

Service Level Agreements, or SLAs, describe Microsoft’s commitment to uptime and service availability for Azure services. In AZ-900, you are not expected to memorize every SLA percentage, but you should understand what an SLA represents and how service design can affect overall availability. An SLA is typically expressed as a percentage of uptime over a billing period. Higher availability often requires more resilient architecture, such as using multiple instances or availability options, depending on the service.

The exam may ask conceptually what happens when services are combined. When multiple components are required for an application to function, the overall availability can be affected by each component’s SLA. This means combined solutions may have lower effective availability than a single component. The key exam idea is that architecture decisions matter. SLAs are not just numbers on paper; they influence design and business expectations.

Lifecycle concepts are also tested at a high level. You should know terms such as public preview, generally available, and deprecated or retired. Public preview means a feature is available for evaluation but may have limited support or not be recommended for production. General availability, or GA, means the service is production-ready and fully released. Retired services are no longer supported. Questions may ask which type of release is appropriate for production workloads or which phase carries more risk.

Support plans are another basic governance and administration topic. Azure offers different support options with different response times, technical scope, and cost. The exam generally tests whether you understand that higher-tier support plans provide faster response times and broader support coverage. You do not need every pricing detail, but you should know the purpose of support plans and recognize that support needs vary by organizational criticality.

Exam Tip: If the question focuses on uptime commitments, think SLA. If it focuses on whether a feature is ready for production, think lifecycle stage such as preview versus general availability. If it focuses on access to Microsoft technical assistance and response targets, think support plans.

Common traps include assuming preview features have the same production assurances as GA services, or believing all support plans include the same response speed for critical issues. Another trap is overthinking SLA questions. The exam is usually testing the concept that redundancy and architecture improve resilience, not requiring detailed mathematical analysis.

Microsoft tests these areas because management and governance include service expectations and operational support, not only permissions and policies. A cloud administrator must understand what the platform promises, what release stage a feature is in, and what support relationship the organization has chosen.

Section 5.6: Exam-style practice set on management, governance, and compliance scenarios

When you face scenario-based AZ-900 questions on management and governance, your goal is to identify the exact problem category before looking at answer choices. This prevents confusion between tools that sound similar. Start by asking: Is this an identity problem, a permissions problem, a compliance problem, a cost problem, or a service commitment problem? Once you classify the scenario correctly, the best answer becomes much easier to spot.

For identity scenarios, focus on sign-in, MFA, SSO, and directory-based access. That points to Microsoft Entra ID and related authentication controls. For permissions scenarios, think RBAC and scope. Ask whether the user needs read-only visibility, resource management ability, or full delegation rights. For compliance and standardization scenarios, think Azure Policy. If the wording emphasizes accidental deletion prevention, think resource locks instead of policy.

For organization and reporting scenarios, tags often appear as a practical answer, especially for cost-center or department tracking. For broad enforcement across many subscriptions, management groups matter because they provide scale. For financial scenarios, separate planning from monitoring. Estimating a new deployment points to the pricing calculator. Comparing on-premises costs with Azure migration points to the TCO calculator. Reviewing actual spending and setting threshold alerts points to Cost Management and budgets.

Questions on SLAs and support often reward calm reading. If the scenario asks whether a feature is suitable for production, look for general availability rather than preview. If it asks about service uptime commitments, think SLA. If it asks how to obtain faster responses for critical technical incidents, think support plan level. Avoid importing assumptions from hands-on experience that go beyond the exam’s intended scope.

Exam Tip: Eliminate wrong answers by function. RBAC does not enforce resource standards. Policy does not replace sign-in controls. Tags do not grant access. Locks do not estimate cost. Support plans do not change an SLA. This process of elimination is extremely effective in AZ-900 because distractors are often real Azure features used for different purposes.

Another smart exam strategy is to watch for scope clues. Words like “across all subscriptions,” “for one resource group,” or “for a single virtual machine” help identify whether the solution should be applied at management group, subscription, resource group, or resource level. Microsoft likes to test not just what a feature does, but whether you understand where it should be applied for efficient governance.

Finally, remember that AZ-900 is about recognition and reasoning, not deep administration. If you can explain why Microsoft Entra ID fits identity, RBAC fits permissions, Azure Policy fits standards enforcement, locks fit protection, tags fit organization, Cost Management fits spend analysis, and SLAs and support plans fit service expectations, you are well prepared for this objective domain.

Section 6.1: Full-length mixed mock exam covering all official exam domains

Your full mock exam should feel like the real AZ-900 experience: mixed topics, changing context, and frequent shifts between technical terms and business-oriented language. This matters because the official exam does not group all cloud concepts together and then all governance topics together. Instead, it mixes them, forcing you to identify the domain from the wording of the question. That is a test skill in itself. If you cannot quickly recognize whether a question is really about pricing, identity, storage, or resiliency, you lose time and confidence.

In Mock Exam Part 1, aim to answer in a steady rhythm rather than perfect certainty. Mark mentally whether a prompt is asking about cloud benefits, architectural components, service categories, or governance controls. This classification step helps prevent common mistakes. For example, candidates often see the words security and immediately think Microsoft Defender for Cloud, even when the actual concept being tested is Microsoft Entra ID or Azure RBAC. Likewise, the word availability can trigger thoughts about availability zones when the better answer is often autoscaling, load balancing, or region design.

In Mock Exam Part 2, maintain the same discipline while watching for wording traps. AZ-900 often includes answer options that are true statements but not the best answer to the scenario. The exam is testing fitness of match, not just factual familiarity. If a scenario emphasizes cost predictability, the best answer may be a pricing or support concept rather than a technical service. If it emphasizes compliance tracking or policy enforcement, governance tools usually fit better than identity tools.

• Watch for keywords such as "upfront," "consumption-based," "high availability," "least privilege," "organized management," and "policy enforcement."
• Separate global Azure concepts from resource-level administration concepts.
• Identify whether the exam is testing what a service is, what it is used for, or how it differs from another service.

Exam Tip: During a full mock, do not stop to research a doubtful item. Finish the entire set first. The AZ-900 rewards broad composure across many short decisions, and over-fixating on one item can hurt your performance more than one uncertain answer ever will.

After each full mock, capture three things: topics you missed, topics you guessed correctly, and topics you answered correctly but slowly. All three categories matter. Slow correctness often signals weak mastery that can collapse under pressure on exam day.

Section 6.2: Detailed answer review and elimination strategy for tricky questions

The review phase is where your score improves. Many learners look only at wrong answers, but for AZ-900 you should also review correct answers that felt uncertain. The goal is to build a repeatable elimination method. Start by identifying the exact tested objective behind each tricky item. Was it really about cloud models, or was it about responsibility boundaries? Was it really about Azure networking, or was it testing whether you know that Azure virtual networks differ from content delivery or internet routing services?

A strong elimination strategy begins by removing options that belong to the wrong category. If a question asks about organizing resources for lifecycle and access management, eliminate answers that describe geographic deployment concepts. If a question asks about assigning permissions, eliminate answers that provide policy evaluation without granting access. This is one of the most common AZ-900 traps: governance and authorization are related, but they are not the same thing. Azure Policy evaluates and enforces standards. Azure RBAC grants access permissions. Microsoft Entra ID authenticates identities. The exam regularly checks whether you can keep those roles separate.

Another common trap is selecting the broadest-sounding answer. Broad terms like security, management, or availability often seem safe, but the best answer is usually the most precise. For example, if the need is to reduce administrative overhead and use a fully managed database, a database platform service fits better than a virtual machine. If the need is to host event-driven code without managing servers, a serverless service fits better than a general compute service.

Exam Tip: When two options look correct, ask which one directly solves the stated requirement with the least extra assumption. The official exam often rewards the answer that most specifically addresses the stated business or technical need.

Write short review notes in a structured format: tested concept, why the correct answer fits, why each distractor fails. This approach converts review into pattern recognition. Over time, you will notice recurring distractor styles such as replacing a management tool with a security tool, swapping a regional concept for an availability concept, or confusing pricing benefits with support benefits. Those patterns are exactly what careful review is meant to expose.

Section 6.3: Performance breakdown by Describe cloud concepts

The Describe cloud concepts objective sounds introductory, but it often determines whether candidates settle into the exam confidently. This domain tests whether you understand the economic and operational logic of cloud computing, not just the vocabulary. Review your weak spot analysis here in three groups: cloud models, cloud benefits, and pricing principles. If you missed questions in this domain, determine whether the issue was definition confusion or scenario interpretation.

Cloud models are frequent sources of avoidable errors. You must distinguish public cloud, private cloud, and hybrid cloud based on ownership, control, and integration. The exam may also frame this in terms of migration or regulatory needs. Shared responsibility is another major tested concept. The exact responsibility split depends on the service model, so be careful not to answer from a one-size-fits-all perspective. In infrastructure as a service, customers manage more than they do in platform as a service or software as a service. Candidates often overestimate what Microsoft manages in IaaS and underestimate what Microsoft manages in SaaS.

Benefits such as high availability, scalability, elasticity, agility, fault tolerance, and disaster recovery must be distinguished precisely. Scalability means handling increased demand by adding resources. Elasticity emphasizes automatic or dynamic adjustment to demand. Agility refers to faster provisioning and responsiveness. If your mock results show confusion among these terms, spend time comparing them side by side rather than rereading generic cloud definitions.

Pricing principles also matter. Understand the difference between CapEx and OpEx, consumption-based pricing, and factors that affect total cost. This domain may also test whether you know why the cloud can reduce upfront investment while improving flexibility. That is a business-value concept, not just a billing definition.

• Review where shared responsibility changes across IaaS, PaaS, and SaaS.
• Compare scalability versus elasticity using simple examples.
• Reinforce cloud model definitions with business scenarios.

Exam Tip: If a question mentions avoiding large upfront purchases, think OpEx first. If it mentions customer control over operating systems, think IaaS. If it emphasizes consuming a complete application, think SaaS.

Scoring weakly here usually means your foundation needs tightening. Fix this domain before memorizing more Azure service names, because later objectives assume you already think clearly about cloud fundamentals.

Section 6.4: Performance breakdown by Describe Azure architecture and services

This objective is broad and often carries the most visible service-recognition questions on the exam. Your weak spot analysis should break results into architectural components, compute, networking, storage, and databases. Many candidates know the names of services but lose points because they cannot match the requirement to the correct category. The exam may describe a need for isolated networking, globally redundant storage, managed relational data, or event-driven compute without naming the service directly. Your task is to infer the right fit.

Start with architecture. Be clear on regions, availability zones, region pairs, subscriptions, management groups, and resource groups. These are not interchangeable. Regions are geographic areas containing datacenters. Availability zones are separate physical locations within a region that support resiliency. Resource groups organize related resources for management. Subscriptions provide billing and management boundaries. Management groups sit above subscriptions for governance at scale. The exam frequently tests these distinctions with wording designed to make two options sound almost right.

Next, review compute services based on use case. Virtual machines support control and customization. Containers package applications consistently. App services support web hosting with less infrastructure management. Serverless offerings fit event-driven execution. In networking, know the purpose of virtual networks, VPN gateways, ExpressRoute, DNS, and load balancing at a high level. In storage, distinguish blobs, files, queues, and tables conceptually, and recognize redundancy options as resilience choices. For databases, differentiate managed relational and non-relational services without overcomplicating the technology.

Exam Tip: On architecture and services questions, first identify whether the requirement is about hosting, connecting, storing, or organizing. That single classification step often reveals the right answer category before you evaluate the exact service name.

One common trap is choosing the most familiar service instead of the most managed service. Another is confusing organizational hierarchy with physical deployment geography. If a question asks how to apply consistent administration across several subscriptions, the answer is not a region or resource group. If it asks how to increase resiliency within a region, a management boundary is not the answer. Match the requirement carefully to the layer being tested.

Section 6.5: Performance breakdown by Describe Azure management and governance

This domain tests whether you can distinguish identity, access, security posture, governance controls, compliance support, and cost management. These topics are closely related in practice, which is exactly why they are frequently confused on the exam. Your review should separate them into functional buckets: who a user is, what a user can access, what standards resources must follow, how your environment is monitored for security, and how spending is tracked or optimized.

Begin with identity and access. Microsoft Entra ID is for identity and authentication. Azure RBAC is for authorization to Azure resources. Multifactor authentication strengthens sign-in assurance. Conditional access evaluates sign-in conditions and can enforce requirements. These concepts connect, but they do not replace one another. This distinction is one of the highest-value review points in the chapter. Many distractors exploit the fact that candidates treat all security features as interchangeable.

Next, governance. Azure Policy enforces or audits standards. Resource locks prevent accidental deletion or modification. Tags support organization and reporting. Management groups and subscriptions provide administrative scope. For compliance and security posture, review Microsoft Defender for Cloud, the Service Trust Portal, and broad concepts like compliance offerings and secure score. For cost management, focus on pricing calculators, total cost of ownership concepts, budgets, and cost analysis tools.

Exam Tip: Ask whether the requirement is to identify a person, grant a permission, enforce a rule, detect security risk, or monitor cost. Those are five different functions, and AZ-900 often places their tools side by side in the answer options.

Typical traps include selecting Azure Policy when access permissions are needed, choosing RBAC when compliance enforcement is needed, or confusing budgeting tools with pricing estimation tools. Another recurring issue is not reading whether the question asks for prevention, detection, or reporting. A lock prevents accidental change. A policy enforces or audits compliance. A security dashboard helps assess posture. A calculator estimates cost before deployment. A cost analysis view helps evaluate actual spending patterns after resources are running.

Use your mock exam results to identify which of these categories causes the most hesitation. Then revisit the official objective language. The exam is designed around functional understanding. If you can explain what each service is for in one sentence and contrast it with adjacent services, you are close to exam-ready.

Section 6.6: Final review plan, confidence checks, and last-minute exam tips

Your final review should be structured, calm, and selective. Do not attempt to relearn the entire course in one sitting. Instead, use your weak spot analysis from Mock Exam Part 1 and Mock Exam Part 2 to create a short list of concepts that still produce confusion. The ideal last review window focuses on high-frequency contrasts: public versus private versus hybrid cloud, CapEx versus OpEx, IaaS versus PaaS versus SaaS, regions versus availability zones, resource groups versus subscriptions versus management groups, Entra ID versus RBAC versus Policy, and pricing calculators versus cost analysis tools.

Run a confidence check by explaining each of those contrasts out loud without notes. If you can state the purpose of each item and describe one reason it is not the neighboring item, your understanding is probably stable enough for the exam. If you cannot, revisit that concept briefly with examples. Avoid chasing low-probability details. AZ-900 is a fundamentals exam, so clear conceptual separation matters more than memorizing obscure feature lists.

On exam day, manage your mindset as carefully as your content knowledge. Read each question stem before looking at the answers. Identify the tested objective, then evaluate options. If an option is true in general but does not answer the stated need, eliminate it. If a question uses business language, translate it into Azure concepts. For example, reduced upfront spending suggests OpEx. Centralized policy enforcement suggests governance tools. High resiliency within a region suggests availability zones.

• Sleep adequately before the exam.
• Arrive early or prepare your online testing environment in advance.
• Avoid heavy last-minute cramming of unfamiliar content.
• Use a steady pace and do not panic over one difficult item.

Exam Tip: Confidence on AZ-900 comes from pattern recognition, not memorizing hundreds of isolated facts. Trust the method you practiced: identify the domain, extract the requirement, eliminate mismatched categories, then choose the most precise answer.

Finish this chapter by reviewing your personal checklist: exam logistics confirmed, identity documents ready if needed, testing device prepared, notes closed, and strategy clear. You are not aiming for perfection. You are aiming for consistent, well-reasoned choices across the official objective areas. That is exactly what this final review is designed to build.