AZ-900 Practice Test Bank: 200+ Questions

Section 1.1: AZ-900 exam purpose, audience, and certification value

AZ-900 is Microsoft’s entry-level Azure certification exam. Its purpose is to confirm that a candidate understands foundational cloud ideas and the basic capabilities of Microsoft Azure. The intended audience is broad: students, career changers, sales professionals, project managers, business stakeholders, and early-career IT learners can all benefit from it. It is also appropriate for technical professionals who are new to Azure and want a structured starting point before pursuing role-based certifications.

What the exam tests is important: not configuration depth, but service recognition and conceptual understanding. You should expect questions about cloud computing models, shared responsibility, regions and availability, pricing ideas, identity services, governance tools, and the purpose of major Azure offerings such as compute, storage, and networking. A common trap is assuming the exam is purely vocabulary-based. It is not. The exam often checks whether you can apply a concept to a simple business requirement. For example, it may require you to identify the most appropriate category of service or determine which cloud benefit best explains a scenario.

The certification value is strongest when you treat AZ-900 as a gateway. It helps establish cloud credibility, supports career conversations, and gives you language used across Azure documentation and later exams. It is especially useful for building confidence before moving into administrator, developer, security, or data-focused Azure paths. Employers often view AZ-900 as evidence that a candidate can discuss cloud basics intelligently, even if they are not yet an implementer.

Exam Tip: Fundamentals exams reward precision with basic concepts. If you cannot clearly explain terms like public cloud, hybrid cloud, CapEx, OpEx, high availability, and identity, you are likely to miss easy points later when those concepts appear inside service-based questions.

To get the most certification value, think beyond passing. Build a personal glossary, connect each concept to a real use case, and track which domain feels weakest. That habit will improve both your exam performance and your readiness for more advanced Azure learning.

Section 1.2: Exam registration, delivery options, and identity requirements

Registration and logistics may seem minor compared with technical study, but they are part of exam readiness. AZ-900 candidates typically schedule through Microsoft’s certification portal and select an available delivery option. Depending on region and current availability, you may be able to choose a test center appointment or an online proctored exam. Both options require planning, and both can create avoidable stress if handled late.

For test center delivery, plan travel time, parking, check-in timing, and accepted identification. For online delivery, plan your room setup, internet stability, webcam, microphone, and system compatibility. Many candidates underestimate the strictness of online proctoring rules. Desk clutter, background noise, unsupported devices, poor lighting, or identification mismatches can delay or even prevent exam launch. This is not a content problem, but it becomes a score problem if it disrupts your concentration.

Identity requirements are critical. Your registered exam name should match your identification documents exactly or very closely according to the provider’s rules. Review accepted forms of ID well before exam day. If you are using online proctoring, complete any required system tests in advance rather than minutes before your appointment. If you are testing from home, inform others not to interrupt you, since unexpected room entries can trigger security issues.

Exam Tip: Schedule the exam only after you have a realistic study timeline. An early date can motivate you, but a rushed date can create panic. The best date is one that gives you enough review cycles to cover all domains at least twice and complete meaningful practice analysis.

Strategically, choose the delivery method that best protects your focus. Some learners prefer the controlled environment of a test center. Others perform better at home. Neither is universally better; what matters is minimizing distractions and uncertainty. Exam success starts before the first question appears, and logistics are part of that preparation.

Section 1.3: Question types, scoring concepts, retake rules, and passing mindset

AZ-900 can include several item styles, not just standard multiple-choice questions. You may encounter single-answer items, multiple-answer items, drag-and-drop style interactions, matching, or short scenario-based prompts. The exact mix can vary, and that is why flexible exam technique matters. Do not assume that every question is asking for a memorized definition. Sometimes the exam is testing whether you can connect a requirement to the correct service category or cloud principle.

Scoring concepts matter because candidates often obsess over counting questions rather than mastering accuracy. Microsoft exams use scaled scoring, and the passing score is commonly reported as 700 on a scale of 100 to 1000. That does not mean you need 70 percent correct in a simple one-to-one way. Different questions may carry different value, and unscored beta or evaluation items can appear in some testing contexts. Your practical takeaway is simple: answer every question carefully and do not try to reverse-engineer your score during the exam.

Retake rules can change over time, so always verify the current policy from Microsoft before scheduling a second attempt. As a mindset principle, however, prepare as if you want to pass once. A retake should be a fallback, not a plan. Candidates who assume they can “just try it” often discover that weak fundamentals make later preparation harder because they carry forward incorrect assumptions.

Exam Tip: Read every answer choice completely before selecting one. In fundamentals exams, distractors are often plausible because they are real Azure terms. The correct answer is usually the one that matches the requirement most exactly, not the one that sounds most advanced.

A strong passing mindset combines calm with discipline. If a question feels unfamiliar, use elimination. Remove answers from the wrong category first. For example, if the requirement is about identity, governance tools and storage services are probably distractors. If the requirement is about cost behavior, technical deployment services are likely irrelevant. This kind of category-based elimination is one of the fastest ways to improve score consistency.

Section 1.4: Official exam domains overview and weighting strategy

The official AZ-900 skills outline is the most important study map you have. While exact wording and percentages may be updated by Microsoft, the major themes typically include cloud concepts, Azure architecture and services, and Azure management and governance. These domains align closely to what this course covers: cloud computing principles, shared responsibility, cloud models, consumption-based pricing, core Azure components, compute, networking, storage, identity, cost management, SLAs, compliance, and resource governance.

Your weighting strategy should reflect two truths. First, domain percentages matter because they influence how much study time each area deserves. Second, difficult weak areas deserve extra time even if their weight is lower. For example, if cloud concepts carry less weight than Azure services but you consistently miss cloud model and pricing questions, you are leaking points in a section that should be very learnable. Fundamentals candidates often gain the fastest improvement by fixing misunderstandings in high-frequency core concepts.

A practical approach is to create a three-column tracker: domain, confidence level, and error pattern. Under cloud concepts, note whether your mistakes involve public versus private cloud, elasticity versus scalability, or CapEx versus OpEx. Under architecture and services, note whether you confuse Azure Virtual Machines, App Services, virtual networks, blob storage, and Entra ID. Under management and governance, track confusion around Azure Policy, role-based access control, resource groups, subscriptions, SLAs, and pricing tools.

Exam Tip: The exam loves distinctions between related concepts. Learn not just what a service does, but what category it belongs to and what it does not do. Many wrong answers are correct Azure products placed in the wrong problem space.

Always study from the latest official outline, because Microsoft can adjust the blueprint. Build your revision plan around the domains, not around random internet lists of topics. If a topic is not aligned to the current objective areas, it is lower priority than a tested concept you still cannot explain clearly.

Section 1.5: Study methods for beginners using practice questions and review cycles

Beginners do best with structured repetition, not marathon memorization. Start with a simple cycle: learn a topic, summarize it in your own words, answer a small batch of related practice questions, review every explanation, and then revisit the topic after a short delay. This process works because it turns passive reading into active recall. In AZ-900 preparation, active recall is essential. If you cannot explain why one service fits a scenario better than another, your understanding is not yet exam-ready.

Practice tests are most effective when used diagnostically. Do not only record your score; record why you missed each item. Did you misread the requirement? Confuse similar services? Forget a definition? Fall for a distractor that sounded more technical? These are different problems and require different fixes. A misread issue calls for slower reading. A category confusion issue calls for a comparison chart. A definition gap calls for flashcards or a glossary. A distractor problem calls for more elimination practice.

Use review cycles intentionally. One useful beginner schedule is:

• Cycle 1: Learn one domain at a time and answer small focused question sets.
• Cycle 2: Mix domains together to simulate real exam switching.
• Cycle 3: Rework only missed or guessed questions and explain each answer aloud.
• Cycle 4: Take a timed practice set and evaluate pacing, confidence, and weak areas.

Exam Tip: A guessed correct answer is still a study signal. If you cannot explain why it is right and why the others are wrong, treat it as unfinished learning.

For beginners, concise notes beat giant notebooks. Build short comparison pages such as “Azure compute options,” “storage types,” “networking basics,” and “governance tools versus identity controls.” These comparison notes make exam elimination much easier because they sharpen boundaries between similar terms. Your goal is not to memorize everything about Azure; it is to become reliable at recognizing the tested purpose of each concept.

Section 1.6: Common mistakes, time management, and test-day readiness

Several common mistakes repeatedly hurt AZ-900 candidates. The first is overcomplicating fundamentals questions. When a question asks for a basic cloud or service concept, some candidates choose the answer that sounds most sophisticated rather than the one that best matches the objective. The second is studying service names without learning category boundaries. For example, knowing that a product exists is not enough if you cannot tell whether it belongs to identity, governance, networking, or storage. The third is ignoring weak areas because they feel boring or repetitive. Fundamentals points are often won by mastering exactly those “simple” distinctions.

Time management on AZ-900 is usually more forgiving than on advanced technical exams, but poor pacing still causes errors. Move steadily. Do not spend too long on one uncertain item early in the exam. If the platform allows review, mark difficult items and return later with a fresh perspective. Many candidates answer better after seeing later questions that trigger a forgotten concept. However, do not rely on that. Your best defense is disciplined reading the first time.

Before exam day, complete a final readiness check. Confirm your appointment, identification, delivery method, and environment. Review your domain tracker and spend your last study session on high-yield distinctions, not on entirely new topics. Revisit core cloud concepts, pricing ideas, major Azure services, governance tools, and frequently confused pairs of terms. Sleep matters more than one last hour of panicked cramming.

Exam Tip: In the final 24 hours, prioritize clarity over volume. A calm review of key distinctions is far more useful than trying to absorb large new notes when your brain is already saturated.

On test day, read carefully, eliminate aggressively, and trust the preparation process. Your objective is not perfection. It is consistent, informed decision-making across the official domains. If you can identify what the question is really testing, remove distractors from the wrong category, and stay calm through uncertain items, you will perform far better than candidates who studied longer but practiced less strategically.

Section 2.1: Describe cloud computing and the value of cloud services

Cloud computing refers to the delivery of computing services over the internet. These services can include servers, storage, databases, networking, analytics, and software. In exam language, cloud computing is typically described as providing on-demand access to a shared pool of configurable resources that can be provisioned and released quickly with minimal management effort. If that definition feels formal, simplify it this way: instead of buying and maintaining everything yourself, you consume IT capabilities as services.

The value of cloud services is one of the most frequently tested themes in AZ-900. Microsoft wants you to know why organizations move from traditional on-premises environments to cloud platforms. Core benefits include high availability, scalability, elasticity, agility, geo-distribution, and disaster recovery. High availability means services remain accessible despite failures. Scalability means resources can be increased to handle more demand. Elasticity goes further, allowing resources to automatically increase or decrease as demand changes. Agility refers to how quickly resources can be provisioned. Geo-distribution allows services to be deployed in multiple geographic regions, and disaster recovery supports business continuity after disruptions.

Another major cloud value proposition is financial flexibility. Traditional environments often require large upfront capital expenditures for hardware, facilities, and capacity planning. Cloud services shift many costs into operational expenditure, where organizations pay for usage over time. This supports experimentation, faster project starts, and less wasted capacity. On the exam, if the scenario emphasizes avoiding large upfront purchases, reducing hardware management, or launching quickly, cloud adoption is usually the best conceptual fit.

A common exam trap is confusing cloud benefits that are related but not identical. For example, high availability is not the same as disaster recovery. High availability focuses on keeping services running during component failures, while disaster recovery focuses on restoration after a major outage or regional event. Similarly, scalability is not the same as elasticity. Scalability can be manual or planned, while elasticity implies dynamic adjustment based on demand.

• High availability = maximize uptime
• Scalability = handle growth
• Elasticity = automatically adapt to changing demand
• Agility = provision resources quickly
• Fault tolerance = continue operating despite failures

Exam Tip: If a question highlights sudden or unpredictable spikes in demand, look for elasticity rather than simple scalability. If it emphasizes reducing time to deploy new resources, the concept being tested is usually agility.

To identify the correct answer, first isolate the business need, then match it to the cloud concept. Distractors often mention a real cloud feature but solve a different problem. The exam rewards selecting the most precise benefit, not just any positive statement about the cloud.

Section 2.2: Describe the shared responsibility model

The shared responsibility model explains how security, management, and operational duties are divided between the cloud provider and the customer. This is a foundational AZ-900 objective because many learners incorrectly assume that moving to the cloud means the provider is responsible for everything. That is false, and Microsoft regularly tests this misunderstanding. The correct principle is that responsibilities vary depending on the service model being used.

At a high level, the cloud provider is always responsible for the security of the cloud, meaning the physical datacenters, hardware, networking infrastructure, and foundational platform components it operates. The customer is always responsible for security in the cloud to some degree, including data, identities, access management, and configuration choices. As you move from Infrastructure as a Service to Platform as a Service to Software as a Service, more responsibility shifts to the provider.

In Infrastructure as a Service, the provider manages the physical infrastructure, but the customer still manages operating systems, applications, network controls, and data. In Platform as a Service, the provider manages more of the platform stack, such as the operating system and runtime environment, while the customer focuses mainly on applications and data. In Software as a Service, the provider manages nearly everything related to the application platform itself, but the customer still owns data governance, user access, and how the service is configured and used.

A frequent exam trap is assuming that SaaS removes responsibility for data protection or identity management. It does not. Even with SaaS, the customer remains responsible for things like account permissions, classification of sensitive information, and ensuring users follow governance policies. Another trap is confusing provider responsibility for infrastructure availability with customer responsibility for correct configuration. If a breach occurs because permissions were assigned too broadly, that is generally a customer-side responsibility.

Exam Tip: On AZ-900, think in layers. If the layer is physical hardware or host infrastructure, the provider is usually responsible. If the layer involves customer data, user access, or application-level settings, the customer usually retains responsibility.

To answer shared responsibility questions correctly, identify the service model first. Then ask which layer the question is targeting: physical environment, operating system, application runtime, data, or identity. Eliminating answers becomes much easier once you classify the layer. Remember that Microsoft is not testing advanced security architecture here; it is testing whether you understand that cloud responsibility is divided, not transferred completely.

Section 2.3: Describe cloud models including public, private, and hybrid

AZ-900 expects you to compare the main cloud models: public cloud, private cloud, and hybrid cloud. These are not service models like IaaS, PaaS, and SaaS; they describe where resources are hosted and how the environment is managed. This distinction matters because the exam often places both sets of terms in the same answer list to see whether you can tell them apart.

A public cloud is owned and operated by a third-party provider such as Microsoft, and resources are delivered over the internet to multiple customers. The major benefits include reduced upfront cost, rapid provisioning, broad scalability, and the provider handling much of the infrastructure management. For most AZ-900 scenarios involving quick deployment, global scale, or avoiding datacenter ownership, public cloud is the best match.

A private cloud is used by a single organization. It may be hosted on-premises or by a third party, but the environment is dedicated to one customer. Private cloud is often associated with greater control, custom security requirements, or strict regulatory needs. However, exam candidates should be careful not to assume private cloud is automatically more secure in every scenario. The more accurate statement is that it offers greater control and isolation, not guaranteed superiority in all security outcomes.

A hybrid cloud combines public cloud and private infrastructure, allowing data and applications to move between them. Hybrid models are commonly used when an organization needs to keep some workloads on-premises while taking advantage of public cloud scalability, backup, bursting, or modernization. If the exam mentions legacy systems, data residency constraints, phased migration, or integration between on-premises resources and Azure, hybrid cloud is usually the concept being tested.

Another cloud model sometimes discussed in broader learning is multicloud, where an organization uses services from more than one cloud provider. While this may appear in study discussions, the core AZ-900 focus is public, private, and hybrid. Do not overcomplicate the exam objective.

• Public cloud: shared provider-managed infrastructure, fast and scalable
• Private cloud: dedicated environment for one organization, more control
• Hybrid cloud: combines both to meet mixed business and technical needs

Exam Tip: If a scenario says a company must keep certain systems on-premises but wants to use cloud services for other workloads, choose hybrid cloud unless the wording clearly suggests a different concept.

Common distractors include confusing “hybrid” with “multicloud” or treating “private” as a service model. Read the question stem carefully. If it asks where workloads are hosted and how environments are combined, it is testing cloud models, not IaaS/PaaS/SaaS.

Section 2.4: Describe consumption-based pricing and cloud economics

One of the defining characteristics of cloud computing is consumption-based pricing. Instead of purchasing fixed hardware capacity in advance, organizations pay for the resources they use. In exam terms, this model helps reduce large upfront capital expenditures and replaces them with operational expenditures that can scale with demand. Microsoft expects AZ-900 candidates to understand this shift because it is central to cloud value, budgeting, and service adoption.

CapEx, or capital expenditure, refers to money spent upfront on physical assets such as servers, datacenter space, and networking equipment. OpEx, or operational expenditure, refers to ongoing costs for products and services consumed over time. In a traditional on-premises model, organizations often invest heavily in infrastructure before they know exactly how much capacity they will need. In the cloud, they can provision what they need, when they need it, and often stop paying when the resource is no longer required.

This economic model supports flexibility, but it also introduces the need for cost awareness. Consumption-based pricing does not automatically mean lower cost in every situation. Poorly managed resources, overprovisioning, or unused services can still create waste. For AZ-900, you are not expected to perform advanced cost optimization calculations, but you should understand that the cloud can improve cost efficiency when aligned to real usage patterns. This is especially valuable for test questions involving variable workloads, short-term projects, or development environments.

A common exam trap is assuming cloud means “free until fully used” or “always cheaper than on-premises.” Those statements are too broad. The better idea is that cloud enables organizations to align spending more closely with consumption. If demand is temporary or unpredictable, the cloud often provides stronger economic advantages. If the scenario emphasizes avoiding overbuying hardware for peak usage that only occurs occasionally, the correct reasoning is consumption-based pricing combined with elasticity.

Exam Tip: Watch for wording such as “pay only for what you use,” “reduce upfront costs,” “scale spending with demand,” and “avoid purchasing excess capacity.” Those phrases almost always point to consumption-based pricing and OpEx thinking.

To identify the best answer, determine whether the question is asking about budgeting structure, resource efficiency, or technical scaling. Cost questions often include distractors based on performance or availability benefits, but the correct answer will focus on financial behavior: variable spending, lower initial investment, and improved alignment between usage and cost.

Section 2.5: Describe serverless, scalability, elasticity, and reliability concepts

This section brings together several cloud concepts that are easy to confuse on the exam: serverless computing, scalability, elasticity, and reliability. All are related to how cloud solutions respond to demand and maintain service quality, but they are not interchangeable. Microsoft frequently tests them by presenting a business scenario and asking you to pick the concept that best fits.

Serverless computing does not mean there are literally no servers. It means the cloud provider manages the infrastructure required to run the code or workflow, and the customer focuses on the application logic. Serverless is often event-driven and can scale automatically. It is especially useful when workloads are intermittent or unpredictable because organizations avoid maintaining idle infrastructure. On AZ-900, if the scenario mentions executing code in response to events, paying per execution, or minimizing infrastructure management, serverless is a likely answer.

Scalability refers to the ability of a system to handle increased workload by adding resources. This can be vertical, such as increasing CPU or memory on a machine, or horizontal, such as adding more instances. Elasticity is related but more dynamic. It is the ability to automatically add or remove resources in response to changing demand. The exam often uses changing website traffic as an example. If growth is planned and sustained, scalability may be enough. If demand rises and falls frequently, elasticity is the stronger term.

Reliability is the ability of a system to recover from failures and continue functioning. In practical terms, reliable systems are designed to handle disruptions gracefully. High availability, redundancy, and fault tolerance all contribute to reliability, but they are not exact synonyms. Reliability is the broader operational outcome.

Common traps include choosing scalability when the scenario clearly requires automatic adjustment, which would be elasticity, or selecting high availability when the question actually asks about overall resilience and recovery, which is reliability. Another trap is assuming serverless is always the cheapest or best option. The exam usually presents it as a fit for specific workload patterns, not as a universal answer.

Exam Tip: Ask what the system must do: grow to meet demand, automatically expand and shrink, recover from failure, or run code without managing servers. That single question often reveals the correct concept immediately.

Use elimination aggressively. If the requirement is “automatic” response to traffic, remove answers that only imply manual growth. If the emphasis is minimizing infrastructure administration for event-driven tasks, serverless becomes the best conceptual match.

Section 2.6: Exam-style practice set for Describe cloud concepts

This final section is designed to help you think like the exam without presenting actual quiz items in the chapter text. Your task on AZ-900 is rarely to recite a definition in isolation. More often, Microsoft presents a short scenario, a business requirement, or a comparison statement and asks you to select the best cloud concept. That means strong performance depends on applied understanding and disciplined elimination, not just memorization.

When practicing foundational cloud concept questions, start by identifying the category being tested. Is the item about business value, shared responsibility, cloud models, pricing, or workload behavior? Once you classify the topic, your answer choices become easier to evaluate. For example, if the stem asks who manages a layer of the stack, you are in shared responsibility territory. If it asks how an organization can avoid large upfront hardware costs, that is cloud economics. If it asks where workloads should reside when some must remain on-premises, that is a cloud model question.

One of the most effective study strategies is to build “signal words” for each concept. Public cloud often signals rapid deployment and reduced infrastructure ownership. Hybrid cloud often signals coexistence with on-premises systems. Elasticity signals automatic response to changing demand. Reliability signals recovery and continued operation during failure. Serverless signals event-driven execution with minimal infrastructure management. Shared responsibility signals dividing duties between provider and customer.

Common distractors in this domain include answers that are true statements about the cloud but do not answer the exact requirement. For instance, a question about pricing may include a technically correct answer about scalability. That answer is still wrong if the requirement is financial rather than operational. This is why precise reading matters.

Exam Tip: Before selecting an answer, paraphrase the question in your own words. If you can restate the requirement clearly, distractors become much easier to reject.

As you review this chapter, make sure you can do four things confidently: define cloud computing in practical business language, distinguish provider and customer responsibilities, compare public/private/hybrid approaches, and connect pricing and scaling concepts to real workload behavior. Those skills will improve both your accuracy on cloud-concept questions and your readiness for later Azure service topics.

Section 3.1: Describe Azure regions, region pairs, sovereign regions, and availability zones

Azure organizes its global infrastructure into regions, and this is one of the first architecture topics the AZ-900 exam tests. A region is a geographic area that contains one or more datacenters connected through a low-latency network. Regions matter because organizations choose them for reasons such as compliance, latency, data residency, and disaster recovery planning. If a company wants its applications close to users in Europe, it may deploy resources in a European Azure region. If it must keep data inside a certain country or legal boundary, region choice becomes even more important.

Do not confuse a region with an availability zone. An availability zone is a physically separate location within a single Azure region. Zones are designed to improve resiliency. If one zone experiences a failure, resources in another zone may continue operating. On the exam, when the requirement is protection against datacenter-level failure within the same region, availability zones are often the right concept. When the requirement is geographic separation across broader areas, the answer is more likely regions or region pairs.

Region pairs are another tested concept. Many Azure regions are paired with another region in the same geography. This supports certain disaster recovery and platform update strategies. Microsoft can prioritize recovery for one region in a pair if a broad outage occurs. Candidates sometimes overcomplicate this topic. For AZ-900, know the basic purpose: region pairs support resiliency and business continuity planning across regions.

Sovereign regions are specialized Azure environments created to meet strict regulatory or government requirements. These are separate from the standard public Azure regions. If a question mentions government-only usage, highly regulated national requirements, or isolated cloud environments, sovereign regions should come to mind.

Exam Tip: If the wording says “within a region,” think availability zones. If it says “across geographies” or “paired region for recovery,” think regions or region pairs. If it emphasizes government or strict national boundaries, think sovereign regions.

A common trap is assuming every high-availability question points to availability zones. Not necessarily. Zones address physical separation inside a region, but business continuity across larger outages may require multiple regions. Another trap is thinking a region is just a billing label. It is a deployment location with performance, compliance, and resiliency implications. On the exam, the correct answer usually aligns with the scope of the failure or policy requirement described.

Section 3.2: Describe Azure resources, subscriptions, management groups, and resource groups

This topic is about Azure’s logical organization model, and Microsoft tests it because it affects governance, billing, and administration. At the lowest level, an Azure resource is an individual service instance such as a virtual machine, storage account, virtual network, or database. Resources are what you actually deploy and use. However, resources do not exist in isolation. Azure provides a hierarchy to organize them.

A resource group is a logical container for resources. Resources that share a common lifecycle are often placed in the same resource group. For example, all components of a development web application might be grouped together. Resource groups help with organization, permissions, automation, and deletion. A key exam point is that a resource group is not the same thing as a subscription. It does not represent billing ownership in the same way. It is a management container inside a subscription.

A subscription is a broader boundary used for billing, access control, and service limits. Organizations often use multiple subscriptions to separate departments, environments, or workloads. On exam questions, if the requirement focuses on cost tracking, usage boundaries, or access separation at a higher level, subscription is frequently the correct answer.

Management groups sit above subscriptions and allow centralized governance across multiple subscriptions. This is important for enterprises that want to apply policies and administrative control consistently. For AZ-900, you do not need to know advanced implementation details. You do need to know that management groups help organize and govern multiple subscriptions together.

Exam Tip: Remember the hierarchy from broadest to narrowest: management groups, subscriptions, resource groups, resources. That order appears repeatedly in study materials and is a reliable memory anchor for the exam.

A common trap is assuming resources in the same resource group must always be in the same region. Azure allows flexibility depending on the resource types, so avoid oversimplified assumptions. Another trap is choosing a resource group when the question is really about billing or enterprise-wide governance. If billing is central to the requirement, think subscription. If many subscriptions need common policy application, think management groups. If the question asks where a VM or storage account logically resides, think resource group.

The exam is really testing whether you understand scope. Resource groups manage related resources. Subscriptions define billing and access boundaries. Management groups govern multiple subscriptions. If you can identify that scope quickly, these questions become much easier.

Section 3.3: Describe core compute services including virtual machines, containers, and Azure Functions

Compute services are central to the Azure architecture domain because they represent how workloads actually run in the cloud. On AZ-900, you are expected to recognize the main Azure compute options and choose the best fit for a stated business requirement. The exam typically does not ask for configuration steps. It asks whether you understand the operating model of each service.

Azure Virtual Machines provide infrastructure-as-a-service compute. A VM gives the customer control over the operating system, installed software, and many configuration details. This makes VMs suitable when an organization needs maximum flexibility, legacy software support, or direct operating system access. If a question mentions lifting and shifting an existing server-based app to Azure with minimal redesign, virtual machines are often a strong answer.

Containers package an application and its dependencies into a lightweight, portable unit. They are faster to start and more efficient than full virtual machines because they do not require the same level of overhead. On the exam, containers are the right mental model when the requirement emphasizes portability, consistency across environments, and modern application deployment. Do not confuse containers with virtual machines: containers virtualize at the application layer, while VMs virtualize at the hardware level.

Azure Functions is a serverless compute service used for event-driven execution. It is ideal when code should run in response to triggers such as timers, HTTP requests, or messages. On AZ-900, Functions often appears when the requirement is to run small pieces of code without managing underlying servers. This is one of the easiest places to score points if you recognize the phrase “event-driven” or “run code on demand.”

Exam Tip: Ask how much infrastructure management the customer wants. Full server control points to virtual machines. Lightweight application packaging points to containers. No server management with trigger-based execution points to Azure Functions.

A classic trap is choosing VMs simply because they seem universal. VMs can run many things, but they are not always the most appropriate answer. Another trap is confusing Azure Functions with containers because both can support modern apps. The difference is the execution model: Functions is serverless and event-based, while containers package and run applications more generally. Microsoft tests your ability to choose the simplest appropriate service, not the most powerful one.

In practice questions, read for cues such as control, portability, scalability, and management overhead. Those words usually reveal which compute service the exam wants you to identify.

Section 3.4: Describe core networking services including VNets, VPN, ExpressRoute, DNS, and load balancing

Networking questions on AZ-900 usually test service recognition rather than engineering design. You need to know what each core networking service does and in what kind of scenario it is commonly used. The most fundamental service is the Azure Virtual Network, or VNet. A VNet is a private network in Azure that allows Azure resources to communicate securely with each other, the internet, and on-premises environments depending on configuration. If the exam asks for network isolation or private communication among Azure resources, VNet is a key answer choice.

A VPN connection allows encrypted connectivity between Azure and another network over the public internet. It is a common solution when a company wants secure connectivity but does not require a dedicated private circuit. ExpressRoute, by contrast, provides a private dedicated connection between on-premises infrastructure and Microsoft cloud services. On the exam, if the requirement stresses private connectivity that does not traverse the public internet, ExpressRoute is usually the correct choice.

Azure DNS provides domain hosting and name resolution services. Questions on this topic are usually straightforward: if the scenario involves translating names to IP addresses in Azure-managed DNS zones, Azure DNS is the concept being tested.

Load balancing distributes traffic across multiple resources to improve availability and performance. Microsoft may phrase questions around distributing user requests, avoiding single-server overload, or supporting high availability. You are not expected to master every load-balancing product at this level, but you should understand the broad purpose.

Exam Tip: Public internet plus encrypted tunnel suggests VPN. Private dedicated enterprise connection suggests ExpressRoute. Private network in Azure suggests VNet. Traffic distribution suggests load balancing. Name resolution suggests DNS.

A common trap is treating VPN and ExpressRoute as interchangeable. Both connect environments, but the connection model is different. Another trap is thinking a VNet alone provides all hybrid connectivity. A VNet is the Azure private network foundation, but VPN or ExpressRoute may be needed to extend connectivity to on-premises networks. If the question asks what the company wants to achieve, focus on the business need first, then match the service.

For exam success, memorize the plain-language purpose of each networking service. AZ-900 rewards clarity of understanding more than technical detail.

Section 3.5: Describe core storage services including blobs, files, disks, redundancy, and migration options

Storage is another high-value AZ-900 topic because Microsoft wants candidates to recognize the major storage types and when each is used. Azure Blob Storage is object storage for massive amounts of unstructured data, such as images, video, backups, logs, and documents. On the exam, if the scenario mentions unstructured data or scalable object storage, blobs are usually the best fit.

Azure Files provides fully managed file shares in the cloud. This is different from blob storage because it supports file-sharing scenarios using familiar file access approaches. If the requirement sounds like a traditional shared file system for users or applications, Azure Files should come to mind before blobs.

Managed disks are block-level storage volumes for Azure virtual machines. If a question is about VM operating system storage or attached storage for a virtual machine, disks are the likely answer. Candidates often lose points by choosing a more general storage service when the question clearly references a VM storage need.

Redundancy options are also tested at a high level. Azure offers multiple ways to replicate data for durability and availability. For AZ-900, know the broad idea that some redundancy options keep copies within a datacenter, some across zones in a region, and some across regions. You do not need exhaustive engineering depth, but you should understand that redundancy choice affects resiliency and data protection.

Migration options may appear in simple service-recognition form. Microsoft may ask which service or approach helps move data into Azure or migrate workloads. At this exam level, recognize that Azure supports storage migration and data transfer options for bringing existing information into the cloud.

Exam Tip: Unstructured object data points to Blob Storage. Shared file access points to Azure Files. Storage attached to VMs points to managed disks. Resiliency wording often indicates a redundancy concept rather than a storage type.

A common trap is assuming all storage is interchangeable. It is not. Blob, file, and disk storage solve different problems. Another trap is focusing only on capacity and ignoring access pattern. The exam often reveals the correct answer through how the data will be accessed. Ask: Is this object data, a shared file system, or VM-attached storage? That question usually narrows the correct answer immediately.

Section 3.6: Exam-style practice set for Describe Azure architecture and services

This final section is about how to think through architecture-and-services questions on the AZ-900 exam. Rather than memorizing isolated facts, train yourself to identify the tested objective behind the wording. Microsoft commonly writes questions that appear broad, but a single keyword reveals the intended answer. For example, “private dedicated connectivity” points toward ExpressRoute, “event-driven code” points toward Azure Functions, and “unstructured data” points toward Blob Storage.

When working through practice questions, first classify the scenario into one of the major categories covered in this chapter: global infrastructure, resource hierarchy, compute, networking, or storage. Once you know the category, compare answer choices based on scope and purpose. A large percentage of incorrect answers can be eliminated because they belong to the wrong layer entirely. If the requirement is about organizing resources for billing and governance, a compute service is automatically wrong. If the requirement is about traffic distribution, a storage service is automatically wrong.

Exam Tip: Elimination is especially effective in AZ-900 because distractors are often real Azure services that solve different problems. Wrong answers are usually not nonsense; they are valid services used in the wrong context.

Watch for common traps. “High availability” may refer to zones, regions, or load balancing depending on the scenario. “Secure connection” could mean VPN or ExpressRoute, and the phrase “over the public internet” is often the deciding clue. “Application hosting” could refer to VMs, containers, or Functions, and the key differentiator is how much infrastructure management is expected.

Your study goal is not to become an Azure architect after one chapter. Your goal is to recognize the exam patterns. Build a quick mental checklist: What is the requirement? What layer is being tested? What scope is involved? Which service most directly satisfies that requirement? If you use that process during practice, your accuracy will increase because you are reasoning like the exam writers expect.

Before moving to the next chapter, make sure you can explain in plain language what each major service in this chapter does. If you can teach the difference between a region and an availability zone, a subscription and a resource group, a VM and Azure Functions, a VPN and ExpressRoute, and blobs and files, then you are building exactly the service recognition skill that AZ-900 rewards.

Section 4.1: Describe Azure identity, access, and security basics with Microsoft Entra ID

Microsoft Entra ID, formerly known as Azure Active Directory, is Microsoft’s cloud-based identity and access management service. For AZ-900, you should know it is used to manage identities for users, groups, and applications, and it helps control access to both cloud applications and many on-premises-connected environments. On the exam, Microsoft often tests whether you understand that Microsoft Entra ID is not the same thing as Active Directory Domain Services running on a traditional Windows Server domain. That distinction is a classic trap.

Microsoft Entra ID provides centralized identity management. Users can sign in once and access approved resources based on organizational policies. It supports single sign-on, application integration, and identity protection scenarios. In Azure, identity is foundational because nearly every resource and management action relies on verifying who is requesting access. If the question mentions user sign-in to Microsoft 365, Azure, or SaaS apps, Microsoft Entra ID is usually central to the answer.

At the fundamentals level, also understand the concept of identities in Azure. An identity can represent a person, a service, or a device. The exam may refer to users and groups, but it may also mention service principals or managed identities. The key idea is that Azure can assign permissions to identities so resources can be accessed securely without embedding credentials in code.

Security basics in this area include identity-based security, centralized access control, and secure authentication methods. Microsoft Entra ID helps reduce the risk of weak or duplicated access practices by storing identity information in a managed cloud service. It also supports modern security controls that are difficult to maintain consistently in disconnected systems.

• Microsoft Entra ID is a cloud identity service.
• It manages users, groups, and application identities.
• It supports single sign-on to cloud apps and Azure resources.
• It is not the same as on-premises Active Directory Domain Services.
• It is a core building block for authentication and access control in Azure.

Exam Tip: If the answer choices include Windows Server Active Directory, Active Directory Domain Services, and Microsoft Entra ID, look for whether the scenario is about cloud identity and SaaS sign-in. If yes, Microsoft Entra ID is usually the correct choice.

A common exam trap is assuming every directory-related requirement points to a traditional domain controller. AZ-900 questions are usually testing service purpose, not deep implementation detail. If the requirement is broad cloud identity, Microsoft Entra ID is the expected answer.

Section 4.2: Describe authentication, authorization, conditional access, and role-based access control

This section is one of the most important in the chapter because Microsoft frequently tests the difference between authentication and authorization. Authentication answers the question, “Who are you?” Authorization answers, “What are you allowed to do?” Many candidates know the words but miss scenario questions because they do not separate identity verification from permission assignment. If a user proves their identity with credentials or multifactor authentication, that is authentication. If Azure decides whether the user can read a storage account or manage a virtual machine, that is authorization.

Conditional Access builds on authentication by evaluating sign-in conditions and enforcing policies. For example, access might require multifactor authentication when a user signs in from an unfamiliar location or from an unmanaged device. On AZ-900, you do not need to configure Conditional Access, but you should recognize its purpose: applying access decisions based on signals and policy conditions.

Azure role-based access control, or Azure RBAC, is the primary authorization model for Azure resources. It allows organizations to assign roles to users, groups, and service principals at different scopes, such as management group, subscription, resource group, or individual resource. This lets Azure enforce least privilege, meaning users receive only the permissions they need. The exam may ask you to identify the best way to grant access to manage or view resources without giving full control. That is usually an RBAC question.

Be careful with wording. Authentication methods include passwords, passwordless sign-in, multifactor authentication, and federation scenarios. Authorization methods include role assignment and policy enforcement. Conditional Access is not the same as RBAC. Conditional Access decides whether and under what conditions access is allowed. RBAC determines what actions are permitted after access is granted.

• Authentication verifies identity.
• Authorization determines permissions.
• Conditional Access applies policy-based sign-in decisions.
• Azure RBAC assigns permissions to Azure resources.
• Least privilege is a key access-control principle.

Exam Tip: When you see words like sign-in, verify, credential, or MFA, think authentication. When you see words like read, write, delete, manage, or assign access, think authorization and RBAC.

A frequent distractor is confusing Azure Policy with Azure RBAC. Azure Policy focuses on compliance and resource rules, such as allowed locations or required tags. Azure RBAC focuses on who can perform actions on resources. If the scenario asks about permission to create or manage a resource, RBAC is the better fit.

Section 4.3: Describe database services including relational, non-relational, and managed database options

AZ-900 expects you to distinguish broad categories of database services rather than perform database administration. Start with relational databases. Relational data is stored in tables with rows and columns, and relationships are defined between tables. Structured business data such as customer records, invoices, inventory, and transactional systems commonly use relational databases. In Azure, key managed relational offerings include Azure SQL Database, Azure SQL Managed Instance, and database engines available through Azure virtual machines.

Non-relational databases are often used when data does not fit strict tabular structures or when global scale, flexible schema, or very high throughput is important. Azure Cosmos DB is the most recognizable non-relational service for the exam. It is a fully managed database service designed for modern app development with global distribution and flexible data models. If a question mentions low-latency global access or document-style data, Azure Cosmos DB should come to mind.

Managed database options are important because Microsoft often tests the cloud value proposition. A managed database service reduces administrative burden. Microsoft handles much of the patching, availability, backups, and platform maintenance. That means if the scenario emphasizes minimizing management overhead, improving scalability, or using a platform service instead of managing servers, a managed Azure database option is likely correct.

Do not overcomplicate the distinction between database hosting models. Running SQL Server inside an Azure virtual machine offers more control over the operating system and database engine environment, but it also requires more customer management. Azure SQL Database is more platform-managed. Azure SQL Managed Instance sits between traditional SQL compatibility and platform management. At the AZ-900 level, the exam usually tests those broad tradeoffs, not detailed feature matrices.

• Relational databases store structured data in tables.
• Azure SQL Database is a managed relational database service.
• Azure Cosmos DB is a non-relational, globally distributed database service.
• Managed services reduce administrative effort.
• Virtual machine hosting provides more control but more management responsibility.

Exam Tip: If the requirement mentions structured transactions, SQL compatibility, or tabular records, lean relational. If it mentions flexible schema, globally distributed apps, or document data, consider Azure Cosmos DB.

A common exam trap is choosing a storage service instead of a database service. Blob storage stores unstructured objects, but it is not a relational database. Read the requirement carefully: if the question is about querying structured business records and relationships, use a database answer, not general storage.

Section 4.4: Describe analytics and data services including data warehousing and big data concepts

Analytics services are designed to process, transform, aggregate, and analyze data at scale. The AZ-900 exam does not expect you to be a data engineer, but it does expect you to identify which Azure services align to reporting, warehousing, and big data scenarios. A data warehouse is optimized for analytical queries rather than day-to-day transaction processing. It consolidates data from multiple sources so organizations can run reporting and business intelligence workloads efficiently.

In Azure fundamentals content, Azure Synapse Analytics is a core service to recognize for analytics and data warehousing. It combines big data and data warehousing capabilities, making it suitable for enterprise analytics scenarios. If the requirement mentions large-scale reporting, integrated analytics, or combining data ingestion and analysis, Synapse is often a strong choice.

Big data refers to very large and complex datasets that require specialized tools and distributed processing. On the exam, you may not see deep architecture language, but you should understand the general concept: big data solutions are built to process volume, velocity, and variety beyond what a small traditional database workflow can handle comfortably. Azure services in this space support large-scale processing, analytics pipelines, and data exploration.

You should also understand the difference between operational databases and analytical stores. Operational systems capture transactions. Analytical systems help identify trends, summarize information, and support decision-making. The exam may describe business leaders wanting dashboards or historical trend analysis. That wording usually points to analytics rather than transactional databases.

• Data warehousing focuses on analytics and reporting.
• Operational databases support day-to-day transactions.
• Azure Synapse Analytics is associated with analytics and warehousing.
• Big data solutions process large, diverse, or fast-moving datasets.
• Analytics services support business insights and decision-making.

Exam Tip: If a scenario emphasizes dashboards, trend analysis, enterprise reporting, or combining data from many sources, think analytics or warehousing instead of standard transactional databases.

One trap is assuming that any database can serve equally well as a warehouse. The exam wants you to recognize purpose-built services. Another trap is confusing storage of raw data with analysis of that data. Storing information is not the same as extracting insights from it. Read for the business goal: capture transactions, store objects, or analyze data.

Section 4.5: Describe Azure management tools, monitoring tools, AI services, and developer support services

This section combines several service families that often appear as recognition questions on AZ-900. First, management tools. You should know the purpose of the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI at a high level. The Azure portal is a browser-based graphical interface. PowerShell and CLI provide command-line management options. Cloud Shell offers a ready-to-use shell experience in the browser. When the exam asks how administrators can create, manage, or automate Azure resources, these tools are central answer choices.

Monitoring tools are another frequent objective. Azure Monitor is the core service for collecting, analyzing, and acting on telemetry from Azure and on-premises environments. It can track metrics, logs, and alerts. At a basic level, understand that monitoring helps organizations observe system health, performance, and operational issues. If the scenario mentions visibility, alerting, diagnosing failures, or tracking resource performance, Azure Monitor is the likely answer.

AI services are tested at a very high level in AZ-900. Microsoft wants you to recognize that Azure offers AI capabilities through managed services rather than requiring every organization to build machine learning platforms from scratch. Azure AI services provide prebuilt capabilities for vision, speech, language, and related intelligent features. The exam usually tests awareness, not model design.

Developer support services include tools that help teams build, deploy, and collaborate more efficiently. Azure DevOps is commonly tested for pipelines, repositories, work tracking, and software lifecycle support. GitHub and GitHub Actions may also appear in broader cloud development discussions, but Azure DevOps remains a classic fundamentals service to know. The key exam skill is matching developer collaboration and deployment automation needs to the correct service category.

These topics may be blended in scenario form. For example, a company may want to deploy an app, monitor performance, and add AI-driven capabilities. That would involve developer support, monitoring, and AI services working together rather than a single product solving everything.

• Azure portal is the graphical management interface.
• Azure CLI and Azure PowerShell support command-line management and automation.
• Azure Monitor provides observability, metrics, logs, and alerts.
• Azure AI services provide prebuilt AI capabilities.
• Azure DevOps supports planning, coding, building, testing, and deploying applications.

Exam Tip: Watch for verb clues. “Manage resources” suggests portal, CLI, or PowerShell. “Observe performance” suggests Azure Monitor. “Add speech or vision intelligence” suggests Azure AI services. “Automate software delivery” suggests Azure DevOps.

A common trap is choosing Azure Monitor for security governance or choosing Azure DevOps for infrastructure permission management. Each tool has a primary purpose. Stay anchored to the exact requirement in the scenario.

Section 4.6: Exam-style practice set for Describe Azure architecture and services

This final section is about test strategy rather than new content. In the architecture and services domain, many AZ-900 items are mixed scenarios that combine identity, data, analytics, monitoring, AI, and developer services. Your goal is to identify the dominant requirement first, then eliminate options that belong to the wrong service family. This works especially well because Microsoft often includes distractors that are real Azure services but not the best fit for the specific need.

Start by scanning for trigger words. Identity words include sign-in, user, permission, access, and MFA. Database words include relational, table, transaction, and globally distributed documents. Analytics words include dashboard, reporting, trend, warehouse, and insights. Monitoring words include logs, metrics, alert, availability, and performance. Developer support words include pipeline, repository, release, and sprint. AI words include speech, vision, language, and intelligent predictions.

Then apply elimination. If the requirement is clearly about verifying identity, remove storage, analytics, and DevOps choices immediately. If the requirement is about analyzing historical business data, remove operational identity services and simple storage options. The exam rewards clarity of category. You do not need to know every feature of every service; you need to know the best-fit purpose of the major services.

Another important strategy is to watch scope. Some answer choices may technically work but are too broad or too narrow. For example, a virtual machine can host many tools, but if Azure provides a managed service specifically built for the requirement, the managed service is often the stronger AZ-900 answer. This is especially true in database and AI questions.

Exam Tip: On fundamentals exams, prefer the service that most directly matches the business requirement with the least unnecessary management overhead, unless the question explicitly asks for maximum control or custom hosting.

Common traps in this chapter include confusing authentication with authorization, Entra ID with on-premises Active Directory, Azure RBAC with Azure Policy, analytics with transactional databases, and monitoring with security or governance services. Before your exam, review these pairs until you can explain the difference in one sentence each. If you can do that, you will answer mixed architecture scenarios with much stronger accuracy.

As part of your final review plan, revisit the official objective wording and practice classifying Azure services by category. That method improves both recall and elimination speed. In a timed exam, fast category recognition is one of the most valuable beginner skills you can build.

Section 5.1: Describe factors that can affect costs in Azure and cost optimization basics

Azure uses a consumption-based model for many services, which means organizations typically pay for what they use. For AZ-900, you should know the major factors that affect cost rather than memorize detailed pricing. These factors include resource type, usage amount, region, performance tier, storage replication choice, outbound data transfer, and subscription or licensing agreements. For example, a virtual machine running continuously in a premium size costs more than a smaller VM used occasionally. Storage with geo-redundancy generally costs more than locally redundant storage because it provides additional durability and resilience.

Region matters because prices can vary by geography. Service tier matters because higher-performance or enterprise-grade options cost more. Time matters too: a stopped but provisioned virtual machine may still incur charges for attached storage, networking components, or reserved capacity. On the exam, do not assume that "turned off" always means "no charge." Questions often test whether you understand that associated resources may continue billing.

Cost optimization basics focus on matching resources to actual need. Common strategies include rightsizing underutilized services, deleting unused resources, selecting the appropriate pricing tier, using auto-scaling where suitable, and reviewing spending trends regularly. In beginner scenarios, the most likely correct answer is the option that reduces waste while preserving required functionality. For example, using a lower-cost SKU for nonproduction workloads is a classic optimization approach.

Another tested idea is that architecture decisions influence cost. High availability, premium disks, faster processors, and broader geographic deployment can all increase spending. This does not make them bad choices; it simply means organizations must balance cost against performance, resilience, and compliance requirements.

• More resources usually mean higher cost.
• Higher availability and redundancy options often increase cost.
• Different regions may have different pricing.
• Data egress can affect total bill.
• Unused resources still attached to a solution may continue generating charges.

Exam Tip: If an answer choice mentions reducing waste, reviewing utilization, or selecting a more appropriate service tier, it is often aligned with Azure cost optimization. Watch for distractors that improve governance or security but do not directly reduce cost.

A common trap is confusing cost reduction with policy enforcement. Azure Policy can require standards, but it is not the primary tool for estimating or analyzing cost. Keep the purpose of each feature separate in your mind.

Section 5.2: Describe tools for cost management including calculators, budgets, and tagging

AZ-900 expects you to distinguish between Azure cost planning tools and Azure cost monitoring tools. The Azure Pricing Calculator is used before deployment to estimate the expected cost of services. It helps compare service configurations and forecast monthly pricing based on planned usage. If a company wants to model the cost of a solution before purchasing, the Pricing Calculator is the likely answer.

The Total Cost of Ownership, or TCO, Calculator is different. It is used to compare the estimated cost of running workloads on-premises versus moving them to Azure. If an exam question asks about justifying migration financially or comparing data center costs to cloud costs, the TCO Calculator is the better match. This distinction appears often in practice questions.

After deployment, organizations use Microsoft Cost Management features to analyze actual spending, identify trends, and create budgets. Budgets do not cap usage automatically in the basic AZ-900 sense; instead, they provide alerts when spending thresholds are reached. That subtle point is a frequent exam trap. A budget warns and helps track spending, but it does not itself stop resources from consuming more unless additional automation is configured outside the basic concept being tested.

Tagging is another important cost management practice. Tags are name-value pairs applied to resources so organizations can group, organize, and report on costs by department, project, environment, or owner. If the requirement is to identify which department created the highest Azure cost, consistent tagging is a strong answer. Tags improve visibility and chargeback or showback reporting, but tags do not enforce compliance rules by themselves.

Support plans may also appear in cost-related questions. Azure offers different support options, and higher levels provide faster response times or broader technical support. The exam usually tests awareness that support choice affects total Azure spending, not detailed memorization of every plan feature.

• Pricing Calculator: estimate planned Azure costs before deployment.
• TCO Calculator: compare on-premises cost with Azure cost.
• Cost Management: analyze current and historical spending.
• Budgets: create spending thresholds and alerts.
• Tags: organize resources and track cost allocation.

Exam Tip: If the wording says estimate, plan, or forecast, think calculator. If it says monitor, analyze, or alert on actual spending, think Cost Management and budgets. If it says categorize by department or project, think tags.

The most common distractor is choosing Azure Policy when the real requirement is cost visibility by business unit. Policy can require tags, but tagging is the cost-reporting mechanism the question is usually targeting.

Section 5.3: Describe governance and compliance features including Azure Policy, resource locks, and blueprints concepts

Governance in Azure means establishing rules and controls so resources are deployed and managed consistently. The AZ-900 exam focuses on a few foundational features. Azure Policy evaluates resources against defined rules. It can enforce standards such as allowed locations, allowed resource types, required tags, or approved SKUs. When a question asks how to ensure resources comply with organizational rules, Azure Policy is usually the correct answer.

Resource locks protect resources from accidental change or deletion. There are two familiar concepts to recognize: delete locks prevent deletion, and read-only locks prevent modification. These locks are useful when the goal is to protect important resources from administrators making unintended changes. This is a classic exam scenario. If the requirement is specifically to prevent accidental deletion, resource locks are more direct than policy.

Blueprints concepts have historically been used to define repeatable sets of Azure resources, policies, role assignments, and templates for standardized deployments. On AZ-900, you are not expected to design advanced blueprint architectures, but you should understand the idea of deploying a governed environment consistently across subscriptions or teams. Even when blueprint language appears, focus on the concept of standardization at scale.

Good governance also includes role-based access control, management groups, and subscriptions as organizational boundaries, but the exam objective in this chapter emphasizes policy, locks, and blueprint-style standardization. Questions often test whether you can separate enforce standards from protect resources. Policy governs what should be allowed. Locks protect a resource after it exists.

• Azure Policy: enforce and assess rules and standards.
• Resource locks: prevent accidental deletion or modification.
• Blueprints concepts: deploy standardized environments with governance artifacts.

Exam Tip: Read the verb in the question carefully. "Enforce" or "require" points toward Azure Policy. "Prevent deletion" points toward resource locks. "Deploy a standardized set of governance controls repeatedly" points toward blueprints concepts.

A common trap is selecting tags when the requirement is mandatory tagging. Tags are labels, but Azure Policy is what can require them. Another trap is using locks to control who can create resources. Locks are not the same as access control or policy enforcement.

Section 5.4: Describe privacy, compliance, trust, and Microsoft service trust resources

Many organizations move to Azure only after confirming that the platform meets privacy, security, and regulatory expectations. The AZ-900 exam does not expect legal expertise, but it does expect you to know that Microsoft provides official resources describing compliance offerings, audit documentation, privacy commitments, and trust information. The most important named resource to remember is the Microsoft Service Trust Portal.

The Service Trust Portal is where organizations can review information related to compliance reports, certifications, regulatory documentation, privacy details, and other trust-related materials for Microsoft cloud services. If a question asks where a company should go to review audit reports or learn whether Azure supports specific compliance standards, the Service Trust Portal is the best answer.

Privacy in Azure also connects to the shared responsibility model. Microsoft is responsible for the security and compliance of the cloud platform itself, while customers are responsible for how they configure and use services, protect identities, classify data, and secure workloads. Exam questions may blend these ideas. For instance, a question might ask who is responsible for data classification in Azure. That remains the customer’s responsibility, even though Microsoft provides a compliant cloud platform.

Trust is broader than a single portal. It includes transparency about service operations, data handling, resiliency commitments, and regulatory certifications. Compliance refers to meeting standards and legal requirements. Privacy concerns the handling and protection of personal and sensitive information. On the exam, these terms may appear together, but the main task is usually identifying the Microsoft resource that provides evidence and documentation.

Exam Tip: If the requirement is to review compliance reports, certifications, or audit-related documents, choose the Microsoft Service Trust Portal. Do not confuse it with cost tools, governance tools, or operational monitoring services.

A common trap is assuming Azure Policy proves compliance automatically. Policy can help enforce standards, but the Service Trust Portal is where Microsoft publishes compliance and trust documentation. Another trap is overgeneralizing the shared responsibility model; customers still own many governance and data decisions even in the cloud.

Section 5.5: Describe service lifecycle in Azure including public preview, general availability, and service level agreements

Azure services move through lifecycle stages, and AZ-900 expects you to know the basic meaning of these stages. Public preview means a feature or service is available for customers to try, but it is still being evaluated and may have limited support, changing functionality, or reduced production guarantees. Public preview is valuable for early testing, but it is generally not the best choice when a scenario requires full production support and strong commitments.

General availability, often called GA, means the service is fully released for production use. GA services are typically backed by standard support and formal commitments. In exam questions, if the requirement emphasizes production readiness or full support, GA is usually the correct answer over public preview.

Service level agreements, or SLAs, define Microsoft’s commitment for uptime and connectivity for specific services. An SLA is typically expressed as a percentage, such as 99.9 percent availability. Higher percentages generally mean less allowable downtime over a given period. You do not usually need to calculate downtime precisely for AZ-900 unless the question is very simple, but you should understand that an SLA is a formal service commitment, not a guarantee that outages will never happen.

Questions may also test composite thinking. If a workload spans multiple services, the overall availability can be affected by the design and by each service’s SLA. Redundancy and architecture choices matter. A common trap is believing that every Azure service automatically has the same SLA or that preview services have the same commitments as GA services. They do not.

• Public preview: available for evaluation, not ideal for strict production requirements.
• General availability: fully released and production-ready.
• SLA: documented uptime or availability commitment for a service.

Exam Tip: If the scenario mentions mission-critical production workloads, avoid choosing public preview unless the question specifically asks about early access or testing. If it asks about documented uptime commitments, that is SLA territory.

Lifecycle questions are often paired with governance and risk language. The exam wants to know whether you can recommend the right stage for the right business need. Stable production use points to GA. Experimentation points to preview. Formal availability commitments point to SLAs.

Section 5.6: Exam-style practice set for Describe Azure management and governance

This section focuses on how to think through governance-heavy AZ-900 questions without turning the chapter into a quiz. The key exam skill is identifying the core requirement and ignoring attractive but secondary features. Management and governance questions often include multiple Azure tools that all sound useful. Your job is to select the one that most directly solves the stated problem.

Start by classifying the question into one of four buckets: cost estimation, cost monitoring, governance enforcement, or trust/compliance information. If a scenario happens before deployment and asks about expected monthly spend, think Pricing Calculator. If it is about comparing on-premises costs with Azure, think TCO Calculator. If it is about actual spending and thresholds, think Cost Management and budgets. If it is about organizing charges by team, think tags.

For governance, separate standards from protection. Questions about allowed regions, required tags, or permitted SKUs align with Azure Policy. Questions about preventing accidental deletion align with resource locks. Questions about standardized repeated deployments with built-in governance controls align with blueprints concepts. For trust and compliance, the Service Trust Portal is the anchor term to remember.

For lifecycle language, ask whether the scenario is experimental or production. Public preview fits early testing. General availability fits stable production use. SLA questions usually ask you to identify that Microsoft is providing a documented uptime commitment.

Exam Tip: Eliminate answers that are helpful in general but do not directly satisfy the requirement. For example, tags are useful, but if the requirement is to make tags mandatory, Azure Policy is the stronger answer. Budgets are useful, but if the requirement is to forecast future cost before deployment, the Pricing Calculator is the correct fit.

Common traps in this domain include confusing budgets with spending caps, confusing policy with locks, confusing calculators with monitoring tools, and confusing compliance documentation with governance enforcement. If you master those distinctions, you will answer a large percentage of AZ-900 management and governance questions correctly. As you review, build a one-page comparison sheet of commonly confused features. That final comparison exercise is one of the best ways to strengthen exam-day recall.

Section 6.1: Full mixed-domain mock exam covering Describe cloud concepts

This first mock-exam section targets the cloud concepts objective, but it should still feel mixed and realistic. The AZ-900 exam expects you to identify foundational ideas quickly: what cloud computing means, why organizations adopt it, how the shared responsibility model changes by service type, and how public, private, and hybrid cloud models differ. Candidates often assume this domain is the easiest, yet it produces many avoidable misses because the wording appears simple while the answer choices are intentionally close together.

In full mixed-domain practice, cloud concepts questions often test whether you can separate benefits from guarantees. For example, high availability, scalability, elasticity, fault tolerance, and disaster recovery are related, but not interchangeable. The exam may describe a scenario that sounds like growth in demand and ask for the matching concept. If demand rises and falls automatically, think elasticity. If the question is about increasing capacity to support more workload, think scalability. If the emphasis is on staying operational during a failure, that points toward availability or resiliency. The test rewards precision, not just general positivity about the cloud.

Another heavily tested area is the shared responsibility model. You must know that responsibility changes across IaaS, PaaS, and SaaS. A common trap is to think Microsoft handles everything because Azure is a cloud platform. That is never true. Customers still manage data, identities, access, and many configuration choices. In IaaS, customers manage more of the stack; in SaaS, Microsoft manages more. When answer choices include operating systems, applications, network controls, and physical hardware, determine the service model first before choosing what remains the customer’s responsibility.

Exam Tip: If an item compares IaaS, PaaS, and SaaS, sketch the stack mentally from bottom to top: physical datacenter, networking, servers, virtualization, operating system, runtime, application, and data. This helps eliminate choices that assign responsibility to the wrong side.

Cloud models are another frequent source of confusion. Public cloud means services offered over the internet and shared across tenants, private cloud means dedicated cloud-like infrastructure for one organization, and hybrid cloud combines both. The trap is that hybrid is not simply “using more than one technology.” It specifically means integrating private and public environments in a coordinated way. Community cloud is less emphasized at this level, so if it appears, read carefully and do not overcomplicate it.

Consumption-based pricing also appears regularly in mock exams. Focus on the idea that costs align with usage, allowing organizations to trade capital expenditure for operational expenditure. However, not every Azure cost is purely variable every second of the day. The exam is testing the economic model, not an advanced billing edge case. If a question asks why cloud can improve financial flexibility, think reduced upfront investment, pay-as-you-go consumption, and the ability to scale spending with demand.

• Differentiate CapEx from OpEx without hesitation.
• Know the motivations for moving to cloud: agility, reach, scalability, and cost flexibility.
• Map benefits precisely instead of using them as synonyms.
• Treat shared responsibility as a sliding scale across service models.

During your mock review, label each miss with one of four causes: concept confusion, term confusion, service-model confusion, or pricing confusion. That turns this section from a score exercise into a diagnostic tool.

Section 6.2: Full mixed-domain mock exam covering Describe Azure architecture and services

This section reflects the largest knowledge area for many candidates: Azure architecture and core services. On the exam, this domain tests your ability to recognize fundamental building blocks such as regions, region pairs, availability zones, subscriptions, resource groups, and management groups, then connect those concepts to common Azure services in compute, networking, storage, and identity. The challenge is not depth. AZ-900 does not expect advanced deployment expertise. The challenge is breadth and clear distinction between similar offerings.

Expect mixed-domain practice here to move rapidly among topics. A question may ask about virtual machines, then one on containers, then one on Azure Virtual Desktop, then one about serverless options such as Azure Functions. Your job is to know the basic fit of each service. Virtual machines provide the most control over the operating system. Containers package applications and dependencies with lightweight portability. Azure App Service supports managed web app hosting. Azure Functions is event-driven and serverless. If you understand the default use case, you can eliminate most distractors immediately.

Networking items often test recognition rather than design. Know what Azure Virtual Network does, what a subnet is, the role of VPN Gateway and ExpressRoute, and when a load balancer is relevant. The trap is to confuse connectivity with traffic distribution. VPN Gateway and ExpressRoute connect environments; Load Balancer distributes traffic; DNS resolves names. Similarly, candidates often mix up Network Security Groups with Azure Firewall. At this level, remember that NSGs filter traffic to and from Azure resources, while Azure Firewall is a managed network security service with broader centralized rule capabilities.

Storage questions commonly compare blob, file, queue, and table storage, while also touching on redundancy options like LRS, ZRS, and GRS. The exam usually tests simple matching. Blob storage is for unstructured object data, file storage provides shared file shares, queue storage supports message storage, and table storage is NoSQL key-value style storage. A common trap is choosing by familiarity rather than by the exact data type described in the prompt.

Exam Tip: When architecture questions mention identity, default to Microsoft Entra ID concepts such as authentication, users, groups, and single sign-on. Do not confuse identity and access management with authorization tools like RBAC, even though they are closely related in practice.

Core architecture concepts are also heavily tested. Know that resources are created in subscriptions, organized in resource groups, and can be grouped further under management groups. Regions represent geographic areas hosting datacenters. Availability zones provide separate physical locations within a region for higher resiliency. The exam may present two correct-sounding concepts and ask for the one that best matches a management, organization, or resiliency requirement. Read for scope words such as “within a region,” “across subscriptions,” or “for billing and access boundaries.”

• Match compute choices to management level and workload type.
• Separate connectivity services from traffic management services.
• Match storage options to data format and access pattern.
• Remember Azure hierarchy: management groups, subscriptions, resource groups, resources.

As you review your mock performance, flag any service pairs you repeatedly confuse. Those repeated confusions are exactly what the exam is likely to exploit.

Section 6.3: Full mixed-domain mock exam covering Describe Azure management and governance

This mock-exam section targets management and governance, a domain where AZ-900 often measures whether you can connect a business requirement to the correct administrative feature. The exam frequently asks which Azure service or tool helps control cost, enforce standards, protect resources, assign permissions, or satisfy compliance reporting needs. Candidates sometimes struggle here because the answers all sound “administrative,” but each tool serves a different purpose.

Start with cost management. You should know the difference between pricing calculators, total cost of ownership comparisons, Cost Management analysis, and budgets. The pricing calculator estimates expected cloud costs before deployment. TCO is used for comparing on-premises and cloud costs. Cost Management helps monitor and analyze usage and spending. Budgets allow proactive spending thresholds and alerts. The exam trap is to choose a monitoring tool when the task is actually estimation, or to choose budgeting when the prompt is about comparing environments.

Governance controls such as Azure Policy, resource locks, and tags are also common. Azure Policy evaluates and enforces organizational standards. Locks help prevent accidental deletion or modification. Tags organize resources for management, reporting, and cost tracking. Role-based access control determines who can do what at different scopes. A classic trap is mixing policy and RBAC. Policy controls what is allowed or required for resources. RBAC controls permissions for users, groups, and identities. If the question is about preventing noncompliant resource configurations, think Policy. If it is about granting read-only or contributor access, think RBAC.

Service level agreements and support plans also appear in management and governance. Be prepared to recognize what an SLA represents: a commitment regarding availability, usually as a percentage over time. Do not confuse an SLA with actual achieved uptime or with a technical design pattern. If the exam asks about combining services, remember that composite availability can change depending on architecture. At AZ-900 level, the key is understanding that SLAs communicate expected service availability and may guide service selection.

Compliance topics test broad awareness rather than legal expertise. Microsoft provides documentation and offerings aligned to standards, regulations, and trust requirements. Candidates sometimes overthink these items and search for technical implementation detail that is not required. Usually the exam wants you to recognize that Azure offers compliance resources, trust documentation, and governance tooling to support organizational requirements.

Exam Tip: For governance questions, ask yourself whether the requirement is about money, permissions, standards, protection, or reporting. That one mental classification often narrows four choices down to one or two.

• Use Cost Management for monitoring and analysis, not predeployment estimation.
• Use Azure Policy for standards enforcement, RBAC for permissions, and locks for accidental-change protection.
• Use tags for organization and cost grouping, but do not treat them as a security boundary.
• Interpret SLAs as service commitments, not architecture guarantees in every scenario.

When reviewing this section, note whether your mistakes come from not knowing the tools or from misreading the requirement category. Both issues can be fixed quickly with targeted review.

Section 6.4: Detailed answer review, rationale patterns, and distractor analysis

The answer review stage is where score improvement actually happens. Many learners take mock exams, glance at the percentage, and move on. That is not enough. For AZ-900, you should perform structured rationale analysis after every mock set. The goal is to identify not only the right answer, but the exam writer’s logic and the trap that made a distractor attractive. This builds the pattern recognition you need on test day.

Start by sorting every missed question into categories. Some misses come from pure knowledge gaps: you simply did not know the service or term. Others come from near-miss confusion, such as mixing up Azure Policy and RBAC, or Azure Functions and App Service. A third category is overreading, where you chose an advanced or highly specific option even though the prompt asked for a basic fundamentals concept. The fourth category is language drift, when you respond to a familiar phrase in the answer choices instead of the actual requirement in the question stem.

Look for recurring rationale patterns. Correct answers on AZ-900 are usually the most direct fit, aligned to the exam objective wording. Distractors often share one of these traits: they are related but solve a different problem, they operate at the wrong scope, they are technically possible but not the best beginner-level answer, or they describe a valid Azure feature from the wrong domain. For example, a governance question may tempt you with a networking service simply because both sound administrative. The exam expects you to choose by purpose, not by familiarity.

Exam Tip: If two answer choices both seem correct, compare them on scope, primary purpose, and exam-level simplicity. AZ-900 usually prefers the broad, official, foundational answer over a niche implementation detail.

During rationale review, rewrite your reason for each miss in one sentence. Examples include: “I confused cost estimation with cost monitoring,” or “I saw identity and chose RBAC, but the requirement was authentication.” This simple habit exposes whether your problem is terminology, concept mapping, or attention to scope. Once you can name the error, you can fix it.

Distractor analysis is especially important because Microsoft often builds answer sets from related services. That means every option may look legitimate. Elimination should therefore be active and explicit. Ask: Which options are in the wrong category? Which one addresses administration instead of deployment? Which one is about analysis instead of enforcement? Which one is more advanced than the requirement? Removing choices for clear reasons reduces second-guessing and makes the remaining answer easier to defend.

• Review every wrong answer and every lucky guess.
• Track repeated confusions between similar services.
• Write a short error statement for each miss.
• Practice elimination based on purpose, scope, and service category.

By the end of this step, you should have a small, high-value list of weak areas. That list becomes the foundation of your final revision plan rather than a vague feeling that you need to “study everything again.”

Section 6.5: Final domain-by-domain revision plan and confidence checkpoints

Your final review plan should be short, focused, and tied directly to the AZ-900 objectives. Do not spend the last stage collecting more random notes. Instead, create a domain-by-domain checklist based on weak spot analysis from your mock exams. The purpose is to close gaps efficiently while protecting confidence. Beginners often damage their performance by cramming too broadly and leaving themselves mentally overloaded.

For cloud concepts, verify that you can explain cloud computing, public versus private versus hybrid cloud, CapEx versus OpEx, consumption-based pricing, and the shared responsibility model across IaaS, PaaS, and SaaS. Your checkpoint is this: can you distinguish related terms quickly without needing examples? If not, review concise definitions and make side-by-side comparisons.

For Azure architecture and services, prioritize common exam pairings. Review regions, availability zones, subscriptions, resource groups, and management groups. Then revise compute choices, networking fundamentals, storage types, and Microsoft Entra ID. Your checkpoint is whether you can match a simple workload description to the most suitable service category. If a prompt mentions web hosting, event-driven execution, shared files, object storage, identity, or private connectivity, you should immediately think of the likely Azure service family.

For management and governance, focus on cost tools, governance controls, RBAC, Policy, locks, tags, SLAs, compliance, and support options. Your checkpoint is whether you can classify a requirement as cost, access, standard enforcement, resource protection, or reporting. If classification is slow, you need more comparison practice.

Exam Tip: Confidence should come from repeatable recognition, not from vague familiarity. If you cannot explain a term in one clean sentence, you do not know it well enough for final review.

A practical final plan for the last two to three study sessions is simple. Session one: review all misses from cloud concepts and architecture. Session two: review all misses from management and governance and redo only the questions you got wrong. Session three: perform a short mixed review of the most commonly confused service pairs and governance tools. Avoid taking too many full mocks back-to-back at the end; targeted correction is usually more valuable than another broad score snapshot.

• Create a one-page weak-area sheet organized by official domain.
• Review service comparisons, not isolated definitions.
• Use confidence checkpoints to decide what still needs work.
• Stop expanding scope in the final phase; narrow and sharpen instead.

The strongest final review is not the longest one. It is the one most directly aligned to your error patterns and the official exam blueprint.

Section 6.6: Exam-day strategy, time control, and last-minute review tips

Exam day should feel familiar because you have already practiced under mixed-domain conditions. Your main goal is to protect clarity. The AZ-900 exam is manageable for prepared beginners, but simple mistakes increase when candidates rush, panic at unfamiliar wording, or change correct answers without strong evidence. A calm process matters as much as final recall.

Start with logistics. Confirm your registration details, identification requirements, test-center or online-proctor instructions, and internet or room setup if testing remotely. Remove avoidable stress before exam time. Then do a light content review only. The final hours are for reinforcing key distinctions, not learning new services. Revisit your one-page weak-area sheet, especially high-confusion pairs such as Policy versus RBAC, availability zones versus regions, and pricing calculator versus Cost Management.

During the exam, classify the question before reading all answer choices deeply. Ask: Is this cloud concepts, architecture and services, or governance? Then look for trigger terms that reveal the tested objective. Read carefully for scope words like “best,” “most appropriate,” “within a region,” “used to estimate,” or “used to enforce.” These words often separate two plausible options. If a question seems hard, eliminate what is clearly wrong, choose the best remaining answer, mark it if the interface allows, and move on. Do not spend too long wrestling with one item early in the exam.

Exam Tip: Your first answer is often correct when it is based on clear reasoning. Change an answer only if you identify a specific misread term, scope issue, or concept error.

Time control on AZ-900 is usually less about speed and more about discipline. Avoid perfectionism. The exam tests foundational understanding, so if you know the category and the primary purpose of each service, many answers become straightforward. Preserve extra time for flagged items and a final pass. On review, do not reopen every question. Check only those where you remember a concrete reason for uncertainty.

For a final checklist, make sure you have reviewed cloud models, shared responsibility, pricing basics, core architecture hierarchy, compute and storage service recognition, networking essentials, identity basics, governance tools, cost management, SLAs, and compliance resources. Also remind yourself that distractors are designed to be familiar. Familiar is not enough. The right answer is the one that best matches the stated requirement.

• Handle logistics early to reduce test-day stress.
• Review distinctions, not entire chapters.
• Classify each question by objective before choosing.
• Use elimination confidently and avoid unnecessary answer changes.

Finish the exam the way you prepared for it: calm, systematic, and focused on the best match. That approach turns your study work into points on the score report.