AZ-900 Practice Test Bank: 200+ Questions & Answers

Section 1.1: AZ-900 by Microsoft and the Azure Fundamentals certification path

AZ-900, Microsoft Azure Fundamentals, is the entry point for candidates who want to validate broad cloud and Azure awareness. It is suitable for technical and non-technical learners, including students, sales professionals, project managers, analysts, and aspiring cloud administrators. Microsoft positions this certification as foundational, which means the exam emphasizes recognition, understanding, and service differentiation rather than hands-on implementation depth.

From an exam-prep standpoint, think of AZ-900 as a vocabulary-and-decision exam. You need to know the language of Azure well enough to identify what service category or management concept fits a described need. This includes knowing the difference between cloud models, understanding the shared responsibility model, recognizing core Azure resources and regions, and distinguishing among common services in compute, networking, storage, and identity.

AZ-900 is also the beginning of a larger certification path. Candidates often continue into role-based certifications after passing this exam, such as Azure Administrator, Azure Developer, Azure Security, or data and AI tracks. However, a common mistake is studying AZ-900 as if it were a junior administrator exam. That leads to spending too much time on portal steps and too little time on objective language. For this exam, broad understanding beats deep configuration detail.

Exam Tip: If an answer choice sounds operationally complex but the question objective is foundational, pause. AZ-900 usually rewards the simplest accurate cloud or Azure concept, not an advanced implementation detail.

What the exam tests here is whether you understand Azure as a platform and how Microsoft organizes its offerings. You should be able to explain what Azure is, why organizations adopt cloud services, and how Azure fundamentals connect to later learning paths. A common trap is assuming all Microsoft cloud products are Azure services in the same sense. Read carefully: some questions focus on Azure-specific services, while others focus on broader concepts such as cloud economics, global infrastructure, or identity.

Your mindset should be this: AZ-900 is the map, not the entire journey. Master the map first. Once you can categorize services and objectives quickly, the rest of your study becomes much easier and your confidence rises on scenario-based questions that ask for the best fit rather than a perfect technical design.

Section 1.2: Official exam domains and how Describe cloud concepts is weighted

The first major domain is Describe cloud concepts. On the official skills outline, this domain usually carries a meaningful but smaller share than the Azure services domain. Even so, it is dangerous to neglect because these questions are often fast points if you know the terminology precisely. This area covers cloud computing benefits, cloud service types, and cloud deployment models, along with financial and operational ideas such as elasticity, scalability, high availability, fault tolerance, disaster recovery, and consumption-based pricing.

You should expect Microsoft to test distinctions such as Infrastructure as a Service versus Platform as a Service versus Software as a Service, and public versus private versus hybrid cloud. You should also understand how shared responsibility shifts depending on the service model. Many candidates lose points because they know the definitions in isolation but cannot apply them when wording changes. For example, a scenario may not say “PaaS” directly; it may describe a managed application-hosting environment where the customer focuses on code instead of underlying servers.

Another tested area is cloud economics. You need to recognize when a scenario points to capital expenditure versus operational expenditure, and how consumption-based pricing works. Questions may also assess whether you understand that cloud services can reduce upfront hardware purchases, increase agility, and align costs to usage. The trap is assuming cloud always means lower total cost. The exam usually tests that cloud changes cost structure and flexibility, not that it guarantees savings in every case.

Exam Tip: When you see words like quickly scale, pay only for what is used, avoid large upfront purchase, or provider manages the underlying infrastructure, those phrases often map directly to this domain.

To identify correct answers, look for the option that best matches the business benefit or service model described. Eliminate choices that are too specific or belong to later governance or architecture domains. A classic trap is confusing high availability with scalability, or disaster recovery with fault tolerance. AZ-900 expects you to know these concepts at a clear, practical level. If the scenario is about surviving a datacenter or regional issue, think resilience concepts. If the scenario is about handling changing demand, think scalability or elasticity.

Because this domain is foundational, build speed here. These should become your confidence questions early in the exam. Strong performance in cloud concepts creates time for more careful reading later when similar Azure services appear in the architecture section.

Section 1.3: Official exam domains and how Describe Azure architecture and services is weighted

The largest domain on AZ-900 is typically Describe Azure architecture and services. This weighting matters because it represents the broadest scoring opportunity and also the section where candidates most often confuse similar services. Microsoft expects you to recognize core architectural components such as regions, region pairs, availability zones, subscriptions, management groups, and resource groups. You must also distinguish major service categories across compute, networking, storage, and identity.

In compute, focus on what each service category is for rather than deep deployment steps. You should know the basic role of virtual machines, containers, serverless functions, and app-hosting services. In networking, understand virtual networks, VPN and ExpressRoute concepts at a foundational level, plus load balancing and name resolution basics. In storage, know the differences among blob, file, queue, and table-oriented offerings at the level expected for the exam. In identity, Microsoft commonly tests Microsoft Entra ID, authentication, authorization, and single sign-on concepts.

The exam is not asking you to architect a production landing zone. It is asking whether you can match a requirement to the most appropriate Azure service type. For example, is the need for raw virtualized infrastructure, managed web hosting, event-driven code execution, centralized identity, or scalable object storage? That is the decision skill this domain measures.

Exam Tip: If two answer options seem close, ask yourself whether one is a broad platform category and the other is a more specialized service. AZ-900 often rewards the answer that most directly satisfies the requirement with the least unnecessary complexity.

Common traps include mixing up Azure architectural scopes. Resource groups are not subscriptions. Availability zones are not regions. Identity services are not governance tools. Another frequent trap is selecting a service because its name sounds familiar rather than because its purpose matches the scenario. Read nouns and verbs carefully: host, store, authenticate, route, monitor, and govern all point to different families of services.

Because this is the heaviest domain, your study plan should devote the most time here. But study by comparison, not by isolated memorization. Build mini-charts that explain when to choose one service over another. If you can explain the difference between common tested services in one sentence each, you are preparing the right way for AZ-900.

Section 1.4: Official exam domains and how Describe Azure management and governance is weighted

The third major domain is Describe Azure management and governance. While usually smaller than the architecture-and-services domain, it is highly testable because Microsoft wants candidates to understand that cloud success is not just about deploying resources. It is also about controlling cost, enforcing standards, meeting compliance requirements, protecting workloads, and monitoring environments.

This domain includes cost management concepts, service-level agreements at a high level, governance tools such as Azure Policy and resource locks, and management tools such as the Azure portal, Azure CLI, Azure PowerShell, and infrastructure templates at a foundational awareness level. It also includes security and compliance ideas involving Microsoft Defender for Cloud, Microsoft Purview, and trust-related concepts, plus monitoring capabilities such as Azure Monitor, Log Analytics, and alerts in broad terms.

A major exam skill here is distinguishing between similar-sounding tools by purpose. Governance is about control and standardization. Monitoring is about visibility and operational insight. Security posture tools assess and improve protections. Cost management focuses on budgeting, analysis, and optimization. The trap is choosing a tool because it is related to Azure administration generally, even if it does not directly solve the stated problem.

Exam Tip: When a question mentions enforcing rules automatically across resources, think governance. When it mentions collecting telemetry or triggering alerts, think monitoring. When it mentions reducing or analyzing cloud spend, think cost management.

Microsoft also likes to test the difference between responsibility and capability. For example, just because Azure provides compliant services does not mean the customer has no compliance responsibilities. Similarly, cloud security is shared. Questions may indirectly test whether you understand these boundaries.

To answer correctly, first identify the category the question lives in: cost, governance, security, compliance, or monitoring. Then pick the answer that directly maps to that category. Avoid over-reading. AZ-900 rarely requires advanced implementation detail in this domain. Instead, it tests whether you know which Azure tool or concept belongs to which management outcome. Learners who create a one-line purpose statement for every governance and management tool usually perform much better here.

Section 1.5: Registration process, exam delivery options, IDs, scoring, and result reports

Before exam day, make the logistics easy on yourself. Register through Microsoft’s certification site, where you can review the official exam page, pricing, language availability, and scheduling options. Delivery may be available through a test center or an online proctored experience, depending on your region and current provider rules. Each option has advantages. Test centers reduce home-setup risk, while online delivery offers convenience if your environment meets technical and policy requirements.

When scheduling, choose a date that creates commitment but still leaves room for at least one full-length practice cycle and one final review week. Too many candidates delay scheduling until they “feel ready,” which often leads to inconsistent study. Put a date on the calendar and study backward from it.

You must also prepare identification and environment requirements. Government-issued ID rules can vary by provider and country, so verify the exact current policy on the official scheduling page. For online proctoring, review system checks, webcam and microphone rules, room requirements, and prohibited materials well in advance. Technical problems and check-in issues create unnecessary stress if handled at the last minute.

Scoring on Microsoft exams is typically reported on a scaled basis, with a passing score commonly shown as 700 on a scale up to 1000. Do not misinterpret this as a simple percentage. Because exam forms can vary, scaled scoring helps maintain fairness across versions. Result reports generally indicate pass or fail and provide domain-level performance feedback rather than a line-by-line item review.

Exam Tip: Domain feedback is study gold if you do not pass. Use the score report to diagnose weak objective areas instead of restarting from scratch. Rebuild your plan around the lowest domains first.

Retake policies can change, so always confirm the current official rules. In general, if you need a retake, do not rush into it emotionally. Review your report, analyze practice-bank performance by objective, and correct your weak areas systematically. One more common trap: candidates assume a failed fundamentals exam means they are not suited for cloud. Usually it means they need better blueprint alignment and more exposure to exam wording, not more advanced technical depth. Logistics, calm preparation, and familiarity with the testing process can protect easy points and reduce day-of-exam errors.

Section 1.6: Study roadmap, practice bank usage, time management, and elimination strategy

Your AZ-900 study roadmap should follow the exam blueprint rather than random curiosity. Start with cloud concepts, move into Azure architecture and services, then finish with management and governance. This order works because cloud concepts create the language needed to understand Azure services, and service understanding makes governance tools easier to classify. For beginners, a practical plan is to study in short daily sessions, then review weak areas every few days using mixed practice questions.

A 200-plus question practice bank is most useful when used in phases. In phase one, work by domain and review every explanation carefully, even when you answer correctly. In phase two, switch to mixed sets to improve recognition speed and objective switching. In phase three, take timed mock exams and analyze patterns in your mistakes. Do not just count scores. Classify each wrong answer: knowledge gap, misread keyword, confused services, or second-guessing.

Time management on AZ-900 is usually very manageable if you avoid overthinking. Move steadily, answer the straightforward items, and mark only those that truly need a second look. Because this is a fundamentals exam, your biggest enemy is often not time pressure but hesitation caused by similar terms. Trust your preparation and return later only if you can name the exact reason you are uncertain.

Exam Tip: Use elimination before recall. Even if you do not know the answer immediately, you can often remove two options because they belong to the wrong domain or solve a different problem.

A strong elimination strategy follows a simple sequence. First, identify the objective category: cloud concept, Azure service, or governance tool. Second, underline the requirement mentally: cost, identity, compute, storage, compliance, monitoring, or availability. Third, eliminate answers that are true statements but do not directly address the requirement. This is a common AZ-900 trap: a distractor may be technically accurate yet still not be the best answer.

For final review, create a condensed sheet of comparisons: cloud models, service types, regions versus zones, subscriptions versus resource groups, monitoring versus governance, and identity versus access control. If you can explain these distinctions quickly, you will be positioned well for the actual exam. The practice bank should not just test you; it should train your decision process. That process is what turns foundational knowledge into a passing score.

Section 2.1: Define cloud computing, high availability, scalability, elasticity, and reliability

Cloud computing is the delivery of computing services over the internet. These services include servers, storage, networking, databases, analytics, and software. On the AZ-900 exam, cloud computing is not defined by one Azure product. It is defined by how resources are delivered: on demand, at scale, and usually with usage-based billing. If a question describes requesting resources quickly without buying physical equipment, that is a cloud characteristic.

High availability means systems are designed to remain accessible even when parts fail. This usually involves redundancy, failover, and geographically distributed resources. Reliability is closely related, but it is broader: a reliable service performs as expected over time. In exam wording, high availability focuses on uptime and minimizing downtime, while reliability focuses on dependable operation and recovery from failures. Do not treat them as identical even though they overlap.

Scalability is the ability to increase or decrease resources to meet demand. This can be vertical scaling, such as adding more CPU or memory to a server, or horizontal scaling, such as adding more instances. Elasticity goes one step further. It is the ability to automatically or dynamically scale resources up and down as demand changes, often in near real time. If demand spikes during business hours and falls overnight, elasticity is the better term because it implies adjustment with changing workloads.

• High availability = keep services up
• Reliability = consistent and recoverable operation
• Scalability = ability to handle growth
• Elasticity = dynamic adjustment to workload changes

Exam Tip: If a question mentions “unexpected traffic spikes” or “automatic resource adjustment,” think elasticity. If it says “support future growth” without implying automatic fluctuation, think scalability.

A common trap is assuming every resilience-related phrase means disaster recovery. AZ-900 can mention backup or recovery, but many questions are simply testing whether you know the difference between uptime, dependable service, and growth capacity. Read the verb carefully. “Remain available” points to high availability. “Expand capacity” points to scalability. “Adjust automatically” points to elasticity.

Another exam pattern is pairing these terms with business scenarios. A retailer expecting more users during a holiday campaign needs scalability, and if demand rises and falls rapidly, elasticity. A hospital requiring critical systems to stay accessible needs high availability. A company that wants applications to continue operating despite hardware failure is testing reliability and availability concepts. The correct answer is often the broadest term that directly matches the stated need, not the most advanced-sounding one.

Section 2.2: Explain predictability, security, governance, and manageability benefits of cloud services

Cloud services provide business and operational benefits beyond simply hosting workloads somewhere else. AZ-900 frequently tests whether you understand these benefits in plain language. Predictability means you can forecast performance and cost more effectively by using cloud tools, templates, monitoring, and standardized service offerings. In Azure, organizations can estimate costs, choose service tiers, and monitor usage patterns. On the exam, predictability is often tied to both performance expectations and financial planning.

Security in the cloud includes physical security, network controls, identity services, encryption, and threat detection. However, one of the biggest exam traps is forgetting the shared responsibility model. The cloud provider is always responsible for some parts of security, but the customer still has responsibilities, especially around data, identities, device settings, and access configuration. A question may describe secure facilities or provider-managed patching, but that does not mean the customer has no security responsibilities at all.

Governance refers to setting rules and standards to ensure resources meet organizational and regulatory requirements. In practical terms, governance helps control what can be deployed, where it can be deployed, and how it must be configured. The exam may describe enforcing standards, controlling subscriptions, or ensuring resources comply with corporate policies. That is governance, not merely security. Security protects systems and data; governance ensures resources are deployed and managed according to rules.

Manageability is another common benefit. Cloud environments can be managed using portals, command-line tools, APIs, templates, and automation. This allows administrators to deploy, monitor, and update resources efficiently. Manageability also includes central visibility and policy-driven control. If the scenario emphasizes easier administration across many resources, the tested concept is likely manageability.

• Predictability helps estimate performance and spending
• Security is shared between provider and customer
• Governance enforces standards and compliance
• Manageability improves administration through tools and automation

Exam Tip: When the prompt mentions “rules,” “standards,” “allowed locations,” or “required configurations,” think governance. When it mentions “protection,” “access,” “threats,” or “encryption,” think security.

A common mistake is selecting security when the real focus is governance or compliance. Another is choosing manageability when the question is really about cost predictability. Always identify the business outcome in the scenario: reduce risk, enforce standards, simplify administration, or improve forecasting. Microsoft often uses ordinary business language rather than product names, so your concept recognition matters more than memorization.

Section 2.3: Compare public cloud, private cloud, and hybrid cloud deployment models

Deployment models are a favorite AZ-900 topic because they are easy to ask but easy to confuse. A public cloud is owned and operated by a cloud provider and delivers resources over the internet to multiple customers. Azure is a public cloud platform. Customers typically benefit from reduced maintenance burden, rapid provisioning, and consumption-based pricing. If the scenario says the company does not want to buy and maintain its own hardware, public cloud is often the best match.

A private cloud is a cloud environment dedicated to a single organization. It can be hosted in the organization’s own datacenter or by a third party, but the key idea is dedicated use rather than shared multi-tenant infrastructure. Private cloud may offer more direct control and customization, but usually with higher management overhead and cost. Exam questions may position private cloud as preferable when an organization requires complete control over infrastructure or has strict internal requirements.

Hybrid cloud combines public cloud and private or on-premises infrastructure, allowing data and applications to move between them as needed. This is one of the most tested distinctions. If the scenario says a company must keep some resources on-premises while extending other workloads to Azure, that is hybrid cloud. If the question mentions migration in phases, bursting to the cloud, or meeting regulatory needs while still using cloud services, hybrid is usually correct.

Exam Tip: The phrase “keep some systems on-premises” is one of the strongest clues for hybrid cloud. Do not choose private cloud unless the scenario clearly excludes public cloud usage.

Common traps include confusing hybrid cloud with a simple company network connection to Azure. A connection alone does not define the model; the key is that workloads or resources exist across both environments. Another trap is assuming private cloud always means on-premises. It can be hosted elsewhere, but it remains dedicated to one organization.

On AZ-900, the correct answer typically depends on the business requirement:

• Need maximum provider-managed simplicity and rapid provisioning: public cloud
• Need dedicated environment for one organization: private cloud
• Need a combination of on-premises and cloud resources: hybrid cloud

When reviewing answer choices, look for the one that directly satisfies the stated constraint. Microsoft often includes a technically possible but less precise option to distract test-takers. Pick the deployment model that best aligns with the scenario, not the one that merely sounds secure or flexible.

Section 2.4: Compare infrastructure as a service, platform as a service, and software as a service

Service models test your ability to identify who manages what. In infrastructure as a service, or IaaS, the provider supplies core infrastructure such as virtual machines, storage, and networking, while the customer manages the operating system, applications, and much of the configuration. If a scenario mentions creating virtual machines and retaining control of the OS, that points to IaaS.

Platform as a service, or PaaS, provides a managed platform for application development and deployment. The provider manages more of the stack, including the operating system and runtime environment, while the customer focuses mainly on applications and data. PaaS is often the right answer when developers want to deploy applications without managing servers or patching the OS. On the exam, phrases like “focus on application code” and “avoid infrastructure management” strongly suggest PaaS.

Software as a service, or SaaS, is fully managed software delivered over the internet. Users simply access the application, usually through a browser or client app. The provider manages almost everything behind the scenes. Microsoft 365 is a classic SaaS example. If the organization only wants to use software and not build or host it, SaaS is the correct model.

• IaaS: most customer control, most customer management
• PaaS: balance between control and convenience
• SaaS: least customer management, ready-to-use software

Exam Tip: Watch for the hidden management clue. If the question says the company wants to manage the operating system, choose IaaS. If it wants to avoid OS management but build apps, choose PaaS. If it just wants end-user software, choose SaaS.

A very common trap is choosing SaaS anytime software is mentioned. Remember, all three models involve software in some way. The real question is whether the company is consuming finished software, building on a managed platform, or controlling virtual infrastructure. Another trap is choosing IaaS because it sounds more powerful. AZ-900 rewards the most appropriate service model, not the one with the most control.

These distinctions also connect to shared responsibility. Moving from IaaS to PaaS to SaaS generally shifts more operational responsibility to the provider. The exam may not always say “shared responsibility model,” but it may test the concept indirectly by asking which model reduces customer management effort the most. In those cases, SaaS usually wins, unless the scenario requires application development, in which case PaaS is the better fit.

Section 2.5: Describe consumption-based pricing, CapEx versus OpEx, and cloud economics

Cloud economics is central to the value proposition of Azure and appears frequently on AZ-900. Consumption-based pricing means customers pay for the resources they use, typically measured by time, storage, transactions, bandwidth, or service tier. This model contrasts with buying hardware upfront regardless of actual usage. If the exam asks which cloud benefit allows an organization to align spending with demand, consumption-based pricing is a strong answer.

Capital expenditure, or CapEx, refers to upfront spending on physical infrastructure such as servers, datacenter equipment, and networking hardware. Operational expenditure, or OpEx, refers to ongoing costs incurred as services are consumed. Cloud computing often shifts spending from CapEx to OpEx. This does not always mean cloud is cheaper in every situation, but it does mean costs become more flexible and easier to align with usage patterns.

AZ-900 also tests broader economic ideas. The cloud can reduce the need to overprovision for peak demand, lower maintenance overhead, and improve agility by enabling faster deployment. However, the exam is not asking for a finance lecture. It is usually asking whether you understand why organizations like the ability to pay for what they use and avoid large initial purchases.

Exam Tip: If a question emphasizes “no upfront hardware cost,” think OpEx over CapEx. If it emphasizes “pay only for used resources,” think consumption-based pricing.

Common traps include assuming consumption-based pricing always means the lowest total cost. The exam objective is about the pricing model, not a universal promise of savings. Another trap is confusing predictable monthly subscriptions with consumption-based usage. Some services may combine both concepts, but the key cloud principle being tested is flexibility and usage alignment.

When answering pricing questions, focus on the business driver:

• Reduce upfront investment: cloud supports OpEx
• Match cost to demand: consumption-based pricing
• Avoid overbuying infrastructure for future peaks: cloud elasticity and economics

Microsoft may frame cloud economics as a business decision rather than a technical one. For example, a startup wanting to launch quickly without purchasing servers is really a pricing and agility scenario. A seasonal business wanting to avoid paying year-round for peak capacity combines elasticity with consumption-based cost benefits. The best exam answers are the ones that connect financial outcomes to cloud operating models.

Section 2.6: Describe cloud concepts practice set with scenario-based and best-answer questions

This final section is about test strategy rather than new theory. AZ-900 cloud concept questions are often scenario-based or best-answer items. That means several options may seem reasonable, but only one is the most directly aligned with the requirement. Your method should be consistent: first identify the objective domain, then extract the keyword clue, then remove distractors that belong to another concept family.

For example, if the scenario focuses on uptime, compare high availability and reliability carefully. If it focuses on changing demand, compare scalability and elasticity. If it mentions keeping some resources on-premises, compare hybrid and private cloud. If it mentions not wanting to manage servers while deploying custom applications, compare PaaS and SaaS. This structured comparison is exactly what separates a passing score from a near miss.

Best-answer questions frequently include one broad cloud truth and one precise answer tailored to the scenario. Choose precision. If a company wants ready-to-use email and collaboration software, SaaS is better than the more general statement that “cloud computing reduces infrastructure management.” The latter may be true, but it is not the best answer. Microsoft wants you to match the requirement to the correct concept or service model.

Exam Tip: On fundamentals exams, the simplest accurate answer is often the correct one. Do not add assumptions that the prompt does not state.

Here are practical habits for this domain:

• Underline mental clue words such as automatic, on-premises, dedicated, managed platform, and upfront cost
• Separate deployment model questions from service model questions
• Do not confuse governance with security or elasticity with scalability
• Choose the answer that satisfies the exact stated goal, not a loosely related benefit

Another common trap is answer inflation: picking the option that sounds most advanced or most secure even when the requirement is simpler. Hybrid cloud is not automatically better than public cloud. IaaS is not automatically better than PaaS. Private cloud is not automatically more appropriate just because regulation is mentioned. Read what must happen, not what might happen.

As you move into practice questions for this course, use answer logic deliberately. Ask why each wrong answer is wrong. That habit builds exam readiness faster than memorizing isolated definitions. In the cloud concepts domain, AZ-900 rewards clean distinctions, careful reading, and confidence with the language of business needs translated into cloud terms.

Section 3.1: Describe Azure regions, region pairs, sovereign regions, and availability zones

Azure is built from datacenters distributed around the world, and the exam expects you to understand how Microsoft organizes that footprint. An Azure region is a geographic area containing one or more datacenters connected by a low-latency network. Regions matter because they affect compliance, data residency, latency, and service availability. If a company wants its applications closer to European users, storing and running workloads in a European region can reduce latency and may help satisfy residency expectations. On AZ-900, when you see wording about choosing where resources are deployed geographically, think region.

Region pairs are another testable concept. Many Azure regions are paired with another region in the same geography. The point of the pairing is to support disaster recovery and planned maintenance sequencing. Microsoft can prioritize recovery for one region in a pair if a broad outage occurs. You do not need advanced disaster recovery architecture for AZ-900, but you should know that region pairs help improve resiliency and business continuity planning.

Sovereign regions are specialized Azure environments created to meet government or regulatory needs. These are isolated instances of Azure designed for specific jurisdictions, such as government or national compliance requirements. Exam questions may mention stricter legal boundaries, public sector workloads, or separate operational requirements. Those clues often point to sovereign regions rather than standard commercial Azure regions.

Availability zones are physically separate locations within an Azure region. Each zone has independent power, cooling, and networking. Their purpose is fault isolation inside a single region. This distinction is heavily tested: regions provide geographic distribution; availability zones provide resiliency within a region. If a question asks how to protect against a datacenter-level failure without moving to another geography, availability zones are the strongest answer.

• Region = geographic deployment location
• Region pair = paired regions for resiliency and recovery planning
• Sovereign region = isolated cloud environment for specific compliance or government needs
• Availability zone = separate physical location within a region for high availability

Exam Tip: Do not confuse availability zones with regions. Zones are inside a region. If the question mentions low latency and fault tolerance in the same metropolitan area, that usually signals availability zones, not a second region.

A common trap is selecting region pairs when the business need is high availability against a localized datacenter outage. Region pairs are broader and useful for regional disaster recovery strategy, while availability zones are the direct answer for protection against failure of a single datacenter facility within one region. Read the failure scope carefully.

Section 3.2: Describe resources, resource groups, subscriptions, management groups, and hierarchy

Understanding Azure hierarchy is essential because AZ-900 uses it to test both organization and governance. Start at the lowest practical level: a resource is an individual Azure service instance, such as a virtual machine, storage account, or web app. Resources are what you actually create and consume. If a scenario asks what represents a specific deployable service, the answer is resource.

Resources are placed into resource groups. A resource group is a logical container for resources that share a lifecycle, permissions pattern, or management purpose. It does not mean the resources must all be the same type, nor does it mean they must all live in the same exact location. In exam scenarios, if the wording emphasizes managing related resources together, deleting them together, or applying access control at a grouped level, resource group is the likely answer.

A subscription sits above resource groups and provides a boundary for billing, quotas, and access control. This is one of the most common tested distinctions. If the question mentions cost tracking, usage reporting, or creating separate environments for departments with distinct billing, think subscription. A subscription can contain multiple resource groups, and those resource groups contain resources.

Management groups sit above subscriptions. They allow organizations to apply governance consistently across multiple subscriptions. Large enterprises use them to organize subscriptions by department, geography, or business function, then apply policies and access controls at scale. If an exam item asks how to govern several subscriptions at once, management groups are the answer.

The hierarchy can be remembered simply: management groups, subscriptions, resource groups, resources. Microsoft likes to test whether you understand where governance and billing apply. Subscriptions are a billing boundary. Resource groups are not. Management groups help organize many subscriptions. Resources are the actual deployed services.

• Resource: individual service instance
• Resource group: logical grouping of resources
• Subscription: billing and access boundary
• Management group: governance layer above subscriptions

Exam Tip: If a question asks for the smallest unit you can create and manage directly, choose resource. If it asks for a way to organize related services for deployment or administration, choose resource group. If it asks for billing separation, choose subscription.

A frequent trap is assuming resource groups are billing containers. They are not. Costs are associated to the subscription, though reporting can be filtered in ways that make resource groups useful for analysis. On the exam, do not let reporting language distract you from the official hierarchy role of each object.

Section 3.3: Describe Azure compute services including virtual machines, containers, and Azure Virtual Desktop

This section maps directly to a major AZ-900 objective: knowing when to use different compute options. Azure virtual machines are Infrastructure as a Service. They provide the highest level of control among the common compute choices in this chapter because you manage the guest operating system, installed software, and many configuration details. On the exam, virtual machines fit lift-and-shift migrations, custom software requirements, legacy applications, and situations where you need direct OS access.

Containers package an application and its dependencies into a portable unit. They are lighter weight than full virtual machines because they do not require a complete guest OS for every instance. The AZ-900 angle is usually about portability, consistency across environments, and rapid deployment. If the scenario emphasizes fast scaling, microservices, or application packaging with fewer infrastructure concerns than a VM, containers are often the best fit. However, containers still differ from fully serverless options because you are still thinking in terms of application runtime packaging and orchestration rather than event-triggered execution.

Azure Virtual Desktop is another service the exam may use in scenario language. It delivers virtual desktops and remote applications from Azure. If a question describes employees needing secure remote desktop access, centralized desktop management, or remote application delivery across distributed workforces, Azure Virtual Desktop should stand out. It is not the same thing as a general virtual machine, even though both rely on compute resources. Azure Virtual Desktop is a desktop and app virtualization solution.

The exam often rewards choosing the least management-heavy service that still satisfies the need. A custom line-of-business app requiring specific OS-level configuration suggests a VM. A containerized web component that needs consistency across environments suggests containers. A remote desktop access solution for users suggests Azure Virtual Desktop.

• Virtual machines: maximum flexibility and OS control
• Containers: lightweight, portable app packaging
• Azure Virtual Desktop: centralized desktop and app delivery

Exam Tip: Watch for user-facing versus app-hosting clues. If the prompt is about employees using desktops or published applications remotely, that points to Azure Virtual Desktop, not simply a VM deployment.

A common trap is selecting virtual machines because they seem universally capable. In reality, AZ-900 best-answer questions often favor containers or managed platforms when full OS control is unnecessary. Always ask: Is direct server administration actually required? If not, a higher-level service may be the intended answer.

Section 3.4: Describe serverless options including Azure Functions and event-driven workloads

Serverless is a favorite fundamentals exam topic because it highlights cloud efficiency and abstraction. In Azure, Azure Functions is the core serverless compute example. With Functions, you run code in response to triggers such as HTTP requests, timers, messages, or events. The main exam idea is that you do not manage the underlying server infrastructure directly. This aligns well with event-driven workloads and bursty demand patterns.

If a scenario says code should run only when something happens, such as when a file is uploaded, a queue message arrives, or an API endpoint is called occasionally, Azure Functions is likely the right answer. The service is ideal for short-lived execution, automation, integrations, and lightweight backend processing. AZ-900 does not expect you to know advanced implementation details, but it does expect you to recognize the phrase event-driven as a strong signal.

Serverless also connects naturally to consumption-based pricing concepts from earlier cloud topics. Since functions can scale based on demand and may incur charges tied to execution, they represent an efficient model for unpredictable workloads. The exam may contrast this with a continuously running VM, which can be less cost-efficient for infrequent tasks.

Do not confuse serverless with “no servers exist.” The servers still exist, but Microsoft manages them. Your focus is on code and triggers rather than operating systems and infrastructure patching. That distinction matters because exam questions may test the management responsibility model alongside architecture choices.

Exam Tip: Keywords such as trigger, event, run on demand, automatic scaling, and minimal infrastructure management usually point to Azure Functions or another serverless-style choice.

A common trap is choosing containers for every modern application scenario. Containers are excellent for portability and microservices, but if the workload is primarily event-triggered and does not need continuously running application instances, Azure Functions is often the intended answer. Another trap is choosing virtual machines for simple automation jobs. On AZ-900, that usually signals overprovisioning and unnecessary management effort.

• Best for event-driven code execution
• Reduces infrastructure management overhead
• Supports automatic scaling based on demand
• Fits intermittent or unpredictable workloads

When matching scenarios to the right Azure service, think serverless whenever the business requirement focuses on responding to events efficiently rather than maintaining full-time server capacity.

Section 3.5: Describe application hosting choices such as App Service and related web hosting options

Azure App Service is a Platform as a Service offering for hosting web apps, REST APIs, and mobile back ends. For AZ-900, the important idea is that App Service lets you deploy application code without managing the underlying virtual machines directly. This makes it one of the most important services to recognize in web hosting scenarios. If a company wants to host a website quickly, scale more easily, and reduce infrastructure administration, App Service is often the strongest answer.

The exam frequently tests App Service against virtual machines. Both can host web applications, but the key distinction is management responsibility. A VM requires you to manage the operating system, patching, and much of the application environment. App Service abstracts much of that away and is therefore often the preferred answer when the question emphasizes managed hosting, rapid deployment, or minimizing administrative overhead.

App Service also fits scenarios involving standard web applications and APIs where deep OS customization is not the main concern. That is the clue to watch. If the prompt focuses on hosting a website or API with built-in platform features and simplified scaling, App Service is usually the intended choice. If the prompt instead emphasizes full control of the server environment or custom legacy dependencies, a VM may still be more appropriate.

Related web hosting choices can include containers or serverless patterns depending on the architecture. Containerized web apps may be a fit when packaging consistency matters. Azure Functions may fit API endpoints or backend operations that are event-driven. Still, for broad “host a web app” wording on AZ-900, App Service is the most exam-friendly and likely answer.

Exam Tip: When a scenario says host a web application without managing infrastructure, think App Service first. Microsoft loves this distinction because it maps cleanly to PaaS versus IaaS.

A common trap is choosing the most powerful option instead of the most appropriate option. Virtual machines can host almost anything, but they are usually not the best answer when the requirement is simply managed web hosting. The exam rewards cloud-native simplicity.

• App Service = managed hosting for web apps and APIs
• VMs = more control, more administration
• Functions = event-driven code rather than full traditional web hosting
• Containers = useful when packaging portability is central

This is where service matching becomes critical. Read for intent: website hosting, API delivery, custom server control, event response, or portability. Once you identify the intent, the correct Azure service becomes much easier to select.

Section 3.6: Azure architecture and compute practice set with detailed answer explanations

This final section is designed to reinforce exam thinking rather than present raw memorization. The AZ-900 exam often uses short scenarios with one or two decisive clues. Your job is to identify the tested objective quickly and eliminate answers that are technically possible but not the best fit. In architecture and compute questions, start by classifying the scenario: geographic design, organizational hierarchy, compute hosting model, or event-driven processing. That first move dramatically improves accuracy.

For geography-related scenarios, ask what failure or compliance boundary is being discussed. If the concern is global placement or legal residency, think regions or sovereign regions. If the concern is datacenter-level resiliency within one region, think availability zones. If the concern is broader disaster recovery planning across paired geographies, think region pairs. One keyword can determine the whole answer.

For hierarchy questions, identify whether the prompt is about billing, grouping, or governance. Billing boundaries point to subscriptions. Logical grouping of related services points to resource groups. Cross-subscription governance points to management groups. The actual deployed item is the resource. Many wrong answers on AZ-900 are attractive because they sound administratively related. Focus on the exact job each layer performs.

For compute questions, determine how much control the organization wants and how much infrastructure management it wants to avoid. Full OS control suggests virtual machines. Portability and lightweight application packaging suggest containers. Remote desktop delivery suggests Azure Virtual Desktop. Event-triggered code with minimal infrastructure management suggests Azure Functions. Managed web hosting suggests App Service. These distinctions appear repeatedly because they test foundational cloud judgment.

Exam Tip: Eliminate by management model. If the scenario stresses reduced administration, remove VM choices first unless a requirement specifically demands OS-level control. This one strategy can improve scores significantly on service-selection questions.

Another useful technique is to translate business language into Azure language. “We need separate billing for departments” means subscriptions. “We need to keep related app components together” means resource groups. “We need a website without managing servers” means App Service. “We need code to run when a message arrives” means Azure Functions. “We need employees to access desktops remotely” means Azure Virtual Desktop. This translation skill is exactly what fundamentals questions are measuring.

The most common trap in this chapter is choosing an answer based on familiarity rather than fit. Candidates often pick virtual machines because they know what a server is, or choose regions when the question really asks about availability zones. Slow down just enough to identify the core requirement. On AZ-900, best-answer logic matters more than technical possibility. If you train yourself to map keywords to service categories and to compare choices by management responsibility, you will perform much more confidently on architecture and compute items.

Section 4.1: Describe Azure virtual networks, subnets, peering, DNS, VPN Gateway, and ExpressRoute

Azure networking starts with the Azure Virtual Network, often called a VNet. A VNet is the logical network boundary for Azure resources such as virtual machines. On the exam, think of a VNet as Azure's version of a private network in the cloud. It enables Azure resources to communicate securely with each other, with the internet, and with on-premises environments depending on how connectivity is configured. If a question asks for network isolation or a place to organize cloud resources by IP range, VNet is a strong signal.

Within a VNet, you create subnets. A subnet is a smaller IP address range inside the virtual network. Microsoft commonly tests the idea that subnets help organize resources and apply network controls more precisely. For example, you may place web servers in one subnet and database servers in another. The trap is assuming a VNet and a subnet are interchangeable. They are not. The VNet is the overall private network; the subnet is a segmented portion of that network.

VNet peering allows two Azure virtual networks to connect so that resources in each can communicate privately using the Microsoft backbone network. This is commonly tested against VPN Gateway. Peering connects VNets to each other; VPN Gateway connects networks securely, often between Azure and on-premises or between VNets through VPN scenarios. If the question is about fast private communication between Azure virtual networks, peering is usually the cleaner answer.

Azure DNS is used for domain name resolution. The exam may test basic awareness that DNS translates names to IP addresses. Do not overthink it. If the scenario involves resolving a host name to a network address, DNS is the concept being tested. Azure provides DNS-related services, but at the AZ-900 level, the key is understanding the purpose rather than configuration details.

VPN Gateway provides encrypted connectivity over the public internet. It is a common answer when an organization wants secure communication between an on-premises network and Azure without using a dedicated private circuit. ExpressRoute, by contrast, provides a dedicated private connection between on-premises infrastructure and Microsoft cloud services. It does not rely on the public internet in the same way as VPN Gateway.

Exam Tip: If the question emphasizes encrypted connection over the internet, choose VPN Gateway. If it emphasizes dedicated private connectivity, higher reliability, or avoiding the public internet, look for ExpressRoute.

Common exam traps include confusing VNet peering with ExpressRoute and assuming all private communications require the same service. Read for the exact connectivity target: Azure-to-Azure, Azure-to-on-premises, or name resolution. The exam is testing whether you can identify the right Azure networking building block from the requirement wording.

Section 4.2: Describe network security concepts including NSGs, Azure Firewall, and DDoS protection

Once you understand how Azure resources connect, the next tested area is how Azure controls and protects that traffic. The three names you must know clearly are Network Security Groups, Azure Firewall, and Azure DDoS Protection. These services all relate to network security, but they operate differently. The exam often places them side by side as answer options, so role clarity matters.

A Network Security Group, or NSG, filters network traffic to and from Azure resources in a virtual network. It uses rules that allow or deny traffic based on source, destination, port, and protocol. NSGs are commonly associated with subnets and network interfaces. If an exam item asks for basic traffic filtering within a VNet or controlling inbound and outbound traffic at a resource or subnet level, NSG is usually correct.

Azure Firewall is a managed, stateful firewall service for controlling and logging traffic centrally. Where NSGs are commonly thought of as distributed filtering rules, Azure Firewall is the broader centralized security control. On AZ-900, Microsoft may test that Azure Firewall helps manage network traffic using a central policy point. If the requirement mentions centralized control, application-level filtering awareness, or one managed firewall for multiple networks, Azure Firewall is a stronger fit than NSGs.

Azure DDoS Protection is designed to help protect Azure resources from distributed denial-of-service attacks. This is a different problem from standard traffic filtering. DDoS attacks attempt to overwhelm services with malicious traffic volume. The trap is choosing NSG or Firewall just because the scenario mentions security. If the threat is specifically a volumetric availability attack, DDoS Protection is the concept being tested.

Exam Tip: Match the service to the security goal. Need packet or port filtering at subnet or NIC level? Think NSG. Need centralized managed network traffic control? Think Azure Firewall. Need defense against denial-of-service attacks? Think DDoS Protection.

Another common trap is thinking these services are mutually exclusive. In practice, they can complement one another. But on the exam, you should choose the answer that best matches the stated need. If the scenario asks for limiting RDP or SSH access to a subnet, NSG is likely enough. If it asks for broad centralized traffic inspection and control across environments, Azure Firewall is more likely. If uptime is threatened by traffic floods, DDoS Protection is the best-fit answer.

The exam tests recognition, not implementation steps. Focus on what each service is for, what scope it commonly applies to, and which problem statement most directly points to it.

Section 4.3: Describe Azure storage services including blob, disk, file, and archive storage

Azure storage is a favorite AZ-900 topic because Microsoft can test it from many angles: type of data, access method, cost, lifecycle, and common workload. The essential storage services to separate are Blob Storage, Disk Storage, and Azure Files, along with the concept of archive storage for infrequently accessed data.

Blob Storage is designed for massive amounts of unstructured data. Think text files, images, videos, backups, logs, or documents. If the question mentions object storage, unstructured data, or internet-scale storage, Blob Storage should come to mind. It is not presented as a mounted operating system disk for a VM. That difference matters.

Azure Disk Storage provides persistent disks for Azure virtual machines. These are the virtual hard drives used by VMs for operating systems and application data. If the question asks what storage a VM uses for its OS disk or attached data disk, the answer is Disk Storage, not Blob or Azure Files.

Azure Files offers managed file shares in the cloud using standard file-sharing protocols. It is useful when multiple systems need access to shared files in a familiar file-share model. The exam often contrasts Azure Files with Blob Storage. Blob is object storage; Azure Files is shared file storage. If the wording includes lift-and-shift file shares, shared access, or SMB-style file access, Azure Files is often the correct choice.

Archive storage refers to a low-cost tier for data that is rarely accessed and can tolerate retrieval delay. It is commonly associated with Blob Storage lifecycle and tiering concepts. The exam may present this as a cost optimization scenario. If data must be retained long term but is rarely read, archive is a strong clue. Do not confuse archive with backup service names unless the question explicitly asks about backups.

Exam Tip: Identify the access pattern first. VM disk requirement means Disk Storage. Shared file access means Azure Files. Large unstructured object data means Blob Storage. Rarely accessed long-term retention means archive tier.

Common traps include assuming all Azure storage is basically the same or choosing Azure Files whenever the word file appears. Microsoft tests storage by use case. A video file stored for web access is usually a blob, not an Azure File share. A VM boot volume is a disk, not a blob answer on the exam. Read the workload carefully and ask: Is this object storage, a mounted VM disk, or a shared file system?

Section 4.4: Describe storage redundancy options, migration basics, and data management principles

After learning storage types, you must understand how Azure keeps data durable and available. AZ-900 commonly tests storage redundancy choices at a conceptual level. You are not expected to design every storage architecture, but you should recognize that Azure offers different redundancy models to balance cost, availability, and geographic protection.

Locally redundant storage keeps multiple copies of data within a single datacenter. Zone-redundant storage spreads copies across availability zones in one region. Geo-redundant storage replicates data to a secondary region. Geo-zone-redundant storage combines zone-level and regional protection concepts. The exam does not usually require deep replication mechanics, but it does expect you to know the trade-off direction: more redundancy across broader scope generally means greater resilience and potentially higher cost.

Migration basics also appear in foundational questions. At this level, focus on the idea that Azure provides tools and services to move data and workloads into Azure. You may see Azure Migrate referenced in broader migration contexts. The exam is not asking you to perform migration projects; it is asking whether you recognize migration as a planned process of discovery, assessment, and movement. If the scenario is about evaluating on-premises resources before moving them, migration assessment tools are the theme.

Data management principles include selecting the right storage for the right access pattern, lifecycle management, and aligning protection level to business requirements. A company does not need premium performance and geo-redundant protection for every archive workload. Likewise, mission-critical data should not be matched with the cheapest option without regard to availability needs. These are foundational cloud decision principles Microsoft likes to test.

Exam Tip: Separate storage type from redundancy type. Blob, Disk, and Files answer what kind of storage is used. LRS, ZRS, GRS, and GZRS answer how copies of data are protected.

A frequent exam trap is choosing a redundancy option when the question actually asks for a storage service, or choosing a storage service when the question asks how data should be replicated. Another trap is assuming archive data cannot still require redundancy. Access tier and redundancy are different dimensions.

For data management, watch for keywords such as durability, availability, regional protection, cost optimization, and lifecycle. These clues help narrow the answer. On AZ-900, the correct answer usually comes from identifying whether the business priority is local resilience, zone resilience, or cross-region resilience, then selecting the simplest matching redundancy model.

Section 4.5: Describe identity, access, and security services including Microsoft Entra ID, SSO, MFA, and Conditional Access

Identity is one of the most important AZ-900 exam domains because nearly every Azure environment depends on it. The key directory and identity service to know is Microsoft Entra ID, previously known as Azure Active Directory. On the exam, Microsoft Entra ID is the cloud-based identity and access management service used to manage users, groups, and application access. It is not the same thing as an Azure subscription, a resource group, or a virtual network.

Single sign-on, or SSO, allows a user to sign in once and access multiple applications without repeatedly entering credentials. This is commonly tested as a convenience and productivity feature, but it also helps centralize identity management. If the scenario mentions reducing repeated sign-ins across cloud applications, SSO is the right concept.

Multifactor authentication, or MFA, adds another layer of verification beyond just a password. This could include a code, mobile app approval, or biometric factor depending on implementation. On AZ-900, the tested idea is simple: MFA increases sign-in security. If the business need is to reduce risk from compromised passwords, MFA is a likely answer.

Conditional Access goes one step further by applying access policies based on conditions such as user, location, device state, or risk. The exam may present this as controlling access differently depending on sign-in context. For example, requiring MFA only when users connect from untrusted locations is a classic Conditional Access scenario. The trap is choosing MFA alone when the question really asks for policy-based enforcement logic.

Exam Tip: Think in layers. Microsoft Entra ID is the identity platform. SSO improves the sign-in experience. MFA strengthens authentication. Conditional Access decides when and under what conditions access is allowed or extra verification is required.

Another common distinction is authentication versus authorization. Authentication verifies who a user is. Authorization determines what the user can access. The exam may not always use those exact words, but the logic appears often. Signing in with MFA is authentication. Being granted access to a specific application or resource is authorization.

Do not confuse directory services with on-premises Windows Server Active Directory unless the question explicitly compares them. For AZ-900, focus on the cloud identity service role of Microsoft Entra ID and the security controls built around modern sign-in. Microsoft wants you to recognize how these services support secure access in cloud environments without needing deep administrative detail.

Section 4.6: Networking, storage, and identity practice set in AZ-900 exam style

To finish this chapter, shift from memorization to exam-style recognition. AZ-900 often blends domains into one business requirement. You may see a company that needs secure connectivity to Azure, low-cost long-term data retention, and stronger user sign-ins. Although those needs sound related, they map to different service families: networking, storage, and identity. Your task on test day is to isolate the exact requirement and avoid being distracted by extra details.

Start by identifying the noun and the action in the scenario. If the subject is users or sign-in rules, you are likely in the identity domain. If the subject is files, disks, backups, or retention, you are in storage. If the subject is traffic flow, connectivity, name resolution, or traffic filtering, you are in networking. This simple classification strategy helps eliminate many distractors quickly.

When comparing answer options, ask three questions. First, what problem is being solved? Second, what is the scope: user, data, VM, subnet, VNet, region, or on-premises connection? Third, does the answer name a service category or a feature inside that category? For example, Conditional Access is more specific than Microsoft Entra ID, and archive tier is more specific than Blob Storage in a retention scenario.

Exam Tip: On foundational exams, the correct answer is usually the Azure service that most directly addresses the stated requirement, not the broadest or most complicated option. Avoid overengineering in your head.

Common mixed-domain traps include choosing VPN Gateway when the requirement is actually VNet peering, choosing Azure Files when object storage is needed, and choosing MFA when the scenario requires policy-driven access decisions through Conditional Access. Another trap is forgetting that security can appear in all three domains: NSGs protect network traffic, storage redundancy protects data availability, and MFA protects identities.

For retention practice, create your own quick comparison grid after reading this section. List service name, purpose, and keyword clue. For example: ExpressRoute equals private dedicated connection; Azure Firewall equals centralized managed traffic control; Blob Storage equals unstructured object data; Disk Storage equals VM disks; Microsoft Entra ID equals cloud identity; Conditional Access equals policy-based access control. That kind of repetition is highly effective for AZ-900 because the exam rewards accurate service recognition.

As you prepare for mixed-domain questions, train yourself to read slowly enough to catch the deciding keyword but quickly enough to avoid second-guessing obvious service matches. Confidence comes from pattern recognition, and pattern recognition comes from linking each Azure term to a single clear job.

Section 5.1: Describe cost management concepts, calculators, tagging, and reservations

AZ-900 expects you to understand that Azure uses a consumption-based pricing model, but the exam goes further by testing which tools help estimate, organize, and reduce costs. The pricing calculator is used before deployment to estimate the expected cost of Azure services. If a question asks how an organization can compare expected monthly costs for virtual machines, storage, or networking before making a purchase decision, the pricing calculator is the likely answer. The Total Cost of Ownership, or TCO, calculator is different: it helps compare the cost of running workloads on-premises versus running them in Azure.

Cost Management is commonly tested as the service used to analyze spending, create budgets, review cost trends, and identify where money is being consumed after resources are deployed. That makes it operational and ongoing, not just predeployment estimation. A frequent exam trap is mixing up the pricing calculator and Cost Management. One estimates future spend; the other monitors and manages actual spend.

Tags are another important exam topic. Tags are name-value pairs applied to Azure resources for organizational purposes such as department, owner, environment, or cost center. They help with cost tracking and reporting, especially across large environments. However, tags do not enforce compliance by themselves. If the question says a company wants to require every resource to include a department tag, Azure Policy is the enforcement mechanism, while tags are the metadata itself.

Reservations are used to reduce cost when a company commits to using certain Azure resources for a one-year or three-year term. On the exam, reservations are associated with predictable workloads and long-term savings. They are not the best choice for highly variable or short-lived workloads. If the scenario emphasizes stable, always-running resources and a desire to lower cost, reservations should stand out as the correct answer.

• Pricing calculator: estimates Azure service costs before deployment
• TCO calculator: compares on-premises costs to Azure costs
• Cost Management: analyzes and controls actual Azure spending
• Tags: organize resources and support cost reporting
• Reservations: reduce cost for predictable long-term usage

Exam Tip: Look for time clues. “Before migration” suggests TCO or pricing calculator. “After deployment” suggests Cost Management. “Need to identify spending by department” suggests tags, often combined with Cost Management reports.

A common trap is assuming tags automatically stop noncompliant deployments. They do not. Another trap is believing reservations improve availability or performance. Their primary exam-tested value is cost savings through commitment.

Section 5.2: Describe Azure Service Level Agreements, service lifecycle, and preview versus GA services

An Azure Service Level Agreement, or SLA, is a formal commitment from Microsoft regarding uptime and connectivity for a service. The AZ-900 exam often tests basic interpretation rather than detailed contract language. For example, you may need to recognize that a 99.9% SLA allows more downtime than a 99.99% SLA. Higher availability percentages mean less allowable downtime. Questions may also test the idea that combining services can affect the overall solution-level availability.

The exam also expects you to understand service lifecycle terms. General Availability, or GA, means a service is fully released for production use and is backed by Microsoft support commitments and SLAs where applicable. Preview services are still being tested or refined. They may have limited functionality, can change before final release, and often do not carry the same SLA or production guarantees as GA offerings. If the question mentions a mission-critical production workload, GA is generally the safer and more test-correct choice.

Microsoft also uses terms such as public preview and private preview. At the AZ-900 level, the most important distinction is simple: preview means not fully released for general production expectations, while GA means broadly available and supported for production use. Do not overcomplicate it.

A common exam trap is choosing preview because it offers the newest feature set. The exam usually prioritizes reliability, supportability, and business suitability. If an organization requires guaranteed support levels, contractual uptime expectations, or compliance confidence, preview is usually not the best answer.

Exam Tip: When you see words like “production,” “business-critical,” “guaranteed uptime,” or “supported service,” think GA and SLA-backed offerings. When you see “testing new features” or “try upcoming functionality,” preview may be acceptable.

Remember that not all Azure services or configurations have the same SLA by default. In some scenarios, adding redundancy or using multiple instances improves availability design. AZ-900 may frame this concept broadly, so focus on the principle that architecture decisions can affect achievable uptime.

Questions in this area test whether you can distinguish marketing excitement from governance discipline. Newer is not always the correct exam answer. Supported, stable, and contractually backed often wins in governance-focused scenarios.

Section 5.3: Describe governance tools including Azure Policy, resource locks, and management groups

Governance tools are central to this chapter and are frequently tested because they help organizations standardize and control Azure environments at scale. Azure Policy is used to create, assign, and manage rules that enforce or audit resource properties. For instance, a company may require that resources be deployed only in approved regions, must include specific tags, or cannot use certain SKU sizes. Azure Policy is about compliance rules and enforcement.

Resource locks solve a different problem. They protect resources from accidental deletion or modification. There are two common lock types: delete locks, which prevent deletion, and read-only locks, which prevent changes. On the exam, if the requirement is to stop administrators from accidentally deleting a production resource, resource locks are the best fit. If the requirement is to ensure all storage accounts use secure settings, Azure Policy is the correct tool.

Management groups help organize subscriptions. They allow governance settings, such as policy assignments or access controls, to be applied above the subscription level. This is especially useful for large enterprises with multiple subscriptions. If a scenario mentions applying consistent governance across many subscriptions, management groups should immediately come to mind.

A classic exam trap is confusing Azure Policy with RBAC. Role-Based Access Control governs who can perform actions. Azure Policy governs whether resources comply with rules. Another trap is confusing resource locks with policy. Locks protect existing resources against accidental changes; policy governs deployment and compliance behavior.

• Azure Policy: enforce or audit standards
• Resource locks: prevent accidental deletion or modification
• Management groups: organize and govern multiple subscriptions

Exam Tip: Ask yourself whether the scenario is about structure, rules, or protection. Structure across subscriptions points to management groups. Rules about allowed settings point to Azure Policy. Protection from accidental admin actions points to resource locks.

At the AZ-900 level, you do not need to memorize advanced policy syntax. Focus instead on business outcomes: standardization, compliance, and risk reduction. Governance questions are often easier when you translate technical wording into plain language first.

Section 5.4: Describe deployment and management tools including Azure portal, Cloud Shell, ARM, and Bicep concepts

Azure provides multiple ways to deploy and manage resources, and the exam expects you to know the role of each. The Azure portal is the web-based graphical interface used to create, configure, and monitor Azure services. It is intuitive and often the default choice for interactive management. If a scenario describes a user who wants to manage resources visually through a browser, the Azure portal is the best answer.

Azure Cloud Shell provides a browser-accessible command-line environment. It supports tools such as Azure CLI and PowerShell without requiring local installation. On the exam, Cloud Shell is useful when the question emphasizes command-line access from almost anywhere, quick scripting, or not wanting to install admin tools on a local device.

Azure Resource Manager, or ARM, is the Azure deployment and management framework. ARM templates use declarative JSON files to define infrastructure as code. The key tested idea is consistency and repeatability. If a company wants to deploy the same environment multiple times with standardized configuration, ARM templates are a strong answer. Bicep is a more readable domain-specific language that simplifies authoring ARM deployments. Bicep ultimately deploys through Azure Resource Manager, but it is easier to read and maintain than raw JSON in many cases.

One exam trap is treating ARM as if it were only a template format. ARM is the management layer; ARM templates are one deployment method using that layer. Another trap is assuming the portal is the best answer for repeatable deployment at scale. The portal is convenient, but infrastructure as code tools such as ARM templates and Bicep are better for consistency.

Exam Tip: Watch for clue words. “Browser GUI” points to Azure portal. “Command line in browser” points to Cloud Shell. “Repeatable deployment” or “infrastructure as code” points to ARM templates or Bicep.

Bicep has become especially important in exam wording because Microsoft wants candidates to recognize the concept of simplified declarative deployment. You are not expected to write Bicep code for AZ-900, but you should know that it helps define Azure resources in a cleaner syntax while still using the ARM deployment model.

Section 5.5: Describe monitoring and compliance tools including Azure Monitor, Service Health, Defender for Cloud, and the Trust Center

Monitoring and compliance questions often appear similar, so you must distinguish each service by purpose. Azure Monitor collects and analyzes telemetry from Azure resources and applications. It helps track metrics, logs, alerts, and performance trends. If a scenario asks how to observe resource performance, generate alerts, or analyze operational data, Azure Monitor is likely correct.

Azure Service Health is different. It provides information about Azure service issues, planned maintenance, and advisories that may affect your subscribed services and regions. If the scenario is about knowing whether a Microsoft-side outage is affecting your environment, Service Health is the right answer. A common trap is choosing Azure Monitor when the problem concerns broader Azure platform incidents rather than the health metrics of your own resources.

Microsoft Defender for Cloud focuses on security posture management and threat protection. At the AZ-900 level, know that it helps identify security recommendations, assess secure configuration, and improve protection across Azure and hybrid resources. If a question asks which tool gives security recommendations or helps strengthen cloud security posture, Defender for Cloud is the best fit.

The Microsoft Trust Center is an information resource that provides details about Microsoft security, privacy, compliance, and transparency practices. It is not an active monitoring or enforcement tool. If the question asks where an organization can review Microsoft compliance documentation or understand how Microsoft handles data protection and regulatory commitments, the Trust Center is appropriate.

• Azure Monitor: metrics, logs, alerts, operational visibility
• Service Health: platform incidents, planned maintenance, advisories
• Defender for Cloud: security posture and protection recommendations
• Trust Center: compliance and trust documentation

Exam Tip: Separate “what is happening in my resources” from “what is happening in Microsoft’s platform.” The first often points to Azure Monitor. The second often points to Service Health.

Another trap is assuming the Trust Center enforces compliance. It does not. It informs customers about Microsoft’s compliance and security practices. Defender for Cloud, by contrast, gives actionable security insights. This distinction is heavily testable because both include security and compliance language but serve different roles.

Section 5.6: Azure management and governance practice set with detailed rationales

When practicing AZ-900 governance questions, focus less on memorizing isolated definitions and more on pattern recognition. Governance items usually present a business requirement in plain language and expect you to map that requirement to the proper Azure capability. If the organization wants to reduce spending on long-running resources, think reservations. If it wants to assign costs by department, think tags plus cost analysis. If it wants to enforce standards such as allowed regions or required tagging, think Azure Policy. If it wants to avoid accidental deletion, think resource locks. If it wants to organize several subscriptions under a common governance structure, think management groups.

For deployment questions, identify whether the scenario favors manual administration or repeatable automation. A visual one-time setup often suggests the Azure portal. Browser-based command-line access suggests Cloud Shell. Standardized deployments at scale suggest ARM templates or Bicep. For monitoring questions, decide whether the issue concerns your workloads or the Azure platform itself. Workload telemetry suggests Azure Monitor. Platform incidents suggest Service Health. Security posture suggestions indicate Defender for Cloud. Compliance documentation points to the Trust Center.

One of the best-answer traps in this chapter is choosing an answer that is true but not the most precise. For example, tags can help organize resources, but if the question asks how to require tags, Azure Policy is more precise. The portal can create resources, but if the question asks how to deploy the same configuration consistently many times, ARM or Bicep is more precise. Cost Management can show spending, but if the question asks how to estimate costs before deployment, the pricing calculator is more precise.

Exam Tip: In scenario-based items, underline the actual task mentally: estimate, analyze, enforce, protect, organize, deploy, monitor, secure, or document. Most governance questions can be solved by matching one of those verbs to the correct Azure service.

As a final review strategy, build a quick comparison sheet with confusing pairs: Policy versus locks, Monitor versus Service Health, Defender for Cloud versus Trust Center, pricing calculator versus TCO calculator, portal versus ARM/Bicep. These pairs account for many avoidable errors. The exam is not trying to trick you with obscure details; it is testing whether you can select the right tool for a clearly stated need.

If you can consistently identify the business outcome each Azure governance tool supports, you will be well prepared for this domain. That is the real AZ-900 skill: understanding what problem each service is designed to solve and recognizing it quickly under exam conditions.

Section 6.1: Full-length mock exam set one covering Describe cloud concepts

The first full-length mock exam set should center on the Describe cloud concepts domain because this objective area establishes the language and logic used throughout the rest of the exam. Expect this part of your review to emphasize cloud models, the benefits of cloud computing, shared responsibility, pricing principles, and deployment models such as public, private, and hybrid cloud. The exam is not asking you to architect a complex environment. It is asking whether you understand what problem each model solves and who is responsible for what.

When reviewing your performance in this domain, pay special attention to questions that appear simple. These are often where candidates lose easy points. For example, consumption-based pricing may be confused with fixed capital investment, or elasticity may be mistaken for high availability. Those terms are related to cloud value, but they do not mean the same thing. Elasticity refers to scaling resources up or down with demand. High availability refers to keeping services accessible. Fault tolerance, disaster recovery, and scalability are also frequent distractor clusters.

Exam Tip: If the wording points to avoiding large upfront infrastructure spending, think OpEx and consumption-based pricing. If it points to buying and maintaining physical hardware, think CapEx and on-premises models.

Another core exam target is the shared responsibility model. Microsoft tests whether you can distinguish what always remains the customer’s responsibility and what shifts to the cloud provider depending on IaaS, PaaS, or SaaS. The trap here is assuming Azure manages everything in every model. It does not. In IaaS, the customer still manages operating systems, applications, and many configuration decisions. In SaaS, Microsoft manages much more of the underlying stack, but the customer still owns data, access, and correct usage policies. If your mock exam results show confusion here, return to the model stack and review responsibilities layer by layer.

Use this mock exam set to sharpen identification skills. Ask yourself after each item: what exact objective was tested? Was this a question about business benefit, deployment model, or responsibility model? The more consistently you can label the objective behind the item, the less likely you are to fall for vague answer choices. This lesson naturally supports Mock Exam Part 1 because it trains the foundational judgment expected in the opening portion of a realistic AZ-900 practice session.

Section 6.2: Full-length mock exam set two covering Describe Azure architecture and services

The second mock exam set should focus on the broadest content area in AZ-900: Azure architecture and services. This domain commonly includes core architectural components such as regions, availability zones, subscriptions, resource groups, and management groups, followed by foundational service categories like compute, networking, storage, and identity. Because there are many service names in this objective area, successful candidates do not rely on memorization alone. They classify services by purpose and compare them to likely alternatives.

For compute, the exam frequently tests whether you understand when Azure Virtual Machines, containers, App Service, and serverless options such as Azure Functions are appropriate. A common trap is choosing the most powerful or most familiar service instead of the one that best matches the scenario. If the requirement suggests minimal infrastructure management for web apps, App Service is often the stronger fit than virtual machines. If the focus is event-driven execution, Azure Functions should come to mind before a full server deployment.

Networking questions often look straightforward but hide a distinction between connectivity concepts. You may need to recognize virtual networks, VPN Gateway, ExpressRoute, DNS, load balancing, or content delivery solutions. The exam expects foundational differentiation, not deep network engineering. Likewise, storage objectives usually test the differences among blob, file, queue, and table storage, along with concepts such as redundancy options and storage tiers. Be careful with answer choices that sound generally cloud-related but do not actually satisfy the storage requirement named in the scenario.

Identity is another high-value topic. Candidates commonly confuse Microsoft Entra ID with authorization tools such as Azure RBAC. Remember that Entra ID is the identity and authentication foundation, while RBAC controls what authenticated users can do with Azure resources. If your mock exam misses cluster around identity, that is a signal to review both service purpose and terminology.

Exam Tip: On architecture-and-services questions, ask: is this testing scope, connectivity, hosting model, storage type, or identity control? One classification step can eliminate half the options.

This section aligns with Mock Exam Part 2 because it simulates the middle of the exam, where breadth matters most. Strong performance here often depends on recognizing small wording differences between services that sound similar but solve different problems.

Section 6.3: Full-length mock exam set three covering Describe Azure management and governance

The third mock exam set should target Azure management and governance, an area that often produces avoidable mistakes because many services overlap in a candidate’s memory. The AZ-900 exam expects you to understand cost management, compliance, governance controls, monitoring, and security-related management tools at a foundational level. The challenge is not raw complexity. The challenge is precision: selecting the Azure service that directly matches the governance or monitoring task described.

Start with governance structure. Candidates should clearly distinguish management groups, subscriptions, resource groups, tags, Azure Policy, and resource locks. These terms are frequently tested together. Resource groups are used for organizing resources for lifecycle management, but they are not the same as subscriptions. Azure Policy helps enforce standards and evaluate compliance, while resource locks help prevent accidental deletion or modification. A common trap is choosing locks when the requirement is to enforce allowed SKUs, locations, or naming standards; that is a policy use case, not a lock use case.

Cost management and planning are also heavily tested. You should understand pricing calculators, total cost of ownership concepts, budgets, and the role of cost analysis tools. Here, Microsoft often checks whether you can distinguish estimation from operational cost tracking. Security and compliance questions may include Microsoft Defender for Cloud, compliance offerings, or governance features. Monitoring questions typically involve Azure Monitor, Log Analytics, alerts, and Service Health. Service Health is especially common as a distractor: it reports Azure service issues and planned maintenance affecting your environment, but it is not a full monitoring replacement for performance and telemetry analysis.

Exam Tip: If a question asks how to enforce, think Azure Policy. If it asks how to prevent accidental deletion, think resource locks. If it asks how to observe performance and metrics, think Azure Monitor.

This mock exam set supports the lesson on Weak Spot Analysis because governance-related misses are usually pattern-based. Candidates often know the names of the services but do not yet attach each service to the right management outcome. Correcting those patterns can quickly raise overall readiness.

Section 6.4: Detailed answer review, distractor analysis, and objective mapping

After completing the three mock exam sets, the most important work begins: detailed answer review. Many learners stop after checking which items were right and wrong. That is not enough for AZ-900 preparation. You must understand why the correct answer was best, why the distractors looked appealing, and which official objective each item measured. This process turns a practice test into a targeted study plan.

Begin by sorting all missed or guessed items into categories. One useful system is: concept gap, terminology confusion, comparison error, scenario misread, and time-pressure guess. A concept gap means you did not know the underlying idea. Terminology confusion means you mixed up similar names such as availability zones and region pairs, or Microsoft Entra ID and Azure RBAC. A comparison error means you knew both services but chose the wrong one for the stated requirement. A scenario misread means you missed a key word such as least administrative effort, hybrid requirement, or enforce compliance. Time-pressure guesses point to pacing rather than knowledge.

Next, map each issue to an exam objective. If several misses map to cloud concepts, revisit shared responsibility and pricing language. If the misses map to architecture and services, build side-by-side comparison notes for compute, storage, and identity tools. If they map to management and governance, review enforcement versus monitoring versus organization. This objective mapping is how you identify weak spots efficiently instead of rereading entire chapters.

Exam Tip: Pay special attention to questions you answered correctly for the wrong reason. Those are hidden weak spots and often become misses on the real exam when the wording changes.

Distractor analysis should be practical. Ask what made each wrong option attractive. Was it partially true? Was it related but too broad? Did it solve a different problem? This habit trains you to spot exam traps in future questions. The AZ-900 exam often includes options that are valid Azure services but not the best match. Your task is to align the requirement with the most accurate service, not simply recognize a familiar product name. This section is the bridge between mock-exam performance and final score improvement.

Section 6.5: Final revision plan, last-minute memory aids, and pacing strategy

Your final revision plan should be short, focused, and evidence-based. In the last stage before the exam, do not attempt to relearn Azure from scratch. Instead, review your weak-spot list and the most testable comparisons. A strong final review cycle usually includes one pass through cloud concepts, one pass through service comparisons, and one pass through governance and monitoring distinctions. Use compact notes, flashcards, or a one-page summary rather than long study sessions that introduce fatigue.

Useful last-minute memory aids are comparison anchors. For example, remember that IaaS gives the customer the most control and the most management responsibility, while SaaS gives the least infrastructure management burden. Remember that regions are geographic areas, availability zones are separate datacenter locations within a region, and resource groups are organizational containers. Remember that Entra ID answers identity questions, RBAC answers permission questions, Policy answers enforcement questions, and Monitor answers observability questions.

Pacing strategy matters even on a fundamentals exam. Many candidates lose focus by overthinking early questions. A better approach is to move steadily, answer what you know, mark uncertain items mentally, and avoid spending too long on any single prompt. Because the exam often uses best-answer logic, your first task is elimination. Remove clearly wrong choices, then compare the remaining answers against the exact wording of the scenario. Look for qualifiers such as most cost-effective, easiest to manage, or supports hybrid connectivity.

Exam Tip: In your final 24 hours, prioritize distinction over depth. AZ-900 rewards your ability to tell similar services apart more than your ability to explain advanced implementation details.

This final revision approach naturally ties together Weak Spot Analysis and your overall practical study plan. By the time you reach exam day, you should have a concise list of must-know comparisons, your most common traps, and a simple pacing routine you trust.

Section 6.6: Exam day checklist, confidence plan, and next-step certification guidance

Exam day success starts before the first question appears. Your checklist should include logistics, mindset, and a plan for handling uncertainty. Make sure your testing appointment details, identification requirements, and technical setup are confirmed in advance if you are testing online. If you are testing at a center, allow extra travel time and avoid creating stress from preventable delays. This may seem basic, but confidence begins with removing distractions.

Your confidence plan should be realistic rather than motivational only. Remind yourself that AZ-900 is designed to test broad understanding, not expert-level administration. You do not need perfect recall of every Azure feature. You need solid recognition of the core concepts, common service categories, and governance tools. If you encounter a difficult item, do not assume the whole exam is going badly. Fundamentals exams often mix straightforward questions with a few more nuanced comparisons. Stay process-focused: identify the objective, eliminate weak choices, and select the best fit.

• Read the full question stem before reviewing the answers.
• Watch for qualifiers such as best, first, most appropriate, or least administrative effort.
• Use elimination aggressively when two options are close.
• Do not change an answer without a clear reason tied to the objective.
• Maintain steady pacing instead of trying to race through easy items.

Exam Tip: Confidence on exam day comes from familiarity with your own reasoning process. Trust the method you used in mock exams: classify the topic, spot the requirement, eliminate distractors, choose the best answer.

After the exam, think ahead. AZ-900 is often a launch point into role-based certifications such as Azure Administrator, Azure Developer, or Azure Security paths. Use your strongest and weakest domains to guide your next step. If architecture and services felt natural, administration or development may be a good progression. If governance, compliance, and security topics stood out, a security-focused path may be the right direction. This chapter closes the course by linking Mock Exam Part 1, Mock Exam Part 2, Weak Spot Analysis, and the Exam Day Checklist into one complete final review system.