AZ-900 Practice Test Bank: 200+ Questions with Detailed Answers

200+ AZ-900 questions to master fundamentals and pass with confidence.

Beginner az-900 · microsoft · azure-fundamentals · cloud-concepts

Prepare for Microsoft AZ-900 with practice that mirrors the real exam

This course is a focused, beginner-friendly practice test bank for the Microsoft Azure Fundamentals (AZ-900) exam. If you’re new to certification testing but have basic IT literacy, you’ll build confidence by learning the concepts the exam expects and then proving your readiness through Microsoft-style, domain-aligned practice questions with detailed answer explanations.

The AZ-900 exam is organized around three official domains: Describe cloud concepts, Describe Azure architecture and services, and Describe Azure management and governance. This blueprint follows those objectives deliberately—so you’re not just memorizing facts, you’re practicing the exact thinking patterns the exam rewards.

What’s inside this 6-chapter exam-prep book

The course is structured like a compact book with six chapters. Chapter 1 gets you oriented: how the exam works, how to register, what the scoring experience looks like, and how to study efficiently using practice tests. Chapters 2–5 map directly to the official exam domains, breaking down the knowledge into testable chunks and then reinforcing it with exam-style questions. Chapter 6 finishes with a full mock exam experience and a final review loop to clean up weak spots.

  • Chapter 1: Exam orientation, registration process, scoring expectations, and a practice-first study strategy
  • Chapter 2: Domain 1 — Describe cloud concepts (benefits, service models, deployment models, shared responsibility, economics)
  • Chapter 3: Domain 2 (part 1) — Azure architecture fundamentals (regions, availability zones, subscriptions, resource groups, ARM basics)
  • Chapter 4: Domain 2 (part 2) — Azure services (compute, networking, storage, and database service overviews)
  • Chapter 5: Domain 3 — Azure management and governance (Entra ID basics, RBAC, Policy, cost tools, resource management)
  • Chapter 6: Two-part mock exam, answer rationales, weak-area analysis, and exam-day checklist

Why this approach helps you pass AZ-900

Beginners often struggle not because the content is advanced, but because the exam expects precise definitions (for example, knowing the difference between authentication and authorization, or between availability zones and region pairs) and the ability to pick the “best” answer among close options. This course is designed to help you recognize those patterns. Each practice set is aligned to the official objectives by name, and the detailed explanations teach you why an option is correct and why the distractors are tempting but wrong.

To get started on Edu AI, you can Register free and begin working through the chapters in order. If you want to compare learning paths or pair this test bank with other fundamentals courses, you can also browse all courses.

How to use this course for best results

Follow the sequence: learn the domain concept, do a timed question set, review rationales, and keep a lightweight error log of terms or scenarios you missed. Repeat missed objectives until you can explain the concept in your own words and consistently select the correct answer under time pressure. By the time you reach the full mock exam in Chapter 6, you’ll be practicing in a way that feels like the real AZ-900—calm, predictable, and pass-ready.

What You Will Learn

  • Describe cloud concepts: cloud models, shared responsibility, and cloud economics
  • Describe Azure architecture and services: core architecture, compute, networking, storage, and identity
  • Describe Azure management and governance: cost tools, policy, compliance, and resource management
  • Apply exam-domain knowledge to Microsoft-style AZ-900 questions with detailed rationales
  • Build a pass-ready strategy using timed practice, review loops, and weak-area targeting

Requirements

  • Basic IT literacy (networking, servers, and databases at a high level)
  • No prior Microsoft certification experience required
  • A computer with reliable internet access for practice tests
  • Willingness to practice with timed, exam-style questions

Chapter 1: AZ-900 Exam Orientation and Study Strategy

  • Understand the AZ-900 exam format and question styles
  • Registering for the exam: scheduling, policies, and ID requirements
  • Scoring, passing expectations, and how objectives are weighted
  • Study plan: how to use practice tests and review effectively

Chapter 2: Describe Cloud Concepts (Domain Deep Dive + Practice)

  • Cloud computing basics: benefits, CAPEX vs OPEX, consumption
  • Service models (IaaS/PaaS/SaaS) and shared responsibility
  • Cloud deployment models (public/private/hybrid) and use cases
  • Domain practice set: foundational cloud concepts (with rationales)

Chapter 3: Describe Azure Architecture (Core Concepts + Practice)

  • Azure global infrastructure: regions, pairs, availability zones
  • Azure accounts: tenants, subscriptions, management groups
  • Azure resources: resource groups, Azure Resource Manager basics
  • Domain practice set: architecture and core concepts (with rationales)

Chapter 4: Describe Azure Services (Core Services + Practice)

  • Compute services: VMs, containers, app hosting, serverless
  • Networking services: VNets, VPN, ExpressRoute, DNS, load balancing
  • Storage and database services: storage types, redundancy, data services
  • Domain practice set: Azure services (with rationales)

Chapter 5: Describe Azure Management and Governance (Tools + Practice)

  • Identity and access: Microsoft Entra ID, RBAC, MFA basics
  • Governance and compliance: Policy, Blueprints (concept), resource locks
  • Cost management: pricing, calculators, budgets, Advisor
  • Domain practice set: management and governance (with rationales)

Chapter 6: Full Mock Exam and Final Review

  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist

Jordan Whitaker

Microsoft Certified Trainer (MCT)

Jordan Whitaker is a Microsoft Certified Trainer who helps new learners earn Azure certifications through clear fundamentals and exam-first practice. Jordan has designed AZ-900 prep programs for career changers and IT teams, focusing on domain-aligned questions and practical retention.

Chapter 1: AZ-900 Exam Orientation and Study Strategy

AZ-900 (Microsoft Azure Fundamentals) is often the first Microsoft cloud exam candidates take, but it is not “just vocabulary.” The exam is designed to confirm that you can interpret cloud scenarios, recognize the right Azure service category, and explain governance, security, and cost concepts at a foundational level. This chapter orients you to the exam format, how to register and take it without surprises, how scoring and retakes work, and—most importantly—how to study using a practice-test loop that steadily converts mistakes into points.

Throughout this course, your goal is not to memorize a list of services. Your goal is to build fast recognition of cloud models (IaaS/PaaS/SaaS), the shared responsibility model, basic cloud economics, and the “core map” of Azure (compute, networking, storage, identity, and governance tooling). AZ-900 questions frequently reward candidates who can eliminate near-miss answers by spotting subtle wording like “most cost-effective,” “least administrative overhead,” or “best supports compliance.”

Exam Tip: Treat every question as a mini objective check: “Which domain is this testing—cloud concepts, Azure architecture/services, or management/governance?” Naming the domain in your head reduces confusion and speeds up elimination.

Use this chapter to set your study rhythm. A pass-ready strategy comes from timed practice, deliberate review, and weak-area targeting—not from rereading notes. The remaining sections break down the process step by step.

Practice note for Understand the AZ-900 exam format and question styles: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Registering for the exam: scheduling, policies, and ID requirements: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Scoring, passing expectations, and how objectives are weighted: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Study plan: how to use practice tests and review effectively: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 1.1: What AZ-900 measures and who it’s for

AZ-900 measures foundational competency across three broad exam outcomes: (1) describe cloud concepts (cloud models, shared responsibility, and cloud economics), (2) describe Azure architecture and services (core architecture, compute, networking, storage, identity), and (3) describe Azure management and governance (cost tools, policy, compliance, and resource management). The exam is role-agnostic: it’s appropriate for IT beginners, business stakeholders, project managers, and technical professionals who need a shared language for Azure.

Do not over-assume technical depth. AZ-900 rarely asks you to configure anything, write code, or calculate subnet ranges. Instead, it tests whether you can identify “what you would use” and “why it’s the best fit.” The high-frequency skill is classification: knowing whether a requirement implies IaaS vs PaaS, whether a service is compute vs storage, and whether a governance need points to Policy, RBAC, or cost management tools.

Common trap: overthinking with advanced services. If a question is clearly about identity and access, the correct answer is usually a core identity service or concept (like Azure AD/Microsoft Entra ID or RBAC), not an advanced security product. Microsoft exams at the Fundamentals level reward clarity over complexity.

  • What you’re expected to do: interpret basic cloud scenarios, select correct service categories, and explain tradeoffs (cost, responsibility, management overhead).
  • What you’re not expected to do: implement production architectures or troubleshoot deep configuration issues.

Exam Tip: When two answers both “sound Azure,” pick the one that most directly matches the question’s verb. “Manage access” points to RBAC; “enforce standards” points to Azure Policy; “track spending” points to cost management tools.

Section 1.2: Registration options, delivery modes, and exam rules

Registering for AZ-900 is part logistics, part risk management. You can typically take the exam via online proctoring (remote) or at a testing center. Both modes require planning: scheduling, system checks (for online), and strict ID requirements. Read your appointment confirmation carefully; the rules are enforced and “I didn’t know” does not help on exam day.

For online delivery, expect a workspace scan, webcam monitoring, and restrictions on breaks. Any extra monitors, phones, or papers can trigger a warning or termination. For testing centers, arrival time matters; late arrivals may forfeit the appointment. In both cases, the proctor must be satisfied that you follow policies exactly.

Common traps in exam rules are avoidable: forgetting that ID must match registration name, attempting to use prohibited items, or running the online system check too late. Candidates sometimes lose their attempt not from knowledge gaps, but from preventable policy violations.

  • Confirm your legal name in your Microsoft profile matches your ID.
  • For online exams, complete the system test well before exam day and ensure a stable connection.
  • Clear your desk and plan for a no-interruption time block.

Exam Tip: Treat exam-day compliance like a checklist. Build a “day-before” routine: confirm appointment time zone, verify ID, run system test, and prepare a quiet room. This removes stress that can degrade performance during the first 10 questions.

Section 1.3: Scoring model, performance reports, and retake strategy

AZ-900 scoring is reported as a scaled score rather than “percent correct.” That means your result is normalized to a scoring scale, and different question forms can vary slightly in difficulty. Practically, your job is to maximize consistent objective coverage, not chase a perfect raw percentage. The exam also provides a performance report by skill area, which becomes your roadmap for targeted improvement.

Do not assume equal weight across all topics. Microsoft can adjust emphasis over time, and certain objectives consistently generate more scenario-style questions (for example, shared responsibility, cloud service models, identity, and governance). Your preparation should align to the skills outline and to your performance report trends after practice exams.

Retake strategy is simple: avoid “instant reattempt” without changing your inputs. If you fail, use the score report to identify weak domains, then run a short remediation cycle: revise notes, do targeted practice sets, and re-test under timed conditions. Many candidates waste attempts by re-sitting with the same misconceptions.

  • Use your results to rank domains by weakness (not by preference).
  • Focus on converting “almost correct” answers into stable rules (why the correct choice is correct, and why the runner-up is wrong).
  • Simulate exam conditions at least twice before the next attempt.

Exam Tip: Track your “error types,” not just topics. If you frequently miss questions due to wording like “most cost-effective” or “least effort,” you have a decision-rule problem, not a knowledge problem.

Section 1.4: How to read official skills outline: domains and objectives

The official skills outline is your contract with the exam. It lists domains and the specific objectives Microsoft expects you to demonstrate. Your study plan should start by translating each objective into “what a question would look like.” For example, an objective like “describe cloud service types” becomes questions that compare IaaS, PaaS, and SaaS in terms of responsibility, flexibility, and management overhead.

Map the course outcomes directly to the outline: cloud concepts (models, shared responsibility, economics), Azure architecture and services (compute, networking, storage, identity), and management/governance (cost tools, policy, compliance, resource management). When you review, label each note or flashcard with its domain so you can identify imbalance—candidates often over-study services and under-study governance and economics.

Common trap: learning product names without learning “why.” Fundamentals questions often present a business requirement (reduce administrative effort, meet compliance, control costs) and ask for the best Azure concept or tool. If you only memorized names, you’ll fall for distractors that sound plausible but don’t address the requirement.

  • Create a one-page “objective map” and check off confidence levels (high/medium/low).
  • For each objective, write one decision rule (e.g., “Policy enforces; RBAC grants; Blueprints/initiatives organize at scale”).
  • Revisit the outline weekly and update your weak areas based on practice results.

Exam Tip: The skills outline is not a reading list—it’s a question generator. If you can’t imagine a question for an objective, you don’t understand it well enough yet.

Section 1.5: Practice-test method: timed sets, error log, spaced repetition

This course is a practice test bank, so your main learning engine is the practice-review loop. The most efficient method is: timed sets → review with rationales → error log → spaced repetition → retest. Timed sets build pacing and decision-making under pressure. Review turns incorrect answers into rules. The error log ensures you fix patterns rather than “hoping they don’t show up again.”

Start with shorter timed sets to build accuracy, then scale toward exam-length sessions. During review, do not just note the right answer—write the reason the distractor was tempting. Many AZ-900 misses come from confusing adjacent tools (for example, mixing “cost estimation” with “cost tracking,” or mixing “access control” with “policy enforcement”). Your error log should capture that confusion explicitly.

Spaced repetition is essential for retention, especially for foundational definitions and tradeoffs. Revisit your error log on a schedule (e.g., 1 day, 3 days, 7 days, 14 days). The goal is automatic recall: when the exam says “shared responsibility,” you immediately know which layer belongs to Microsoft vs the customer depending on service model.

  • Timed sets: practice reading carefully, choosing best answer, and moving on.
  • Error log fields: objective/domain, why you missed it, correct rule, and a “trigger phrase” to spot next time.
  • Retest: re-do only the objectives you missed until you can explain them in one sentence.

Exam Tip: If you can’t explain why an answer is wrong, you haven’t learned the objective. The exam rewards elimination skills as much as direct recall.

Section 1.6: Exam question types and trap patterns (best answer, scenario, T/F)

AZ-900 uses Microsoft-style question formats that test more than memorization. Expect “best answer” multiple choice, scenario-based items (short business/technical contexts), and True/False-style statements. These formats are designed to probe whether you can apply concepts like cloud models, shared responsibility, and governance tools to realistic needs.

“Best answer” questions often include two technically possible answers; the correct choice is the one that best satisfies the constraint in the prompt (cost, effort, responsibility, compliance). Scenario questions frequently embed key signals—phrases like “minimize administrative overhead,” “cap spending,” “enforce tagging,” or “control access by job role.” Your job is to underline the constraint mentally, then match it to the right Azure concept.

True/False-style statements are a trap for vague understanding. They often hinge on a single word like “always,” “only,” or “automatically.” If a statement overgeneralizes, it is likely false. Another common trap is confusing monitoring vs governance: monitoring tells you what happened; governance prevents or enforces what should happen.

  • Trap pattern: “enforce” vs “monitor”—Policy enforces, Monitor observes.
  • Trap pattern: IaaS vs PaaS—PaaS reduces customer responsibility and operational burden.
  • Trap pattern: identity vs network security—RBAC/identity answers are often better than network controls when the requirement is access by role.

Exam Tip: Before selecting, restate the question in your own words as a requirement. If your chosen option doesn’t directly satisfy that requirement, it’s probably a distractor—even if it is a real Azure feature.

Chapter milestones

  • Understand the AZ-900 exam format and question styles
  • Registering for the exam: scheduling, policies, and ID requirements
  • Scoring, passing expectations, and how objectives are weighted
  • Study plan: how to use practice tests and review effectively

Chapter quiz

1. You are planning your AZ-900 study approach. Your goal is to maximize score improvement in the shortest time by turning mistakes into repeatable wins. Which strategy best aligns with the recommended practice-test loop for this exam?

Correct answer: Take timed practice tests, review every missed question to identify the objective being tested, and retest weak areas until accuracy is consistent
AZ-900 commonly tests foundational decision-making using scenario wording (for example, 'most cost-effective' or 'least administrative overhead'). A timed practice-test loop with deliberate review builds fast recognition of cloud concepts and exam domains. Option B is wrong because rereading notes without measuring performance and correcting misunderstandings is less effective than targeted review. Option C is wrong because the exam is not 'just vocabulary'—scenario interpretation and eliminating near-miss answers are key skills.

2. A candidate reports that many questions feel confusing because they blend governance, cost, and service choices. What is the most effective technique to reduce confusion and speed elimination on AZ-900 questions?

Correct answer: First identify which exam domain the question is testing (cloud concepts vs. Azure architecture/services vs. management and governance) before evaluating the answer choices
The chapter emphasizes treating each question as a mini objective check and naming the domain to reduce confusion and improve elimination. Option B is wrong because AZ-900 expects scenario interpretation and foundational reasoning, not only terminology recall. Option C is wrong because qualifiers (for example, compliance, cost-effectiveness, least overhead) are often the key discriminator between near-miss choices.

3. A company is choosing a cloud approach for a new internal app. The CIO wants the team to understand what the AZ-900 exam is validating so the company can hire and train effectively. Which statement best reflects what AZ-900 is designed to confirm?

Correct answer: The ability to interpret cloud scenarios, recognize the appropriate Azure service category at a high level, and explain foundational governance, security, and cost concepts
AZ-900 focuses on foundational understanding: interpreting scenarios, mapping to service categories, and explaining governance/security/cost at a basic level. Option B is wrong because deep design and troubleshooting aligns more with associate/professional-level role-based exams. Option C is wrong because AZ-900 is not a developer coding assessment; it emphasizes cloud models, shared responsibility, and core Azure areas rather than programming proficiency.

4. You take a practice test and notice multiple missed questions where the correct answer depended on choosing the option with the 'least administrative overhead.' What should you change first to improve your exam performance?

Correct answer: Train yourself to identify and prioritize key qualifiers in the question stem (for example, cost-effective, least overhead, supports compliance) and use them to eliminate near-miss options
AZ-900 rewards careful reading of subtle wording; qualifiers often determine which option best fits the scenario. Option B is wrong because avoiding scenarios removes the core exam skill of interpreting requirements. Option C is wrong because 'managed' is not universally correct—questions may prioritize cost, control, responsibility boundaries, or governance needs depending on the scenario.

5. A learner wants to use Chapter 1 to set a realistic study schedule. They ask what approach is most likely to produce a passing result based on the course guidance. Which approach should you recommend?

Correct answer: Use timed practice, perform deliberate review of incorrect answers to find the underlying concept, and target weak areas until results are consistent
The chapter emphasizes that a pass-ready strategy comes from timed practice, deliberate review, and weak-area targeting—not rereading notes. Option B is wrong because delaying practice tests prevents identifying weak areas early and reduces familiarity with question styles. Option C is wrong because foundational models (IaaS/PaaS/SaaS), shared responsibility, and core Azure categories are explicitly described as central to exam success, beyond memorizing service lists.

Chapter 2: Describe Cloud Concepts (Domain Deep Dive + Practice)

AZ-900 consistently tests whether you can translate everyday business and IT statements into the correct cloud concept. This chapter drills the “cloud vocabulary” Microsoft expects: benefits (scalability vs elasticity), economic framing (CapEx vs OpEx, consumption), models (IaaS/PaaS/SaaS), and where security responsibilities live. Your goal is not to memorize slogans—it’s to recognize phrasing patterns in questions and eliminate distractors quickly.

As you read, practice mapping each idea to an exam objective: cloud benefits, cloud models, shared responsibility, and cloud economics. The test often uses short scenarios (a dev team, a compliance rule, a seasonal workload) and asks which concept fits best. That means you should learn to spot “keywords” like variable demand (elasticity), pay only for what you use (consumption), provider manages OS (PaaS), or must keep data on-prem (private/hybrid).

Exam Tip: When two answers sound “cloud-like,” choose the one that is most specific to the scenario. For example, “scalability” and “elasticity” are both benefits, but variable/automatic up-and-down behavior is elastic; planned growth and adding capacity is scalable.

Practice note for Cloud computing basics: benefits, CAPEX vs OPEX, consumption: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Service models (IaaS/PaaS/SaaS) and shared responsibility: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Cloud deployment models (public/private/hybrid) and use cases: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Domain practice set: foundational cloud concepts (with rationales): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 2.1: Cloud benefits: scalability, elasticity, agility, reliability

AZ-900 loves to test the differences among common cloud benefits because they are easy to confuse in everyday conversation. You should be able to match a one-sentence business requirement to the right term: scalability, elasticity, agility, and reliability (often paired with high availability and resiliency).

Scalability is the ability to increase (or decrease) resources to meet demand, usually emphasizing capacity growth. If a company expects steady user growth over 6 months and needs to add compute or storage over time, that’s scalability. Elasticity is a specific form of scaling: dynamic, responsive scaling (often automated) to match changing demand—think spikes during a sale event, then returning to baseline. In exam scenarios, “seasonal traffic,” “spiky workload,” and “automatic scaling” are strong elasticity signals.

Agility is about speed: provisioning resources quickly, experimenting, and iterating without long procurement cycles. When the scenario mentions “deploy in minutes,” “rapidly test environments,” or “shorten time to market,” the exam wants agility. Reliability refers to consistent operation and fault tolerance. Here, watch for wording like “minimize downtime,” “service continues during hardware failure,” or “design for failures.” In Microsoft terminology, reliability is often supported by high availability (keeping services up) and resiliency (recovering from disruptions).

  • Common trap: Choosing agility when the question is really about elasticity. “Quickly add resources during peak demand” is elasticity, not agility.
  • Common trap: Treating scalability as only “scale up.” It can be scale up (bigger instance) or scale out (more instances). The exam may not require the distinction, but the concept that capacity changes is key.

Exam Tip: If the stem includes “automatically” or “dynamically,” lean toward elasticity. If it mentions “expected growth” or “planned increase,” lean toward scalability. If it focuses on “faster provisioning,” choose agility. If it emphasizes “continuity” and “uptime,” choose reliability/high availability.

Section 2.2: Cloud economics: consumption-based, OpEx, TCO basics

Cloud economics is a core AZ-900 objective: understand consumption-based pricing, distinguish CapEx vs OpEx, and speak at a basic level about total cost of ownership (TCO). The exam typically frames this as a budgeting conversation: “We don’t want to buy servers upfront,” “We want to pay for what we use,” or “We want to reduce datacenter costs.”

Consumption-based pricing means you pay only for the resources you consume (and often only while you consume them). This aligns strongly with variable workloads and experimentation because you can stop paying when you deallocate/stop usage (depending on the resource type). In contrast, traditional procurement often involves paying for peak capacity even when it’s idle.

CapEx (Capital Expenditure) is upfront investment in physical infrastructure: servers, storage arrays, networking gear, and the facility itself. OpEx (Operational Expenditure) is ongoing spend: monthly/usage-based bills, subscriptions, and operating costs. Cloud is commonly framed as shifting from CapEx-heavy to OpEx-heavy because you rent resources rather than buying them.

TCO basics show up as “more than just hardware.” Even if a server is already purchased, you still pay for power, cooling, rack space, security, staff time, maintenance contracts, and refresh cycles. Cloud TCO discussions usually emphasize reducing or transforming those costs, though the exam is careful: the cloud is not automatically cheaper in every scenario—mis-sizing and leaving resources running can increase spend.

  • Common trap: Interpreting “pay-as-you-go” as always lowest cost. It’s flexible and aligns spend to usage, but poor governance can lead to surprise bills.
  • Common trap: Confusing “consumption-based” with “subscription.” Many services are billed by consumption even within a subscription model.

Exam Tip: When you see “avoid upfront costs” or “reduce capital investment,” select OpEx/consumption. When you see “calculate full lifecycle costs” or “compare on-prem vs cloud,” pick TCO.

Section 2.3: Service models and responsibilities (IaaS vs PaaS vs SaaS)

The exam expects you to recognize what you manage vs what the cloud provider manages in each service model. The more you move from IaaS to PaaS to SaaS, the more responsibility shifts to the provider (and the less control you have over lower-level components).

IaaS (Infrastructure as a Service) is closest to “renting hardware.” You get virtual machines, networks, and storage. You manage the operating system, patches, runtime, and your application. Choose IaaS when a scenario says “lift-and-shift,” “custom OS configuration,” or “need control over the VM.”

PaaS (Platform as a Service) provides a managed platform for your application: the provider manages the OS and often the runtime/middleware; you deploy code and manage your data and application logic. PaaS is a strong answer when the question stresses “developer productivity,” “no OS patching,” “managed scaling,” or “focus on code.”

SaaS (Software as a Service) is a complete application delivered over the internet. You consume the software; the provider manages nearly everything. SaaS aligns with scenarios like “use email and collaboration without managing servers” (e.g., Microsoft 365) or “CRM without installing anything.”

  • Common trap: Thinking PaaS means “no management at all.” You still manage your app, identities/access, and data governance.
  • Common trap: Picking SaaS for custom apps. SaaS is for consuming finished software, not building your own platform.

Exam Tip: Translate the scenario into a management statement. If it says “we don’t want to patch OS,” eliminate IaaS. If it says “we need full control of OS,” eliminate PaaS/SaaS. If it says “we just want to use the app,” it’s SaaS.

Section 2.4: Deployment models: public, private, hybrid; multicloud overview

Deployment models describe where cloud resources run and who owns the underlying infrastructure. AZ-900 questions often hide the answer in compliance, latency, data residency, or legacy integration requirements.

Public cloud means resources are owned and operated by a cloud provider and delivered over the internet to multiple customers (with logical isolation). This is the default model when the scenario emphasizes speed, global reach, and minimal datacenter ownership.

Private cloud means cloud-like principles (self-service, pooling, automation) but dedicated to one organization. It may be hosted on-premises or by a third party. Private cloud is commonly associated with strict regulatory requirements, highly sensitive workloads, or specialized hardware needs. On the exam, “must remain on-prem” and “dedicated environment” are key signals.

Hybrid cloud combines public and private clouds (or on-prem and public cloud) with integration between them. Hybrid is the best match when a scenario requires keeping some data on-prem while using public cloud for burst capacity, disaster recovery, or modern services. It also fits gradual migration: keeping legacy apps on-prem while moving new workloads to the cloud.

Multicloud means using services from multiple public cloud providers. The AZ-900 level doesn’t require deep strategy, but you should know the term and basic drivers: vendor risk reduction, regional availability, specialized services, or merger/acquisition realities. Microsoft questions may position multicloud as a choice, but ensure the scenario truly demands multiple providers rather than hybrid (on-prem + one cloud).

  • Common trap: Confusing hybrid with multicloud. Hybrid is about mixing on-prem/private with public cloud; multicloud is multiple public clouds.
  • Common trap: Assuming private cloud is always more secure. Security depends on controls and implementation, not the label.

Exam Tip: If the scenario mentions “some workloads must stay on-prem” plus “use cloud for the rest,” pick hybrid. If it says “use Azure and another provider,” pick multicloud.

Section 2.5: Cloud security concepts: shared responsibility model

The shared responsibility model is one of the highest-yield concepts in AZ-900. Questions often ask who is responsible for a specific control (patching, physical security, identity, data). The key is to map responsibility to the service model and remember that data is always your responsibility—regardless of IaaS/PaaS/SaaS.

In all cloud models, the provider is responsible for security of the cloud: physical datacenter security, physical hardware, and core platform infrastructure. The customer is responsible for security in the cloud: identities, access, data classification, and configuration choices. As you move from IaaS to PaaS to SaaS, more operational responsibilities (OS patching, runtime, application platform) shift to the provider. However, customers still typically control: who has access, how data is used, and whether configurations are secure.

Expect scenario-based items like: “Who is responsible for applying OS updates?” (usually customer in IaaS, provider in PaaS, provider in SaaS), “Who secures physical servers?” (provider), “Who manages user accounts and permissions?” (customer), “Who is responsible for data encryption decisions?” (often customer—though provider supplies capabilities).

  • Common trap: Answering “Microsoft” for everything in SaaS. Even in SaaS, the customer manages users, access policies, and data governance.
  • Common trap: Forgetting that misconfiguration is typically the customer’s fault—even if the service is managed.

Exam Tip: When stuck, ask: “Is this control below the operating system (provider) or above it (customer)?” Then adjust for the service model: IaaS = customer manages most; PaaS = provider manages OS/platform; SaaS = provider manages app/platform/OS.

Section 2.6: Practice questions: Describe cloud concepts (exam-style)

Your practice set for this domain should train two skills: (1) fast concept identification from minimal text, and (2) disciplined elimination of distractors that are “true statements” but not the best answer. Microsoft-style items commonly give a short scenario and ask for the most appropriate cloud benefit/model. The best approach is to read the last line (what they are asking), then scan the scenario for one or two keywords that anchor the concept.

Build a quick mental mapping table while practicing: variable demand → elasticity; planned growth → scalability; “deploy in minutes” → agility; “minimize downtime” → reliability. Budget language maps to economics: “avoid upfront purchase” → OpEx; “pay only when used” → consumption; “compare all costs” → TCO. Management language maps to service models: “manage OS” → IaaS; “deploy code, provider handles OS” → PaaS; “use finished application” → SaaS. Location/integration language maps to deployment: “must remain on-prem” → private/hybrid; “mix on-prem and cloud” → hybrid; “two cloud providers” → multicloud.

Exam Tip: Treat many wrong options as “category errors.” For example, if the question asks for a deployment model and an option is “elasticity,” it’s wrong even if it sounds cloud-related. Train yourself to identify the category first: benefit vs economics vs service model vs deployment model.

During review, don’t just mark an item wrong—label the failure mode: did you miss a keyword (e.g., “automatic”), confuse two near-synonyms (scalability vs elasticity), or forget responsibility boundaries (IaaS patching)? Then create a micro-drill: 10 rapid prompts where you classify the concept in under 15 seconds. This is how you turn foundational knowledge into exam-speed performance.

Chapter milestones
  • Cloud computing basics: benefits, CAPEX vs OPEX, consumption
  • Service models (IaaS/PaaS/SaaS) and shared responsibility
  • Cloud deployment models (public/private/hybrid) and use cases
  • Domain practice set: foundational cloud concepts (with rationales)
Chapter quiz

1. A retail company’s website experiences large traffic spikes during holiday promotions and then returns to normal levels. The company wants the platform to automatically add and remove resources to match demand without overprovisioning. Which cloud benefit does this describe?

Correct answer: Elasticity
Elasticity is the ability to automatically scale resources up and down in response to variable demand (typical AZ-900 wording: “spikes,” “automatic,” “match demand”). Scalability is adding capacity to handle growth, often planned and not necessarily automatic or downscaling. High availability focuses on minimizing downtime through redundancy, not adjusting capacity for changing load.

2. A company is planning a new customer portal. Management wants to avoid large upfront hardware purchases and instead treat compute costs as an ongoing monthly expense that varies with usage. Which cloud concept is being described?

Correct answer: Operational expenditure (OpEx)
OpEx aligns with pay-as-you-go and recurring costs that can vary based on consumption. CapEx refers to significant upfront investment in physical infrastructure (servers, datacenter equipment). High availability is a design goal for uptime and redundancy, not a financial model.

3. A development team wants to deploy a web application without managing the underlying operating system or applying OS patches. They still want to control the application code and configuration. Which cloud service model best fits this requirement?

Correct answer: Platform as a Service (PaaS)
PaaS typically means the provider manages the platform (including OS and runtime/patching), while the customer manages the application and data. IaaS requires the customer to manage the OS (including patching) because they are provisioning virtual machines. SaaS is a complete application where the provider manages the app itself; customers generally only configure and use it rather than deploy their own code.

4. A company must keep sensitive data in its on-premises datacenter due to regulatory requirements. However, it also wants to use cloud services for burst compute during peak processing periods. Which cloud deployment model should the company use?

Correct answer: Hybrid cloud
Hybrid cloud combines on-premises (or private) resources with public cloud resources, enabling scenarios like keeping data on-prem while using cloud compute for bursts. Public cloud places resources in the provider’s datacenters and does not satisfy the stated requirement to keep sensitive data on-prem. Private cloud keeps resources in a dedicated environment but does not inherently provide the public-cloud burst capability described.

5. A company runs a database workload on an Azure IaaS virtual machine. According to the shared responsibility model, which task is the customer responsible for?

Correct answer: Patching and securing the guest operating system
In IaaS, the customer is responsible for the guest OS (including patching, configuration, and security) and the applications and data. The provider is responsible for physical datacenter security and the underlying infrastructure, including the hypervisor. Therefore, physical security and hypervisor maintenance are not customer responsibilities in this scenario.

Chapter 3: Describe Azure Architecture (Core Concepts + Practice)

AZ-900 expects you to recognize how Azure is physically and logically organized and to translate those concepts into resiliency, governance, and deployment choices. This chapter targets the “Azure architecture and services” objective, but it also overlaps strongly with governance because the exam often blends global infrastructure with management hierarchy and deployment tooling.

On Microsoft-style questions, watch for wording that tries to make you confuse: (1) a region with an availability zone, (2) a tenant with a subscription, and (3) the control plane (ARM) with the data plane (the service itself). You are not being tested on memorizing every region name; you are being tested on whether you can choose the right construct for high availability, regulatory needs, and organization at scale.

Exam Tip: In AZ-900, the safest way to land points is to anchor your reasoning to the hierarchy: global infrastructure (regions/zones) → management boundaries (tenant/subscription) → deployment boundaries (resource group) → deployment mechanism (ARM). If you can place the term correctly in that chain, you can usually eliminate 2–3 distractors immediately.

Practice note for Azure global infrastructure: regions, pairs, availability zones: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Azure accounts: tenants, subscriptions, management groups: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Azure resources: resource groups, Azure Resource Manager basics: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Domain practice set: architecture and core concepts (with rationales): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 3.1: Regions, region pairs, sovereignty, and datacenters

An Azure region is a geographic area that contains one or more datacenters connected by a high-bandwidth, low-latency network. The exam frequently tests whether you understand that a region is the fundamental unit for where resources live (for many services) and for addressing data residency or latency requirements.

Inside a region are datacenters—the physical facilities. Do not overthink datacenters on AZ-900: you usually only need to know that a region is made up of datacenters, and that resiliency choices can involve distributing across those datacenters (typically via availability zones, covered next).

Region pairs are a key exam concept. Most regions are paired with another region in the same geography, designed for platform-level resiliency and for certain update sequencing. Region pairs support disaster recovery scenarios, but a common trap is assuming that simply deploying in a paired region happens automatically for you. In most cases, you decide whether to deploy to multiple regions; the pairing is a Microsoft design pattern that influences recovery options and platform behavior.

Sovereignty shows up in questions about government or restricted environments. Azure offers specialized clouds (for example, government/community clouds in some geographies) that may provide different compliance commitments and data boundaries. The exam usually frames sovereignty as: “Which option best meets regulatory requirements that data must remain within a country/region?” Choose the region/sovereign cloud construct—not an availability zone, not a resource group.

  • Region = geographic area; where many services are deployed.
  • Region pair = two regions in same geography aligned for resiliency patterns.
  • Datacenter = physical facility; a building block inside a region.
  • Sovereignty = meeting jurisdiction/compliance constraints by choosing appropriate region/cloud.

Exam Tip: If a question mentions “data residency,” “country-specific requirements,” or “sovereign cloud,” your answer is almost never “availability zone.” Zones address availability within a region; residency and sovereignty are addressed by where the region is and which cloud environment you’re using.

Section 3.2: Availability zones, resiliency, fault domains concepts

An availability zone is a physically separate location within an Azure region, with independent power, cooling, and networking. AZ-900 tests whether you know zones are about reducing the impact of a localized datacenter failure while staying in the same region (so you typically preserve data residency and keep latency low).

The exam loves to mix “zone” language with “region” language. The quickest way to separate them: if the scenario says “within the same region,” think availability zones; if it says “disaster recovery across geographies,” think multiple regions (often paired regions). Another common distractor is “resource group,” which is not a resiliency boundary at all—it’s an organizational container.

Resiliency in AZ-900 is conceptual. You are not expected to design complex architectures, but you should understand the basic goal: reduce single points of failure. Deploying across zones improves availability by spreading instances across separate facilities. Certain services are “zone-redundant” (the platform replicates across zones), while others require you to place resources in specific zones. When you see “zone-redundant,” interpret it as “the service is architected to survive a zone failure,” but still within one region.

Fault domains are a foundational concept: logical groupings of hardware that share a common power source and network switch. If the exam mentions “rack failure” or “shared power/network,” fault domains are the idea behind how Azure separates resources to reduce correlated failure. You may also see “update domains” in older materials; the core testable takeaway is that Azure can spread resources so maintenance or failures don’t take everything down at once.

Exam Tip: If a question asks for high availability with minimal latency and no cross-border data movement, choose availability zones. If it asks for disaster recovery from a regional outage, choose multi-region deployment (often aligned with a region pair).

Section 3.3: Management hierarchy: tenant, management groups, subscriptions

Azure governance questions in the architecture domain often start with identity boundaries. A tenant is the representation of your organization in Microsoft Entra ID (formerly Azure AD). It’s the identity and directory boundary: users, groups, app registrations, and authentication policies live here. A classic exam trap is picking “subscription” when the question is really about identity or directory.

A subscription is primarily a billing and resource boundary. Resources are deployed into subscriptions, and Azure RBAC is commonly applied at the subscription scope (and below). If you need to separate costs, apply different spending limits, or isolate environments (dev/test/prod) at a high level, subscriptions are a standard approach.

Management groups sit above subscriptions and are used to manage multiple subscriptions consistently. They are a policy/RBAC aggregation layer: apply Azure Policy or role assignments once at the management group and inherit down. The exam often phrases this as “You need to apply governance to many subscriptions.” The right answer is usually “management groups,” not “resource groups.” Resource groups do not contain subscriptions; they contain resources inside a subscription.

  • Tenant = identity/directory boundary (Microsoft Entra ID).
  • Management group = governance scope above subscriptions (policy/RBAC inheritance).
  • Subscription = billing + deployment boundary for resources.

Exam Tip: When a question says “across multiple subscriptions,” immediately consider management groups. When it says “control access to resources,” think RBAC—but then confirm the scope (management group vs subscription vs resource group) that matches the scenario.

Section 3.4: Resource groups, resources, tags, and lifecycle boundaries

A resource is an instance of a service (for example, a storage account, virtual network, or virtual machine). A resource group is a logical container that holds related resources within a single subscription. AZ-900 tests that you understand resource groups are for organization and lifecycle management—not for network isolation, identity isolation, or geographic resiliency.

The most testable idea: lifecycle boundaries. If you delete a resource group, you delete the resources in it. That means you should group resources that share a lifecycle (deployed together, managed together, retired together). A common trap is assuming a resource group is a security boundary. It isn’t; security is enforced through RBAC, locks, policies, and network controls depending on the service.

Tags are key for cost management and organization. Tags are name/value metadata applied to resources (and sometimes inherited via policy). The exam often asks how to organize costs by department or project when resources span multiple resource groups. The correct concept is tags (plus cost analysis tools), not creating more tenants. Tags help with chargeback/showback and reporting.

Resource groups also have location metadata, but that does not mean resources must be in that same location. The exam may try to trick you with “resource group location dictates resource location.” In reality, the resource group’s location is about where the group’s metadata is stored; resources can be in different regions (service rules permitting).

Exam Tip: If the scenario is “delete everything for Project A at once,” choose resource group. If the scenario is “report costs by department across many projects/resources,” choose tags. If the scenario is “prevent deletion,” look for resource locks (often appears near resource group questions).

Section 3.5: Azure Resource Manager (ARM): control plane vs data plane

Azure Resource Manager (ARM) is Azure’s deployment and management layer. For AZ-900, you must be able to describe ARM as the consistent way to create, update, and delete resources, and to apply governance features (RBAC, Policy, tags) at different scopes.

The high-value exam concept is control plane vs data plane. The control plane is how you manage the resource: creating a storage account, configuring settings, assigning roles, applying policy. This is ARM territory (via the Azure portal, Azure CLI, PowerShell, SDKs, and ARM templates/Bicep). The data plane is how you use the service after it exists: uploading blobs to storage, querying a database, sending messages to a queue. Data plane permissions often use service-specific authorization models (for example, storage keys, SAS tokens, or data-plane RBAC roles).

Questions may ask which layer is responsible for “deploying resources consistently”; the answer is ARM (control plane). If they ask about “accessing data inside a service,” that’s usually data plane. Another common trap is assuming that granting someone “Owner” on a subscription automatically grants the ability to read all data inside every service. In practice, management permissions and data access are not always identical; many services separate them.

Exam Tip: If the verb is “deploy/configure/manage,” think control plane (ARM). If the verb is “read/write/query/consume data,” think data plane. This verb test is a fast elimination strategy on multi-choice items.
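
The scope inheritance from Section 3.3 and the control-plane/data-plane split above can be seen together in a small model. This is an added example, not part of the course material or Azure's own code: the principals, subscription IDs, management group names and resource names are constructed, the role definitions are abridged to their action and data-action lists, and exclusions, deny assignments and conditions are left out.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions. "actions" are control-plane (ARM)
# operations; "data_actions" are data-plane operations. Owner's wildcard
# sits in "actions" only, so it grants no data-plane operation via RBAC.
ROLES = {
    "Owner": {"actions": ["*"], "data_actions": []},
    "Reader": {"actions": ["*/read"], "data_actions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "data_actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        ],
    },
}

# Constructed hierarchy: every name and ID below is made up for this example.
MG_PARENT = {"mg-corp": None, "mg-prod": "mg-corp", "mg-sandbox": "mg-corp"}
SUBSCRIPTION_PARENT = {
    "11111111-1111-1111-1111-111111111111": "mg-prod",
    "22222222-2222-2222-2222-222222222222": "mg-sandbox",
}
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"
STORAGE = (SUB_A + "/resourceGroups/rg-app/providers/"
           "Microsoft.Storage/storageAccounts/stexample")
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Constructed role assignments at three different scopes.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"},
    {"principal": "bob", "role": "Storage Blob Data Reader",
     "scope": SUB_A + "/resourceGroups/rg-app"},
    {"principal": "carol", "role": "Reader", "scope": SUB_B},
]


def scope_chain(resource_id):
    """Return every scope that contains resource_id, most specific first."""
    rid = resource_id.lower().rstrip("/")
    parts = rid.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "subscriptions":
        raise ValueError("expected an ID starting with /subscriptions/<id>")
    chain = [rid] if len(parts) > 4 else []
    if len(parts) >= 4 and parts[2] == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))      # resource group scope
    chain.append("/" + "/".join(parts[:2]))          # subscription scope
    mg = SUBSCRIPTION_PARENT.get(parts[1])
    while mg:                                        # walk up management groups
        chain.append("/providers/microsoft.management/managementgroups/" + mg.lower())
        mg = MG_PARENT.get(mg)
    return chain


def is_allowed(principal, operation, plane, resource_id):
    """True if any assignment on the resource or an ancestor scope grants it.

    plane is "control" or "data". This models Azure RBAC only; key- or
    SAS-based access to a service is authorized separately.
    """
    field = {"control": "actions", "data": "data_actions"}[plane]
    scopes = set(scope_chain(resource_id))
    for a in ASSIGNMENTS:
        if a["principal"] != principal or a["scope"].lower() not in scopes:
            continue                                 # assignment does not inherit here
        if any(fnmatchcase(operation.lower(), p.lower())
               for p in ROLES[a["role"]][field]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Storage/storageAccounts/write", "control"),
        ("alice", BLOB_READ, "data"),
        ("bob", BLOB_READ, "data"),
        ("bob", "Microsoft.Storage/storageAccounts/delete", "control"),
        ("carol", "Microsoft.Storage/storageAccounts/read", "control"),
    ]
    for who, op, plane in checks:
        print(who, plane, op.rsplit("/", 1)[-1], is_allowed(who, op, plane, STORAGE))
```

Alice's Owner assignment at the top management group inherits down to the storage account for management operations but not for reading blobs, while Bob's data role at the resource group allows the blob read and nothing on the control plane beyond reading containers.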

Section 3.6: Practice questions: Azure architecture fundamentals (exam-style)

This chapter’s practice set will target your ability to classify terms correctly under exam pressure. Expect items that force a choice between “region,” “availability zone,” and “region pair,” plus governance questions that tempt you to confuse “tenant,” “subscription,” “management group,” and “resource group.” The exam rarely rewards memorization of long definitions; it rewards selecting the construct that matches the scope (geography, availability, billing, identity, or deployment container).

Your job while practicing is to justify why each wrong option is wrong. For example, if the requirement is “apply one policy across multiple subscriptions,” you should be able to say: resource groups don’t contain subscriptions, and tenants are identity boundaries, so the best scope is management groups. If the requirement is “high availability within a region,” you should be able to reject region pairs because they are cross-region, and reject resource groups because they don’t provide resiliency.

Common traps to watch for:

  • Choosing availability zones for a scenario that explicitly needs protection from a regional outage (needs multi-region).
  • Choosing subscription when the question is about the directory (should be tenant).
  • Assuming resource group location forces resource location.
  • Mixing up control plane permissions (ARM/RBAC) with data plane permissions (service-level access).

Exam Tip: Use a two-step method in timed practice: (1) identify the scope keyword (identity, billing, governance across subscriptions, HA within region, DR across regions), then (2) pick the smallest Azure construct that satisfies it. Over-scoping (e.g., “new tenant” to solve a tagging problem) is a frequent distractor strategy.

In the answer rationales, pay attention to phrasing patterns: “in the same region” almost always points to zones; “across multiple subscriptions” points to management groups; “deploy consistently” points to ARM; and “organize costs” points to tags. Mastering these patterns turns architecture questions into quick wins.

Chapter milestones
  • Azure global infrastructure: regions, pairs, availability zones
  • Azure accounts: tenants, subscriptions, management groups
  • Azure resources: resource groups, Azure Resource Manager basics
  • Domain practice set: architecture and core concepts (with rationales)
Chapter quiz

1. Your company deploys a critical web app in the East US region. The requirement is to provide high availability within the same Azure region to reduce the impact of a datacenter failure. Which Azure construct should you use?

Correct answer: Availability zones
Availability zones are separate datacenters within a single Azure region and are designed for high availability and resiliency against a datacenter-level failure. Region pairs are two different regions used primarily for disaster recovery and platform-level resiliency across regions, not for within-region datacenter isolation. Management groups are for organizing subscriptions for governance and do not provide application availability.

2. A company has one Microsoft Entra ID (Azure AD) directory and wants to separate billing and resource limits between its Development and Production environments. Which Azure construct should it use?

Correct answer: Subscriptions
Subscriptions are the standard boundary for billing, quotas, and access management within a tenant, making them suitable for separating Dev and Prod while staying in the same directory. A tenant is the Microsoft Entra ID directory boundary; using separate tenants would create separate directories and is broader than needed for billing separation. Availability zones relate to datacenter resiliency, not billing or administrative separation.

3. Your organization has multiple Azure subscriptions across several departments. Leadership wants to apply consistent policies and access controls across all subscriptions while allowing departments to manage their own resources. What should you use?

Correct answer: Management groups
Management groups let you organize subscriptions into a hierarchy so governance (for example, role assignments and policy) can be applied at scale across multiple subscriptions. Resource groups are a deployment and lifecycle boundary for resources within a single subscription and do not manage multiple subscriptions. Azure regions are geographic locations for hosting services and do not provide governance hierarchy.

4. You need to deploy and manage Azure resources using a consistent control plane that supports declarative templates and enforces resource dependencies. Which service/concept provides this capability?

Correct answer: Azure Resource Manager (ARM)
Azure Resource Manager (ARM) is the Azure control plane used to deploy, update, and manage resources consistently (including via ARM templates/Bicep) and handle dependencies. An availability zone is part of the physical infrastructure for resiliency and does not provide a deployment control plane. The subscription billing system relates to cost tracking and charges, not deployment orchestration or resource dependency management.

5. A team wants to delete all resources related to a specific project (VMs, storage, and networking) in one action when the project ends. They also want to apply access control to the project as a unit. What should they use?

Correct answer: A resource group
A resource group is a logical container for related resources and supports lifecycle management (deploy, manage, and delete as a unit) as well as applying role-based access control at the group scope. A region pair is for cross-region resiliency and has nothing to do with grouping resources for deletion. A tenant is the directory boundary for identity and does not provide a per-project resource lifecycle container.

Chapter 4: Describe Azure Services (Core Services + Practice)

In AZ-900, “Azure services” questions are less about memorizing product names and more about recognizing the pattern in a scenario: compute vs. app hosting vs. serverless, private networking vs. internet delivery, storage redundancy vs. database choices. This chapter maps the core services you must identify quickly on the exam (compute, networking, storage/data) and shows how Microsoft-style wording nudges you toward (or away from) the right service.

Expect questions that test: (1) what a service is used for, (2) who manages what (shared responsibility), and (3) which option is the simplest fit. Many wrong answers are “real Azure services” that solve the problem—but are too complex, too expensive, or not aligned with the requirement stated (for example, picking ExpressRoute when “encrypted connection over the public internet” is requested).

Exam Tip: When you feel torn between two services, re-read the requirement and underline keywords like “no server management,” “private,” “global,” “burst,” “lift-and-shift,” “fully managed,” “low latency,” “SLA,” “zone-redundant,” or “serverless.” AZ-900 questions are written so one or two of these words are the deciding factor.

This chapter’s practice set (Section 4.6) is about building the identification reflex: read, classify the need, select the Azure service category, then select the specific service. That process is your timed-test strategy.

Practice note for Compute services: VMs, containers, app hosting, serverless: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Networking services: VNets, VPN, ExpressRoute, DNS, load balancing: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Storage and database services: storage types, redundancy, data services: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Domain practice set: Azure services (with rationales): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Sections in this chapter
Section 4.1: Compute: Azure Virtual Machines, VM scale sets, images

Azure compute questions frequently start with “You need to run…” and then describe an OS requirement, legacy app dependency, or administrative control requirement. In those cases, Azure Virtual Machines (VMs) are the baseline: you choose the OS image, VM size, disks, and networking. The exam commonly tests that VMs are IaaS: you manage the guest OS, patches, and installed software; Microsoft manages the underlying datacenter hardware.

VM images show up in wording such as “preconfigured,” “golden image,” or “standardized deployments.” Understand the difference between using marketplace images (quick start) versus custom images for consistent builds. On AZ-900, you don’t need deep imaging workflows, but you should recognize that images support repeatable VM creation.

VM Scale Sets appear when the scenario includes “automatically increase/decrease instances,” “load-balanced,” or “high traffic varies.” Scale sets let you deploy a set of identical VMs and scale out/in. The trap is confusing scale sets with “vertical scaling” (changing VM size). Scale sets are primarily about horizontal scaling (more instances), typically paired with a load balancer.

  • Choose VMs when you need OS-level control, custom software, or lift-and-shift.
  • Choose VM Scale Sets when you need many similar VMs with autoscaling behavior.
  • Think images when you need consistency and faster provisioning.

Exam Tip: If the scenario says “minimize management” or “no OS patching,” that is a signal to move away from VMs to PaaS options like App Service or Functions (covered next). A common wrong answer is “VMs” simply because you can run anything on them; the exam rewards the most appropriate cloud-native option.

Section 4.2: App hosting and serverless: App Service, Functions, Containers

When a prompt is about hosting a web app or API and emphasizes speed, managed platform, and minimal administration, Azure App Service is usually the correct match. App Service is PaaS: Microsoft manages the OS and runtime platform; you deploy code. AZ-900 often checks that App Service supports common web stacks and scaling without you managing VM infrastructure.

Azure Functions maps to “run code on demand,” “event-driven,” “only pay when it runs,” or “serverless.” The exam tests that Functions is designed for short-lived workloads triggered by timers, HTTP requests, queues, or events. A trap is selecting Functions for always-on, long-running processes without considering execution time/architecture. In AZ-900 terms, just remember: serverless = you focus on code and triggers, not servers.

Containers come up when the scenario includes “package dependencies,” “consistent environment,” “microservices,” or “portable deployment.” On AZ-900, the key is to identify containers as lightweight compared to VMs and to recognize Azure’s container options at a high level. You’re typically deciding between “host code on App Service,” “run event-driven code with Functions,” and “package and run in containers” (often via managed container services).

  • App Service: best default for web apps/APIs with managed hosting.
  • Functions: best for event-driven tasks, automation, and bursty workloads.
  • Containers: best when you need application portability and environment consistency.

Exam Tip: Watch the phrase “without managing servers.” That usually means PaaS or serverless. Also watch for “container image” or “Docker”—those words are deliberate clues. A common trap is picking VMs for web hosting even when the scenario screams “managed web platform.”

Section 4.3: Networking: VNets, subnets, NSGs, peering basics

Azure networking questions in AZ-900 focus on foundational building blocks. Azure Virtual Network (VNet) is the private network boundary in Azure. If a question says “private IPs,” “isolation,” “internal resources,” or “connect Azure resources securely,” the answer often starts with a VNet.

Subnets are divisions inside a VNet. If the scenario mentions separating tiers (web, app, database) or applying different security rules per tier, subnets are the concept being tested. Subnetting is also how Azure services are organized for routing and security controls.

Network Security Groups (NSGs) are a frequent exam target because they represent simple, common traffic filtering. If the prompt says “allow inbound from X,” “block outbound to internet,” or “control traffic at subnet/NIC,” that is NSG territory. The trap is confusing NSGs with “firewalls” as a general concept; on AZ-900, you typically choose NSGs for basic allow/deny rules and recognize that they can be associated with subnets or network interfaces.

VNet Peering is tested at the idea level: connecting two VNets so resources can communicate using private IPs. Wording like “connect two VNets” or “resources in different VNets communicate privately” points to peering. A common trap is selecting VPN Gateway for that requirement; gateways are for connecting networks over VPN/ExpressRoute, while peering is a direct VNet-to-VNet relationship.

Exam Tip: Identify the scope: if the question is about segmenting within Azure, think VNet/subnet/NSG. If the question is about connecting Azure to on-premises or Azure to a remote site, move to VPN Gateway/ExpressRoute (next section).
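The NSG behaviour described in this section, as an added Python example (not part of the original course material): it evaluates inbound traffic against an NSG on the subnet and another on the network interface. It goes slightly beyond the text by modelling rule priority and the default rules; the rule names, address ranges and the reduction of the "Internet" and "VirtualNetwork" service tags to a single address space are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # custom rules use 100-4096; the lowest number is evaluated first
    source: str    # "*", "Internet", "VirtualNetwork" or a CIDR prefix
    port: str      # "*" or one destination port, e.g. "443"
    access: str    # "Allow" or "Deny"


# Default inbound rules present in every NSG (the load balancer probe rule at
# priority 65001 is left out of this sketch).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# Constructed NSGs for a web tier: one on the subnet, one on the VM's NIC.
SUBNET_NSG = [Rule("AllowHttpsFromInternet", 100, "Internet", "443", "Allow")]
NIC_NSG = [
    Rule("AllowHttps", 100, "*", "443", "Allow"),
    Rule("AllowAltHttp", 110, "Internet", "8080", "Allow"),
    Rule("AllowSshFromMgmt", 120, "10.0.2.0/24", "22", "Allow"),
    Rule("DenySshFromElsewhere", 130, "*", "22", "Deny"),
]


def source_matches(rule_source, src_ip):
    """Simplified tags: VirtualNetwork = VNET_SPACE, Internet = everything else."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_source == "Internet":
        return ip not in VNET_SPACE
    return ip in ipaddress.ip_network(rule_source)


def evaluate_nsg(rules, src_ip, dst_port):
    """Return (access, rule_name) of the first match in ascending priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, dst_port):
    """Inbound flows hit the subnet NSG first, then the NIC NSG; both must allow.

    Pass None for a level that has no NSG associated (no filtering there).
    """
    trace = []
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        access, name = evaluate_nsg(nsg, src_ip, dst_port)
        trace.append((level, name, access))
        if access == "Deny":
            return False, trace
    return True, trace


if __name__ == "__main__":
    for src, port in [("203.0.113.10", 443), ("203.0.113.10", 8080),
                      ("10.0.2.5", 22), ("10.0.3.7", 22)]:
        print(src, port, inbound_allowed(SUBNET_NSG, NIC_NSG, src, port))
```

Port 8080 is allowed on the NIC but still blocked, because the subnet NSG falls through to its default deny: a rule at one level cannot open traffic the other level rejects.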

Section 4.4: Connectivity and delivery: VPN Gateway, ExpressRoute, CDN, Load Balancer

This section is where AZ-900 commonly tests “connectivity intent.” VPN Gateway is for encrypted connectivity over the public internet. Look for terms like “site-to-site VPN,” “secure tunnel,” “branch office,” or “over the internet.” The exam doesn’t require deep VPN configuration knowledge—just the correct use case.

ExpressRoute is for private, dedicated connectivity that does not traverse the public internet. Clues include “private connection,” “dedicated line,” “high bandwidth,” “consistent latency,” or “regulatory requirement to avoid the public internet.” A common trap is picking ExpressRoute when the scenario simply says “encrypt traffic” or “connect securely.” VPN already provides encryption; ExpressRoute is about private/dedicated connectivity and predictable performance.

Load Balancer appears when you need to distribute traffic across multiple instances for availability and scale. Keywords: “distribute traffic,” “multiple VMs,” “high availability,” “failover.” The exam tries to see if you can recognize load balancing as a networking service rather than a compute service.

Azure CDN is a delivery optimization service. If the requirement says “cache content close to users,” “reduce latency,” “static content,” or “global users,” CDN is the match. The trap is selecting a load balancer or ExpressRoute for “faster content delivery.” CDN is about edge caching and speeding up content delivery, not private network connectivity.

  • VPN Gateway: secure tunnel over internet.
  • ExpressRoute: private dedicated connection.
  • CDN: faster global content delivery via caching.
  • Load Balancer: distribute traffic across instances.

Exam Tip: Split the problem into two questions: “How do we connect?” (VPN/ExpressRoute) and “How do we deliver traffic efficiently?” (Load Balancer/CDN). Many exam distractors mix these categories.

Section 4.5: Storage and databases: Storage accounts, redundancy, Azure SQL and Cosmos DB overview

AZ-900 storage questions usually test that Azure Storage accounts are the container for core storage services (blobs, files, queues, tables) and that you must choose the right storage type for the data pattern. The exam also checks you can interpret “unstructured objects” (blob), “SMB file shares” (Azure Files), and “messaging for decoupling” (queues) at a high level.

Redundancy is a major trap area. When you see “protect from datacenter failure,” “region outage,” “highest durability,” or “replicate to another region,” you’re in redundancy territory. The exam commonly expects you to differentiate: local redundancy within a datacenter vs. zone redundancy within a region vs. geo-redundancy across regions. You are not expected to compute durability numbers; you are expected to match the stated resilience requirement to the redundancy concept.

On databases, think in terms of managed relational vs. globally distributed NoSQL. Azure SQL Database is the managed relational database option (PaaS). If the scenario mentions relational data, SQL, transactions, or needing a managed database without VM administration, Azure SQL is typically the correct direction.

Azure Cosmos DB appears when the scenario emphasizes “global distribution,” “low latency worldwide,” “NoSQL,” “massive scale,” or “schema flexibility.” A common trap is choosing Cosmos DB for any database requirement; the exam wants you to notice when the requirements are specifically NoSQL and/or globally distributed. If the prompt describes a traditional business database with SQL queries, Azure SQL is the safer fit.

Exam Tip: When a question includes “unstructured data like images/videos,” default to blob storage. When it includes “relational,” default to Azure SQL. When it includes “globally distributed, low-latency NoSQL,” default to Cosmos DB. Don’t overcomplicate: AZ-900 rewards matching keywords to the intended service category.

Section 4.6: Practice questions: Describe Azure services (exam-style)

This practice set is designed to strengthen your “service selection” instincts. Microsoft-style AZ-900 items often provide a short scenario plus a single must-have requirement (for example, “private connection,” “no server management,” “auto-scale,” “global users,” or “replicate across regions”). Your job is to ignore extra details and match the requirement to the service.

Use this repeatable approach during practice: first classify the domain (Compute, Networking, Storage/Data). Second, decide the service model (IaaS VM vs. PaaS App Service vs. serverless Functions). Third, validate with the deciding keyword. This reduces guesswork under time pressure and prevents the classic trap of choosing a powerful service that is not the best fit.

  • Compute traps to watch: selecting VMs when the prompt asks for “no OS management,” or selecting Functions when the workload is clearly a long-running hosted app.
  • Networking traps to watch: confusing VNet peering (VNet-to-VNet) with VPN Gateway (network-to-network over internet) and ExpressRoute (private dedicated).
  • Delivery traps to watch: using CDN vs. load balancing; CDN is caching/edge acceleration, while Load Balancer is traffic distribution to instances.
  • Storage/data traps to watch: mixing storage redundancy terms (local vs. zone vs. geo) and mixing relational SQL needs with NoSQL/global distribution needs.

Exam Tip: After each practice item, don’t just note the correct answer—write a one-sentence “because” statement using the requirement keyword (example format: “Because it requires a private dedicated connection, ExpressRoute fits better than VPN Gateway.”). This builds the exact mental rationale you’ll need when two answers both sound plausible.

Finally, track mistakes by category. If you miss multiple items that involve redundancy or connectivity, that’s a signal to re-drill those objective areas before doing more mixed practice. In AZ-900, a small number of repeated patterns account for many of the Azure services questions—master the patterns and your score becomes predictable.

Chapter milestones
  • Compute services: VMs, containers, app hosting, serverless
  • Networking services: VNets, VPN, ExpressRoute, DNS, load balancing
  • Storage and database services: storage types, redundancy, data services
  • Domain practice set: Azure services (with rationales)
Chapter quiz

1. A company wants to migrate an existing on-premises Windows Server application to Azure with minimal code changes. They need full control over the guest OS and the ability to install custom software. Which Azure compute service should they use?

Correct answer: Azure Virtual Machines
Azure Virtual Machines best fits a lift-and-shift requirement where you need guest OS control and can install custom software. Azure Functions is serverless and event-driven, not suited for migrating a full server-based app with OS-level dependencies. Azure App Service is a managed app hosting platform and does not provide full OS control (you manage the app, not the server).

2. A company requires a private, dedicated connection from their on-premises datacenter to Azure. They need predictable performance and do not want to use the public internet. Which Azure networking service meets this requirement?

Correct answer: Azure ExpressRoute
Azure ExpressRoute provides a private, dedicated connection to Azure with more predictable latency and throughput than internet-based options. Azure VPN Gateway typically uses encrypted tunnels over the public internet, which does not meet the 'not public internet' requirement. Azure DNS hosts DNS zones and records; it does not provide connectivity between on-premises networks and Azure.

3. You deploy two virtual machines in the same Azure virtual network. You must allow inbound HTTP traffic from the internet to the application, and distribute requests across both VMs. Which service should you use?

Correct answer: Azure Load Balancer
Azure Load Balancer distributes inbound network traffic across multiple VMs, meeting the requirement to spread HTTP requests. An NSG controls traffic flow (allow/deny rules) but does not distribute traffic across instances. Azure DNS provides name resolution; it can direct clients to an endpoint name but does not provide Layer 4 load distribution to VMs.

4. A startup is building an event-driven solution that runs code only when a new file is uploaded to Azure Storage. They want to avoid provisioning or managing servers and pay only when the code runs. Which compute option should they choose?

Correct answer: Azure Functions
Azure Functions is serverless and designed for event-driven workloads (such as reacting to blob uploads) with consumption-based billing. Azure Virtual Machines require server provisioning and ongoing management, which conflicts with the requirement. AKS is for orchestrating containers and introduces cluster management overhead, which is not the simplest fit for a basic event-triggered function.

5. A company stores critical data in Azure and must ensure the data remains available even if an entire Azure region becomes unavailable. Which storage redundancy option should they select?

Correct answer: Geo-redundant storage (GRS)
Geo-redundant storage (GRS) replicates data to a secondary region, helping maintain availability and durability if the primary region is lost. LRS replicates only within a single datacenter in one region, so a region outage can still take the data offline. ZRS replicates across availability zones within a single region, improving resilience to zone failures but not to a full regional outage.

Chapter 5: Describe Azure Management and Governance (Tools + Practice)

In the AZ-900 exam blueprint, “management and governance” is where Microsoft checks whether you can operate Azure safely at scale: controlling identity, restricting what can be deployed, protecting critical resources from accidental deletion, and managing spend. The questions are often scenario-based but lightweight: you’ll be asked which tool to use, what the tool enforces (or does not enforce), and where it applies (tenant, management group, subscription, resource group, resource).

This chapter maps directly to the exam objectives around identity and access (Microsoft Entra ID, MFA, RBAC), governance and compliance (Azure Policy, policy initiatives, and the concept of Blueprints), resource management (locks, tags, ARM template basics), and cost controls (calculators, budgets, Cost Management + Billing, Advisor). You’ll also see recurring exam patterns: “authentication vs authorization,” “policy vs RBAC,” and “cost estimation vs cost monitoring.”

Exam Tip: Many AZ-900 items are “tool selection” questions. Before choosing an answer, label the requirement in one word: “sign-in,” “permissions,” “standardization,” “protection,” or “cost.” Then pick the Azure feature that matches that category.

Practice note for Identity and access: Microsoft Entra ID, RBAC, MFA basics: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Governance and compliance: Policy, Blueprints (concept), resource locks: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Cost management: pricing, calculators, budgets, Advisor: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Domain practice set: management and governance (with rationales): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Sections in this chapter
Section 5.1: Microsoft Entra ID basics: tenants, users, groups, authentication

Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud identity service and appears on AZ-900 primarily as the source of identities used to sign in to Azure and Microsoft cloud services. The exam focuses on core vocabulary: tenant, users, groups, and authentication.

A tenant is a dedicated instance of Microsoft Entra ID that represents an organization. Tenants are separate security boundaries: identities and policies in one tenant do not automatically apply to another. A tenant commonly aligns to a company, but the exam may describe multiple tenants for mergers, separate business units, or regulated environments.

Users are identities (cloud-only or synchronized from on-premises) used to sign in. Groups are containers for users and devices used to simplify assignment of access—especially when combined with RBAC in the next section. The key exam concept is that Entra ID provides authentication (proving who you are). Authentication methods include passwords, certificates, and modern controls like MFA (multi-factor authentication).

Exam Tip: If the question says “verify identity,” “sign in,” “MFA,” or “password reset,” you are in Entra ID territory (authentication). If it says “what can they do after signing in,” that is authorization (often RBAC).

Common trap: Confusing Entra ID with a subscription. A subscription is for billing and resource boundaries; a tenant is for identity. One tenant can have multiple subscriptions.

Section 5.2: Authorization and access control: RBAC, roles, scope

After authentication comes authorization: deciding what an identity can do in Azure. On AZ-900, the primary authorization system is Azure role-based access control (RBAC). RBAC assignments connect three pieces: a security principal (user, group, or service principal), a role definition (a set of allowed actions), and a scope (where the permissions apply).

Understand scope ordering because exam questions frequently test it: management group > subscription > resource group > resource. Permissions inherit down the hierarchy. For example, assigning a role at the subscription scope grants those permissions across all resource groups and resources inside that subscription.

RBAC roles can be built-in (common in AZ-900 questions) or custom. Typical built-in roles include Owner, Contributor, and Reader. You don’t need every capability detail, but know the intent: Owner is full management including assigning access; Contributor can manage resources but not grant access; Reader can view.

Exam Tip: If a question asks to “allow a team to manage VMs but not other resources,” focus on RBAC scope: assign the role at the resource group that contains the VMs (or at the VM resource). If the requirement is “view-only,” choose Reader, not Contributor.

Common trap: RBAC does not force “what must be deployed.” It only controls “who can do what.” Enforcing allowed SKUs/locations is Azure Policy (next section).
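The three parts of a role assignment and the downward inheritance of scope, as an added Python example (not part of the original course material): it resolves which assignments grant an action at a given scope. The principals, subscription and management group names are constructed placeholders, and the role definitions are simplified copies of the built-in Owner, Contributor and Reader roles.

```python
from fnmatch import fnmatchcase

# Simplified built-in roles (the real Contributor role lists more NotActions).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed hierarchy: two subscriptions under one management group.
MG_PARENT = {"mg-root": None, "mg-corp": "mg-root"}
SUB_TO_MG = {"sub-prod": "mg-corp", "sub-dev": "mg-corp"}
GROUP_MEMBERS = {"grp-web-team": {"alice"}}


def mg_scope(name):
    return f"/providers/Microsoft.Management/managementGroups/{name}"


RG_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
RG_DATA = "/subscriptions/sub-dev/resourceGroups/rg-data"

# Each assignment = security principal + role definition + scope.
ASSIGNMENTS = [
    {"principal": "grp-web-team", "role": "Contributor", "scope": RG_WEB},
    {"principal": "alice", "role": "Reader", "scope": mg_scope("mg-corp")},
    {"principal": "bob", "role": "Owner", "scope": "/subscriptions/sub-dev"},
]


def scope_chain(scope):
    """Return the scope and its ancestors, most specific first."""
    parts = scope.strip("/").split("/")
    chain = []
    if parts[0].lower() == "subscriptions":
        if len(parts) > 4:
            chain.append(scope)                        # individual resource
        if len(parts) >= 4:
            chain.append("/" + "/".join(parts[:4]))    # resource group
        chain.append("/" + "/".join(parts[:2]))        # subscription
        mg = SUB_TO_MG.get(parts[1])
    else:
        mg = parts[-1]                                 # management group scope
    while mg is not None:
        chain.append(mg_scope(mg))
        mg = MG_PARENT.get(mg)
    return chain


def role_allows(role, action):
    """Actions are matched case-insensitively; NotActions subtract from Actions."""
    definition, act = ROLES[role], action.lower()
    granted = any(fnmatchcase(act, p.lower()) for p in definition["actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in definition["not_actions"])
    return granted and not excluded


def effective_grants(user, action, target_scope):
    """List (role, scope) assignments that let `user` perform `action` at the target."""
    principals = {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}
    chain = [s.lower() for s in scope_chain(target_scope)]
    return [(a["role"], a["scope"]) for a in ASSIGNMENTS
            if a["principal"] in principals
            and a["scope"].lower() in chain
            and role_allows(a["role"], action)]


if __name__ == "__main__":
    print(effective_grants("alice", "Microsoft.Compute/virtualMachines/restart/action", VM_WEB))
    print(effective_grants("alice", "Microsoft.Authorization/roleAssignments/write", RG_WEB))
```

An empty result means no access: RBAC is additive, so the principal needs at least one assignment on the target scope or an ancestor whose role covers the action.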

Section 5.3: Governance tools: Azure Policy, initiatives, compliance concepts

Azure Policy is Azure’s guardrail system for governance: it evaluates resources against rules to help enforce standards. AZ-900 tests whether you can differentiate Policy from RBAC and recognize common policy outcomes such as deny, audit, and deploy if not exists.

A policy definition describes what is allowed or required (for example, “only deploy resources to West Europe,” “require tags,” or “disallow public IPs”). You assign policies at a scope (management group, subscription, resource group, resource). When policies are grouped together, they are called an initiative (sometimes described as a “set of policies” used to track a compliance goal such as ISO 27001 or organizational baselines).

Compliance in this context is usually “policy compliance”: whether resources meet the defined rules. The exam may use terms like “regulatory requirements” and “standards,” but the decision point is: do you need to control configurations across many resources? If yes, Azure Policy/initiatives.

Blueprints (concept): While Azure Blueprints has been retired as a standalone service, AZ-900 may still reference the concept: packaging governance artifacts (policy assignments, role assignments, and templates) to deploy a standardized environment. On the exam, treat “Blueprints” as “repeatable environment governance,” but prefer Policy/initiatives for the enforcement mechanism.

Exam Tip: When the requirement says “ensure only compliant resources can be created” or “enforce” and “deny,” choose Azure Policy. When it says “control who can create,” choose RBAC.

Common trap: Confusing Azure Policy with Microsoft Defender for Cloud. Policy enforces/assesses configuration rules; Defender for Cloud focuses on security posture management and threat protection (not the same exam objective here).

Section 5.4: Resource management: locks, tags, ARM templates overview

Resource management is the practical layer: organizing, protecting, and deploying Azure resources consistently. AZ-900 emphasizes three concepts: resource locks, tags, and a high-level understanding of ARM templates (infrastructure as code).

Resource locks prevent accidental changes. Two common lock types are Read-only (can’t modify) and Delete (can’t delete). Locks apply at different scopes (resource, resource group, subscription) and inherit down. This is frequently tested with scenarios like “prevent a critical database from being deleted.” The correct tool is typically a delete lock.

Tags are name/value pairs attached to resources (and sometimes resource groups) to aid organization, cost reporting, and operations. Typical tag uses: “CostCenter=Finance,” “Environment=Prod,” “Owner=TeamA.” Tags do not provide security; they’re metadata.

ARM templates are JSON-based definitions used to deploy resources declaratively. AZ-900 typically tests the idea: templates make deployments repeatable, consistent, and automated. You don’t need to write templates, but you should recognize that ARM templates support idempotent deployments (“deploy again and Azure converges to desired state”).

Exam Tip: “Prevent deletion” points to locks. “Group costs by department” points to tags and Cost Management reporting. “Deploy the same environment repeatedly” points to ARM templates (or other IaC tools, but ARM is the classic AZ-900 answer).

Common trap: Locks can block actions even for highly privileged users unless removed. In questions, if someone “cannot delete despite being Contributor,” a lock is a strong suspect.
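The decision pattern from Sections 5.2 to 5.4, as an added example that is not part of the original course material: a simplified Python model of the three gates (RBAC, resource locks, Azure Policy) applied to one request. The scope paths, principal names and the `Environment` class are assumptions made for illustration; they are not real ARM resource IDs or an Azure API.

```python
"""Toy model of three Azure management-plane gates: RBAC, locks, Azure Policy.

Constructed for study purposes. Scope strings are simplified paths, not real
ARM resource IDs, and the role/lock semantics cover only the intent described
in the text.
"""
from dataclasses import dataclass

# Intent of the three built-in roles named in the text.
ROLE_ACTIONS = {
    "Owner": {"read", "write", "delete", "assign_access"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}

# Actions each lock level blocks. ReadOnly leaves only reads possible.
LOCK_BLOCKS = {
    "CanNotDelete": {"delete"},
    "ReadOnly": {"write", "delete", "assign_access"},
}


def covers(assigned_scope: str, target: str) -> bool:
    """True when target is the assigned scope or sits below it (inheritance)."""
    assigned_scope = assigned_scope.rstrip("/")
    return target == assigned_scope or target.startswith(assigned_scope + "/")


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user or group name
    role: str        # key of ROLE_ACTIONS
    scope: str


@dataclass(frozen=True)
class AllowedLocationsPolicy:
    scope: str
    allowed: frozenset  # permitted regions; the effect modelled here is deny


@dataclass(frozen=True)
class Lock:
    scope: str
    level: str       # key of LOCK_BLOCKS


@dataclass
class Environment:
    assignments: list
    policies: list
    locks: list
    groups: dict     # user -> set of group names

    def evaluate(self, user, action, target, location=None):
        """Return (allowed, gate); gate names what decided the outcome."""
        identities = {user} | self.groups.get(user, set())
        # Gate 1, RBAC: who can do what, at this scope or any parent scope.
        granted = any(
            a.principal in identities
            and action in ROLE_ACTIONS[a.role]
            and covers(a.scope, target)
            for a in self.assignments
        )
        if not granted:
            return False, "RBAC"
        # Gate 2, locks: apply to every caller, whatever role they hold.
        for lock in self.locks:
            if covers(lock.scope, target) and action in LOCK_BLOCKS[lock.level]:
                return False, f"lock:{lock.level}"
        # Gate 3, Policy: what may exist; checked on create/update only.
        if action == "write" and location is not None:
            for policy in self.policies:
                if covers(policy.scope, target) and location not in policy.allowed:
                    return False, "Policy"
        return True, "allowed"


# Constructed sample environment (all names are hypothetical).
SUB = "corp-mg/sub-prod"
ENV = Environment(
    assignments=[
        RoleAssignment("ops-team", "Contributor", f"{SUB}/rg-app"),
        RoleAssignment("auditors", "Reader", SUB),
        RoleAssignment("alice", "Owner", "corp-mg"),
    ],
    policies=[AllowedLocationsPolicy(SUB, frozenset({"eastus", "westus"}))],
    locks=[Lock(f"{SUB}/rg-app/sql-orders", "CanNotDelete")],
    groups={"bob": {"ops-team"}, "carol": {"auditors"}},
)

if __name__ == "__main__":
    for case in [
        ("bob", "write", f"{SUB}/rg-data/vm-db01", "eastus"),
        ("alice", "write", f"{SUB}/rg-app/vm-web02", "westeurope"),
        ("bob", "delete", f"{SUB}/rg-app/sql-orders", None),
    ]:
        print(case, "->", ENV.evaluate(*case))
```

The gate returned for a denied request is the "bucket" an exam scenario is pointing at: a denial at the RBAC gate is a "who" problem, a denial at the Policy gate is a "what" problem, and a denial at the lock gate explains why a Contributor or Owner still cannot delete.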

Section 5.5: Cost tools: Azure Pricing Calculator, TCO, Cost Management + Billing, Advisor

Cost management questions often hinge on timing: are you estimating future cost, comparing on-prem vs cloud, or monitoring actual spend? AZ-900 expects you to match the scenario to the correct tool: Azure Pricing Calculator, TCO Calculator, Cost Management + Billing (budgets/alerts), and Azure Advisor.

Azure Pricing Calculator estimates expected monthly costs for Azure services before deployment. It is used for “what will it cost if we run X VMs” scenarios. The TCO Calculator estimates potential savings of migrating from on-premises to Azure by factoring current infrastructure costs.

Cost Management + Billing is where you analyze actual Azure spending, create budgets, and set alerts. Budgets help you track and notify as you approach thresholds; they do not “stop” resources by default. On the exam, if the question involves “monitor spend,” “set a budget,” “cost analysis,” or “chargeback/showback,” this is the target.

Azure Advisor provides recommendations across categories including cost, reliability, security, operational excellence, and performance. Cost recommendations often include rightsizing or shutting down underutilized resources. Advisor doesn’t directly enforce governance rules; it recommends.

Exam Tip: Use this shortcut: “estimate” = Pricing Calculator; “compare to on-prem” = TCO; “track actual & budget” = Cost Management; “recommend optimizations” = Advisor.

Common trap: Confusing budgets with hard spending caps. Budgets alert; they don’t automatically prevent new resources unless integrated into processes/policies.

Section 5.6: Practice questions: Management and governance (exam-style)

This domain rewards pattern recognition. As you complete your practice set, force each question into one of five buckets before looking at answer choices: Authentication (Entra ID/MFA), Authorization (RBAC/roles/scope), Standardization (Policy/initiatives and the Blueprint concept), Protection (locks), or Cost (calculators, Cost Management, Advisor). Most wrong answers are “neighboring tools” from the wrong bucket.

When reading scenarios, underline the verbs: “sign in,” “allow,” “deny,” “prevent deletion,” “estimate,” “monitor,” “recommend.” Those verbs map almost one-to-one to the correct Azure feature. Also watch for scope clues: “across all subscriptions” suggests management groups; “for one project” suggests a resource group; “only this VM” suggests resource scope.

Exam Tip: If two answers both seem plausible, ask: “Does the requirement mention who or what?” “Who can do it” is RBAC. “What is allowed to exist” is Policy. If the requirement is “avoid accidental change,” locks are stronger than RBAC because locks can block deletes even for authorized users.

Common trap: Over-assuming complexity. AZ-900 rarely requires multi-step solutions (for example, “Policy + RBAC + custom role + conditional access”). If the question is asking for the best single service/feature, choose the simplest Azure-native tool that directly matches the requirement.

Finally, apply a review loop: after each missed question, write a one-line correction in your notes in the format “Requirement → Tool.” Over time, you’ll build a fast lookup table that turns management and governance questions into near-instant points under timed conditions.

Chapter milestones
  • Identity and access: Microsoft Entra ID, RBAC, MFA basics
  • Governance and compliance: Policy, Blueprints (concept), resource locks
  • Cost management: pricing, calculators, budgets, Advisor
  • Domain practice set: management and governance (with rationales)
Chapter quiz

1. A company wants to ensure only members of the NetworkOps group can create or modify virtual networks in an Azure subscription. Other users should still be able to create virtual machines. Which Azure feature should you use to meet this requirement?

Correct answer: Azure role-based access control (RBAC)
RBAC is the authorization system used to grant permissions (for example, allowing NetworkOps to manage virtual networks) at scopes like subscription or resource group. Azure Policy is for enforcing standards and compliance (what can be deployed), not granting permissions to specific users. Budgets in Cost Management are for spending thresholds and alerts, not controlling who can perform actions.

2. You need to prevent administrators from accidentally deleting a critical Azure storage account, but they must still be able to read and modify its configuration. What should you apply to the storage account?

Correct answer: A CanNotDelete resource lock
A CanNotDelete lock prevents deletion while still allowing updates/reads. A ReadOnly lock blocks modifications, which violates the requirement to allow configuration changes. An Azure Policy that denies storage accounts would prevent creation or changes based on policy evaluation, but it is not the primary mechanism for protecting a specific existing resource from accidental deletion; a lock is.

3. Your organization must ensure that all newly created resources in a subscription are deployed only to "East US" or "West US". Which service should you use to enforce this requirement?

Correct answer: Azure Policy
Azure Policy can enforce allowed locations by denying deployments outside specified regions at the assigned scope. Microsoft Entra ID handles identity (authentication) and does not enforce deployment properties like region. Azure Advisor provides recommendations (including cost and reliability), but it does not enforce compliance or block deployments.

4. A finance team wants to estimate the monthly cost of running 10 virtual machines before deploying them to Azure. Which tool should they use?

Correct answer: Azure Pricing Calculator
The Azure Pricing Calculator is designed to estimate expected costs prior to deployment. Cost Management + Billing cost analysis is for monitoring and analyzing actual incurred costs after resources exist (and can also show forecasts), not for initial pre-deployment estimation. Azure Policy is for governance controls and does not calculate pricing.

5. You are reviewing Azure management concepts. Which statement correctly differentiates authentication and authorization in Azure?

Correct answer: Authentication verifies who the user is; authorization determines what the user can do
Authentication is the process of verifying identity (for example, sign-in using Microsoft Entra ID and possibly MFA). Authorization is the process of determining permissions to access resources (for example, using RBAC). The reversed statement is incorrect. Azure Policy is a governance control for resource standards and compliance; it is not the identity system and does not provide authentication/authorization in the way Entra ID and RBAC do.

Chapter 6: Full Mock Exam and Final Review

This chapter is your “dress rehearsal” for AZ-900. You will run a full-length mock experience, then convert your results into a targeted improvement plan. AZ-900 rewards broad coverage, not deep implementation skills. That means your final review should focus on (1) recognizing Microsoft terminology in short prompts, (2) choosing the best answer among near-true distractors, and (3) managing time without second-guessing straightforward items.

You’ll work through two domain-mixed mock parts (mirroring how the real exam blends cloud concepts, core Azure services, and management/governance). Then you’ll apply a structured answer-review workflow to pinpoint why you missed items (knowledge gap vs. reading trap vs. overthinking). Finally, you’ll refresh high-frequency terms and walk into exam day with a pacing and flagging strategy that prevents common pitfalls.

  • Lesson: Mock Exam Part 1
  • Lesson: Mock Exam Part 2
  • Lesson: Weak Spot Analysis
  • Lesson: Exam Day Checklist

Exam Tip: Your goal is not to “feel confident.” Your goal is to become predictable: you should know exactly how you will read, eliminate, select, flag, and review—every time, under time pressure.

Practice note for Mock Exam Part 1: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Mock Exam Part 2: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Weak Spot Analysis: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Exam Day Checklist: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 6.1: Full mock exam instructions, timing, and scoring approach

Treat this mock as a simulation, not practice “whenever.” Block uninterrupted time, silence notifications, and use a single sitting for Part 1 + Part 2. The real AZ-900 experience is less about complex configuration and more about quick recognition across domains: cloud models (IaaS/PaaS/SaaS), shared responsibility, Azure architecture (regions/availability zones), core services (compute, networking, storage), identity (Microsoft Entra ID), and governance (cost management, policy, RBAC, compliance).

Timing: aim for a pace that leaves a review buffer. If you typically see ~35–60 questions on the live exam, you want a rhythm of roughly 60–90 seconds per item on average, but with flexibility. Some questions are instant (definitions); others require careful reading (governance scenario language). Run the mock with a “two-pass” method: first pass = answer everything you can quickly; second pass = return to flagged items only.

Scoring: record three numbers, not just a percentage. (1) Overall score, (2) score by domain bucket (cloud concepts / Azure services / management & governance), and (3) your error type. Common error types are: missed keyword (“most cost-effective”), confusing similar services (Azure Policy vs. RBAC), or misreading shared responsibility boundaries. Your improvement plan depends on the error type.

Exam Tip: Don’t retake immediately after you review. Wait at least 24 hours and then do a shorter timed set. Immediate retakes often measure memory, not mastery.

Section 6.2: Mock Exam Part 1 (domain-mixed, Microsoft-style)

Mock Exam Part 1 should feel like the first half of the real test: broad, mixed, and occasionally “too easy.” That’s intentional—AZ-900 includes many items that test whether you can distinguish basic definitions and pick the best Microsoft-aligned wording. During this part, focus on reading discipline. Microsoft-style questions often hide the deciding factor in a single constraint: “minimize administrative effort,” “ensure high availability,” “reduce costs,” or “meet compliance requirements.”

As you work, practice mapping each prompt to an exam objective before you look at options. Ask: is this cloud concepts (CapEx vs OpEx; elasticity; consumption-based), Azure architecture (regions, region pairs, availability zones), core services (VMs vs App Service; VNets; load balancing), or identity/governance (RBAC, Policy, locks, Cost Management)? This pre-classification prevents distractors from steering you.

Common traps in Part 1 include mixing service categories. For example, governance tools (Policy, Blueprints—historically referenced in some materials—resource locks, tags) can be confused with security/identity controls (RBAC, Conditional Access). Another frequent trap is confusing “availability” vs “durability”: availability is about uptime and access; durability is about data preservation (often discussed in storage context). When you see “SLA” language, slow down—SLAs can refer to service uptime, not data retention.

Exam Tip: If two options both sound plausible, look for the one that best matches the scope described: tenant vs subscription vs resource group vs individual resource. Scope alignment is a repeatable tie-breaker on AZ-900.

Section 6.3: Mock Exam Part 2 (domain-mixed, Microsoft-style)

Mock Exam Part 2 tends to feel “more scenario-driven,” even though AZ-900 remains fundamentals. Expect more prompts where multiple services could technically work, and you must choose the most appropriate given cost, management effort, or governance constraints. This is where candidates lose points by selecting a technically valid solution that is not the best fit for the requirement.

Lean heavily on exam patterns. When you see “control who can do what,” think RBAC (authorization). When you see “enforce that resources must meet rules,” think Azure Policy (compliance enforcement). When you see “prevent accidental deletion,” think resource locks. When you see “track costs by department,” think tags + Cost Management. When you see “connect on-premises to Azure,” check whether it implies internet-based (VPN Gateway) or dedicated private connectivity (ExpressRoute). For compute, “lift and shift” signals IaaS VMs; “deploy code without managing OS” signals PaaS (App Service, Functions, container services).

Part 2 also surfaces shared responsibility boundaries. If the prompt implies SaaS, Microsoft manages more (platform and app), while you still manage data, identities, and access policies. For IaaS, you manage OS configuration, patches, and runtime controls. Distractors often claim Microsoft handles tasks that remain customer-owned in IaaS (e.g., OS updates) or that customers handle tasks that are Microsoft-owned in SaaS (e.g., the underlying physical infrastructure).

Exam Tip: Watch for words like “always,” “never,” and “only.” In fundamentals exams, absolutes are frequently wrong unless they restate a formal definition (for example, “public cloud resources are shared among multiple customers”).

Section 6.4: Answer review workflow: rationales, why distractors are wrong

This is the “Weak Spot Analysis” lesson in action. Your score improves fastest when you review like an investigator, not like a student skimming explanations. Use a three-step workflow for every missed or guessed item: (1) restate the question in your own words, (2) identify the objective it targets, (3) explain why each wrong option is wrong—not just why the right one is right.

Classify each miss into one of four buckets. Bucket A: terminology gap (you don’t know what a service does). Bucket B: scope confusion (tenant/subscription/resource group/resource). Bucket C: requirement misread (you missed “least administrative effort,” “most cost-effective,” “high availability,” etc.). Bucket D: distractor attraction (you chose a familiar service name without matching the requirement). This classification determines your next action: A requires re-learning; B requires drawing a scope map; C requires reading practice; D requires elimination discipline.

When reviewing rationales, look for Microsoft’s “best answer” logic. For instance: Azure Policy evaluates and enforces compliance of resources; RBAC assigns permissions to identities; Cost Management + Billing analyzes and forecasts spend; the Azure portal/CLI/PowerShell are management interfaces (not governance). If you keep mixing two, write a one-line contrast card: “Policy = rules on resources; RBAC = permissions for users.”

Exam Tip: Force yourself to write a 5–10 word “deciding clue” for each reviewed question (e.g., “enforce allowed SKUs → Policy”). On exam day, those clues become your mental auto-complete.

Section 6.5: Final domain refresher: key terms and last-mile memorables

Your final refresher should be high-yield, definition-driven, and contrast-focused. Start with cloud concepts: CapEx (upfront datacenter spending) vs OpEx (pay-as-you-go). Elasticity (automatic scaling to match demand) vs scalability (ability to increase capacity). Public vs private vs hybrid cloud; and the shared responsibility model shifting across IaaS/PaaS/SaaS. Remember: “consumption-based” is the economic theme, and “shared” is the responsibility theme.

Azure architecture: a region is a geographic area with one or more datacenters; availability zones are separate physical locations within a region; region pairs support disaster recovery planning. Resource hierarchy matters: management groups > subscriptions > resource groups > resources. Many governance questions become easy if you anchor your answer to the correct level of scope.

Core services: compute (VMs, App Service, Containers, Functions), networking (VNet, VPN Gateway, ExpressRoute, load balancers), storage (Storage accounts, blobs, files, queues, disks) and identity (Microsoft Entra ID). Governance tools: RBAC for access control, Policy for compliance enforcement, resource locks for preventing changes, tags for organization and cost allocation, and Cost Management for analysis and budgeting.

Exam Tip: Last-mile memorables are contrasts. Build mini-pairs: “RBAC vs Policy,” “VPN vs ExpressRoute,” “Availability vs Durability,” “Region vs Availability Zone,” “IaaS vs PaaS vs SaaS.” If you can say the difference in one sentence, you’re ready.

Section 6.6: Exam-day strategy: pacing, flagging, and common pitfalls

This section is your Exam Day Checklist translated into behavior. Before you start: confirm you understand the interface (how to flag, navigate, and review). During the exam, use a two-pass approach. Pass 1: answer immediately if you can justify the choice with a keyword or objective (“enforce rule” → Policy). If you’re uncertain after a quick elimination, flag it and move on. Pass 2: return to flagged items with remaining time and re-read the question slowly—many errors are caused by missing a single constraint.

Pacing: don’t let one tough question steal time from five easy ones. AZ-900 contains many straightforward definition items that should be quick wins. Use those to “bank time” for scenario-style governance and shared responsibility questions. If you notice anxiety-driven rereading, stop and do a structured elimination: remove options that mismatch scope, mismatch category (management tool vs governance control), or violate the stated priority (cost vs performance vs effort).

Common pitfalls: (1) choosing a correct service in the wrong domain (e.g., selecting a monitoring tool when the question asks for enforcement), (2) confusing identity authentication (Entra ID) with authorization (RBAC), (3) ignoring the “most” in “most cost-effective,” and (4) over-assuming high availability when it wasn’t requested. High availability solutions often cost more; if cost minimization is explicit, prefer simpler architectures unless availability is required.

Exam Tip: If you change an answer during review, require a concrete reason (a missed keyword or a scope mismatch). Changing due to “a feeling” is one of the most reliable ways to lose points.

Chapter milestones
  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist
Chapter quiz

1. You take a full-length AZ-900 mock exam and score poorly on questions about access control. In your weak spot analysis, you determine you misunderstood which Azure service manages identities and sign-ins. Which service should you focus on reviewing?

Correct answer: Microsoft Entra ID (Azure Active Directory)
Microsoft Entra ID (formerly Azure AD) is the identity and access management service used for authentication, SSO, and role-based access scenarios. Azure Monitor is for collecting and analyzing telemetry (metrics/logs), not identity. Azure Advisor provides recommendations (cost, security, reliability, performance) but does not manage users or sign-ins.

2. You want to reduce the chance of failing AZ-900 because you run out of time. During the exam, you encounter a long question with uncertain details. What is the best exam-day strategy to use?

Correct answer: Flag the question, select the best answer you can, and return to it if time remains
Flagging and moving on supports time management and prevents getting stuck; you can return later if time remains. Spending as long as needed on one item can jeopardize completing the exam and is a common pitfall. Leaving a question unanswered is typically worse than selecting your best option, since unanswered questions do not earn credit.

3. Your team’s mock exam review shows several incorrect answers were caused by choosing an option that was 'almost true' but not the best match for the prompt. Which technique best addresses this reading-trap weakness for AZ-900-style questions?

Correct answer: Identify the key requirement in the prompt (e.g., cost vs. security vs. governance) and eliminate options that do not directly satisfy it
AZ-900 frequently uses near-true distractors; focusing on the prompt’s primary requirement and eliminating mismatches helps choose the best answer. Choosing the most 'Azure-sounding' option can be a trap because distractors often include correct-sounding terms that do not meet the stated need. Assuming the first choice is correct is not a reliable strategy and can reinforce mistakes.

4. A startup wants to host a web app with minimal management overhead and automatic scaling. They do not want to manage virtual machines. Which Azure service is the best fit?

Correct answer: Azure App Service
Azure App Service is a PaaS offering for hosting web apps with built-in scaling and reduced infrastructure management. Azure Virtual Machines are IaaS and require managing the OS, patching, and VM configuration. Azure DevTest Labs is for creating and managing dev/test environments and is not the primary service for production web app hosting.

5. A company wants a single place to create, assign, and track policies that enforce resource standards (for example, requiring specific tags on resources) across subscriptions. Which Azure service should they use?

Correct answer: Azure Policy
Azure Policy is the governance service used to create and assign policy definitions and track compliance (e.g., tag requirements, allowed locations/SKUs). Azure Monitor is for observability (metrics, logs, alerts) and does not enforce standards. Azure Cost Management + Billing helps analyze and manage spending, but it does not enforce configuration requirements like tagging.