AZ-900 Practice Test Bank: 200+ Questions with Detailed Answers

AZ-900 aligns to three domains that appear verbatim in Microsoft’s skills outline. You should treat them as your “table of contents” for studying and for analyzing weak areas after each practice set:

• Describe cloud concepts (cloud benefits, pricing models, service types like IaaS/PaaS/SaaS, and deployment models such as public/private/hybrid).
• Describe Azure architecture and services (core components like subscriptions/resource groups, plus fundamentals of compute, networking, storage, identity, security, and management/AI tools at a high level).
• Describe Azure management and governance (cost management, governance tools like Policy and RBAC, compliance concepts, and resource management via tools such as Azure Portal, ARM/Bicep concepts, and Azure Advisor).

Microsoft periodically adjusts weighting, but the practical takeaway stays consistent: the largest share tends to come from Azure architecture/services, with cloud concepts and governance close behind. That means your study plan should not over-index on pure “cloud theory.” You need enough conceptual grounding to interpret scenarios, but most questions will name Azure services and ask what they do or when you would use them.

Common trap: confusing governance and security. For example, RBAC is authorization (who can do what), while Azure Policy is governance enforcement (what is allowed to be deployed). Another frequent pitfall is mixing service models: if you manage the OS, it’s IaaS; if Azure manages the platform/runtime, it’s PaaS; if you just use the app, it’s SaaS.

Exam Tip: When a question mentions “requirements” like compliance standards, resource constraints, or allowed regions/SKUs, you’re likely in the management and governance domain—even if it references services elsewhere.

You schedule AZ-900 through Microsoft’s certification dashboard, which redirects to the exam delivery provider (commonly Pearson VUE). You typically choose between online proctored and test center delivery. Both are valid; your choice should be driven by your environment and your test-taking style.

Online proctored is convenient but strict: you need a stable internet connection, a compliant webcam/mic setup, and a clean desk/room. Any interruption (notifications, people entering, second monitor issues) can jeopardize your session. Test center delivery reduces technical risk and is often calmer for candidates who prefer a controlled setting, but it requires travel and fixed appointment slots.

Schedule strategically. Pick a time when you’re mentally sharp and your environment is predictable. Avoid squeezing the exam into a stressful day. If you’re following a 14-day plan, schedule the exam before you start the plan. A fixed deadline improves focus and reduces “infinite studying.”

Exam Tip: If you choose online proctoring, run the system test well in advance and again on exam day. Many failures are not knowledge-related—they are preventable setup issues (camera permissions, corporate VPN restrictions, or unstable Wi‑Fi).

On test day, your goal is to eliminate friction before you answer the first question. Bring (or prepare) acceptable identification that matches your registered name exactly. Minor name mismatches can cause check-in delays or denial. For online proctoring, you’ll also complete a check-in process that may include room photos and a desk scan.

Know the rules: no notes, no second devices, and no browsing. In an online session, the proctor may require you to keep your eyes on the screen and may pause the exam if they suspect policy violations. At a test center, you’ll typically store belongings in a locker and may be monitored by staff and cameras.

Prepare your environment like a pilot’s pre-flight checklist. If you’re online: clear your desk, silence your phone, disable pop-up notifications, close background apps, and ensure your power settings won’t dim or sleep. If you’re in a test center: arrive early, use the restroom beforehand, and plan for minor administrative delays.

Common trap: underestimating how stress affects reading. Many AZ-900 questions are short, but the distractors rely on quick misreads (for example, “authorization” vs “authentication,” or “availability” vs “scalability”). A calm start helps you read precisely.

Exam Tip: Before clicking “Start,” take 30 seconds to settle your breathing and commit to reading every question twice—once for gist, once for keywords (like minimize cost, meet compliance, least privilege).

AZ-900 uses a mix of question formats: standard multiple-choice, multiple-response (choose two/three), matching, and scenario-based items. Even when questions look simple, Microsoft’s distractors are engineered to test whether you understand boundaries between concepts. The right answer is often the one that is correct and most directly satisfies the requirement without adding assumptions.

Expect distractor patterns like:

• Category swaps: presenting a security tool when the question is about governance, or a networking feature when the requirement is identity-related.
• Close cousins: confusing similar services (e.g., Azure Advisor vs Azure Monitor vs Microsoft Defender for Cloud; RBAC vs Policy vs Blueprints concepts).
• Overkill answers: offering a complex enterprise solution when a fundamentals-level feature suffices.
• Misleading keywords: using “encryption” when the scenario is actually about access control, or using “scaling” when the requirement is “high availability.”

Train yourself to identify what the exam is truly testing in each item. If the scenario mentions “who can access,” think identity and access (Microsoft Entra ID, RBAC, MFA). If it mentions “what can be deployed,” think governance (Policy). If it mentions “track spend,” think Cost Management and budgeting. If it mentions “health and recommendations,” think Advisor; if it mentions “metrics/logs,” think Monitor.

Exam Tip: When two options are both true statements, choose the one that is more directly aligned to the objective domain and the requirement wording. AZ-900 rewards precision, not general cloud knowledge.

Microsoft exams are scored on a scaled system. You typically need a minimum passing score (commonly 700 on a 1–1000 scale), but you should focus less on the math and more on consistent performance across domains. Because AZ-900 is broad, uneven preparation can hurt: it’s easy to feel strong on cloud concepts while losing points on governance tools or Azure service identification.

Time management is usually reasonable for AZ-900, but don’t waste it. Move quickly through questions you know, and mark tougher ones for review if the interface allows. Avoid “analysis paralysis”—many incorrect answers come from talking yourself out of a correct first choice due to a distractor that sounds more sophisticated.

Use your practice results to set readiness thresholds. A practical benchmark is achieving strong, repeatable scores across mixed sets (not just one domain at a time). If you only do well in topic-isolated practice, the real exam will feel harder because it interleaves domains and shifts context rapidly.

Retake policies can change, but the strategic mindset remains: treat a first attempt as a certification attempt, not a reconnaissance mission. If a retake is needed, your advantage is diagnostic clarity—your error log will tell you exactly which objectives and terms caused the miss.

Exam Tip: Don’t “cram and crash.” If you’re within 48 hours of the exam, prioritize reviewing your most-missed concepts and service boundaries rather than trying to learn brand-new areas from scratch.

This course is a practice test bank, so your highest ROI strategy is practice-first learning: attempt questions early, use the explanations to build the mental model, and then loop back with spaced repetition. Passive reading can create familiarity, but the exam requires recognition and discrimination under time pressure.

Use a simple 14-day plan anchored to the three domains:

• Days 1–4: Cloud concepts + targeted practice; build a glossary (IaaS/PaaS/SaaS, CapEx/OpEx, elasticity, availability).
• Days 5–10: Azure architecture and services; rotate compute/networking/storage/identity/security/management tools; prioritize “what is it for?” over deep configuration.
• Days 11–13: Management and governance; focus on RBAC vs Policy, cost tools, compliance, resource organization (subscriptions/resource groups), and monitoring/recommendations.
• Day 14: Full mixed review; reattempt your error log items and summarize last-minute “confusable pairs.”

Create an error log (spreadsheet or notes) with four columns: objective domain, concept/service, why you chose the wrong option, and the rule that would guarantee the right choice next time. This turns every mistake into a reusable decision rule. For example: “If the question asks to enforce allowed SKUs/regions, choose Azure Policy; if it asks to assign permissions to a user, choose RBAC.”

Apply spaced repetition: reattempt missed items after 1 day, 3 days, and 7 days. Your goal is not to memorize letter choices, but to strengthen retrieval of the concept and the boundary that eliminates distractors.

Exam Tip: Track performance by domain, not just total score. Many candidates pass practice sets overall but fail on exam day because one domain consistently lags and the real exam exposes that weakness with clustered items.

Section 2.1: Cloud computing benefits and shared responsibility basics

AZ-900 frequently tests cloud benefits through short “why cloud?” scenarios. You should be able to connect a requirement to the benefit: high availability means the service is accessible when needed; scalability means adding/removing resources to meet demand; elasticity emphasizes automatic or rapid scaling to match demand spikes; agility means faster provisioning and experimentation; fault tolerance and resiliency describe designing so failures don’t take the system down.

The exam also expects a fundamentals-level understanding of the shared responsibility model: moving to the cloud doesn’t eliminate your responsibilities; it shifts some responsibilities to the provider depending on service type. In general, Microsoft manages the security of the cloud (physical datacenters, underlying infrastructure). You manage security in the cloud (configuration, identities, data classification), with more customer responsibility in IaaS and less in SaaS.

• High availability: focus on minimizing downtime (often via redundancy).
• Scalability: ability to change capacity; can be vertical (bigger) or horizontal (more instances).
• Elasticity: scaling quickly/automatically to match workload; common for bursty traffic.
• Agility: fast time-to-market; provision resources in minutes.
• Fault tolerance: system continues to operate when components fail.

Exam Tip: When a question mentions “spikes,” “seasonal,” or “unpredictable demand,” prioritize elasticity over generic scalability. When it mentions “must stay online even if a server fails,” think fault tolerance/resiliency rather than “performance.”

Common trap: Confusing “high availability” with “disaster recovery.” High availability is about staying up during expected component failures; disaster recovery is about recovering after a major outage event. On AZ-900, availability is more frequently the target term unless the scenario explicitly references a catastrophe and recovery plan.

Section 2.2: Economies of scale, CapEx vs OpEx, and cost predictability

Cost questions are a staple: AZ-900 wants you to recognize cloud financial models and the business reasons organizations adopt them. Economies of scale means large providers buy hardware, power, and networking in bulk and operate datacenters efficiently, lowering per-unit costs compared to many on-prem environments.

Know the difference between CapEx and OpEx. CapEx (capital expenditure) is upfront investment in physical infrastructure—servers, storage, networking—and typically involves depreciation over time. OpEx (operational expenditure) is ongoing spending—paying for services as used. Cloud aligns heavily with OpEx because you can shift from buying capacity “just in case” to consuming capacity “as needed.” Consumption-based pricing is the phrase Microsoft often uses: you pay for what you use and can stop paying when you deprovision resources.

Cost predictability can be a tricky distractor. Cloud offers tools to improve predictability (budgets, cost analysis, reservations), but usage-based billing can also be less predictable if you don’t control consumption. Read the prompt carefully: if it emphasizes “avoid large upfront purchases,” choose OpEx/consumption. If it emphasizes “lock in a lower rate for steady workloads,” think about reserved capacity concepts (fundamentals-level awareness).

• CapEx: upfront purchase, long procurement cycles, overprovisioning risk.
• OpEx: pay-as-you-go, flexible, align cost to usage, faster to start.
• Consumption-based pricing: scale down to reduce costs; stop paying by deleting resources.

Exam Tip: If the scenario says “the company wants to avoid purchasing new hardware,” that is a direct cue for OpEx. If it says “pay only during peak season,” that is a direct cue for consumption-based and the ability to scale down.

Common trap: Thinking “cloud is always cheaper.” The exam expects you to understand it can be cheaper when matched to the right usage pattern, especially when you right-size, scale down, and use cost controls.

Section 2.3: Service types: IaaS vs PaaS vs SaaS (scenario identification)

Service model identification is one of the most testable skills in AZ-900. Microsoft will describe what the customer wants to manage (or not manage) and you pick IaaS, PaaS, or SaaS. Think of it as a spectrum of responsibility: IaaS gives you the most control (and the most tasks), SaaS gives you the least control (and the fewest tasks), and PaaS is in between.

IaaS (Infrastructure as a Service) is virtualized compute, storage, and networking. You typically manage the operating system, patches, installed software, and many security configurations. Use IaaS when you need custom OS control, lift-and-shift migrations, or specific software requirements.

PaaS (Platform as a Service) provides a managed platform for applications—often with managed runtime, scaling, and patching of the underlying OS. You focus on application code and data. Use PaaS when the scenario emphasizes “developers deploy code quickly,” “no server maintenance,” or “built-in scaling.”

SaaS (Software as a Service) is complete software delivered over the internet. You manage users, data, and configuration; the provider manages the application and infrastructure. Use SaaS when the scenario is about using an application (email, CRM, collaboration) rather than building and hosting one.

• Key phrase → likely model: “manage the OS” → IaaS; “deploy code”/“managed runtime” → PaaS; “use the app” → SaaS.
• Control vs convenience: more control (IaaS) usually means more responsibility.

Exam Tip: In scenario questions, underline what the customer wants to avoid managing. “Avoid patching” and “avoid managing servers” strongly indicate PaaS or SaaS. If the prompt mentions installing custom middleware or needing admin access to the OS, that leans IaaS.

Common trap: Choosing SaaS anytime “cloud” is mentioned. SaaS is specifically consuming a finished application. If the scenario includes building, deploying, or hosting custom code, SaaS is rarely correct.

Section 2.4: Deployment models: public, private, hybrid (when to choose which)

Deployment models describe where the resources run and who owns/operates the environment. AZ-900 commonly frames this as a compliance, data residency, or legacy integration decision.

Public cloud means services are delivered over the internet from a provider-owned datacenter (like Azure). You share the underlying infrastructure with other customers (multi-tenant), but your data and configurations are logically isolated. Public cloud is usually the default best answer when the requirement emphasizes rapid provisioning, global scale, and reducing datacenter management.

Private cloud is cloud infrastructure dedicated to a single organization, often on-premises or hosted. It can satisfy strict control, customization, or regulatory requirements, but it may reduce the agility and cost advantages of public cloud because you still maintain much of the environment.

Hybrid cloud combines public and private environments, enabling workloads and data to move between them. Hybrid is frequently the best fit when a scenario mentions “keep some systems on-prem” (legacy dependencies, data sovereignty, latency-sensitive apps) while also using public cloud for scalability, analytics, or new apps.

• Public: fastest access to cloud benefits; internet-delivered services.
• Private: dedicated environment; maximum control, less elasticity.
• Hybrid: mix of both; bridge for migration and specialized requirements.

Exam Tip: If the prompt includes phrases like “must remain on-premises” or “cannot move all data to the cloud,” hybrid is a strong candidate. If it says “no datacenter management” and “quickly provision,” public is usually the best fit.

Common trap: Selecting private cloud solely because of “security.” Public cloud can be highly secure; the differentiator in exam scenarios is typically control, location, and regulatory constraints—not a blanket statement that private is “more secure.”

Section 2.5: Cloud terminology: regions, availability, resiliency, and latency

Terminology questions often appear as “pick the best term” or “which design goal is described?” Focus on precision. Latency is the delay in data transfer; it’s typically reduced by placing resources closer to users. Resiliency is the ability to recover from failures and continue operating. Fault tolerance is a related concept emphasizing continued operation even when components fail.

In Azure, a region is a geographic area containing one or more datacenters. For fundamentals, you should associate regions with data residency choices and user proximity (latency). Availability concepts stack: you might design within a region for higher availability and across regions for higher resiliency. The exam doesn’t require deep architecture, but it does test the reasoning: spreading resources reduces single points of failure.

Also connect this to earlier benefits: high availability is an outcome; redundancy and distribution are common methods. When a prompt highlights “minimize downtime,” availability language is key; when it highlights “continue after an outage,” resiliency language becomes key; when it highlights “slow app for international users,” latency and region placement become key.

• Region: geographic location for Azure resources.
• Latency: time delay; impacted by distance and network path.
• Availability: uptime/accessibility goal.
• Resiliency: recover and continue despite failures.

Exam Tip: If the scenario mentions “users in Europe are experiencing delays,” your mental path should be: latency → deploy closer (region choice) → possibly add distribution for better user experience.

Common trap: Treating “availability” and “resiliency” as interchangeable. Availability is typically measured as uptime; resiliency is the broader capability to withstand and recover from failures.

Section 2.6: Practice questions: domain 1 drill set with answer explanations

This chapter’s drill set (in your practice bank) targets Domain 1 patterns Microsoft uses: short business requirements, two plausible distractors, and one “best” answer that matches a specific keyword. As you review explanations, don’t just mark right/wrong—identify the trigger phrase that should have led you to the correct concept.

For cloud benefits, your reasoning should be: requirement → benefit. “Must remain online during hardware failure” maps to fault tolerance/resiliency. “Need to rapidly add capacity during a marketing event” maps to elasticity. “Want to deploy new environments in minutes” maps to agility. The wrong answers often describe real cloud advantages but fail to match the prompt’s primary requirement.

For pricing, focus on the financial intent. “Avoid upfront datacenter purchases” maps to OpEx. “Pay only while running” maps to consumption-based pricing. Watch for double-negative wording: “minimize capital expenditures” is still a CapEx vs OpEx question.

For service models, your anchor is “who manages what.” If the scenario requires OS-level control, IaaS is favored. If it emphasizes developers and managed platform capabilities, PaaS. If it’s simply adopting a ready-to-use application, SaaS. For deployment models, “must stay on-prem” strongly signals hybrid; “all-in on provider-managed infrastructure” signals public.

Exam Tip: When you miss a question, rewrite it in one sentence as “They need X, therefore Y.” If you can’t express X as a single requirement (availability vs latency vs cost), you likely got pulled into a distractor. Build a personal error log with columns: keyword, chosen answer, correct answer, and the rule that would have prevented the miss.

Common trap: Overthinking beyond fundamentals. AZ-900 rewards clear mapping to core terms, not deep implementation detail. If two answers seem viable, choose the one that most directly matches the prompt’s explicit requirement words.

Azure’s global infrastructure is a frequent AZ-900 target because it underpins availability, resiliency, and data residency decisions. A region is a geographic area containing one or more datacenters that are close enough for low latency networking. Many questions hinge on the difference between “a region” (geography) and “a datacenter” (facility). If a prompt asks where you deploy resources, the correct level is usually the region, not “datacenter.”

Availability Zones are physically separate locations within an Azure region. They are designed to provide protection from datacenter-level failures. AZ-900 typically tests that zones are within a single region and improve availability for supported services. Some services are “zonal” (you choose a zone) while others are “zone-redundant” (the platform replicates across zones). Exam Tip: If the scenario says “high availability in the same region” or “protect against datacenter outage,” Availability Zones is the best fit—better than “region pairs,” which relate to cross-region resiliency.

Region pairs are two regions within the same geography paired for disaster recovery and platform updates. Microsoft designs these pairs to reduce the chance of simultaneous outages and to prioritize recovery in certain cases. The exam often uses region pairs to test the idea of cross-region replication and data residency (paired regions are in the same geography). A common trap is thinking region pairs automatically replicate every resource. They don’t—replication is service-specific (for example, storage redundancy options).

• Region = geographic deployment boundary.
• Availability Zone = separate fault domain within a region.
• Region pair = cross-region relationship for resiliency and updates within a geography.

When you see “business continuity across regions,” pair the concept with region pairs (and service-level replication), not zones. When you see “lowest latency for users in Europe,” choose a region close to those users; don’t overthink it into zones or pairs.

AZ-900 expects you to understand Azure’s resource hierarchy because it drives governance, billing, and access control decisions. From top to bottom, the hierarchy is commonly presented as management groups → subscriptions → resource groups → resources. Questions often ask “where would you apply a policy” or “how do you organize resources for billing,” and the right answer depends on the scope needed.

A subscription is primarily a billing and access boundary. Many exam items test that costs are tracked at the subscription level and that you can have multiple subscriptions to separate environments (e.g., dev vs. prod) or departments. A resource group is a logical container for resources that share a lifecycle. That lifecycle wording matters: if a scenario says “deploy, update, and delete together,” resource group is the right concept.

Resources are the actual service instances: a VM, a storage account, a virtual network, etc. Management groups sit above subscriptions to help you manage many subscriptions at scale—often used for applying governance like Azure Policy across multiple subscriptions. Exam Tip: If the question asks for “a scope that includes multiple subscriptions,” you should immediately consider management groups; a resource group cannot span subscriptions.

AZ-900 also expects basic familiarity with ARM (Azure Resource Manager) as the deployment and management layer for Azure. ARM provides consistent management through templates and APIs. A common trap is confusing ARM templates with “Azure Portal only” deployment. ARM is the underlying control plane regardless of tool (Portal, CLI, PowerShell, Bicep). In scenario questions, when you see “repeatable deployment” or “infrastructure as code,” think ARM templates/Bicep rather than manual portal clicks.

• Subscription: billing + RBAC boundary.
• Resource group: lifecycle boundary for related resources.
• Management group: governance across multiple subscriptions.

To pick correct answers, match the required scope: one resource, a set of related resources, one subscription, or many subscriptions.

Compute questions in AZ-900 focus on selecting the right hosting model, not on deep configuration. Start by classifying the option as IaaS (more control) vs PaaS (less management). Azure Virtual Machines (VMs) are the classic IaaS answer: you manage the OS, patches, and most configuration. If a scenario mentions “lift-and-shift,” “custom OS,” or “installing server software,” VMs are commonly correct.

VM Scale Sets are tested conceptually as a way to deploy and manage a set of identical VMs that can scale out/in. You do not need to memorize implementation details, but you should recognize the cue: “need to automatically increase VM instances when demand increases.” The trap is picking “Availability Sets” (also a VM concept) when the question is about scaling rather than redundancy. Scale sets are about elasticity and managing a fleet; availability sets are about fault/update domain separation for a fixed set.

Containers (e.g., running containerized apps) come up as a lightweight alternative to VMs, focusing on packaging and portability. AZ-900 commonly frames containers as “run an application with dependencies without managing a full OS per app.” The exam may mention orchestration concepts; your job is usually to identify that containers are the appropriate compute model when rapid, consistent deployments are needed.

Azure App Service is a PaaS offering for hosting web apps, REST APIs, and backend services. It’s often correct when prompts say “host a web app without managing servers,” “built-in scaling,” or “quickly deploy from source control.” Exam Tip: If the scenario emphasizes “minimal infrastructure management” and “web app,” App Service typically beats VMs. If it emphasizes “full control of OS and software stack,” VMs typically win.

• Choose VMs for OS-level control and traditional server workloads.
• Choose containers for portable app packaging and faster deployments.
• Choose App Service for managed web/API hosting.
• Choose VM Scale Sets when the key requirement is autoscaling identical VMs.

When eliminating distractors, watch for answers that are “true but mismatched.” For example, containers can run web apps, but App Service is purpose-built for web hosting with less management—so if the prompt stresses simplicity, App Service is usually the intended answer.

Networking questions in AZ-900 emphasize basic connectivity and name resolution. A Virtual Network (VNet) is your private network in Azure. It provides an address space and isolation boundary. Subnets segment the VNet into smaller networks, often aligned to tiers (web, app, data). A common trap is confusing VNets with resource groups: VNets are networking constructs; resource groups are management constructs.

VNet peering connects two VNets so resources can communicate privately over Microsoft’s backbone. The exam will often hint “connect two VNets” or “connect workloads in different VNets” without needing a VPN. If the key phrase is “private connectivity between VNets,” peering is usually correct. Be careful: peering is not the same as connecting on-premises to Azure.

For hybrid connectivity, AZ-900 typically contrasts VPN Gateway and ExpressRoute. VPN Gateway uses encrypted tunnels over the public internet. ExpressRoute provides private connectivity (not over the public internet) via a connectivity provider. Exam Tip: If the scenario emphasizes “dedicated private connection,” “more consistent latency,” or “regulatory requirements avoiding public internet,” ExpressRoute is the best match. If it emphasizes “quick setup” or “lower cost” for on-prem connectivity, VPN Gateway is commonly the intended answer.

Azure DNS is a hosting service for DNS domains, while name resolution inside networks can involve Azure-provided DNS or custom DNS servers. Exam questions usually stay high-level: DNS translates names to IP addresses. The trap is overcomplicating DNS as a “load balancer” or “firewall”—it’s neither. If the prompt says “host your domain’s DNS records,” Azure DNS fits.

• VNet: private network boundary.
• Subnet: segment within a VNet.
• Peering: private VNet-to-VNet connectivity.
• VPN Gateway: encrypted internet-based tunnel to on-prem.
• ExpressRoute: private, dedicated connectivity to Azure.
• DNS: name-to-IP resolution and hosting DNS records.

Identify the “connectivity endpoints” in the scenario (VNet-to-VNet vs on-prem-to-Azure) before selecting the service—this single step eliminates many distractors.

AZ-900 expects familiarity with how you interact with Azure, not mastery of command syntax. The Azure portal is the web-based UI for creating and managing resources. It’s commonly referenced in questions about “quickly provisioning” or “viewing resource properties and costs.” The portal is also where you navigate the resource hierarchy (subscriptions, resource groups) and where role assignments and policy scopes are commonly visualized.

Azure Cloud Shell provides a browser-based shell environment with preconfigured tools, typically offering both Bash and PowerShell experiences. The exam angle is usually: “manage Azure from anywhere without installing tools locally.” It also integrates with storage for persisting files like scripts. Exam Tip: If the scenario emphasizes “no local installation” or “run Azure CLI/PowerShell in the browser,” Cloud Shell is the intended answer more often than “Azure CLI on your laptop.”

At a fundamentals level, you should recognize common deployment tooling categories:

• Azure CLI / Azure PowerShell: command-line tools for scripting and automation.
• ARM templates / Bicep: declarative infrastructure-as-code for repeatable deployments.
• Portal: interactive, manual deployment and management.

Many distractors on AZ-900 describe “automation” but then offer a purely manual tool. When a prompt emphasizes consistency, repeatability, or deploy the same environment multiple times, you should lean toward ARM templates/Bicep rather than portal. Conversely, if the prompt is about a one-off exploration or quick proof-of-concept, the portal may be the simplest correct answer.

Also note the control-plane concept: regardless of which tool you use, Azure Resource Manager is typically the underlying management layer. This helps you avoid the trap of thinking each tool deploys resources in a completely different way.

This chapter’s practice set is designed to mirror Microsoft’s AZ-900 patterns: short scenarios, one best answer, and distractors that are plausible but mis-scoped. Your performance improves most when you can articulate a one-sentence rationale tied to a keyword in the prompt. After each item, force yourself to say: “The requirement is X, so the feature/service is Y, because Z.” That habit is what the exam is really measuring—service-to-requirement mapping.

Use a consistent elimination workflow:

• Step 1: Identify scope (single resource vs resource group vs subscription vs multiple subscriptions). This quickly separates resource groups from subscriptions and management groups.
• Step 2: Identify resiliency boundary (within a region = availability zones; across regions = region pairs/service replication).
• Step 3: Identify connectivity type (VNet-to-VNet = peering; on-prem-to-Azure over internet = VPN Gateway; private circuit = ExpressRoute).
• Step 4: Identify compute model (OS control = VM; web app with minimal management = App Service; packaged runtime = containers; autoscaling VM fleet = scale set).

Exam Tip: Watch for “keyword hijacking.” For example, “high availability” does not automatically mean “availability zones” if the scenario is really about scaling, and “disaster recovery” does not automatically mean “region pairs” if the service in question only replicates within a region unless configured otherwise. Always tie the answer to the stated requirement (availability, scalability, governance scope, or connectivity).

Common traps you should expect in the drill set:

• Choosing region pairs when the prompt specifies “within the same region” (zones is better).
• Choosing resource group for billing separation (subscription is the billing boundary).
• Choosing VPN Gateway when the prompt says “does not traverse the public internet” (ExpressRoute).
• Choosing VM when the prompt says “no server management” for a web app (App Service).

As you review rationales, don’t just note what is correct—note why each distractor is wrong. AZ-900 is designed so wrong answers often describe real Azure features, just not the best match. Your goal is to become faster at recognizing mismatch: wrong scope, wrong boundary, or wrong service model.

Section 4.1: Storage services: storage accounts, Blob, Files, Queue, Table basics

Azure Storage usually starts with a storage account, which is the top-level container that provides a unique namespace and holds data services like Blob, Files, Queue, and Table. On the exam, the most common task is mapping a workload description to the right storage service. The correct answer is typically the one that best matches the data shape and access pattern.

Blob storage is for unstructured object data: images, videos, backups, log files, and large binary objects. If you see “store files for a website,” “store backups,” “data lake-style objects,” or “unstructured,” Blob is usually the target. Azure Files provides managed file shares and is designed to be mounted like a traditional network share (SMB, and in many cases NFS). When the scenario says “lift-and-shift file server,” “shared drive,” or “applications need a file share,” look for Azure Files.

Azure Queue storage is for simple messaging between components (decoupling). Keywords: “asynchronous,” “buffer,” “message queue,” “work items.” Don’t confuse it with Service Bus; AZ-900 typically treats Queue storage as the straightforward option for basic queueing. Azure Table storage is a NoSQL key/value store for semi-structured data. If you see “NoSQL,” “schema-less,” “fast lookups by key,” Table can fit—though Cosmos DB is also a common NoSQL answer elsewhere.

• Blob: objects/unstructured data
• Files: managed file shares (SMB/NFS)
• Queue: messaging to decouple components
• Table: NoSQL key/value (simple, scalable)

Common trap: Choosing Azure Disks for “file storage.” Disks attach to VMs; they aren’t shared file services by default. If the question implies multiple servers need to access the same files, Azure Files is usually the safer choice at fundamentals level.

Exam Tip: If the prompt mentions “URLs,” “objects,” or “static content,” think Blob. If it mentions “mapped drive,” “SMB,” or “shared folder,” think Files. If it mentions “messages,” think Queue. If it mentions “NoSQL table-like storage with keys,” think Table.

Section 4.2: Storage redundancy and performance concepts (LRS/ZRS/GRS/GZRS at fundamentals level)

AZ-900 frequently tests recognition of redundancy acronyms and the trade-off between availability, durability, and cost. You are not expected to calculate “nines,” but you are expected to know what the letters mean and which option adds cross-zone or cross-region protection.

LRS (Locally Redundant Storage) replicates data within a single datacenter in a region. It’s the baseline, generally lowest cost, and protects against local hardware failures—not a datacenter outage. ZRS (Zone Redundant Storage) replicates across availability zones within the same region, so a single-zone failure is handled. If the question says “within a region” and “zone failure,” ZRS is your clue.

GRS (Geo-Redundant Storage) replicates to a secondary region (paired region concept). This is about regional disaster recovery. GZRS (Geo-Zone-Redundant Storage) combines zone redundancy in the primary region with geo-replication to a secondary region. When you see “zone outage protection” plus “regional disaster recovery,” GZRS is the pattern match.

Performance can also appear indirectly: some storage accounts offer different performance tiers (standard vs premium) and access tiers (hot/cool/archive for blobs). At AZ-900 level, remember: “hot” is frequent access, “cool” is infrequent, “archive” is the cheapest storage but highest retrieval latency and rehydration time.

Common trap: Picking GRS when the requirement is explicitly “survive an availability zone failure.” GRS is cross-region; it does not automatically mean zone-aware in the primary region. If the question emphasizes “zone,” ZRS or GZRS is typically better aligned.

Exam Tip: Decode the acronym quickly: L=local, Z=zone, G=geo, and the presence of both “G” and “Z” (GZRS) signals both zone-level and regional resilience. Then choose the simplest option that meets the stated outage scenario (hardware vs zone vs region).

Section 4.3: Database and analytics options overview (Azure SQL, Cosmos DB, data services basics)

Database questions in AZ-900 are typically “which database type fits?” rather than “how do you configure it?” Start with the relational vs NoSQL split. If the scenario calls for relational tables, joins, and SQL queries, the expected answer is often Azure SQL Database (a managed relational database as a service). Azure SQL is a strong choice when the prompt mentions “SQL Server migration,” “relational,” “transactions,” or “existing app uses SQL.”

Azure Cosmos DB is the headline NoSQL service in Azure fundamentals: globally distributed, low latency, and supports multiple APIs. When the scenario emphasizes “global distribution,” “massive scale,” “schema-less,” “NoSQL,” or “multi-region reads/writes,” Cosmos DB is a common correct selection. At fundamentals level, you don’t need to memorize every API; recognize Cosmos DB as the general-purpose managed NoSQL platform.

Analytics and data services may show up as “big data” or “data warehousing” hints. When the question uses language like “reporting,” “business intelligence,” “large-scale analytical queries,” or “data warehouse,” look for data analytics services rather than transactional databases. Even if the exam doesn’t require deep detail, keep the mental model: transactional systems (OLTP) vs analytics systems (OLAP). Azure SQL Database is typically positioned as OLTP; warehouse/analytics platforms are positioned for OLAP-style workloads.

Common trap: Selecting Cosmos DB just because the prompt says “high performance.” If the data is clearly relational (joins, constraints, normalized schema), Azure SQL is the safer fundamentals answer. Another trap is picking “Storage Table” when the prompt indicates advanced global distribution and SLAs; that usually points to Cosmos DB.

Exam Tip: Underline the data clues: “relational/SQL” → Azure SQL Database. “NoSQL/global distribution/low latency at scale” → Cosmos DB. If the question hints at “analytics/reporting/warehouse,” shift your thinking away from OLTP databases.

Section 4.4: Identity: Microsoft Entra ID, authentication vs authorization, and MFA

Identity is a high-yield AZ-900 area because Microsoft wants you to distinguish who someone is from what they can do. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud identity and access management service. It provides identities for users, groups, and applications, and it supports features like single sign-on (SSO) and conditional access (conceptually).

The exam repeatedly tests the difference between authentication and authorization. Authentication answers the question: “Are you who you say you are?” Authorization answers: “Are you allowed to do this action?” If a question says “verify user credentials,” that’s authentication. If it says “grant permissions to read storage blobs,” that’s authorization (often implemented with RBAC, covered next).

Multi-factor authentication (MFA) strengthens authentication by requiring two or more factors (something you know, have, or are). In scenario terms, if the prompt includes “reduce risk of password compromise,” “require additional verification,” or “protect admin accounts,” MFA is the straightforward control.

Common trap: Confusing Entra ID with Windows Server Active Directory (AD DS). AD DS is primarily on-premises directory services; Entra ID is cloud-first identity for Microsoft 365 and Azure. Another trap is treating MFA as authorization; MFA proves identity more strongly, but it doesn’t grant resource permissions by itself.

Exam Tip: When you see “sign in,” “identity provider,” “SSO,” or “user accounts,” think Entra ID and authentication. When you see “permissions,” “can/cannot delete,” or “least privilege,” think authorization mechanisms (commonly RBAC).

Section 4.5: Access and security fundamentals: RBAC, zero trust concepts, Defender for Cloud, and Azure Monitor overview

This section aligns with the exam’s expectation that you can describe security posture tools and basic access control models. Azure role-based access control (RBAC) is the primary authorization system for Azure resources. RBAC assigns a role (a set of permissions) to a security principal (user, group, service principal, managed identity) at a scope (management group, subscription, resource group, resource). If the question says “give a user read-only access to a storage account,” the correct mental move is: choose an RBAC role at the correct scope.

Zero Trust is a guiding security model: verify explicitly, use least privilege, and assume breach. AZ-900 typically tests it conceptually—expect statements like “never trust, always verify” or “grant least privilege access.” The practical tie-in is RBAC (least privilege) plus strong authentication (MFA) and ongoing monitoring.

Microsoft Defender for Cloud is the service for security posture management and workload protection recommendations. If the prompt mentions “security recommendations,” “secure score,” “hardening,” “regulatory compliance dashboard,” or “identify misconfigurations,” Defender for Cloud is likely correct. It’s not the same as Azure Monitor; Defender is focused on security posture and threat protection guidance.

Azure Monitor is the umbrella for collecting and analyzing telemetry (metrics and logs) across Azure resources. The exam often checks whether you know: metrics are numeric time-series (fast, near real-time), while logs are richer event records (queryable). If the prompt says “set an alert when CPU exceeds 80%,” think Monitor/metrics and alerts. If it says “investigate events over the last 30 days,” think logs (Log Analytics conceptually).

Common trap: Choosing Defender for Cloud when the requirement is “collect performance metrics and create alerts.” That’s Azure Monitor. Another trap is granting access by sharing keys/connection strings rather than RBAC; the exam generally nudges you toward identity-based access and least privilege.

Exam Tip: RBAC answers “who can do what.” Defender for Cloud answers “how secure is it and what should I fix.” Azure Monitor answers “what is happening (metrics/logs) and how do I alert on it.”

Section 4.6: Practice questions: services scenarios with detailed explanations

This chapter’s mixed practice set (storage + identity + security) is designed to mirror AZ-900 question patterns: short scenarios, one best answer, and distractors that are plausible but misaligned to the key requirement. As you work through questions, force yourself to state (1) the requirement, (2) the category of solution, and (3) the minimal Azure service that satisfies it.

For storage scenarios, train your eye to spot the data type and access style: “unstructured objects” tends to map to Blob; “shared drive/mount” tends to map to Files; “decouple components with messages” maps to Queue; “key/value NoSQL” maps to Table. Then layer redundancy: if the scenario mentions “zone outage,” it’s ZRS/GZRS; if it mentions “regional disaster recovery,” it’s GRS/GZRS; if it’s only local durability at lowest cost, it’s LRS. Many wrong answers are “too much” (more expensive than required) or “wrong failure domain” (region vs zone).

For database scenarios, practice deciding relational vs NoSQL first. If the prompt implies SQL queries, relationships, and transactional consistency for an app, Azure SQL Database is usually correct. If it emphasizes global scale, low latency worldwide, or schema flexibility, Cosmos DB becomes the stronger candidate. A frequent distractor is to pick a storage service when the scenario clearly asks for a database with query capabilities and SLAs.

For identity/security scenarios, separate authentication from authorization every time. Entra ID and MFA strengthen sign-in (authentication). RBAC assigns permissions (authorization) at the correct scope. Defender for Cloud points out security misconfigurations and recommendations. Azure Monitor is for metrics/logs and alerting. Questions often combine these—your job is to identify which tool is being described, not to design a full architecture.

Exam Tip: When two answers both “could work,” choose the one that most directly matches the wording in the question stem. AZ-900 is vocabulary-driven: the exam rewards recognizing Microsoft’s standard phrasing (for example, “role-based access control,” “security posture management,” “metrics and logs,” “availability zones,” “geo-redundant”).

Section 5.1: Azure cost management concepts and the shared responsibility of costs

Cost management is tested in AZ-900 as a fundamentals concept: you must know what drives Azure spend and who is responsible for controlling it. Even though Microsoft manages the underlying datacenters, your organization still controls the majority of cost drivers: which services you deploy, how you size them, whether they run 24/7, and how you govern usage across teams.

Key cost drivers that appear in exam scenarios include compute time (VMs, containers), storage consumed and transactions, outbound data transfer (egress), and premium features (managed disks tiers, higher availability, reserved capacity). You will also see questions that implicitly test “elasticity”: if a workload scales out automatically, cost can increase automatically unless governed through budgets and alerts.

Shared responsibility applies to costs as well as security. Azure provides meters, billing, and tools for tracking/optimization, but you own decisions like right-sizing, turning off dev/test resources, using tags for chargeback, and choosing pricing models (pay-as-you-go vs reserved savings options conceptually). If a prompt says “management wants to know which department is responsible for this spend,” that’s not a security question—it’s governance and cost allocation.

• Cost allocation: commonly done with tags and/or management group/subscription structure.
• Cost control: budgets, alerts, and guardrails that prevent uncontrolled provisioning.
• Cost optimization: right-size, remove idle resources, and follow recommendations.

Exam Tip: When a question hints at “showback/chargeback,” your first thought should be tags and reporting, not RBAC or Policy (though Policy can enforce required tags).

Common trap: Confusing “cost governance” with “access governance.” RBAC decides who can do something. It does not automatically manage spend; a user with access can still create expensive resources unless you apply governance controls and budgets.

Section 5.2: Pricing and estimation tools: Pricing Calculator, TCO Calculator, and budgeting basics

AZ-900 frequently asks you to choose between the Azure Pricing Calculator and the Total Cost of Ownership (TCO) Calculator. The easiest way to separate them is to anchor on the starting point. If you are estimating Azure service costs directly (VM size, storage type, region, bandwidth), that’s the Pricing Calculator. If you are comparing existing on-premises costs to a projected Azure cost and savings model, that’s the TCO Calculator.

The Pricing Calculator is a forward-looking estimator for Azure consumption. It helps answer “How much will it cost to run X in Azure?” It supports service-by-service selection and often appears in prompts involving a new deployment, a proof of concept, or selecting a VM size/region. The exam will not require exact dollar math; it tests tool selection and what inputs affect cost.

The TCO Calculator is a migration justification tool. It models current on-prem expenses (servers, storage, networking, labor, facilities) and compares them with a cloud alternative to estimate savings. Questions that mention “justify ROI,” “business case,” “compare on-prem vs cloud,” or “include datacenter costs” strongly indicate TCO.

Budgeting basics on AZ-900 are usually framed around controlling spend and avoiding surprise bills. In Azure Cost Management, budgets can be set (often at subscription or resource group scope conceptually) and paired with alerts at thresholds (for example, 80%, 100%). Budget alerts do not automatically shut down services by default; they notify stakeholders so action can be taken.

Exam Tip: If the scenario is about forecasting future consumption and monitoring spend against a limit, think “budget + alerts.” If the scenario is about estimating a design, think “Pricing Calculator.” If it’s about comparing to on-prem, think “TCO Calculator.”

Common trap: Selecting TCO when the prompt only asks for “estimate the monthly cost of Azure resources” without any on-prem comparison. That’s Pricing Calculator territory.

Section 5.3: Governance: Azure Policy, resource locks, and tagging strategy

Governance in AZ-900 is about guardrails: ensuring resources remain compliant with organizational standards. The exam expects you to identify which tool enforces standards (Azure Policy), which tool prevents accidental changes (resource locks), and which technique supports organization and cost allocation (tags).

Azure Policy evaluates resources against rules. Policies can deny noncompliant deployments, audit existing resources, or help enforce configurations (for example, allowed regions, required SKU types, or mandatory tags). In exam scenarios, look for language like “must ensure,” “enforce,” “prevent users from creating,” or “only allow.” That is your cue that Policy is the governance control.

Resource locks are simpler: they protect resources from deletion or modification, even by users who otherwise have permissions. This is ideal when the scenario says “prevent accidental deletion” or “stop changes during an audit window.” Understand the two classic lock types: Delete (can’t delete) and ReadOnly (can’t change). Locks are not about standards; they are about safeguarding.

Tagging strategy is a recurring AZ-900 theme because tags improve visibility and reporting. Tags are name/value pairs (e.g., CostCenter=Finance, Environment=Prod, Owner=TeamA). They are not a security boundary, and they do not automatically apply to every child resource unless you implement strategy and enforcement. Many organizations use Policy to require tags at creation time.

“Blueprints” is sometimes referenced conceptually in fundamentals contexts as a way to orchestrate governance artifacts (policies, role assignments, templates) into repeatable environments. Even if the product is less emphasized today, the exam-level idea is “package governance and deployment standards.” If you see a scenario about “standardize new subscriptions/projects quickly with predefined governance,” that’s the conceptual blueprint pattern.

Exam Tip: Map the requirement to the mechanism: “enforce” → Policy, “prevent deletion” → lock, “report by department” → tags (and cost reporting), “repeatable compliant environment” → blueprint concept.

Common trap: Choosing RBAC to “enforce allowed SKUs/regions.” RBAC controls access actions, not configuration constraints. Policy is the configuration guardrail.

Section 5.4: Compliance and trust: Microsoft Purview concepts, Service Trust Portal, and compliance offerings overview

Compliance questions in AZ-900 focus on where to find Microsoft’s compliance documentation and the conceptual services that help manage data governance. You are not expected to memorize every certification, but you must recognize where to verify compliance claims and where to review audit reports.

Service Trust Portal (STP) is the key “proof point” resource. If a scenario asks, “Where can an auditor download SOC reports?” or “Where can you find Microsoft compliance documentation for Azure?” the answer is typically the Service Trust Portal. The exam often uses verbs like “access audit reports,” “download compliance reports,” or “review attestations.” That is STP.

Microsoft Trust Center is broader: it explains Microsoft’s approach to security, privacy, compliance, and transparency. It’s less about downloading specific audit artifacts and more about understanding policies and commitments. If the question asks where to learn about Microsoft privacy principles or overall compliance posture, Trust Center fits.

Microsoft Purview at a fundamentals level is about data governance and compliance management concepts: data discovery, classification, cataloging, and understanding where sensitive data lives across environments. In exam prompts, keywords like “data catalog,” “classify data,” “discover sensitive data,” or “govern data across sources” signal Purview concepts. Don’t overcomplicate: AZ-900 typically tests recognition of purpose, not configuration steps.

Compliance offerings overview: Microsoft aligns Azure services to standards and regulations (e.g., ISO, SOC, GDPR-related commitments). The test is less about listing them and more about knowing that Azure provides compliance documentation and that compliance is shared: Microsoft handles platform compliance; you must configure and use services in a compliant way (data residency choices, access controls, retention).

Exam Tip: “Where do I download audit reports?” → Service Trust Portal. “Where do I read about privacy/compliance approach?” → Trust Center. “How do I govern and classify data?” → Purview concepts.

Common trap: Confusing “compliance documentation” with “monitoring recommendations.” Azure Advisor gives best-practice suggestions; it is not the portal for compliance attestations.

Section 5.5: Resource management and monitoring fundamentals: Azure Advisor and basic operational guidance

Resource management on AZ-900 blends organization (resource groups, tags, lifecycle) with “how Azure helps you run better” via recommendations. You should be comfortable with the basic operational idea: deploy resources into resource groups, manage them through their lifecycle, and use built-in tools to optimize.

Resource groups are logical containers. A resource belongs to one resource group at a time, and the resource group is often used for managing permissions, applying policies, and tracking costs at a high level. AZ-900 scenarios might test lifecycle behavior: deleting a resource group deletes the resources inside it (a common “gotcha” in wording). Use resource groups to model application boundaries, environments (Dev/Test/Prod), or ownership models.

Azure Advisor provides recommendations across major pillars such as cost, security, reliability, operational excellence, and performance. Exam questions will describe a goal like “reduce costs,” “improve reliability,” or “identify underutilized resources,” and ask what service provides recommendations—Advisor is the typical match. Advisor does not enforce changes; it recommends.

Operational guidance basics also connect to governance: tags and policies help keep your environment organized, while Advisor helps you continually improve what you’ve already deployed. In real-world operations, you’ll combine these: apply Policy to stop bad deployments, then use Advisor to optimize what remains and to catch issues that slipped through.

Exam Tip: Watch for the word “recommendations.” If the service is recommending improvements (not enforcing them), that’s usually Azure Advisor, not Azure Policy.

Common trap: Treating Advisor as a compliance tool. Advisor may surface security recommendations, but audit/compliance reports and attestations come from compliance resources (e.g., STP), while enforcement comes from Policy.

Section 5.6: Practice questions: management & governance drill set with explanations

This chapter’s mini-exam practice is designed to mirror AZ-900’s most common management/governance question patterns: selecting the correct tool given a short scenario and resisting distractors that are “true statements” but don’t meet the requirement. As you drill, use a consistent reasoning routine: identify the verb (estimate, enforce, prevent, download reports, recommend), identify the scope (single resource, resource group, subscription), then match to the Azure feature.

For cost management drills, you should be able to explain why a prompt that asks for a migration business case aligns to TCO/ROI thinking, while a prompt that asks for monthly Azure service estimates aligns to the Pricing Calculator. For budgeting-style prompts, focus on “alerts/thresholds” and the purpose: visibility and control, not automatic shutdown unless additional automation is added (which fundamentals questions usually won’t assume).

For governance drills, be ready to distinguish Policy vs locks vs tags: Policy enforces standards at deployment or audits compliance; locks prevent deletion/modification; tags organize and attribute ownership/cost. Expect mixed prompts where more than one tool sounds plausible—your task is to find the best fit to the requirement stated.

For compliance and trust drills, your explanations should use the correct “source of truth”: Service Trust Portal for audit reports and compliance documentation, Trust Center for Microsoft’s overall approach, and Purview concepts for data governance/classification. The exam often tests whether you know where to look, not how to implement.

Exam Tip: When two answers seem correct, re-read the scenario for the “business outcome.” Example outcomes: “prevent” (hard stop) vs “recommend” (soft guidance), or “prove compliance” (documentation) vs “improve compliance posture” (governance controls).

Common trap: Over-rotating on one favorite service. Azure has multiple management tools; AZ-900 rewards precise matching. If the prompt is about enforcing required tags, the enforcement is Policy—even though tags themselves are the data you want for reporting.

Run your mock exam under strict rules so you can trust the results. Close notes, silence notifications, and use a single sitting. AZ-900 is not a speed contest, but time pressure can trigger careless errors—so your timing plan should protect accuracy.

A practical timing plan: do one pass through all items at a steady pace, flagging anything that requires rereading or careful elimination. On the first pass, commit only when you can articulate why the correct option is best and why the others are not. On the second pass, spend time only on flagged items. Avoid over-investing in any one item; if you can’t justify it quickly, flag it and move on.

Exam Tip: Use “question-first reading.” Read the last line (what it’s asking) before you read the scenario. Many misses happen because learners answer a related concept instead of the requested one (for example, answering a governance question with a security tool).

• Pass 1: Answer confidently-known items; flag uncertainty.
• Pass 2: Resolve flags using elimination and domain mapping (cloud concepts vs services vs governance).
• Review: For every wrong or guessed item, record the trap type (misread, concept gap, distractor, or domain confusion).

Effective review is not re-reading explanations; it is extracting patterns. You’re looking for consistent mistakes like confusing “authorization vs authentication,” “availability vs scalability,” “Azure Policy vs RBAC,” and “CAPEX vs OPEX.” Those patterns tell you exactly how to spend your final study time.

Mock Exam Part 1 should be mixed-domain and timed to force context switching, just like the real exam. Include a blend of cloud concepts (benefits, service types, deployment models), Azure core services (compute, storage, networking), and identity/security/governance fundamentals. The aim is to test whether you can quickly classify what domain the question belongs to, then retrieve the correct concept.

As you work, practice “domain labeling” in your head: if the prompt is about cost control, resource consistency, or compliance, you’re likely in management/governance; if it’s about what a service does (VMs, containers, VNets, storage), you’re in architecture/services; if it’s about why cloud is used and the shared responsibility mindset, you’re in cloud concepts.

Common trap: Choosing an answer because it is a true statement about Azure, not because it addresses the requirement. Microsoft distractors often include real services that don’t match the asked outcome (for example, selecting a monitoring tool when the question is about access control).

Exam Tip: Convert the prompt into a one-sentence requirement before you look at options: “They need secure sign-in,” “They need network isolation,” “They need enforceable configuration rules,” or “They need cost reporting.” Then match the tool or concept that directly satisfies that requirement.

During Part 1, monitor your “uncertainty triggers.” If you repeatedly hesitate on identity and access, you may be mixing up Entra ID concepts (authentication) with RBAC (authorization). If you hesitate on storage, you may be mixing up blob vs file vs disk use cases. Capture these as notes for Section 6.4’s answer review framework.

Mock Exam Part 2 should be taken after a short break to simulate a second testing block and to expose fatigue effects. The goal is not only to test knowledge, but also to test consistency: do you keep reading carefully, or do you start assuming what the question “must be” asking?

Focus on scenarios that blend domains, because AZ-900 frequently does this at a fundamentals level. For example, a prompt might mention securing resources (security), enforcing standards (governance), and controlling access (identity). Your job is to identify the primary requirement. This is where many candidates lose points: they answer a secondary detail instead of the main request.

Common trap: Confusing tools that sound similar. Examples include Azure Policy vs Blueprints (and understanding that Blueprints are largely legacy compared to newer approaches), Network Security Groups vs Azure Firewall, and Microsoft Defender for Cloud vs Microsoft Sentinel. The exam often tests the “what is it for” level, not deployment steps.

Exam Tip: When two options both seem plausible, look for the one that is “native to the requirement.” Governance requirements usually point to Policy/locks/tags; identity requirements point to Entra ID/RBAC; threat detection posture points to Defender for Cloud; SIEM/SOAR points to Sentinel; cost analysis points to Cost Management.

Finish Part 2 with a short self-audit: did you miss items because you didn’t know the concept, or because you rushed? This distinction determines your remediation: knowledge gaps need focused learning; process gaps need better reading, elimination, and pacing.

After both mock parts, review using a framework that produces actionable insights. Start by classifying each missed or guessed item into one of four buckets: (1) concept gap, (2) misread/keyword miss, (3) distractor selection, or (4) domain confusion. Then write a one-line “rule” that would prevent the miss next time.

Pattern-based review is what turns practice into score improvement. If you simply note “I got it wrong,” you’ll repeat the error. Instead, identify the recurring mechanism. For example: “I choose monitoring solutions when asked about access control,” or “I confuse authentication (who you are) with authorization (what you can do).”

Exam Tip: Use elimination deliberately. Cross out options that are correct in general but wrong for the requirement. If a question is about enforcing standards automatically, a “training” or “documentation” option may be true but not enforceable—Policy is enforceable. If it’s about resilience, a backup service is not the same as high availability.

• Cloud concepts: Watch for CAPEX vs OPEX, elasticity vs scalability, and shared responsibility wording.
• Architecture/services: Map compute to use case (VMs, containers, serverless), storage to data type (object, file, block), and networking to isolation and connectivity (VNet, VPN, ExpressRoute).
• Management/governance: Separate “who can do what” (RBAC) from “what should exist” (Policy) and “cannot be changed/deleted” (resource locks).

End your review by writing a short “personal glossary” of the top 15 terms you personally confuse. AZ-900 rewards crisp definitions and correct tool-to-problem matching.

Now convert your mock exam results into a domain-mapped remediation plan aligned to the AZ-900 objectives. Create three columns—Cloud Concepts; Azure Architecture & Services; Azure Management & Governance—and tally misses and guesses. Your remediation should target the highest-yield weaknesses first: the topics you miss often and can fix quickly with clear rules.

Cloud concepts remediation: If you missed questions about service models, drill the responsibility boundaries: IaaS gives you most control (and most responsibility), PaaS abstracts OS/runtime management, and SaaS is the most managed. If you missed deployment models, clarify public vs private vs hybrid and how they relate to compliance and control.

Architecture & services remediation: If compute is weak, practice mapping requirements to services: lift-and-shift to VMs, microservices to containers, event-driven tasks to serverless. If networking is weak, focus on VNet basics, peering, and when to choose VPN vs ExpressRoute. If storage is weak, tie services to scenarios: Blob for unstructured objects, Files for SMB shares, Disks for VM block storage.

Management & governance remediation: If governance is weak, memorize the intent: RBAC controls access, Policy enforces standards, tags organize and report, locks prevent accidental changes, Cost Management analyzes and budgets, and the Well-Architected Framework guides best practices. If security tooling is weak, separate posture management (Defender for Cloud) from SIEM/SOAR (Sentinel) and from identity (Entra ID).

Exam Tip: Your plan should be time-boxed. For each weak area, schedule a 20–30 minute review + a short set of targeted practice items + a rewrite of your personal rule. This cycle is more effective than long, unfocused rereading.

On exam day, your goal is stable execution. Use a checklist that reduces avoidable mistakes: verify testing setup, arrive early (or run remote system checks), and keep your pacing plan. During the exam, stay literal: answer the question asked, not the one you wish you were asked.

Exam Tip: If you feel stuck, force a reset: reread the final line of the prompt, identify the domain, then eliminate two options. Many candidates spiral because they keep rereading the whole scenario without clarifying the requirement.

• Last-hour facts (high-yield): IaaS/PaaS/SaaS responsibility boundaries; public/private/hybrid; CAPEX vs OPEX; scalability vs elasticity; high availability vs disaster recovery.
• Identity and access traps: Authentication (Entra ID sign-in) vs authorization (RBAC permissions); “least privilege” points to RBAC and role assignment scope.
• Governance traps: Policy enforces rules; locks prevent deletion/changes; tags are for organization/reporting (not security); Blueprints are legacy in many narratives—focus on Policy/initiatives and templates.
• Services recognition: VMs vs containers vs serverless; VNet as the isolation boundary; VPN vs ExpressRoute; Blob/Files/Disks use cases.
• Management tooling: Azure Monitor collects metrics/logs; Advisor recommends improvements; Cost Management tracks and budgets; Defender for Cloud improves security posture; Sentinel is SIEM/SOAR.

Finish with a domain recap: Cloud concepts are the “why” and “models,” Architecture & services are the “what service does what,” and Management & governance are the “how you control, secure, and optimize.” If you can consistently map the requirement to the correct domain and tool, you are ready to perform under exam conditions.